Computers & Society/Identity & Privacy

And precisely on this date of looking (July 31, 2008) we have discovered the existence of bit.ly which is a smart URL shortener launched July 8. The discovery is made through the TechnologyGuardian article "Pointing the internet in a new direction" by Wendy M Grossman.

However, there is one exception to this use of bit.ly. URLs internal to the Wikiworld will be used in full in order that they adhere to the community guidelines.

=Technologies of Control= There are 3 types of technologies postulated by Manuel Castells (2001), in his seminal work „The Internet Galaxy“ p. 171:
 * technologies of identification
 * technologies of surveillance
 * technologies of investigation

Technologies of Identification
Castells (2001) cites 3 things which are used in the technologies of identification:
 * passwords
 * cookies
 * authentication procedures

The last item seems to be a catch-all. How about we try and expand on it now for 2008?

MyFlickr Authentication Procedure
Let us pick an „authentication procedure“ currently available and well-documented online? Here is one from the blog of "MyFlickr.org": «

1. The user visits user.myflickr.org, which presents a start button

2. When the user clicks the start button, user.myflickr.org replies with a redirect to service.myflickr.org/?next=user.myflickr.org

3. The user gets the page at service.myflickr.org which saves user.myflickr.org in a cookie in the browser and redirect to Flickr.com to authenticate with the MyFlickr application

4. The user's browser saves the cookie and goes to Flickr.com where he can decide to authenticate with MyFlickr.

5. If the user accepts MyFlickr to get permission to the user's photos, Flickr redirects the user to a URL which is configured in MyFlickr's API preferences together with a "frob". The Frob is a string that MyFlickr must use to get the user's security token.

6. The User's browser goes to service.myflickr.org. Now with the frob from Flickr in the request URL, and hopefully with a cookie with the address of the album he is trying to authenticate with. (As created in step 3)

7. If the server at service.myflickr.org gets the cookie, it can redirect the user together with the frob to the authenticating server, otherwise the server has to ask the user to fill in a form and provide this information again. This is where Flickr.com has severe limitations in the API. (see below)

8. The user's browser gets redirected back to the domain he tried to claim or authenticate with, together with a frob in the address.

9. When MyFlickr at the proper address gets the user back with the frob, it sends the frob back to flickr and should get the user's security token back. The security token can finally together with MyFlickr's secret keys be used to access the user's photos.

10. The user configures his site which goes live immediately!

It's a complex procedure with four redirects, but it looks simple to the user. So nothing can possibly go wrong! ;)

»

from MyFlickr blog

Full details of all related issues (updates, ...) are at MyFlickr.

Of particular importance is the (unfinished) Privacy Policy: «

The MyFlickr server you use to host your photos will get access to your private photos, but you can revoke this access at any time from your Flickr account. The MyFlickr service never access your photos, and will not display photos that you don't explicitly publish. MyFlickr only access information about your photos, and gives

»

And, yes! The last sentence is unfinished in the original text. Such unfinished business is potentially alarming, especially when it occurs in the Privacy Policy.

MyFlickr Authentication Procedure Experiment
It is not often one has the opportunity to experiment with both an „authentication procedure“ and a „privacy policy“ in the one application domain. How shall we go about setting up such an experiment?

We will follow the instructions precisely as given on the MyFlickr home page:


 * “All you need is a Flickr account with some photos”

So! Let us do it!


 * Step 1: Create a Yahoo! ID such as mihal.orela@yahoo.com
 * Step 2: Create a (free) Flickr account for Mihal Orela
 * Step 3: Claim the URL http://mihalorela.myflickr.org/
 * Step 4: Done! So! The first result shows Nebeto

It is strongly recommended that one carry out this experiment for oneself. At each stage of the process, a (dated) screen shot ought to be captured and saved for further analysis.

Technologies of Surveillance
According to Manuel Castells surveillance technologies, although different in kind from identification technologies, rely on the latter “to be able to locate the individual user” („The Internet Galaxy“ p. 171-2).


 * intercept messages
 * place markers that allow tracking of communication flows from a specific computer location,
 * monitor machine activity around the clock

In the article on Computer surveillance the concept of a packet sniffer is introduced. Outside of the immediate computer technology world the concept of a sniffer would apply to a dog or a certain kind of "wine" glass called a brandy sniffer. One sniffs, that is uses the nose (and hence relys on the sense of smell) to investigate, to find out what is there.

Technologies of Investigation
Such technologies “refer to the building of databases from the results of both surveillance and storage of routinely recorded information” (Manuel Castells, „The Internet Galaxy“ p. 172). Here, Castells cites Simson Garfinkel, „Database Nation“, Sebastopol, CA:O'Reilly, 2000.

Given that “data are collected in digital form” then “all the information items contained in the database can be aggregated, disaggregated, combined, and identified according to purpose and legal capacity” (ibid. p. 172). Today, we sum up all these processes with one succinct phrase:


 * data mining

Data Mining
In a business context “data mining (sometimes called data or knowledge discovery) is the process of analyzing data from different perspectives and summarizing it into useful information - information that can be used to increase revenue, cuts costs, or both.” Evidently, there is nothing that restricts data mining to the business world.

