The British government is pushing for a law that would require Internet service providers to keep for a year a list of all the websites that their users visit – an action that has already been ruled a violation of privacy by the European Court of Justice. And this new law was in response to the last set of Paris terrorist attacks, let alone the most recent ones.
The Investigatory Powers Bill would order communications companies, such as broadband firms, to hold basic details of the services that someone has accessed online, explains the BBC. “This duty would include forcing firms to hold a schedule of which websites someone visits and the apps they connect to through computers, smartphones, tablets and other devices,” the BBC writes. “Police and other agencies would be then able to access these records in pursuit of criminals — but also seek to retrieve data in a wider range of inquiries, such as missing people.”
While the government already has some of these powers, it doesn’t have historical information about the websites people visit, reports the BBC.
“This isn’t a license for the police to simply prowl over everything you have been doing, but I quite accept that a lot of data is being kept by these service providers and under the government’s proposals it would be kept for a very long time,” David Anderson, described as the “government’s terror watchdog,” told the BBC.
Predictably, some members of the UK government are using the most recent Paris attacks to justify accelerating adoption of the Investigatory Powers Bill. “Lord Carlile says Theresa May’s Snooper’s Charter should be rushed through Parliament within the next month, to prevent terrorist attacks in the UK,” writes Mikey Smith for the Mirror. “Speaking in the wake of the Paris terror attacks, the Lib Dem peer warned: ‘It could have been London.’”
What might end up stopping the whole plan is less a matter of privacy or personal liberty and more a matter of money. Though the cost of performing universal surveillance has gotten a lot more affordable lately, thanks to cheaper storage, tracking all these websites still adds up, reports the BBC. The British government had allocated 175 million pounds – about $267 million – but that might not be enough, the BBC writes.
Part of the cost, of course, is protecting all that data. It could end up being a treasure trove for hackers, after all, because it could provide all sorts of juicy blackmail material such as which porn sites people visit. “Making sure there’s no way the hackers can get in is a challenge for any company, and that is hard work,” Adrian Kennard, director of Andrews & Arnold, a Bracknell-based internet provider, told the BBC. “This is sensitive personal information, even if you are just holding the websites people went to and not the specific pages. That makes it a very valuable target for criminals to go after — they may even try to infiltrate employees into companies to try to access it.”
Ironically, this is all happening despite findings that such broad-based surveillance actually doesn’t do much to help prevent terrorist attacks. “Court documents lodged in the US and UK, as well as interviews with involved parties, suggest that data-mining through Prism and other NSA programmes played a relatively minor role in the interception of the two plots” that governments claimed were prevented, write Ed Pilkington and Nicholas Watt for the Guardian. “Conventional surveillance techniques, in both cases including old-fashioned tip-offs from intelligence services in Britain, appear to have initiated the investigations.”
That said, other law enforcement organizations such as the FBI are also using the Paris attacks to justify their long-held position that governments should mandate a “back door” into encryption, even though there’s no evidence the attackers used encryption — and, in fact, quite a lot of evidence that they didn’t.
Companies that collect data – and organizations that like to help people concerned about the data the companies are collecting – are on opposing sides of a case that the Supreme Court is hearing.
Like the recent decision on whether you had to give up your phone password, this is one of those incredibly arcane legal things that has very little to do with the actual case, but could have major ramifications for the computer industry either way it’s decided.
The actual case revolves around the data aggregation site Spokeo. This site has been around for a while. It uses publicly available data to collect information about a person, some of which it provides for free and some of which you pay for. Because of how it collects and aggregates the data, it can sometimes be laughably inaccurate.
“It listed me as married to someone ten years older than his actual age whom I divorced in 2002, that my house was worth $1 million (let me tell you, my *town* is hardly worth that much), that I played hockey and football, and that my 60+ year-old house was built in 2003,” I wrote in 2010 when this site first started making the rounds. It’s not much more accurate today; it lists my former husband as taking my name and has his age wrong, it lists an email address I never used and a phone number I haven’t used in two years, and has me living in two houses a thousand miles apart at the same time (one of them is off by almost twenty years).
That said, it still has a list of all the places I’ve lived since college with significant information about them, and enough contact information that if someone wanted to be a pest, they could do so, especially if they were willing to pay to get additional information about me. Could someone have gotten this information on their own? Sure, but it would have been harder and more time-consuming. (Interestingly, some of the briefs in this case encourage the Justices to look themselves up.)
