“Basically, you’ve given everybody a little radio-frequency doodad that silently declares ‘Hey, I’m a foreigner,’” says author and futurist Bruce Sterling, who lectures on the future of RFID technology. “If nobody bothers to listen, great. If people figure out they can listen to passport IDs, there will be a lot of strange and inventive ways to exploit that for criminal purposes.”

There are two issues. The first is that, currently, few people carry around anything with an RFID tag. By simply detecting the presence of such a tag, a bad guy could infer that the person is likely to be a foreigner. The second issue is that the tags are likely to be cracked — meaning that the personal information in the passport would be available to ID thieves.

I definitely see a market for passport holders with RF shielding.

Via Slashdot.

It should be noted that the GWT is not without privacy concerns. As clearly stated by Google, hosted mode does send some information back to Google:

Privacy notice: When you use the Google Web Toolkit’s hosted web browser, the application sends a request back to Google’s servers to check to see if you are using the most recent version of the product. As a part of this request, Google will log usage data including a timestamp of the date and time you downloaded the Google Web Toolkit and the IP address for your computer. We won’t log cookies or personal information about you, and we will use any data we log only in the aggregate to operate and improve the Google Web Toolkit and other Google Services. Please see the Google Privacy Policy for more information.

Since this information is only sent in hosted mode, it will mostly apply to developers. A deployed system would use web mode which does not appear to contact Google. Of course, depending on the security requirements of a deployed application, one would want to audit the generated JavaScript and HTML code as a bug (or worse) in the GWT could lead to security holes. To see what I mean, read the classic Ken Thompson’s ACM Turing Award lecture, Reflections on Trusting Trust (PDF).

While this kind of technology has been around for a while, the fact that Google has published their own toolkit may lead to a de facto standard. I expect to take the GWT for a spin soon.

We logged on to the BA website, bought a ticket in [the passenger's] name and then, using the frequent flyer number on his boarding pass stub, without typing in a password, were given full access to all his personal details – including his passport number, the date it expired, his nationality (he is Dutch, living in the UK) and his date of birth. The system even allowed us to change the information.

I’m a bit surprised that this level of access was granted without typing a password. I wonder if the lack of a password is a system-wide feature or something that is configurable on a per-account basis.

The article then dives into the recent history of information gathering by the airlines/governments including the CAPPS II and subsequent Secure Flight programs. For additional background, see these weblog postings by Bruce Schneier and Ed Felten.

Even if you trust the entity with which you share your information, things can and do go wrong. The March 20, 2006, issue of InformationWeek magazine has an article, The High Cost Of Data Loss, which describes incidents of customer data-loss affecting millions of people. This cover caught my eye as it had a picture of Princeton computer science graduate student Alex Halderman; the article states:

J. Alex Halderman, a doctoral candidate in computer science at Princeton University, about a year ago received a letter from the University of California, Berkeley, where he had been accepted as a graduate student in 2003, advising him that his personal data had been compromised. A university computer had been stolen that contained files with names and Social Security numbers of applicants and others at the university.

Berkeley warned people affected by the breach to be on the lookout for scam artists who might try to contact them under the pretense of being affiliated with the school. Halderman was shocked that two years after he applied to UC Berkeley, the application remained susceptible to a data breach. “It’s amazing that data can be on file for years, even when you think you’re finished with it,” he says. “There’s no way to take it back.”

You can’t always “un-share” data

Alex’s experience illustrates that once information has been shared it is generally not possible to “un-share” it. I recently met with a representative of a company that holds some of my retirement funds to discuss my allocations. During the course of the conversation, the representative asked some questions about salary and retirement plans which was noted on a yellow pad of paper. Additionally, I answered a short questionnaire to assess my risk tolerance which was entered into an untethered laptop computer. The meeting went well but I was never told that the salary information was going any farther than the yellow pad. My mistake was not to make my wishes known that the information I provided was not to be kept on file. Sure enough, a week or so later I received a “confirmation letter” with all the information listed. It was clearly a form letter generated at the corporate office from data in a big database. I immediately returned the confirmation letter with a note asking that my profile be removed. A week or so later, I received a phone call from a customer service manager to discuss my request. The conversation was cordial and long but only partially effective. It turns out that once the data exists in the system, there is no way to remove it. The best he could offer was to set the values to obviously bogus values (like an annual salary of $1). The manager was surprised that I was sensitive about this — after all, (1) they take special measure to protect the data and (2) if I met with a different planner in the future they would need to have the information. My counter to this was (1) data gets lost/stolen/misused anyway (USA Today just reported that a Fidelity Investments laptop computer containing sensitive data on 196,000 retirement-account customers was just stolen) and (2) I could easily bring the information to each face-to-face meeting.

