The Daily Parker

Politics, Weather, Photography, and the Dog

Figuring out the Safe Harbor fallout

As I mentioned yesterday, the European Court of Justice ruled yesterday that the US-EU Safe Harbor pact is illegal under European law:

The ruling, by the European Court of Justice, said the so-called safe harbor agreement was flawed because it allowed American government authorities to gain routine access to Europeans’ online information. The court said leaks from Edward J. Snowden, the former contractor for the National Security Agency, made it clear that American intelligence agencies had almost unfettered access to the data, infringing on Europeans’ rights to privacy.

The court said data protection regulators in each of the European Union’s 28 countries should have oversight over how companies collect and use online information of their countries’ citizens. European countries have widely varying stances toward privacy.

The Electronic Frontier Foundation examines the implications:

[I]f those reviews [of individual companies' transfers] continue to run against the fundamental incompatibility of U.S. mass surveillance with European data protection principles, the end result may well be a growing restriction of the commercial processing of European users' data to within the bounds of the European Union.

That would certainly force the companies to re-think and re-engineer how they manage the vast amount of data they collect. It will not, however, protect their customers from mass surveillance. The geographic siloing of data is of little practical help against mass surveillance if each and every country feels that ordinary customer data is a legitimate target for signals intelligence. If governments continue to permit intelligence agencies to indiscriminately scoop up data, then they will find a way to do that, wherever that data may be kept. Keep your data in Ireland, and GCHQ may well target it, and pass it onto the Americans. Keep your data in your own country, and you'll find the NSA—or other European states, or even your own government— breaking into those systems to extract it.

Harvard law student Alex Loomis highlighted the uncertainties for US-based companies:

But ultimately it is still hard to predict how national and EU authorities will try to enforce the ECJ decision in the short-run because, as one tech lobbyist put it, “[c]ompanies will be working in a legal vacuum.”  Industry insiders are already calling for more guidance on how to act lawfully. That’s hard, because the EU Commission’s decision is no longer controlling and each individual country thus can now enforce EU law on its own. Industry experts suggest that the turmoil will hurt smaller tech companies the most, as the latter lack separate data centers and accordingly are more likely to rely on transferring data back to the United States. As I pointed out last week, that might have some anticompetitive effects.

In short, data transfers between the EU and US are now a problem. A big one. Fortunately at my company, we don't keep any personal information—but we still may have a heck of a time convincing our European partners of that, especially if Germany and France go off the deep end on privacy.

On the reading stack

These crossed my various news feeds today:

I've now got to really understand the implications of the EU ruling. More when I do.

The Internet self-corrects (sort of)

Canadian Julia Cordray created an app described as a "Yelp for people," and apparently failed to predict the future:

Except of course it took the rest of the world about two seconds to figure out that filtering the world to only include those with positive feelings was not exactly realistic, and all the app was likely to do was invite an endless stream of abuse, bullying, and stalking.

It wasn't long before people were posting Cordray's personal details online – seemingly culled from the Whois information for domain names she owns. Just to highlight how out of control these things can get, one heavily quoted tweet providing her phone number and home address actually provided the wrong information.

Meanwhile, the company's website at ForThePeeple.com has fallen over.

We'll have this app, of course. I'm interested to see how U.S. and U.K. libel laws deal with it. Or not.

Update: Just looking at their Facebook page, I can't help but wonder if this is just a parody. But no, these women are delusional, and their app is not a new idea—just one that no one before them has ever had the immorality to produce.

Sadly, I think it will be a success.

Upgrades!

In the last 48 hours, I've upgraded my laptop and surface to Office 2016 and my phone to Android 5.0 and 5.1. Apparently T-Mobile wants to make sure the Lollipop update works before giving you all the bug fixes, which seems strange to me.

All four update events went swimmingly, except that one of my Outlook add-ins doesn't work anymore. Pity. I mean, it's not like Outlook 2016 was in previews for six months or anything...

Two must-see posts

First, Bruce Schneier warns about living in a Code Yellow world:

The psychological term for this is hypervigilance. Hypervigilance in the face of imagined danger causes stress and anxiety. This, in turn, alters how your hippocampus functions, and causes an excess of cortisol in your body. Now cortisol is great in small and infrequent doses, and helps you run away from tigers. But it destroys your brain and body if you marinate in it for extended periods of time.

Most of us...are complete amateurs at knowing the difference between something benign and something that's actually dangerous. Combine this with the rarity of attacks, and you end up with an overwhelming number of false alarms. This is the ultimate problem with programs like "see something, say something." They waste an enormous amount of time and money.

You also need to see these satellite photos.

And I need to do more work.

Computer security like a boss

Via Schneier, a new paper by researchers at Google discussed the differences between the ways security experts and non-experts treat online security. Not surprising, experts have better habits.

