Republican Presidential candidate Donald Trump recently indicated that he would at least consider setting up a database to track Muslims. While he’s since to some degree backed away from it, it still makes an interesting thought experiment in the context of database design and public policy – if only to point out how very, very fraught such a thing would be.
Needless to say, the whole notion of such a database is problematic. Any student of American history, ranging from the Japanese internment to McCarthyism, can explain this. But simply as a technical issue, here’s all the reasons it’s impractical.
- How do we define “Muslim”? Self-defined? Your parents were? What if one parent was? How devout do you have to be to “count”? (Theoretically, the U.S. could use the definition of Jewish that the Nazis used, but that might be politically unpopular.)
- Similarly, which people “in” the U.S. would need to register? Citizens? Students? (That should go over well with the colleges and universities that count on foreign student tuition.) Visitors? How long do you have to be in the country before you sign up? Do they get removed from the database when they leave?
- Just what information is going to be tracked? And how does it get updated when it’s changed? Keep in mind how challenging it is even to ensure that voter rolls are kept up to date.
- How do you get people to sign up? If it’s voluntary, do we really think that people with terrorist leanings are going to meekly put their names on a database? If not, how do you enforce signups? Where do you get the data to begin with to find the people you want to sign up? The census, for example, no longer tracks religion.
- On the other hand, how do you keep non-Muslims from signing up as an “I am Spartacus” act of protest? Following the (sadly untrue) belief that World War II’s King Christian of Denmark wore a yellow star to show solidarity with Jews, a number of people have already indicated that they plan to identify as Muslim should any such system be implemented. Do we just shrug and say ok, if you want to say you’re Muslim, you are?
- If you don’t just register yourself, how do you deal with false positives? Remember that even Senator Ted Kennedy has been put on a terrorism no-fly list.
- Who’s going to provide this database? While companies such as IBM reportedly worked with the Nazis during World War II, many vendors these days consider themselves progressive. It’s difficult to believe, for example, that Google or Facebook would cooperate with such an effort.
- Similarly, who’s going to set this up and work on it? Presumably this would be a government effort, perhaps through the Department of Homeland Security. But how many techies are actually going to consent to work on this? It doesn’t seem like the sort of project where outsourcing is going to be a good idea, you know?
- More to the point, how do you ensure that protesting techies don’t sabotage it in some way? Does anyone think that Anonymous – which is doing its own work to help reduce terrorism – is going to let this database stay up and functioning properly for more than ten seconds? Won’t an effort like this spawn a dozen Edward Snowdens who want people to know what their country is doing?
- Aside from the politically motivated hackers, how is the database going to be secured, both for the amount of personally identifiable information it would have and from the people who might decide to use it to take out their Muslim neighbors?
- How much is this going to cost? And where’s the money going to come from? Michigan, for example, has paid HP $33 million to develop a replacement for its Secretary of State’s system. The state’s population is about 9 million, right in the 5 to 12 million range estimated for the number of Muslims in the U.S.
- How long is this going to take? Going back to Michigan, the state is now suing HP for $49 million after the company took more than ten years and still didn’t deliver a working product.
- Finally, keep in mind that every organization from the ACLU to the EFF would be taking the government to court on this, which would mean development would take even more time.
In short, even if this database were a good idea, it would be years before the data could be used. Hopefully, by then, we’ll have wised up.
Smile. You’re on the government’s camera.
Increasingly, governments are able to identify people using facial recognition software, and are collecting databases of people’s faces – not just criminals, but regular, ordinary people. Generally, there’s no laws against it.
And what’s more, we’re helping them do it.
Collectors of such images range from border security to law enforcement organizations to even retailers. “Before taking her away, Officer Rob Halverson paused in the front yard, held a Samsung Galaxy tablet up to the woman’s face and snapped a photo,” writes Ali Winston, of a program in San Diego. “Halverson fiddled with the tablet with his index finger a few times, and – without needing to ask the woman’s name or check her identification – her mug shot from a previous arrest, address, criminal history and other personal information appeared on the screen.”
Photos used in the system come from the statewide law enforcement database, which includes 32 million driver’s license photos, Winston writes. The county is also looking at using mug shots from statewide gang and parolee databases, he adds.
Similarly, Australia announced earlier this year that it was spending $18.5 million to create a database of facial photos – including photos from Facebook and Instagram — for use in federal law enforcement. “The images can come from drivers’ licences, passport photos or security cameras in your local shopping center,” write Margot O’Neill and Amy Sherden for ABC Australia.
The FBI has a similar program. Incidentally, the system has a 20 percent failure rate in terms of identification.
