December 9, 2006
Congress Passes Pretexting Law, Finally
One of the last accomplishments of the lame-duck 109th Congress was to pass a law criminalizing pretexting. That is the practice of lying to get the telephone records of another. The bill was introduced earlier this year as a reaction to the HP scandal, in which board members were investigated by company investigators over leaks. That generated legal action by the State of California, which the company settled for around $14.5 million. That was in addition to the internal turmoil, the SEC investigations, and resignations at HP over the incident.
The HP incident wasn't the only case. Over the last year news broke over web sites and other investigators getting cell phone records belonging to FBI agents, members of Congress, and even presidential candidate Wesley Clark. That cut close to home but did not spur any law getting passed until yesterday.
Anyone who makes false or fraudulent statements to phone company employees, obtains false or fraudulent documents to access accounts, or accesses customer accounts through the Internet faces prison sentences of up to 10 years and fines. Prison sentences and fines are enhanced if the damages are more than $100,000 or involve more than 50 customers.
Passage of this federal law comes in sharp contrast to the situation in California where the MPAA lobbied to kill a popular pretexting bill in the current Assembly. The MPAA said the law would hinder their ability to investigate piracy. Lying to get telephone records, Social Security numbers, financial, and other information is all part of keeping the product safe, and the state where the industry has the greatest clout managed to kill the bill at the last minute. The most harrowing provision for the MPAA was probably giving the right to sue to the victims. California ultimately did pass a bill that addressed telephone records and nothing else.
December 7, 2006
Your Shoes, If You Can Afford Them, Are Spying On You
So, your shoes may spy on you. A report written as a college project by University of Washington doctoral candidate Scott Saponas details how the Nike+iPod Kit can help "bad people" track a user. The sensor in the shoes broadcasts a signal to a receiver attached to an iPod Nano that gives running data to the user. The point of the report is that anyone can set up easily hidden receivers to track an individual. No security encrypts or otherwise limits the transmission, which has a range of about 60 feet. Saponas describes setting up just such a system for about $250 in parts. The likeliest people to use such a system are estranged boyfriends (girlfriends, husbands, wives, etc.), stalkers, and maybe just crazy people.
Should this be a cause for concern? Possibly, but for a majority of people probably not. This is not to minimize the potential threat. There is always someone loony enough out there who would go this far and more. But my reaction to this threat to privacy was "compared to what?" Our cell phones track us. Web sites track us. Microsoft Zune players can tell when another one is nearby.
Similar RFID chips are going into credit cards, driver's licenses, passports, corporate IDs, retail inventory, and a host of other applications. Security experts complain that the government implementation in passports is not secure, but the government is going forward with issuing their electronic documents anyway. I'm surprised that music and movie producers haven't embedded them in discs for players to tell the difference between an original and a copy.
Retailers love the idea of tracking inventory to make stock decisions simpler and less costly. RFID chips can also act as security devices to prevent theft. But privacy experts warn that these same chips can identify us and track our movements as we wear these clothes. The problem and contradiction in all of this is the convenience these technologies bring compared to how they can be used against us. Until someone actually does that malevolence in a significant way, I suspect that a majority of people will take the risk.
It was similar in the early days of the web when cookies became an issue. Cookies offer the convenience of a personalized web experience, such as having those shopping carts at online stores being static, or preserving a set of preferences at a site. Cookies also track our surfing habits. There is no doubt about that. Most people, however, don't erase them or clear their cache or other online trails because it's inconvenient to do so and it hasn't come back to hurt them compared to the convenience they get from cookies. Cookies are not going away and neither is RFID. But the choice is there: erase them, or leave them. It won't matter anyway if a government proposal goes through that Internet providers keep records of our site visits and emails for two years. We'll be tracked as mandated by law.
The report does not go after Apple and Nike for using this technology. It just points out the security issues as they currently exist. It's up to the user to make a decision over the risk. Buy a $10 pedometer if you are afraid someone is tracking your running route. Of course, that isn't as cool as the Nike and Apple brand combined, but you'll be a tad safer, though likely no more private than before.
Survey Finds Teens Love IM, Duh
The Associated Press is reporting survey results that compare the use of Instant Messaging between teens and adults. The results show that teens use IM more than adults. What a surprising development. (That's sarcasm, son, to paraphrase Foghorn Leghorn.) One third of teen IM users can't live without it, which is double the share of adults. Adults love email, but teens prefer IM. Both groups use the telephone when they want to discuss something serious, with 72% of teen IM users and 84% of adult IM users going for the handset.
There are lots of other comparisons in the report. Here's the story via the Seattle Post-Intelligencer.
December 6, 2006
Federal Panel to Develop Verification Standards in e-Voting
The Technical Guidelines Development Committee has voted to develop a standard for the next generation of voting machines to have an independent means of verifying election results. Any standard that is created by the NIST panel would have to be approved by the U.S. Election Assistance Commission. Predictions are the standard would not be implemented until 2009 at the earliest.
