Category: Politics

The Truth Is Out There

Hey, they *track* where aircraft go. Darn deep-state retroactively hacking into FAA data archived on third party sites to make Trump look bad! Turns out Trump was technically honest in telling Comey that he didn’t sleep in Moscow after the pagent – had the plane leave that night! No one asked about the night or two previous to the padgent.

I’ve pondered Trump’s ability to lie all.the.time without consequence – and it seems (to me) to hinge on the difference between “I outsmarted you” lying and “we’re all in on this one” lying. Will lying to an FBI agent be deemed OK because he’s part of this deep state out to get Trump? Will lying to the public to cover his own posterior be deemed OK because ‘the media’ (liberals, East coast elites) are out to get Trump? Will “they’re out to get me, so I had to lie” be a new class of falsehood approved by his supporters?

Data Privacy

Facebook is getting a lot of attention for the information it gathers and how well it secures personal data you provide. We should look just as intently at other companies. Some provide services to individuals in exchange for advertising data, and some provide advertising targeting services without offering anything to the individuals being tracked.

LinkedIn — Maybe because “professional” information about oneself does not feel as private as that which is shared on Facebook, LinkedIn gets overlooked a bit. The companies I’ve worked for and titles I’ve held almost seem like public records. You can download a copy of “your data” (like Facebook, this is not apt to contain meta-data they’ve gathered regarding you – just data you have submitted to the site). In your settings, use the privacy tab and scroll down to “How LinkedIn uses your data” – the first selection is to download your data.

Nothing stunning – a list of contacts, my various employers and titles. But LinkedIn is trying to slurp in my entire contact list, maintain a web of people who know people, and allow advertisers to target users. There’s a whole tab apart from your privacy settings to control how your data is used for advertising purposes. “Advertisers” seem to be corporate hiring agents and recruiters, so this marketing is not always mentally classified as “advertising”.

LinkedIn also has a setting which allows you to opt-out (mine was on, and I’ve never opted in so I assume it is an opt-out deal) of having some of your data made available to third parties for policy and academic research.

And remember that Facebook Pixel? LinkedIn wants to track information about “websites you’ve visited” and “information you’ve shared with businesses” to show you more relevant jobs and ads.

Beyond the data feeling less private, having high-paying jobs that need my exact skill set and tend to hire people with my browsing history … well, that feels like a score compared to Facebook’s ad trying to coerce me once again to buy a pair of roller skates I already decided wouldn’t work for my daughter. Even if you’re not actively interested in changing jobs, it is nice to feel wanted. But that’s a nice veneer to data hording, analysis, and target marketing. They’ve even got a peculiar setting under the “Communications” tab that wants to use algorithms to analyze your messages to formulate suggested replies. This too seems to be an opt-out setting.

Google — no one uses Google+ (pity, that) but Google amasses information from searches, e-mails, Hangouts, Android phones. You can request an archive of your data through https://takeout.google.com — it takes a long time for the archive to be built, and it was an incredible amount of data. A few +1s from mis-clicks that there is no immediately obvious way to delete. “Bookmarks” that all appear to be map locations. A calendar that apparently was syncing with my home server back in 2009 since that’s the create date on all of the items. A whole folder for Chrome with 75 meg of browsing history and another meg of bookmarks (a meg of text is a *lot* of data, but I *love* that my bookmarks sync between devices). A handful of contacts that I assume my husband created in our shared account. The totality of every conversation I’ve ever had in Hangouts. Some Google Keep notes that I also assume are my husband’s from our shared account. My entire GMail mailbox, which is an obvious data source. The very tiny set of profile data I actually shared with Google.

Hell, Google has years worth of location data that I guess comes from my phone (it’s got fairly accurate lat/long coordinates, so GPS is the likely source). Following Google’s directions to delete the data didn’t work either (on the map, hit the hamburger menu then scroll ALL THE WAY DOWN to the ‘history’ selection”. Google both claims to have no history data for me and has 423 places on my timeline. Sooo, yeah, that would be history data. I finally managed to delete the stuff through my phone. There is a “Google Settings” app. Select “Location” from it, then “Google Location History”. There is a “Manage Activities” selection (use Google Maps to open it). Confirm you don’t want to use location history because, of course, it asks you to turn it on. Then use the hamburger menu button and select “Settings”. Waaay down at the bottom, there’s an option to delete all history or a date range of history. A couple of warnings later, the timeline map shows no data.