Anyway, there’s this guy, Thomas Robins, who didn’t find the inaccuracies laughable. In fact, he said they had caused him harm. Did they say he was an embezzler or a child molester? No, they said he had a graduate degree and was married with children. He was concerned that this inaccurate information would make it harder for him to find a job, though he didn’t have any evidence that had happened or that anyone had even looked at his file in the first place. And so he was suing Spokeo, not because their collection of data was creepy and an invasion of his privacy, but because it was inaccurate. Now the case has made its way to the Supreme Court, which heard oral arguments on it this month.
And so that’s what the legal decision hinges on. It’s not about Spokeo’s collection of the data. It’s not about whether Robins was damaged by the inaccurate data. (Indeed, a number of the arguments on either side make it clear that they aren’t commenting on the merits of his case, which implies they think it’s a crock.)
Instead, it’s all about whether Robins has “standing” to file a case, because he can’t point to any specific damages that were done – simply the fact that he believes that Spokeo is violating the Fair Credit Reporting Act by having this inaccurate information about him in its database.
How many millions does he stand to get if he wins? None. At most, if the court decides he has standing, and if he wins, he gets $1,000. So why is he going to all this effort to file the case? And why are companies like Google, Facebook, eBay, and Yahoo! lining up to fight him on it? (To give some indication of the significance of this case, there are 17 friend-of-the-court briefs on it. That’s a lot.)
Because if it’s decided Robins has standing, even though he doesn’t have any specific damages he can prove, anybody can file a case any time they find a company making some sort of mistake or violating some aspect of a federal law, even if it didn’t hurt them – such as failing to follow the law by including an 800 number in its listing. “Plaintiffs can seek damages for unwanted phone calls or text messages, [Spokeo’s attorneys] noted, as well as improper disclosure of videos, mislabeled food, a failure to provide full notices involving loans or debts and retaining or disclosing personal information from credit cards and other electronic transactions,” writes David Savage in the Los Angeles Times.
Moreover, they can do it as a class action. Let’s say they discovered Facebook was making some sort of error in its data collection that applied to every member of Facebook. So that $1,000 per person suddenly becomes $1.23 trillion, plus the cost of fighting the case. And Facebook, Google and Yahoo have already all faced similar lawsuits over violations of different federal laws, writes Lawrence Hurley for Reuters.
“This closely-watched case has major potential implications for consumer-facing companies of all types, as it may result either in a ‘green light’ for no-damage class actions based on technical liability theories, or could result in a requirement that plaintiffs plead and prove some concrete harm, which would create a major new roadblock for consumer claims, particularly class actions,” summarizes the Consumer Financial Services Law Monitor. The case could also limit Congress’ ability to pass laws in the future to help protect people from inaccurate information.
Of course, who really stands to make money with this kind of case? The lawyers. Chances are you’ve gotten one of these class-action notifications before – pages and pages of tiny print telling you that if you jump through a whole lot of hoops, eventually you’ll get $5.34, while the legal firms that fought the case collect millions. People arguing against this case say that a finding in favor of Robins will result in many, many more class-action lawsuits.
On the other hand, it’s important to retain the right to have class-action lawsuits in the first place, because that’s how change gets made and wrongs get righted. And people arguing in favor of this case point out that there are other times when people have been allowed to sue without having to prove specific damages in their case, such as housing discrimination cases. “If Spokeo wins the broad holding its lawyers at Mayer Brown are advocating, class actions under all sorts of consumer and civil rights statutes, including the Telephone Consumer Protection Act, the Wiretap Act, and the Americans with Disabilities Act, will be endangered,” writes Alison Frankel for Reuters. On the other hand, requiring plaintiffs to show that they’ve suffered “real-world harm” could make it harder to fight patent trolls, she adds.
So organizations such as the Center for Democracy and Technology and the Electronic Frontier Foundation are also stepping in, because they want to ensure that people have the right to protect themselves from inaccurate data collection. “A host of privacy laws, including the Stored Communications Act, the Video Privacy Protection Act, and the Cable Communications Policy Act, create a private right of action similar to FCRA, and could be limited by a broad ruling in this case,” writes G.S. Hans of the CDT. “As with FCRA, each of these laws remains vital to protecting individual privacy today, given how much data exists about us online and the potential for privacy violations involving that data.”