One of the key concepts that one might associate with data mining is that of profiling. A simple search on the latter will throw up some interesting insights. For example, the word profiling may be used to describe the action of performance analysis in software engineering and, moreover, a profiler “is a performance analysis tool that measures the behavior of a program as it runs, particularly the frequency and duration of function calls”. Let us substitute “behavior of a user” in the latter and see how it reads?

A classical case of profiling is used by Castell's in connection with DoubleClick in November 1999 (p. 174-5). « ...Double Click bought Abacus, a database of names, addresses, and information concerning the shopping patterns of 90 million households in the US. Using this database, Double Click created profiles linking individual's real names and addresses with their on-line and off-line shopping. »

He cites the article „The Eroded Self“ by Jeffrey Rosen in the New York Times Sunday Magazine, published April 30, 2000.

Here is the Privacy Policy of Abacus Direct which gives insight into just how customer data may be used.

Privacy Protection
Can one really protect one's privacy on the net? In 2001, before 9/11, Castell's gave a list of 4 websites providing technological resources to protect privacy (p. 187):


 * cnetdownload.com
 * junkbusters.com
 * silentsurf.com
 * anonymizer.com

It is seven years since the list was published. We need to know if these web addresses are still in use and if so that they refer to the same (original) entities. Let us take a look at each in turn.

Website address checking
1. cnetdownload.com — still exists  (Михал Орела 06:30, 5 August 2008 (UTC)) –– note the signature and date stamp! This is normally used for the date of last access to a web page and is to be highly recommended in serious scholarly work in journalism, academia, government, and so on. In this book, it is used especially for website existence checking. The name cnetdownload.com resolves into http://www.download.com/Mac/

Some interesting observations can be made. The Opera browser was chosen for this test. Other browsers used for checking were Firefox and Safari. The reason for choosing Opera in this case was to see if /Mac/ turned up. Clearly, download.com can tell that the computer being used in a Mac?

2. junkbusters.com — still exists (Михал Орела 07:03, 5 August 2008 (UTC)). In the „About us“ page we read Junkbusters Corp. was founded in April 1996 in Green Brook, New Jersey, with the mission of helping people get rid of junk messages of all kinds: spam, telemarketing calls, unwanted junk mail, junk faxes, and more. The web site junkbusters.com is a leading consumer resource on the control of junk communications and the protection of privacy. At the end of 2004 the site and other assets were tranferred to its sister company Guidescope Inc.

Of particular note is JunkBusters list of privacy policies.

3. silentsurf.com — still exists (Михал Орела 07:14, 5 August 2008 (UTC)). The address resolves into http://silentsurf.com/site/index.html. However, the page looks strange. At the very bottom there is a copyright notice: © Copyright 1999-2003 Distinctly Inc. All rights reserved. Page updated 30 Mar 2003. Further experimentation suggests that the actual site is dead. For example, one might like to try to buy... and read the disclaimer...
 * I fully agree with all of the policies and procedures outlined in the Distinctly.com Inc., Conditions and Acceptable Use Policy. I authorize Distinctly.com Inc. to deduct from the credit card used to purchase the service my normal monthly, quarterly, or semi-annual payments for my service as outlined in the order form for the above service. I agree fully with all of the terms in the cancellation policy outlined to me when I signed up for hosting services. In the event that this charge is contested by myself or charged back to Distinctly.com Inc., I agree that I am responsible for any charges incurred by Distinctly.com Inc. in defending authorization. In the event I wish to cancel my account, I need to call into the billing department to get full instructions for canceling. In the event that a refund is due, all monies owed will be credited back to this credit card, minus any startups, which are non-refundable after the account logins are sent out.

Before using the credit card it is worth checking Distinctly.com Inc. Continuing the research/experiment we find that the site „distinctly.com“ is available for purchase!

4. anonymizer.com — still exists (Михал Орела 07:33, 5 August 2008 (UTC)). Of note is the link to the Privacy blog.

= Notes =

= Reading links=  There is also the hard back version ISBN 978-0199241538. This is a particularly important text for many reasons. One of the most significant reasons is that it appeared in same year as and before 9/11. 

= e-Links=

on bit.ly
bit.ly Dan Frommer, Betaworks Launches Bit.ly, A Smarter TinyURL July 8, 2008. Wendy M Grossman, Pointing the internet in a new direction July 31, 2008. 

on data mining & surveillance
The Data Mine Jeffrey Rosen, „The Eroded Self“, New York Times, 2000. The Surveillance Project of the Department of Sociology at Queen's University, Kingston, Canada. </ol>

on DoubleClick
<li>DoubleClick Privacy Policy</li> </ol>

on Phorm
<li>The Register: The Phorm Files February 29, 2008.</li> <li>Phorm, Inc.</li> <li>Guardian announces it will not use Phorm March 26, 2008.</li> </ol>