Then there are the photos. Gig after gig of photos. I had an Android phone that went into a reboot loop. I spent a few days wiping and reloading my phone, then failed back to an old phone. One of those iterations, evidently, slurped up all of the photos on my SD card because companies *want* your data. So the initial phone setup pushes you to backup your data, sync up your media, and generally upload ‘stuff’. One erroneous click and they’ve got metadata they’ll be able to keep forever. And there’s no readily apparent way to delete everything at once either. I’ve spent days on the web site deleting a couple hundred photos at a time. Not fun. Click the first picture, scroll down a bit, hold shift and click another picture. If you’re lucky, you didn’t select more than whatever the limit is (guessing 500) and you’ll get “389 Selected” in the upper left hand corner. At which point, you can click the delete and remove that chunk of photos. If you are not lucky, you get “2 Selected” and have to try again.

Ceasing data collection is much easier than removing data they’ve already grabbed. From your account settings, elect to “Manage your Google activity”. Then go into “Go To Activity Controls” and turn off (well, pause) whatever you want to turn off.

And I assume any bucket into which they’ve placed you based on previously gathered information will be retained even if you’ve deleted the underlying data.

 

Context

I’ve walked into conversations mid-way and missed an important bit that completely changed the meaning of what I overheard – context matters. ABC’s interview with James Comey provides context for the odd announcement of finding Clinton’s e-mails on Weiner’s laptop. As background, prosecutors decide if the particulars of an event warrant filing charges. An extreme example is a manslaughter case with a self-defense argument. In a clear-cut situation, the prosecutor might never charge the individual — why waste tax payer money and juror time adjudicating a situation where there are a dozen independent witnesses who saw an attack and lethal force used as defense? In a murkier situation, like Zimmerman killing Martin in Florida, the prosecutor will charge the individual; and a jury determines if the lethal force was used in legitimate self-defense. The question being investigated by the FBI wasn’t just if there were classified materials inappropriately handled – the deeper question was if there was criminal negligence in the handling of classified materials. Did someone say “now, you need to keep all classified electronic materials on a State Department server” but the messages were still moved to a private server? Were the classified documents sensitive enough that the need to secure the information would be self-evident? From the messages on the seized server, the classified material was not high value (the bar for being stamped ‘classified’ is not particularly high). While it would have been possible for someone to send an email saying “you shouldn’t be doing this”, the personal server was not apt to contain any conversation leading up to the installation of the server — it didn’t. The FBI deemed Clinton’s handling of classified material as careless but not criminal.

Finding a cache of e-mails from the period preceding the installation of her personal server — well, as Comey says:

‘She used a Blackberry for the first three months or so of her tenure as secretary of State before setting up the personal server in the basement. And the reason that matters so much is, if there was gonna be a smoking gun, where Hillary Clinton was told, “Don’t do this,” or, “This is improper,” it’s highly likely to be at the beginning.’

Did the FBI “sit” on the information for weeks? He claims that someone mentioned finding Clinton’s emails on Weiner’s computer and he thought it sounded wrong (even assuming he knew the relationship between Clinton, Abedin, and Weiner … do you expect to find my manager’s emails on my husband’s computer?) and pretty much didn’t think about it until called into a meeting a few weeks later.

Context. Even as a long-time IT person, I could see thinking someone mis-spoke if they just mentioned in passing that seemed illogical. If the illogical thing were true, I would expect more attention to be called to it (i.e. the “in passing” bit is a salient fact). And the messages coming from the period before the personal server was built, and thus possibly containing conversations regarding the propriety of doing so (or, as she claimed, the “Hi, I used to be Sec of State and here’s how we handled things … get a personal email server” could have been there too).

A fellow who feels he has a “duty to correct” … if he recently stated that nothing was found and the case was being shelved, then discovered new evidence? Seems pretty reasonable to mention “hey, you remember that case we were shelving? Turns out we have some new, unique, evidence that we want to look at”. Now why he failed to mention the federal investigation into Russian interference in the election and possible involvement of the Trump campaign, the October FISA warrant for Carter Page … haven’t heard any rational for that one yet beyond “it looks bad for the Democratic president to be investigating the Republican campaign during an election year”.

