Listen Up!

I love the Internet’s response to new forms of advertising.

Specifically, I’m talking about Burger King’s recent attempt to hijack TV viewers’ cell phones and Google Home devices.

In case you missed it, BK ran–and is still running–an ad that deliberately uses the “OK Google” activation phrase to trigger any gadget in earshot to start reading the Wikipedia page about their Whopper burger.

The response? The page in question was almost immediately edited to describe the burger as “cancer-causing” and to list cyanide in its ingredients.

Allegedly, a senior BK executive tried to change the page to something more complimentary, only to have his edits removed.

So, yeah, I think that’s the perfect response. Google, who apparently were not warned about the ad in advance, modified their software’s response to ignore the ad. While I’m sure many people appreciate that, it does raise a few questions.

Let’s not forget that most of Google’s billions of dollars come from advertising. Suppose BK had come to Google and said, “Hey, we want to tie a TV ad to your devices. Here’s a stack of money.” Does anyone think Google’s response would have been “Buzz off”? I’m guessing it would have been more along the lines of “How big is the stack?”

And then there’s the privacy aspect. This contretemps should serve as a reminder that “OK Google” does not use any kind of voice recognition to limit requests to the device’s owner. Nor can the phrase be changed. I’ve complained about that before: not only does it lead to multiple devices trying to respond to a single request, but it also makes it simple for outright malicious actions.

Amazon, Apple, and Microsoft are equally guilty here–Alexa, Siri, and Cortana have fixed, unchangeable triggers too.

And now, perhaps, we’re seeing why none of the manufacturers want to let users personalize their devices’ voice interaction. If we could change the trigger phrase, or limit the device to taking instructions from specific people, then the manufacturers wouldn’t be able to sell broadcast advertising like this.

If the only way you can prevent random strangers from using your phone is to turn off the voice feature, then you don’t own your phone.

Microsoft is making it harder and harder to turn Cortana off. Microsoft is also putting more and more ads in Windows. Do you sense a connection?

How long will it be before you can’t turn Siri and Google off?

And editing Wikipedia pages will only get us so far in defending ourselves.

Google was able to turn off the response to BK’s ad-spam. But they could just as easily have changed the response to read from an internally-hosted page or one housed on BK’s own servers. Either way, Internet users wouldn’t be able to touch it, at least not without opening themselves up to legal liability for hacking.

The most annoying part of this whole debacle is that now I’m craving a hamburger. I won’t be getting one at Burger King, though.

Another Failure Mode

Oh, goody! A whole ‘nother way the Internet of Things is getting security wrong.

Last month, security researcher Charles Henderson wrote about his experience trading in his car.

Briefly, both he and the dealer wiped all of his personal information out of the car–phone book, garage door opener, list of authorized devices. And yet, months later, the car still showed up in the app on his phone.

It’s not that the dealer and the manufacturer were unaware of security. Henderson makes it clear that they took the correct steps. But the focus of the team that designed and built the app and integrated it with the car’s systems was obviously on the “first owner” scenario, and not enough attention was paid to the possibility that someone might want to sell their car.

And it’s not just auto makers who have that problem. Henderson mentions another researcher who purchased a used home automation hub and found that doing a factory reset only wiped the configuration on the device itself; it didn’t touch the cloud-based configuration which included, among other things, the list of devices authorized to control the hub.

Right: even after wiping the device, the original owner would still have had access to every light bulb, every thermostat, and every door lock connected to the hub.

Still feeling cheerful about your Amazon Echo or Google Home giving you voice control over your house? After all, you’re not planning to sell that device, are you? No? Well, what if something goes wrong and you have to send it in for service? Are you certain you’re going to get the same device back? How confident are you that your original device won’t wind up being refurbished and resold?

Let’s face it: this isn’t a new problem, and we should have seen it coming. How many stories have you seen in the newspaper about someone buying a used computer and finding porn on the hard drive? Henderson notes that early smartphones lacked a way to wipe them for resale, and it was only after many well-publicized tales of people buying used phones for nefarious purposes that a wipe command was added.

