There’s a lot of confusion about the actual versus rhetorical security integrated with Apple’s iMessage product. I’ve tried to suggest, in the linked article, how Canadians can use our federal privacy laws to figure out whether Apple is, or the company’s critics are, right about the company’s security posture.
Category: Writing
From an editorial in the Cape Breton Post:
Elections Nova Scotia also touts “a dozen ways to vote.” But that’s a little misleading. Nine of those “ways” involve a write-in ballot.
Conspicuously, none include electronic voting. The significance of Doiron’s claim that Elections Nova Scotia’s changes will make it easier for people to vote fizzles when we consider the fact that electronic voting allows people to vote from virtually anywhere.
The Cape Breton Regional Municipality successfully implemented e-voting during the last round of municipal elections in 2012, with 26,949 — or 32.8 per cent — of CBRM electors voting electronically.
And as Postmedia News recently reported, Elections Canada has been touting Internet voting since 2008, although budget cuts put the kibosh on plans to introduce online voting in byelections held this year. But at least Elections Canada acknowledges the potential value of e-voting.
So, what are the chances of an elector voting electronically in a provincial election anytime soon?
“The registration and voting and the security — maintaining the integrity of the election — is still a very tricky game,” Doiron told the Globe and Mail. “And that’s one of the reasons that no provincial or federal authority has online voting yet because it’s just not secure enough for the kind of integrity we have to deliver.”
The CBRM had e-voting success. And at the federal level, barriers to implementing electronic voting seem to be more fiscal in nature than about security.
I’m curious as to how the author of this opinion piece concludes that fiscal issues are more significant than security issues. I presume that they are referring to Elections Canada’s decision to scrap an e-vote test, but despite not running the test the federal agency recognized that security was an issue with online voting.
These security challenges have been highlighted repeatedly: a recent election in Nova Scotia used online voting, and officials cannot guarantee that votes were recorded properly based on significant technical deficits. Similarly, voting events during the NDP Leadership election in 2012 suffered from third-party interference, which ultimately caused people to not vote. Moreover, even if the servers that recorded votes in both situations were secured all of the intermediary systems were not; consequently it is functionally impossible to assert that the malware-ridden computers that people vote on or intermediary network points didn’t alter voting outcomes.[1] This isn’t to say that malware or intermediary interference did affect the outcomes, but that the authoritative conclusions of online votes are much, much weaker than those reliant on paper ballots.
Voting matters. A lot. And folks that insist that we can ignore the security and privacy issues either don’t care enough to learn the detailed problems of online voting, or don’t seem to care that most verifiable online voting mechanisms enable the tracking of how people vote. That kind of tracking is something that a large number of people fought hard to excise from our democratic electoral systems. We invite it back in at our peril.
For more on this point, see “Online Voting and Hostile Deployment Environments” ↩
jakke said: Actually I don’t agree at all. That’s directly analogous to leveraging (some is a positive externality to credit, too much is a negative externality to risk, the threshold differs depending on whom you’re talking about) and we can regulate that.
The literature that has looked at the economic of privacy over the past decade or two has been absolutely dismal, insofar as efforts to operationalize the ‘value’ of privacy are pervaded with assumptions of rationality, comprehension, ability to enact privacy choices, and so forth. The literature on privacy more generally is still struggling – after 40+ years – to really move beyond squabbling about what ‘privacy’ even means. The consequence is that ascertaining the externalities linked to privacy infringements/violations/concerns/(term of the month) necessarily requires adopting one definition or another.
Unlike more ‘defined’ harms (e.g. X percentage of Y particulate in the water is linked to Z) those linked with privacy have a tendency to be more normative, and harder to measure as a result. Ascertaining what the chilling effect of corporate surveillance, or the consequences of non-transparency in how communications infrastructures subtly modulate discourse and association, is an exercise in theory as much as anything else. Consumers, for lots of good reasons, are poor rational actors in lots of areas, and privacy is argued to be one of those areas.
So the quotation was emergent from a (longer) argument concerning the efficacy of economic analyses of privacy and place such analyses have within the broader dimensions of the contested individual, communal, and intersubjective natures of privacy. It’s on these bases that economic analyses fall short: while they *might* improve the situation, marginally, what is improved will be regarded as perpetuating the harm by some, and being the wrong measure of alleviating harms by other.
