The income of a utility (and basically all companies) in the end comes out of the pockets of their customers. So any cost made by a utility - fines, refunds to some customers, bad decisions on outsourcing, etc - in the end are paid for by their customers, through the electricity price.
It is nice for a customer to get a rebate, however sooner or later this rebate will have to flow back into the utility, as the company will have to continue running.
Try to explain that to your average library worker, for whom a computer is a mere tool, and all they know about computing that in a few years a computer is considered old and obsolete, is replaced, and they have to relearn the applications all over again - hence all books about computing must be obsolete in a similar timespan...
The ads that target my search terms, are often quite relevant to me. It advertises goods or services that I happen to be interested in there and then. And if I'm indeed looking for commercial results, possibly after looking for reviews and other information on a product, good chance I'll click them.
And no need for invasive privacy. They don't really need to know my age or anything - just my location. And that they can see from my IP address. And if looking for highly local services like a restaurant around where I am "right now" I'm happy to provide a coordinate for even better results. There is just no need to know anything about "me" to properly target advertisements.
On the same note, Google's ads (that go along the search results) are often very useful. So much that I unblocked those in ABP.
I have used Google Ads myself to advertise. Click-through rates of ads on their homepage are like 100 times greater than those on their "affiliate network". Difference is to such an extent that I suspect that most of the clicks on the "affiliate network" are accidental... those click-through rates were like 0.01% or so.
I tend to draw the line at the CPU because if that is compromised or includes back doors, we are all screwed anyway.
The CPU will have bugs, for sure. Pushed hard enough people will be able go get to do things with it they're not supposed to be able to do. Whether those bugs allow for your finger print data to be revealed, we don't know yet. But intentional backdoors certainly are not needed for that.
And good luck changing your fingerprint after it's out in the open, and people start using it to impersonate you.
Steal one's fingerprints, steal their identity. That's the issue.
Everything about a person can be changed - names, IDs such as social security numbers, etc. Lots of bureaucracy to deal with maybe, but it can be changed. Your fingerprints, not so much. They're yours until after you die.
And even if so. Your fingerprints may be all over the phone - incomplete, streaked out, overlapping: most likely totally useless to harvest. It will work great against the casual theif, or the one who find the phone you just lost. They won't be able to get in that way, so it's working pretty well.
The key of the issue is that more and more governments are demanding biometrics to be included in one's passport, including fingerprints (I'm using my thumb print to clear immigration - very convenient now they finally got a good reading of my thumb, the previous one didn't really work well). That makes my thumb print also rather valuable: everyone who has my thumb print and knows how to thwart Hong Kong's scanners can enter and leave the country pretending to be me. And that accounts for the other 6 mln or so Hong Kong permanent residents that use this system as well (it's mandatory for all adults).
Now a casual device like the iPhone wants your fingerprint. That means that if I were to use my thumb for that and lose my phone, the person who finds it could theoretically extract my thumb print data (even if Apple says you can't: they got the actual device so I will assume it is possible, even if hard), and use that to clear immigration.
Even if it is not possible now, those scanners get better over time and will likely store more and more detailed fingerprint details, making it more and more likely that it becomes possible. And the fear is that by that time everyone is so used to use their fingerprints for anything, that it's going to be the perfect avenue for identity theft.
In many countries public utilities are run by a commercial company, for profit.
Sounds odd? Not really. There are two quite easy ways to control them, and push them to provide good service while maximising their profit and keeping prices to the end user reasonable.
Power companies in Hong Kong, are commercial. They have their monopoly, they have limited pricing power (they must apply to the government to change prices), and have certain supply obligations, like must provide power to anyone within their area. They can make a profit, which is a percentage of their fixed asset investment. Invest more, be allowed to make more money. As a result we have exceptionally reliable power for a reasonable price. An improvement here would be to separate infrastructure and supply, but it's not that bad as it stands.
Telephone/internet (ADSL) infrastructure, like in The Netherlands, is owned almost entirely by KPN, the former state-owned telephone company. They have the job to provide the infrastructure, and accept other ISPs on that same infrastructure at a fixed price. All ISPs pay the same for access to the homes. And KPN makes profits by keepking their cost lower than the set price they may charge for access. Currently there are dozens of ISPs available for end users, competing with one another, keeping their price low and their service quality high.