When asked about the security practices that most matter to them, experts talked about multi-factor authentication, password safes, and getting the latest software patches, while non-experts worried about anti-virus software and changing passwords frequently:

The most common things-you-do responses from each group varied, with only one practice, using strong passwords, in common within each group’s top 5 responses. While most experts said they install software updates (35%), use unique passwords (25%), use two-factor authentication (20%), use strong passwords (19%), and use a password manager (12%), nonexperts mentioned using antivirus software (42%), using strong passwords (31%), changing passwords frequently (21%), visiting only known websites (21%), and not sharing personal information (17%).

The security practices mentioned by experts are consistent with experts’ rating of different pieces of advice, when we asked them to rank how good these are on a 5-point Likert scale. ...[M]ost experts considered installing OS (65%) and application (55%) updates, using unique (49%) and strong (48%) passwords, using a password manager (48%), and using two-factor authentication (47%) very good advice (the highest Likert-scale rating). Other advice that was not frequently mentioned by experts in the top three things they do, but ranked high in this multiple choice question of the advice they’d consider good, included turning on automatic updates (72%), being suspicious of links (60%), not entering passwords on links in emails (60%), and not opening email attachments from unknown people (55%).

Generally, non-experts favor convenience over security—which is consistent with human behavior in just about every situation in life. Just look at cash, for example: it's demonstrably the least-secure way of transmitting wealth generally available, but people still use it frequently because it's a lot more convenient (and—no small irony—private) than using more-secure methods like credit cards.

The authors suggest that making good security more convenient may be the answer. But until average users get burned enough, they'll still use the same dictionary-word password for OKCupid that they use for their bank's website, just as they'll still hand their credit card to the waiter rather than demanding table-side chip-and-pin readers like Europeans use. Defense in depth? Maybe later.

Today is the longest day of the year

No, really. Today will have 86,401 seconds in it, as opposed to the usual 86,400 seconds that every day for the last 18 years has had.

Because the earth interacts with lots of other gravity sources in the universe—most notably the moon—its rotation sometimes speeds up and sometimes slows down. Over the last 18 years or so, the planet has lost an entire second because of these perturbations, requiring us to update our most accurate clocks to compensate. Of course, when those clocks get updated, there's a trickle-down effect, because so much of what we do in the 21st Century requires really, really accurate timekeeping.

So, this evening in Chicago, the 6pm hour will have 3,601 seconds in it as the master clocks all over the planet add their leap second at 23:59:60 UTC.

Enjoy your extra second.

Seven billion dollars for nothing

Security guru Bruce Schneier, writing for CNN, is not surprised that TSA screeners missed 95% of guns in a recent drill:

For those of us who have been watching the TSA, the 95% number wasn't that much of a surprise. The TSA has been failing these sorts of tests since its inception: failures in 2003, a 91% failure rate at Newark Liberty International in 2006, a 75% failure rate at Los Angeles International in 2007, more failures in 2008. And those are just the public test results; I'm sure there are many more similarly damning reports the TSA has kept secret out of embarrassment.

The TSA is failing to defend us against the threat of terrorism. The only reason they've been able to get away with the scam for so long is that there isn't much of a threat of terrorism to defend against.

Even with all these actual and potential failures, there have been no successful terrorist attacks against airplanes since 9/11. If there were lots of terrorists just waiting for us to let our guard down to destroy American planes, we would have seen attacks -- attempted or successful -- after all these years of screening failures. No one has hijacked a plane with a knife or a gun since 9/11. Not a single plane has blown up due to terrorism.

Of course, what American politician would ever vote to reduce security spending? The incentives on the individual representatives are too strongly skewed in favor of an ever-ratcheting security state. This is one of the things that did in Rome.

That said, Italy is a lovely country these days...

User Self-Blame

Microsoft's Scott Hanselman blames us computer professionals for users thinking they don't know computers:

In my recent podcast with UX expert and psychologist Dr. Danielle Smith the topic of "user self-blame" came up. This is that feeling when a person is interacting with a computer and something goes wrong and they blame themselves. I'd encourage you to listen to the show, she was a great guest and brought up a lot of these points.

Self-blame when using technology has gotten so bad that when ANYTHING goes wrong, regular folks just assume it was their fault.

This harkens back to the middle ages when the average person couldn't read. Only the monks cloistered away had this magical ability. What have we done as techies to make regular folks feel so isolated and afraid of all these transformative devices? We MAKE them feel bad.

This on the same day that Jeff Atwood tells us our passwords suck (and he's right):

The easiest way to build a safe password is to make it long. All other things being equal, the law of exponential growth means a longer password is a better password. That's why I was always a fan of passphrases, though they are exceptionally painful to enter via touchscreen in our brave new world of mobile – and that is an increasingly critical flaw. But how short is too short?

...[Y]ou can't really feel safe until the 12 character mark even with a full complement of uppercase, lowercase, numbers, and special characters.

This is also a UX failure, but of a different kind. Until two-factor authentication becomes ubiquitous—and until users start accepting the need for it—passwords are going to be the chink in Smaug's armor.

Of course, it doesn't help that users typically don't have accurate conceptual models for things. The number of times I have explained the difference between authentication and authorization (which is a necessary conceptual model for understanding why you should never, ever give your passwords to anyone).