Wednesday, October 19, 2011

Why don’t Americans care about Privacy?

In my post from earlier this year, I commented on how Senator Leahy re-introduced his Personal Data Privacy Act…the same bill he has submitted every year for the last 5 years. 5 months after the re-introduction of the bill this year, there is still no GOP support for Leahy’s Privacy bill.

By my count so far this year, there were 9 data privacy bills introduced into both houses of Congress. This may not sound like a ton, but is half the number of the bills introduced during the Health Care Reform debate of 2008. So it looks like 2011 won’t be the year we get a national data privacy law.

Why not? Do Americans not care about Privacy? Of course they do. Every state in America now has their own data privacy law. How often are their respective Attorneys General enforcing those laws? Most of them don’t have private rights of action, so there isn’t anyone else to enforce them. States probably won’t enforce the laws unless they can collect some fines out of it, which means smaller infractions will get overlooked anyway. So Americans have some privacy, but not very much.

Facebook is at war with Privacy. In January of 2010, Facebook’s founder, Mark Zuckerberg, pronounced that Privacy is dead. The EU obviously cares. They’ve spent the last 30 years putting steroids into their Privacy laws. Max Schrems, a European law student, is taking Facebook to task over their numerous violations of Irish Privacy laws. Although European members’ data privacy laws still differ, their push for privacy started with the OECD in 1980 and more recently the EU Data Protection Directive.

So why aren’t Americans more up in arms? Max Schrems worries, “The KGB or the CIA never had 1200 pages [of information] on the average citizen.” But Facebook does.

Some theories about why Americans don’t care about Privacy:

  • We’re more worried about the economy – nope, the unemployment rate in Europe has been much worse for longer.

  • Most people haven’t read 1984 – that’s probably true…it’s never been made into an American movie with Brad Pitt.

  • We’re more worried about the stock market, the housing market, health care reform??? This is interesting…the Occupy Wall Street movement, along with the Tea Party, and the Iraq War Activists have been some of the few examples where Americans have been willing to take to the streets for a cause en masse in recent memory.

  • We’re more worried about Terrorism than the EU – I don’t think so. The Facebook case is going on in Ireland, and I think they’re slightly more sensitive to terrorism than we are.

  • What about Corporate Interests – some might say our politicians are bought and sold by corporations. While that may be a valid point, politicians everywhere suffer from the same temptations, and by all evidence, American politicians get in trouble a lot less than their European, Russian, or Asian counterparts.

  • Maybe we’re naturally voyeuristic? We are willing to trade our own privacy in order to invade other people’s privacy. This sounds pretty accurate to me.

  • Maybe we assume if it’s really a problem, then we can just sue somebody. Oh wait, all the so-called ‘privacy’ legislation being thrown around doesn’t give individuals a private right of action against privacy infringers. Fines just go to state coffers and probably aren’t enough to deter bad behavior anyway. Remember CAN-SPAM? Of course you don’t.

  • Maybe Americans are just behind the curve? After all, Myspace fell apart, and that could have been an unconscious choice by the faceless public because Myspace felt less secure…from the viruses, to the unsolicited connections from weirdos, to how the apps felt like they gave away your information in a more overt way. Do we vote with our feet? Voting with one’s feet presumes that you have a meaningful choice…if you’re just voting between the lesser of two evils, then you end up voting for the more clean cut of two gangsters who doesn’t curse and swear while they rifle through your life.

  • Or maybe Americans do care about privacy. Maybe the ones that really care, haven’t bothered to join Facebook or have left. So why aren’t they up in arms? If they were, then they’d be in the spotlight, and that’s not really something they’re interested in. Why should they take a stand to protect you when you’re obviously okay with giving up your personal details? Also, this group of people tends to wear tin-foil hats.

Monday, October 17, 2011


Imagine a world where criminals used sophisticated networks of middlemen. Transactions between pawns were untraceable. All using the power of something called, the Internet. And people wonder why I say that the law is having a hard time keeping up with technology.

The article gives a great overview of the developments in cybercrime over the last 3 or 4 years:

Daubert's Fingerprint

Everybody knows that every snowflake is one of a kind. Unique. Just like a fingerprint. Wait, how do we know a fingerprint is unique?

In a legal proceeding in the United States, the process the court uses to determine whether an expert witness is qualified to give testimony in their field is commonly referred to as the Daubert test. If a court were going to let an expert witness in to testify whether a certain fingerprint found at the scene of a crime or on a critical piece of evidence was a match for a defendant…the court would use the Daubert test to determine whether the expert had knowledge derived from sound scientific methodology.

Except they don’t.

What do you mean, they don’t?

They don’t. No court has ever challenged the expert-ness of an expert witness who purported to be an expert on fingerprints.

Why not?

To be an expert in something, there has to be a body of knowledge for you to know about. Where is the body of knowledge about fingerprints? They swirl around, we know that much right? There’s a database of them, right?

The FBI does have a database of fingerprints. But they’ve never let researchers look at it.

The question researchers want to know the answer to is: how unique is a fingerprint? The lines of a fingerprint are about a millimeter wide. A fingertip might be a square inch. So there obviously can only be so many variations in a fingerprint. We know that fingerprints don’t come in stripes or plaid, so the universe of possible variations is limited. So just how limited? How can you compare the relative uniqueness of other markers, like a retina scan, DNA, voice patterns, etc. to a fingerprint when there isn’t any scholarship on how unique a fingerprint is?

This is really interesting because it subjects the validity of fingerprint evidence to a birthday attack. This is a basic type of security problem where you can calculate the probability of two people in the same room having the same birthday. Assuming that there are 30 people in a room, the likelihood that there is one person in the room with a specific birthday is only about 8%: 1-(364/365)^30. The likelihood that two people in the room share the same birthday is nearly 70%. The two variables here are the number of people in the room and the number of possible days. If there are 10 million possible variations of fingerprint and 5,000 people were at a conference on IT security, what is the likelihood of finding two with the same fingerprint? I’ll keep this idea around for my next detective novel.
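The fingerprint question above, worked through as an added example that is not part of the original post. It assumes the post's 10 million variations are all equally likely, and the function names are illustrative.

```python
import math

def p_specific_match(n, space):
    """Chance that at least one of n people matches one given value."""
    return 1.0 - ((space - 1) / space) ** n

def p_any_collision(n, space):
    """Chance that any two of n people share a value (exact product,
    summed in log space so large inputs do not underflow)."""
    if n > space:
        return 1.0  # pigeonhole: a repeat is guaranteed
    log_all_distinct = sum(math.log1p(-k / space) for k in range(n))
    return -math.expm1(log_all_distinct)

def smallest_group(target, space):
    """Smallest group size whose collision probability reaches target."""
    log_all_distinct = 0.0  # log P(all distinct) for the current n
    for n in range(1, space + 1):
        if -math.expm1(log_all_distinct) >= target:
            return n
        if n < space:
            log_all_distinct += math.log1p(-n / space)
    return space + 1

if __name__ == "__main__":
    DAYS = 365
    PRINTS = 10_000_000   # the post's hypothetical number of variations
    ATTENDEES = 5_000     # the post's hypothetical conference size

    print(f"30 people, one specific birthday: {p_specific_match(30, DAYS):.1%}")
    print(f"30 people, any shared birthday:   {p_any_collision(30, DAYS):.1%}")
    print(f"{ATTENDEES} people, {PRINTS} prints, any match: "
          f"{p_any_collision(ATTENDEES, PRINTS):.1%}")
    print(f"one named suspect matched by chance in that room: "
          f"{p_specific_match(ATTENDEES, PRINTS):.3%}")
    print(f"group size for a 50% chance of a matching pair: "
          f"{smallest_group(0.5, PRINTS)}")
```

Under those assumptions the 5,000-person conference has roughly a 71% chance of containing two matching prints, while the chance that anyone in the room matches one particular print stays around 0.05%.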

A Daubert test would look at the following 5 factors to determine whether a fingerprint expert would be able to testify:

  1. Empirical testing: the theory or technique must be falsifiable, refutable, and testable.
  2. Subjected to peer review and publication.
  3. Known or potential error rate.
  4. The existence and maintenance of standards and controls concerning its operation.
  5. Degree to which the theory and technique is generally accepted by a relevant scientific community.

The list is nondispositive and nonexclusive. The 4th and 5th factors are the only ones that have bearing on a fingerprint. Would these two factors alone be enough for courts to let a fingerprint expert testify? Maybe, but we would have to see a judge make that decision.

Friday, October 7, 2011

Cyberattack on Predator Drones?

Wired's Danger Room points out that US Predator and Reaper drones have been under attack by a computer virus:

To date, the virus has apparently only been logging the keystrokes of the operators. From the article, I get the impression that it is the operators’ workstations and not the drones themselves that are the subject of the attack. Wasn't this how computers took over the world in Terminator 3? Or was that Terminator 4? I can never remember.