more on Google search and seizure, etc. vs. technologists

[David Farber <dave () farber net>]

Begin forwarded message:

From: Bob Frankston <Bob2-19-0501 () bobf frankston com>
Date: December 4, 2005 12:48:19 PM EST
To: dave () farber net, ip () v2 listbox com
Cc: "'Lauren Weinstein'" <lauren () vortex com>
Subject: RE: [IP] Google search and seizure, etc. vs. technologists

After writing my comments below I was going to close by noting that  
there
is far more to worry about with fingerprints than Google since there is
still a belief that finger prints are authoritative even if there is  
only a
small portion recovered and the matching is subjective.

In the same way we can try to avoid leaving any tracks and live a very
circumscribed life. Or we can hope that our trails are noisy and that a
visit to whitehouse.com (vs whitehouse.gov) will not mark us for  
life. Who
knows if the visit was intended, unintended, prurient or just curious?

This isn't really about technology in isolation or Google per se.

We should do what we can to make people aware of these issues -- as with
Sony DRM ultimately it's people's perception. If Google is seen as  
spying
on us then they will lose too much business. Ultimately it's that rather
than users setting complex option that limits threats.

It's about transparency -- we need to pry into Google's closets  
before they
pry into ours.

The average user didn't understand the Internet until it was packaged  
in a
browser and today the internet is the web and people still don't  
understand
it beyond the simple examples they have. But even if they think that  
people
are watching them they don't know what it means. Even the so-called  
experts
implement link level security instead of end to end.

As to Google keeping track of your searches ... what about the trail you
leave in that old world of physical objects when you use your credit  
cards.
A few key words on Google are mild compared with you are stop at the  
7-11
and the cell call you made or the email messages. The threat of Google
keeping track of your keywords is very abstract. The reason this  
story made
the news is that it is very unusual.

Those who say users will never be able to use computers for word  
processing
for have LANs at home were right.

And completely wrong.

There is a middle ground -- it doesn't just happen by accident.  
Someone has
to create a bridge. If the other "side" is visible then more people  
would
try. There is a book, "Crossing the Chasm", about getting people to make
the leap. More often we have to build the bridges before people know  
there
is even an other side.

And very often there really isn't or we pick the wrong one. Handwriting
recognition was a big deal but a failure until Graffiti. Today oddly  
enough
Palm is emphasizing little keyboards and Microsoft is trying to push  
full
handwriting recognition. So much for presuming a simple linear path.

Home networking (LANs) is personal for me since I had to make sure the
Windows had the enabling mechanisms and I was trying to move in the
direction of encrypted IPv6 with legacy ports locked down.

Unfortunately we still haven't learned the lessons of Multics and  
Project
MAC (http://www.frankston.com/?name=Symbiosis as in Man/Machine  
Symbiosis)
in giving users a way to understand and express their intent. Of course
it's far more difficult today. At least in Multics you had to take a  
step
to make your files visible while Unix defaulted to starting with the  
door
wide open.

We do have a way to say "no cookies" but you can't really do much  
that way.
Same problem with the Java VM in the browser -- there is an all or  
nothing
policy.

Worrying about Google tracking you is in the same vein. If you use their
single login it's like being tracked by American Express or by your
library. Of course we know librarians won't track you -- but they will
track which books are popular and a really good library may try to make
better predictions so they can better serve you even if the chortle  
at some
of the findings.

If you don't use a single login then it's really hard to avail  
yourself of
their set of services. Same for Yahoo, AOL, MSN etc. As much as I have
problems with passport there seems to be some separation between your
"identity" and its use.

The reason I keep coming back to phishing is that it goes to the  
heart of
some of our perceptions. Is "Google" a nice warm friendly site or a site
that promises to be worth more than a few billion dollars?

I once looked up "Sodomy in Georgia" on Yahoo which was the title of a
David Bunnell editorial in the 1980's. The ads that popped up showed  
what
they thought of my search (a good reason for not having animated GIFs in
ads) and, by extension, me. BTW, just tried the search on Google in an
attempt to pollute my legacy and the law was eventually repealed.

Should I shy away from searching? Should I not give to political  
candidates
(the disclosure laws are indeed a violation of the first amendment)?  
Should
I worry too much about police finding a latent pencil line on a pad of
paper in my house having the words "dead meat" on it (a reminder to buy
hamburger)?


-----Original Message-----
From: David Farber [mailto:dave () farber net]
Sent: Sunday, December 04, 2005 05:52
To: ip () v2 listbox com
Subject: [IP] Google search and seizure, etc. vs. technologists



Begin forwarded message:

From: Lauren Weinstein <lauren () vortex com>
Date: December 3, 2005 8:53:22 PM EST
To: dave () farber net
Cc: lauren () vortex com
Subject: Re: [IP] Google search and seizure, etc. vs. technologists


> In the 1980s, the "average user" would never
> need a local area network in his home. In the early 1990s, the
> "average user" would never understand or need the Internet. And so on.

In fact, the reality of the current security and privacy mess with
the Internet helps to prove my point.  For example, talk to the folks
who drive around plotting all of the open wireless LANs that are
literally everywhere in virtually every neighborhood.  The vast
majority of them have *no* security at all -- not even cruddy old
WEP.  This includes businesses, medical offices, you name it, as
well as vast numbers of private homes.  Yet, for years every WLAN
product has included at the very least WEP capabilities, and
instructions on how to set it up.  Despite this, many people's open
WLANs are constantly being abused, sometimes with tragic results.

