It’s been a difficult, depressing year for many of us. Different reasons for different people, of course, but depressing none the less.

There are two ways to deal with downers*: work to mitigate them, and focus your attention on happier things.

* Let me be clear here: I’m talking about isolated depressing events. Ongoing depression is a completely different matter; one that has surprisingly little to do with specific occurrences, and that needs to be handled differently.

Some things you can work on: the result of an election, for example (right, British readers who didn’t favor Brexit?) Others, not so much.

So, with Thanksgiving approaching, take a couple of minutes to think about something you’re grateful for. Non-US readers, feel free to join in. Even if you don’t observe our holiday, there’s never a bad time to give thanks.

Last night we hit a major milestone.

Much as Rufus loves the neck skritches and tummy rubs, he hadn’t quite gotten behind the concept of laps. He’d flop on the floor of his enclosure for cuddles, and that was pretty much it. If we hoisted him into our laps, he’d stand nervously for a minute or two, then hop down and demand more pettings from the floor.

Then came last night. Maggie set him in her lap and…

Yup. He settled in. He’d probably still be there if I hadn’t startled him by starting to sneeze.

Right now, warm laps and warm, snuggly cats to sit in them are high up on my list of things to be thankful for.

Theft Detection

Sort of a painful post today. I hate to publish a downer about Google right after the neutral-to-good things I said yesterday, but putting it off doesn’t make it any better.

There’s an interesting story on The Verge about Google uncovering a ring of Chinese car thieves.

The gist of it is that the thieves would take pictures of cars parked on the street and use the photos in ads offering the cars for sale. When they found a buyer, they would go steal the car, take the buyer’s money, and leave him to deal with the repercussions of having purchased stolen merchandise. It’s a clever scam: the JIT procurement processes means that the car probably doesn’t get reported as stolen until after the deal is done, and the delays built into the Chinese banking system apparently make it almost impossible for the buyer to stop payment–and give the thieves several days to make their getaway.

So what’s the Google connection? It seems that when they were updating their tools for detecting fraudulent ads in their AdWords network, a bunch of used car ads were getting flagged alongside the expected ads for counterfeit designer goods and phishing schemes. Nobody was sure why, as the ads didn’t appear significantly different than other ads for used merchandise that didn’t get flagged. In fact, as far as I can tell from the article, nobody is still quite sure exactly what caused the fraud flag to be set. There are some obvious clues, most notably a pattern of quick buys from new accounts. But because the main algorithm incorporates its own feedback loop, using the results of past runs as input for new runs, the specific combination of pieces of information is obscure, to say the least.

Of course, there really isn’t much Google can do when they spot a fraudster in China. They can delete the ad from AdWords, but that’s about it. Their relationship with China is rather rocky, making the sort of fast, targeted communication necessary to catch the scammers somewhere between “difficult” and “impossible”.

But they’re spotting crime, and there are other countries where Google has better access. This is a good thing, right?

Well, no. Even without considering the question of false positives–not everything that gets flagged as fraudulent will actually turn out to be an actual crime–consider this quote from AdWord’s director David Baker: “There’s no one thing or even a handful of things. It’s thousands of pieces of information in aggregate.” In other words, it’s Google’s massive database of information about who is doing what using their system.

This is, of course, exactly the same database that the NSA and other law enforcement and intelligence agencies are accessing in secret. Do you really want Google being forced to produce a list of suspected terrorists based on advertising history? Keep in mind that the database doesn’t just include the ad buyers, it also includes who sees which ads, what pages the ads were shown on, and whether the viewer clicked on them. Are you confident that your name won’t show up on the list?