There’s also the security aspect. “If your passport, credit card, PIN or tax file number are compromised due to a security breach, they can be replaced fairly easily,” writes Adam Molnar in The Conversation. “Not so with your facial features. If a biometric database is hacked, the information can potentially be abused by criminals over your entire life.”
Coincidentally, there’s suddenly a swarm of games out there that seem to have the goal of collecting facial photographs. Earlier this year, Microsoft’s “How Old Do I Look” analyzer swept through Facebook. Were the results right? Were they wrong? Who cares? The point is, within a few hours, Microsoft had tens of thousands of new facial photographs.
“Proposed uses include verifying whether two faces in separate photos belong to the same person, or using one person’s photos to find him or her in multiple other photos,” writes CBC News. You know, like searching photos of a demonstration to identify protesters.
For what it’s worth, the developers now say the site doesn’t save the photo. “No we don’t store photos, we don’t share them and we only use them to guess your age and gender,” write Corom Thompson and Santosh Balasubramanian, Engineers in Information Management and Machine Learning at Microsoft, who wrote a blog post about it. “The photos are discarded from memory once we guess. While we use the terms of service very common in our industry, and similar to most other online services, we have chosen not to store or use the photos in any way other than to temporarily process them to guess your age.”
But even assuming that’s true, how many people even thought about that aspect before trying to find out how young they looked? Even without saving the pictures, the database now has a lot more practice identifying people. And just because this app doesn’t save photos, how about other apps?
More recently, there’s the “My Most-Used Words on Facebook” app, which not only looks at the words you’ve posted in the past year but every picture that’s been posted – which most people didn’t even notice, writes Paul Bischoff. “Over 16 million people have agreed to give up almost every private detail about themselves to a company they likely know nothing about just to play a quiz,” he writes. In addition to a boatload of information about yourself and your friends, it also has access to all the photos you’re tagged in.
Like Microsoft, the word cloud app vendor, Vonvon, said it didn’t save the data, and later allowed people to edit the permissions for their personal information. But again – how many people even thought to look at the permissions?
(And now there’s a new one, Which is Your Most-Liked Photo On Facebook?)
Or there’s the recent trend toward “gigapixel” super-high resolution photos of enormous sporting events, where the more than 100,000 attendees are not only perfectly identifiable, but are encouraged to helpfully tag themselves and their friends. It takes only 2 minutes and 40 seconds to photograph an entire stadium, and the company specializing in the process says it typically has eight such projects every weekend.
It may be that all these apps are perfectly innocent. But we don’t know. And until we do, it behooves us to be careful – at least til we find out who’s on the other side of the camera.
The British government is pushing for a law that would require Internet service providers to keep for a year a list of all the websites that their users visit – an action that has already been ruled a violation of privacy by the European Court of Justice. And this new law was in response to the last set of Paris terrorist attacks, let alone the most recent ones.
The Investigatory Powers Bill would order communications companies, such as broadband firms, to hold basic details of the services that someone has accessed online, explains the BBC. “This duty would include forcing firms to hold a schedule of which websites someone visits and the apps they connect to through computers, smartphones, tablets and other devices,” the BBC writes. “Police and other agencies would be then able to access these records in pursuit of criminals — but also seek to retrieve data in a wider range of inquiries, such as missing people.”
While the government already has some of these powers, it doesn’t have historical information about the websites people visit, reports the BBC.
“This isn’t a license for the police to simply prowl over everything you have been doing, but I quite accept that a lot of data is being kept by these service providers and under the government’s proposals it would be kept for a very long time,” David Anderson, described as the “government’s terror watchdog,” told the BBC.
Predictably, some members of the UK government are using the most recent Paris attacks to justify accelerating adoption of the Investigatory Powers Bill. “Lord Carlile says Theresa May’s Snooper’s Charter should be rushed through Parliament within the next month, to prevent terrorist attacks in the UK,” writes Mikey Smith for the Mirror. “Speaking in the wake of the Paris terror attacks, the Lib Dem peer warned: ‘It could have been London.’”
What might end up stopping the whole plan is less a matter of privacy or personal liberty and more a matter of money. Though the cost of performing universal surveillance has gotten a lot more affordable lately, thanks to cheaper storage, tracking all these websites still adds up, reports the BBC. The British government had allocated 175 million pounds – about $267 million – but that might not be enough, the BBC writes.
Part of the cost, of course, is protecting all that data. It could end up being a treasure trove for hackers, after all, because it could provide all sorts of juicy blackmail material such as which porn sites people visit. “Making sure there’s no way the hackers can get in is a challenge for any company, and that is hard work,” Adrian Kennard, director of Andrews & Arnold, a Bracknell-based internet provider, told the BBC. “This is sensitive personal information, even if you are just holding the websites people went to and not the specific pages. That makes it a very valuable target for criminals to go after — they may even try to infiltrate employees into companies to try to access it.”
