The 2nd Circuit Court of Appeals released a decision today in a case involving the Hathi Trust, which has been scanning old books and making them available online for search purposes. Some authors’ organizations sought to prevent them from doing this on copyright grounds, but Hathi (and many supporters) argued that the non-profit partner of Google Books was entitled under the ‘fair use’ provision of the Copyright Act to scan millions of books (including, particularly, ‘orphan’ books whose copyright is still valid but whose authors are long gone or cannot be located) and make the results searchable. Hathi Trust is an invaluable tool for historical, linguistic and literary research because it makes millions of out-of-print books accessible to researchers everywhere.
This doesn’t mean you can now just read any book in their repository. You can’t. What you can do, however, is search for every instance of a word in the millions of books and get the surrounding context for each use (which is a gold mine for linguists), or find mentions of historical events or people (or political theories or scientific experiments) in millions of books scattered around the country.
The court’s conclusion was that making snippets available through searches, and making entire texts available to the visually impaired, constituted fair use, with the search function qualifying as a ‘transformative’ use (one of the factors in the fair use analysis; you can read all about it on the WSU Library’s Copyright page).
Here are two news items on the court case:
Recently a number of universities (including Wayne State) have been hit by a particularly vicious phishing trick. Faculty with relatively high salaries receive what look like official notifications asking them to ‘verify’ their login details. If they click on the link in the email they are sent to web pages that look very much like the standard university login page (complete with appropriate wordmarks, layout, etc.). This kind of phishing is called ‘spearphishing’ because the attacks are not random but carefully targeted: the email message looks as if it was written for the addressee, with their name in it, and perhaps their chair’s name or the name of the VP for Administration. After they enter their credentials, the victims eventually find that someone else has logged in with those credentials and changed their direct deposit to a bank in another country, often a pop-up bank (similar to a pop-up restaurant but not nearly as tasty). By the time the deception is discovered (usually when the victim notices that their real account never received the deposit) the money is gone.
All the universities that have had this happen have had to make good on the lost paychecks, and with lots of full professors getting caught that’s a lot of money the universities don’t have to spare. How can you resist getting sucked into these scams?
- Never log in to a Wayne State account by clicking on a link in an email.
- Always go directly to the appropriate website by typing its address into your browser (blackboard.wayne.edu, pipeline.wayne.edu, academica.wayne.edu).
- Make sure that the address shown in the browser once the page has ‘painted’ begins with ‘https://’ and that the host name right after it ends in wayne.edu. The padlock alone only tells you the connection is encrypted, not that you are talking to the university; a phishing page can have a padlock too, and a name like pipeline.wayne.edu.something-else.com is not ours.
- Change your password immediately if you think you have fallen for one of these scams.
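As an added illustration (not part of the original post), here is a small Python checker that applies the rules above to the links in a message. It judges the host name, which is what the ‘https://’ bullet is really about: the padlock only says the connection is encrypted, and phishing pages can have one too. The sample email body, the `.example` host and the 203.0.113.7 address are constructed for the example; wayne.edu is the only real domain, taken from the post.

```python
import re
from urllib.parse import urlsplit

# The only domain a Wayne State login page should live under (from the post).
TRUSTED_DOMAIN = "wayne.edu"

# Crude but adequate for pulling links out of plain-text mail.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def classify_link(url: str) -> str:
    """Return 'ok' for a link that really points at the university, otherwise a
    short reason not to trust it. The host name is judged, not the padlock."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return "not https"
    # user:pass@host syntax shows a trusted-looking name before the '@' while
    # the browser actually connects to whatever follows it.
    if "@" in parts.netloc:
        return "userinfo in URL"
    host = parts.hostname or ""          # lower-cased, port stripped
    if not host:
        return "no host"
    if "xn--" in host:                   # IDN/punycode lookalike characters
        return "punycode host"
    if host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN):
        return "ok"
    # 'wayne' buried in a longer or slightly different name is the classic trick:
    # pipeline.wayne.edu.evil.example, pipeline-wayne.edu, wayne-edu.example ...
    if "wayne" in host:
        return "lookalike host"
    return "foreign host"


def audit_email(body: str) -> list[tuple[str, str]]:
    """Pull every link out of an email body and classify each one."""
    return [(m.group(0), classify_link(m.group(0))) for m in URL_RE.finditer(body)]


# Constructed sample: a direct-deposit lure of the kind described above.
SAMPLE_EMAIL = """\
Dear Professor, your direct deposit profile must be verified today.
Verify here: https://pipeline.wayne.edu.account-verify.example/login
Or here:     http://pipeline.wayne.edu/login
Backup:      https://wayne.edu@203.0.113.7/login
Genuine:     https://pipeline.wayne.edu/
"""

if __name__ == "__main__":
    for url, verdict in audit_email(SAMPLE_EMAIL):
        print(f"{verdict:16} {url}")
```

Only the last link in the sample survives; the first three are exactly the shapes that fool a glance at the address bar, and the second would even pass a ‘does it say wayne.edu’ check if you forgot to look at the scheme.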
Here are some other universities that have been caught (so you can see we’re not outliers): https://oit.ncsu.edu/news-releases/look-out-for-phishing-email-targeting-your-direct-deposit http://www.bu.edu/today/2014/internet-scammers-change-some-bu-direct-deposit-accounts/ http://uis.georgetown.edu/page/1242745504502.html http://www.annarbor.com/news/university-of-michigan-spear-phishing/
Finally, our colleagues at U of M put together an excellent video about phishing which is worth watching (you can just ignore the hype about ‘Big Blue’).
A couple of months ago I wrote about a future Wayne State email system based in the cloud. At the time we were considering Gmail and Microsoft’s Office 365. Since then we’ve pretty much settled on the Microsoft offering, although no formal decision has yet been made.
An alarming development at the University of Illinois Chicago about a month ago made many question the value of working with Google: an infected machine on the UIC network caused Google to block all email sent from UIC. This is something that occasionally happens (every now and then AOL or someone like that blocks Wayne State email for a day or so). What was alarming was that it took Google almost two weeks to unblock UIC’s mail, mostly because UIC was unable to get hold of anyone at Google. That certainly didn’t help Google’s reputation among universities.
Even more interesting is the fact that Google normally uses their customers’ data to tailor ads. You may have noticed that ads in your Gmail account sometimes reflect something you searched for in Google earlier in the week. This is not a coincidence–Google admits that they do this. When universities contracted with Google to use Gmail, they agreed to Google mining the email to target ads, even if the ads didn’t show up in the university-based email accounts.
Yesterday Google announced that they would no longer mine academic Gmail accounts. Apparently the drumbeat of the privacy advocates got a little too loud for them. I’ll be attending an academic computing privacy conference in DC next week–no doubt that will be one of the topics of conversation.
By now probably everyone has heard about the Heartbleed problem, but just in case you haven’t, here’s a quick summary. One of the programs1 that websites use to communicate securely with customers, called OpenSSL, turns out to have a bug that lets bad guys read chunks of the web server’s memory, which can contain passwords, session cookies and even the secret key the server uses to encrypt its traffic, even though the data exchanged between you and the site is supposed to be protected (as indicated by the icon of a closed padlock in the address bar, and https in the address itself).
The accidentally unlocked ‘door’ has been there for about two years (it was introduced with OpenSSL 1.0.1 in 2012), so there is a chance that your communications with Gmail, Facebook, tumblr and others have been snooped on. There is even a chance that your password has been swiped, and, of course, if you use the same password on various sites, any stolen password will work on all of them.
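To make the mechanics concrete, here is a stripped-down model of the bug in C. It is an added illustration written for this post, not OpenSSL’s code: the message layout follows the TLS heartbeat extension (a type byte, a two-byte length, the payload, then padding), but the handlers, the `arena` buffer standing in for the server’s memory and the sample `password=hunter2` secret are all constructed for the example. The vulnerable handler copies as many bytes as the sender’s length field claims; the fixed one drops any request whose claimed length does not fit inside what was actually received, which is the check the OpenSSL patch added.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat message layout (RFC 6520):
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16) */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HEADER   3
#define HB_PADDING  16

/* Stand-in for the server's memory: the received record sits at the start of the
 * arena and a secret belonging to some other connection happens to lie further on. */
#define ARENA_SIZE 256
static unsigned char arena[ARENA_SIZE];
static const char SECRET[] = "password=hunter2";   /* constructed sample data */

/* Place one heartbeat request in the arena. claimed_len is what the sender writes
 * into the length field; actual_payload is what is really sent.
 * Returns the number of bytes that actually arrived on the wire. */
static size_t build_request(uint16_t claimed_len, const char *actual_payload)
{
    size_t n = strlen(actual_payload);
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + HB_HEADER, actual_payload, n);
    memcpy(arena + 64, SECRET, sizeof SECRET);     /* "someone else's" data nearby */
    return HB_HEADER + n + HB_PADDING;
}

/* Vulnerable handler: believes the length field and never consults rec_len, so the
 * memcpy runs past the end of the record into adjacent memory. Returns response size. */
static size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                   unsigned char *out)
{
    (void)rec_len;                                 /* the bug: never checked */
    if (rec[0] != HB_REQUEST) return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload);   /* over-read */
    return HB_HEADER + payload;
}

/* Fixed handler: header + claimed payload + minimum padding must fit inside the
 * bytes actually received; otherwise the request is silently dropped. */
static size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                              unsigned char *out)
{
    if (rec_len < HB_HEADER + HB_PADDING) return 0;   /* too short to be valid */
    if (rec[0] != HB_REQUEST) return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HEADER + payload + HB_PADDING > rec_len) return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload);
    return HB_HEADER + payload;
}

/* Did the secret end up in the response? */
static int leaks_secret(const unsigned char *resp, size_t len)
{
    size_t slen = strlen(SECRET);
    for (size_t i = 0; i + slen <= len; i++)
        if (memcmp(resp + i, SECRET, slen) == 0) return 1;
    return 0;
}

/* Malicious request: claims 200 bytes of payload but sends 4. */
int vulnerable_leaks(void)
{
    unsigned char resp[ARENA_SIZE];
    size_t rec_len = build_request(200, "ping");
    return leaks_secret(resp, heartbeat_vulnerable(arena, rec_len, resp));
}

int fixed_leaks(void)
{
    unsigned char resp[ARENA_SIZE];
    size_t rec_len = build_request(200, "ping");
    return leaks_secret(resp, heartbeat_fixed(arena, rec_len, resp));
}

/* Well-formed request: claims 4 bytes and sends 4; the fixed handler answers it. */
size_t fixed_honest_len(void)
{
    unsigned char resp[ARENA_SIZE];
    size_t rec_len = build_request(4, "ping");
    return heartbeat_fixed(arena, rec_len, resp);
}

int main(void)
{
    printf("vulnerable handler leaks secret: %s\n", vulnerable_leaks() ? "yes" : "no");
    printf("fixed handler leaks secret:      %s\n", fixed_leaks() ? "yes" : "no");
    printf("fixed handler, honest request:   %zu-byte response\n", fixed_honest_len());
    return 0;
}
```

The over-read is bounded here by the arena so the program stays well-defined; on a real server each request could pull up to 64 KB of whatever happened to be next to the record, and an attacker could repeat it as often as they liked, which is why certificates and passwords had to be replaced and not just the software.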
What can you do? First of all, all your Wayne State data is safe–the WSU systems were not running OpenSSL, so they are all safe. The Wayne VPN is vulnerable, but the VPN itself was protected from external attacks in another way, so there is no risk there. But, of course, you have passwords on many other sites, and for some of those you should probably consider some password ‘maintenance’. Specifically, you should change those passwords, but only after the site has announced that it has patched OpenSSL; a new password entered on a site that is still vulnerable can be stolen just like the old one. I’ve already changed my Gmail and Dropbox passwords, and am working on several others.
The real takeaway from this event is that you should not reuse passwords from site to site. Of course, that’s easier to say than to do–most of us have dozens, if not hundreds of passwords, so some kind of password manager is becoming more and more necessary. I, myself, use Lastpass, which stores my passwords online (of course I use a unique, complex but memorable password for that). It not only stores all my passwords, it even suggests complex non-memorable passwords. Since it will automatically fill them in for me I don’t need to remember them. If you don’t like having it fill things in automatically you can invoke it (there’s a plug-in for every popular web browser), display the password and copy it into the relevant website as you log in.
Note that I have no connection with Lastpass, and there are other worthy competitors such as Keepass and Roboform. You can read a review of them here
Lastpass has an interactive form you can use to see whether your favorite websites have been protected. You can find that here.
If you are interested in the technical details of how Heartbleed works you can watch this video, which lasts about 8 minutes. It’s not horribly abstruse–if you kinda know how websites communicate with your computer you can follow it.
Mashable has a good summary of which websites you need to worry about.
One final thought. NEVER send your password to anyone for any reason through email. And, in fact, if an email tells you to change your password, if you think it actually is authentic, don’t follow a link in the email to change it. Instead, use a bookmark, or type in the web address yourself, so that you know you are changing the password in the right place, and not in a rogue server in Tuvalu.
1 I know that calling it a ‘program’ oversimplifies things, but this characterization will suffice for our purposes.
In the past weeks, Pearls Before Swine and Dogs of C-Kennel commented on the NSA surveillance program. These comics run in the Free Press (and elsewhere, of course).
Pearls Before Swine
Dogs of C-Kennel
On Friday The Guardian, which has been hosting most of the significant revelations about NSA surveillance, ran a series of think pieces on the topic, including one written by Edward Snowden himself, as well as one by Tom Stoppard (!):
And finally, this morning on CNN, Bruce Schneier, who coined the term ‘security theater’, proposes a new future for the NSA. He points out that some of the NSA’s activities actually make us all less safe. Schneier spoke on campus a number of years ago and his writings on security, both electronic and physical, have had a major influence on my understanding of security theory.
C&IT has used the Zimbra email system (branded as Wayne Connect) for a number of years now, and is looking at other cloud-based alternative systems. Across the country a number of universities have adopted Google Apps for Education as their email system1, and others have settled on Microsoft’s Office 365 Education suite2.
These products enable universities to provide ad-free, University-branded email accounts hosted and maintained by Google or Microsoft. The interface would be similar to either Gmail (Google’s popular email service) or Outlook.com (Microsoft’s webmail answer to Gmail). I’d be interested in hearing from folks who use one or the other about your experience with them and any preferences you might have. Note that Outlook.com is not the same as Outlook on your desktop – Microsoft simply wants consistent branding. Both Gmail and Outlook.com can be synced with Outlook on your desktop if you are used to that kind of setup.
Adding to the mix, both of these solutions will include collaborative document editing, and if you have used either company’s tools (Google Docs or Office Web Apps), thoughts about those would be useful too.
Please use the comments section below, or feel free to email me directly if you would prefer not to share your thoughts with others.
1 This includes the University of Minnesota, UCLA, Brandeis, Rutgers, Maryland and the little college down the road in Ann Arbor.
2 Universities using Office 365 include Duke, Emory, Iowa and University of Washington.
Speaker: Robert Ellis Smith, privacy expert and publisher of Privacy Journal
Date: January 30, 2014
Time: 1-2 p.m. ET
Location: TRC located in the Purdy/Kresge Library
Join me as I host a free, hour-long nationally broadcast webinar, “Location, Location, Location.” Two contradictory federal court decisions, in 1979 and in December 2013, focus on whether the National Security Agency’s massive data collection program is constitutional. The NSA argues that its actions are legal because they do not probe into the content of phone calls, only the digits dialed to and from a phone. A 1979 U.S. Supreme Court opinion held that collecting data on dialed phone numbers, without acquiring the content of the calls, does not require a prior court order.
Today that decision does not make sense. The extent to which many people rely on their phones means dialing information establishes patterns of personal relationships and can reveal private interests, needs, and even our locations. This information can include employment or credit information, and can be far more sensitive than our commonly disclosed medical and financial records. It has the potential to be every bit as revealing and damaging as the content of our conversations.
Everyone who is exposed to this new technology must recognize this new reality. The principles of fair information practice do not fit this important change in sensitivity. And, of course, the new reality may change again in an instant. This is an example of how learning the historical development of privacy concerns helps us focus our efforts on what is most important today, not on concerns of the last century.
Light refreshments will be provided.
If there is sufficient interest a discussion will follow, or a further local forum will be arranged.