Author: Danielle Citron


Harnessing the Wisdom of Crowds to Spot Spin

According to Business Week, this month marks the birth of Spinspotter, a website that lets users identify and discuss phrases in news stories that smack of bias. The website owner, a former Microsoft executive, will generate income by selling advertisements connected to the bias-infected news stories identified by users. For instance, Toyota might want to hang Prius ads around the phrase “gas guzzler.” Or Microsoft and Apple might want to buy ad space next to a news article that deems Windows Vista a “bug-filled failure.”

This is an intriguing, and mischievous, combination–users expose media bias (or its gullibility to spin doctors) while spin doctors append ads to win back or capture those cynical eyeballs. Given the site’s construction around key phrases, bias accomplished through silence may be missed. So often, media outlets emphasize the positive in politicians and industry such that the lack of criticism reveals a bias worthy of the SpinSpot treatment. But if crowds are indeed wise, they may find a way to highlight those bias-filled silences.


The Inability to Opt Out of DPI (or Why the Marketplace Cannot Cure Paul’s Worries)

Some might respond to Paul Ohm’s terrific article, The Rise and Fall of Invasive ISP Surveillance, by suggesting, as network providers do, that the marketplace will sort out our privacy concerns about Deep Packet Inspection practices because consumers can opt out of DPI tracking of their online life with a single click. Optimism about a properly functioning marketplace, however, is misplaced for several reasons. First, as Ars Technica reports, network providers bury notice of their inspection practices in densely worded privacy policies and do not email users to note the change in policy. Thus, a basic information asymmetry problem arises—consumers cannot reasonably be expected to know about, and protect themselves from, opaque practices. Second, even if consumers opt out of the creation of behavioral profiles for use in delivering ads, they may not be opting out of the copying of their traffic. And, third, as Dr. David Reed testified before the Subcommittee on Telecommunications and the Internet, even if some network providers switch to an opt-in approach or reject DPI entirely, consumers cannot totally control the use of DPI technologies by those with whom they communicate, thus rendering consumer choice illusory. Thus, the privacy concerns that Paul raises likely are not self-correcting.


Is LinkedIn a Bad Idea for Employers?

On LinkedIn, users connect with colleagues, clients, and friends, providing information about their professional specialties in the hopes of generating business opportunities. Although that social networking site and others like it may help organizations and their employees build client rosters, they also provide crucial information to hackers who use it to prey upon an organization’s employees and fool them into downloading malware into their system. With the Google search of “at site:” and a company’s name, an attacker can view a list of public LinkedIn profiles of individuals working at the company, their positions, and potentially a list of their closest colleagues. An attacker who knows the email address formatting conventions within a company would in turn know the email address of many potential victims.

Consider this example. An attacker learns that two employees with an organization, Jonathan and Nate, are friends. The attacker might send Jonathan an email purporting to be from Nate. The text of the message might say, “Jonathan, I would love your thoughts on this power point I put together for my upcoming conference. Best, Nate.” If the attacker can persuade Jonathan to open the email, the attacker can gain power over that user to spread malware that could raid the employer’s digital treasure chests of valuable information.

Markus Jakobsson offers advice on how to combat this problem. Employers could insist that employees do not maintain public profiles of their social networking sites. They could educate employees about the tactics used by attackers. Better spam filtering would make it harder to reach the potential victims, and good antivirus protection from an established vendor that provides regular, reliable updates may effectively block many dangerous attachments.


Agent Mulder Redux

Ars Technica reports that the U.K.’s National Hi-Tech Crime Unit will be producing to the United States government a British citizen who allegedly infiltrated computer systems run by the United States military and numerous federal agencies, including the Pentagon. It appears that the British hacker was searching for proof of “alien life.” U.S. Attorney Paul McNulty of the Eastern District of Virginia intends to pursue charges under the Computer Fraud and Abuse Act, which could result in serious jail time and significant fines.

Computer hacking to steal credit cards, trade secrets, and other valuable information is widespread. Although the pursuit of computer crimes has been slow to evolve, this extradition request and the recent arrest of 11 members of an international identity theft ring that stole 41 million credit and debit card numbers may signal to would-be hackers that they face the real risk of prosecution. It would be heartening to see the Department of Justice put its resources behind pursuing hackers who inflict serious financial and personal harm. Perhaps we could call any uptick in such prosecutions the Mulder Effect.