Nor is there a good solution. Even if every new IoT device was designed with security as the first consideration, there are still millions of gadgets out there that have no security and no way to upgrade them to add it. In many cases, the company that made them isn’t even in business any more.

YARBI

That’s “Yet Another Really Bad Idea”. Arguably the worst one yet.

If you agreed with me that the electronic license plate was a bad idea, wait’ll you get a load of this one.

According to a story in The Atlantic last December, the Air Force is planning to make “a missile for the modern age”. In other words, a missile with a network connection.

The Air Force Scientific Advisory Board will be conducting a study this year on how to make it happen. Not if they should make it happen, but how.

If you don’t see why this is a bad idea, take a look at Eric Schlosser’s recent piece in The New Yorker.

My trepidations have nothing to do with who’s in charge of the military or who’s running the Department of Energy. They’re all about the path technology has taken in recent years. The first step has been to provide the network capability. Then comes the ability for “learning”. Security, if it comes at all, is a distant last.

Do we really want our missiles to talk to each other and the early warning systems and make their own decisions about whether the US is under attack? Look how well that sort of capability has worked out for “smart” thermostats that learn when you change the settings and begin to anticipate your needs. Or smoke detectors. Remember the Nest smoke detectors that all started screaming when one of the set had a false alarm–and none of the could be be shut off?

Even if the missiles remain “dumb” and the network connectivity is only used to transmit maintenance and self-test data, how long is it going to be before someone decides that security testing is unnecessary because the devices will only be connected to a private military network, or an even more restricted local-to-the-base network?

Even if we ignore the possibility of an unauthorized connection to the Internet being set up in the name of “convenience”, let’s not forget about all of the research that’s been done by the NSA and other “interested parties” on remotely accessing computers that aren’t networked at all. There’s not such thing as an unreachable computer these days if someone is willing to devote time and money to reaching it.

So someone reaches the missile through that network connection. What can they do? It’s only for maintenance, right? Are you confident that there’s no connection between the monitoring and maintenance hardware and the command and control system? I’m not. What’s the point of monitoring the missile remotely if you can’t test the functionality of the launch system?

I can’t argue against the need to update the technology behind the nuclear arsenal. There’s a limit to how much you can do to interface modern systems with 1970s technology. BART is having increasing difficulty expanding opening new stations and increasing capacity because they can’t hook up modern trains to the ancient computer systems, and I’m sure the Air Force has similar concerns about the Minuteman system.

But updating the off-missile systems does not require updating the missiles themselves. Keep them offline and make damn sure that humans stay in control of the decision loop.

Another Really Bad Idea

Monday’s Chron had a story documenting one of the worst ideas I’ve ever seen.

It’s a profile of a company called Reviver and their “rPlate” product, which, they say “modernizes and reinvents the license plate for the 21st century.”

What’s wrong with the license plate that it needs modernization and reinvention? There seem to be three major problems: renewing your auto registration is expensive and time-consuming, license plates are boring, and they can’t be monetized.

Let’s take those in order, shall we?

The rPlate could potentially store a credit card number and use it to renew the registration “at the push of a button”. Is registration really that much of a problem? How long does it take you? When I get the bill once a year, I pay it online, and when the new sticker shows up, I put them on the plate. I doubt it takes more than fifteen minutes of my time. Yeah, there’s also the time spent on getting the smog check, but automating the renewal process won’t change that.

But let’s say Reviver is correct, and those fifteen minutes are an insupportable burden. Letting the plate pay the bill and update it’s image of the sticker would, of course, require the plate to have some kind of a network connection via Wi-Fi or cellular. I presume Reviver is sufficiently security-conscious to put that button inside the car, not on the plate where anybody walking through a parking lot could push it. But really, does anyone think their security is good enough to keep your credit card information safe? We’ve already seen cameras, TVs, and light bulbs hijacked and used in DDOS attacks. How optimistic are you that your license plate wouldn’t be misused the same way?

