Author: Danielle Citron


Agent Mulder Redux

Arstechnica reports that the U.K.’s National Hi-Tech Crime Unit will be producing to the United States government a British citizen who allegedly infiltrated computer systems run by the United States military and numerous federal agencies, including the Pentagon. It appears that the British hacker was searching for proof of “alien life.” U.S. Attorney Paul McNulty of the Eastern District of Virginia intends to pursue charges under the Computer Fraud and Abuse Act, which could result in serious jail time and significant fines.

Computer hacking to steal credit cards, trade secrets, and other valuable information is widespread. Although the pursuit of computer crimes has been slow to evolve, this extradition request and the recent arrest of 11 members of an international identity theft ring that stole 41 million credit and debit card numbers may signal to would-be hackers that they face the real risk of prosecution. It would be heartening to see the Department of Justice put its resources behind pursuing hackers who inflict serious financial and personal harm. Perhaps we could call any uptick in such prosecutions as the Mulder Effect.


The Googlization of Advertising

Search engines are indispensable to the quest for helpful information in our data saturated age. Although custom search engines attract small audiences, the big three—Google, Yahoo, and Microsoft—run the lion share of online searches, with Google performing 62% of U.S. Internet searches and with Yahoo next in line running 17.5% of searches. Not surprisingly, Google attracts a disproportionate share of online advertisers, the main source of revenue for search companies. The recent joint venture advertising agreement between Google and Yahoo heralds the further concentration of online advertising in the search market from three to two hands by allowing Google to sell search ads that display next to Yahoo search results.

This Sunday, the Association of National Advertisers announced its opposition to the Google-Yahoo deal on the grounds that the partnership would “diminish competition, increase concentration of market power, limit choices currently available and raise prices to advertisers.” Frank Pasquale presented spirited and compelling testimony on this issue before the House Judiciary Committee’s Task Force on Competition Policy and Antitrust Laws this summer. (I attended the hearing and highly recommend viewing the C-SPAN recording—see here). As Pasquale brought alive at the hearing, the joint venture agreement would cement Google’s dominance over the online advertising market. Benjamin Edelman of Harvard Business School explains that such excessive market share allows Google to control the ads generally available (and unavailable) to consumers. For instance, in August 2004, Google banned an ad critical of President Bush, but, of course, consumers did not know what they were missing. Worth serious consideration is Pasquale’s concern that the opacity of Google’s practices enables it to conceal any abuse of its soon-to-be overwhelming power in the online advertising market.


Cyber Stalking: Anything But a Modern Love Story

The Styles section of this Sunday’s New York Times featured Amy Klein’s essay, “My Very Own Cyberstalker,” in its weekly Modern Love column. In the essay, Klein, a journalist, recalls meeting a fellow reporter, Luke Ford, who then writes about her in his blog. At first, the reporter’s posts seemed innocuous, e.g., he wrote that she favored skirts when she in fact never wore them and that she was shy. Then, his posts escalated into the frightening–“I’d like to bonk Amy on the head with a Talmud and drag her back to my Aborigine-style hovel and make her mine.” He also began to criticize her work as delusional and shoddy. The blogger apparently continued his fixation with Klein for years, and at times, Klein worried that his writing hurt her reputation.

With her history with the cyber stalker thus recounted, Klein’s essay then veers into the unpredictable and, by my lights, deeply disturbing. Klein attests that “it was oddly flattering to have someone obsessed with me, even someone like Luke Ford.” She explains that when the reporter finally began to fixate, and blog, about other women (i.e., younger reporters whom he deemed hotter than Ms. Klein), she was sad. She asks “why had he dumped me?” and admits to missing the attention.

Klein’s essay is stupefying and offensive. Klein seemingly equates her cyber stalker with a love interest and, in the process, makes light of a deeply serious problem—cyber harassment—that afflicts countless women every year. According to a 2006 study, individuals writing under female names received 25 times more sexually menacing comments than posters writing under male names. And Working to Halt Online Abuse reports that, in 2006, 70% of the 372 individuals that it helped combat cyber harassment were female and, in half of those cases, the victims had no connection to their stalkers. In response to cyber attacks, women tend to go offline or write under gender-neutral pseudonyms to avoid further harassment. Victims of cyber harassment also feel a sustained loss of personal security. In short, cyber harassment is anything but a modern love story. Such coverage trivializes the very real problem of cyber harassment and, in turn, sends the odious message that such stalking is not only acceptable but indeed desirable.


A Dangerous Combination: A Politicized Bench and Diluted Judicial Review

Over the summer, a number of sources reported on the Justice Department’s politicization of the immigration bench during the Bush administration. In July, the DOJ’s Inspector General and Office of Professional Responsibility released an investigative report concluding that Justice officials had illegally vetted immigration judges based on their political ties and ideological views. In August, the New York Times published an analysis of the records of the judges appointed under the illegally politicized system, which suggested that these judges disproportionately ruled against asylum-seekers in comparison to their peers appointed under the applicable civil service system.