Other options

In addition to carefully considering whether to share personal information, you can also push back and see if the requester really needs it or if there is a way for you to get the goods or service without providing the information. Recently I renewed my family’s membership to a local swimming pool club. The application stated that proving the full birthday for all members was mandatory. After several e-mail messages I learned that the insurance company required that the club have this information on hand in the event of an emergency. In this case, I reluctantly decided that this was OK. In another case, I made a purchase at a nationwide home improvement store where my receipt indicated that I won a $10 gift certificate and could claim it by either visiting a website or by calling a phone number. I went to the website and saw that one of the required fields on the web form was birth date. Rather than using a bogus birth date, I tried the phone number. Interestingly, I was able to claim my prize without giving out this information — the system never even asked.

What to do?

Does this mean one should never share personal information? No, but it does mean that each time you do, you should think about the associated risks and benefits. What makes this trade-off tricky is that the benefits are often obvious and immediate and the risks are more nebulous. An interesting example of an unexpected use of seemingly benign information involved Farrell’s Ice Cream Parlor Restaurant customers who signed up for free ice cream on their birthday. The obvious benefit of sharing this information is that they would get free ice cream. However, in 1983, the U.S. Selective Service purchased a list of names and birthdays of boys turning 18 that year so that they could be reminded to register. Food for thought.

An anonymous reader writes “The New Jersey legislature is considering a bill [link] that would require operators of public forums to collect users’ legal names and addresses, and effectively disallow anonymous speech on online forums. This raises some serious issues, such as to what extent local and state governments can go in enacting and enforcing Internet legislation.”

The key provisions of the bill are:

2. The operator of any interactive computer service or an Internet service provider shall establish, maintain and enforce a policy to require any information content provider who posts written messages on a public forum website either to be identified by a legal name and address, or to register a legal name and address with the operator of the interactive computer service or the Internet service provider through which the information content provider gains access to the interactive computer service or Internet, as appropriate.

3. An operator of an interactive computer service or an Internet service provider shall establish and maintain reasonable procedures to enable any person to request and obtain disclosure of the legal name and address of an information content provider who posts false or defamatory information about the person on a public forum website.

The bill would make any operator of an “interactive computer service” (e.g., comments in a weblog) or an ISP liable to damages caused by a posting if the operator did not enforce section 2 (above) of the bill.

Peter G. Neumann, chairman of ACM Committee on Computers and Public Policy, states:

This of course would have considerable impact on all Internet newsgroups, and opens up the question of liability that out-of-state moderators would have. It also greatly increases the difficulties for whistle-blowers who might wish to publicly air vital concerns without the obvious risks of retribution. Seems like a bad piece of legislation to me.

This would also have a tremendous impact on operators of weblogs. To what extent would operators have to go to ensure that the name and address provided was accurate? Would they be required to periodically verify that the contact information is current? If someone posts an item that becomes a thread, would they be obligated to take down the entire thread if the person can no longer be contacted?

Sounds like a bad piece of legislation to me, too.

If Mr. Feingold spoke for the bill’s critics, Senator Jim Bunning, Republican of Kentucky, offered another perspective in support of the antiterrorism measure: “Civil liberties do not mean much when you are dead.”

Had he been around in 1775, I guess that Senator Bunning wouldn’t have agreed with patriot Patrick Henry’s, “Give Me Liberty or Give Me Death,” speech either.

The basic idea behind the talk was originally proposed by Sandy Pearlman and Professor Levitin in March 2005 — Specifically, that the Apple iTunes price point of 99 cents per song is much too high and that a price point closer to 5 cents per song would substantially increase revenues for record companies and artists.

Price Point

His argument that the price point is too high is based on the [2004 ?] statistics that there were 300 million legal iTunes downloads and 30 billion illegal downloads (where one billion is a thousand million) during the year. By lowering the price and getting some fraction of the illegal downloaders to become paying customers, you increase revenue. By using a simple-minded calculation, I figure that at a 5 cent price point 18.8% of those 30 billion illegal downloads would have to have been paying downloads instead to generate the same gross revenue. Here are some other price points:

Of course, the economics are not that simple. Such an adjustment would eat into the total sales ($3B in 2004) and simultaneously encourage the legal downloaders to potentially purchase even more music. Note that Professor Levitin emphasized that 5 cents was an example; it could be bigger or smaller as long as it was greater than zero. Also, instead of purchasing a song with unlimited plays, one could imagine that each time a song is played, the consumer is charged, say a tenth or a hundredth of a cent. The idea is that the actual value would be small enough that an individual consumer doesn’t really care but still generates a revenue stream.

State of the Record Industry

In order to discuss how consumers and musicians can reclaim ownership of music, Professor Levitin gave a rather interesting overview of the record industry. I wasn’t able to keep up with all the details. Here are some of the main points he made:

• The top 5% of the artists make 95% of the money.
• Most musicians either have days jobs or are on the road 340 days of the year.
• Record companies no longer find talent and then nurture it (e.g., Bob Dylan, Talking Heads, Barenaked Ladies). Rather, they find money makers and milk them (e.g., Spice Girls, ‘NSync, Britney Spears).
• In the 1980s, groups of investors began to buy radio stations and national consulting firms began to program (select songs for play) groups of stations.
• With the passage of the Telecommunications Act of 1996, the cap on the number of stations an entity could own in a given market was lifted. As a result, Clear Channel grew from 40 stations to 1240 stations.
• Massive consolidation in the record industry leaves four major labels (Sony BMG, EMI, Vivendi, Warner)—all are losing money and all are for sale for pennies on the dollar.