Ironically, this is all happening despite findings that such broad-based surveillance actually doesn’t do much to help prevent terrorist attacks. “Court documents lodged in the US and UK, as well as interviews with involved parties, suggest that data-mining through Prism and other NSA programmes played a relatively minor role in the interception of the two plots” that governments claimed were prevented, writes Ed Pilkington and Nicholas Watt for the Guardian. “Conventional surveillance techniques, in both cases including old-fashioned tip-offs from intelligence services in Britain, appear to have initiated the investigations.”
That said, other law enforcement organizations such as the FBI are also using the Paris attacks to justify their long-held position that governments should mandate a “back door” into encryption, even though there’s no evidence the attackers used encryption — and, in fact, quite a lot of evidence that they didn’t.
Companies that collect data – and organizations that like to help people concerned about the data the companies are collecting – are on opposing sides of a case that the Supreme Court is hearing.
Like the recent decision on whether you had to give up your phone password, this is one of those incredibly arcane legal things that has very little to do with the actual case, but could have major ramifications to the computer industry either way it’s decided.
The actual case revolves around the data aggregation site Spokeo. This site has been around for a while. It uses publically available data to collect information about a person, some of which it provides for free and some of which you pay for. Because of how it collects and aggregates the data, it can sometimes be laughably inaccurate.
“It listed me as married to someone ten years older than his actual age whom I divorced in 2002, that my house was worth $1 million (let me tell you, my *town* is hardly worth that much), that I played hockey and football, and that my 60+ year-old house was built in 2003,” I wrote in 2010 when this site first started making the rounds. It’s not much more accurate today; it lists my former husband as taking my name and has his age wrong, it lists an email address I never used and a phone number I haven’t used in two years, and has me living in two houses a thousand miles apart at the same time (one of them is off by almost twenty years).
That said, it still has a list of all the places I’ve lived since college with significant information about them, and enough contact information that if someone wanted to be a pest, they could do so, especially if they were willing to pay to get additional information about me. Could someone have gotten this information on their own? Sure, but it would have been harder and more time-consuming. (Interestingly, some of the briefs in this case encourage the Justices to look themselves up.)
Anyway, there’s this guy, Thomas Robins, who didn’t find the inaccuracies laughable. In fact, he said they had caused him harm. Did they say he was an embezzler or a child molester? No, they said he had a graduate degree and was married with children. He was concerned that this inaccurate information would make it harder for him to find a job, though he didn’t have any evidence that had happened or that anyone had even looked at his file in the first place. And so he was suing Spokeo, not because their collection of data was creepy and an invasion of his privacy, but because it was inaccurate. Now the case has made its way to the Supreme Court, which heard oral arguments on it this month.
And so that’s what the legal decision hinges on. It’s not about Spokeo’s collection of the data. It’s not about whether Robins was damaged by the inaccurate data. (Indeed, a number of the arguments on either side make it clear that they aren’t commenting on the merits of his case, which implies they think it’s a crock.)
Instead, it’s all about whether Robins has “standing” to file a case, because he can’t point to any specific damages that were done – simply the fact that he believes that Spokeo is violating the Fair Credit Reporting Act by having this inaccurate information about him in its database.
How many millions does he stand to get if he wins? None. At most, if the court decides he has standing, and if he wins, he gets $1,000. So why is he going to all this effort to file the case? And why are companies like Google, Facebook, eBay, and Yahoo! lining up to fight him on it? (To give some indication of the significance of this case, there’s 17 friend of the court briefs on it. That’s a lot.)
Because if it’s decided Robins has standing, even though he doesn’t have any specific damages he can prove, anybody can file a case any time they find a company making some sort of mistake or violating some aspect of a federal law, even if it didn’t hurt them – such as failing to follow the law by including an 800 number in its listing. “Plaintiffs can seek damages for unwanted phone calls or text messages, [Spokeo’s attorneys] noted, as well as improper disclosure of videos, mislabeled food, a failure to provide full notices involving loans or debts and retaining or disclosing personal information from credit cards and other electronic transactions,” writes David Savage in the Los Angeles Times.
Moreover, they can do it as a class action. Let’s say they discovered Facebook was making some sort of error in its data collection that applied to every member of Facebook. So that $1,000 per person suddenly becomes $1.23 trillion, plus the cost of fighting the case. And Facebook, Google and Yahoo have already all faced similar lawsuits over violations of different federal laws, writes Lawrence Hurley for Reuters.
“This closely-watched case has major potential implications for consumer-facing companies of all types, as it may result either in a ‘green light’ for no-damage class actions based on technical liability theories, or could result in a requirement that plaintiffs plead and prove some concrete harm, which would create a major new roadblock for consumer claims, particularly class actions,” summarizes the Consumer Financial Services Law Monitor. The case could also limit Congress’ ability to pass laws in the future to help protect people from inaccurate information.
