OTTAWA — Canada’s privacy watchdog says Internet phenomenon Facebook breaches the law by keeping users’ personal information indefinitely — even after members close their accounts.

Privacy Commissioner Jennifer Stoddart says the popular social networking site should hang on to the data only for as long as truly necessary.

In a report Thursday, Stoddart urged Facebook to remedy the problem, one of several serious privacy shortfalls she discovered.

Facebook, which has nearly 12 million Canadian users, allows people to keep in touch with friends and family by updating their personal pages with fresh messages and photos.

Stoddart said although Facebook provides information about its privacy practices, it is often confusing or incomplete.

“It’s clear that privacy issues are top of mind for Facebook, and yet we found serious privacy gaps in the way the site operates,” Stoddart said in a statement.

For example, the “account settings” page describes how to deactivate accounts but not how to delete them, which actually removes personal data from Facebook’s computer servers.

Stoddart wants Facebook to wipe the information in deactivated accounts after a reasonable length of time.

The report also raises concerns about the sharing of users’ personal information with the almost one million third-party developers around the globe who create Facebook applications such as games and quizzes.

Facebook lacks proper safeguards to prevent these developers from seeing users’ profile information, the investigation found.

Stoddart calls for more transparency to ensure the site’s Canadian users have knowledge they need to make meaningful decisions about how widely they share personal information.

The privacy commissioner will review Facebook’s actions after 30 days to gauge progress. She can take the case to the Federal Court of Canada to have her recommendations enforced.

She launched a probe of Facebook in response to a complaint last year from the Canadian Internet Policy and Public Interest Clinic.

The clinic, based at the University of Ottawa’s law faculty, alleged numerous violations by the high-profile site.

The Full Report can be found Here:

http://www.priv.gc.ca/cf-dc/2009/2009_008_0716_e.cfm

Posted by Caroline McCarthy

From a MySpace-related suicide to hate speech on YouTube, the world of user-generated content has been plagued by plain, old nastiness since its early days.

That’s why, as part of the Family Online Safety Institute conference in Washington, D.C., YouTube parent company Google has unveiled an “Abuse and Safety” resource guide.

According to a post on the official Google blog, the new section of YouTube’s help center features “straightforward safety tips and multimedia resources from experts and prominent safety organizations” regarding topics like cyberbulling, privacy, spam, and sexual exploitation.

YouTube also said that the resource guide will make it more straightforward to find out how to manage privacy and safety settings.

The dark underbelly of online video was in the spotlight once again when a Florida teenager used live-streaming service Justin.tv to broadcast his suicide last month.

By Julian Sanchez | Published: December 11, 2008 – 05:10AM CT

SAN FRANCISCO — License plates may be coming to cyberspace.

A government and technology industry panel on cyber-security is recommending that the federal government end its reliance on passwords and enforce what the industry describes as “strong authentication.”

Such an approach would probably mean that all government computer users would have to hold a device to gain access to a network computer or online service. The commission is also encouraging all nongovernmental commercial services use such a device.

“We need to move away from passwords,” said Tom Kellermann, vice president for security awareness at Core Security Technologies and a member of the commission that created the report.

The report, which offers guidance to the Obama administration, is a strong indictment of government and private industry efforts to secure cyberspace to date. “The laissez-faire approach to cyber-security has failed,” Mr. Kellermann said.

Restricting Internet access is one of a series of recommendations that a group of more than 60 government and business computer security specialists will make in a public presentation, “Securing Cyberspace in the 44th Presidency,” on Monday.

The report has been prepared during the last 18 months under the auspices of the Center for Strategic and International Studies, a Washington policy group, after a number of break-ins into government computer systems.

“The damage from cyber attack is real,” the report states. “Last year, the Departments of Defense, State, Homeland Security, and Commerce, NASA and the National Defense University all suffered major intrusions by unknown foreign entities.”

The report describes a laundry list of serious break-ins ranging from the hacking of the secretary of Defense’s unclassified e-mail to the loss of “terabytes” of data at the State Department.

The group recommends the creation of a White House cyber-security czar reporting to the president and the consolidation of the powers that have largely been held by the Homeland Security Department under the Bush administration. The report argues that cyber-security is one of the most significant national security threats and that it can no longer be relegated to information technology offices and chief information officers.

The commission included the top Democrat and Republican members of the House Homeland Security subcommittee that oversees cyber-security. The chairmen of the commission included Jim Langevin, a Democratic congressman from Rhode Island; and Michael McCaul, a Republican congressman from Texas.