Electronic voting makes some people uneasy due to irregularities in equipment operation. Many machines are made by Diebold, which also makes ATMs. Anyone who has experienced an ATM swallowing their debit card has little difficulty transferring the experience to voting, whether or not this feeling is legitimate. As early as last October Diebold quietly fixed touch screen freezes in machines in use in Maryland. The freeze did not cause votes to be lost but could confuse voters and raise questions about the reliability of the machines. Disenfranchisement is the last impression anyone needs in close votes given the polarization of the electorate. Most courts tend to take that issue seriously.
States are looking at the issue as well for practical reasons. The biggest controversy out of last November's vote was the House contest in the 13th District of Florida. The Republican candidate Vern Buchanan was certified the winner over Democrat Christine Jennings by a margin of just 369 votes. The number of people who voted in Sarasota County for other offices but not the House contest was 18,000, a staggering number that was six times higher than other counties in the district. That prompted suits against state officials and the manufacturer of the touch screen voting equipment.
The Washington Post has the story on the development of verification standards.
December 5, 2006
New Federal Rules: Citation to Unpublished Opinions
While we're on the subject of changes to the federal rules, another significant change in the Rules of Appellate Procedure is scheduled to go into effect on January 1, 2007. Rule 32.1 will prohibit courts from restricting the citation to opinions designated as "unpublished," "not for publication," "non-precedential," "not precedent" or the like if the opinion is issued after the rule date. Westlaw and Lexis will be thrilled, as many of these opinions fill their databases. West Group should be particularly thrilled as it gives added reason for the existence of the Federal Appendix.
Lawyers have sought these opinions no matter what the rules have said about not citing them. The federal courts were right to finally recognize the reality of these opinions.
Rule 32.1 with comments is available here.
New Federal Rules: E-discovery
Last Friday the Federal Rules of Civil Procedure were amended to explicitly cover e-discovery. The world has moved into the digital age where document management systems archive paper documents electronically, or more likely, documents created and used digitally with paper the afterthought. But that's not the only focus for the rule change. Committee comments point to the efficiencies of searching electronic archives while balancing the costs and reasonableness of producing less accessible documents. That balance, ultimately, will get sorted out through motions to compel discovery.
The rules anticipate that documents relevant to anticipated litigation will be preserved. That's fine for document databases. Potential electronic documents also include email and IM transcripts. It's not that these can't be preserved. Corporations were a lot more lax in organizing information that may ultimately reside on the employee machine rather than on company servers. Moreover, the distinction between corporate communications gets a bit more squishy with free email and IM accounts available from a variety of vendors. Some employees are just as likely to handle some transactions outside of corporate channels for reasons ranging from ease of use to ease of evading detection. The new rules are more likely going to impact how businesses and other entities communicate in order to facilitate preservation and access compared to actually searching and producing documents. This may mean a greater wall between personal and business communication while at the office. It depends on how paranoid a company may be over this issue.
Expect HR and IT to collide over what policies to put in place and the onerousness of implementing them. And management, of course, will agonize over the cost. But that's what consultants are for, to work out these details.
The text of the federal rule amendments with committee comments is here. Excerpts from the Judicial Conference Report and the Report of the Advisory Committee on Civil Rules are available through links on this page.
December 4, 2006
New Med Study Shows Some Linkage Between Violent Games and Behavior
CNN and other outlets are reporting on a study that links aggressive activity by teens to violent video games. A substantial link between the two is the holy grail of those who are seeking to ban the sale of such games to children. This study, conducted by Dr. Vincent Matthews of the Indiana School of Medicine in Indianapolis, provides details only for short term effects. Among the various grounds courts use to defeat bans against game sales to minors is the lack of a link between aggressive behavior and the games. This same lack of a link helps defeat causes against movie production companies when their products are charged with inciting violence.
The study looked at minute changes in brain activity in 44 teens using magnetic resonance imaging (MRI) after they had played games for 30 minutes. Half played a violent game where they shot weapons and the other half played a car and speed game. Those who played the shooting game showed more activity in the part of the brain that handles emotional activity and less in the part that handles control and focus.
The study does not use random teens, however. Those studied were diagnosed with disruptive brain disorder (DBD), and the study suggests that the variation in the reaction to the games may be due to differences in brain structure. There is quite a bit more to this study than the press suggests. Most stories generalize the connection between violent video games and aggressive behavior compared to the type of individuals studied and the detailed conclusions. This is not to say that there might not be a link between violent video games and violent behavior, simply that a lot more work needs to be done before a court will use this as a basis to ban a game or award liability. A lot more work.
The study was presented at the 88th Scientific Assembly and Annual Meeting of the Radiological Society of North America in Chicago. The press release with more qualifying details about the study is here.