Of course, who really stands to make money with this kind of case? The lawyers. Chances are you’ve gotten one of these class-action notifications before – pages and pages of tiny print telling you that if you jump through a whole lot of hoops, eventually you’ll get $5.34, while the legal firms that fought the case collect millions. People arguing against this case say that a finding in favor of Robins will result in many, many more class-action lawsuits.
On the other hand, it’s important to retain the right to have class-action lawsuits in the first place, because that’s how change gets made and wrongs get righted. And people arguing in favor of this case point out that there’s other times when people have been allowed to sue without having to prove specific damages in their case, such as housing discrimination cases. “If Spokeo wins the broad holding its lawyers at Mayer Brown are advocating, class actions under all sorts of consumer and civil rights statutes, including the Telephone Consumer Protection Act, the Wiretap Act, and the Americans with Disabilities Act, will be endangered,” writes Alison Frankel for Reuters. On the other hand, requiring plaintiffs to show that they’ve suffered “real-world harm” could make it harder to fight patent trolls, she adds.
So organizations such as the Center for Democracy and Technology and the Electronic Frontier Foundation are also stepping in, because they want to ensure that people have the right to protect themselves from inaccurate data collection. “A host of privacy laws, including the Stored Communications Act, the Video Privacy Protection Act, and the Cable Communications Policy Act, create a private right of action similar to FCRA, and could be limited by a broad ruling in this case,” writes G.S. Hans of the CDT. “As with FCRA, each of these laws remains vital to protecting individual privacy today, given how much data exists about us online and the potential for privacy violations involving that data.”
What might be the most Solomonic ruling, these organizations and analysts say, is for the Court to rule that Robins does or doesn’t have standing, but to limit it to this case in particular rather than establishing a broad legal precedent. “A broad ruling that an alleged statutory violation alone is insufficient injury in fact to establish Article III standing would impinge on congressional authority and invalidate private actions in a wide range of federal statutes,” the CDT and EFF write. “The question before the Court asks whether Congress can confer Article III standing by authorizing a private right of action based on a ‘bare violation’ of any federal statute. As framed, the question presented has implications far beyond Mr. Robins’ particular case and the FCRA itself. The Court’s ruling could affect the ability of individuals to file claims under private rights of action authorized by a vast number of other federal statutes, as well.”
The Court is expected to rule by June.
The Edward Snowden revelations happened more than two-and-a-half years ago, but repercussions are still happening.
Here’s the background, according to the firm Paul Hastings. The European Union passed a law that went into effect in October, 1998, that prohibited transfers of personal data to third countries that do not ensure an “adequate level of protection.” The Clinton Administration then negotiated the U.S.-EU Safe Harbor program, which enabled U.S. organizations to transfer data from the EU to the United States based on their declared compliance with the EU’s privacy principles. In 2000, the European Commission found the Safe Harbor program provided adequate protection.
So what happened? In early October, the European Court of Justice responded to a lawsuit by Maximillian Schrems, an Austrian law student, who filed a complaint with the Irish Data Protection Commissioner challenging the transfer of his personal data from Facebook Ireland to Facebook, Inc. in the United States. “Citing revelations by Edward Snowden, Mr. Schrems alleged that the United States did not ensure adequate protection of personal data against surveillance by public authorities,” explains Paul Hastings. The Court agreed and found that the U.S. was no longer in compliance with those principles, and invalidated the Safe Harbor program. (Later in the month, Israel also jumped on the bandwagon.)
Needless to say, the entire legal and technology industry had kittens. Law enforcement, for example, could no longer count on getting information about possible criminals from Europe. And almost two dozen technology companies, including Google and Microsoft, wrote a letter to Congress about it. “Without the adequacy finding, many of the 4,400 companies that relied solely upon the Safe Harbor agreement to transfer data from the EU to the United States face tremendous uncertainty regarding what bases exist to justify transatlantic flows of data,” they wrote.
Safe harbor “allowed big companies like Facebook and Google, for example, to carry out a self-certification process, promising to protect EU data stored on U.S. soil,” writes Arjun Kharpal for CNBC. “The agreement is key for thousands of companies operating in the EU.”
The data in question could be as minor – or as major, depending on how you look at it – as people’s web search histories and social media updates, writes Mark Scott in the New York Times. “At issue is the sort of personal data that people create when they post something on Facebook or other social media; when they do web searches on Google; or when they order products or buy movies from Amazon or Apple,” Scott writes. “Such data is hugely valuable to companies, which use it in a broad range of ways, including tailoring advertisements to individuals and promoting products or services based on users’ online activities. The data-transfer ruling does not apply solely to tech companies. It also affects any organization with international operations, such as when a company has employees in more than one region and needs to transfer payroll information or allow workers to manage their employee benefits online.”