In the name of efficiency and good long-term planning, DHS is ensuring that its Predator Drones over the USA are able to distinguish persons from animals, evaluate whether such persons are armed, and are also integrating signals intelligence systems into the vehicles. From the article:
Homeland Security’s specifications for its drones, built by San Diego-based General Atomics Aeronautical Systems, say they “shall be capable of identifying a standing human being at night as likely armed or not,” meaning carrying a shotgun or rifle. They also specify “signals interception” technology that can capture communications in the frequency ranges used by mobile phones, and “direction finding” technology that can identify the locations of mobile devices or two-way radios.
The analysis and interdiction capabilities being integrated into drones may – prospectively – be considered legal. If they are legal then it should be clear that ethical and normative (to say nothing of constitutional) claims should be brought to bear on the basis that such expansions of government surveillance are almost certain to be used inappropriately and to the disadvantage of American citizens and residents alike.
The Internet of Things is moving apace and consumers are increasingly purchasing Internet-connected devices for their homes. In the case of SmartTVs it appears that manufacturers’ poor security design(s) could pose a direct threat to the network the TV is integrated with:
Since the well-known Javascript object XmlHttpRequest is available within the DAE, not only the TV is the target of possible attacks but also other networked devices in the user’s home network.
Using a timing-based approach, attackers are able to scan the user’s home network from the TV for other devices that are behind the user’s firewall and would not directly be visible from the internet. This could be used for user profiling and for finding further attack targets.
The next step for the attackers could be the reconfiguration of components in the local area network in order to facilitate further attacks via different vectors. For example the home router – which in many cases has no password protection when accessed from the LAN – could be reconfigured by the attacker to have no protection against attacks from the internet.
In order to gain personal information, attackers could access well-known services like UPnP or http in the user’s network via the connected TV. For example IP cameras or printers could be compromised using this technique.
Also using the XmlHttpRequest object, attackers can transfer all of the gained information to arbitrary Internet drop-zones, which would also expose the victim’s IP address.
As a lot of these attacks have been publicized in the context of browser hacking, there is a lot of available code on the Internet that might be used for also compromising Smart TVs.
While the researcher who’s done this work is presently posing SmartTVs as potential – rather than necessary, or actual – threats, now that the cat’s out of the bag it’s almost guaranteed that more people will be working on weaponizing your TV. Isn’t the pervasive connection of equipment to the Internet just great?
Yahoo will need to balance its involvement with Tumblr to let the creative site flourish while also driving some benefits to core Yahoo. While Tumblr likely needs to take its feed advertising slowly so as not to negatively impact the user experience, the company should be able to leverage Yahoo!’s sales force and advertising relationships.
So it’s kind of cool to see what actual analysts say about Yahoo buying Tumblr. But I have a pretty hard time figuring out what benefits the site would be driving to “core Yahoo”. Better integration with Flickr, maybe? Not really sure what core Yahoo comprises, anymore. (via jakke)
This is something I’ve been thinking about a bit. Just off the top of my head, how could Yahoo! leverage Tumblr:
- Use Tumblr to surface popular/emerging content for the various Yahoo! branded home pages that are provided to enterprise customers;
- Offer free blogging services to enterprise customers;
- Integrate Flickr’s communities (somehow) withTumblr to enhance finding and sharing original content;
- Leverage Tumblr to expand Bing search capabilities (which would be part of the Yahoo!/MS search integration, and perhaps offer Yahoo! another line of revenue given Microsoft’s current pursuit of Social searchability)
- Generally provide customized blogging solutions across properties. If Tumblr is eventually de-siloed then Yahoo! would have a blogging platform like Google (i.e. Blogger) except it would be ‘fresh’ like Blogger was at the time of Google acquiring it.
Those are just the most immediate thoughts. I really think that what happens will occur over time and not tomorrow; Yahoo! needs to get ‘integration right’ or else risk drowning their new $1.1 billion dollar baby.
Dissertation pieces are now being stitched together in the über-document that conforms with grad studies’ style guide. By this time next week, the first 6/8 chapters will be assembled and sent to my committee. It should total in the vicinity of 65,000-70,000 words at that point.
A little over a month after that, the last 2/8 chapters should be written and added to the über-document. And, god willing, everything defended by the end of August/very beginning of September.
Finishing is starting to feel real, and possible.
