December 2007
Facebook Apologizes (5 December 2007)
More Tracking Mania: PDFs with Ads (6 December 2007)
Western Digital's Crippled Drive (9 December 2007)'s "AskEraser" (12 December 2007)
Full Text Feed Coming Soon (12 December 2007)
Full Text Feed Installed (31 December 2007)
Exploiting Linkages for Good (31 December 2007)

Facebook Apologizes

5 December 2007

A couple of weeks ago, I described Facebook's "Beacon" system of apparent user endorsements of various products. Lots of people were upset by it; they've now backed down and apologized for it.

It's good that they've changed things; the sad part is how long it took.

More Tracking Mania: PDFs with Ads

6 December 2007

Another company is getting into the trackable ads game: Adobe. They've announced a new product: PDF files with ads. Publishers can upload PDF files to Adobe's web site; the files will be modified to display ads via Yahoo!'s advertising network. When the PDF file is viewed, "contextual ads are dynamically matched to the content of the document." The ads are displayed in a sidebar; they aren't printed, and don't obscure the content of the document.

Ads alone are perhaps unobjectionable. After all, someone has to pay for web content. The problem, though, is that user behavior is tracked. From reading the privacy section of the Technical Details page, I believe that the viewer invokes a web browser to retrieve and render ads. This means that viewing a PDF incurs all the privacy and security risks of Web browsing, including cookies, web bugs, and Javascript.

There is one bright spot: at least in the current version, users are shown a "network connection dialog" before any ads are retrieved. If you say "no", you won't see the ads and you won't be tracked. You can even select "Remember my action". Frankly, I suspect that that won't last; given a choice, most people will decline to see ads. Time will tell; for now, I applaud Adobe for including that feature.

Another interesting question is what the ads will be like. Today, they're restricted to text. Adobe says, though, that images and graphics will be implemented. They also note that the ads may include Javascript, at the discretion of the advertiser; that in turn may mean that there can be pop-ups.

Tags: privacy

Western Digital's Crippled Drive

9 December 2007

There's been a lot of discussion about Western Digital's intentionally crippled network drive. Briefly, the device — a 1 Terabyte storage unit — can serve up files on the wide-area Internet. This lets you retrieve your files when you're traveling — except that a great many file types cannot be shared with other users "due to unverifiable media license authentication".

This is, of course, preposterous. Normally, I'd be content to let the market deal with it — why would anyone want to buy a crippled product? — but I'm concerned that more is going on. Western Digital isn't stupid; why have they done this? More precisely, why would they go to extra effort to add a feature none of their customers want, and which is trivially evaded by those who want to distribute copyrighted materials?

The obvious answer is to evade lawsuits for contributory copyright infringement. It's unclear to me that that's a sufficient explanation. As best I can tell (and I'm not a lawyer), they're under no legal obligation to take such actions. This is a product with "substantial noninfringing use", the standard the Supreme Court set in the Betamax case.

One possible answer is that pressure was applied by the content industry. Perhaps Western Digital (or, more accurately, its Mionet subsidiary) has received a threatening lawyer letter. If so, there's no hint of that on its news page. (Might they be on double secret probation?)

A more disturbing possibility is self-censorship. That is, they're afraid they might get sued, and defending against a groundless lawsuit is still very, very expensive, especially when your opponent has much deeper pockets than you do. This — self-censorship of behavior out of fear — is the real danger. The market will indeed deal with isolated incidents of stupidity, but only if consumers have a choice. If the content industry has created such a climate of fear that people and corporations won't exercise their lawful rights, we're all in trouble.'s "AskEraser"

12 December 2007

Since I frequently criticize companies that have done something bad about privacy, it's only fair to praise the ones who do good things., a search engine, has introduced the AskEraser, an option to prevent it from retaining any user data, via cookies or any other mechanism.

One can quibble about some of the details: it may take a few hours to take effect, the option expires after two years, etc. More seriously, your queries are sometimes delivered to third parties, and the AskEraser does not affect that process. They do claim that you are protected by their contracts, but that's not the same as technical protections.

All that said, this is a big step in the right direction. Other search engines are prying ever deeper.

Tags: privacy

Full Text Feed Coming Soon

12 December 2007

A number of people have asked me if my RSS feed could contain the full text of the postings, rather than just the first few lines. I will do it, but it may not happen until mid-January. The blogging software I use needs several improvements, and I just don't have time to do them during the semester. (I tried a quick-and-dirty fix in October. It didn't work…)

I'll make a few other changes at the same time. The monthly archives will contain an index of all postings during that month; I'll probably add an ATOM feed as well. There will be some internal changes as well; the most important of which will make the code general enough to release, if anyone else wants it. (I'll probably post a notice of that on the blog when it's ready.)

Full Text Feed Installed

31 December 2007

Starting today, all of my posts should contain a full text feed. The other enhancements I plan aren't ready yet. An unfortunate side-effect is that the RSS feed may show the last five posts as new.

Exploiting Linkages for Good

31 December 2007

I heard an interesting story the other day. Since I often write about how linkages can be exploited for bad purposes, I thought I should mention an instance where there was a happy ending. I do have permission to post this story to the net.

Paul was robbed of his laptop at gunpoint. The story might end there, except that a few days later, a girl called him to ask for his password: "We're from Microsoft; we've recovered your laptop, but we need your password to verify your ownership". Paul said he wasn't comfortable giving it out over the phone. She asked if he'd email it to her; he agreed, so she supplied her Yahoo! Mail address.

Naturally, Paul called the police with that information. They thanked him, but said there was nothing they could do with it. Paul, however, knew rather more about the Internet. Since the caller had sounded rather young, he went to myspace and searched for that email address. He found her page; however, it was marked private, so he couldn't read it. But he searched for her myspace name on Google to find her friends. That was very productive; aside from a picture of one of her friends with a gun, another friend provided her own picture and precise birthdate and time, as part of her horoscope… This was enough for the police, though emailing the information to them was a bit problematic: the robbery squad — in what should be one of the most tech-savvy large city police departments in the country — has a single email address on a fading ISP, and the detective had to look it up.

The rest of the story is ordinary police work. The police found the astrology believer; she identified her friend, who indeed had Paul's laptop. However, she was a juvenile, so he doesn't know what happened to her. She told the cops who gave it to her (not the person who posted the picture of the gun, it turned out); the police then arrested him. Paul then had to identify him in a lineup; thirteen other robbery victims did the same.

The moral? I'm not sure… One, of course, is that many criminals are very stupid. Beyond that, the linkages were there, and Paul knew how to exploit them. The police did not, and they should have. Perhaps not enough violent street crime has a cyber angle to make such expertise worthwhile in that squad. But Paul got his laptop back, and the perpetrator was convicted.