There are other data transfer alternatives, Kharpal notes. “Two such processes are Binding Corporate Rules and Model Contract Clauses,” he writes. “These are essentially contracts allowing companies to transfer data out of the EU by going through different approval processes involving the European Commission and data protection authorities in the member states.” Larger companies typically have access to these alternative methods to transfer data from Europe to the U.S.; it’s the smaller companies that are particularly left out in the cold by the decision, he writes. And companies that are big enough to have their own servers in Europe to store data about Europeans are also okay, writes Kurt Wagner in Re/code.
European authorities have given the U.S. until the end of January to fix the problem. So the U.S. Congress is scrambling (though some believe its solution is still inadequate) through the Judicial Redress Act. It “gives the citizens of some of the U.S.’s allies access to records about them that have been collected by the U.S. government, as well as the ability to amend those records and, importantly, civil redress (the right to file a civil suit) when such records are unlawfully disclosed,” writes John Eggerton in Broadcasting & Cable. (There are exceptions for reasons such as national security, adds Brendan Sasso of the National Journal.)
The House passed the bill on October 20; the Senate still needs to pass it.
The U.S. can also try to argue with the ruling, writes Karen Kornbluh for the Council on Foreign Relations (though it cannot be appealed). “Experts within and outside the U.S. government have argued that the ECJ based its ruling on erroneous factual assumptions regarding the nature and oversight of U.S. surveillance,” she writes. “Moreover, they note that the United States provides adequate privacy protections, especially in comparison to European countries many of which have no independent data protection oversight of law enforcement and intelligence surveillance. The ECJ also based its decision on a 2013 European Commission report on U.S. surveillance, parts of which are outdated given U.S. surveillance reforms spurred by President Obama’s 2014 executive order. Robert Litt, general counsel for the Office of the Director of National Intelligence, wrote an opinion piece for the Financial Times before the ruling to argue that the surveillance program at issue in the ECJ’s decision ‘does not give the U.S. ‘unrestricted access’ to data.’”
But this is unlikely to go far, writes Timothy Edgar in Lawfare. “So, perhaps all the US has to do is convince enough people that Bob Litt is right about PRISM, the European Commission is wrong, and the Europeans will say it was all a big misunderstanding?” he writes. “Not likely.”
Back in the day, kings used to forestall a potential war from another country by marriage. Thus merged, the theory went, the countries would henceforth work together instead of competing.
In the computer industry, that’s not really an option. This is why we’re seeing alliances like the merger of hard disk powerhouse Western Digital with solid state size queen SanDisk, announced last week after having been rumored earlier this month.
Western Digital, which has to have been getting itchy because it hasn’t bought anybody major in a while, was also facing a problem in that it had pretty much bought everyone who’d hold still for it in the hard disk space this decade. (They weren’t alone. Seagate bought Samsung storage, and Toshiba bought Fujitsu storage.)
True, Western Digital could always have bought Seagate itself, or vice versa, but eventually the Federal Trade Commission would start finding all these computer storage mergers to be monopolistic. As it is, when Western Digital bought Hitachi GST in March, 2012, it had to sell off some pieces first. For example, it sold to Toshiba assets that Hitachi GST used to make and sell desktop hard- disk drives. In addition, the European Commission required Western Digital to sell one of Hitachi’s 3.5-inch manufacturing plants and associated intellectual property for making these drives. In return, Western Digital received a Toshiba plant that had been damaged in last year’s Thai floods.
And why haven’t either Western Digital or Seagate bought Toshiba, anyway? “When Western Digital’s leadership gets comfortable with this new partnership, I wouldn’t be surprised to see it develop into yet another hard-drive buyout,” agrees The Fool’s Anders Bylund. “If Western Digital doesn’t own Toshiba’s hard drive operations by 2018, I’ll be shocked.”
In fact, this deal hinges on whether Toshiba approves, writes Reuters. “Any deal with SanDisk will require a sign off from Toshiba . SanDisk uses Toshiba’s foundries to make its chips and the two have an important intellectual property-sharing joint venture,” writes Reuters. “Analysts have said Toshiba is more likely to accept Western Digital as a buyer for SanDisk than Micron, a rival memory chip maker.”
In any event, Sandisk, while not as profligate a shopper as Western Digital, had had its own share of acquisitions over the years, such as Fusion-io and SMART Storage Systems. It was generally considered to be third in the NAND flash memory market after Samsung and Toshiba. It was also just ahead of Micron, which had also been suggested as a potential Sandisk acquirer.