The Googlization of Advertising

Search engines are indispensable to the quest for helpful information in our data-saturated age. Although custom search engines attract small audiences, the big three—Google, Yahoo, and Microsoft—run the lion’s share of online searches, with Google performing 62% of U.S. Internet searches and with Yahoo next in line running 17.5% of searches. Not surprisingly, Google attracts a disproportionate share of online advertisers, the main source of revenue for search companies. The recent joint venture advertising agreement between Google and Yahoo heralds the further concentration of online advertising in the search market from three to two hands by allowing Google to sell search ads that display next to Yahoo search results.

This Sunday, the Association of National Advertisers announced its opposition to the Google-Yahoo deal on the grounds that the partnership would “diminish competition, increase concentration of market power, limit choices currently available and raise prices to advertisers.” Frank Pasquale presented spirited and compelling testimony on this issue before the House Judiciary Committee’s Task Force on Competition Policy and Antitrust Laws this summer. (I attended the hearing and highly recommend viewing the C-SPAN recording—see here). As Pasquale brought alive at the hearing, the joint venture agreement would cement Google’s dominance over the online advertising market. Benjamin Edelman of Harvard Business School explains that such excessive market share allows Google to control the ads generally available (and unavailable) to consumers. For instance, in August 2004, Google banned an ad critical of President Bush, but, of course, consumers did not know what they were missing. Worth serious consideration is Pasquale’s concern that the opacity of Google’s practices enables it to conceal any abuse of its soon-to-be overwhelming power in the online advertising market.


Cyber Stalking: Anything But a Modern Love Story

The Styles section of this Sunday’s New York Times featured Amy Klein’s essay, “My Very Own Cyberstalker,” in its weekly Modern Love column. In the essay, Klein, a journalist, recalls meeting a fellow reporter, Luke Ford, who then writes about her in his blog. At first, the reporter’s posts seemed innocuous, e.g., he wrote that she favored skirts when she in fact never wore them and that she was shy. Then, his posts escalated into the frightening–“I’d like to bonk Amy on the head with a Talmud and drag her back to my Aborigine-style hovel and make her mine.” He also began to criticize her work as delusional and shoddy. The blogger apparently continued his fixation with Klein for years, and at times, Klein worried that his writing hurt her reputation.

With her history with the cyber stalker thus recounted, Klein’s essay then veers into the unpredictable and, by my lights, deeply disturbing. Klein attests that “it was oddly flattering to have someone obsessed with me, even someone like Luke Ford.” She explains that when the reporter finally began to fixate, and blog, about other women (i.e., younger reporters whom he deemed hotter than Ms. Klein), she was sad. She asks “why had he dumped me?” and admits to missing the attention.

Klein’s essay is stupefying and offensive. Klein seemingly equates her cyber stalker with a love interest and, in the process, makes light of a deeply serious problem—cyber harassment—that afflicts countless women every year. According to a 2006 study, individuals writing under female names received 25 times more sexually menacing comments than posters writing under male names. And Working to Halt Online Abuse reports that, in 2006, 70% of the 372 individuals that it helped combat cyber harassment were female and, in half of those cases, the victims had no connection to their stalkers. In response to cyber attacks, women tend to go offline or write under gender-neutral pseudonyms to avoid further harassment. Victims of cyber harassment also feel a sustained loss of personal security. In short, cyber harassment is anything but a modern love story. Such coverage trivializes the very real problem of cyber harassment and, in turn, sends the odious message that such stalking is not only acceptable but indeed desirable.


A Dangerous Combination: A Politicized Bench and Diluted Judicial Review

Over the summer, a number of sources reported on the Justice Department’s politicization of the immigration bench during the Bush administration. In July, the DOJ’s Inspector General and Office of Professional Responsibility released an investigative report concluding that Justice officials had illegally vetted immigration judges based on their political ties and ideological views. In August, the New York Times published an analysis of the records of the judges appointed under the illegally politicized system, which suggested that these judges disproportionately ruled against asylum-seekers in comparison to their peers appointed under the applicable civil service system.

However, these reports only skim the surface of the DOJ’s changes to the immigration system over the last seven years, and their lopsided effects. Shortly after September 11, 2001, the DOJ implemented expansive “streamlining” rules to the system of immigration adjudication at the agency which had significant consequences for asylum-seekers, agency decision making, and federal courts. (The DOJ oversees the nation’s immigration courts and system of administrative appeals).