Those who still do not know history …

Having been a teen asking for a motorbike when she really wanted to go to a concert, I understand the negotiating tactic where one asks for something outright silly with the intent of giving oneself “negotiating room” (i.e. if you ask for what you want, compromise means not getting what you want). Joanna Hendon requests that the president review documents seized from Cohen’s office and hand over anything he considers unprivileged.

First of all, a guy who thinks a conversation having a lawyer involved instantaneously creates a privilege situation is obviously unqualified to evaluate the privileged nature of documents. Also, way to make the ostensible President of the country seem like he’s got heaps-o time on his hands that can be spent in, say, depositions.

But beyond that, didn’t Nixon talk A.G. Elliot Richardson into something similar. Nixon would summarize the tapes and have Sen Stennis (not exactly an unbiased third party) listen to the tapes and verify nothing of substance had been omitted. Cox didn’t agree, and I’m sure Judge Wood will similarly find the proposal outlandish. A third party review, or a third party in conjunction with the taint team, is possible. It’s called answering a subpoena if you review documents and hand over what you think matches the request and isn’t privileged.

Those who do not know history …

Those who do not know history compound errors by using phrases with loaded meanings or abysmal histories. As the World Meteorological Organization’s Hurricane Committee retires names so no one has another Katrina approaching them, I assumed politicians would retire phrases which haunt their predecessors. Then there’s this guy:

With a narrowly defined ‘mission’, sure it’s true. But GW stood in front of someone else’s sign and “mission accomplished” still hasn’t escaped the new connotative meaning.

Corporate Privacy

We had the Senate & House Facebook thing playing Tue/Wed – kind of background noise because anyone who didn’t realize a billion dollar corporation offering a “free” service was making money somehow on the back-end … well, didn’t bother thinking about it. But there were a few interesting tidbits (not the least of which being how many things one can claim, before a Congressional panel, to be ignorant of in spite of the topic being germane to the core operation of one’s company). The thing that stood out most to me through two days of testimony is that no one questioned the validity of the underlying service – consumerism is good, hence serving ads more likely to convince a person to buy the product is good too. I’ve got friends exclaiming that they’ve found products they’d never have known existed without targeted ads — which to me sounds like you’ve spent money on “stuff” that you didn’t need enough to go out and research something to fill that gap. Not a bad thing per se, but certainly not the laudable endeavor they make personalized advertising out to be. The flip side to presenting me ads that are more likely to convince me to buy something (assuming this is true, which dunno … sounds good on the face of it, but I tend to be put off by it and less likely to buy something) is, well, me buying more ‘stuff’ which is not always to my economic benefit.

But when they got onto the topic of Facebook Pixels (which work around people who block third party cookies), it got me thinking about the lack of control we all have over metadata. A lot of companies serve a menagerie the third party cookies from their site, and then execute a couple of third party JS trackers too. Because, as a company, it provides those third parties with data that potentially help drive sales. In theory. But do those marketing companies have some kind of non-compete clauses included in the contract they write with WIN? Can FB, Adobe, Google, etc have code embedded in a telco’s site, take the info they gather from my telco’s embedded JS code, and use it to promote non-telecom services? Cable TV even though it competes with a component of our business? An alternate telecom even though it’s a major line of our business? Is there a meta-category of “people who looked at my site but also looked at two competitors sites” v/s “people who have only looked at my site”?  At least that’s governed by contract and might be tightly controlled — although I doubt an org like Facebook tracks the provenance of each bit of metadata it collects to isolate its usage, that’s based on a feeling rather than any knowledge of their internal algorithms.