However, these reports only skim the surface of the DOJ’s changes to the immigration system over the last seven years, and their lopsided effects. Shortly after September 11, 2001, the DOJ implemented expansive “streamlining” rules to the system of immigration adjudication at the agency which had significant consequences for asylum-seekers, agency decision making, and federal courts. (The DOJ oversees the nation’s immigration courts and system of administrative appeals).

Shruti Rana’s superb article, Streamlining the Rule of Law: How the Department of Justice is Undermining Judicial Review of Agency Action, coming out in the Illinois Law Review, analyzes how these streamlining rules, intended to speed up the deportation process and reduce the backlog of cases pending at the agency, instead stripped the immigration system of critical checks and balances and undermined judicial review. The article traces how the politically-vetted judges were installed just as the DOJ sought to grant these judges increasingly unfettered discretionary power. As the agency’s decisions grew increasingly arbitrary and inscrutable, immigration appeals flooded the federal courts, rising to nearly 20% of the federal docket (and now make up 90% of administrative appeals in the federal courts). The article explores the resulting clash between judicial review and agency discretion, and its implications for the vitality of judicial review.


A Not So Pretty Picture

ZDNet reports that over 1,000 Facebook users adopted a Photo of the Day application featuring National Geographic images that also embedded malicious code, creating a botnet of users that launched distributed denial of service attacks. The good news is that information security researchers orchestrated the “Facebot” in order to expose this security flaw. The bad news is that given the flaws in social network platforms, real attacks could be worse. (Here is the research paper that the group produced, which is entitled “Antisocial Networks: Turning a Social Network into a Botnet”). Although Facebook has fixed the vulnerability identified by the researchers, concerns remain about the security risks of third-party applications on social networking sites. The serious downside of a pretty picture, to be sure.


The Right to Have Our Votes Count

In early August, Ohio Secretary of State Jennifer Bruner sued Premier Election Solutions (formerly Diebold), alleging that Premier’s e-voting machines lost hundreds of votes cast in Ohio’s primary election. At first, Premier blamed the machines’ malfunction on conflicts caused by antivirus software from McAfee Inc. Now, Premier has accepted responsibility for the problem. In a letter to Secretary Bruner, Premier’s President admitted that logic errors in the machines’ source code caused the machines to lose the votes.

This is a major problem not just for Ohio but for all of the states using Premier’s e-voting machines in November. (Premier is one of the four top vendors of electronic voting machines used by states across the country). Premier has released a product advisory notice, telling users of its e-voting machines running the troubled software how to avoid lost votes. To fix the problem, poll workers have to check the vote-counting servers to see if all memory cards are shown as uploaded. Although the company has submitted “fixed” software for federal certification, the new and improved version will not be certified before the November election.

This November, votes cast on Premier’s machines will be counted accurately only if poll workers execute the fix correctly. This seems like a dangerous gamble as poll workers likely do not have technical backgrounds. So the puzzling question remains–why is it so hard to ensure that e-voting machines count our votes accurately? Something is clearly amiss with the testing authorities working in connection with the Election Assistance Commission–they failed identify the logic error. Yet a variety of agencies, such as the NSA and FAA, oversee mission-critical systems that do not fail (at least not often). For instance, airplanes employ software and planes do not fall out of the sky. Perhaps, as Bruce Schneier suggests, voting machines need to undergo the same assurance practices as airplanes do in order to ensure that our votes are counted accurately.


E-Voting in California

Last summer, California’s Secretary of State Debra Bowen investigated the state’s electronic voting machines after allegations that they lost, added, or flipped votes. Teams of computer scientists found that the state’s e-voting systems had major security holes in their design and were vulnerable to attacks. California has now replaced its e-voting machines with the optical scan machines that it used for mail-in voting, only leaving one e-voting machine per precinct to accomodate voters with certain disabilities. Secretary Bowen recently explained to Government Technology that the decision to get rid of the machines came down to the concern that the state had no way to ensure that insiders, such as vendors and election officials, had not tampered with the machines’ software to alter the results. This concern is certainly justified. Party officials often control the administration of elections, and partisanship has long been a driving force in election officials’ dirty tricks . (Roy Saltman details these abuses in his comprehensive book on the history of voting machines). Because e-voting machines are black boxes whose actual operation cannot be checked, fraud perpetrated by vendors and election officials would be hidden from view.