What might be the most Solomonic ruling, these organizations and analysts say, is for the Court to rule that Robins does or doesn’t have standing, but to limit it to this case in particular rather than establishing a broad legal precedent. “A broad ruling that an alleged statutory violation alone is insufficient injury in fact to establish Article III standing would impinge on congressional authority and invalidate private actions in a wide range of federal statutes,” the CDT and EFF write. “The question before the Court asks whether Congress can confer Article III standing by authorizing a private right of action based on a ‘bare violation’ of any federal statute. As framed, the question presented has implications far beyond Mr. Robins’ particular case and the FCRA itself. The Court’s ruling could affect the ability of individuals to file claims under private rights of action authorized by a vast number of other federal statutes, as well.”
The Court is expected to rule by June.
The Edward Snowden revelations happened more than two-and-a-half years ago, but repercussions are still happening.
Here’s the background, according to the firm Paul Hastings. The European Union passed a law that went into effect in October, 1998, that prohibited transfers of personal data to third countries that do not ensure an “adequate level of protection.” The Clinton Administration then negotiated the U.S.-EU Safe Harbor program, which enabled U.S. organizations to transfer data from the EU to the United States based on their declared compliance with the EU’s privacy principles. In 2000, the European Commission found the Safe Harbor program provided adequate protection.
So what happened? In early October, the European Court of Justice responded to a lawsuit by Maximilian Schrems, an Austrian law student, who filed a complaint with the Irish Data Protection Commissioner challenging the transfer of his personal data from Facebook Ireland to Facebook, Inc. in the United States. “Citing revelations by Edward Snowden, Mr. Schrems alleged that the United States did not ensure adequate protection of personal data against surveillance by public authorities,” explains Paul Hastings. The Court agreed and found that the U.S. was no longer in compliance with those principles, and invalidated the Safe Harbor program. (Later in the month, Israel also jumped on the bandwagon.)
Needless to say, the entire legal and technology industry had kittens. Law enforcement, for example, could no longer count on getting information about possible criminals from Europe. And almost two dozen technology companies, including Google and Microsoft, wrote a letter to Congress about it. “Without the adequacy finding, many of the 4,400 companies that relied solely upon the Safe Harbor agreement to transfer data from the EU to the United States face tremendous uncertainty regarding what bases exist to justify transatlantic flows of data,” they wrote.
Safe harbor “allowed big companies like Facebook and Google, for example, to carry out a self-certification process, promising to protect EU data stored on U.S. soil,” writes Arjun Kharpal for CNBC. “The agreement is key for thousands of companies operating in the EU.”
The data in question could be as minor – or as major, depending on how you look at it – as people’s web search histories and social media updates, writes Mark Scott in the New York Times. “At issue is the sort of personal data that people create when they post something on Facebook or other social media; when they do web searches on Google; or when they order products or buy movies from Amazon or Apple,” Scott writes. “Such data is hugely valuable to companies, which use it in a broad range of ways, including tailoring advertisements to individuals and promoting products or services based on users’ online activities. The data-transfer ruling does not apply solely to tech companies. It also affects any organization with international operations, such as when a company has employees in more than one region and needs to transfer payroll information or allow workers to manage their employee benefits online.”
There are other data transfer alternatives, Kharpal notes. “Two such processes are Binding Corporate Rules and Model Contract Clauses,” he writes. “These are essentially contracts allowing companies to transfer data out of the EU by going through different approval processes involving the European Commission and data protection authorities in the member states.” Larger companies typically have access to these alternative methods to transfer data from Europe to the U.S.; it’s the smaller companies that are particularly left out in the cold by the decision, he writes. And companies that are big enough to have their own servers in Europe to store data about Europeans are also okay, writes Kurt Wagner in Re/code.
European authorities have given the U.S. until the end of January to fix the problem. So the U.S. Congress is scrambling (though some believe its solution is still inadequate) through the Judicial Redress Act. It “gives the citizens of some of the U.S.’s allies access to records about them that have been collected by the U.S. government, as well as the ability to amend those records and, importantly, civil redress (the right to file a civil suit) when such records are unlawfully disclosed,” writes John Eggerton in Broadcasting & Cable. (There are exceptions for reasons such as national security, adds Brendan Sasso of the National Journal.)
The House passed the bill on October 20; the Senate still needs to pass it.