In Europe there are more such separations of infrastructure and supply: power lines and power supply. Gas pipes and gas supply. Railways and train services. Not all of it runs perfectly well, but it's at least the correct direction.
So yes sure it takes some kind of government regulation - but not necessarily government taking part in the company. The key problem in the US is probably that ANY governmnet intervention is frowned upon, even if it helps freeing a market from a monopolist's stranglehold and allowing many more players to take part.
Obviously the NSA believes they're the smartest when it comes to breaking cryptography.
Shouldn't that also mean, that if they can not break it, no-one else can?
To me it's a bit odd that they'd approve for government use encryption they know they can break already. Knowing that technology advances quickly (more computing power) and also cryptanalyses and related mathematics moves forward constantly.
There is no need to have backdoors in the standard - that'd be counter-productive anyway considering the large number of cryptographers outside the US that try to find weaknesses in those standards. And indeed some have been broken to lesser and greater extent, others are still standing strong.
It is those that stand strong (AES etc) that are now recommended by the NSA to use for top secret stuff and so, and also to the general public. Nothing fishy there, the standards themselves are fine.
The problem lies in the implementation. They have their tentacles reaching out to Microsoft, so they can add a backdoor in MS's https implementation for example, a way that allows them to easily decrypt a stream. Windows being closed source makes it really hard to detect such backdoors by outsiders, however a single leak from the inside or a stroke of luck could prove total disaster for everyone involved.
And that's what I'm actually still waiting for - if MS has put some kind of backdoor in their https, or other encryption software, there must be quite some people on the inside that know about this. Those that implemented it, those that ordered the implementation, and those that work with the source and see the backdoor code while working on their own parts. It should be just a matter of time before there is another Bradley Manning or Edward Snowden who says "enough is enough" and exposes the issue.
In the case of a signed (and dated) statement, you still hold the controlling factor and would necessitate coercion on the behalf of the other party. If the other party (government or individual) is willing and able to bear sufficient coercion upon you to acquiesce to perjury, than the system fails. So, one should only implement such a model if one believes that the level of coercion is within the limits of one's conviction to resist - otherwise you're setting yourself and your "trusted" parties up for compromise.
Not giving in for long enough for your "dead man switch" or "canary" to expire is long enough. Like the example of rsync.org; they'd only have to delay the update for a single day and (assuming there is someone actually paying attention to it) the message is out. That one day should be manageable. Especially as the message can not be prepared in advance (thanks to the news snippets) the government can't do much until the new message is due to be created.
No, we don't "love it", we're appalled, angry, embarrassed and saddened.
No doubt there are also in the US many people who are appalled, angry, embarrassed and saddened about these indefinite detentions. However there are obviously not enough of them. Not enough people in the US that really want it to be changed, not enough people there that go to the streets and protest against those human rights violations, not enough people there voting for politicians who make fixing it their primary item.
Most of the rest of the world wants it to be changed. I really hope you guys can fix this issue, instead of trying to make such behaviour the norm and pull more and more other countries (most notably in Europe) into this.
Trust in government is at an all-time low.
Do you have anything to back up that claim? Or is it just your personal opinion?
Indeed, cloud security is a big issue, and will always be so.
I'm currently using a cloud server for my web site and email needs - all my mails, as cyrus mail store, are stored there. It's not in the US so should be out of reach from the TSA at least, though security is a bit of an concern for me. Until recently I had my own physical server with fast Internet connection but due to changing circumstances I had to change that.
My mails are stored unencrypted on the server. My hard drive is unencrypted - I really don't see the purpose of that, because the OS needs to be able to access everything unencrypted or it can't work in the first place. E-mail can't be searched (nor indexed) if it's all stored encrypted. And my cloud provider, having "physical" access to my virtual server can always access it if they really want.
If you use the cloud for pure storage, I imagine it can work to have all files encrypted on the server, only decrypting when it arrives on your workstation. I may be able to do that with the user files I store on that server, the need of special software on the client side is an issue as I occasionally need to access it from other places.
..if it's "voluntary" or not just saves the feds one trip to the judge. it's voluntary in the sense that they help them do it - it's also good business because the government has to pay for their time(it's not a tax, so it's paid for with tax money...), it's very good business also due to the fact that the expenses are not checked by anyone and the government side of the budget is also secret so nobody can really question the expenses....
