Saturday, May 22, 2010

Web security and SSL certificates

You may recognize secure web sites by the fact that their URL starts with https://, or by a little lock icon in the address bar or on the bottom of your browser window. Maybe the URL location bar turns green when it's "safe" - when a third party has verified that the server you're communicating with is at the address you expect. This weak authentication regime is implemented using SSL certificates, little pieces of data which are badges handed out by third parties to server operators,for a fee. Each certificate contains the name of the domain or host name the server is handling, and a digital signature by a company such as Verisign, GoDaddy, AC Camerfima, or TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı. In Firefox you can see the list of trusted third parties by choosing (Edit or Tools)->Preferences->Advanced->Encryption(tab)->View Certificates. These are the companies you and your browser are trusting to authenticate web sites around the world.

How do you know they can all be trusted? Wired magazine has an interesting article about certificate spoofing. If you are not careful about checking the name on each certificate at each site, your browser won't tell you if it's necessarily a good one; all it knows is that the certificate was signed by an entity it trusts. Some entities have embedded their certificates in network-level devices so the devices can spoof certificates from any site you're visiting. With that, the device and its owner can intercept all the traffic between you and the site you suppose is secure, maybe your bank or GMail.

You can fight back, a bit, if you have Firefox. There's an extension called petname which lets you "tag" certificates from sites you've verified. If you visit Google's mail site and petname doesn't recognize the certificate, it'll warn you, and you should be suspicious or at least extra careful. The alternative is to check every certificate for every secure site - and memorize the issuer for each. Not really an easy task.

Remember, SSL and browser security aren't enough! It's all based on trust. So verify!

Friday, May 21, 2010

Curbside recycling

Our neighborhood has recently improved its curbside recycling program. We used to have a small open green bucket to put our paper and other recyclables in; this bucked lived outside, and got put out every other week next to our giant, closed trash container. We would never remember which week was recycling, and we didn't want to keep the materials outside in the bucket to be waterlogged by rain. Therefore we rarely used the curbside recycling; I'd occasionally take our saved materials to the recycling center, but not on a regular basis.

Now we have a giant, closed container for recycling as well. It's just like our trash container, except it's bright green, and it has a handy sticker on the outside which describes what's appropriate to put in the container. It's so easy now to just toss recyclables in the container outside; much better than trying to manage them inside in the small space we can spare in the kitchen. Paper, plastic, cans, glass - it all goes in together, as soon as it's clean.

Our family tries not to have too much to recycle or dispose in the first place; the best policy is to eschew things with so much packaging. Nevertheless, we do generate trash, except now our trash container is rarely full. Instead, the recycling container has been almost full every two weeks, as we are more disciplined about putting in the newspapers, junk mail, cans, and even plastic clamshells from berry and tomato containers. I think this new program, with its bigger, closed containers and its automated pickup, must be drawing a lot of material out of the garbage stream. I'm looking forward to seeing the numbers when they're published.

Thursday, May 20, 2010

Congratulations, Google

The Free Software Foundation congratulates Google on its release of the On2 VP8 video codec. Free software can be built for this free codec, allowing high quality libre video content on the web. Thank you, Google.

Wednesday, May 19, 2010

Public disclosure of private facts

Justice Louis Brandeis's Right to Privacy outlined a legal theory which in the United States led to the creation of four privacy related courses of action. One of these is known as public disclosure of private facts, which is defined (roughly) as a

  1. public disclosure
  2. of one or more private facts
  3. the release of which would offend a reasonable person.

A publisher can claim that the facts are newsworthy as a defense; however, the truth of the fact(s) is not a defense, as it is in defamation actions.

Google is perhaps setting itself up as the Napster of location disclosure. As part of its data collection effort for Street View, Google has been collecting private wireless hot spot data; Irish and German authorities caught them keeping private information and forced them to remove it in a fashion auditable by third parties. Google reports that they are using the data about your wireless routers to better locate the position of Internet users. They keep that wireless information in a huge database, associated with its physical location.

How does this work? An application running on your computer, or phone, or network router can continuously check to see what wireless hot spots are around you. The application can then submit that "MAC" information to Google's location service to find out where you are.Once that's determined, the application can send that information to an advertising service, or to a social network site, or basically anywhere else, to keep track of you and let others know where you are.

Is this a public disclosure of a private fact? A number of moving parts must be analyzed to answer that question.

First, is your current location a private fact about you? If so, does the disclosure of one's location offend a reasonable person? Those questions are probably best answered by a jury, should a case like this ever be brought to court.

Is there a public disclosure of your location? To whom is the location disclosed? At what point in the process is it disclosed? Who is at fault for the disclosure; what is the proximate cause? Certainly your computer or device can know your physical location (latitude and longitude) if you are using a GPS (Global Position Service) device; most phones have that built in, and you can buy a GPS device for your computer or laptop. Without such a device, which is presumably known to you and/or under your control, your computer and its applications can't know your location without a database like the one maintained by Google. Therefore it's definitely difficult to argue that Google is the cause of a disclosure, if one happens. They are only potentially an enabler, much like Napster was, and perhaps can be held liable under a similar theory.

