When my consulting team did security stuff (note technical terminology) at Lotus, we found that the biggest risk from passwords is the Post-It note: users write down their passwords because security policies mandate ones that aren’t readily remembered. Try wandering around your office environment and see how many of these you can find 1) attached to monitors, 2) under keyboards, or 3) on office desk calendars / blotters. Far too much security protocol relies on conventional wisdom and accepted practice rather than empirical data.

Great cases, like hard cases, make bad law. For great cases are called great, not by reason of their real importance in shaping the law of the future, but because of some accident of immediate overwhelming interest which appeals to the feelings and distorts the judgment. These immediate interests exercise a kind of hydraulic pressure which makes what previously was clear seem doubtful, and before which even well settled principles of law will bend. Northern Securities Co. v. United States, 193 U.S. 197 (1904) (Holmes, J., dissenting).

Google uses industry-standard Hypertext Transfer Protocol Secure (HTTPS) encryption technology to protect customers’ login information. However, encryption is not enabled by default to protect other information transmitted by users of Google Mail, Docs or Calendar. As a result, Google customers who compose email, documents, spreadsheets, presentations and calendar plans from a public connection (such as open wireless networks in coffee shops, libraries, and schools) face a very real risk of data theft and snooping, even by unsophisticated attackers. Tools to steal information are widely available on the Internet.

Thanks to Chris Soghoian for his leadership on this one!

You got to know when to hold em, know when to fold em,
Know when to walk away and know when to run.

The department wisely ran.

The complaint in the lawsuit makes for interesting reading. First, I’m depressed that a complaint still has to describe the Internet. Second, iMEGA rightly argues that ISPs are not common carriers, and hence not subject to the Wire Act’s demands about leasing, furnishing, or maintaining a facility whereby gambling information is transmitted. (See 18 U.S.C. 1084(d).) Third, I think it’s undesirable to have states making content blocking decisions, especially ones that apply to national and international carriers – it has the risk of increasing access costs, and of leading to overblocking if providers want to reduce those costs. (Cheaper and simpler to block a site for everyone than to differentiate by geographic location.)

But the neatest, and most brilliant, part of the complaint is that it throws Minnesota between Scylla and Charybdis: if ISPs block gambling sites by fully-qualified domain name or IP address, they’ll prevent access to lawful information (such as a history of blackjack) protected by the First Amendment – but if they block at a deeper level, such as individual URLs, it’ll be under-inclusive. This is clever, probably accurate, and diabolical. It points out the flaws in filtering: either it’s easily evaded, or it’s going to sweep up content that is permissible. The First Amendment frowns on both.

I don’t know why Minnesota started down this path. My intuition is that there’s either a norms-based goal, or a political one. The norms-based goal would be to signal Minnesota’s disapproval of on-line gambling. The political one would be to advance someone’s career by appearing to tackle (mostly out-of-state) gambling interests, even in a losing battle. (Battle of Thermopylae metaphor, anyone?)

Prediction: there will be more state-based filtering efforts, and soon. Pick your targeted material: a) child porn, b) terrorism materials, c) gambling, or d) “obscene” content. Any bets?

Hat tip, and serious props, to my colleague Karen Schneiderman for great research following this case…

[Update 1:00PM: The panel is in room 310.]

Heartland does not know how long the malicious software was in place, how it got there or how many accounts may have been compromised. The stolen data includes names, credit and debit card numbers and expiration dates.

“The transactional data crossing our platform, in terms of magnitude… is about 100 million transactions a month,” [the company's president] said. “At this point, though, we don’t know the magnitude of what was grabbed.”

Wow. (The company hastens to add that, because the bad guys didn’t get addresses, they would need to make counterfeit cards to exploit this data. Small comfort if you’ve read stories like this one.)

This disclosure reminded me of a speech I attended recently: an important DC lawyer who represents companies in privacy disputes was complaining about data breach notification laws. He pointed out, correctly I think, that the expense of disclosing a breach often dwarfs the real risk of harms like identity theft. But then he said the better response would be regulatory rules that set the requirements for data security. Not so sure about that.

I am skeptical about the effectiveness of some federal agency (the FTC?) supposedly auditing data security compliance at big firms across the country. It has not worked very well for health care privacy under HIPAA. One thing that moves data security up a company’s priority list is the reality that mistakes will be made public. But for states’ data breach notification requirements, we might never have found out about the Heartland breach (never mind the many, many others revealed through these laws). True, there could be some better standards as to when a breach creates enough risk that the costs of notification are worthwhile. But the basic technique of using the disclosure of errors as deterrence to force better precautions seems sound to me in this setting. How far would we be toward improving data security if these breaches had remained secret?

Spam’s basic problem is the same: our social norms of trust are at odds with the insecure foundations of e-mail. Put another way, both we and our e-mail systems are too trusting, and thus easily duped. Spam exploits the credulous (”If my friend forwarded this link, it must be OK!”) and the opportunistic (”Hey, free Anna Kournikova pictures!).

I still think we should do three things. First, e-mail just doesn’t work for communications that need security and the ability to authenticate senders. I proposed “safe mail” a few years back, and as with most academic ideas, it’s garnered almost as many supporters as Blagojevich for President. But it’s still a good approach. Second, ISPs need to think about rather paternalistic approaches (=URL blocking) in some cases, with opt-out for those willing to take informed risks. Think of this as mandatory StopBadware – when you try to connect to a spoofed or phishing site, you can’t. Finally, we need better defenses on our computers. Microsoft Vista tried for this, but its constant security warnings annoyed everyone without increasing security, leading to defensive ad campaigns rather than defensive computing.

Spam will always be around. It worries me, though, that our perception of its threat seems to be inversely proportional to the harm its payload carries…

I don’t play MMOs or other virtual world games based on the high likelihood that I’d become an obsessive recluse who subsists on Diet Pepsi Max and is frighteningly pale. (Oh, wait, too late…) So I hadn’t given virtual property too much thought. But I realized that maybe this cognitive disconnect – why pay hard cash for items “made entirely of fiction and code,” as Wired puts it – comes from the label “property.” IP aside, we still expect property to be stuff – things we can lay hands on, move around, and keep away from others. Virtual swords don’t really fit this model. This leads to all sorts of challenges flowing from this cognitive mismatch: can you “steal” virtual property? What happens if the game designer gives everyone the same cool sword that you bought? Or eliminates it? Should realspace courts enforce virtual bargains?

Here’s a better model: it’s a service. (Disclaimer: I’m sure someone else has come up with this.) Take Disney World’s FastPass option. You pay more money, and in exchange, you get to cut the line at attractions like Big Thunder Mountain Railroad. (Probably not necessary at It’s A Small World – anyone who can listen to that theme song for the duration of the ride should automatically get to cut.) Going to Disney isn’t buying a thing – it’s buying an experience. At the end of your day, you don’t have anything to show for your money except pleasant memories – a change in your lived experience. The FastPass enhances that experience; it makes it more pleasant and reduces annoyances like standing behind people wearing mouse ears. But it isn’t “property.”

So, too, virtual swords. They enhance the in-game experience, letting you do things that would otherwise take more time, effort, and psychological discomfort. Basically, you’re buying a better experience – in some cases from the MMO, in some cases from a third party. I think if we reframe virtual world questions along this axis, it might help us think about challenges like theft and breach of agreements, and perhaps even about in-game alterations.

I’ve got to ponder this a bit more, but I’d love to hear what all of you have to say. And if any of you have a virtual ninja monkey for sale, I’m game!