According to Leo Sun at The Motley Fool, Western Digital was the leader of the hard disk drive market, holding 43 percent market share. Assuming the acquisition completes, it will then control 14 percent of the SSD market, including Sandisk’s 11 percent, ranking it second after Samsung.
That said, Sun is wondering whether Western Digital is paying too much. The $19 billion total calls for an $86.50 purchase price — $85.10 in cash and the rest in stock. But if a planned 15 percent investment in WD by Tsinghua Unigroup subsidiary Unisplendour doesn’t go through, the cash portion of the deal will drop to $67.50 per share. “WD’s offer of $86.50 per share values SanDisk at nearly 35 times trailing earnings, compared to the industry average P/E of 15 for the data storage industry.”
On the other hand, for several reasons, buying Sandisk now was cheaper and more manageable than waiting, Sun writes. For that matter, there’s a potential class action lawsuit brewing because Western Digital isn’t paying enough with its 15 percent premium. Plus, sales on both the Western Digital and Sandisk side are slowing. “A slowing business buying another slowing business at a hefty price tag doesn’t sound all that appealing to Western Digital shareholders,” writes The Fool’s Evan Niu.
Incidentally, Unisplendour’s parent company also proposed investing in Micron a while back. (Honestly, keeping track of all this is like Game of Thrones.) After some unease about the plan due to a Chinese company investing in an American chipmaker, perhaps that’s why Unisplendour is taking this circuitous route toward investing in a different American chipmaker.
Anyway, if approved and all the various contingencies fall into place, the deal is expected to close in the third quarter of 2016. A whole fistful of financial and legal companies are involved, because of the complexities and how much debt will be involved.
There must be some sort of Murphy’s Law that when a database reaches a certain size, law enforcement is going to want to get their hands on it.
We’ve seen this recently with 23andme, a database of information compiled through voluntarily offered genetic material (spit, actually), which recently hit a million users.
If you don’t remember 23andme, they made headlines in 2007 by offering people the chance to test their genetics for susceptibility for a number of various diseases, as well as look at their ancestry. People who couldn’t resist the opportunity to find out just what percentage of Neanderthal they had were soon coughing up $99 for the chance to spit at these people and, in the process, find out what weaknesses their flesh might be heir to.
This, however, caught the attention of the U.S. Food and Drug Administration, which declared in 2013 that the company was offering tests that the FDA hadn’t approved, and the company pulled the test kits off the market.
The kits were still available for ancestral testing, though, and people continued to submit their genetic material, albeit more slowly. While the company had 500,000 subscribers by 2013, it took until this year to hit a million, according to the New York Times.
That’s when the cops started getting interested.
It’s not unusual for police officers to obtain DNA evidence at crime scenes. And here was a database of a million people’s DNA. Did the police really think that criminals were coincidentally also having their ancestries tested? No, but certain components of DNA are passed down through the father and mother. It could happen that a relative of a criminal would be tested and in the database, which would help narrow down the search.
“People who submitted genetic samples for reasons of health, curiosity, or to advance science could now end up in a genetic line-up of criminal suspects,” writes Kashmir Hill in Fusion. “If you’re a cop trying to solve a crime, and you have DNA at your disposal, you’re going to want to use it to further your investigation. But the fact that your signing up for 23andMe or Ancestry.com means that you and all of your current and future family members could become genetic criminal suspects is not something most users probably have in mind when trying to find out where their ancestors came from.”
Hill has been on the forefront of this issue; as long ago as 2010, she was warning in Forbes about the possibility. “How far should law enforcement be allowed to go?” she wrote then. “Should prosecutors be allowed to subpoena a company’s DNA database of thousands of people if they suspect it contains a match to a crime suspect?”
The problem is, such genetic testing isn’t foolproof; among other things, someone could be adopted, illegitimate, or cuckolded, and never know it. That may be what happened in one case earlier this year, when police officials used a similar database, operated by Ancestry.com, to compare it with DNA material from a crime scene. (Ancestry.com has since taken the database down, Hill writes.) Police then looked up all the relatives of the person in the database who matched, found a likely prospect, and got him to submit a DNA sample – which ended up exonerating the person, but still.
Meanwhile, 23andme and Ancestry.com come right out and says they’ll cooperate with law enforcement when served with a warrant. And they don’t really have any choice. Since they’re not doctors, Health Insurance Portability and Accountability Act (HIPAA) and other laws that could protect people don’t play into it.
This concerns a number of civil liberties organizations, such as the Electronic Frontier Foundation. “if the cops can access private databases—especially private databases like Ancestry.com and 23 and Me that collect matrilineal and patrilineal markers—everyone’s risk increases,” the organization writes. “People should be able to learn about their ancestors and relatives and about possible risks for genetic diseases without fear that their data will be shared with the cops without their consent.”