Shruti Rana’s superb article, Streamlining the Rule of Law: How the Department of Justice is Undermining Judicial Review of Agency Action, coming out in the Illinois Law Review, analyzes how these streamlining rules, intended to speed up the deportation process and reduce the backlog of cases pending at the agency, instead stripped the immigration system of critical checks and balances and undermined judicial review. The article traces how the politically-vetted judges were installed just as the DOJ sought to grant these judges increasingly unfettered discretionary power. As the agency’s decisions grew increasingly arbitrary and inscrutable, immigration appeals flooded the federal courts, rising to nearly 20% of the federal docket (and now make up 90% of administrative appeals in the federal courts). The article explores the resulting clash between judicial review and agency discretion, and its implications for the vitality of judicial review.


A Not So Pretty Picture

ZDNet reports that over 1,000 Facebook users adopted a Photo of the Day application featuring National Geographic images that also embedded malicious code, creating a botnet of users that launched distributed denial of service attacks. The good news is that information security researchers orchestrated the “Facebot” in order to expose this security flaw. The bad news is that given the flaws in social network platforms, real attacks could be worse. (Here is the research paper that the group produced, which is entitled “Antisocial Networks: Turning a Social Network into a Botnet”). Although Facebook has fixed the vulnerability identified by the researchers, concerns remain about the security risks of third-party applications on social networking sites. The serious downside of a pretty picture, to be sure.


The Right to Have Our Votes Count

In early August, Ohio Secretary of State Jennifer Brunner sued Premier Election Solutions (formerly Diebold), alleging that Premier’s e-voting machines lost hundreds of votes cast in Ohio’s primary election. At first, Premier blamed the machines’ malfunction on conflicts caused by antivirus software from McAfee Inc. Now, Premier has accepted responsibility for the problem. In a letter to Secretary Brunner, Premier’s President admitted that logic errors in the machines’ source code caused the machines to lose the votes.

This is a major problem not just for Ohio but for all of the states using Premier’s e-voting machines in November. (Premier is one of the four top vendors of electronic voting machines used by states across the country). Premier has released a product advisory notice, telling users of its e-voting machines running the troubled software how to avoid lost votes. To fix the problem, poll workers have to check the vote-counting servers to see if all memory cards are shown as uploaded. Although the company has submitted “fixed” software for federal certification, the new and improved version will not be certified before the November election.

This November, votes cast on Premier’s machines will be counted accurately only if poll workers execute the fix correctly. This seems like a dangerous gamble as poll workers likely do not have technical backgrounds. So the puzzling question remains–why is it so hard to ensure that e-voting machines count our votes accurately? Something is clearly amiss with the testing authorities working in connection with the Election Assistance Commission–they failed to identify the logic error. Yet a variety of agencies, such as the NSA and FAA, oversee mission-critical systems that do not fail (at least not often). For instance, airplanes employ software and planes do not fall out of the sky. Perhaps, as Bruce Schneier suggests, voting machines need to undergo the same assurance practices as airplanes do in order to ensure that our votes are counted accurately.


E-Voting in California

Last summer, California’s Secretary of State Debra Bowen investigated the state’s electronic voting machines after allegations that they lost, added, or flipped votes. Teams of computer scientists found that the state’s e-voting systems had major security holes in their design and were vulnerable to attacks. California has now replaced its e-voting machines with the optical scan machines that it used for mail-in voting, only leaving one e-voting machine per precinct to accommodate voters with certain disabilities. Secretary Bowen recently explained to Government Technology that the decision to get rid of the machines came down to the concern that the state had no way to ensure that insiders, such as vendors and election officials, had not tampered with the machines’ software to alter the results. This concern is certainly justified. Party officials often control the administration of elections, and partisanship has long been a driving force in election officials’ dirty tricks. (Roy Saltman details these abuses in his comprehensive book on the history of voting machines). Because e-voting machines are black boxes whose actual operation cannot be checked, fraud perpetrated by vendors and election officials would be hidden from view.

Although it seems a colossal waste of the $450 million California counties spent on e-voting hardware and software, democracy will be better served so long as the optical scan machines provide a more accurate and secure solution. Bowen recently urged Los Angeles to adopt open source e-voting. This is a step in the right direction. Open source code voting machines would be more transparent, accurate, secure, and accountable. They also might be cheaper. Last month’s LinuxWorld conference hosted a mock election of open source code voting machines. At a price of $400, the voting machine is a tenth of the cost of proprietary machines because it is simply designed and based on free software. Open Voting Consortium hopes to announce the adoption of its open-source e-voting system by at least one large county in California soon and would like to provide their services to the rest of the state by 2012.