Sure you’re OK with that risk–terrorism is pretty bad stuff, after all? Consider the FBI’s definition of terrorism: “…the unlawful use of force and violence against persons or property to intimidate or coerce a government, the civilian population, or any segment thereof, in furtherance of political or social objectives”. “Any segment” could be as small as one or two people, which means it could apply to breaking windows during a protest (see, for example the recent protests in Oakland over the Zimmerman trial verdict). I’m not the only one who thinks this is a legitimate risk. As far back as 2002, the ACLU pointed out that Greenpeace, Operation Rescue, and WTO protesters were at risk for being treated as terrorists. Open Salon pointed out that the Department of Defense explicitly defines protests as “low-level terrorism” and that definition was used in responding to the 2008 “RNC Welcoming Committee” protests.

Still totally confident that your name isn’t going to show up on the suspect list? Let’s face it: if you came to this post via a Google or Bing search, you’re going to be on that list. Chances are good that even if you just have this blog bookmarked, a simple demand that WordPress turn over their activity logs would include enough information for you to be tied to your other web actions and identified.

And none of this discussion even considers the possibility of scope creep. If the NSA can use this approach to fight terrorism, who’s to say that the local police can’t use it to fight serious crimes like rape and murder? And once that door is open, history shows that other crimes won’t be far behind. Fraud (remember where this discussion started?), theft, and even driving violations could be next).

I implied back at the beginning of this post that it’s Google’s problem. It is and it isn’t. As with the NSA’s reported surveillance activities to date, Google wouldn’t have a whole lot of choice about cooperating with a demand for such materials. It’s their problem, but it’s ours too. And there isn’t any more of a good solution for this part of the problem than the rest of it.


No, that title isn’t the start of a joke.

Now I feel like an idiot for April’s post on the CISPA bill and its potential to strip privacy protections online.

After all, we now know that we already have no protection.

With this week’s revelations about phone companies being required to turn over metadata for all calls and the existence of the PRISM program that gives the NSA full access to everything that Microsoft, Google, Apple, and a host of other large Internet companies know, it’s clear that if you use a phone or computer, you have no privacy whatsoever.

Consider: According to the Guardian and Washington Post reports, to conduct a PRISM search, the NSA has to be 51% sure that the subject is foreign. That’s the only limitation. A barrier that low will allow a massive number of false positives, but that’s almost irrelevant, because once the search begins, it can (again according to the reports) be extended to all of the contacts of the subject and all of the contacts of the contacts. By design, anyone who is “probably” not a US citizen is – and has been since at least 2007 – a terrorism suspect.

Hell, more than half of the regular readers of this blog are “foreign”; they have no protection against being the subject of a PRISM search: PRISM was designed to allow the NSA to monitor everything they do online to “protect against terrorism”.

Last week’s picture of Kokoro lurking in the headboard of my bed drew likes from people in England, Wales, and Moscow. The NSA knows that (and knew it before this post told the world). Since I’m now associated with those foreign “suspects”, all of my online activities are now available to the NSA, and because I’m associated with you, so are yours. And by “you”, I’m not just talking about those of you reading this post. Everyone I’ve communicated with falls into that category – as described, PRISM would make it trivially easy for the NSA to link the email address I use for this blog to all of my other email addresses, at which point they’ll find out that I’ve exchanged emails with citizens of India, Japan, and China. Better check all of their contacts; since they’re foreign, the rule of “two levels of contacts” resets and the NSA can chain their searches outward from there. Nice work, Kokoro. You’re single-pawedly responsible for the investigation of thousands of people around the world for their possible roles in plotting terroristic acts against the US.

Yes, I do have a sudden urge to make myself an aluminum foil hat. Why do you ask? Right now it’s seeming like the most sensible thing to do.

Seriously though folks, if even half of the capabilities being touted for PRISM are accurate, by combining its output with the results of the phone company data, the NSA can figure out not only damn near everything you’ve done online, but also what you’re doing out in the real world. Legally. And that’s why I feel like an idiot about getting bent out of shape over CISPA – all that adds to the government’s capabilities is to let the FBI and Homeland Security track US citizens without first linking them somehow to someone “foreign”.