The U.S. can also try to argue with the ruling, writes Karen Kornbluh for the Council on Foreign Relations (though it cannot be appealed). “Experts within and outside the U.S. government have argued that the ECJ based its ruling on erroneous factual assumptions regarding the nature and oversight of U.S. surveillance,” she writes. “Moreover, they note that the United States provides adequate privacy protections, especially in comparison to European countries many of which have no independent data protection oversight of law enforcement and intelligence surveillance. The ECJ also based its decision on a 2013 European Commission report on U.S. surveillance, parts of which are outdated given U.S. surveillance reforms spurred by President Obama’s 2014 executive order. Robert Litt, general counsel for the Office of the Director of National Intelligence, wrote an opinion piece for the Financial Times before the ruling to argue that the surveillance program at issue in the ECJ’s decision ‘does not give the U.S. ‘unrestricted access’ to data.’”
But this is unlikely to go far, writes Timothy Edgar in Lawfare. “So, perhaps all the US has to do is convince enough people that Bob Litt is right about PRISM, the European Commission is wrong, and the Europeans will say it was all a big misunderstanding?” he writes. “Not likely.”
Back in the day, kings used to forestall a potential war from another country by marriage. Thus merged, the theory went, the countries would henceforth work together instead of competing.
In the computer industry, that’s not really an option. This is why we’re seeing alliances like the merger of hard disk powerhouse Western Digital with solid state size queen SanDisk, announced last week after having been rumored earlier this month.
Western Digital, which has to have been getting itchy because it hasn’t bought anybody major in a while, was also facing a problem in that it had pretty much bought everyone who’d hold still for it in the hard disk space this decade. (They weren’t alone. Seagate bought Samsung storage, and Toshiba bought Fujitsu storage.)
True, Western Digital could always have bought Seagate itself, or vice versa, but eventually the Federal Trade Commission would start finding all these computer storage mergers to be monopolistic. As it is, when Western Digital bought Hitachi GST in March, 2012, it had to sell off some pieces first. For example, it sold to Toshiba assets that Hitachi GST used to make and sell desktop hard-disk drives. In addition, the European Commission required Western Digital to sell one of Hitachi’s 3.5-inch manufacturing plants and associated intellectual property for making these drives. In return, Western Digital received a Toshiba plant that had been damaged in last year’s Thai floods.
And why hasn’t either Western Digital or Seagate bought Toshiba, anyway? “When Western Digital’s leadership gets comfortable with this new partnership, I wouldn’t be surprised to see it develop into yet another hard-drive buyout,” agrees The Fool’s Anders Bylund. “If Western Digital doesn’t own Toshiba’s hard drive operations by 2018, I’ll be shocked.”
In fact, this deal hinges on whether Toshiba approves, writes Reuters. “Any deal with SanDisk will require a sign off from Toshiba. SanDisk uses Toshiba’s foundries to make its chips and the two have an important intellectual property-sharing joint venture,” writes Reuters. “Analysts have said Toshiba is more likely to accept Western Digital as a buyer for SanDisk than Micron, a rival memory chip maker.”
In any event, SanDisk, while not as profligate a shopper as Western Digital, had had its own share of acquisitions over the years, such as Fusion-io and SMART Storage Systems. It was generally considered to be third in the NAND flash memory market after Samsung and Toshiba. It was also just ahead of Micron, which had also been suggested as a potential SanDisk acquirer.
According to Leo Sun at The Motley Fool, Western Digital was the leader of the hard disk drive market, holding 43 percent market share. Assuming the acquisition completes, it will then control 14 percent of the SSD market, including SanDisk’s 11 percent, ranking it second after Samsung.
That said, Sun is wondering whether Western Digital is paying too much. The $19 billion total calls for an $86.50 purchase price — $85.10 in cash and the rest in stock. But if a planned 15 percent investment in WD by Tsinghua Unigroup subsidiary Unisplendour doesn’t go through, the cash portion of the deal will drop to $67.50 per share. “WD’s offer of $86.50 per share values SanDisk at nearly 35 times trailing earnings, compared to the industry average P/E of 15 for the data storage industry.”
On the other hand, for several reasons, buying SanDisk now was cheaper and more manageable than waiting, Sun writes. For that matter, there’s a potential class action lawsuit brewing because Western Digital isn’t paying enough with its 15 percent premium. Plus, sales on both the Western Digital and SanDisk side are slowing. “A slowing business buying another slowing business at a hefty price tag doesn’t sound all that appealing to Western Digital shareholders,” writes The Fool’s Evan Niu.