And don’t forget that there would need to be a software update at the DMV to accept those automated registrations and send back the instruction to update the tag. Just what we all need: another avenue for attackers to break into the DMV’s database. Think for a moment about how much information the DMV has on you. It’s not just your vehicles, after all. Organ donor status. Voting registration. Medical information.

Plates are boring. Yeah, they are, but so what? If you don’t like the standard plate, support a worthy cause by getting a special design, or pay a little extra for a personalized plate. But that, in Reviver’s opinion, is so 20th century.

When your car isn’t moving, the rPlate can show “Amber alerts and weather warnings, as well as custom messages from the driver…along with images”. Why not? It’s got that Internet connection, so why not make use of it? I don’t know about you, but when I’m sitting at a red light, I really don’t want the drivers behind me and in the next lane over looking at my license plate; I want them watching the road.

And how much control can, or will, Reviver exercise over those custom messages? “Go [sports team]” is relatively harmless, but what about “Kill [political figure]”? Presumably they’d include a filter for offensive words, but who gets to decide what words are on that list? How many Internet filters block access to gay rights organizations and breast cancer survivors’ groups? And it’s much harder to filter images. I suspect the first hardcore porn pictures will show up within twelve hours of the plates going on sale.

There’s also the chance (somewhere between 99% and 100%) that someone will figure out how to hack the plates via that Internet connection to put their own pictures and messages on tens of thousands of plates. Think those ads people leave on your windshield are annoying? Wait until they start hijacking your license plate to hype their hair and nail salons, DJ performances, and political candidates.

But that Internet connection is really the heart of the whole plan. No matter how bad an idea the automated renewal and message display options may be, they’re not going away, because they’re the excuse to include that designed-in vulnerability. Why? Reviver is quite upfront that they plan to sell advertising.

I’m sure they have the loftiest of intentions to control the content of the ads to avoid offensive content, but even companies with long experience in advertising don’t always get that right.

I’m also sure that the states will appreciate their cut of the ad revenue–and the ability to use that Internet connection to track where your car has been. Who needs license plate cameras and red light cameras when your car will cheerfully offer a time-stamped report of every mile you drive?

And I’m quite sure that we’re not going to get a kickback of any of the ad money–we may even pay an annual subscription fee for the use of the plates (on top of the cost of registration; what was that about saving money?)–for the privilege of being a mobile billboard and being tracked far more precisely than ever before.

Batter Up

Welcome to 2017!

The beginning of the year is completely arbitrary. There’s no relationship to any specific event*, but it is when it is, and we’ll have to make the best of it.

* I’ve long been of the opinion that the year should begin with the Winter Solstice, when the days begin getting longer again. Better yet, set it in mid-February, when pitchers and catchers report for Spring Training. But there’s too much cultural inertia behind the current system to make a change at this point. A shame nobody thought to introduce Pope Gregory to baseball. The 1582 season was a thriller, and might have converted him. As it was, the confusion caused when Italy adopted the new calendar in October, while Greece remained on the old calendar forced the abandonment of the World Series with Milan and Athens tied at two games apiece. But I digress.

My first post of 2014 covered continuing problems with the Bay Bridge, BART, and the San Francisco Giants. In 2015, I talked about BART and Caltrans again, and added a few thoughts on the NSA, police militarization, the Oakland As, and phablets. Despite the initial gloom and doom, both years had their ups and downs, but turned out relatively well.

I started 2016 with “The Tale of Knuckles Malloy” and we all know the general consensus on last year. I won’t accept sole responsibility for the state of the world, but it’s clear I should begin this year with a rant instead of trying to entertain.

Unfortunately, I really don’t have anything new to say about the problems besetting our transportation infrastructure, super-giant phones, or the increasing number of threats to privacy and security. And the less said about the Giants’ and As’ off-season moves thus far, the better.

How about a generic admonition instead of a rant?