Employees visiting various sites — what data to we leak and how can that be used? It’s not like my company has any sort of agreement in place to control how CompanyX uses data gathered as our employees use CompanyY’s web site. My super paranoid brain goes to the potential for abuse — a competitor using our information against us. Not the marketing company directly – like FB doesn’t sell my name and data (that’s what they make their money on after all, using my data to throw me into advertising buckets) … but the company gathering the data can get acquired. Quite a few companies use Triblio – some niche B2B tracking thing as well as Google Analytics. Now Google isn’t a big acquisition target, but some small B2B marketing company? VZ bought Yahoo, so it’s not like the only thing they’re buying is towers and fiber. VZ buys Triblio and we’re in the beginning stages of forming some new product line through some company that uses Triblio. VZ doesn’t exactly know what we’re planning to sell in six months … but they’ve got a good idea. Or even industrial espionage — it’s getting to the point it makes a lot more sense to target one of these data brokers than to target a specific company.

I get that’s a little far-fetched and more than a little paranoid. Is targeted marketing effective for companies too – are company-targeted ads convincing the company’s employees to buy more stuff on the company’s behalf?

As a company are we benefiting, harmed, or indifferent to information being gathered from our employees as they navigate the web. Employees are going to show up from an assigned netblock most of the time (i.e. from the office or VPN), so it isn’t like it’s a super-hard-to-ascertain where the individual works. Is there benefit to blocking the tracking ‘stuff’ on a corporate level (and maintaining a default browser config that blocks third party cookies)? Is there harm in blocking the trackers? The parade of horrors approach would say with Facebook/Google specifically, widespread blocking would necessitate some other revenue stream for the company (i.e. we’d end up buying 1$ hundred search passes or something). Dedicated targeted advertising companies – beyond putting a company out of business (e.g. Triblio which seems to be a dedicated marketing data company) or reducing revenue (e.g. Adobe since they’ve got other profitable lines of business), not much direct impact. A vividly imagined parade would be worldwide recession as psychologically engineered spending prompts disappear and consequently consumer spending retracts. Worst thing I can come up with is being perceived as a bunch of hypocrites who track everything customers do on their site but specifically took efforts to prevent employees from being tracked around the web.

House Facebook Hearings

Day two didn’t change my opinion from day one, but it does introduce a few new nuances. If you consider “my” information to be content (text, video, images, likes) that I’ve personally submitted to Facebook … sure I have some control over ‘my’ data. Not the granular level of control I would prefer, not always readily usable control, and like all things on the Internet (including user data downloaded by a third party), I don’t have control over what people who have access to my data can subsequently do with it. But Facebook has a whole other realm of my data — metadata from images or videos, geo-location information (maybe IP-based with low accuracy, maybe GPS with high accuracy), how long I spent looking at what content, what time of day I log on … and that’s just information gathered directly from my usage of the web site.

Block third party cookies in your web browser (seriously, do it) and see how often adobetm.com, disqus.com, doubleclick.net, facebook.com, google.com, twitter.com, and youtube.com show up in the blocked cookie list.

Particular interesting tidbit from the House proceedings was the “Facebook Pixel” – so named because of the single transparent pixel served from a Facebook site if the actual script-based tracking is blocked by the browser. It’s a little code snippet with a function that allows the site owner to track specific actions within the site (i.e. there’s a difference between “someone who visited my site two months ago and has not been back”, “someone who visits my site every other day”, and “someone who spent 100 bucks at my site”) using the standard events (currently nine) and a custom catch-all event. Advertisers then have target audiences created for their custom site data — this means the advertiser cannot see that I visited their site twice a week or spent over ten bucks in the past quarter but they can elect to spend money on ads delivered to people who have visited their site twice in the past week or not deliver ads to people who purchased merchandise in the last month.

Looking through the developer documentation, that is a LOT of really personal information about me that I am not consenting to provide Facebook (in fact, they’re getting that information for people who aren’t even account holders – just their “match pixel to user” algorithm falls out and creates some phantom profile to track the individual instead of landing on a known user’s account). And it’s a lot of really personal information over which I have no control. There’s a difference between opting out of interest based advertising and opting out of tracking. And how exactly can I go about

In the particular case of the Facebook pixel, the script function is housed on a Facebook server. You can pretty easily prevent this bit of tracking. Add a line in your hosts file (/etc/hosts, c:\windows\system32\drivers\etc\hosts) to map the hosting server to your loopback address:

127.0.0.1 connect.facebook.net

Voila, fbq is no longer a valid function. I haven’t noticed any adverse impact to actual Facebook use (although I assume were a significant number of people to block their script host … they’d move it over to a URI that impacted site usage).

