Trust me I am a Technologist and you don't understand...

greenspun.com : LUSENET : TimeBomb 2000 (Y2000) : One Thread

I have started this thread because something in a previous post struck a nerve that has been raw since the implementation of cookies by Microsoft a few years ago.

There is a great hue and cry not to regulate the Internet. I believe there are many valid reasons why we should not regulate content on the Internet but I also have concerns about the implementation of 'privacy invading' technology.

I believe Congress has severely dropped the ball on regulation of this 'privacy invading' technology and law enforcement has failed miserably to enforce existing statutes concerning computer crime (hacking, virii, trojan horses, etc.). The reasons are complex but one of the biggest reasons, in my perhaps not so humble opinion, is that we (Computer Scientist here) technologists have successfully raised the cry, "Don't regulate what you can't understand." We in the industry have deluded ourselves AND our legislators with the idea that we can manage the power which accrues to this new communications technology. We have pushed the boundaries so quickly that we have successfully managed to establish 'people tracking' technology BEFORE the population has had an opportunity to assess the benefit/threat ratio of that new technology... 'future shock' in other words, is here.

Microsoft has been at the forefront of this effort to track your activities on the web. Not to imply that all others have not also taken part, for they have. People (users, even power users) have only the vaguest idea of what a vendor can do when they are allowed to install software on your system. We have already seen a couple of instances where installed software from major corporations was forwarding user tracking information back to corporate without the knowledge of the user. This 'automated' data collection, profiling, whatever you want to call it, is being sold to an unsuspecting public by well meaning programmers and marketeers who make promises about how much it will 'simplify' your life. These are the same people who put the 'shutdown' option under the 'start' button...

In another life I was an intelligence collector and analyst. Those experiences have given me a different perspective on the dangers of such tracking software... I want to present one or perhaps two purely hypothetical scenarios as to how such technology can be misused and URGE you to think on other like scenarios.

Suppose I am a Senator on a committee that is responsible for an investigation into campaign finance illegalities. Suppose that I find a few hours one afternoon to casually browse the web and have a bit of a problem with enjoying pictures of young men. Suppose that I happen to browse a site in China, established by their intelligence community that provides such pictures. Suppose that a week ago I ordered something on-line from some vendor who placed a cookie containing my identity in my browser. Suppose that the site maintained by that intelligence agency downloads all the cookies in my browser. They now have all the information they need to send their representative to my office one afternoon. The scenario would go something like this. "Senator xxxx, the representative of the Chinese embassy is here for his appointment concerning your decision on xxxxxx" (some totally unrelated matter). The representative then opens his briefcase while discussing the other unrelated matter and allows only the Senator to notice a picture (one that he had been browsing on that web site a couple of days ago). The representative NEVER mentions the picture. It is as if it weren't even in his case. They discuss the other matter and he leaves... The Senator stews a while and becomes fearful that they may have one hell of a lot more than just that picture. He knows that they have a thousand ways to make that guilty secret of his public knowledge... and so he makes the expedient decision... in the campaign finance matter. NO I AM NOT SAYING THIS HAPPENED. I am saying something like this can and probably has happened. That is why cookies are dangerous. Not because the information any individual cookie provides is necessarily dangerous BUT because it has the potential to be MISUSED.

Here is another one for you. Suppose that some government agency manages to get a company like Microsoft or Netscape to install a back door to your system. Maybe something that allows them to make security modifications to your system. Suppose that you are an outspoken critic of that agency and have frequently performed some sort of watchdog function, such as reporting your concerns to your Congressman or perhaps the Speaker of the House. Now suppose that they are somewhat upset with you and some mid-level manager controlling the activities of an intelligence unit decides that it is time you took a fall. He does not have to be authorized to do the setup, all he has to do is be able to cover it up from his superiors... so... one day while you are online... your security settings are changed and half a dozen cookies are dumped into your browser showing that you have visited certain child pornography sites... a couple of days later the FBI receives an anonymous tip that you are viewing illegal pornography.... They seize your computer and dump your cookies and lo and behold, the proof is right there.

One day you write a letter to an old friend in MS Word. You mail it as an attachment to a friend in Germany. It crosses the filters and a copy is dumped into a database. Three days later a major corporation is hit with a macro-virus that contains all the identifying information from that message to Germany and it looks like you are the guilty party. How do you explain that you are not to the judge?