If you’re one of the majority who regards 2016 as the worst year since [insert date here*], don’t just sit back and hope 2017 will be better. That’s not going to work.

* Popular choices include 1969, 1944, and 1930. If that seems rather 20th Centuryist, you might want to consider 410, 1066, or 1348.

Granted, there isn’t much any one person can do about some of the depressing aspects of 2016. But some can be dealt with. Pick one–any one–and do something–anything–about it.

It doesn’t have to be something big. I’ll spare you the usual platitudes about grains of sand and beaches or acorns and oak trees. But you’ll feel better for having made a contribution.

Oopsie!

Let’s get the obligatory disclaimer out of the way, shall we?

I’m not in favor of piracy. IMNSHO, information does not want to be free. And, while I believe the music, movie, and publishing industries, have, to varying degrees, bobbled the transition to a digital-dominated marketplace*, I don’t believe that justifies an attitude that all audio, video, and written material can be “shared”, guilt-free.

* Especially when it comes to the methods they use to enforce copyright.

That said, I had to laugh when I saw this story. You read it correctly. Warner Bros. issued DMCA takedown requests against its own websites because the content violated its own copyrights.

To be fair, the requests didn’t come from WB directly, they came from Vobile, a company whose homepage claims their goal is to “Protect, Measure, Monetize the best movies and TV content in the world” Advertising mis-capitalization aside, that’s a remarkably elitist statement, isn’t it? Do they decide whether your content is among “the best” when you engage with them, or–as seems likely–is the fact that you want them to work their PMM magic sufficient evidence that your content is superior?

Regardless, they use the usual sort of digital “fingerprint” technology to identify their clients’ content–and then, apparently fire off a barrage of DMCA takedown requests with little-to-no human oversight. “Fair use? What’s that?” “Verification? Never heard of it.” Yeah, I’m putting words in their mouths.

Hey, do you suppose Warner has told Vobile that they should stop searching for unauthorized distributions of “Happy Birthday”? After all, the song was only placed in the public domain seven months ago…

Anyway, it’s a nice bit of gander sauce.

Moving on (briefly).

Rumor has it that Google is preparing to release a successor to the extremely popular Nexus 7 tablets. Ars, among many other tech venues, suggests that it’ll be announced at Google’s big October 4 launch party, along with new phones, Chromecast, and VR hardware.

If it’s true, I’m very glad to hear it. The world needs more seven-inch tablets. It’s an excellent size for reading, it’s large enough that watching video and playing games isn’t an exercise in annoyance, and it’s small enough to be carried easily.

I don’t expect to be getting one immediately–I’m still quite satisfied with my $50 Amazon Fire tablet for reading and my Nexus 9 for anything that needs a larger screen–but if the new “Pixel 7” (or whatever they decide to call it) is as affordable as Google’s earlier seven-inchers, I’d give it a strong recommendation to anyone who is in the market for a tablet.

Painfully Obvious

Apparently, Intel has decided that the best way to sell computers with their latest processors is to insult the intelligence of potential buyers.

Consider the pair of ads they’ve been running in heavy rotation recently. The first focuses on the wonders of facial recognition for security.

Let’s consider that for a moment. Leave aside the fact that facial recognition doesn’t require a sixth-generation Core processor and all the Intel trimmings–my old Android phone could do it just as well. Ignore the fact that facial recognition can and has been defeated with photographs or short videos played on a cell phone. Forget the fact that the amount of security provided by any single authentication feature is limited.

Even without considering all of those facts, how in Hell would locking his laptop with his face–or anything else–help the guy in the commercial? He doesn’t keep his money on his laptop*! He keeps it in the bank, like any sensible human being. The chances that someone cracked his laptop to steal his life’s savings are somewhere between slim and none. More likely, his bank’s been breached by a cracker in Asia who’s made off with millions.

The poor schlub being castigated in the commercial is probably delivering cash to the bank so it can cover the expected demand for account closures when word of the breach gets around.

