Michael Eriksson's Blog

A Swede in Germany

Posts Tagged ‘privacy’

Follow-up: A German’s home is not his castle / a few issues around inspections and meter readings


Last Friday, the exhaust inspection for my gas heater took place (cf. [1]).

My previous impression of a somewhat cooperative attitude on behalf of the chimney-sweep (responsible for the check) turned out to be very wrong.

Not only did the employee in question claim that I would be (illegally and unethically) billed for an out-of-hours visit, she also, for the second time in three years, tried to start a fight over my (calmly and factually) not agreeing with her often absurd claims—this time, over my pointing out that there was no legal justification for this bill. This is highly unprofessional behavior that should be unacceptable in any service profession. (Note the difference between a factual discussion and the highly dubious behavior displayed here—she was an inch short of throwing a hissy fit.)

Looking at the bill issue, I note that:

  1. I had suggested a date and time within the narrow (cf. [1]) scopes that she had provided and that she had accepted them. Thus, either we were within regular hours or the out-of-hours aspect was solely her fault.

    I note (cf. [1]) that she had previously rejected a total of four suggestions: the 7th and 14th of June for being already booked,* the 19th and 26th of July due to company holidays. While the two former are understandable, the two latter are purely a matter of her own convenience. In effect: on the one hand, customer suggestions are rejected; on the other, the customer is to be billed for a date and time practically suggested by her.

    *Here she had also explicitly mentioned that these (later in the day) suggestions were out-of-hours, removing any chance of applying the (already highly implausible) excuse of “because I did not state the opposite, you should have assumed that it was out-of-hours”.

  2. No mention had been made of any extra fee at the time of the agreement, nor had there been any reason for a reasonable third party to expect an extra fee. This, in itself, rules a fee out.

    In particular, the day in question, I would have had no problem with arranging an earlier time—and would have done so, had there been any talk of an extra fee.

  3. The only possible angle of attack that she (and/or her employer) could have is that she had given intervals for possible times of day that would normally be interpreted as referring to the beginning of the visit, but which could conceivably be construed as referring to its end. If so, however, it would have been her responsibility to point out that the end of the interval was not an acceptable start time—but instead she accepted the suggested time… Moreover, considering the length of the visit, the latter interpretation would have been unconscionable in combination with a fee: subtract the delays through her belligerence and the visit could have been done in just several minutes, implying that just replacing 2 PM with 1:55 PM or, on the very outside, 1:50 PM would have put me within the interval.

All in all, and noting the reputation German chimney-sweeps (and e.g. plumbers) have, I suspect that this is just a trick to earn a few Euros above what the employer was actually entitled to. (German readers can look at e.g. a dedicated web-site/forum for many examples of disputable billing attempts and other problems relating to chimney-sweeps.)

As for some claims made by her:

  1. She (again) went on about how hard the “late” Fridays were for her to arrange—at 2 PM. Apparently, she was now incurring over-time, needed a baby sitter (more expensive than her over-time pay), and whatnot (I do not remember all the details).

    Well, cry me a river…

    First, compare this to what many of the customers* have to go through every year because of time ranges set for her convenience: What about all those who have to take several hours off work? Those who have to commute twice in a day? Those who are so far away and receive so unfortunate a time that they miss an entire day of work, as e.g. with me and my Cologne project? For the employed, the last amounts to using up a vacation day; for me, it would have amounted to a full day that I could not bill. For that matter, consider the potential negative effects on e.g. an employer. Or consider her complaints about arranging to have her children picked up from school—what about the children of the many customers who are force-fed an unfortunate time?

    *The word “customer[s]” is misleading, but I will stick with it for ease of use and the lack of something obviously better.

    Second, much of this is a pure luxury problem, amounting to “because of this customer, I do not get to enjoy an artificially short work-week” or “[…] a much earlier week-end than most others”. I note that the central collective agreement (Bundestarifvertrag) for chimney-sweeps sets the weekly hours at 38.5, whereas I have never had anything less than 40—sometimes with the expectation that overtime be performed without additional remuneration above the monthly salary. (Whereas the same source would give her her regular hourly pay + 25 % for every hour overtime.) I further note that by the standards of past generations (and some modern low-end jobs) even 40 hours a week would be a relief. Further yet, that when I have gotten off at 2 PM on a Friday, it has usually been because I have had a long weekly commute on top of my 40 hours. For instance, when I lived in Düsseldorf and did a project in Munich my weekly schedule was roughly: Monday, five hours of travel and another six hours in the office; Tuesday through Thursday, nine or ten hours in the office; Friday, five or six hours in the office and another five hours of travel—to which must be added time needed for hotel handling, time to pack and unpack, time lost due to unforeseen delays during travel, whatnot.

    Third, none of this is my problem—it is a matter between her and her employer. If she has a complaint, she should direct it at him—too “harsh” working hours, too little over-time pay, whatnot.

    My grand-mother, I suspect, would have called her a spoiled brat to her face…

  2. She claimed that her working hours would be regulated by law. Not only do I find this implausible, but I have also not found any support for this claim on the Internet. Moreover, other companies appear to have different working hours (and/or a different distribution between “office” and “customer” hours). For instance, a magazine article discussing the field in general says “[…] der Außendienst, der meist so gegen 16 Uhr endet” (“[…] customer visiting hours that tend to end towards 4 PM”). Another company lists time intervals from 7–7:15 AM to 4–4:15 PM for possible visits. In other words, it seems highly unlikely that there would be such a law—and her employer appears to be unusually restrictive.

    More likely than not, she is deliberately lying, with the expectation that the customer will just accept the customer-hostile situation “because it’s the law”. (I cannot rule out that she is deeply ignorant or that her employer has earlier lied to her.)

  3. She claimed that I should be happy that replacement dates were offered at all, because I would have a legal obligation to let her in at her convenience. It is true that there are some jobs performed by a chimney-sweep that have a quasi-governmental (“hoheitliche”) character,* and for which this claim could to some degree apply. However, the exhaust check is not one of these and this reasoning does not apply. Extending it to general tasks is like a land-lord claiming that “because I have the right to enter an apartment unannounced and on short notice when there is an emergency requiring immediate action, I always have the right to enter an apartment unannounced and on short notice”. Or consider a police officer who reasons that “because I can violate some traffic rules when on duty, I can violate them when off duty too”.

    *Due to a very unfortunate and highly outdated legal situation in Germany. To be specific, this does not refer to chimney-sweeps in general, but to the designated local “Bezirksschornsteinfeger”; however, this company happens to be Bezirksschornsteinfeger in my area.

    Again, she is likely deliberately lying to trick customers into compliance.

  4. She claims that the works would be done for my benefit and paints the situation as if she were doing me some type of favor. She is not—on the contrary, her employer relies on outdated and disproportionate regulations to perform a service for the government, which in many cases amounts to cheap money-making for the chimney-sweep. I have very little to gain from this farce, and am stuck with considerable extra efforts. This claim is as absurd as when governments claim that issuing passports would be a service to the citizens, when the need for a passport only arises because of governments and their artificial impositions.

    What benefit there is to gain, could be achieved much better by having e.g. the maintenance company* do the same check and/or doing the same check every five-or-so years—or by use of some type of detector**. Such a detector would actually be vastly superior through giving a timely warning, while the yearly check could lead to exposure over a full year before detection…

    *When this suggestion has been raised on the Internet, chimney-sweeps tend to answer that this would increase the risks, e.g. through giving the maintenance company incentives to approve its own work. This argument is not entirely without merit, but the benefits of avoiding this risk are not in proportion to the additional costs of the current system, making it specious. More likely, it is an excuse to justify their own money-making than something honestly believed. In particular, the “incentives” part is highly dubious, because a maintenance company that does both work and check would be liable for any health damage without excuses, while the current system allows blame pushing between maintenance company and chimney-sweep.

    **I wish to recall having seen such in the past, but have not researched the availability and details. Even if I misremember, however, such detectors should be comparatively easy to provide.

    From another perspective, entering someone else’s apartment, outside of rare emergencies, is a privilege and should be treated as such—no matter the law. Indeed, even when a legal right is present, even e.g. when we talk of police with a search warrant, the self-invited visitor should show a corresponding humility and respect. The attitude displayed by this woman is entirely lacking in this regard. The same applies to the impositions regarding e.g. time: even to the degree that she might be legally entitled to force people to forego work and whatnot for her benefit, she should show a corresponding humility and respect, and realize that she causes a major imposition* for her own benefit—but she does not.

    *Indeed, so large an imposition that I consider it outright unethical, even to the degree that it is legally allowed. A more ethical company would still provide times for the convenience of the customers, not for its own.


Written by michaeleriksson

July 17, 2019 at 8:17 am

A German’s home is not his castle / a few issues around inspections and meter readings


One of the great annoyances with living in Germany is the one, two, or more* service companies that invariably demand entry to one’s apartment every year—after having made a one-sided declaration of date and time, and usually with a comparatively short** advance warning. Moreover, this is usually done through simply posting a notice on the door of the building (often on the outside), with the implications that (a) people who are not currently present, including those who live elsewhere*** and those currently on vacation, might not have the ability to react in time, (b) the notice can be removed by another party, including playing children. Of course, nothing on such a notice authenticates its sender: this type of announcement could easily be forged by a fraudulent entity who just wants access to the apartments.

*I have three myself, and it might have been four or five had not the gas and electricity meters been outside the apartment… Two of these inspect the smoke detectors and the exhaust/chimney for the gas heater respectively, and a third reads the water meter. (An earlier text might have claimed that the chimney inspection took place once every three years. This was an early misunderstanding on my part.)

**I have not paid great attention, but a rough guesstimate would be ten days for a typical notice. I have seen less than a week on at least some occasion.

***For instance, those who try to rent out an apartment and who currently do not have a tenant; for instance, those (like me, in the past) who spend months on end living elsewhere due to work.

True, missing the date is not the end of the world, because these companies are obliged to provide alternative dates upon request. However, this is usually not handled well. For instance, many notices fail to inform about the right to request a different date, and contact information is usually limited to telephone* only. The chimney-sweep, whose recent notice is the trigger for this text, does have an email address, but fails to mention it. The notice does mention the possibility of requesting an alternate date, but it does so in such a different font size and color (compared to the rest of the text) that I actually did not recognize it before a closer inspection.** Moreover, it speaks of a “rechtzeitig” (roughly, “timely”) contact, which is very vague and in most circumstances would be taken to imply that the contact must take place before the scheduled date (which is not the case and would be unconscionable for the absent). The smoke-detector service, on the other hand, appears to have no interest in actually going through with replacement dates,*** implying that my smoke detectors have not been serviced since before I bought the apartment, because the previous owner apparently also had problems with it. A similar issue is present with some other apartments in my building.

*Which, combined with typical office hours, can be inconvenient for those who work during the day, highly troublesome for those who work during the night, and a severe obstacle for the deaf and mute.

**But, unlike many others, I was already well aware of my right.

***Presumably, either to avoid the extra cost of a second visit or to push the delay to the point that there is a pseudo-justification to request a billable visit. (By regulation, at least a first replacement date must not come with an extra charge to the apartment residents.)

Now, the chimney inspector was open to providing a new date, but this too was fraught with complications. On the one hand, no dates were available before July 12th (still more than a month ahead). My suggestions of the 19th and the 26th, picked to have a greater time flexibility than the 12th, were rejected due to “betriebsferien” (“company holidays”) between July 15th and August 1st… Moreover, the possible hours were restricted independent of date, including a 3 PM upper limit Monday through Thursday and 2 (!) PM on Fridays. Effectively, to get it done after work is not possible without infringing severely on typical working hours—not just leaving an hour or so earlier than the colleagues. While “before work” is a little easier and might work for most local workers (but not for all and not for many commuters), the end effect is that a portion of the regular work day must be sacrificed. (That Saturday and Sunday are out entirely is hardly worth mentioning in Germany.) This continues an idiocy already discussed for delivery services—a failure to adapt to the needs of the service recipients in favor of a strict adherence to “traditional” working hours, even when the result is more work for the service provider. Indeed, here the working* hours are even a sub-set of the normal working hours, making it even harder. As elsewhere, an outdated world-view (or resulting “legacy procedures”) might have survived through the implicit assumption that every apartment comes with a house-wife.

*The word “working” might be misleading, because the individual employees might have other tasks to perform at other times. The end effect on the residents is the same, however.

Even in those cases, however, when everything works as planned, these notifications are problematic through giving intervals of hours,* often in the middle of the day. For instance, the gas-inspection notice gives 9–11 AM, which implies that even someone who works locally might be forced to take half-a-day off from work—and, when working in Cologne, I would have been forced to take so much time off that I likely would have skipped work altogether.

*Which, obviously, do not state how long the individual visit will take. Instead, it is an understandable matter of “we could come at any time during this interval”, with an eye on questions like how long the visits to other apartments, or even apartment houses, take. The long intervals make this issue worse than the similar problem discussed a paragraph earlier.

Looking at possible solutions, at least some of this will likely take care of itself over time, through the spread of new technology*. However, improvements here and now still make sense. For instance, how about requiring a considerably longer interval for notification, e.g. that notices must be published at least one month in advance?** How about a requirement that notifications are also given per e.g. email (to those who have registered in some manner)? How about more reasonable hours and/or days of visit? Or how about my personal pet idea: Have each city (or some other unit) coordinate two*** fixed, known-to-all, and non-adjacent days a year, for some sub-area. On these, the residents within the sub-area are required to give access to (legitimate) service providers; on others, they must not be bothered****. Notably, this would bring great benefits even to the service providers, because they could cut the costs for repeat visits and most of their own efforts to coordinate with absent residents—or actually charge for them from day one. This scheme would, obviously, require a considerable first effort of coordination, but later adjustments are likely to be small for a typical year.

*Notably, meters that can be read electronically without entering an apartment. However, like e.g. my own current outside-the-apartment gas and electricity meters, this comes with an increased risk of leak of data to unauthorized third parties.

**Note that anything less than two weeks is inherently problematic due to the larger risk that e.g. a vacation absence prevents the residents from being informed on time. In contrast, a full month would make it a near certainty that the notice is present in time for the residents to react. Moreover, the longer interval makes it easier to arrange for e.g. a work absence.

***Using two, instead of one, allows for a greater flexibility, e.g. to compensate for a strike or to make life easier on service providers with unfortunate day collisions for serviced sub-areas; however, each service provider would be expected to only use one of the two (per apartment and/or sub-area), just like it is one day a year today. Note that reserving two days a year will not increase the effort for the average resident, because the two days are the same for all service providers (but it will allow for far better planning).

****This applies to these annual (or otherwise recurring) activities; when we move to more ad-hoc matters or something requiring a short-term response, e.g. a burst pipe, a strict adherence will not always be reasonable.

I note that as far as solutions are concerned, it is positive if a portion of the burden is passed from the residents to the service providers, because (a) the current system is constructed to the very one-sided advantage of the latter, (b) not all of these bring an advantage to the residents, notably the borderline idiotic yearly smoke-detector inspections and many chimney inspections and whatnots (also see excursion), (c) the matter of entering someone else’s home should not be trifled with. As to the latter, I would personally very much prefer never to have someone in my apartment whom I have not explicitly invited (and I would not invite many to begin with); other relevant concerns include the extra cleaning efforts that many, likely in particular the “neat freaks”, will feel necessary to make the apartment sufficiently presentable.

Excursion on chimney-sweeps:
The problems are increased by regulations relating to chimney-sweeps, who are responsible for some tasks in a semi-governmental role—including at least some inspections. Among the many problems is that there is one “official” chimney-sweep who has the right to perform the semi-governmental tasks in a given area: I am allowed to hire another chimney-sweep to perform various tasks—but not all tasks. Because the official chimney-sweep still needs to be involved, there is a strong incentive to just stick with him throughout. To boot, it can be disputed whether the exact checks* involved in my case really should be done by a chimney-sweep at all, or not rather by the gas company or a service specialist for gas heaters.

*Strictly speaking, it appears to be more of an emissions check than a chimney check, with the chimney only playing in as far as a blocked chimney would lead to dangerously large emissions in the apartment.

I read up a fair bit my first year in the apartment, but have forgotten most of what I read by now. However, there were several web sites and/or forums dedicated to problems around the flawed system. One recurring issue (that I do remember) was skepticism towards the reasonability of inspection intervals in at least some contexts, and some inspections that were outright nonsensical, e.g. that chimneys that were not even used still needed* a yearly inspection.

*In the eyes of the local chimney-sweep. That his interpretation was even formally/legally/bureaucratically correct (let alone practical), was not always a given.

Excursion on other means to calculate costs:
The use of meters to measure consumption of e.g. heating* is laudable from a fairness perspective and might or might not give incentives to consume less energy. However, it is not the only approach possible. For instance, in Sweden, heating costs are typically included in the rent in a blanket manner, and this appears to work well. The heating costs per apartment might be higher** in Sweden, but this is offset** by the costs for reading meters. Similarly, the overall environmental impact might be greater***, but this is partially offset by e.g. the environmental impact of meter readers traveling in cars.

*One of the more common German meter-types is the per-radiator meter that attempts to track the amount of central heating used by individual apartments, to allow a corresponding division of the overall costs.

**The degree varies depending on what is measured and on details unknown to me. If only the cost for the service company is included, it is likely only a partial offset; if the lost time and extra effort for otherwise working residents are included, at least these are likely to see approximately a full offset; and if we look at the overall societal cost, it is almost certainly more than an offset.

***After adjusting for the effects of a colder climate, or it would be a near given.

Excursion on use of “layers” in texts:
A very common practice in e.g. notices, advertisements, prospectuses, web pages, …, is to give different types of information a different “look”. This is presumably with the intention of putting information in “layers” to be read independently. In my personal experience, this works very poorly, because people (like me above) tend to see only one layer at a time, which implies that the information put into a different layer through e.g. a radically different (foreground?) color runs a risk of being overlooked entirely, especially when having a poor contrast. Such layers might sometimes be helpful when the reader is aware of them in advance, e.g. when comparing the descriptions of many products that have the same layering. More often, it is likely better to not try such tricks and to rely on a simple text flow, intended to be read as a single layer. This text, in turn, might then contain changes in (background?) colors to highlight a different purpose without causing a layer division. If in doubt, just put the different layers on different pages. (Disclaimer: This excursion is unusually “spur of the moment” and might be unusually open to revisions of opinion.)

Written by michaeleriksson

June 6, 2019 at 4:19 am

Detection of manipulation of digital evidence / Follow-up: A few points concerning the movie “Anon”


In a recent discussion of the movie “Anon”, I noted, regarding the uselessness of digital evidence, “Whatever is stored […] can be manipulated”, with a footnote on the limitations of write-once (WORM) storage (an obvious objection to this claim).

A probably more interesting take than write-once storage is the ability to detect manipulation (or accidental change). Here there are many instances where some degree of protection can be added, say, a check digit for an identifier (e.g. a credit-card number) or a checksum for a larger piece of content (e.g. an executable file), cryptographic hash chains over the change history of a version-control system (notably Git), or any number of Blockchain applications (originating with Bitcoin). The more advanced uses, including Blockchains, could very well be legitimately relevant even in a court of law in some cases.

In most cases, however, these are unlikely to be helpful—starting with the obvious observation that they only help when they were already in use at the time of the manipulation, which (today and for the foreseeable future) will rarely be the case.* Worse, the victim of a manipulation will also need to convince the court that e.g. the planted evidence would necessarily have been covered by such verification mechanisms: Consider e.g. someone who meticulously keeps all his files under version control, but where incriminating evidence is planted outside of it. He can, obviously, claim that any file or change of a file actually owned by him would have been registered in version control. However, how can he prove this claim? How does he defeat the (not at all implausible) counter that he kept all his regular files in version control, but that these specific files were left outside due to their incriminating character, in an attempt to hide them from a search by a third party?

*I note e.g. that the technologies are partly unripe; that the extra effort would often be disproportionate; and that a use sufficiently sophisticated to be helpful against hostile law enforcement might require compromises, e.g. to the ability to permanently delete incriminating content, that could backfire severely. In a worst case scenario, the use of such could itself lead to acts that are considered illegal. For instance, assume that someone inadvertently visits a site with a type of pornography illegal in his own jurisdiction, that the contents are cached by the browser, at some point automatically stored in a file-system cache, and that all contents stored in the file system are tracked in such detail that the contents can be retrieved at any future date. Alternatively, consider the same example with contents legal in his jurisdiction, followed by travel with the same computer to a jurisdiction where those contents are illegal. Note that some jurisdictions consider even the presence in a browser cache, even unbeknownst to the user, enough for “possession” to apply; by analogy, this would be virtually guaranteed to extend to the permanent storage discussed here. (This example also points to another practical complication: This type of tracking would currently be prohibitive in terms of disk space for many applications.)

Even when such measures are used and evidence is planted within their purview, however, it is not a given that they will help. Consider (for an unrealistically trivial example) a credit-card number, where a single (non-check) digit has been manipulated. A comparison with the check digit will* make it clear that a manipulation has taken place. However, nothing prevents the manipulator from recalculating the check digit… Unless the original check digit had somehow been made public knowledge in advance, or could otherwise be proved, the victim would have no benefit in a court of law. Indeed, he, himself, might now be unaware of the manipulation. The same principle applies in more advanced/realistic scenarios, e.g. with a Git repository: While a naive manipulation is detectable, a more sophisticated one, actually taking the verification mechanisms into consideration, need not be. If need be, a sophisticated manipulator could resort to simply “replaying” all the changes to the repository into a fresh one, making sure that the only deviation in content is the intended one.** If older copies are publicly known, deviations might still be detected by comparison—but how many private repositories are publicly known?*** The victim might still try to point to differences through a comparison with a private backup, but (a) the manipulator can always claim that the backup has been manipulated by the victim, (b) it is not a given that he still has access to his backups (seeing that they are reasonably likely to have been confiscated at the same time as the computer where the repository resides).

*With reservations for exceptional cases. (For the Luhn check digit used on credit-card numbers, every single-digit substitution is detected.) Note that changing more than one digit definitely introduces a risk that the check digit will match through coincidence; it is intended only as a minor precaution against accidental errors.

**Counter-measures like using time stamps, MAC addresses, signatures made with a user’s private key, …, as input into the calculations of hashes and whatnots can be used to reduce this problem. However, combining a sufficiently sophisticated attacker with sufficient knowledge, even this is not an insurmountable obstacle. Notably, as long as we speak of a repository (or ledger, Blockchain, whatnot) that is only ever used from the computer(s) of one person, chances are that all information needed, including private keys, actually would be known to the manipulator—e.g. because he works for law enforcement and has the computer running right in front of him.

***In contrast, many or most Git repositories used in software development (the context in which Git originated) will exist in various copies that are continually synchronized with each other. Here a manipulation, e.g. to try to blame someone else for a costly bug or to remove a historical record of a copyright violation, would be far easier to prove. (But then again, we might not need a verification mechanism for that—it would often be enough to just compare contents.)
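As an added worked example (Python; not code from the original post), the following makes the check-digit argument concrete with the Luhn algorithm used for credit-card numbers. The card numbers are constructed test values (4111 1111 1111 1111 is a standard test number, not an account). It goes slightly beyond the post: besides showing that a single altered digit is caught and that recomputing the check digit hides the alteration, it searches for two-digit changes that the original check digit fails to notice.

```python
"""Luhn check digits: what they catch, and what a deliberate manipulator bypasses.

Added illustration, not code from the original post. The card numbers used here
are constructed test values."""


def luhn_check_digit(payload: str) -> str:
    """Compute the Luhn check digit for the digits that precede it.

    Walking from the right, every other digit (starting with the one nearest
    the check digit) is doubled and, if the result exceeds 9, reduced by 9."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True iff the last digit is the correct check digit for the rest."""
    return (number.isdigit() and len(number) >= 2
            and luhn_check_digit(number[:-1]) == number[-1])


def substitute(number: str, positions, digits) -> str:
    """Copy of `number` with the payload digits at `positions` replaced; check digit untouched."""
    payload = list(number[:-1])
    for pos, d in zip(positions, digits):
        payload[pos] = d
    return "".join(payload) + number[-1]


def tamper(number: str, position: int, new_digit: str, recompute: bool) -> str:
    """One manipulated payload digit; a careful manipulator also recomputes the check digit."""
    forged = substitute(number, [position], [new_digit])
    if recompute:
        forged = forged[:-1] + luhn_check_digit(forged[:-1])
    return forged


def all_single_changes_detected(number: str) -> bool:
    """True iff every single-digit substitution in the payload invalidates the check digit."""
    for pos in range(len(number) - 1):
        for d in "0123456789":
            if d != number[pos] and luhn_valid(substitute(number, [pos], [d])):
                return False
    return True


def find_undetected_double_change(number: str):
    """First two-digit payload change (lowest positions, lowest digits) that still validates.

    Shows that the check digit guards against accidents, not adversaries: with
    two altered digits, coincidental matches are easy to find."""
    n = len(number) - 1
    for i in range(n):
        for j in range(i + 1, n):
            for a in "0123456789":
                if a == number[i]:
                    continue
                for b in "0123456789":
                    if b != number[j] and luhn_valid(substitute(number, [i, j], [a, b])):
                        return substitute(number, [i, j], [a, b])
    return None


if __name__ == "__main__":
    card = "4111111111111111"  # constructed test number
    print("valid:", luhn_valid(card))
    print("naive single-digit change detected:",
          not luhn_valid(tamper(card, 0, "5", recompute=False)))
    print("same change with recomputed check digit passes:",
          luhn_valid(tamper(card, 0, "5", recompute=True)))
    print("every single-digit change detected:", all_single_changes_detected(card))
    print("undetected two-digit change:", find_undetected_double_change(card))
```

The point for the evidence discussion is the third line of output: the recomputed number is indistinguishable from a genuine one unless the original check digit (or the whole number) was recorded somewhere the manipulator could not reach.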

Worse: All counter-measures might turn out to be futile with manipulations that do not try to falsify the past. Consider some type of verification system that allows the addition of new data (events, objects, whatnot) and verifies the history of that data. (This will likely be the most typical case.) It might now be possible to verify that a certain piece of data was or was not present at a given time in the past—but there is no automatic protection against the addition of new data here and now. For instance, a hostile with system access could just* as easily plant evidence in e.g. a version-control system (by simply creating a new file through the standard commands of the version-control system), as he can by creating a new file in the file system.

*Assuming, obviously, that he has taken the time to learn how the victim used his system, which should be assumed if someone becomes a high-priority target of a competent law-enforcement or intelligence agency.
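The verification mechanisms discussed above, as an added example that is not part of the original post: a Luhn check digit, which catches every single-digit slip but lets some two-digit edits through, next to a small hash chain of the kind Git and ledgers use. The chain catches a crude in-place edit, but a manipulator who has everything on the machine can replace one entry and recompute every later hash, or simply append a new entry, and the chain verifies again. Only a head hash recorded somewhere he cannot reach (the `trusted_head` argument, an assumption of this example) exposes either. The entries and the sample number are constructed.

```python
"""Added example (not the post's own code): a check digit against a hash
chain, and why even the chain needs an anchor held off the machine.
All entries and numbers below are constructed for illustration."""
import hashlib
import itertools
import json
from typing import Optional


# ---- Check digit: catches accidental single-digit slips, nothing more ----
def luhn_check_digit(payload: str) -> int:
    """Luhn check digit for a string of decimal digits (the standard scheme)."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return (10 - total % 10) % 10


def count_passing_edits(number: str, changed_positions: int) -> int:
    """Count the numbers that differ from `number` in exactly `changed_positions`
    payload digits yet carry the same check digit. Luhn guarantees 0 for one
    changed digit; for two or more, coincidental matches appear."""
    payload, check = number[:-1], int(number[-1])
    hits = 0
    for positions in itertools.combinations(range(len(payload)), changed_positions):
        others = ["0123456789".replace(payload[p], "") for p in positions]
        for repl in itertools.product(*others):
            digits = list(payload)
            for p, r in zip(positions, repl):
                digits[p] = r
            if luhn_check_digit("".join(digits)) == check:
                hits += 1
    return hits


# ---- Hash chain: every entry commits to its predecessor ----
GENESIS = "0" * 64


def entry_hash(prev_hash: str, data: dict) -> str:
    body = json.dumps({"prev": prev_hash, "data": data}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()


def append(chain: list, data: dict) -> list:
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"prev": prev, "data": data, "hash": entry_hash(prev, data)})
    return chain


def verify(chain: list, trusted_head: Optional[str] = None) -> bool:
    """Internal consistency check; with `trusted_head` (the last hash recorded
    somewhere the manipulator cannot reach) also an external one."""
    prev = GENESIS
    for entry in chain:
        if entry["prev"] != prev or entry_hash(prev, entry["data"]) != entry["hash"]:
            return False
        prev = entry["hash"]
    return trusted_head is None or prev == trusted_head


def rewrite_history(chain: list, index: int, new_data: dict) -> list:
    """What a manipulator with full access can do: replace one entry and
    recompute all later hashes so the chain is consistent again."""
    rebuilt: list = []
    for i, entry in enumerate(chain):
        append(rebuilt, new_data if i == index else entry["data"])
    return rebuilt


def demo() -> dict:
    chain: list = []
    for data in ({"file": "notes.txt", "op": "add"},
                 {"file": "notes.txt", "op": "edit"},
                 {"file": "report.txt", "op": "add"}):
        append(chain, data)
    head = chain[-1]["hash"]            # imagine this printed or mailed out earlier
    edit = {"file": "notes.txt", "op": "delete"}
    planted = {"file": "evidence.txt", "op": "add"}
    crude = [dict(e) for e in chain]    # edited in place, hashes left stale
    crude[1]["data"] = edit
    rewritten = rewrite_history(chain, 1, edit)
    extended = append(list(chain), planted)
    return {
        "crude_edit_detected": not verify(crude),
        "rewrite_passes_without_anchor": verify(rewritten),
        "rewrite_caught_by_anchor": not verify(rewritten, head),
        "planted_entry_passes_without_anchor": verify(extended),
        "planted_entry_caught_by_anchor": not verify(extended, head),
    }
```

`demo()` returns five booleans that are all true: the chain alone catches only the sloppy edit, and both the consistent rewrite and the freshly planted entry pass until the head hash is compared with a copy the manipulator never had. For the digits, `count_passing_edits("79927398713", 1)` is 0, while the same call with 2 changed positions is well above 0.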

Then we have complications like technical skills, actual access to the evidence, and similar: If digital evidence has been planted and a sufficiently skilled investigator looked at the details, possibly including comparisons with backups, he might find enough discrepancies to reveal the manipulation. However, there is no guarantee that the victim of the manipulations has these skills*, can find and afford a technical consultant and expert witness, has access to relevant evidence (cf. above), … To take another trivial and unrealistic example: Assume that a manipulating police employee adds a new file into the file system after a computer has been confiscated. Before court, testimony is given of the presence of the file, even giving screen shots** verifying the name, position, and contents of the file—but not the time stamp***! With sufficient access and knowledge, the defense could have demonstrated that the time stamp indicated a creation after the confiscation; without, it has nothing—no matter what mechanisms were theoretically available.

*And even when he has these skills himself, he would likely still need an expert witness to speak on his behalf, because others might assume that his technical statements are deliberate lies (or be unwilling to accept his own expertise as sufficiently strong).

**I am honestly uncertain how this would be done in practice. With minor restrictions, the same would apply even if the computer was run physically in the court room, however. (But I do note that screen shots, too, can be manipulated or otherwise faked, making any indirect evidence even less valuable.)

***Here the triviality of the example comes in. For instance, even many or most laymen do know that files have time stamps; the timestamp too could have been manipulated; if the computer was brought into the court room, the defense could just have requested that the time stamp be displayed; … In a more realistic example, the situation could be very different.
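A check of the kind the investigator in the paragraph above might run over a seized file system, as an added example that is not taken from the post: the files and dates are constructed and the five-second tolerance is an assumption. A file created after the fact and then given an old modification time leaves a tell-tale gap between that time and the inode change time, because the usual tools for setting timestamps cannot set the latter.

```python
"""Added example (not the post's own code): a crude 'backdated file' check.
The files and dates are constructed; the tolerance is an assumption."""
import os
import tempfile
import time

# Assumed tolerance: on a normal write mtime and ctime are set together, so a
# gap of more than a few seconds means the mtime was set separately, later.
BACKDATE_TOLERANCE_S = 5.0


def looks_backdated(path: str, tolerance: float = BACKDATE_TOLERANCE_S) -> bool:
    """True if the file's modification time lies well before its ctime.
    os.utime() (touch -d, SetFileTime, ...) rewrites mtime, but the kernel
    bumps ctime to 'now', so a crude backdating leaves this gap. On Windows
    st_ctime is the creation time, and the same gap appears."""
    st = os.stat(path)
    return (st.st_ctime - st.st_mtime) > tolerance


def find_backdated(paths):
    """Return the subset of `paths` whose timestamps show the gap above."""
    return [p for p in paths if looks_backdated(p)]


def demo() -> list:
    """Create an honest file and a planted one in a scratch directory and
    report which of the two is flagged (by base name)."""
    with tempfile.TemporaryDirectory() as root:
        honest = os.path.join(root, "honest.txt")
        planted = os.path.join(root, "planted.txt")
        for path in (honest, planted):
            with open(path, "w") as fh:
                fh.write("constructed content\n")
        # Plant the second file now, but give it a modification time a year earlier.
        year_ago = time.time() - 365 * 86400
        os.utime(planted, (year_ago, year_ago))
        return [os.path.basename(p) for p in find_backdated([honest, planted])]
```

`demo()` returns `["planted.txt"]`. The check only catches the crude case: whoever edits the raw disk image or changes the system clock before writing leaves no such gap, which is exactly the post's point about a skilled manipulator. It also produces false positives that an expert witness would have to explain, since restoring a backup or unpacking an archive legitimately preserves old modification times while setting the ctime to the time of restoration.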

Excursion on auditing:
Some of these problems could be reduced through various forms of more detailed user auditing, to see exactly who did what and when. This, however, runs into a similar set of problems, including that such auditing is (at least for now) massive overkill for most computer uses, that auditing might not always be wanted, and that the auditing trail can itself be vulnerable to manipulation*. To boot, if a hostile has gained access to the victim’s user account(s), auditing might not be very helpful to begin with: It might tell us that the user account John.Smith deleted a certain file at a certain time—but it will not tell us whether the physical person John Smith did so. It could equally be someone who has stolen his credentials or otherwise invaded the account (e.g. in the form of a Bundestrojaner).

*To reduce the risk of manipulation, many current users of auditing store audit information on a separate computer/server. This helps when the circumstances are sufficiently controlled. However, when both computers have been confiscated, the circumstances are no longer controlled. To boot, such a solution would be a definite luxury for the vast majority of private computer users.

Excursion on naive over-reliance in the other direction:
Another danger with digital evidence (in the form discussed above or more generally) is that too great a confidence in it could allow skilled criminals to go free, through manipulation of their own data. A good fictional example of this is given in Stephen R. Donaldson’s “Gap Cycle”, where the (believed to be impossible) manipulation of “datacores”* allows one of the characters to get away with horrifying crimes. Real-life examples could include an analogous manipulation of tachographs or auditing systems, if these were given sufficient credibility in court.

*The in-universe name for an “append-only” data store, which plays a similar (but more complex and pervasive) role to current tachographs in tracking the actions taken by a space ship and its crew.

Excursion on digital devices in general:
Above I deal with computers. This is partly because “traditional” computers form the historical main case; partly because most digital devices, e.g. smart-phones, formally are computers, making it easier to use “computer” than some other term. However, the same principles and much of the details apply even with a broader discussion—and for a very large and rising proportion of the population, smart-phones might be more relevant than traditional computers.

Written by michaeleriksson

July 11, 2018 at 2:34 am

A few points concerning the movie “Anon”

I recently watched the movie “Anon”, which follows a police detective working in a police system (and society in general) highly dependent on implants that capture and modify the visual* impressions of the populace—like a mixture of “built-in” smart glasses and some of my own satiric suggestions ([1]).

*I am uncertain to what degree other senses were involved.

While the movie as a whole is not that great, it demonstrates several conceivable future dangers.

Of these the possibly most noteworthy are those present in [1]—or how a state like that could come into being*: Take “smart glasses”, make it an implant, connect it to the cloud, allow the police increasingly greater access to that cloud or even the implants themselves, and a nightmare scenario could very easily manifest itself.

*The movie itself gives no (in-universe) historical background; however, the speculation is fairly obvious.

Another issue touched upon repeatedly in my own writings is the low value of digital evidence: Whatever is stored*, transmitted, replayed, …, digitally can be manipulated, usually very easily, in order to give an incorrect impression. This applies not just to obvious items, e.g. entries in the access log of a server or the presence of illegal contents on a private hard-drive, but increasingly extends even to e.g. video capture**. Even the (extraordinarily naive and absolutely intolerable) assumption that law-enforcement personnel would never manipulate evidence is not enough to remedy this problem, nor is the strictest tracking*** by “chain of evidence”, because there is no guarantee that manipulations have not taken place through a third party.

*There is an availability of write-once storage that to some degree could remedy this. However, this presumes that write-once storage actually is used (which can be impractical for e.g. cost reasons and the inability to re-use storage); does not help against manipulations during retrieval of the data; and can be circumvented by simply copying the one write-once storage unit to an identical unit, making only the wanted modifications, and then proclaiming the modified copy to be the original.

**To achieve sufficiently high-quality manipulations or forgeries today is rarely practical. However, at the rate CGI has advanced over the years, we will eventually (likely: soon) reach a point where anyone with even a semi-powerful enemy could be at risk. (Whether we ever reach a state where a single skilled individual can achieve this with at most a few hours work, as implied in the movie, I leave unstated. However, given enough time, that too might be the case.)

***Especially since such tracking would almost certainly be largely digital…

Anonymity and privacy, even outside police work, is another important theme (as might be surmised from the title): Walking along a street and being able to see the names, occupations, whatnot of the other pedestrians might be interesting and useful—but the same applies in reverse. I, myself, certainly would not be comfortable with that. Extrapolate it a bit further, and assume that (drawing on the current U.S.) someone who once was caught peeing in the park has a “sex offender” sign displayed over his head, or that (drawing on Nazi-Germany) Jews, homosexuals, whatnot come with their own warning signs. What if a direct connection with e.g. a Facebook account is made, and passers-by can extract almost arbitrary information, e.g. relationship status, at will? Recall e.g. a recent assault over a mistaken identity; or note how easy it is for someone rooting for the wrong team or supporting the wrong party to be beaten up, if encountering the wrong crowd—or consider how information on income can affect the risk of being robbed or pick-pocketed.

From another perspective, consider the ability to replay the capture of previous sights—including e.g. love making. We could argue that that which we have once seen should be ours to see again—and I would mostly agree. However, it is easy to find special cases where this is highly disputable, e.g. when someone accidentally walks in on someone else who is having sex or otherwise being naked: It would not be unreasonable for the observed party to demand a deletion. Certainly, a kept recording might give far greater opportunity of observing details than the original (typically) brief flash. Similarly, there is a wide consensus that filming sex with a partner without consent is unacceptable—but what happens when everyone has a built-in camera? To boot, others can wish for even stricter criteria—I have, e.g., seen the opinion (but disagree) that even consensually filmed material must be destroyed after a break-up or that voluntarily given intimate images must be returned.

These problems are by no means limited to physical acts and nakedness: Consider e.g. the ban on cameras (including on cell-phones and notebooks) in many offices and factories. Or consider someone having a private conversation on which a third-party can now far more easily listen in*.

*An early scene showed even the near-inaudible dialogue of some passers-by being translated directly to text.

Alternatively, consider the invasion of privacy implied by a spouse’s or parent’s request to see a certain section of recording (“Where were you last night?!?”)*: Show it and lose privacy; do not show it and the worst will be suspected. (A similar situation is discussed in a text on lies under oath.) An interesting twist is provided by two (real life) parents who are repeatedly in the news for trying to get access to a deceased daughter’s Facebook account: What if this scenario is replaced by parents/spouses/children/whatnot who gain access to their deceased children’s/spouses’/parents’/whatnot implant data, including extensive recordings?

*It is my strong personal belief that even children relative to their parents and spouses relative to each other have a right to a considerable degree of privacy; however, even those who do not (e.g. an over-protective parent or a wife who fails to understand that the members of a couple are still different people) must realize that there can be areas where a legitimate need for such privacy can exist: Not everything that the one party wants to keep secret is necessarily harmful to the other, morally wrong, or susceptible to the (pseudo-)argument “the innocent have nothing to fear”. Consider e.g. a husband giving a female friend some help strictly for reasons of friendship, and a wife who has a history of jumping to (incorrect) conclusions about cheating.

Then again, we have anonymity (respectively lack thereof) in the frame of police work. I have earlier (notably in [2]) objected to e.g. computer searches for reasons like the presence of highly personal material and private information, as well as the risk that material that in theory would only be accessed by the police might leak out. What if the information collected includes basically everything seen or done by someone? (Including sex acts, intimate conversations, confidential business meetings, …)

Then there is the issue of hacking and security: Not only does this provide yet another channel through which private information can leak, but it also adds the risk of damaging interventions. For instance, the movie showed examples of visual input being sufficiently manipulated, in real time, that the victim could not rely on his eyesight. With this level of technology, it would be easy to e.g. have someone just walk into oncoming traffic. However, even with abilities more realistic by today’s standards, great harm can be caused, e.g. by having textual information altered to imply that another party is sleeping with one’s own spouse. Looking at self-driving cars, with similar vulnerabilities and a greater current realism, we could have a hostile entity manipulate a car into taking actions that lead to a car crash, a run-over pedestrian, or some other calamity. (See also e.g. [3].)

On the other hand, if external access is technically and legally sufficiently limited, there can be a great upside to some of the technologies. Consider e.g. re-running a business meeting or a lecture to refresh a failing memory; re-living an enjoyable moment; or (most enticing to me) re-visiting a portion of prior life to have another look at how things were back then or how one has developed or not developed, what lessons can be drawn and what could have been done differently, etc.

As an aside, it is depressing that while we live in a time when privacy and anonymity are more urgent than ever before (for the simple reason that they are so much easier to violate), legislation and other “government behavior” show a broad trend towards weakening both. The fear of terrorism and organized crime makes this partially understandable; but not only do the “big bads” have far greater means to circumvent such legislation than the average citizen, the measures are often obviously intended against crimes of any kind. Both these factors point strongly towards the damage done being greater than the benefits gained. What we need is the reverse trend—and this not only with regard to the government, but also to strengthen protection against e.g. profile-building private enterprises, for instance by making it possible to order even physical to-be-delivered goods (close to) anonymously and by removing antiquated laws like the German requirement for a hotel guest to register with full and real name and address.

Written by michaeleriksson

June 30, 2018 at 12:17 am

A review of the new WordPress/Automattic Privacy Policy

A few days ago, I received an email that WordPress (more correctly, Automattic) was changing its Privacy Policy*. Fearing the worst, in the light of the unconscionable behavior of e.g. Facebook, I decided to review it. The results were depressing, although I have not investigated what was already present and what has changed for the worse: While it is not as bad as what Facebook does, it still leaves the user with minimal protections and reliant on WordPress/Automattic not engaging in abuse.

*I use initial caps for consistency with the (spurious) use in the analyzed text.

Below I will quote some selected parts (in the original order) and offer some analysis*:

*The policy can be found under https://automattic.com/privacy at the moment; however, these contents can naturally change over time. The policy is under the Creative Commons Sharealike 4.0 License, making re-use unproblematic; however, I see my use as covered under “Fair Use” and similar principles, and do not “copy-left” this post under that license. Some change of formatting and typography might have taken place.

This is our updated Privacy Policy going into effect on January 3, 2018.

(Provided for identification purposes only.)

Your privacy is critically important to us. At Automattic, we have a few fundamental principles:

We are thoughtful about the personal information we ask you to provide and the personal information that we collect about you through the operation of our services.
We store personal information for only as long as we have a reason to keep it.
We aim to make it as simple as possible for you to control what information on your website is shared publicly (or kept private), indexed by search engines, and permanently deleted.
We help protect you from overreaching government demands for your personal information.
We aim for full transparency on how we gather, use, and share your personal information.

A very promising start and a laudable attitude, provided that they actually adhere to it. Now, I raise no accusation concerning the actual use, here or below, for the simple reason that I do not know what actually happens with the data. However, in the continuation Automattic gives itself far-going rights that are not compatible with these principles, which raises considerable doubt as to the adherence—if they do not use these far-going rights, why collect them? Even without such rights, there is considerable reason to be cautious: Words are cheap and all-too-many websites abuse customer data in an inexcusable manner. The strength of a Privacy Policy, or e.g. a set of laws, must not be measured under the assumption of good intent and high competence.

Throughout this Privacy Policy we’ll refer to our website, mobile applications and other products and services collectively as “Services.”

(Given for interpretation only.)

Please note that this Privacy Policy does not apply to any of our products or services that have a separate privacy policy.

This is largely understandable, but it opens a large opportunity for abuse, through simply smuggling in a more specific and less acceptable Privacy Policy while hoping that the users consider themselves under the general Privacy Policy. Even deliberate abuse aside, it makes it harder for the users to know what rules apply for any given service. (Giving a universal rule for how to handle this is impossible, seeing that there is virtually no limit to the constellations to consider; however, a basic guideline would be to keep the general everywhere and to amend it as needed for the specific service under adherence to the “fundamental principles” stated above.)

We only collect information about you if we have a reason to do so—for example, to provide our Services, to communicate with you, or to make our Services better.

Looks good, but is an almost empty promise: “to make our Services better” alone is enough of an excuse for many service providers to gather any and all data they can get their hands on. At the same time, “to communicate with you”, in my personal experience, is usually code for “to spam you”.

We collect information in three ways: if and when you provide information to us, automatically through operating our services, and from outside sources.

These items are all too vague. For instance, does “you provide” include just what is entered in (in my case) the WordPress account or can it include data gathered from email communications? The “automatically through operating our services” is to some degree unavoidable, but can at the same time be abused in absurd ways, e.g. to build irrelevant and unethical profiles, including e.g. sleeping habits. The part about “outside sources” opens a limitless room for abuse. Combine these three claims, and we are not far from Facebook.

In the continuation the Privacy Policy provides a number of examples of what data can be collected and how. If these examples were exhaustive, it would alleviate the risk of abuse somewhat—but they are not. There are also enough examples remaining that range from slightly dubious to highly problematic.

Consider e.g.:

  1. Content Information: Depending on the Services you use, you may also provide us with information about you in the draft and published content for your website. For example, if you write a blog post that includes biographic information about you, we will have that information, and so will anyone with access to the Internet, if you choose to publish the post publicly.

    Depending on what is intended this is either trivial or harmless—or a sign that there is intention to make automatic evaluations. This might be OK for the actually published* content, but hardly for drafts. Indeed, even if they do have the technical ability to access drafts, they should be ethically or even legally forbidden from doing so**. Note that drafts can contain things that are simply not intended to reach third-parties, be it at all or at the current time. (Consider e.g. a whistle-blower intending to get out of harm’s way and then to publish a series of posts; or a homosexual having already written a draft with a “coming out” statement, which is waiting for a known-to-disapprove grand-parent to pass away.) Also note that even non-malicious access can increase the risk of inadvertently leaking information to other third parties, e.g. through a security hole or a lack of care***.

    *However, even here there should be some type of restriction, equivalent at least to the restrictions websites can state (but not enforce) through the Robots exclusion standard.

    **Except to the degree that an access is in the immediate service of the user, e.g. to allow him to edit the draft. (A general problem with the analyzed text is that it does not clearly differentiate between widely separate purposes, e.g. access and storage by the user through the service vs. access by the service provider independent of the user. This limits the analysis somewhat.)

    ***There have e.g. been a number of occurrences of confidential data being accidentally uploaded to servers freely accessible on the Internet without authentication and encryption. (Or possibly servers being accidentally made accessible post-upload—the result is the same.)

  2. Credentials: Depending on the Services you use, you may provide us with credentials for your website (like SSH, FTP, and SFTP username and password). For example, Jetpack and VaultPress users may provide us with these credentials in order to use our one-click restore feature if there is a problem with their site, or to allow us to troubleshoot problems on their site more quickly.

    With reservations for rare special cases, it is a horrifyingly bad idea to hand out such data to third-parties. Requiring such data, including providing services that require such data, is unethical; a user who complies is negligent.

  3. Log Information: Like most online service providers, we collect information that web browsers, mobile devices, and servers typically make available, such as the browser type, IP address, unique device identifiers, language preference, referring site, the date and time of access, operating system, and mobile network information. We collect log information when you use our Services—for example, when you create or make changes to your website on WordPress.com.

    The extent of data collected is too large, violating the principle of parsimony in data collection and bringing no or little legitimate benefit. Even browser information is highly dubious, seeing that a good site should work equally well with any browser; operating system is simply none of their business (and a correctly configured browser should hide such information anyway). Parts can be outright illegal in some countries*.

    *For instance, saving a non-anonymized IP address in Germany.

  4. Usage Information: We collect information about your usage of our Services. For example, we collect information about the actions that site administrators and users perform on a site—in other words, who did what, when and to what thing on a site (e.g., [WordPress.com username] deleted “” at [time/date]). We also collect information about what happens when you use our Services (e.g., page views, support document searches at en.support.wordpress.com, button clicks) along with information about your device (e.g., mobile screen size, name of cellular network, and mobile device manufacturer). We use this information to, for example, provide our Services to you, as well as get insights on how people use our Services, so we can make our Services better.

    Location Information: We may determine the approximate location of your device from your IP address. We collect and use this information to, for example, calculate how many people visit our Services from certain geographic regions. We may also collect information about your precise location via our mobile apps (when, for example, you post a photograph with location information) if you allow us to do so through your mobile device operating system’s permissions.

    Similar objections apply: Parts can be acceptable; others are definitely not so.

  5. Stored Information: We may access information stored on your mobile device via our mobile app. […]

    This is utterly and entirely unacceptable and grossly unethical. I do not use mobile apps (hardly mobile devices, for that matter), but if I did, this would be an immediate call for me to purge my devices of any and all apps underlying this Privacy Policy. I urge the readers to do the same.

  6. Information from Cookies & Other Technologies: [simplistic descriptions of cookies et al.] Automattic uses cookies and other technologies like pixel tags to help us identify and track visitors, usage, and access preferences for our Services, as well as track and understand e-mail campaign effectiveness and to deliver targeted ads. […]

    The use itself is highly disputable; email campaigns (aka spam) are unethical; targeted* ads at best ethically dubious and requiring unethical profile building.

    *In today’s Internet, the use of advertising in general might be called into question: The excesses of amount and intrusion have reached a point where an ad blocker and/or a blanket ban on images/Flash/JavaScript/whatnot per browser setting is a necessity. When it comes to advertising-driven “free” content, I apply the German phrase “Geschenkt ist noch zu teuer”—“Too expensive, even when gifted”.

  7. We may also get information about you from other sources. For example, if you create or log into your WordPress.com account through another service (like Google) or if you connect your website or account to a social media service (like Twitter) through our Publicize feature, we will receive information from that service (such as your username, basic profile information, and friends list) via the authorization procedures used by that service. The information we receive depends on which services you authorize and any options that are available.

    This is another unethical, Facebook-style, idiocy. The disclaimer about “The information we receive depends on which services you authorize and any options that are available.” might be OK if sufficient options are available and presented to the users in a reasonable manner (and/or default to “no sharing”)—but will they be? Worse, these controls are with yet another party, and now the user has to trust several parties to be both honest and competent… I urge all readers to turn any such settings off and to never engage in such “cross-site” activities. (I use a whole separate computer account for WordPress, e.g.)

  8. We may also get information from third party services about individuals who are not yet our users (…but we hope will be!), which we may use, for example, for marketing and advertising purposes.

    Doubly unethical: Firstly, this implies that individuals who have had no opportunity to read and accept/decline this Privacy Policy are affected by it. Secondly, the intended use at best amounts to ethically dubious advertising—at worst to outright spam.
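For item 3 (log information), as an added example that is neither Automattic’s code nor the post’s: what a log line can be reduced to before it is stored, keeping what is needed to run and debug a site while truncating the IP address and dropping the browser and referrer strings. The sample lines are constructed (with documentation addresses), and the choice of keeping 24 bits of an IPv4 and 48 bits of an IPv6 address is a common practice assumed here, not a claim about what any particular law requires.

```python
"""Added example (not Automattic's or the post's code): minimizing an access
log line before storage. Sample lines are constructed, using the RFC 5737
and RFC 3849 documentation address ranges."""
import ipaddress
import re

# Common choice in practice: keep /24 of IPv4 and /48 of IPv6 (an assumption
# about what is 'sufficiently anonymized', not a legal guarantee).
V4_KEEP_BITS = 24
V6_KEEP_BITS = 48

# Combined log format; referrer and user agent are optional at the end.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<ref>[^"]*)" "(?P<ua>[^"]*)")?$'
)

# Constructed sample lines, as a web server would write them.
SAMPLE_LINES = [
    '203.0.113.77 - - [30/Jun/2018:00:17:05 +0200] "GET /2018/06/30/anon/ HTTP/1.1" '
    '200 5123 "https://example.org/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/60.0"',
    '2001:db8:abcd:1234::42 - - [30/Jun/2018:00:18:41 +0200] "GET /feed/ HTTP/1.1" '
    '302 0 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/67.0"',
]


def anonymize_ip(addr: str) -> str:
    """Zero the host part of the address so that it names a network, not a
    single connection (203.0.113.77 -> 203.0.113.0)."""
    ip = ipaddress.ip_address(addr)
    keep = V4_KEEP_BITS if ip.version == 4 else V6_KEEP_BITS
    return str(ipaddress.ip_network(f"{ip}/{keep}", strict=False).network_address)


def minimize_log_line(line: str) -> str:
    """Keep time, request, status and size with a truncated address; drop
    the referrer and the browser/operating-system string entirely."""
    m = LOG_RE.match(line.rstrip("\n"))
    if m is None:
        raise ValueError(f"unrecognised log line: {line!r}")
    return (f'{anonymize_ip(m["ip"])} - - [{m["time"]}] "{m["req"]}" '
            f'{m["status"]} {m["size"]}')


def minimize_log(lines):
    """Apply minimize_log_line to every line, e.g. in a log pipeline."""
    return [minimize_log_line(line) for line in lines]
```

On the constructed lines, `minimize_log(SAMPLE_LINES)` yields `203.0.113.0 - - [30/Jun/2018:00:17:05 +0200] "GET /2018/06/30/anon/ HTTP/1.1" 200 5123` and the corresponding `2001:db8:abcd::` line, with no browser string left to profile. Doing this at write time, rather than in a later clean-up job, is what makes the difference for a backup or a confiscated server.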

A following section on (alleged) use is mostly OK, but contains:

To communicate with you about offers and promotions offered by Automattic and others we think will be of interest to you, solicit your feedback, or keep you up to date on Automattic and our products; and To personalize your experience using our Services, provide content recommendations and serve relevant advertisements.

The first amounts to spam; the second is again in the area of ethically dubious advertising. To boot, looking at WordPress (and almost any other service or software tool I have ever used), automatic personalization has no place and does/would do more harm than good: By all means, provide new options and ways of doing things—but let the user be in complete control of the choice whether to use them.

The following section on information sharing is, again, mostly OK, even if some of the talk of third-parties is on the vague side*; however, it contains at least two problematic items:

*The applicable use cases are reasonable and the third parties are required to adhere to the same rules as Automattic, but there is uncomfortably much room for third-party involvement. Note that the more parties are involved, the greater the risk that data are maliciously used, carelessly exposed to the public, or stolen through a security hole.

Aggregated and De-Identified Information: We may share information that has been aggregated or reasonably de-identified, so that the information could not reasonably be used to identify you. For instance, we may publish aggregate statistics about the use of our Services.

The given example is OK, as is, likely, aggregation in general; however, the “reasonably de-identified” is not: This allows handing out data in a per-user manner, and what is considered de-identified by Automattic need not actually be so. It is, in fact, very hard to remove the possibility to track back a non-trivial amount of data to a single individual. (I have no references at hand, but I point more generally to discussions around the German census of 2011 for more information.) To illustrate the problems (without necessarily saying that this scenario would occur with Automattic) assume that I was blogging anonymously and had never made much mention of personal details, except that I was Swedish. Combine this with an IP address coming from Wuppertal, Germany, and this alone could be enough to nail me down. At any rate, there would be no more than a handful of potential candidates, and just one or two pieces of additional data would be enough to clear the others. So, OK, my being Swedish makes me more vulnerable than a German, but, critically, not by much: This amounts to a game of “twenty questions” and where two questions were enough above, a German posting from Germany might have been identified with, possibly, another five to ten*… Correspondingly, non-trivial amounts of non-aggregated data simply should not be exposed to third-parties.

*Consider the rapid reductions of the set of candidates that can occur through knowing not only place of residence but place of birth, alma mater, a previous employer, …
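The “twenty questions” argument above, as an added example that is not part of the original post: a small constructed table of “de-identified” accounts, the k-anonymity measure (the size of the smallest group of records that share the same values of the quasi-identifiers; k = 1 means someone is pinned down), a greedy question-by-question narrowing, and the standard remedy of coarsening an attribute. All records and attribute values are invented for illustration.

```python
"""Added example (not the post's own code): why "reasonably de-identified"
per-user data is not anonymous. Records and values are constructed."""
from collections import Counter

# One row per account after names and e-mail addresses were stripped.
RECORDS = [
    {"nationality": "Swedish", "city": "Wuppertal", "os": "Linux",   "posts": 1203},
    {"nationality": "German",  "city": "Wuppertal", "os": "Windows", "posts": 15},
    {"nationality": "German",  "city": "Wuppertal", "os": "Windows", "posts": 22},
    {"nationality": "German",  "city": "Wuppertal", "os": "Linux",   "posts": 300},
    {"nationality": "German",  "city": "Berlin",    "os": "Windows", "posts": 8},
    {"nationality": "German",  "city": "Berlin",    "os": "Windows", "posts": 41},
    {"nationality": "Swedish", "city": "Berlin",    "os": "macOS",   "posts": 5},
]
CITY_TO_COUNTRY = {"Wuppertal": "Germany", "Berlin": "Germany"}


def equivalence_classes(records, quasi_ids):
    """Group records by their quasi-identifier values; returns key -> count."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)


def k_anonymity(records, quasi_ids) -> int:
    """Size of the smallest group sharing the same quasi-identifier values;
    k == 1 means at least one person is uniquely pinned down."""
    return min(equivalence_classes(records, quasi_ids).values())


def singletons(records, quasi_ids):
    """The quasi-identifier combinations that belong to exactly one record."""
    return {key for key, n in equivalence_classes(records, quasi_ids).items() if n == 1}


def questions_to_isolate(records, target, attributes):
    """Greedy 'twenty questions': reveal one attribute at a time, always the
    one that shrinks the candidate set most, until the target stands alone or
    no attribute helps. Returns (attributes used, remaining candidates)."""
    pool, used = list(records), []
    while len(pool) > 1:
        remaining = [a for a in attributes if a not in used]
        if not remaining:
            break
        best = min(remaining, key=lambda a: sum(r[a] == target[a] for r in pool))
        narrowed = [r for r in pool if r[best] == target[best]]
        if len(narrowed) == len(pool):
            break                       # nothing left that separates the target
        used.append(best)
        pool = narrowed
    return used, len(pool)


def generalize_city(records):
    """Coarsen city to country, one standard way of raising k."""
    return [dict(r, city=CITY_TO_COUNTRY[r["city"]]) for r in records]
```

With nationality and city as the only quasi-identifiers the table has k = 1, and `questions_to_isolate(RECORDS, RECORDS[0], ["nationality", "city", "os"])` isolates the Swede in Wuppertal after two questions, while the same three attributes leave two candidates for a German in Wuppertal on Windows (post count was deliberately left out of the questions; as a public figure it isolates everyone at once). After `generalize_city` the same two quasi-identifiers give k = 2, which is still far from safe, but shows the direction that “aggregated” rather than “reasonably de-identified” data would have to go.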

Published Support Requests: And if you send us a request (for example, via a support email or one of our feedback mechanisms), we reserve the right to publish that request in order to help us clarify or respond to your request or to help us support other users.

Such requests can contain information not suited for publication (and it would be insane to trust customer support with such decisions), and it is an unambiguous ethical duty to either collect a specific agreement for any individual such publication or to paraphrase and anonymize the text and other data to such a degree that no problems can occur*. To boot, there is a risk of outright abuse, e.g. in that someone writes a scathing complaint in anger or feigned** anger (which would be very understandable with WordPress), and that this complaint is then republished out-of-context by the service provider for revenge purposes.

*This is also recommendable because the original text can contain much that is irrelevant to the core issue and other users are helped by a corresponding filtering.

**I repeat my recommendation to take a hard line against incompetent support staff and uncooperative businesses, and to use increasingly harsher language during escalations so that it actually registers that customer dissatisfaction cannot just be shrugged off.

Various other items:

While no online service is 100% secure, we work very hard to protect information about you against unauthorized access, use, alteration, or destruction, and take reasonable measures to do so.

Specifically, WordPress is known to be highly problematic from a security point of view—and in large part for reasons that could be avoided were Automattic doing a better job. This includes a better thought-through interface with greater consistency and fewer useless features, less reliance on JavaScript*, and, obviously, better code. Words are cheap.

*While JavaScript is always dangerous to some degree, it can become highly problematic when third-party content is present, even in such a trivial situation as browsing one’s own blog and encountering hostile or misprogrammed comments or ads.

To enhance the security of your account, we encourage you to enable our advanced security settings, like Two Step Authentication.

In many cases, such statements contain an implicit “and if you do not, we will assume that any breach was your fault and wash our hands”. (Whether this applies to Automattic, I simply do not know; however, I note that this, and a few other statements, are not part of anything that reasonably could be called “policy”, leaving the suspicion that the true purpose is not to state policy but e.g. to reduce or shift legal culpability.)

At this time, Automattic does not respond to “do not track” signals across all of our Services. However, you can usually choose to set your browser to remove or reject browser cookies before using Automattic’s websites, with the drawback that certain features of Automattic’s websites may not function properly without the aid of cookies.

Not respecting “do not track” is weak for a service provider with such large resources. Making a complex service without cookies can be hard, but it is usually possible, and some of the uses on at least WordPress are of negative value. For instance, when I try to confirm a comment subscription not made with my WordPress account, using the provided link, WordPress steps in, matches it with my WordPress session, and refuses the confirmation, claiming that it does not know the email address used for the subscription—thereby forcing me to use another browser for such confirmations. Utterly, utterly idiotic and amateurish.

Automattic encourages visitors to frequently check this page for any changes to its Privacy Policy.

Unacceptable: People have better things to do than over and over again visiting any Privacy Policy, T & C, whatnot, that any of the multitude of online services provide. It is Automattic’s job to gather consent for any and all changes. Anything else is ridiculous and unrealistic. (But, unfortunately, this follows a current destructive trend of various businesses doing their darnedest to make consent to various conditions more-or-less automatic and actual access to said conditions as hard as possible. This even outside the Internet, where I have e.g. received notifications from banks that amount to “Our conditions have changed. The conditions are available in our offices. If you do not object to the changes by X, this is considered consent.”—utterly unconscionable, especially since the changes normally would have fit in the notification message at virtually no additional cost.)

Written by michaeleriksson

December 20, 2017 at 8:49 am

Posted in Uncategorized


Disturbing privacy violations

with one comment

Some selected quotes from a very disturbing news article:

Muhammad Rabbani*, a director of Cage*, convicted of obstructing counter-terrorism police when stopped at Heathrow

*I have no idea what positions Rabbani and Cage take, or whether they are worthy of support in general. No such support should be implied from this post—what I do support is Rabbani’s right to keep his privacy from a government that discards human rights.

The international director of the campaign group Cage has been found guilty of obstructing counter-terrorism police by refusing to hand over his mobile phone and laptop passwords.

The verdict confirms that police have powers in port stops under schedule seven of the 2000 Terrorism Act to demand access to electronic devices, and refusal to cooperate is a criminal offense.

This is a gross violation of the rights of privacy, especially privacy from snooping governments, that everyone should have. Cf. e.g. a previous article on the topic or a similarly themed satire post.

This type of password demand is absolutely absurd, starting with the fact that there is no particular reason why someone crossing the border* of a country should be exposed to deeper checks than someone currently residing within the same country**. The situation is not analogous to a regular baggage check, because what is stored on a device cannot blow a plane up, cannot be used to perform a hi-jacking, cannot be stabbed in the eye of a flight attendant, …

*Or e.g. traveling domestically.

**Rabbani appears to have been returning to the U.K. In other words, even a highly dubious attempt to filter out “unwanteds” based on device contents would have been misplaced in this specific case.

There is, in fact, very little to gain through such checks and there is virtually no legitimate reason why a check should take place—even assuming that the intrusion on the rights of the passengers/citizens/whatnots were tolerable. Barring an even more unethical installation of malware for the purpose of spying on the device owner in the long term, the most that can be achieved in a suitably short time-frame is to briefly look at the device owner’s emails, desktop files, or similar—and this is not something that e.g. a member of a terrorist organization or organized crime should reasonably fall for. Anything that could have been of legitimate interest can be expected to be too well hidden; what can be found is highly private information that is no business of the government’s whatsoever (e.g. who had a vacation affair with whom—not to mention the whole “intimate picture” problem).

No, in order to have a reasonable chance of finding something legitimate (barring unethical malware…), the device would be needed for several hours or a full copy has to be made—which in turn can take hours and poses extreme risks where private data is concerned (e.g. through inadvertent leaks). With a proficient hider of information, the hours go into days, might require a specialist in computer forensics, and possibly still turn out to be in vain. If in doubt: Should the government have a high hit ratio, the conclusion of those who have something to hide would be to not carry the information past such check-points… (Instead keeping it in one place and e.g. distributing copies per i2p when needed.)

To boot, such demands for passwords can also violate the rights of third-parties or force the device owner to violate contractual obligations. Consider e.g. the case of a work laptop or the utterly insane idea that people traveling past customs should be obliged to give out their social-media passwords.

This is the type of thing where the public should legitimately take to the streets and demand that their rights and interests are respected—very much unlike e.g. the protests against Donald Trump. (Cf. e.g. a recent post.) Even comparing with his country-based restrictions on visitors, this is an outrage: The country-based restrictions serve a legitimate purpose and can have some success in achieving this purpose; this type of snooping, on the other hand, is useless. The former only rarely infringe on the reasonably expected rights of others*; the latter does so wholesale.

*We can discuss whether entirely free movement should be allowed, but the fact remains that it is not. A great many countries reserve the right to refuse people entry, and even restrictions based on e.g. country of origin are quite common, and this has been the norm historically. The increasingly free movement we see today is as big a novelty as modern day governmental snooping—outside of dictatorships. Exceptions where a reasonably expected right would be violated occur e.g. when a foreigner residing in the U.S. is refused re-entry after visiting his home country. (Which is a possible outcome of Trump’s suggestions, at least according to his opponents.)

Written by michaeleriksson

September 25, 2017 at 10:14 pm

Yahoo tries to pull a Facebook?

leave a comment »

I have long had an email account with Yahoo for various and sundry (including as a backup, in case the addresses that come with my domain are temporarily not reachable). So far, this has been an extremely frustrating experience: Yahoo is one of the worst thought-through and most poorly programmed websites that I am aware of. Whoever is guilty of this atrocity should be led to the next wall and put before a firing squad.

Today, however, the worst of many, many user-hostile idiocies from Yahoo came to my attention: They appear to have “pulled a Facebook”, and installed various publications and notifications behind the back of the users—utterly ruining any remaining credibility.

To make matters worse, when I try to disable one of these settings, I am met with an error message—and the setting returns to the “share” state…

My advice to anyone using Yahoo for anything non-trivial: Do not. Reduce your account activity to near zero, remove all contacts, etc. Instead find yourself a good ISP with your own email addresses or, if that is too costly, a decent independent and pure email service. (For those in Germany: My own ISP, bytecampe, has so far been very satisfactory at < 10 Euro/month, including domain, webserver, and unlimited email addresses.)

The same advice applies, obviously, to other services of a similar character, including Gmail and Facebook. The latter already has a large number of “delete your account” recommendations here on WordPress.

Written by michaeleriksson

May 21, 2010 at 12:14 am

Posted in Uncategorized