“Civil liberties groups have called for laws that would prohibit the use of private genetic databases for law enforcement purposes, but until one comes into existence, the only thing standing between police and the spit you send to a private DNA company is the company’s lawyers,” Hill writes.
What 23andme is doing, like companies such as Facebook and Google, is hiring a privacy officer and publishing a quarterly government transparency report that tracks how many such requests it gets. It just published its first report, which notes that it’s had five requests. It will be interesting to see how it trends; similar reports from other vendors have shown sharp increases over time.
Interestingly, just a week after news got out about police requesting the data, the FDA decided to give 23andme permission to once again offer the genetic tests, meaning it will be able to collect even more data. (Not to mention, that knocked all the stories about police access to the database off the front page as well.) Is it getting too much into black helicopter territory to wonder whether law enforcement agencies asked the FDA to lay off of 23andme so that it could help them do their jobs?
After years of on-again, off-again retirement plans, the 68-year-old chairman and CEO of the Hopkinton, Mass., storage company is on his way with a $27 million golden parachute, according to David Goldman in CNN Money.
“Tucci’s severance package includes $7 million in cash, equal to triple his annual salary and bonus,” Goldman writes. “The other $20 million comes in the form of EMC stock that Tucci had been awarded, according to executive compensation research firm Equilar. Had he not sold EMC to Dell, he otherwise would have needed to remain at the company to receive that stock.” In addition, EMC will pay Tucci for his unused vacation time, plus his life, disability, accident and health insurance benefits for himself and his dependents for three years, he adds.
This is all courtesy of what is said to be among the largest tech acquisitions of all time, the $67 billion acquisition of EMC by Dell. Yes, even bigger than HP and Autonomy. It remains to be seen whether the Dell-EMC acquisition will prove to be more successful. (It could hardly be worse.)
Incidentally, HP’s Meg Whitman, herself presiding over the conscious uncoupling of HP, criticized the Dell-EMC deal. “Of course, Whitman is hardly an impartial witness to the mega tech deal,” writes Matt Egan in CNN Money. “The new Dell is going to fiercely compete for business customers with HP Enterprise, which is splitting itself from HP on November 1. HP Enterprise, led by Whitman, will be focused on selling hardware like servers and also cloud technology, big money makers for Dell and EMC.”
People have been talking about Dell and EMC for more than a year, and the consensus then was that there was too much disparity in size and too much overlap in their product lines, so it’s going to be entertaining (if you’re not an EMC or Dell customer, that is) to see how that works out.
There are, of course, a few other loose ends to the acquisition.
- What of all the various other heirs to the EMC throne who have been suggested as Tucci’s successor somewhere along the line? They include David Goulden; CEO of EMC’s information infrastructure unit; Patrick Gelsinger; CEO of VMware; and Paul Maritz, who retired from EMC satellite Pivotal Software earlier this year. Four of them – CNN Money didn’t say who – are also in line for tens of millions in golden parachutes. Dell founder Michael Dell now has the role, meaning Tucci never had to choose.
- What about VMware? EMC owns about 80 percent of it, and yet, VMware also provided about three-quarters of EMC’s value. Divesting VMware is what some people wanted EMC to do all along, but as recently as last month, VMware’s value was such that some people speculated that VMware would buy EMC. VMware stockholders are also nervous.
- What about all the other dribs and drabs of EMC that Dell might not want? Most notably, there’s the content management software Documentum, which has languished under EMC’s benign neglect. Pay attention to whether Documentum is sold to a competitor, which would likely kill it, or sold privately, writes industry watcher Laurence Hart.
The other interesting aspect of this – and it’s hard to know whether Tucci did it on purpose or it was an unintended consequence – is that EMC, which was put into this position by virtue of being a public company that was hijacked by activist investor Elliott Management Corp, will never again have to go through this, because as part of Dell, it’s now a private company. (Well, sort of. Mostly.)
“Anyone who has talked to [Michael] Dell in recent years has witnessed the huge smile on his face when he discusses the joys of being private,” concurs Alan Murray in Fortune. “In his view, this transformation couldn’t have happened in the public markets.”
That said, even Dell is owned by a conglomerate including Silver Lake, which reportedly was shopping around Dell’s PC business just last week. We may yet see bits and pieces of EMC up on the auction block.
Here we go again. Is an encryption key more like a physical key or the combination to a safe?
Courts have been deciding back and forth on the issue for several years now and, most recently, have decided that a phone password is more like the combination to a safe.
It matters because something that is the expression of one’s mind, like the combination to a safe, is protected under your Fifth Amendment rights not to incriminate yourself. A physical key, something you possess, is something you can be forced to produce.