Indeed, they've received a lot of money from the government. However if that amount can be seen as unreasonably high, it may point to graft. And that'd be at least as serious a situation (and quite interesting as usually it's the company manager that bribes the government official, not the other way around).
I wonder what the consequences could be for the Internet at large.
Apparently there are backdoors in popular encryption software programs. That in itself should be alarming: if the NSA knows about it, who says the underworld hasn't found out about it already? Or is now directly searching for backdoors, knowing that they exist?
The NSA is after your privacy - which is a very bad thing, but something that doesn't hit most people directly.
Cybercriminals are usually after your money. If encryption is not secure, they can easily start listening in on credit card transactions done "securely" over HTTPS.
They can also start to intercept financial orders, decrypt them, alter them (i.e. payment redirected to another recipient, while still sending the intended recipient a "transaction accepted" reply), and sending them on correctly encrypted so the payment processor is none the wiser; after all it's encrypted so it's true. And it's going to be really hard for the intended recipient to file a complaint.
It won't be the end of the Internet as we know it, but there are some serious considerations to make.
Honestly I doubt Google (and the others) were really voluntarily helping the NSA, because if anything providing data to the NSA means work (and more work to keep it secret), and that costs money. Bad for business.
These taps are generally enforced onto them by the NSA, be it directly or via the courts. The companies directly involved are all American companies - companies in other countries invariably were forced into cooperation by their national secret service (who in turn was "asked" by the NSA).
As long as Google were true to their case, they'd drop development in such a case (or intentionally stall it, or whatever). With or without stating the true reason.
The first is Google. I switched off ABP to see Google's ads - when doing a general search I can easily ignore them (they're not intrusive - if they were, I'd have ABP on), and when searching for commercial offerings, actual stuff to buy, they tend to give me better results than the search results, as the ads link to indeed places where I can buy the thing I'm searching for. The general search results tend to give information about the product, but not where to buy it.
The second is a recycling business related web site, that hosts their own ads, which is why ABP misses them. Very relevant ads, targeting exactly the audience of that site. They're not too intrusive (and the few flash-based ones are blocked by FlashBlock), so that's OK.
There are multiple such advertising space brokers, they compete with one another.
Now why this "personal data" and "targeted advertising" is so big business, is still beyond me. It can be done so much simpler.
From personal experience I know that (at least five years ago) Google AdWords was a pretty efficient advertising tool. I got click-through rates on ads posted on their search page of 1-2% (the "affiliate network" got Who my customers are, Google doesn't know. They just know that when searching for certain keywords they may be interested in my service, and post my ads to those visitors. They try to do the same with their "affiliate network" of third-party web sites showing Google ads, but not exactly successful.
Now there are two forms of advertising: one that wants to directly attract customers to a service (what I wanted), and then there is the general brand-awareness advertising (like e.g. coca cola is doing). They buy advertising space left right and centre to get their brand name and logo out, and in the minds of their customers. This is the kind of advertiser that wants to know the demographic of their customers.
But then again, traditionally they would choose the locations for outdoor advertising and specific magazines/paper for print advertising, based on the demographic targeted by those media. Coca Cola would not advertise in a magazine for the elderly, for example. Nor would they advertise on a tech site like Slashdot. More likely they would advertise where the teens and younger kids go.
So why do they need to know individual web surfers? The sites they visit should be a very obvious clue of what they're interested in there and then. Now I visit Slashdot, my mind is in tech-interest mode. Maybe in an hour I go search for gardening stuff, then I may be interested in learning about gardening products. My visits to gardening web sites should be enough of a clue: gardening-related ads on gardening sites, tech-related ads on Slashdot. How hard can it be?
This marketing organisation has a commercial interest in getting their data right. The NSA not (as long the NSA produces something, they'll get their money). Now for whom are the stakes higher?
Slashdot Mirror
The income of a utility (and basically all companies) in the end comes out of the pockets of their customers. So any cost made by a utility - fines, refunds to some customers, bad decisions on outsourcing, etc - in the end are paid for by their customers, through the electricity price.
It is nice for a customer to get a rebate, however sooner or later this rebate will have to flow back into the utility, as the company will have to continue running.