The main take-aways from this discussion are (1) the distribution of revenue is not fair to artists, and (2) the consolidation of the record industry, the radio broadcasters, and the radio programmers has reduced the diversity of broadcast content to the point that 90-100% of radio play is from the four major labels. The major labels have a market share of about 75% meaning that about 25% of the record industry gets little or no radio play.

Value Add-ons

For the people paying 99 cents a song, dropping the price by a factor of twenty sounds great; however, how does one get people to pay (even a nickel) for something they’ve always gotten for free? The answer: value add-ons.

The value add-ons could be that every song (including The Beatles) would be available online for every codec (i.e., in every format: MP3, AAC, Ogg) and that downloaded songs would not be corrupted and their tags would be accurate. Also, there would be the assurance that the musicians are participating in the revenue stream—musicians should be able to make a living as musicians.

Professor Levitin made a point of noting that the idea of paying for something that was once free is not without precedent. He gave two examples: TV and books. In the case of TV, if you use an antenna to pick up the broadcast signal, it is free. However, people regularly pay $50 a month for cable. I’m not sure that this is analogy completely works for digital music. I do concede that the cable signal is likely to be better than that from an antenna and that’s worth something. Having extra channels on cable is more a case of “bundling” rather than value-added. In the case of books, libraries will loan you one yet people still buy books. At this point in the talk, someone from the audience pointed out that people simply like to own the artifact—the actual book or CD—for reasons that may be purely emotional.

New Problem: Selection/Recommendation

If you’re like me, the growth rate of your CD collection significantly dropped after graduating from college—after that, there were far fewer people available to recommend music for you to try. If every song becomes available on the web, simply finding new music that you are likely to want to buy becomes a big problem. Given its decrease in diversity, broadcast radio is not likely to be much help. Professor Levitin explained that a recommendation engine would represent a significant value add-on. The recommendation engine would need to take into account a user’s personal tastes as well as their current mood. He then showed a screenshot of a system he worked on from MoodLogic.com.

Interestingly, the recommendation engine idea points to how the record industry might evolve to where music is 5 cents a song: Professor Levitin wrapped-up the talk by suggesting a buy-out by the major search engine companies. While there are certainly non-trivial differences between Internet searching and music recommendation, there are no doubt similarities. If Google, Yahoo, Microsoft, and Ask were to purchase a significant portion of the record industry, they would be in the position to index all available music and implement the proposal.

Additional Thoughts

Because the talk only lasted about an hour, we weren’t able to explore the nuances of the proposal in depth. While preparing this weblog entry, I’ve had the time to think about how I’d like the system to work. For me, the big issues preventing me from acquiring music online are:

1. Privacy/Anonymity — no one needs to know if I’m a closet ABBA fan
2. Unrestricted Personal Use — I want to be able to manipulate the bits of the song for my own use
3. Reasonable Cost — $0.99 per song from iTunes is too much for a song with digital rights management (DRM) restrictions (see #2) that is purchased from a named account (see #1)
4. Musician Compensation — I’d like to know that the artists and musicians benefit from my purchase

With the right kind of cryptographic protocols, it should be possible for me to anonymously purchase a song while still compensating the musicians.

In addition, I would like to use a recommendation engine. However, the design of MoodLogic’s system requires that one’s collection be uploaded to their servers for analysis. From MoodLogic’s Privacy Policy:

Why does MoodLogic identify my songs? Do they need to know what’s in my collection?
Simply stated – If we don’t know what songs you have, we can’t help you organize them, clean their tags, discover new music, or build one click playlists.

MoodLogic understands digital audio – and we know that a very high percentage of files have been linked with incorrect (or altogether missing) filenames and tags. It’s not easy to sort your music if artist and song names are misspelled – and it’s impossible to build one click playlists if your songs can’t be linked to descriptive data. In an effort to eliminate this problem, MoodLogic developed powerful media recognition technology to identify songs (and return their profiles) without the need for filenames or tags.

MoodLogic also compiles lists of identified songs, which help us better understand our community on an aggregate basis while improving the quality of our services. MoodLogic also may publish lists of such aggregated data (like ‘most popular songs’) so that others may also benefit from this information.

Instead of uploading my collection, I would much rather their system work like a virus scanner. That is, I periodically download (on a subscription basis) updates to the recommendation database so that I could get the latest recommendations.

I agree—in fact, the same argument could apply to the privacy implications of the new version of the Google Desktop. If you bundle enough goodies with a technology that threatens privacy, people will buy it anyway. Just a spoonful of sugar makes the medicine go down…

The trouble is that due to the provisions of the Electronic Communication Privacy Act of 1986, there are fewer legal protections on one’s files when they are stored with an online service provider (OSP) as opposed to when they are stored on your home computer. To access your home computer, the government would require a search warrant; to access files at an OSP they would only need a subpoena. A subpoena issued directly to an OSP could mean that you might not even be notified.