Scott Charney, corporate vice president for trustworthy computing at Microsoft; and Harry D. Raduege Jr., a retired Air Force lieutenant general who is chairman of the Center for Network Innovation at Deloitte & Touche, were also on the commission.

The report calls for new laws and regulations governing cyberspace.

“We believe that cyberspace cannot be secured without regulation,” the report said. The proposed regulations included new standards for critical infrastructure providers like the finance and energy industries, as well as new federal product acquisition rules to force more secure products.

The report does not entirely reject the work of the Bush administration. It cites the creation of the Comprehensive National Cybersecurity Initiative, adopted by the government as part of a presidential memorandum issued last January as a good starting point for remaking the nation’s cyber-security strategy.

That effort has led to a commitment by the federal government to spend more than $30 billion in the next seven years to enhance computing security.

By Nate Anderson | Published: December 04, 2008 – 09:35PM CT

Now that the official Amazon Mobile iPhone app is here, it’s easier than every to check prices from anywhere, even while shopping in retail stores. And the company’s clever new “Amazon Remembers” service will use humans to identify product pics snapped with the iPhone, even if they include shoes worn by the person sitting next to you on the subway.

Both are Good Things, but can too much of a Good Thing turn a little sour on the tongue?

Don’t even try to hide it

I confess there have been occasions when I went to a retail store, learned about and handled products, then went home and ordered them less expensively over the Internet. After getting a laptop and an EVDO card, the practice went at time a bit further; I would retreat to the parking lot, check online deals, and make a buying decision there in the front seat of the car. But actually scanning the Internet for lower prices while standing in the store?

The practice might feel a bit like being caught reading a dirty novel in the back of the library stacks (“Can I help you with anything?” “Uh, no, just looking, thanks! Please go away!”) but Amazon wants to make it mainstream. In the official App Store description of its new iPhone app, the company suggests it can be used for “comparing prices on Amazon and 9,000 other merchants to those in the retail store you are visiting.”

It’s certainly a consumer-friendly idea, though one wonders if it will cause that throbbing vein on the necks of Best Buy and Borders execs to throb a bit more quickly. For Amazon to explicitly suggest that shoppers take advantage of bricks-and-mortar stores—an expensive investment that Amazon has purposely not made—and then use the benefit derived from those stores to order the product cheaply online, well, that’s a pretty straightforward declaration of war.

Retailers certainly can’t be pleased with idea of all those 1-click iPhone orders going to Amazon even as customers stand in their stores, fondling their merchandise. Not antagonizing your customers is the first rule of business, but it’s not real hard to imagine some stores approaching heads-down iPhone users with a crisp, “May I help you, ma’am?”

Amazon Remembers, so snap away!

Once, while rumbling through the darkened tunnels of the Prague Metro, the train pulled up to a station stop, the doors opened, and a man with a monkey on his shoulder stepped inside. It doesn’t look so odd when written down in print like that, so let me say it again: he had a live monkey. On his shoulder. On the Prague Metro.

I did what anyone would do—waited until he turned away (the monkey continued to level its creepy simian gaze at me) and snapped a surreptitious photo. I mean, the dude had a monkey! On his shoulder! On the Metro!

I bring this up only to point out that snapping pictures without permission of people at close range in public places is generally something of a taboo; at the least, it can be shockingly impolite. (Though when you have a monkey! on your shoulder! on the Metro! I’d say you’re fair game.) Which is why Amazon’s new “Amazon Remembers” feature sounds potentially unsettling.

So many chances for shopping

Amazon Remembers uses the iPhone camera to snap images, which are uploaded to the cloud and farmed out to humans for identification with Amazon products. Cool enough when the product is a book cover, of course, but what if it’s an article of clothing currently worn by someone sitting next to you on the subway? We are treading in the deep waters of etiquette here.

Amazon has no problem with the practice, though. In its official App Store description, the company suggests that people start snapping away in public. “Seeing if Amazon Remembers can find a pair of shoes for sale like the one the person sitting next to you is wearing,” it offers. Perhaps I’m betraying my own sense of personal space here, but I would not feel pleased to see people holding out their iPhones to photograph the label on my jeans, the brand of my shoes, or the cut of my scarf when I’m riding the El from Oak Park to the Loop.

Pirates of the Amazon

Oddly enough, this week also saw the release of some software that does the same thing to Amazon that Amazon encourages iPhone users to do to other retailers. “Pirates of the Amazon” is a Firefox extension that compares Amazon products with items available on The Pirate Bay; when it finds a match, the add-on creates a “download 4 free” button directly on the Amazon product page. Clicking it retrieves the file using BitTorrent.

