Author: Danielle Citron


What Comes Around Goes Around

Today’s New York Times reports that a 68-year-old broker stole over $600,000 from elderly clients and then lost most of his loot in an Internet fraud scheme. The broker received an email from someone claiming to represent his distant relative who had died and left him over eight million dollars. The broker took the bait and wired overseas more than $400,000, apparently believing that the money would aid in the release of the inheritance.

Despite the significant publicity devoted to exposing such scams, consumers continue to fall prey to email fraudsters in significant numbers. Reports suggest that 29% of Internet users have been deceived by spam emails. According to the Sydney Morning Herald, Australians lost $36 million dollars last year to fraudsters claiming affiliations with Nigeria. An intriguing new scam involves fraudsters who set up fake profiles on dating sites, stringing along targets for months before agreeing to meet and then asking for money to help pay for a plane ticket. Some, like the Nigerian High Commission, suggest that the deceived are as guilty as those who ask for money and thus should be subject to arrest as well. That sentiment may not convince many, but in the case of the New York broker who stole his clients’ life savings, the email scam is truly just deserts.


Shiller’s Subprime Solution

In his 2005 book Irrational Exuberance, Yale economist Robert Shiller predicted the once unthinkable, and now unfortunate present: the boom and bust in real estate that would have grave consequences both in the U.S. and globally. In his newest book The Subprime Solution, Shiller calls for sweeping reform to address the current crisis. Part of his answer is greater transparency through financial databases and disclosures. He also argues for a Financial Product Safety Commission to protect consumers of financial products and services, much in the same way that the Consumer Products Safety Commission sheds light on, and removes, unsafe consumer products. This transparency-enhancing argument recalls the important proposal for a Federal Search Commission made by Frank Pasquale and Oren Bracha in the most recent issue of the Cornell Law Review. Whatever the merits of Shiller’s numerous suggestions, one thing is certain: heightened transparency of financial products and services would provide significant benefits to consumer confidence and the industry itself.


Fairfax on “Too Big to Fail”?

Over at the Conglomerate, Lisa Fairfax has a superb post on the current bailout crisis entitled “Too Big To Fail”? She writes:

“A dominant theme in the recent discussions of the bailouts is that certain entities are “too big to fail.” This got me thinking about the notion of “too big to fail” and its ramifications. In particular, I wonder whether and to what extent we need to pay closer attention to companies that are “too big to fail” going forward. A few questions come to mind. When people say that a company is too big to fail, does that really mean that a company is simply “too big”? If so, does that mean that we need to do more to encourage smaller companies, or at the very least do more to discourage large companies or companies that are intertwined with too many industries? Does it mean that these larger companies simply need to be broken apart, much in the way that we demanded AT&T break off into the baby bells. Alternatively, is there some value with ensuring that companies do not get “too big” in the sense that companies should be discouraged from having their tentacles in so many critical and multi-faceted operations that they play a pivotal role in the healthy operation of our markets, even if it does not have anti-trust implications? In other words, if a company is too big to fail, should we have taken steps to prevent these companies from getting so big, and presumably so important, to our economic health? And if so, should this be a focus for the future?

On the other hand, let’s assume that we are not prepared to discourage the growth of “too big” corporations. Perhaps then we need to take seriously increased regulation for such companies. Indeed, perhaps our current governance system is not equipped to monitor these companies. Moreover, if certain companies are so crucial to our economic health that we cannot permit them to fail, then it seems that we have an important interest in knowing as much as we can about those companies—and potentially more than we know about other companies. Enhanced disclosure and transparency not only would help us in times of crisis, but it would allow us to take preventative steps to combat problems before they arise. To be sure, some may contend that these companies are already heavily watched, while others may resist increased oversight of particular entities within the corporate world. But perhaps enhanced oversight is the price these “too big” companies must pay once we acknowledge that their continued existence is critical to our markets.”

Because the politicians have been saying that companies like Lehman were “too big” for the government to let fail, and because the news is awash in this talk, I thought that the readers here would benefit from Fairfax’s discussion.


