Over the past couple of weeks a number of important privacy-related legal decisions have hit the IT policy landscape, and I thought I’d take time today to talk about one of them. The other will be a topic next week.
First, the European Court of Justice ruled that Google must stop linking to search results that are ‘inadequate, irrelevant or no longer relevant’ if someone requests it. It all revolves around someone who wanted Google to stop returning a newspaper article from the late nineties about his house being repossessed in the eighties.
Since then Google has received tens of thousands of requests to ‘be forgotten’, and is establishing a system to decide how to respond to those requests. It also has a warning (only on the European versions of its pages) that not all results are being displayed if that item has been ‘censored’.
As one might imagine, this has caused a firestorm. Numerous commentators have argued that this will simply permit politicians and other public figures to hide their shady pasts. Although the official court decision said ‘journalistic work may not be touched’, Google has delinked a number of blog posts on various European online newspapers, and Wikipedia itself has received at least fifty notices from Google that articles have been removed from search results. As a result Jimmy Wales, the founder of Wikipedia, blasted the decision as a violation of the human right to have access to history.
An additional weird, but understandable, twist is that the ruling applies to Google, but only to European Google, so it has no effect on searches conducted from elsewhere in the world. Even more interesting, the publishers of the actual articles do not have to delete them–it’s simply that Google must not report them in a search. So the offending material is still on the web, and other search engines (such as https://duckduckgo.com/, which does not track you and does not note where you are), and computers whose IP addresses are concealed (such as with ‘Incognito Browsing’) will still find the relevant information.
In addition, it is likely that this result will trigger what has come to be known as the Streisand Effect–loudly attempting to hide something leads to it being even more visible. This is certainly the case for the Spanish guy who started the whole story (you can find his name yourself, as well as all the information he was trying to suppress, with very simple search tools).
On Monday I’ll tell you about a different case, where a US judge attacked Europeans’ right to privacy in a totally different way.
Some folks may have heard the claim that the song ‘Happy Birthday’ is copyrighted, and you’re supposed to pay royalties if you ‘perform’ it. Certainly when restaurants used to have their staff gather round customers and sing birthday greetings there was a time when they sang other songs, because some restaurant or other had been sued for copyright violation.
If you don’t believe it, you can check Snopes, the famous myth debunking website and they confirm that this is true.
Interestingly enough, someone is challenging this claim, and the case was written up recently by a web buddy of mine on the Volokh Conspiracy blog, which I read fairly regularly. It’s a classic case of ‘Copyright Trolling’–the people who are claiming the copyright have no relation to the folks who wrote the song (which wasn’t ‘Happy Birthday to You’ in its original lyrics in any case)–the authors fumbled the copyright, someone picked it up, their catalog was bought by someone else, and it was subsequently sold on to yet another party, and so on.
This case will be fun to watch–it’s still ongoing.
Strange twist–the original authors, a pair of schoolteacher sisters named ‘Hill’ were the aunts of a famous linguist of the mid twentieth century named Archibald Hill, who I once met. Apparently he was independently wealthy because the sisters left their estate to him. You never know…
The 2nd Circuit Court released a decision today in a case involving the Hathi Trust, which has been scanning old books and making them available online for search purposes. Some authors’ unions sought to prevent them from doing this on copyright grounds, but Hathi (and many supporters) argued that the open-source non-profit partner with Google Books was entitled under the ‘fair use’ provision of the Copyright Act to scan millions of books (including, particularly, ‘orphan’ books whose copyright was still valid, but whose authors were either long gone or unlocatable) and make the results searchable. Hathi Trust is an invaluable tool for historical, linguistic and literary research because it means that millions of out-of-print books are accessible to the world of research.
This doesn’t mean you can now just read any book in their repository. You can’t. What you can do, however, is search for every instance of a word in the millions of books and get the surrounding context for each use (which is a gold mine for linguists), or find mentions of historical events or people (or political theories or scientific experiments) in millions of books scattered around the country.
The court’s conclusion was that making snippets available through searches, and making entire texts available to the visually impaired, constituted fair use under the ‘transformative use’ prong of the fair use doctrine (you can read all about it on the WSU Library’s Copyright page).
Here are two news items on the court case:
Recently a number of universities (including Wayne State) have been hit by a particularly vicious phishing trick. Faculty with relatively high salaries receive what look like official notifications to ‘verify’ their login details. If they click on the link in the email they are sent to web pages that look very much like the standard university login page (complete with appropriate wordmarks, layout etc.). This kind of phishing is called ‘spearphishing’, because the attacks are not random but carefully targeted: the email message looks like it was directed to the addressee–it has their name in it, and perhaps their chair’s name, or the name of the VP for Administration. However, after they enter their credentials they eventually find that someone else has logged in and changed their direct deposit to a bank in another country, often a pop-up bank (similar to a pop-up restaurant but not nearly as tasty). By the time the deception is discovered (usually when the victim notices that their real account never received the deposit) it’s too late.
All the universities that have had this happen have had to make good on the lost paychecks, and with lots of full professors getting caught that’s a lot of money the universities don’t have to spare. How can you resist getting sucked into these scams?
- Never log in to a Wayne State account by clicking on a link in an email.
- Always go directly to the appropriate website by typing its address into your browser (blackboard.wayne.edu, pipeline.wayne.edu, academica.wayne.edu).
- Make sure that the address that shows in the browser once the page has ‘painted’ begins ‘https://…’
- Change your password immediately if you think you have fallen for one of these scams.
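As an added example (not code from the original post), here is a small Python check that applies the rules above to the links in an email: only an https link whose hostname really is a Wayne State host, or a subdomain of wayne.edu, counts as a place to log in. The three trusted hostnames are the ones named above; every sample link is constructed for illustration, and `evil.example` is a placeholder domain, not a real site.

```python
# Added example, not code from the original post.  Applies the rules above
# to links found in an email: only an https URL whose hostname really is a
# Wayne State host (or a subdomain of wayne.edu) is a place to log in.
# The sample links are constructed; "evil.example" is a placeholder domain.
from urllib.parse import urlparse

TRUSTED_DOMAIN = "wayne.edu"
# Hostnames named in the post.
TRUSTED_HOSTS = {"blackboard.wayne.edu", "pipeline.wayne.edu", "academica.wayne.edu"}


def link_is_safe_to_log_in(url):
    """Return (ok, reason) for a single link.

    The hostname comes from a proper URL parse rather than a substring
    search, so 'wayne.edu' appearing in the path, in the user-info part
    before an '@', or as a prefix of a longer attacker-owned name does not
    count.
    """
    parts = urlparse(url)
    if parts.scheme != "https":
        return False, "link is not https"
    host = parts.hostname or ""          # urlparse lowercases this for us
    if not host:
        return False, "link has no hostname"
    if host in TRUSTED_HOSTS or host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN):
        return True, "hostname is under " + TRUSTED_DOMAIN
    return False, "hostname %r is not under %s" % (host, TRUSTED_DOMAIN)


def triage_links(links):
    """Map each link to its verdict, for a whole email's worth of URLs."""
    return {link: link_is_safe_to_log_in(link) for link in links}


# Constructed sample links, modelled on the lures described in the post.
SAMPLE_LINKS = [
    "https://pipeline.wayne.edu/",                       # genuine
    "http://pipeline.wayne.edu/",                        # genuine host, but not https
    "https://pipeline.wayne.edu.evil.example/verify",    # wayne.edu is only a prefix
    "https://evil.example/pipeline.wayne.edu/login",     # wayne.edu is in the path
    "https://pipeline.wayne.edu@evil.example/",          # wayne.edu is the user-info part
]

if __name__ == "__main__":
    for link, (ok, reason) in triage_links(SAMPLE_LINKS).items():
        print("%-50s %s  (%s)" % (link, "OK" if ok else "DO NOT LOG IN", reason))
```

Run as written it flags four of the five sample links; the point of the last three is that ‘https’ plus the words ‘wayne.edu’ somewhere in the link is not enough, because only the hostname decides which server actually receives the password.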
Here are some other universities that have been caught (so you can see we’re not outliers):
- https://oit.ncsu.edu/news-releases/look-out-for-phishing-email-targeting-your-direct-deposit
- http://www.bu.edu/today/2014/internet-scammers-change-some-bu-direct-deposit-accounts/
- http://uis.georgetown.edu/page/1242745504502.html
- http://www.annarbor.com/news/university-of-michigan-spear-phishing/
Finally, our colleagues at U of M put together an excellent video about phishing which is worth watching (you can just ignore the hype about ‘Big Blue’ )
A couple of months ago I wrote about a future Wayne State email system based in the cloud. At the time we were considering Gmail and Microsoft’s Office 365. Since then we’ve pretty much settled on the Microsoft offering, although no formal decision has yet been made.
An alarming development at the University of Illinois Chicago about a month ago made many question the value of working with Google–an infected machine on the UIC network caused Google to block them from sending any email from UIC. This is something that occasionally happens (every now and then AOL or someone like that blocks Wayne State email for a day or so). What was alarming was that it took Google almost two weeks to unblock UIC’s mail, mostly because they were unable to get hold of anyone at Google. That certainly didn’t help Google’s reputation among universities.
Even more interesting is the fact that Google normally uses their customers’ data to tailor ads. You may have noticed that ads in your Gmail account sometimes reflect something you searched for in Google earlier in the week. This is not a coincidence–Google admits that they do this. When universities contracted with Google to use Gmail, they agreed to Google mining the email to target ads, even if the ads didn’t show up in the university-based email accounts.
Yesterday Google announced that they would no longer mine academic Gmail accounts. Apparently the drumbeat of the privacy advocates got a little too loud for them. I’ll be attending an academic computing privacy conference in DC next week–no doubt that will be one of the topics of conversation.
By now probably everyone has heard about the Heartbleed problem, but just in case you haven’t, here’s a quick summary. One of the programs[1] that websites use to communicate securely with customers, called OpenSSL, turns out to have a vulnerability that would let bad guys snoop on traffic to and from those websites even though the data exchanged between them is supposed to be encrypted (as indicated by the icon of a closed padlock in the address bar, and https in the address itself).
The accidentally unlocked ‘door’ has been around for a while, and so there is a chance that your communications with Gmail, Facebook, Tumblr and others have been snooped on. There is even a chance that your password has been swiped, and, of course, if you use the same password on various sites, any stolen password will work on all those sites.
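To make the ‘accidentally unlocked door’ concrete, here is an added Python re-creation of the bug pattern behind Heartbleed; it is not code from the original post or from OpenSSL. A TLS heartbeat request carries a length field saying how much payload to echo back; the vulnerable code trusted that field and copied that many bytes, so a request that claimed more payload than it actually sent got back whatever happened to sit next to it in the server’s memory. Process memory is simulated with a bytearray, and the ‘secret’ placed next to the request is a constructed sample; nothing here talks to a real TLS stack.

```python
# Added example, not code from the original post or from OpenSSL: a toy
# re-creation of the Heartbleed bug pattern, alongside the bounds check that
# the fix added.  "Memory" is a bytearray; the secret bytes are constructed.
import struct

HEADER_LEN = 1 + 2      # type byte + 16-bit payload length
PADDING_LEN = 16        # heartbeat messages end with at least 16 bytes of padding


def build_heartbeat(payload, claimed_len=None):
    """Heartbeat request body: type(1) | payload_len(2) | payload | padding.

    claimed_len lets the caller lie about the payload size, which is the
    whole trick: a short payload is sent with a large length field.
    """
    if claimed_len is None:
        claimed_len = len(payload)
    return b"\x01" + struct.pack("!H", claimed_len) + payload + b"\x00" * PADDING_LEN


def vulnerable_reply(memory, record_len):
    """Echo back claimed_len bytes, trusting the length field.

    record_len is how many bytes actually arrived; the bug is that it is
    never compared against claimed_len, so the copy runs past the request
    into neighbouring memory.  (Python slicing stops at the end of the
    bytearray; a real C memcpy would keep going.)
    """
    (claimed_len,) = struct.unpack("!H", memory[1:3])
    return bytes(memory[HEADER_LEN:HEADER_LEN + claimed_len])


def fixed_reply(memory, record_len):
    """Same echo, but a request whose claimed length does not fit inside the
    bytes actually received is silently discarded, as the patched code does."""
    (claimed_len,) = struct.unpack("!H", memory[1:3])
    if HEADER_LEN + claimed_len + PADDING_LEN > record_len:
        return None
    return bytes(memory[HEADER_LEN:HEADER_LEN + claimed_len])


def simulate(claimed_len=None):
    """Place a heartbeat request in simulated memory right before some secret
    data and return (vulnerable_reply, fixed_reply) for that request."""
    request = build_heartbeat(b"hello", claimed_len)
    secret = b"session cookie: user=alice; pw=hunter2"   # constructed stand-in for nearby data
    memory = bytearray(request + secret)
    return vulnerable_reply(memory, len(request)), fixed_reply(memory, len(request))


if __name__ == "__main__":
    print("honest request:", simulate())
    print("lying request: ", simulate(claimed_len=40))
```

With an honest request both versions echo `hello`. With a request that claims 40 bytes while sending 5, the vulnerable version returns the payload, its padding, and 19 bytes of the neighbouring ‘secret’, while the fixed version returns nothing. The entire fix is one comparison of the claimed length against the number of bytes actually received, which is the general lesson: a length field supplied by the other end of a connection is untrusted input until it has been checked against reality.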
What can you do? First of all, all your Wayne State data is safe–the WSU systems were not running OpenSSL, so they are all safe. The Wayne VPN is vulnerable, but the VPN itself was protected from external attacks in another way, so there is no risk there. But, of course, you have passwords on many other sites, and for some of those you should probably consider some password ‘maintenance’. Specifically, you should probably change those once a month for a while. I’ve already changed my Gmail and Dropbox passwords, and am working on several others.
The real takeaway from this event is that you should not reuse passwords from site to site. Of course, that’s easier to say than to do–most of us have dozens, if not hundreds, of passwords, so some kind of password management device is becoming more and more necessary. I, myself, use LastPass, which stores my passwords online (of course I use a unique, complex but rememberable password for that). It not only stores all my passwords, it even suggests complex non-memorable passwords. Since it will automatically fill them in for me I don’t need to remember them. If you don’t like having it fill things in automatically you can invoke it (there’s a plug-in for every popular web browser), display the password and copy it into the relevant website as you log in.
Note that I have no connection with LastPass, and there are other worthy competitors such as KeePass and RoboForm. You can read a review of them here
LastPass has an interactive form you can use to see whether your favorite websites have been protected. You can find that here.
If you are interested in the technical details of how Heartbleed works you can watch this video, which lasts about 8 minutes. It’s not horribly abstruse–if you kinda know how websites communicate with your computer you can follow it.
Mashable has a good summary of which websites you need to worry about.
One final thought. NEVER send your password to anyone for any reason through email. And, in fact, if an email tells you to change your password, even if you think it actually is authentic, don’t follow a link in the email to change it. Instead, use a bookmark, or type in the web address yourself, so that you know you are changing the password in the right place, and not on a rogue server in Tuvalu.
[1] I know that calling it a ‘program’ oversimplifies things, but this characterization will suffice for our purposes.
In the past weeks, Pearls Before Swine and Dogs of C-Kennel commented on the NSA surveillance program. These comics run in the Free Press (and elsewhere, of course).
Pearls Before Swine
Dogs of C-Kennel
On Friday The Guardian, which has been hosting most of the significant revelations about NSA surveillance, ran a series of think pieces on the topic, including one written by Edward Snowden himself, as well as one by Tom Stoppard (!):
And finally, this morning, on CNN, Bruce Schneier, the inventor of the term ‘security theater’, proposes a new future for the NSA. He points out that some of the NSA’s activities actually make us all less safe. Schneier spoke on campus a number of years ago, and his writings on security, both electronic and physical, have had a major influence on my understanding of security theory.