It’s not the same thing, of course, being utterly illegal, immoral, and generally piratical (which is sort of the point). It’s also not currently available, with the site displaying a “The Ship was hit. We’re offline” message at the moment.

Personally, if I had to draw behavioral lines around various practices, I wouldn’t be a “Pirate of the Amazon,” but I would use the Amazon iPhone app to price check stores—and I’d return to the parking lot to do it. Why? For the same reason I wouldn’t tell my dinner hosts that their instant mashed potatoes reminded me of caulk in a bowl, though I might make the observation to my wife in the car on the way home.

As for Amazon Remembers, snapping standalone objects is fine and useful, but taking pics of someone’s shoes, laptop case, watch, hat, or gloves in public feels a bit too much like being a paparazzi. If someone sitting beside me in a coffee shop started snapping iPhone pictures of my jeans, I can’t imagine liking it a whole lot, but neither can I really imagine people walking up to strangers all over the country and asking, “Hey, do you mind if I take this picture of your pants with my phone?” and getting a positive result.

There are no black and white lines here, though, just shades of grey; how would you handle these issues?

This guest post is written by Matt Rutherford, Web Strategist and technology producer for Charlie Rose. Matt focuses on the macro themes affecting the internet and the wider world. You can read Matt’s previous guest post, Larry Lessig Defends Copyright, Loves Charlie Rose Remixes, here.

Who protects the internet? In part, it’s this man – General Kevin Chilton, US STRATCOM commander and the head of all military cyber warfare. We’re broadcasting an interview tonight with General Chilton, in which he discusses the threat of cyber warfare, along with his other remits of space warfare and the US nuclear deterrent. Chilton is fascinating, and amongst other things has been a NASA space shuttle pilot, logging over 700 hours in space. You can watch the full interview here (and it is embedded below).

The discussion with General Chilton brings to light a crucial question, however. Is the internet actually protected? The military remit is to defend the .mil networks, prevent online espionage, and develop offensive strike capabilities. But who’s protecting the rest? Given its integration with every aspect of our lives and economy, it’s surprising just how little we know about who defends our electronic nervous system.

The Threat

There’s copious discussion about exactly how vulnerable the US is to online attack. The alleged Russian DoS attacks on Estonia in 2007, and on Georgia this summer, highlighted the potential damage of state sponsored attacks. China has also been developing cyber warfare capabilities for some time, mounting online intelligence operations against Taiwan, and almost certainly against the US. The Chinese military has openly stated that it plans to be able to win an “informationized war” by the middle of this century. Russia, Israel and Romania are also alleged to have high-level cyber warfare capabilities.

This developing threat from state actors led Sami Saydjari, CEO of Cyber Defense LLC, to testify (pdf) to the US House Committee of Homeland Security in 2007, saying: “The US is vulnerable to a strategically crippling cyber attack from nation-state-class adversaries.” Such an attack has the potential to turn the US “from being a superpower to a third-world nation practically overnight.”

I should point out that many have disputed the apocalyptic nature of Saydjari’s statement. Kevin Mitnick, the reformed hacker, noted in a recent phone call:

“Could we face a mass DOS attack, as in Georgia and Estonia? I don’t think so. I think it would be more of a surveillance operation to get intelligence. Technically you could have a mass attack against the thirteen root nameservers around the world. But as for cyber war, I don’t think we’re at that point yet, I think it’s over-stated.”

Regardless of the impact of an offensive cyber attack, everyone appears to agree on the insidious danger from online intelligence gathering. Former counter-terrorism chief Richard Clarke eloquently summarized this in Foreign Policy recently:

“People tend to think about attacks that change things—turn off power grids, or whatever. And while that’s possible, what is happening every day is quite devastating, even though it doesn’t have a kinetic impact and there are no body bags. What’s happening every day is that all of our information is being stolen. So, we pay billions of dollars for research and development, both in the government and the private sector, for engineering, for pharmaceuticals, for bioengineering, genetic stuff… and all that information gets stolen for one one-thousandth of the cost that it took to develop it.”

Who protects us?

The problem is that it isn’t clear who has the remit for comprehensive defense of the internet. The US military and intelligence agencies defend government networks and track targets online, both domestically and abroad. A new Bush-ordained funding boost in January this year will help them become more coordinated. However, as Richard Clarke goes on to note, “the problem is that much of what we need to protect is not in the U.S. government; it’s in our private companies and our private networks”.