Try to explain that to your average library worker, for whom a computer is a mere tool, and all they know about computing that in a few years a computer is considered old and obsolete, is replaced, and they have to relearn the applications all over again - hence all books about computing must be obsolete in a similar timespan...
I guess ABP will take care of this one before it's released. So nothing to worry about.
The ads that target my search terms, are often quite relevant to me. It advertises goods or services that I happen to be interested in there and then. And if I'm indeed looking for commercial results, possibly after looking for reviews and other information on a product, good chance I'll click them.
And no need for invasive privacy. They don't really need to know my age or anything - just my location. And that they can see from my IP address. And if looking for highly local services like a restaurant around where I am "right now" I'm happy to provide a coordinate for even better results. There is just no need to know anything about "me" to properly target advertisements.
Totally agree.
On the same note, Google's ads (that go along the search results) are often very useful. So much that I unblocked those in ABP.
I have used Google Ads myself to advertise. Click-through rates of ads on their homepage are like 100 times greater than those on their "affiliate network". Difference is to such an extent that I suspect that most of the clicks on the "affiliate network" are accidental... those click-through rates were like 0.01% or so.
So rude! They could have politely asked the owner to start the vehicle for them - and change the registered fingerprint(s) in the process.
I tend to draw the line at the CPU because if that is compromised or includes back doors, we are all screwed anyway.
The CPU will have bugs, for sure. Pushed hard enough people will be able go get to do things with it they're not supposed to be able to do. Whether those bugs allow for your finger print data to be revealed, we don't know yet. But intentional backdoors certainly are not needed for that.
And good luck changing your fingerprint after it's out in the open, and people start using it to impersonate you.
Steal one's fingerprints, steal their identity. That's the issue.
Everything about a person can be changed - names, IDs such as social security numbers, etc. Lots of bureaucracy to deal with maybe, but it can be changed. Your fingerprints, not so much. They're yours until after you die.
And even if so. Your fingerprints may be all over the phone - incomplete, streaked out, overlapping: most likely totally useless to harvest. It will work great against the casual theif, or the one who find the phone you just lost. They won't be able to get in that way, so it's working pretty well.
The key of the issue is that more and more governments are demanding biometrics to be included in one's passport, including fingerprints (I'm using my thumb print to clear immigration - very convenient now they finally got a good reading of my thumb, the previous one didn't really work well). That makes my thumb print also rather valuable: everyone who has my thumb print and knows how to thwart Hong Kong's scanners can enter and leave the country pretending to be me. And that accounts for the other 6 mln or so Hong Kong permanent residents that use this system as well (it's mandatory for all adults).
Now a casual device like the iPhone wants your fingerprint. That means that if I were to use my thumb for that and lose my phone, the person who finds it could theoretically extract my thumb print data (even if Apple says you can't: they got the actual device so I will assume it is possible, even if hard), and use that to clear immigration.
Even if it is not possible now, those scanners get better over time and will likely store more and more detailed fingerprint details, making it more and more likely that it becomes possible. And the fear is that by that time everyone is so used to use their fingerprints for anything, that it's going to be the perfect avenue for identity theft.
HTTPS doesn't hide who you're talking to, only what you're saying to one another.
A VPN or proxy may work though. If you're OK with the performance loss.
In many countries public utilities are run by a commercial company, for profit.
Sounds odd? Not really. There are two quite easy ways to control them, and push them to provide good service while maximising their profit and keeping prices to the end user reasonable.
Power companies in Hong Kong, are commercial. They have their monopoly, they have limited pricing power (they must apply to the government to change prices), and have certain supply obligations, like must provide power to anyone within their area. They can make a profit, which is a percentage of their fixed asset investment. Invest more, be allowed to make more money. As a result we have exceptionally reliable power for a reasonable price. An improvement here would be to separate infrastructure and supply, but it's not that bad as it stands.
Telephone/internet (ADSL) infrastructure, like in The Netherlands, is owned almost entirely by KPN, the former state-owned telephone company. They have the job to provide the infrastructure, and accept other ISPs on that same infrastructure at a fixed price. All ISPs pay the same for access to the homes. And KPN makes profits by keepking their cost lower than the set price they may charge for access. Currently there are dozens of ISPs available for end users, competing with one another, keeping their price low and their service quality high.