Please, no comments along the lines of “If you’re not doing anything wrong, you shouldn’t care.” If nothing else, when the government can secretly monitor everything you do, “wrong” is what they define it to be. I don’t think I’m being overly pessimistic in saying that “Niemöller” and Orwell were conservative.

Frankly, I think there’s very little we can do. The capability won’t go away: even if a public outcry forced the repeal of the PATRIOT Act and the other legislation that enables this warrantless surveillance, you can be sure that the tools will stay in the hands of the government agencies that have it now. They’re just too useful for them to give up. And removing the laws that limit their use will just encourage the agencies to use them more: why shouldn’t they if any use is illegal?

Heck, given the administration’s position that these data collection programs are “a critical tool in protecting the nation from terrorist threats”, even trying to take those toys away can be classed as a terroristic act (giving aid to terrorists).

If y’all will excuse me, I’m going to go downstairs and arrest myself. Maybe if I save the government the effort of doing it, they’ll let me share my cell with Kokoro.


This is just tacky. Inevitable, but tacky none the less.

Mike McCaul, a Republican congressman from Texas, is using the Boston Marathon bombing as an argument for passing the CISPA bill currently pending in Congress. Said McCaul: “I think if anything, the recent events in Boston demonstrate, that we have to come together to get this done in name. In the case of Boston, they were real bombs. In this case they’re digital bombs. These bombs are on their way. That’s why this legislation is so urgent. For if we don’t and those digital bombs land and attack the United States, and Congress failed to act, then Congress has that on his hands.”

The CISPA legislation would allow companies to share any information – including customer’s personal details and private emails – with “any other entity” if there is some relationship to “cybersecurity”. I’m not a lawyer, but as I read the proposed wording, this would allow any company that provides cybersecurity to itself to send customer data not only to the government but to any other company that provides cybersecurity to itself.

Again, as I read it, it’s so broadly written that encrypting customer’s passwords on their website could be construed as a providing cybersecurity, and mistyping a password could be interpreted as a hacking attempt (a “cyberthreat”). So under this legislation, I could see, say, Microsoft sending a list of customers who had failed logins (including all known information – names, addresses, income, SSN, and so on) to a marketing affiliate with a cover along the lines of “The following individuals may have been the subject of a cyberthreat. Please be on the alert for further attempts to access their information.”

Think I’m being alarmist? Note that the bill includes language (“Notwithstanding any other provision of law”) which many advocacy groups believe would protect companies from any violation of laws protecting privacy rights or even their own privacy policies. Note also that the Computer Fraud and Abuse Act (intended to be used against malicious hackers) was used to prosecute a woman last year for setting up a fake MySpace profile as part of an online harassment campaign. Even better, according to the ACLU, amendments supposedly made to improve privacy actually decrease it by adding library and tax information to the category of information that can be collected and shared.

Even more delightful: if the company sends your information to anyone, you’ll never know – the company is under no obligation to tell you that your information is being shared, and even in the case where the information is sent to a government agency, that agency will notify the company about the validity of the alleged threat, but not you.

Note that CISPA was passed by the House last year and died in the Senate. A package of amendments to add some protections (including limitations on police ability to request information without a warrant and confirmation that privacy policies can be legally enforced) was rejected by the House Rules committee Tuesday.

So, coming back to McCaul’s tactic. He’s saying that you have no right to privacy because you might be a bomber, a hacker, or a liar and that it’s not only the government’s responsibility to monitor everything you say or do online in case you decide to tell a lie, but it’s also the responsibility of every company you do business with to do the same.

The really depressing thing is that tacky or overblown, it appears that McCaul’s tactic worked. Today’s vote on CISPA in the House passed by a larger margin than it did last year.

President Obama threatened to veto the bill if it gets to him, but a promise isn’t worth much in the face of appearing soft on terrorism. The bill goes on to the Senate now. Contact your senators now and let them know that you oppose CISPA’s sharing of your personal information.