* Well, OK, maybe he’s heavily into Bitcoin. But if he’s that heavily invested in digital currency, he’s not keeping his wallet on his laptop; he’s got it on the machine at home that’s busy mining currency 24/7.

Then there’s the second ad. This one talks up how fast and light the new computers with the latest Intel processors are. “Well, if it’s so old, why are you chasing it?” the spokesperson asks the poor, befuddled woman who just left her old computer in a cab.

Well, maybe it’s got something to do with the years of data she’s got stored on its hard drive. If she’s lucky and smart, most of it’s backed up somewhere, but chances are, there’s something on there that isn’t backed up. Maybe the latest changes to the presentation she’s about give? Or maybe the steamy photos her sweetie just e-mailed her. Why should she care if some random stranger opens her laptop and sees those*?

* Don’t forget: in Intel’s universe, if the computer is that old, it can’t be securely protected, because it won’t do facial recognition!

Again, leaving all of that aside, what good would it do her to have a new, fast, light laptop? She’s still going to be chasing the damn cab trying to get it back when she leaves it on the seat.

Come on, Intel, assume we have a modicum of intelligence, and spend those advertising dollars telling us what your CPUs can do better than anyone else’s.

Moving on.

A brief Windows 10 Anniversary Edition note: There are reports from the first people to install the new Windows 10 that it’s not playing nicely on computers that dual-boot Windows and Linux. Details are inconsistent; some users are saying that their Linux partitions have been deleted; others report that the partitions are present, but inaccessible; still others say that Windows detects the partitions as unformatted and asks permission to format them.

Naturally, users are screaming about Microsoft’s insidious plan to force a “Windows-only” world on us.

Let’s be honest: Windows has never played well in a dual-boot scenario, especially when it comes to upgrades. I strongly doubt that Microsoft is intentionally wiping out Linux installations. For one thing, if they were, every dual-boot system would be affected, and we’d have a lot more information about what’s going on by now.

The smart money says it’s a bug–and given the incredible variety of hardware configurations Microsoft supports, it’s not even a “Who QAed This Shit?” bug. High-severity, yes. Hopefully a high priority for a fix, as well. But I think it’s a mistake to ascribe it to malice or a plan for world domination.

That said, if you do dual-boot, I’d recommend postponing the upgrade as long as possible. Let someone else risk their setup until more details emerge.

If you don’t dual-boot, the upgrade to the Anniversary Edition shouldn’t be any riskier than any other Windows upgrade. The most likely outcome is a successful install, possibly combined with some changes to your desktop (i.e. if you’ve turned Cortana off, the upgrade may turn her back on.)

For what it’s worth, my Windows-only laptop is installing the upgrade now. But my desktop machine, which is dual-boot, will stay in Linux for at least a couple of weeks–if I don’t go into Windows, I won’t get Anniversary Edition.

Google I/O 2016

We’re in Google I/O week, so I suppose I should do my annual summation of the keynote and highlight what we can expect to see heading our way.

Google is very excited about “the Google Assistant”. It’s a collection of technologies–natural language processing, voice recognition, geographic awareness, and on and on–intended to provide context-aware help and advice.

From what I can see, a large part of it is the next stage in the evolution of “Google Now” and “Now on Tap”. Ask the assistant about movies, and it’ll give recommendations tailored to your local theaters, what you tell* it (or what it already knows!) about your family and your tastes, and let you buy tickets. All from within the search app.

* Yes, “tell” as in “speak aloud”. Voice recognition, you dig?

Nothing new and earthshaking, but definitely keeping the pressure on Apple and Amazon. Especially Amazon–there’s going to be a “Google Home” device later this year that’s built around the Google Assistant technology. Like Amazon’s Echo–but since it’s from Google, of course it’ll be zillions of times better.

Google Assistant will also be part of two new apps: “Allo” and “Duo”. Allo is the next generation of text messaging, replacing “Hangouts”. The GA will listen in on your exchange of messages, allowing it to pre-write replies for you (presumably going beyond simple “yes” and “no” answers) and letting you to ask it for context-sensitive help. Their example of the latter is giving you restaurant recommendations based on your current location (or an area you’ve been discussing) and food preferences. Oh, and it’s got emoticons and variable font sizes. Yay.