Facebook’s debugging tool, meant for advertisers and their developers, confirms the code failed to execute. Browser specific if the <noscript> content is loaded or not – it’s not in my case.

The same approach can be used to block a number of tracking services – script content served from dedicated servers don’t impact general web usability.

127.0.0.1 connect.facebook.net
127.0.0.1 www.google-analytics.com
127.0.0.1 disqus.com
127.0.0.1 cse.google.com
127.0.0.1 bat.bing.com
127.0.0.1 www.googleadservices.com
127.0.0.1 sjs.bizographics.com
127.0.0.1 www.googletagmanager.com
127.0.0.1 chimpstatic.com
127.0.0.1 cdnjs.cloudflare.com
127.0.0.1 api.cartstack.com
127.0.0.1 js-agent.newrelic.com
127.0.0.1 se.monetate.net
127.0.0.1 assets.adobetm.com
127.0.0.1 tribl.io

 

Senate Facebook Hearings

The hearing today reminds me of digital discovery pre-Zubulake – bunch of folks who I suspect might be investigating edgy technologies to ditch cuneiform script making rulings regarding how search and seizure case-law applies to electronic data. Not terribly encouraging that they intend to draft legislation controlling … what? Digital privacy in general? Social media platforms? Here’s hoping a good number of Congresspersons take Scheindlin’s initiative to educate themselves about that on which they seek to rule.

Something that stands out to me is how much of the platform’s operations, litigation, and regulation about which Zuckerberg claims not to know anything. I get not wanting to provide an answer that looks bad for your company, not wanting to provide inaccurate information in a Congressional hearing … but I expected they would have come up with a more reasonable boilerplate fob off answer than, essentially, “I don’t know about that stuff”

The anti-trust thread is an interesting path to go down, although I doubt Graham will follow that path. Shame, too. I had great hopes for Google+ — backed by a company with enough money to compete, enhancing Google’s current ad platform, and the idea of circles to provide granular control of who can see what. An idea which would have vastly limited the impact here. In Google+, I could avoid sharing a lot of personal information with vague acquaintances and distant family members. Heck, close family too if they’re the types who are always downloading rubbish and infecting their computer.

Consumerism and advertising is a priori accepted as a good thing. Not shocking, considering the way of American society, but it really stood out to me throughout the testimony that no one questions the benefit of having stuff more effectively marketed, to having ads that are more apt to result in a sale. They’ve spent enormous sums of money, dedicated incredible human capital to delivering an ad that is more likely to show a shirt I like. Why is that a good thing? I have clothes. If I needed more, I would either go to a store or search online. I understand why a business wants to sell me a shirt … but how is more effectively separating me from my earnings a personal boon??

And the American public is having a good self-education week. There’s interest in taint teams from Cohen yesterday, and today we’re understanding the actual business model of large tech companies — the nuance between “selling my data” and “using my data to form advertising profiles and sell my services in presenting advertising based on those advertising profiles”. Back when the ISPs wanted to be able to commoditize web history, I encountered a lot of uproar about literally selling someone’s browsing history. Which – and no offense meant – your browsing history? Not a thrilling read. Taking your browsing history and turning it into profiles, then using those profiles to sell services presenting ads to customers. Objecting to “selling my data” provides a strawman for the companies to tear down (as Zuckerberg did several times with “we don’t do that”).

Hopefully people are gaining a more complete understanding of what information is available through the “Facebook Platform” … and that you are trusting not just Facebook but the other company to act in good faith regarding your privacy. When the ToS says they may sell data or analytics to a third party … well, they may well do that. What does that third party do with the data? How much control can you, Facebook, or the app developer exert over the data sold to the third party? Not a whole lot.

Finally – the bigger question that doesn’t get asked … how can Americans insulate themselves from having personal information used to foment discontent? How can we get better and analyzing “news” and identifying real fake news. Not Trump-style FAKE NEWS which basically means “something I don’t like hearing” but actual disinformation.