Here Now and Soon Gone

Government accountability may be more of a slogan than a reality if agencies continue to fall down on their recording-keeping obligations. According to the New York Times, countless federal records have been irretrievably lost because federal employees regularly fail to preserve the documents they create on government computers, send by email, and post on agency websites. The EPA’s website, for instance, lists more than 50 broken links that once connected readers to documents on depletion of the atmosphere’s ozone layer. At least 20 documents have been removed from the website of the U.S. Commission on Civil Rights, including a draft report that was highly critical of the Bush Administration’s civil rights policies. Because federal agencies increasingly publish reports on the Web rather than on paper, and because agencies do not store records in a centralized manner, government records will simply disappear over time. Moreover, a recent GAO report notes that email records of senior officials at several large agencies were not consistently preserved. Those government records can never be checked.

The National Archives is in the early stages of creating a permanent electronic record-keeping system. Unfortunately, it is behind schedule and under budget. Although the House passed a bill in July that would require agencies to preserve more electronic records, President Bush has threatened to veto the bill on the grounds that it would “interfere with a president’s ability to carry out his or her constitutional and statutory responsibilities.” Government officials and employees who have not adhered to federal record-keeping rules likely will not start now, especially with the turnover in administration looming. Government records needed to assure accountability should not be here now and soon gone.


Harnessing the Wisdom of Crowds to Spot Spin

According to Business Week, this month marks the birth of Spinspotter, a website that lets users identify and discuss phrases in news stories that smack of bias. The website owner, a former Microsoft executive, will generate income by selling advertisements connected to the bias-infected new stories identified by users. For instance, Toyota might want to hang Prius ads around the phrase “gas guzzler.” Or Microsoft and Apple might want to buy ad space next to a news article that deems Windows Vista a “bug-filled failure.”

This is an intriguing, and mischevious, combination–users expose media bias (or its gullibility to spin doctors) while spin doctors append ads to win back or capture those cynical eyeballs. Given the site’s construction around key phrases, bias accomplished through silence may be missed. So often, media outlets emphasize the positive in politicians and industry such that the lack of criticism reveals a bias worthy of the SpinSpot treatment. But if crowds are indeed wise, they may find a way to highlight those bias-filled silences.


The Inability to Opt Out of DPI (or Why the Marketplace Cannot Cure Paul’s Worries)

Some might respond to Paul’s Ohm’s terrific article, The Rise and Fall of Invasive ISP Surveillance, by suggesting, as network providers do, that the marketplace will sort out our privacy concerns about Deep Packet Inspection practices because consumers can opt out of DPI tracking of their online life with a single click. Optimism about a proper functioning marketplace, however, is misplaced for several reasons. First, as Arstechnica reports, network providers bury notice of their inspection practices in densely worded privacy policies and do not email users to note the change in policy. Thus, a basic information asymmetry problem arises—consumers cannot reasonably be expected to know about, and protect themselves from, opaque practices. Second, even if consumers opt out of the creation of behavioral profiles for use in delivering ads, they may not be opting out of the copying of their traffic. And, third, as Dr. David Reed testified before the Subcommittee on Telecommunications and the Internet, even if some network providers switch to an opt-in approach or reject DPI entirely, consumers cannot totally control the use of DPI technologies by those with whom they communicate, thus rendering consumer choice illusory. Thus, the privacy concerns that Paul raises likely are not self-correcting.


Is LinkedIn a Bad Idea for Employers?

On LinkedIn, users connect with colleagues, clients, and friends, providing information about their professional specialties in the hopes of generating business opportunities. Although that social networking site and others like it may help organizations and their employees build client rosters, they also provide crucial information to hackers who use it to prey upon an organization’s employees and fool them into downloading malware into their system. With the Google search of “at site:” and a company’s name, an attacker can view a list of public LinkedIn profiles of individuals working at the company, their positions, and potentially a list of their closest colleagues. An attacker who knows the email address formatting conventions within a company would in turn know the email address of many potential victims.

Consider this example. An attacker learns that two employees with an organization, Jonathan and Nate, are friends. The attacker might send Jonathan an email purporting to be from Nate. The text of the message might say, “Jonathan, I would love your thoughts on this power point I put together for my upcoming conference. Best, Nate.” If the attacker can persuade Jonathan to open the email, the attacker can gain power over that user to spread malware that could raid the employer’s digital treasure chests of valuable information.

Markus Jakobsson offers advice on how to combat this problem. Employers could insist that employees do not maintain public profiles of their social networking sites. They could educate employees about the tactics used by attackers. Better spam filtering would make it harder to reach the potential victims, and good antivirus protection from an established vendor that provides regular, reliable updates may effectively block many dangerous attachments.