Incidentally, Unisplendour’s parent company also proposed investing in Micron a while back. (Honestly, keeping track of all this is like Game of Thrones.) There was some unease about that plan because it involved a Chinese company investing in an American chipmaker; perhaps that’s why Unisplendour is taking this circuitous route toward investing in a different American chipmaker.
Anyway, if approved and all the various contingencies fall into place, the deal is expected to close in the third quarter of 2016. A whole fistful of financial and legal companies are involved, because of the complexities and how much debt will be involved.
There must be some sort of Murphy’s Law that when a database reaches a certain size, law enforcement is going to want to get their hands on it.
We’ve seen this recently with 23andme, a database of information compiled through voluntarily offered genetic material (spit, actually), which recently hit a million users.
If you don’t remember 23andme, they made headlines in 2007 by offering people the chance to test their genetics for susceptibility to a number of diseases, as well as look at their ancestry. People who couldn’t resist the opportunity to find out just what percentage of Neanderthal they had were soon coughing up $99 for the chance to spit at these people and, in the process, find out what weaknesses their flesh might be heir to.
This, however, caught the attention of the U.S. Food and Drug Administration, which declared in 2013 that the company was offering tests that the FDA hadn’t approved, and the company pulled the test kits off the market.
The kits were still available for ancestral testing, though, and people continued to submit their genetic material, albeit more slowly. While the company had 500,000 subscribers by 2013, it took until this year to hit a million, according to the New York Times.
That’s when the cops started getting interested.
It’s not unusual for police officers to obtain DNA evidence at crime scenes. And here was a database of a million people’s DNA. Did the police really think that criminals were coincidentally also having their ancestries tested? No, but certain components of DNA are passed down through the father and mother. It could happen that a relative of a criminal would be tested and in the database, which would help narrow down the search.
“People who submitted genetic samples for reasons of health, curiosity, or to advance science could now end up in a genetic line-up of criminal suspects,” writes Kashmir Hill in Fusion. “If you’re a cop trying to solve a crime, and you have DNA at your disposal, you’re going to want to use it to further your investigation. But the fact that your signing up for 23andMe or Ancestry.com means that you and all of your current and future family members could become genetic criminal suspects is not something most users probably have in mind when trying to find out where their ancestors came from.”
Hill has been on the forefront of this issue; as long ago as 2010, she was warning in Forbes about the possibility. “How far should law enforcement be allowed to go?” she wrote then. “Should prosecutors be allowed to subpoena a company’s DNA database of thousands of people if they suspect it contains a match to a crime suspect?”
The problem is, such genetic testing isn’t foolproof; among other things, someone could be adopted, illegitimate, or cuckolded, and never know it. That may be what happened in one case earlier this year, when police officials used a similar database, operated by Ancestry.com, to compare it with DNA material from a crime scene. (Ancestry.com has since taken the database down, Hill writes.) Police then looked up all the relatives of the person in the database who matched, found a likely prospect, and got him to submit a DNA sample – which ended up exonerating the person, but still.
Meanwhile, 23andme and Ancestry.com come right out and say they’ll cooperate with law enforcement when served with a warrant. And they don’t really have any choice. Since they’re not doctors, the Health Insurance Portability and Accountability Act (HIPAA) and other laws that could protect people don’t play into it.
This concerns a number of civil liberties organizations, such as the Electronic Frontier Foundation. “if the cops can access private databases—especially private databases like Ancestry.com and 23 and Me that collect matrilineal and patrilineal markers—everyone’s risk increases,” the organization writes. “People should be able to learn about their ancestors and relatives and about possible risks for genetic diseases without fear that their data will be shared with the cops without their consent.”
“Civil liberties groups have called for laws that would prohibit the use of private genetic databases for law enforcement purposes, but until one comes into existence, the only thing standing between police and the spit you send to a private DNA company is the company’s lawyers,” Hill writes.
What 23andme is doing, like companies such as Facebook and Google, is hiring a privacy officer and publishing a quarterly government transparency report that tracks how many such requests it gets. It just published its first report, which notes that it’s had five requests. It will be interesting to see how it trends; similar reports from other vendors have shown sharp increases over time.
Interestingly, just a week after news got out about police requesting the data, the FDA decided to give 23andme permission to once again offer the genetic tests, meaning it will be able to collect even more data. (Not to mention, that knocked all the stories about police access to the database off the front page as well.) Is it getting too much into black helicopter territory to wonder whether law enforcement agencies asked the FDA to lay off of 23andme so that it could help them do their jobs?