The Department of Homeland Security’s National Cyber Security Division operates various public-private initiatives, such as the rather prosaic National Cyber Security Awareness Month. But beyond this, the general response appears highly fragmented with little grand oversight or public-private coordination. I emailed Jonathan Zittrain to ask his opinion on ‘who protects the internet’. He replied:

“Basically no one. At most, a number of loose confederations of computer scientists and engineers who seek to devise better protocols and practices — unincorporated groups like the Internet Engineering Task Force and the North American Network Operators Group. But the fact remains that no one really owns security online, which leads to gated communities with firewalls — a highly unreliable and wasteful way to try to assure security.”

Hackers to the rescue?

When Obama appoints a white house CTO, there will at least be an official figurehead in charge of this matter. Proposed candidates for the role currently include Eric Schmidt, Steve Ballmer, Jeff Bezos and Julius Genachowski from IAC.

However, perhaps the future of internet security really lies in the hands of the community. Indeed, Jonathan Zittrain talked about ‘good hackers’ on our show in May, and he argues the importance of community policing in The Future of the Internet. The last few years of the internet have been about empowering the masses, and removing intermediary apparatus – so why not leverage the community to defend its cyber territory? Indeed, this is already happening, to a certain extent. Just look at Dan Kaminsky, a computer consultant who discovered a fundamental flaw in DNS, allowing him control over any website online. This flaw was astounding in what it gave access to – yet Dan Kaminsky didn’t turn to a government agency or organization, or abuse the hack himself. Instead he made a phone call to Paul Vixie, one of the creators of the BIND9 DNS routing software, and they assembled a team of civilians and private companies to resolve this apocalyptic vulnerability.

It will be interesting to see what happens from here. And whilst it’s certainly entertaining to envision vigilante hackers and rag-tag groups of high school kids overcoming nation states, I think there’s more serious matters at stake. The way that the internet community reacts and operates with state apparatus in defending against cyber threats will be a crucial indicator of our future society. How reliant are we on the nation-state to protect us? Will it ever be possible for internet communities to erode the relevance of the nation state? Or will the internet turn out to be just as Hobbesian as the real world has been?

Charlie Rose’s discussions with General Kevin Chilton and Jonathan Zittrain are available at our website, charlierose.com. Matt Rutherford can be reached at matt@charlierose.com.

Published: November 29, 2008 HARRISON BROWN, an 18-year-old freshman majoring in mathematics at M.I.T., didn’t need to do complex calculations to figure out he liked this deal: in exchange for letting researchers track his every move, he receives a free smartphone.

Now, when he dials another student, researchers know. When he sends an e-mail or text message, they also know. When he listens to music, they know the song. Every moment he has his Windows Mobile smartphone with him, they know where he is, and who’s nearby.

Mr. Brown and about 100 other students living in Random Hall at M.I.T. have agreed to swap their privacy for smartphones that generate digital trails to be beamed to a central computer. Beyond individual actions, the devices capture a moving picture of the dorm’s social network.

The students’ data is but a bubble in a vast sea of digital information being recorded by an ever thicker web of sensors, from phones to GPS units to the tags in office ID badges, that capture our movements and interactions. Coupled with information already gathered from sources like Web surfing and credit cards, the data is the basis for an emerging field called collective intelligence.

Propelled by new technologies and the Internet’s steady incursion into every nook and cranny of life, collective intelligence offers powerful capabilities, from improving the efficiency of advertising to giving community groups new ways to organize.

But even its practitioners acknowledge that, if misused, collective intelligence tools could create an Orwellian future on a level Big Brother could only dream of.

Collective intelligence could make it possible for insurance companies, for example, to use behavioral data to covertly identify people suffering from a particular disease and deny them insurance coverage. Similarly, the government or law enforcement agencies could identify members of a protest group by tracking social networks revealed by the new technology. “There are so many uses for this technology – from marketing to war fighting – that I can’t imagine it not pervading our lives in just the next few years,” says Steve Steinberg, a computer scientist who works for an investment firm in New York.

In a widely read Web posting, he argued that there were significant chances that it would be misused, “This is one of the most significant technology trends I have seen in years; it may also be one of the most pernicious.”

For the last 50 years, Americans have worried about the privacy of the individual in the computer age. But new technologies have become so powerful that protecting individual privacy may no longer be the only issue. Now, with the Internet, wireless sensors, and the capability to analyze an avalanche of data, a person’s profile can be drawn without monitoring him or her directly.

“Some have argued that with new technology there is a diminished expectation of privacy,” said Marc Rotenberg, executive director of the Electronic Privacy Information Center, a privacy rights group in Washington. “But the opposite may also be true. New techniques may require us to expand our understanding of privacy and to address the impact that data collection has on groups of individuals and not simply a single person.”

Mr. Brown, for one, isn’t concerned about losing his privacy. The M.I.T researchers have convinced him that they have gone to great lengths to protect any information generated by the experiment that would reveal his identity.