Warrants And Attorney Client Priviledge

I assume that like many other obscure laws and procedures with which the general population has become familiar over the past year (seriously, how many people knew what the Emoluments Clause, Hatch Act, or the Jones Act were two years ago?), ‘taint team’ shall now enter the public discourse. And the crime-fraud exception to attorney client privilege. And the fact that being an attorney does not automatically privilege everything said in a thousand foot radius around you.

For those who didn’t spend some time immersed in the nuances of electronic discovery law, a taint team is essentially a team involved in the investigation to serve as an air-gap protecting privileged information. Seize documents from a lawyer’s office, and something is bound to be protected. So the individuals involved in the investigation are not the ones to initially review seized documents. A team of investigators unrelated to the case review to filter out privileged communications (and, I assume, irrelevant documents). This is essentially privacy theater – should the taint team encounter some other illegal activity in the course of document review, it will not be ignored.

Which brings us to the crime-fraud exception to attorney client privilege — while a client is free to communicate with their attorney in many ways, asking one’s lawyer how to commit a crime (or how to cover up a crime) is not protected communication. If documents about laundering Russian money through Trump properties since the mid 1980’s (after 18 U.S.C. §§ 1956-1957 were enacted) are obtained from Cohen’s office … well, the documents have been obtained and privilege does not apply.

Farther, Trump’s seeming belief that having an attorney listen to a conversation aside, attorney client privilege covers communication seeking legal advice, providing legal advice, or research to provide legal advice. Otherwise rich dudes would just have a lawyer travel with them at all times and call everything privileged.

But maybe I’ve found the silver lining to Trump’s time in office — a good number of people are becoming far more informed about the country’s laws and procedures.

Trump, Amazon, and USPS

May have figured out how Trump managed to lose so much money — he doesn’t know the difference between losing money, making money, and breaking even. The post office does not lose money on delivering packages. I don’t know this because I’ve got insider information on their contract with Amazon, but I do have access to the text of American legislation. The Postal Accountability and Enhancement Act disallows the Post Office from selling package delivery under its cost. Now you can debate the cost calculation – the real issue being disputed by FedEx and UPS is that the Post Office doesn’t have to include all of their delivery costs in package delivery “cost”. Why? Because they’d have carriers driving trucks all over the country even if there were on package delivery service. Of course this gives the Post Office a huge advantage in their package pricing model. And, yeah, that sucks for FedEx and UPS. But it’s sucked for FedEx and UPS for a LONG time.

The Post Office may just be breaking even on it’s Amazon contract – but as the package delivery “cost” does include some operational expenses … well, Amazon is saving American tax payers money because package delivery does include 5.5% of the fixed operating costs (I assume to cover additional cost created by package delivery service). Sure FedEx and UPS have to include 100% of their fixed operating costs in their pricing model, and if Trump wanted to talk about how providing package delivery services is unfair to private industry … that’s a discussion. But I doubt any commercial venture is going to delivery mail every day across the entire country so it’s up to the government. And providing package delivery and shipping services in urban areas (where it would be profitable for a private corporation to operate) subsidize delivery out to the cabin I stayed at in South Dakota. If the Post Office could be charging more for its services … that’s a discussion. Except do you want to pay more to ship packages and mail!?! And if we want to delve into the financial nuances of the Post Office, let’s look at their pension pre-funding requirements.

How does a guy who claims to be all about business deals think it’s bad for a corporation to use the service that provides them a cost advantage?!? Unless Trump thinks he can start tariffing the bloody post office (or, more accurately, have the legislature change the suppositions they are permitted in their pricing model) … Amazon would be outright silly to voluntarily pay more to another carrier.

And how does a guy who claims to be all about negotiating wins for American citizens think it’s a bad deal that the Post Office is making money off of Amazon instead of FedEx or UPS doing so? Say they *do* change the postal pricing model to make it “fair” to UPS/Fedex (or just outlaw package service from USPS). Our tax money is still paying for postal carriers to drive all over the country to delivery mail, Amazon Prime memberships cost more, but hey UPS is making bank. And … that’s what really matters?!?

What they’re really upset about is that the post office used to be a crap shot of getting something to “Point B” even without getting into SLA’s. You paid extra to FedEx or UPS to make sure it actually *got there*. Now the three services are equally reliable … which means government managed to provide a service as good as private industry.