Technology IS dangerous folks...

-- Michael Erskine (osiris@urbanna.net), December 26, 1999

Answers

That's why Cookies get dumped as soon as I leave a site. Only cookies I want to stick around are being cached. The informed user has a choice. It's like everything else, the people that know will find ways around a problem; who doesn't care gets caught on the web. There are many utilities download sites on the web that let you set up your computer as YOU want it and behave as you want it. There is NO excuse for people not to do it.

-- RickJohn (rickjohn1@yahoo.com), December 26, 1999.

Yes, technology is very dangerous and porography makes me toss my cookies. Back to the future!

-- (lorenzo@luddite.central), December 26, 1999.

I expected someone to point out that porn makes them toss their cookies... in fact that is why I picked porn and not some 'lesser' evil which would still be a potentially serious issue to someone in the public eye. Yes we can clean out our browsers... what have you done about the _NSAKEY in your registry... you do run Microsoft don't you? Have you removed the default settings in your MS Word that include all the registration information you input at install with every document you publish? I am a Computer Scientist, what I know FOR SURE is that I can not keep up with every new invasion of my privacy that is enabled by some poorly thought out new information technology.

My friend, if I can't keep up with it... There is no reasonably informed user that can. What I am describing is the tip of an iceberg not the whole scenario.

-- (...@.......), December 26, 1999.


Michael, Thanks for your article. This site talks about pollys with regard to y2k but as you mention, the invasion of privacy issue is not something to keep our head in the sand about. I don't know that regulation is the answer because I would think that the regulating authorities would desire to have some type of tracking system. Being aware of these realities and the potentials is at least a step forward.

-- Bob (not UncleBob) (secondguesser@home.here), December 26, 1999.

I still believe we are innocent until proven guilty and that's why, regardless of what anyone else thinks about lawyers, I love them. My conscience is my guide so I do not do anything wrong, but if the government tries to frame me they will pay a thousand times. They can spy all they want, but they will never take away our freedom on the Internet because this is one place where they were not able to get control before it became popular with the masses. If they try to screw with us now, we've got the best and brightest hackers on our side, so they'll never be able to implement any system that is unfair.

-- Hawk (flyin@high.again), December 26, 1999.


Hawk... Little known FACT. IP that is the TCP/IP which is the lingua franca of the Internet was developed at the behest of NSA. We have it today because it was released into the public domain by DIRNSA (use of which word ensures this message was flagged) which expands to Director Of National Security Agency. The very code we all depend upon to communicate... If it were not for NSA, we would not be able to do this. Most distributions of that code have had the copyrights removed and one can no longer discover those copyrights in the source code but I am sure there are other programmers on the board who have seen those copyrights in the past. I was not able to find it in the source on my system but it is a German distribution of Linux. Several months ago I showed it to my son on one of my Debian systems (he is graduating W&M next summer, God Willing, as a Computer Scientist). I thought he should know.

That source code has been ported to every TCP/IP stack of which I know. Some of the obvious holes have been cleaned up, for example the holes in ICMP (in particular ping) which originally appeared to be a good idea but later proved to be security issues are removed in most recent implementations. What else is there? Probably precious little that has not been cleaned out by the programmers on the net BUT... There have been rumors of back doors for years... none substantiated... just rumors.

This year the biggest security problem was buffer overflows. This is a method of obtaining administrative authority by sending an overlarge packet manipulated in such a way that the system executes code stored in the packet after it is received. Hackers have now discovered this technique and written volumes about it on the hacking sites. It is not a new technique in the intel/scientific community but widespread exploitation is fairly new in the hacker community (operative word being widespread).

I do not believe that the intelligence community OF ANY COUNTRY is unable to obtain the 'best and brightest minds' for I know from experience that they are YEARS ahead of the community as a whole.

We can not rely simply upon the belief that we are smarter than they are so I opt for protection from the system by the same means our forefathers selected. I want legislative guarantees and strict enforcement of those protections.

I am probably too suspicious... I just have a real hard time trusting governmental systems or even over large corporations.

-- (...@.......), December 26, 1999.