Besides, he says, “the way I see it, we all have Facebook pages, we all have e-mail and Web sites and blogs.”

“This is a drop in the bucket in terms of privacy,” he adds.

GOOGLE and its vast farm of more than a million search engine servers spread around the globe remain the best example of the power and wealth-building potential of collective intelligence. Google’s fabled PageRank algorithm, which was originally responsible for the quality of Google’s search results, drew its precision from the inherent wisdom in the billions of individual Web links that people create.

read more…

Published: November 27, 2008

Is lying about one’s identity on the Internet now a crime?The verdict Wednesday in the MySpace cyberbullying case raised a variety of questions about the terms that users agree to when they log on to Web sites.

The defendant in the case, a Missouri woman, was convicted by a federal jury in Los Angeles on three misdemeanor counts of computer fraud for having misrepresented herself on the popular social network MySpace. The woman, Lori Drew, posed as a teenage boy in using the account to send first friendly and then menacing messages to Megan Meier, 13, who killed herself shortly after receiving a message in October 2006 that said in part, “The world would be a better place without you.”

MySpace’s terms of service require users to submit “truthful and accurate” registration information. Ms. Drew’s creation of a phony profile amounted to “unauthorized access” to the site, prosecutors said, a violation of the Computer Fraud and Abuse Act of 1986, which until now has been used almost exclusively to prosecute hacker crimes.

While the Internet’s anonymity was used in this case as a cloak to bully Megan, other users say they have perfectly good reasons to construct false identities online, if only to help protect against the theft of personal information, for example.

“It will be interesting to see if issues of safety and security will eventually trump the hallmark ideology of free, largely anonymous or pseudonymous participation in cyberspace,” said Sameer Hinduja, a professor of criminology and criminal justice at Florida Atlantic University.

Andrew M. Grossman, senior legal policy analyst for the Heritage Foundation, said the possibility of being prosecuted for online misrepresentation, while remote, should worry users nonetheless.

“If this verdict stands,” Mr. Grossman said, “it means that every site on the Internet gets to define the criminal law. That’s a radical change. What used to be small-stakes contracts become high-stakes criminal prohibitions.”

The judge in the Los Angeles case, George H. Wu, is to hear motions next month for its dismissal. Ms. Drew’s defense asserts among other things, as it did at trial, that she never read MySpace’s terms of service in detail.

“The reality, recognized by almost everyone, is that the vast majority of Internet users do not read Web site terms of service carefully or at all,” said Phil Malone, director of the Cyberlaw Clinic at Harvard Law School.

Representatives of MySpace declined to make any executives available for interviews about the case. In a statement, the site said that it did not tolerate cyberbullying and would continue to work with industry experts to raise awareness of the “harm it can potentially cause.”

Mr. Hinduja, who writes for the research site CyberBullying.us, said there had been a handful of cases involving teenagers who were “driven to suicide in part because of cyberbullying by peers.” What drew the greatest attention to Megan’s death, he said, was that it involved the actions of an adult, Ms. Drew, now 49, whose daughter’s friendship with Megan had soured.

It remains easy to create a fraudulent account on social networking sites like MySpace and Facebook, though a witness at Ms. Drew’s trial, Jae Sung, a MySpace vice president for customer care, said “impostor profiles” were deleted when they were flagged by users or discovered by the Web site’s employees.

A number of corporations are competing to develop age verification software for Web sites. But relying on technology to confirm a user’s identity is not without drawbacks. There are legitimate reasons to hide one’s name and other information online, be it concern about identity theft or a need for comfort when asking for advice or help.

“We’ve been telling our kids to lie about ID information for a long time now,” said Danah Boyd, a fellow at the Berkman Center for Internet and Society, at Harvard.

Ms. Boyd said forms of digital street outreach were needed.

“There are lots of kids hurting badly online,” she said. “And guess what? They’re hurting badly offline, too. Because it’s more visible online, people are blaming technology rather than trying to solve the underlying problems of the kids that are hurting.”

A new site called TweetStalk is in private beta. It allows you to “follow” Twitter users without them knowing you are doing it (Twitter tells you when someone new has subscribed to your data). It’s all through a Firefox Add-On and appears to modify the Twitter page itself via Greasemonkey or otherwise. You are then able to follow the person without them knowing, and the service provides a RSS feed as well.

This isn’t as bad as it sounds. Twitter pages are public by default so all the content is there for everyone to see anyway. Twitter should probably just implement a private follow feature of some sort to allow this anyway. But until they do, you’ve got TweetStalk.