After years of on-again, off-again retirement plans, the 68-year-old chairman and CEO of the Hopkinton, Mass., storage company is on his way with a $27 million golden parachute, according to David Goldman in CNN Money.
“Tucci’s severance package includes $7 million in cash, equal to triple his annual salary and bonus,” Goldman writes. “The other $20 million comes in the form of EMC stock that Tucci had been awarded, according to executive compensation research firm Equilar. Had he not sold EMC to Dell, he otherwise would have needed to remain at the company to receive that stock.” In addition, EMC will pay Tucci for his unused vacation time, plus his life, disability, accident and health insurance benefits for himself and his dependents for three years, he adds.
This is all courtesy of what is said to be among the largest tech acquisitions of all time, the $67 billion acquisition of EMC by Dell. Yes, even bigger than HP and Autonomy. It remains to be seen whether the Dell-EMC acquisition will prove to be more successful. (It could hardly be worse.)
Incidentally, HP’s Meg Whitman, herself presiding over the conscious uncoupling of HP, criticized the Dell-EMC deal. “Of course, Whitman is hardly an impartial witness to the mega tech deal,” writes Matt Egan in CNN Money. “The new Dell is going to fiercely compete for business customers with HP Enterprise, which is splitting itself from HP on November 1. HP Enterprise, led by Whitman, will be focused on selling hardware like servers and also cloud technology, big money makers for Dell and EMC.”
People have been talking about Dell and EMC for more than a year, and the consensus then was that there was too much disparity in size and too much overlap in their product lines, so it’s going to be entertaining (if you’re not an EMC or Dell customer, that is) to see how that works out.
There are, of course, a few other loose ends to the acquisition.
- What of all the various other heirs to the EMC throne who have been suggested as Tucci’s successor somewhere along the line? They include David Goulden, CEO of EMC’s information infrastructure unit; Patrick Gelsinger, CEO of VMware; and Paul Maritz, who retired from EMC satellite Pivotal Software earlier this year. Four of them – CNN Money didn’t say who – are also in line for tens of millions in golden parachutes. Dell founder Michael Dell now has the role, meaning Tucci never had to choose.
- What about VMware? EMC owns about 80 percent of it, and yet, VMware also provided about three-quarters of EMC’s value. Divesting VMware is what some people wanted EMC to do all along, but as recently as last month, VMware’s value was such that some people speculated that VMware would buy EMC. VMware stockholders are also nervous.
- What about all the other dribs and drabs of EMC that Dell might not want? Most notably, there’s the content management software Documentum, which has languished under EMC’s benign neglect. Pay attention to whether Documentum is sold to a competitor, which would likely kill it, or sold privately, writes industry watcher Laurence Hart.
The other interesting aspect of this – and it’s hard to know whether Tucci did it on purpose or it was an unintended consequence – is that EMC, which was put into this position by virtue of being a public company that was hijacked by activist investor Elliott Management Corp, will never again have to go through this, because as part of Dell, it’s now a private company. (Well, sort of. Mostly.)
“Anyone who has talked to [Michael] Dell in recent years has witnessed the huge smile on his face when he discusses the joys of being private,” concurs Alan Murray in Fortune. “In his view, this transformation couldn’t have happened in the public markets.”
That said, even Dell is owned by a conglomerate including Silver Lake, which reportedly was shopping around Dell’s PC business just last week. We may yet see bits and pieces of EMC up on the auction block.
Here we go again. Is an encryption key more like a physical key or the combination to a safe?
Courts have been deciding back and forth on the issue for several years now and, most recently, have decided that a phone password is more like the combination to a safe.
It matters because something that is the expression of one’s mind, like the combination to a safe, is protected under your Fifth Amendment rights not to incriminate yourself. A physical key, something you possess, is something you can be forced to produce.
This all came up when the Securities and Exchange Commission (SEC) began investigating Bonan and Nan Huang (who are not related to each other) for insider trading, writes Orin Kerr in the Washington Post.
“The two worked at the credit card company Capital One as data analysts,” Kerr writes. “According to the complaint, the two allegedly used their jobs as data analysts to figure out sales trends at major U.S. companies and to trade stocks in those companies ahead of announced company earnings. According to the SEC, they turned a $150,000 investment into $2.8 million.
“Capital One let its employees use company-owned smartphones for work. Every employee picked his own passcode, and for security reasons did not share the passcode with Capital One. When Capital One fired the defendants, the defendants returned their phones. Later, as part of the investigation, Capital One turned over the phones to the SEC. The SEC now wants to access the phones because it believes evidence of insider trading is stored inside them.”