Yes, I understand what you are saying, and I have heard that the Internet was originally developed for military purposes. But now it is dominated by the private sector, and it will be very difficult for the government to get complete control back without a hell of a fight. I believe that we should support any legislation and regulations that protect the privacy and freedom of the individual users of the Internet. Microsoft is a good example of what we need to watch out for, because corporations want to gather data on all of our activities on the Net, but unless we allow our constitutional rights to be destroyed I'm not going to let myself be paranoid about getting framed for a crime I didn't commit. Thank God for organizations like the ACLU, who are all over situations like the "Echelon" project.

-- Hawk (flyin@high.again), December 26, 1999.

Hawk... Getting framed for a crime is not the point. The point is the privacy issue. No, I am not worried about being framed for something. I am worried about the leverage the technology can be used to obtain and the lack of control of that leverage. I am not saying that someone is actually doing such things but I believe I know how 'intel' folks think and therefore I think they probably are doing such things. No specific intel people... might be anyone, any country, anywhere. We have opened some doors that were never so easy to walk thru before. Sure the old joke that runs in the community is true, "prostitution is not the oldest profession, it is the second oldest profession... the lady got paid twice." It has ever been thus, yes it has. But it has NEVER been so easy.

-- (...@.......), December 26, 1999.

Michael,

You raise a lot of good points. I have a lot of concern about privacy and security issues. Thanks for the warning, but what are some specific actions that "regular" users like myself can take, short of going to school for a couple of years to learn about all this stuff?

-- Clyde (clydeblalock@hotmail.com), December 26, 1999.


I was referring to Michael's suggestion that someone could put cookies on our computer that the FBI would use to convict us of a crime. In my opinion that is getting a little more paranoid than we need to be. The important thing like you said, is protecting our privacy rights.

-- Hawk (flyin@high.again), December 26, 1999.


Hawk; I am Michael. I understand your point. Did not intend for people to come to the conclusion it was happening to them. I don't think for a second it is... only that it could.

What things can one do short of a couple of years of school? I am truly sorry. As I said earlier, I can't keep up with the stuff as fast as it is coming out. I don't know what to do. You can set your browser to refuse ALL cookies by default but there will be inconveniences because of that. That still won't cover a half a dozen other issues.

I am a tiny ISP. I set my system up so that everything is aliased behind my firewall and a couple of servers. Most of the time no other site can actually track back to my users' computers. But that only protects against some things. Even the military/government are having trouble keeping up. The new protocols and technologies are popping up so quickly AND every single one that comes along, somebody in your organization simply MUST have that capability... next thing you know you have opened a big hole in your system.

Somewhere I recently read that Active-X and Java technology was to be disabled on all government computers... perhaps I have it wrong but it was something like that. Implication is that a technology that has been in use for three years or so has been decreed to be such a security risk that it is to be removed...

There is nothing really that you can do. But hope you hear about it first and block the hole before someone else finds it. Eventually you will lose and then it is time to reinstall. At least that is what I have seen.

Most of what I have spoken about here is the straight forward use of existing technology by people who would exploit the information they glean thru LEGAL means for ILLEGAL purposes. When you toss virii, trojan horse programs, and actual hacking into the picture it gets a LOT more messy.

Run a virus checker on your system at all times. Never execute a program you receive in email, even from a friend and tell people that you DON'T WANT THOSE CUTE LITTLE PROGRAMS. Never take a floppy disk to another computer without scanning it. Never boot your system with a floppy disk in the drive that has not first been scanned. Set your browser to refuse all cookies by default and see if you can stand the inconveniences... Now pray. It used to be that every site you visited would generate about fifty questions asking to set the cookie. I gave up. If you ever receive a receipt via E-Mail which contains information you don't want to be public knowledge, notify the sender in NO UNCERTAIN TERMS that E-Mail is a public medium... Thanks to the fact that NOBODY (for all intents and purposes) encrypts their mail. Ensure that your ISP has their ducks in order. There are thousands that haven't a clue as to how badly their systems are hacked. This industry NEEDS regulation, inspection, and licensing... much as I hate all those ideas. I have seen it, worked it. Even the ISPs for the most part just don't realize. Take a look at the thread that Taz started asking when she should upgrade. What she describes there makes ALL sorts of alarms go off in this paranoid mind, but then I caught a fellow compiling a client for 'Back Orifice' on a server at one of my customer's sites not four months ago. When confronted, though he no longer had an account with that provider, though he was compiling software used for only one purpose, he brazenly answered my E-Mail and said that he wasn't doing anything wrong. That it was OK for him to do what he was doing because he could.