Via Techdirt:
Good news, everyone. The terrorists will win and New York City Mayor Michael Bloomberg wants to help. Of course, his speech is all about not letting the terrorists win. But he’s giving them exactly what they want.
Bloomberg is an incredibly worrying political figure. He’s gone from earlier this year stating the privacy is important, but cannot be maintained in the face of expanding police surveillance, to this:
“The people who are worried about privacy have a legitimate worry,” Mr. Bloomberg said during a press conference in Midtown. “But we live in a complex word where you’re going to have to have a level of security greater than you did back in the olden days, if you will. And our laws and our interpretation of the Constitution, I think, have to change.”
This is the second time in very recent memory that he, on the one hand, supports a notion of privacy while, on the other, asserts that privacy has to be increasingly limited to enjoy ‘security’. This is an absolutely false dichotomy, and is often linked to blasé efforts to ‘secure’ a population in ineffective, inefficient, or incorrect ways. Strong security protections can and should be accompanied by equally strong privacy protections; we need to escape the dichotomy and recognize that privacy and security tend to be mutually supportive of one another, at least when security solutions are appropriately designed and implemented.
The neoliberal sacking of the universities runs much deeper than tuition hikes and budget cuts, notes Barkawi.Today in articles that criticize “meaningless buzzwords” but then also use “neoliberal” in the title.
Seriously – if you have a graduate education, you are not the oppressed and marginalized party here. There’s no reason that professors should be getting tenure in the first place; why should this one small class of wealthy well-educated people get the right to keep their jobs indefinitely regardless of performance while their students rack up six figures of debt?
If there’s an assault on academia, it comes from the fact that post-secondary education is wholly unaffordable to students from low-income backgrounds. Being expected to provide a service in exchange for money is not assault. Any confusion on this matter is a good indication of why people are skeptical about giving you more money.
Just re: tenure. There are very, very, very good reasons to provide it. I know of a host of graduate students who are prohibited from communicating their research findings for fear of the potentially very serious blowback associated with their (entirely valid, grounded) research results. Others simply avoid research tracks on the basis that ‘no good can come of it.’
These individuals are working on issues of significance (e.g. how government engages in anti-democratic surveillance and interdiction of communications) that simply cannot be engaged with by most members of the public. Such members tend to lack the time, expertise, or safety to publicly engage in the research. Tenure is meant to afford faculty the ability to engage in such ‘risky’ work while also granting the space to do what might be seen as useless basic research. It also is intended, ultimately, to offer a shield that graduate students can retreat behind if needed. The absence of tenure weakens the already precarious conception of ‘academic freedom’.
Academe is, without a doubt, an increasingly bureaucratic domain. Faculty are often as guilty as government in this transition; it wasn’t always like it is today (which, I might add, also isn’t a reason to lust for the old days: grad students in the 90s complained about pretty similar issues as the students of today). The increased shift towards publish or perish, and in the UK the ‘tiering’ of publications, has been incredibly problematic for the quality of much literature: some publications are ‘slanted’ to accommodate the tiering model, as opposed to the actual way that the research may flow. Such attitudes and efforts to ‘game’ the system are linked to a systematic problem around academe. I don’t know that there’s a ‘fix’, but it also isn’t something that’s terribly healthy today.
Last year Rob Shaw wrote a piece for the Times Colonist about online voting in British Columbia. (This is a Bad Idea by the way, for reasons that are expounded elsewhere.) At the very end of his article, we read:
B.C.’s flirtation with online voting coincides with changes to its information and privacy laws last year that paved the way for high-tech identity cards.
The government has said people will one day be able to use the cards to verify their identity and access Internet-based government services, including, potentially, online voting.
No government document released under FOIA laws that I’ve read has stated voting as a driver of the card. However, this isn’t an indictment of Shaw’s reporting but of the government’s unwillingness to fully disclose documents pertaining to the Services Card.
To be clear: there is no good reason to believe that the Services Card will be particularly helpful in combating the core problems related to online voting. It won’t actually verify that the same person associated with the Card is casting the ballot. It won’t ensure that the person is voting in a non-coerced manner. It won’t guarantee that malware hasn’t affected the computer to ‘vote’ for whomever the malware writer wants voted for.
The Services Card is (seemingly) a solution looking for a problem. Voting is not one problem to which the Card is the solution.
Excited Pixels 