Agent Mulder Redux

Arstechnica reports that the U.K.’s National Hi-Tech Crime Unit will be producing to the United States government a British citizen who allegedly infiltrated computer systems run by the United States military and numerous federal agencies, including the Pentagon. It appears that the British hacker was searching for proof of “alien life.” U.S. Attorney Paul McNulty of the Eastern District of Virginia intends to pursue charges under the Computer Fraud and Abuse Act, which could result in serious jail time and significant fines.

Computer hacking to steal credit cards, trade secrets, and other valuable information is widespread. Although the pursuit of computer crimes has been slow to evolve, this extradition request and the recent arrest of 11 members of an international identity theft ring that stole 41 million credit and debit card numbers may signal to would-be hackers that they face the real risk of prosecution. It would be heartening to see the Department of Justice put its resources behind pursuing hackers who inflict serious financial and personal harm. Perhaps we could call any uptick in such prosecutions as the Mulder Effect.


The Googlization of Advertising

Search engines are indispensable to the quest for helpful information in our data saturated age. Although custom search engines attract small audiences, the big three—Google, Yahoo, and Microsoft—run the lion share of online searches, with Google performing 62% of U.S. Internet searches and with Yahoo next in line running 17.5% of searches. Not surprisingly, Google attracts a disproportionate share of online advertisers, the main source of revenue for search companies. The recent joint venture advertising agreement between Google and Yahoo heralds the further concentration of online advertising in the search market from three to two hands by allowing Google to sell search ads that display next to Yahoo search results.

This Sunday, the Association of National Advertisers announced its opposition to the Google-Yahoo deal on the grounds that the partnership would “diminish competition, increase concentration of market power, limit choices currently available and raise prices to advertisers.” Frank Pasquale presented spirited and compelling testimony on this issue before the House Judiciary Committee’s Task Force on Competition Policy and Antitrust Laws this summer. (I attended the hearing and highly recommend viewing the C-SPAN recording—see here). As Pasquale brought alive at the hearing, the joint venture agreement would cement Google’s dominance over the online advertising market. Benjamin Edelman of Harvard Business School explains that such excessive market share allows Google to control the ads generally available (and unavailable) to consumers. For instance, in August 2004, Google banned an ad critical of President Bush, but, of course, consumers did not know what they were missing. Worth serious consideration is Pasquale’s concern that the opacity of Google’s practices enables it to conceal any abuse of its soon-to-be overwhelming power in the online advertising market.


Cyber Stalking: Anything But a Modern Love Story

The Styles section of this Sunday’s New York Times featured Amy Klein’s essay, “My Very Own Cyberstalker,” in its weekly Modern Love column. In the essay, Klein, a journalist, recalls meeting a fellow reporter, Luke Ford, who then writes about her in his blog. At first, the reporter’s posts seemed innocuous, e.g., he wrote that she favored skirts when she in fact never wore them and that she was shy. Then, his posts escalated into the frightening–“I’d like to bonk Amy on the head with a Talmud and drag her back to my Aborigine-style hovel and make her mine.” He also began to criticize her work as delusional and shoddy. The blogger apparently continued his fixation with Klein for years, and at times, Klein worried that his writing hurt her reputation.

With her history with the cyber stalker thus recounted, Klein’s essay then veers into the unpredictable and, by my lights, deeply disturbing. Klein attests that “it was oddly flattering to have someone obsessed with me, even someone like Luke Ford.” She explains that when the reporter finally began to fixate, and blog, about other women (i.e., younger reporters whom he deemed hotter than Ms. Klein), she was sad. She asks “why had he dumped me?” and admits to missing the attention.

Klein’s essay is stupefying and offensive. Klein seemingly equates her cyber stalker with a love interest and, in the process, makes light of a deeply serious problem—cyber harassment—that afflicts countless women every year. According to a 2006 study, individuals writing under female names received 25 times more sexually menacing comments than posters writing under male names. And Working to Halt Online Abuse reports that, in 2006, 70% of the 372 individuals that it helped combat cyber harassment were female and, in half of those cases, the victims had no connection to their stalkers. In response to cyber attacks, women tend to go offline or write under gender-neutral pseudonyms to avoid further harassment. Victims of cyber harassment also feel a sustained loss of personal security. In short, cyber harassment is anything but a modern love story. Such coverage trivializes the very real problem of cyber harassment and, in turn, sends the odious message that such stalking is not only acceptable but indeed desirable.