Duo is video chat. Call screening, performs well when bandwidth is tight, switches between wi-fi and cellular as appropriate. What can you say about video chat? Oh, it’s cross-platform, Android and iOS. I doubt any Apple-only conversations will move off of Facetime, but it ought to be nice for integrated families and businesses. (Maybe it doesn’t have GA. If not, look for that at next year’s I/O.)

Moving on.

Google can’t decide what to call Android N. They’re taking suggestions from the Internet. If you’ve got any ideas, go to https://android.com/n/ And no, they’re not offering any prizes. I’d suggest “Nutmeg,” but how would you turn that into a statue for the front lawn? There’s still the possibility of another corporate tie-in. “Nerds,” anybody?

We already know a lot about what’s new in N–new graphics APIs, split screen/multitasking, compiler improvements (and a partial return of the Just-in-Time compiler that was removed in Lollipop. The idea seems to be to provide faster installs by letting apps run with the JIT compiler at first, then compile them in the background, presumably while you’re not using the device for anything else. The user messaging for background compilation failures will be interesting. “Why does it say I need to delete some pictures to install Duo? It’s already installed and working fine!”

Other changes: Encryption will be done at the file level instead of the disk level. Other than developers and the NSA, nobody will notice. Background OS updates: assuming your carrier actually approves an update, your phone will install it in the background, then make it live with a simple reboot. No more half-hour waits for the monthly security patches to install. Assuming you get the patches, of course.

Virtual reality. Yep, as expected, Google is joining the VR craze with support for it baked into Android–on capable devices, naturally. Even some current Nexus phones fall short–Nexus 5X, I’m looking at you.

Android Wear 2.0. Hey, your watch can do more stuff without talking to your phone. Sigh

Instant Apps. It’s not strictly correct in a technical sense, but think of a bundle of web pages packaged as an app that runs on your device without installation. Seems useful, especially if you’ve got limited bandwidth, but unless you’re a developer, you probably won’t even notice when you transition from the Web to an Instant App.

So, some interesting stuff, and–as usual–a lot of “meh”.

Word Outta Redmond

Multiple sources are reporting that Microsoft has released a pricetag for upgrading to Windows 10 when the current free upgrade offer expires at the end of July.

The cost? A mere $119.

Color me skeptical.

Not that I doubt that will be the official price. But consider that, as Ars notes, there are currently three times as many Windows 7 systems out there than Windows 10. Does anybody really believe that Microsoft sincerely thinks users who haven’t upgraded at no cost will pay for the privilege?

And remember, it’s greatly to Microsoft’s benefit to convince everybody to upgrade. Not only are there the cost savings for them in reducing their support burden for older OSes, but there’s also a significant income opportunity for them in monetizing the user information they get from Cortana and the OS in general.

So I suspect that Microsoft will find continuing opportunities to reduce or eliminate the upgrade fee after July 29th. For example, “To celebrate the release of the Windows 10 Anniversary Update on July 30th, we’re offering a free upgrade to users of Windows 7 and Windows 8!”

OK, I’m not an advertising copywriter. But I’m sure Microsoft has several of them on staff, fully capable of making the same thing Microsoft has been doing for a year sound fresh and exciting.

Am I changing my recommendation to those of you still running 7 and 8 that you should upgrade before the end of July? No. Microsoft has fooled the experts in the past, and it could happen again. And, realistically, the user experience in Windows 10 is miles ahead of 8. It’s more of a wash compared with Windows 7, but even there once you get to the top of the learning curve, it’s no worse.

And there’s one other thing to consider: If you upgrade to 10 and decide you absolutely can’t stand it, you can still downgrade back to your previous operating system. But that does not invalidate the Windows 10 license you got when you upgraded. So you would still have the option of waiting a year or two, seeing where Microsoft goes with Windows 10, and then re-upgrading when support for 7 and 8 runs out.