But the SEC has been thwarted by Judge Mark Kearney, who ruled that the passwords were indeed protected by the Fifth Amendment. Exactly why is a very long how-many-angels-dance-on-the-head-of-a-pin discussion that lawyers love to have. But it boils down to whether the SEC actually wants the password itself, or access to the documents. And since it wants access to the documents, the proper way to approach it is to have the defendants enter the password, providing access to the documents but without revealing the password, Kearney writes.
And for people debating between company-provided cellphones and BYOD, that angle is involved, too: Is a password to a company-provided cell phone considered a corporate record? If it were, then the Fifth Amendment wouldn’t apply, but Kearney doesn’t believe it is.
Indeed, because Capital One specifically told the analysts to keep their passwords secret and not write them down, that made them products of the mind and not corporate records, Kearney writes.
As with other cases of this ilk, it’s likely that, eventually, the Supreme Court is going to need to rule on the issue.
To add an additional wrinkle, recall that a suspect can be forced to give up a fingerprint, if that’s being used to secure the phone. That’s because a fingerprint is something you have, similar to the way that you can be compelled to give up a blood sample to test for alcohol. (Consequently, what you’d ideally want is to protect a phone both through encryption and a fingerprint, but not all phones can do that.)
So all that business about not writing down your password? Turns out it was more right than you knew.
Those of us of a certain age have fond memories of hunching by the radio with a mike and our portable cassette recorder, waiting for them to play our favorite song and please-God-don’t-let-the-DJ-talk-over-the-intro-this-time.
Guess what: The cassette is coming back.
In the same way that some retro purists have brought back vinyl, some artists such as Arcade Fire and Transviolet are actually still issuing music on cassette tape. In 1983, cassettes began outselling records, until 1991, when the CD became the most popular medium, writes Zach Sokol in Motherboard.
As it turns out, there’s at least one factory – National Audio Co., in Springfield, Mo. – that still manufactures cassette tapes, and it says business is better than ever: Last year was the best year it’s had since it opened in 1969, writes Jeniece Pettitt in Bloomberg. “The profitable company produced more than 10 million tapes in 2014 and sales are up 20 percent this year,” she writes.
Why, it’s hard to say. In the case of vinyl, there is an argument to be made that it sounds “better,” though any quality improvement might be wasted on a generation that grew up listening to MP3s. And like vinyl, there are those who claim the analog sound of tape is preferable to digital recordings. Also, in a day and age where so much of our content is digital, some people really like having something tangible, Pettitt writes.
“Certain kinds of music sound good on cassette,” wrote Nick Sylvester in Pitchfork on the eve of Cassette Store Day in 2013. “The public perception is that tape is ‘warm’ and ‘fat,’ but not all tape is equal, and recording to 2-inch tape on an old Studer is very different from playing a cassette in a car stereo. In the cassette heyday, people weren’t exactly seeking out cassette releases for their sonic character. Mastering engineers did everything they possibly could to ‘beat’ the cassette, to make the music sound pretty damn close to the original recording despite the ways tape stock can roll off the highs, stuff the low-mids, and hiss above 1khz.”
“Nostalgia’s a potent drug, and the music industry has changed abruptly enough that even twenty-somethings like me feel wistful for the lost ’90s,” Zach Schoenfeld wrote in Newsweek during the first Cassette Store Day. “Though I’m not yet 30, I can recall my very first cassette (Red Hot Chili Peppers’ much-maligned One Hot Minute) far more easily than I can name my first CD or MP3 or Spotify stream.”
As we’ve mentioned, part of the problem with recording data on old media is finding a way to read it later, and indeed that is a problem for some people who didn’t save their Walkmans. (Walkmen?) And there’s the occasional story about Kids These Days who mistake the cassette player in an older car for an iPhone dock, to hilarious results.
Count your blessings, though: So far, nobody’s talking about bringing back the 8-track.
We have always been at war with Eastasia.
In an era where people have to resort to smartphones and the Internet just to look up phone numbers, people are warning that the next wave of hacking might not take information, but add or change it instead.