Although it seems a colossal waste of the $450 million California counties spent on e-voting hardware and software, democracy will be better served so as long as the optical scan machines provide a more accurate and secure solution. Bowen recently urged Los Angeles to adopt open source e-voting. This is a step in the right direction. Open source code voting machines would be more transparent, accurate, secure, and accountable. They also might be cheaper. Last month’s LinuxWorld conference hosted a mock election of open source code voting machines. At a price of $400, the voting machine is a tenth of the cost of proprietary machines because it is simply designed and based on free software. Open Voting Consortium hopes to announce the adoption of its open-source e-voting system by at least one large county in California soon and would like to provide their services to the rest of the state by 2012.


The GPS Device: Law Enforcement’s Dirty Little Secret?

This Sunday, the New York Times reported on a recent trend–prosecutors’ growing use of a defendant’s Global Positioning System device (e.g., cell phone, car, among others) to prove the defendant’s location. For instance, prosecutors in suburban Chicago used data from a defendant’s GPS device in his car to place the defendant at the scene of a murder. To be sure, tracking a person’s location is common-place in criminal investigations. But my colleague Renée Hutchins (who is quoted in the NY Times article) cautions that law enforcement should be allowed to acquire GPS data only by getting a warrant. In her recent UCLA Law Review article entitled Tied Up in Knotts? GPS Technology and the Fourth Amendment, Hutchins develops that argument.

Read More


Reputation Under Fire

As Dan Solove brought alive in his superb book The Future of Reputation, online reputations are fragile and can easily be destroyed by determined individuals. Steve Rattner, a Managing Director at DLJ Merchant Banking, recently learned that lesson the hard way. The New York Times reports that in 2003, Mr. Rattner had an affair with a married woman in London. Even though the affair and the woman’s marriage ended years ago, the woman’s ex-husband began a campaign to destroy Mr. Rattner’s reputation over the summer. On a half a dozen websites, the ex-husband accused Mr. Rattner of using his firm’s money to pay for prostitutes and trying to “steal” the man’s wife with exotic trips and expensive gifts. He included these accusations in emails to Mr. Rattner’s colleagues, clients, and reporters. When asked why he waited five years to respond to the long-ended affair, the ex-husband explained that he needed to get his life “together” in order to address his wife’s betrayal. Although Mr. Rattner admits the affair, he says that the ex-husband’s claims are “either untrue or gross exaggerations.” According to Mr. Rattner, the online accusations have spread like a virus, and he has since resigned from his job.

The Rattner incident demonstrates that online accusations are difficult to contain and even more difficult to counteract. Although it is certainly possible that Mr. Rattner’s work troubles had more to do with the beleaguered market than the online accusations, his situation demonstrates the broader problem that misinformation considerably affects our thinking, no matter how much we protest its influence. We also often forget the collateral damage that can accompany online attacks. Another Wall Street financier has the same name as Steven Rattner–he reports fielding panicked calls from friends and investors who learned of the story. That Steven Rattner, too, had to spend time rehabilitating his online reputation. As in Shusaku Endo‘s terrific novel Scandal, having a doppelgänger is not always easy.


The Clear and Present Danger of Cyber Warfare

Malicious hacking and denial of service attacks are potent weapons of twenty-first century warfare. Recently, Russian and Georgian hackers attacked vital websites in each other’s countries as troops fought on the ground. They shut down government portals. Hackers defaced government websites (e.g., routing visitors to the Georgian President’s website to a site that portrayed him as a modern-day Hitler). Although cyber attackers have not yet significantly disrupted or destroyed government systems in the United States, they have stolen sensitive information about weapon systems from the U.S. government and its defense contractors. Cyber attackers invaded the State Department’s highly sensitive Bureau of Intelligence and Research, posing a risk to CIA operatives in embassies around the world. Online espionage is a serious problem—attacks on military networks were up 55% last year. U.S. officials reportedly believe the attacks come from the Chinese government.

The United States seems to appreciate the dangers of cyber warfare. According to Business Week, the U.S. is engaged in a classified operation to detect, track, and disarm intrusions on the government’s most critical networks. President Bush signed an order known as the Cyber Initiative to overhaul the government’s cyber defenses at a cost in the tens of billions. However, in testimony before the Senate Armed Services Committee, National Intelligence Director McConnell asserted that the “federal government is not well protected.” He warned that attackers can enter information systems and destroy data and systems related to the “money supply, electric-power distribution, and transportation sequencing.”

Despite attention to the matter in the U.S., the better part of the world does not take cyber warfare seriously, leaving their networks increasingly vulnerable to attack. This is not unusual—few appreciated the importance and potency of propaganda campaigns at the beginning of World War II until the power of such propaganda became readily apparent and deeply rooted. Broad attention should be paid to cyber attacks. Online sabotage compounds the dangers inherent in national conflicts. Nations may be unable to decelerate tensions through online communications. Cyber attacks convey inaccurate information that can inflame public option, limiting leaders’ political room to defuse tensions. The dangers of cyber warfare thus should not under-estimated.