Routes of Least Surveillance (Manhattan, USA, circa 2001)
From “An Atlas of Radical Cartography” edited by Lize Mogel and Alexis Bhagat.
This is a ridiculously cool idea. I’d love to see something similar that used Google fusion tables + a game to map CCTV locations in order to give surveillance-minimized travel directions.
Google’s new privacy policy is going to be sheer gold for 1984 enthusiasts. While I’m not a fan of such simplistic references, it will provide a new round of comics for speakers at privacy, security, and surveillance conferences to rip off. Hopefully those same speakers aren’t themselves too tied to the notions of 1984 or the panopticon being the defining means of framing Google’s behaviours.
Android often receives high levels of criticism when hostile programs are found in its respective app stores. While anger is high, how prevalent is malware in Android markets? A series of papers, curated by Security Research Computer Laboratory at the University of Cambridge, examine just those questions. Go read them!
From the APPA’s letter to Google concerning Google’s new privacy police:
Initially, I would like to say that the TWG recognises Google’s efforts in making its privacy policies simpler and more understandable. Similarly, it notes Google’s education campaign announcing the changes. However, the TWG would suggest that combining personal information from across different services has the potential to significantly impact on the privacy of individuals. The group is also concerned that, in condensing and simplifying the privacy policies, important details may have been lost.
It’s a short, but valuable, letter for clarifying the principles that have privacy professionals concerned about Google’s policy changes. Go read it (.pdf link).
I sympathize with people’s concern and anger when they learn more about Apple’s atrocious APIs that let developers run off with consumer data. In the most recent revelation
Accepting an iOS prompt that asks permission to access location data can also allow copying of private photo and video libraries, the Times said yesterday. Because these devices often save coordinate information along with photos, it might also be possible to put together a user’s location history, as well as recording current location.
Apparently in an attempt to make photo apps more efficient, access to private photos has been available since the fourth version was released in 2010.
All of this, however disturbing it might be, make a lot of sense. Apple is a consumer company that aims to engineer products so that users can best enjoy them. This means they don’t want to throw a whole lot of security warnings in front of you, for two reasons: First, you’ll just ignore them anyways; second, they’ll annoy you and thus could reduce your iDevice usage.
Very few mobile companies ‘do’ security. The much-maligned Research In Motion is actually about the only mobile company that sells its products on security grounds, though the need to have secured code reduces the rate that they can bring new, highly innovative, product to market. Consumers, businesses, governments, and the market point to their slower rates of innovation as indicative of RIM’s forthcoming doom, but in so doing miss that the ‘cost’ of RIM’s death would be a near-absolute dearth of secured mobile platforms.
If you’re interested in reading about the economics of ignorance and mobile security, check out a piece that was written last year on this very subject.
I’ve talked about trying to pull together a measurable comparison of Internet service in Canada for a while, but as of yet haven’t had the resources to build a tool which meets my criteria. Industry Canada had a similar idea for basic cell phone services. Specifically, the government department created a calculator to help Canadians easily compare text/voice plans across Canada’s various mobile provides. We’ll never see the calculator, however, because:
Internal departmental records released to Postmediareveal that Clement’s decision came after direct lobbying from the likes of Rogers Communications, Telus and the Canadian Wireless Telecommunications Association. Clement defended the decision to shut down the calculator by stating that it was “unfair” in that it didn’t include bundled services mainly offered by, yes, the big telecommunications providers.
It’s incredibly unfortunate that this tool wasn’t provided – it would have been of real assistance to the large number of Canadians that aren’t using bundled services. What’s worse is that, rather than providing the tool in a ‘basic’ state and then scaling it depending on demand (the approach planned by Industry Canada) the whole project was scrapped. Not even the source code has been made available. Consequently, Canadians paid a fortune to develop a tool which met its basic design specs, and have nothing to show for it save for a large government bill and the continued hassle of trying to decipher the cacophony of mobile phone plans. Carriers: 1 Canadians: 0.
An excellent piece from Bruce Schneier, in interview, concerning the relationship between trust and security. It’s short, so just go read it. For a taste:
My primary concerns are threats from the powerful. I’m not worried about criminals, even organised crime. Or terrorists, even organised terrorists. Those groups have always existed, always will, and they’ll always operate on the fringes of society. Societal pressures have done a good job of keeping them that way. It’s much more dangerous when those in power use that power to subvert trust. Specifically, I am thinking of governments and corporations.
Dan Goodin has a good piece on one of Bruce Schneier’s recent talks. From the top of the article:
Unlike the security risks posed by criminals, the threat from government regulation and data hoarders such as Apple and Google are more insidious because they threaten to alter the fabric of the Internet itself. They’re also different from traditional Internet threats because the perpetrators are shielded in a cloak of legitimacy. As a result, many people don’t recognize that their personal information or fortunes are more susceptible to these new forces than they ever were to the Russian Business Network or other Internet gangsters.
The notion that government – largely composed of security novices – large corporations, and a feudal security environment (where were trust Apple, Google, etc instead of having a generalizable good surveillance footprint) are key threats of security is not terribly new. This said, Bruce (as always) does a terrific job in explaining the issues in technically accurate ways that are simultaneously accessible to the layperson. Read the article; it’s well worth your time and will quickly demonstrate some of the ‘big’ threats to online security, privacy, and liberty.
A really interesting paper on social authentication has just been released that looks at how facial identification ‘works’ to secure social networks from unauthorized access to profiles/records. The authors note that users of social networks are most concerned in keeping their interactions private from those who know the users. Specifically, from the abstract:
Most people want privacy only from those close to them; if you’re having an affair then you want your partner to not find out but you don’t care if someone in Mongolia learns about it. And if your partner finds out and becomes your ex, then you don’t want them to be able to cause havoc on your account. Celebrities are similar, except that everyone is their friend (and potentially their enemy).
Moreover, a targeted effort to identify a users’ friends on a social network – and examine their photos – will let an attacker penetrate the social authentication mechanisms. While many users would consider this a design flaw Facebook, which uses this system, doesn’t necessarily agree because:
[Facebook] told us that the social captcha mechanism was used to solve the problem of large-scale phishing attacks. They knew it was not very effective against friends, and especially not against a jilted former lover. For that, they maintain that the local police and courts are an effective solution. They also claim that although small-scale face recognition is doable, their scraping protection prevents it being used at large scales.
What Facebook is doing isn’t wrong: they simply has a particular attacker-type in mind with regards to social authentication and have deployed a defence mechanism to combat that attacker. Most users, however, are unlikely to consider that the company has a different attack scenario in mind than its end-users, leading to anger and concern when the defence for wide-scale attacks fails to protect against targeted attackers. While I don’t see this as a security or policy failure, it is suggestive that companies would be well advised to explain to their users how different security inconveniences actually interact with different hack/attack scenarios. Beyond educating users as to what they can expect from the various defence mechanisms, it might serve to raise some awareness about the different kinds of attackers that companies have to defend against. In an ideal world, this might serve as a beginning point in educating users to become more critical of the security models that are imposed upon them by corporations, governments, and other parties they deal with.
The folks at the University of Cambridge’s Security Research and Computer Laboratory have pulled together a terrific set of short (and accessible) papers on security and privacy. I’d highly recommend taking a look.
Excited Pixels