“Most of the public discussion regarding cyber threats has focused on the confidentiality and availability of information; cyber espionage undermines confidentiality, whereas denial of service operations and data deletion attacks undermine availability,” wrote Director of National Intelligence James Clapper, in testimony presented to the House Subcommittee on Intelligence earlier this month. “In the future, however, we might also see more cyber operations that will change or manipulate electronic information in order to compromise its integrity (i.e., accuracy and reliability) instead of deleting it or disrupting access to it. Decision making by senior government officials (civilian and military), corporate executives, investors, or others will be impaired if they cannot trust the information they are receiving.”
In particular, hackers or terrorists could wreak havoc by changing data about infrastructure, postulates Patrick Tucker, technology editor for Defense One. Remember that as far back as Die Hard 2, the bad guys were crashing planes by feeding them incorrect data on their actual altitude.
Clapper isn’t the only one to suggest this. For example, when the Office of Personnel Management revealed earlier this year that it had been hacked, some speculated that more could be involved than simply taking information. “For those of us who wear tinfoil hats – what if records were not only taken, but some were added as well?” writes Steve Ragan in CSO Online. “Would the OPM be able to tell?”
As it turns out, Clapper has actually been saying this for some time; articles quoting him talking about hackers who could “change or manipulate” information have been published since at least February, when he testified to the Senate Armed Services Committee. “[Clapper] described future attacks which will change or manipulate [there’s that phrase again] electronic information in order to compromise its integrity,” Business Korea wrote in March. “In the future, hackers may launch more clandestine cyber espionage programs that manipulate data so victims lose credibility.”
What might it have done, for example, if at some point someone had added data to government records to make it appear that President Obama actually had been born in Kenya?
People have always added fake people to rosters to get additional paychecks and other benefits – remember M*A*S*H’s “Captain Tuttle”? – but doing it through the computer can make it a lot easier. “A doctor pulls up your electronic medical records to discover that they have been changed and you have been receiving the wrong dosage of a lifesaving medicine,” writes Rep. John Ratcliffe (R-Texas), who chairs the Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies, and sits on the Judiciary Committee, in The Hill. “Now imagine this happening at every hospital in the United States.”
Think the whole notion of messing things up by changing information is farfetched? How many “Han shot first” arguments have you seen? And that’s with a film that millions of people have seen – not to mention someone who actually admits that they changed something.
Of course, if you really want to drive yourself crazy, you can remind yourself that this is the age of Edward Snowden. Maybe Clapper is warning us to beware of hackers changing data because he wants us to be suspicious of our data. Maybe he’s going to be changing the data – and is laying the groundwork now to blame it on hackers.
If you need me, I’ll be hiding under the bed.
“Joe, I know how we can make a mint. We just get a database full of personal information for a bunch of really gullible guys with something to hide, and then we can sell it!”
“That’s great, Ron, but how do we get the database of personal information in the first place?”
Which is what gave me the idea for a database that will actually be the most elaborately designed honeypot in history.
Okay, work with me here.
First of all, we find a bunch of guys who admit to strangers that they’re looking to cheat on their wives. They even provide their contact information.
Heck, they’re even willing to pay for the privilege!
Meanwhile, we create a bunch of fake female profiles. And not only do these guys not realize the women are fake, but they have conversations with them! We just send out messages periodically from these fake women so the guys think there’s really women on this database interested in cheating with them.
Who knows. Maybe we can even convince the guys to pay more to talk to these fake women.
Oh, sure, some guys are going to figure it out, or feel guilty, and drop out. But the ones who keep on – we know we’ve got ’em.
And the ones who do drop out, and feel guilty, and want us to delete all their information so their wives never find out? We tell them they have to pay more to delete their information! And most of them pay it!
And then we don’t delete it all!
After all, data is valuable.
Then, when the database gets big enough, we tell them it’s been hacked! And all their information has been stolen! And to make that more plausible, we’ll use a really simple encryption technique that would make it easy for someone to hack it.
(Not that we need to worry much about that. They’ll end up picking really common, easy passwords.)
That’s when we can sell the data. We can market it as “Gullible guys with lots of disposable income who won’t want to go to the police.”
We can even sell the database to blackmailers. Sure, none of these guys actually cheated – but how would they convince their wives of that? Just the fact that they signed up to be in a database of cheaters is damning enough, isn’t it?
And yes, some of the guys might be kind of upset. There might be some collateral damage. We have to be prepared for that.
But think of the money we’d make! Plus, we can do it again! All the publicity will probably cause even more gullible guys to join!
Still. Maybe we don’t want to do it for real. Maybe we should just write a movie script about it.
Naah. Nobody’d believe it.