More to the point is that it's the browser or other application which is taking the environmental information (local hot spots etc.), is using that to determine the location, and then is publishing your location (with explicit or implicit permission?) to other applications and services. Netscape/Mozilla has been here before in Specht v. Netscape Communications Corp., when it was sued over its "Smart Download" applet, which stored and transmitted information about user downloads back to Netscape Corporation. Litigating the disclosure of location information is more difficult, because there are likely a large number of applications and devices which are performing the public disclosure, each of which would have to be enjoined. That would be a lot of work. If Google and other "geolocation" services can be reached under a Napster-style enabling theory, then the problem goes away much more quickly, unless they can make a case that they are providing a compellingly important public service.

By the way, you can turn off location information in Firefox. Just browse to the bottom of that page to see how. Can you do that in other browsers?

Tuesday, May 18, 2010

Google Flu Trends - take with salt

Google has a service called Flu Trends which attempts to predict influenza outbreaks based on people's search behavior. The theory is that during outbreaks, people do more searches for particular terms or items.

As any investor can tell you, past performance is no predictor of future returns. Any algorithm Google can come up with can correlate very nicely with past data from the CDC, but may not be as useful for forward predictions. Still, it's a nice idea, and one more bit of information to add to the mix.

Just don't bet your house on it.

Monday, May 17, 2010

Brandeis on Monopolies

I've been reading Mel Urofsky's biography of Louis Brandeis. I'd been aware of Brandeis and his article The Right to Privacy, and enjoyed touching a bit on privacy-related claims in my Torts class. I also appreciated his dissent in Penn. Coal Co. v. Mahon, where he argued that to analyze a "taking" by the government, the courts should determine the value of what remains to the owner, not a narrow diminution of the part that was taken. This approach was incorporated into the majority opinion in Penn Central Trans. Co. v. New York City, a landmark case about, well, a landmark.

Brandeis was a firm believer that large aggregations of economic power, including monopoly, were dangerous to the economy and to democracy. He argued that economies of scale and of monopoly are an illusion, and that competition is healthier:

This argument is essentially unsound. The wastes of competition are negligible. The economies of monopoly are superficial and delusive. The efficiency of monopoly is at best temporary. Undoubtably competition involves waste. What human activity does not?

This reminded me of an article in the Houston Chronicle by Lisa Gray, An economics lesson on the beer aisle, in which Ms. Gray points out modern examples of how prices at the supermarket are affected by a lack of competition in production and distribution. We see the same attempts at market control by participants in the software industry: Microsoft attempts to use its monopoly to maintain high prices for its operating systems and office software; Apple tries to lock users into its proprietary iTunes and iGadget ecosystems; and Oracle is trying to dominate the market for database systems and middle-ware. Louis Brandeis would feel right at home in our economy, almost 100 years after beginning his "reformist period" at the turn of the 20th century.

Monday, May 10, 2010

Google Picasa

I don't use Google's Picasa photo manipulation and management software. It's not Free Software; it's free as in beer, but not free as in freedom.

That said, my family does use the program, and recently downloaded the newest version. Google has added a cool but slightly creepy feature which extracts faces from pictures and tries to assign names to them. It looks at each picture, and identifies regions which are probably faces, and then it presents you with equally sized thumbnails of each face, so you can tell it who they are. Small faces in the background, large faces up front - they're all scaled to the same size, so some are really sharp, and some (the small ones in back) are kind of blurry.

Of course (?) the program can't know at the start who each face belongs to. You start assigning names to the thumbnail pictures, and Google adds the names as tags to the photos. So far, that sounds like a Facebook for your photo album, albeit with the cool face detection. But here's where it gets creepy.

Once you start tagging the faces, the software learns, and starts suggesting names for the faces. Not only is the detection pretty good for current faces - it is also smart enough to match earlier and earlier faces, so it eventually can find baby pictures with disturbing accuracy. My family trusts Google, and believes Picasa is not publishing the face recognition patterns up to the "mother ship", Google's servers. I'm not so sure. Google has had some issues with grabbing your private data recently. With governments making big investments in closed-circuit televisions to monitor public areas, they need a good way to match names to faces. How tempting it would be for a government to work with Google to patch Picasa to upload all those face matches so it can determine who's showing up on those street corners, at those rallies, in the subways, etc.

Just be careful.

Monday, May 3, 2010

Healthy School Lunches

My family has really enjoyed Jamie Oliver's Food Revolution, a television show centered on changing the food available for school lunches in an American town, Henderson West Virginia. As much as I appreciate our Houston Independent School District, the food vendor we've been acquainted with, Aramark, has provided absolutely unpalatable food for the student lunches. My kids pack a lunch every day, so they don't have to eat school food.

I'd love to find a group of like-minded parents at my kids' schools, who would be willing to work on changing the food in HISD. My kids would benefit greatly from a warm, healthy lunch, especially one with a vegetarian option. I'm worried, though, that HISD is too huge for a small group of parents to move; it would take a very dedicated set of individuals to take on this effort. In the mean time, maybe what we need to do is help pass federal legislation to provide incentives to schools to experiment with providing healthier meal choices to students.

If any parent or group is interested in coordinating a district-wide effort to improve school lunches at HISD, please let me know; I'd be willing to be a liaison to the schools my kids attend.