In Europe there are more such separations of infrastructure and supply: power lines and power supply. Gas pipes and gas supply. Railways and train services. Not all of it runs perfectly well, but it's at least the correct direction.
So yes sure it takes some kind of government regulation - but not necessarily government taking part in the company. The key problem in the US is probably that ANY governmnet intervention is frowned upon, even if it helps freeing a market from a monopolist's stranglehold and allowing many more players to take part.
Obviously the NSA believes they're the smartest when it comes to breaking cryptography.
Shouldn't that also mean, that if they can not break it, no-one else can?
To me it's a bit odd that they'd approve for government use encryption they know they can break already. Knowing that technology advances quickly (more computing power) and also cryptanalyses and related mathematics moves forward constantly.
There is no need to have backdoors in the standard - that'd be counter-productive anyway considering the large number of cryptographers outside the US that try to find weaknesses in those standards. And indeed some have been broken to lesser and greater extent, others are still standing strong.
It is those that stand strong (AES etc) that are now recommended by the NSA to use for top secret stuff and so, and also to the general public. Nothing fishy there, the standards themselves are fine.
The problem lies in the implementation. They have their tentacles reaching out to Microsoft, so they can add a backdoor in MS's https implementation for example, a way that allows them to easily decrypt a stream. Windows being closed source makes it really hard to detect such backdoors by outsiders, however a single leak from the inside or a stroke of luck could prove total disaster for everyone involved.
And that's what I'm actually still waiting for - if MS has put some kind of backdoor in their https, or other encryption software, there must be quite some people on the inside that know about this. Those that implemented it, those that ordered the implementation, and those that work with the source and see the backdoor code while working on their own parts. It should be just a matter of time before there is another Bradley Manning or Edward Snowden who says "enough is enough" and exposes the issue.
In the case of a signed (and dated) statement, you still hold the controlling factor and would necessitate coercion on the behalf of the other party. If the other party (government or individual) is willing and able to bear sufficient coercion upon you to acquiesce to perjury, than the system fails. So, one should only implement such a model if one believes that the level of coercion is within the limits of one's conviction to resist - otherwise you're setting yourself and your "trusted" parties up for compromise.
Not giving in for long enough for your "dead man switch" or "canary" to expire is long enough. Like the example of rsync.org; they'd only have to delay the update for a single day and (assuming there is someone actually paying attention to it) the message is out. That one day should be manageable. Especially as the message can not be prepared in advance (thanks to the news snippets) the government can't do much until the new message is due to be created.
No, we don't "love it", we're appalled, angry, embarrassed and saddened.
No doubt there are also in the US many people who are appalled, angry, embarrassed and saddened about these indefinite detentions. However there are obviously not enough of them. Not enough people in the US that really want it to be changed, not enough people there that go to the streets and protest against those human rights violations, not enough people there voting for politicians who make fixing it their primary item.
Most of the rest of the world wants it to be changed. I really hope you guys can fix this issue, instead of trying to make such behaviour the norm and pull more and more other countries (most notably in Europe) into this.
Trust in government is at an all-time low.
Do you have anything to back up that claim? Or is it just your personal opinion?
Indeed, cloud security is a big issue, and will always be so.
I'm currently using a cloud server for my web site and email needs - all my mails, as cyrus mail store, are stored there. It's not in the US so should be out of reach from the TSA at least, though security is a bit of an concern for me. Until recently I had my own physical server with fast Internet connection but due to changing circumstances I had to change that.
My mails are stored unencrypted on the server. My hard drive is unencrypted - I really don't see the purpose of that, because the OS needs to be able to access everything unencrypted or it can't work in the first place. E-mail can't be searched (nor indexed) if it's all stored encrypted. And my cloud provider, having "physical" access to my virtual server can always access it if they really want.
If you use the cloud for pure storage, I imagine it can work to have all files encrypted on the server, only decrypting when it arrives on your workstation. I may be able to do that with the user files I store on that server, the need of special software on the client side is an issue as I occasionally need to access it from other places.
..if it's "voluntary" or not just saves the feds one trip to the judge. it's voluntary in the sense that they help them do it - it's also good business because the government has to pay for their time(it's not a tax, so it's paid for with tax money...), it's very good business also due to the fact that the expenses are not checked by anyone and the government side of the budget is also secret so nobody can really question the expenses....