What can we do, I don't know. I write my congressman and tell him leave the content alone but do something about the privacy issues. Fund it properly, and limit its scope appropriately. We have managed to do that with the telephone system, why can't we do it with the net?

-- (...@.......), December 26, 1999.


One last point because I am not sure it was clear from the heading under which I posted. "Trust me I am a Technologist" is a take off on "Trust me I am with the Government."

-- (...@.......), December 26, 1999.

Thanks for your valuable knowledge Michael, I will indeed keep it in mind. What I am hoping is that as long as we keep all of our current legislation in place, that our rights will still be protected regardless of what the environment is, including the Internet.

I must admit though, it makes me nervous to see things like this, where it would seem that existing legislation is being ignored with respect to the Internet:

http://www.greenspun.com/bboard/q-and-a-fetch-msg.tcl?msg_id=0026 Iy

If it is not legal to use recorded phone calls in a court of law, and then they say that they can use recorded Internet chats as evidence, then that is simply not right. Oddly enough, no one responded to this post, which seems to indicate that the sheeple are going to allow their rights to be taken away!

-- Hawk (flyin@high.again), December 26, 1999.


Oh, yeah. That is a bad one. Gives them the freedom to conduct surveillance without a Judge's permission... Don't like that AT ALL.

-- (...@.......), December 26, 1999.

In his book In the Absence of the Sacred, Jerry Mander observes that despite technology often being presented as giving us more control, it often has the opposite effect of creating a technological elite whom we are at a loss to influence.

Regarding the use of recorded Internet chats as evidence, I was wondering whether the surreptitious recording of speech in a public place such as a restaurant, would be admissible evidence under the law. This might bear on whether surveillance of chat rooms is legally defensible, even if it is repugnant.

-- David L (bumpkin@dnet.net), December 26, 1999.



David,

Regarding the use of recorded Internet chats as evidence, I was wondering whether the surreptitious recording of speech in a public place such as a restaurant, would be admissible evidence under the law. This might bear on whether surveillance of chat rooms is legally defensible, even if it is repugnant.

Public postings, like a conversation in a restaurant, ARE admissible since there is no presumption of privacy (even if you use an alias). Email (sent using your personal, non-company owned PC) would NOT be admissible to a third party unless they had a warrant. If it was you who was sending or receiving the email then it is admissible either by yourself or through discovery. You are even legally allowed to 'wire' yourself to tape a PRIVATE conversation as long as you are a party to that conversation. I know because I've done it.

Now I don't normally go around taping people but there was a situation a few years back where some people I happened to be working for were promising me the sun but refusing to put it in writing. They said their 'word' was good enough. When it came time for them to make good I had a mini tape recorder running in my pocket (I had watched them screw others over the months and was determined that they wouldn't do it to me). During that meeting they admitted they had been lying and I got up and walked out of the office never to return. I filed suit the next day. When they found out I had the tape they promptly settled. Had it not been for the tape I would have been SOL. Sometimes you just HAVE to protect yourself and your interests.

-TECH32-

-- TECH32 (TECH32@NOMAIL.COM), December 26, 1999.


TECH32 (which by the way is a fine piece if it is a firearm)... You are correct inasmuch as Federal law is concerned. Unfortunately there are a number of states where BOTH parties must be privy to the taping for it to be legal...

-- (...@.......), December 26, 1999.

Thanks for the info, TECH32.

Hawk and ...@......., from this, could it be reasonably argued that making it legal to record a conversation in a chat room is a logical extension of being able to do the equivalent in a restaurant?

-- David L (bumpkin@dnet.net), December 27, 1999.


From: Y2K, à la Carte by Dancr (pic), near Monterey, California

A chat is not necessarily the same as a restaurant. IRC software, such as mIRC, has logging capability built in. Some people log everything. I would use logs to defend myself, if necessary. I do not share privileged communications. Recording a restaurant conversation requires the introduction of recording devices which are not a natural or expected aspect of that environment. It's not the same thing at all. Web chats are closer to restaurant conversations. At least the ones I've seen. They do not have a built in recorder. Though it is possible to copy and paste limited amounts of conversation, this has to be done manually and intentionally.

-- Dancr (addy.available@my.webpage), December 27, 1999.