That situation is gradually starting to improve, but only because the
setting up of *some* level of security has become part of the
standard installation scripts for many products.  But until this
became the *default*, even when it was easy to use, most people
didn't bother.  Why?  Most of the time, simply because they didn't
believe that any associated risks applied to them -- and that view
is easy to understand.  The computer industry is great at promoting
the vast benefits of their products, but do their best to keep the
downsides to the fine print, buried in click-through license
mumbo-jumbo that even many lawyers would have trouble understanding,
along with lilliputian quick-start guides that are the only
instructions many people read.

The same thing goes for Internet services.  It is utterly reasonable
to expect that the *defaults* provided will respect people's privacy,
security, and other rights.  We are a society of laws and those laws
are there (at least in theory) to help protect those rights.  It is
unfair in the extreme to suggest that anyone who doesn't jump
through hoops to protect themselves from information abuse is
somehow negligent, while asserting that legislative efforts should
not be made to rein in the way that the services behave -- so that
those services meet a reasonable standard that society agrees is
appropriate.

Yes, imposing society's will on such firms can be tough to do,
especially when dealing with powerful and well-heeled interests.
But not to do so -- to not even try -- is just surrendering to what
most of us know in our hearts is just plain wrong.

--Lauren--
Lauren Weinstein
lauren () pfir org or lauren () vortex com or lauren () eepi org
Tel: +1 (818) 225-2800
http://www.pfir.org/lauren
Co-Founder, PFIR
   - People For Internet Responsibility - http://www.pfir.org
Co-Founder, EEPI
   - Electronic Entertainment Policy Initiative - http://www.eepi.org
Moderator, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy
Lauren's Blog: http://lauren.vortex.com
DayThink: http://daythink.vortex.com

  - - -

> Begin forwarded message:
>
> From: Phil Karn <karn () ka9q net>
> Date: December 3, 2005 7:10:30 PM EST
> To: dave () farber net
> Cc: ip () v2 listbox com
> Subject: Re: [IP] Google search and seizure, etc. vs. technologists
>
>
> > From: Lauren Weinstein <lauren () vortex com>
>
> > 1) Any practical attempt to "swamp" Google's database in such a
> >    manner is unlikely to succeed, given the sheer volume of legit
> >    queries that they receive.  I suspect they'd be smart enough to
> >    detect abuse patterns fairly easily.  That kind of analysis is
> >    their bread and butter.
>
> The idea is not to "swamp" Google. It's simply to create a little
> plausible deniability -- i.e., reasonable doubt -- that a given
> search was entered by the user and not by the automatic daemon.
>
> > 2) Attempts to purposely "abuse" Google in such a manner (faked
> >    requests) may well violate their Terms of Service, and if they
> >    don't now you can be sure that they will in some future version
> >    of the ToS.  The likely result will at a minimum be bans and ISP
> >    actions, and at the max lawsuits.  Pull out your wallet.
>
> Again, "swamping" or "abusing" Google is not the intent, nor is it
> very likely given Google's strong emphasis on performance and
> scalability. The idea is simply to create doubt that a given query
> was generated by a human, not by the robot. The "quality" of the
> synthetic queries is much more important than their quantity.
>
> Still, the extra traffic just might have the effect of encouraging
> Google to adopt a stronger privacy policy. Not that I'd place much
> stock in that, of course (see below.)
>
> > 3) Routing queries through anon proxies will provide some protection
> >    for the technological elite who understand such things.  They will
> >    not protect the average user, who most likely doesn't understand
> >    the risks and issues, and will never use such proxies, even
> >    assuming that they were trivial to use.
>
> I wish I had a nickel for everything I've been told "the average
> user" would never understand, need or be able to use. Back in the
> 1970s, the "average user" would never understand, need or be able to
> use a personal computer. In the 1980s, the "average user" would never
> need a local area network in his home. In the early 1990s, the
> "average user" would never understand or need the Internet. And so on.
>
> It is no more necessary that the "average user" understand how an
> anonymizing Google proxy works to use it effectively than to
> understand the fields in TCP/IP packet headers. The whole idea of
> civilization and commerce is that many people can benefit from
> specialized knowledge and skills that they themselves lack. The open
> source movement and the Internet itself have certainly demonstrated
> this.
>
> Personally, I prefer the anonymizing proxy over the random query
> generator. The proxy is likely to be more effective, and it generates
> no extra load. I mention the generator mainly to be complete. My
> point is that there *are* technical defenses against potential
> privacy abuses, and we can implement them ourselves instead of
> naively demanding that Google respect our privacy against their own
> commercial interests.
>
> And even if Google were completely honest, they would still be
> subject to Patriot Act abuses that we would never know about.
>
> The sad fact is that "national security" has become the root password
> to the Constitution. The only effective defense against a "rooted"
> system is not to put any sensitive information in it in the first
> place.
>
> --Phil


-------------------------------------
You are subscribed as BobIP () Bobf Frankston com
To manage your subscription, go to
  http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting- 
people/




-------------------------------------
You are subscribed as lists-ip () insecure org
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/