One final note. I mentioned the monetization of user data earlier. It’s true that Windows 10 collects a lot of information about what you’re doing. It’s also true that you can’t turn it all off. But you can take a few steps to minimize it.

Number One is Cortana. If you’re trying to cut down on how much Microsoft knows about you, don’t use Cortana. Turn her off.

And while you’re at it, turn off a few other things:
Open the Privacy Settings dialog (the easiest way to find it is to type “privacy” in the search field at the left end of the task bar). Work your way down the left menu and turn off everything you can live without. Everything on the “General” screen–although if you use Microsoft’s Edge browser, you should probably leave the “SmartScreen Filter” on.

Turn off Location, turn off the camera or strictly limit the apps that are allowed to use it, and ditto for the microphone.

“Speech, inking, & typing” is, by and large, Cortana.

Strictly limit the apps that have access to your Account Info, Contacts, Calendar, Call history, Email, and Messaging. Radios and “Other devices” should be under tight control too.

Feedback & diagnostics is an interesting one. You can set Feedback frequency to “Never” to prevent Microsoft from occasionally asking you questions about your “Windows experience”. But you can’t turn off Diagnostic and usage data. If a program crashes, Microsoft will be told about it, and they will collect at least some information about what applications you’re using. The best you can do is select “Basic” to minimize what they get.

Don’t forget to review which apps have permission to run in the background. You probably want the calendar running in the background, but do you really want Edge running, downloading whatever Microsoft thinks you might want to see–or more importantly, whatever Microsoft wants you to see?

And one last thing to check: The privacy implications are somewhat limited, but it’s especially important for those of you who have slow network connections or are charged by the amount you use your connection.

Go to the Windows Update settings, click “Advanced options” and then “Choose how updates are delivered”. Turn OFF “Updates from more than one place”. Yes, that’s right. Microsoft is using every Windows 10 computer that leaves the default settings in place as part of the Windows Update delivery system. How charming.

I’ve heard that it works like bittorrent software, in that there’s no central registry of which computers have what updates available, but even so, do you really want your computer advertising that it hasn’t yet installed the latest security fixes?

What a Waste

Lots of interesting news at the intersection of privacy and security these days. The ongoing Apple/FBI feud is only a tiny piece of it.

Consider, for example, the case of Paytsar Bkhchadzhyan. It seems that not all locking methods are created equal in the eyes of the law.

Things you know, such as a password, are legally protected: you can’t be forced to give them up because that would infringe on your constitutional right not to testify against yourself.

But things you own, like a PIN fob, or things you are, like a fingerprint, are not protected.

Accordingly, a court has ordered Ms. Bkhchadzhyan to give investigators her fingerprint along with her iPhone. It’s unclear whether they’re holding her fingerprint–and presumably her finger–while searching the phone.

Mind you, there’s still some wiggle room in the legal interpretation. Ars also has a report on a man who’s been held in jail for seven months for refusing to supply the password to decrypt a pair of hard drives.

His lawyer has invoked the Fifth Amendment privilege against self-incrimination, but to date the legal system appears to believe that the now-infamous All Writs Act–the same law the FBI was trying to use against Apple–supersedes the Constitution.

So, pending the result of the current appeal, using a passcode doesn’t seem much safer than a fingerprint.

Not all the news is bad, however. In a case that will mostly be of interest to residents of Washington State, a King County judge has ruled that sanitation workers cannot dig through trash while collecting it.

Seattle required workers to inspect trash to ensure that food waste went into compost bins instead of trash. However, the judge held that amounted to a warrantless search, and was forbidden under the privacy provisions of the Washington State Constitution.

It’s a minor victory for privacy, yes. And sanitation workers can–and will–still check for compostable materials “in plain view.” But at least they won’t be able to open garbage bags and dig through them checking for compliance.

We’ll take our victories where we can find them.