Indeed, they've received a lot of money from the government. However if that amount can be seen as unreasonably high, it may point to graft. And that'd be at least as serious a situation (and quite interesting as usually it's the company manager that bribes the government official, not the other way around).
I wonder what the consequences could be for the Internet at large.
Apparently there are backdoors in popular encryption software programs. That in itself should be alarming: if the NSA knows about it, who says the underworld hasn't found out about it already? Or is now directly searching for backdoors, knowing that they exist?
The NSA is after your privacy - which is a very bad thing, but something that doesn't hit most people directly.
Cybercriminals are usually after your money. If encryption is not secure, they can easily start listening in on credit card transactions done "securely" over HTTPS.
They can also start to intercept financial orders, decrypt them, alter them (i.e. payment redirected to another recipient, while still sending the intended recipient a "transaction accepted" reply), and sending them on correctly encrypted so the payment processor is none the wiser; after all it's encrypted so it's true. And it's going to be really hard for the intended recipient to file a complaint.
It won't be the end of the Internet as we know it, but there are some serious considerations to make.
Honestly I doubt Google (and the others) were really voluntarily helping the NSA, because if anything providing data to the NSA means work (and more work to keep it secret), and that costs money. Bad for business.
These taps are generally enforced onto them by the NSA, be it directly or via the courts. The companies directly involved are all American companies - companies in other countries invariably were forced into cooperation by their national secret service (who in turn was "asked" by the NSA).
As long as Google were true to their case, they'd drop development in such a case (or intentionally stall it, or whatever). With or without stating the true reason.
Don't mix up anonymity with privacy. This are two very different things. You don't have to be anonymous to have privacy.
For me, they're not too far off.
There are actually two sites where I see ads.
The first is Google. I switched off ABP to see Google's ads - when doing a general search I can easily ignore them (they're not intrusive - if they were, I'd have ABP on), and when searching for commercial offerings, actual stuff to buy, they tend to give me better results than the search results, as the ads link to indeed places where I can buy the thing I'm searching for. The general search results tend to give information about the product, but not where to buy it.
The second is a recycling business related web site, that hosts their own ads, which is why ABP misses them. Very relevant ads, targeting exactly the audience of that site. They're not too intrusive (and the few flash-based ones are blocked by FlashBlock), so that's OK.
There are multiple such advertising space brokers, they compete with one another.
Now why this "personal data" and "targeted advertising" is so big business, is still beyond me. It can be done so much simpler.
From personal experience I know that (at least five years ago) Google AdWords was a pretty efficient advertising tool. I got click-through rates on ads posted on their search page of 1-2% (the "affiliate network" got Who my customers are, Google doesn't know. They just know that when searching for certain keywords they may be interested in my service, and post my ads to those visitors. They try to do the same with their "affiliate network" of third-party web sites showing Google ads, but not exactly successful.
Now there are two forms of advertising: one that wants to directly attract customers to a service (what I wanted), and then there is the general brand-awareness advertising (like e.g. coca cola is doing). They buy advertising space left right and centre to get their brand name and logo out, and in the minds of their customers. This is the kind of advertiser that wants to know the demographic of their customers.
But then again, traditionally they would choose the locations for outdoor advertising and specific magazines/paper for print advertising, based on the demographic targeted by those media. Coca Cola would not advertise in a magazine for the elderly, for example. Nor would they advertise on a tech site like Slashdot. More likely they would advertise where the teens and younger kids go.
So why do they need to know individual web surfers? The sites they visit should be a very obvious clue of what they're interested in there and then. Now I visit Slashdot, my mind is in tech-interest mode. Maybe in an hour I go search for gardening stuff, then I may be interested in learning about gardening products. My visits to gardening web sites should be enough of a clue: gardening-related ads on gardening sites, tech-related ads on Slashdot. How hard can it be?
At least now they got some more accurate data on you: what you filled in.
Interesting to assume a 59yo might have a 6yo child. There are probably more 59yos that have a 6yo grand-child.
Who says the NSA is doing a better job at this?
This marketing organisation has a commercial interest in getting their data right. The NSA not (as long the NSA produces something, they'll get their money). Now for whom are the stakes higher?