This all came up when the Securities and Exchange Commission (SEC) began investigating Bonan and Nan Huang (who are not related to each other) for insider trading, writes Orin Kerr in the Washington Post.
“The two worked at the credit card company Capital One as data analysts,” Kerr writes. “According to the complaint, the two allegedly used their jobs as data analysts to figure out sales trends at major U.S. companies and to trade stocks in those companies ahead of announced company earnings. According to the SEC, they turned a $150,000 investment into $2.8 million.
“Capital One let its employees use company-owned smartphones for work. Every employee picked his own passcode, and for security reasons did not share the passcode with Capital One. When Capital One fired the defendants, the defendants returned their phones. Later, as part of the investigation, Capital One turned over the phones to the SEC. The SEC now wants to access the phones because it believes evidence of insider trading is stored inside them.”
But the SEC has been thwarted by Judge Mark Kearney, which ruled that the passwords were indeed protected by the Fifth Amendment. Exactly why is a very long how-many-angels-dance-on-the-head-of-a-pin discussion that lawyers love to have. But it boils down to whether the SEC actually wants the password itself, or access to the documents. And since it wants access to the documents, the proper way to approach it is to have the defendants enter the password, providing access to the documents but without revealing the password, Kearney writes.
And for people debating between company-provided cellphones and BYOD, that angle is involved, too: Is a password to a company-provided cell phone considered a corporate record? If it were, then the Fifth Amendment wouldn’t apply, but Kearney doesn’t believe it is.
Indeed, because Capital One specifically told the analysts to keep their passwords secret and not write them down, that made them products of the mind and not corporate records, Kearney writes.
As with other cases of this ilk, it’s likely that, eventually, the Supreme Court is going to need to rule on the issue.
To add an additional wrinkle, recall that a suspect can be forced to give up a fingerprint, if that’s being used to secure the phone. That’s because a fingerprint is something you have, similar to the way that you can be compelled to give up a blood sample to test for alcohol. (Consequently, what you’d want in an ideal is to protect a phone both through encryption and a fingerprint, but not all phones can do that.)
So all that business about not writing down your password? Turns out it was more right than you knew.
Those of us of a certain age have fond memories of hunching by the radio with a mike and our portable cassette recorder, waiting for them to play our favorite song and please-God-don’t-let-the-DJ-talk-over-the-intro-this-time.
Guess what: The cassette is coming back.
In the same way that some retro purists have brought back vinyl, some artists such as Arcade Fire and Transviolet are actually still issuing music on cassette tape. In 1983, cassettes began outselling records, until 1991, when the CD became the most popular medium, writes Zach Sokol in Motherboard.
As it turns out, there’s at least one factory – National Audio Co., in Springfield, Mo. — that still manufactures cassette tapes, and it says business is better than ever: Last year is the best year it’s had since it opened in 1969, writes Jeniece Pettitt in Bloomberg. “The profitable company produced more than 10 million tapes in 2014 and sales are up 20 percent this year,” she writes.
Why, it’s hard to say. In the case of vinyl, there is an argument to be made that it sounds “better,” though any quality improvement might be wasted on a generation that grew up listening to MP3s. And like vinyl, there are those who claim the analog sound of tape is preferable to digital recordings. Also, in a day and age where so much of our content is digital, some people really like having something tangible, Pettitt writes.
“Certain kinds of music sound good on cassette,” wrote Nick Sylvester in Pitchfork on the eve of Cassette Store Day in 2013. “The public perception is that tape is ‘warm’ and ’fat,’ but not all tape is equal, and recording to 2-inch tape on an old Studer is very different from playing a cassette in a car stereo. In the cassette heyday, people weren’t exactly seeking out cassette releases for their sonic character. Mastering engineers did everything they possibly could to ‘beat’ the cassette, to make the music sound pretty damn close to the original recording despite the ways tape stock can roll off the highs, stuff the low-mids, and hiss above 1khz.”
“Nostalgia’s a potent drug, and the music industry has changed abruptly enough that even twenty-somethings like me feel wistful for the lost ‘90s,” Zach Schoenfeld wrote in Newsweek during the first Cassette Store Day. “Though I’m not yet 30, I can recall my very first cassette (Red Hot Chili Peppers’ much-maligned One Hot Minute) far more easily than I can name my first CD or MP3 or Spotify stream.”
As we’ve mentioned, part of the problem with recording data on old media is finding a way to read it later, and indeed that is a problem for some people who didn’t save their Walkmans. (Walkmen?) And there’s the occasional story about Kids These Days who mistake the cassette player in an older car for an iPhone dock, to hilarious results.
Count your blessings, though: So far, nobody’s talking about bringing back the 8-track.