Secondary Screening

Archives
By Date
April 2006
March 2006
January 2006
December 2005
November 2005
October 2005
September 2005
August 2005
July 2005
June 2005
May 2005
April 2005
March 2005
February 2005
January 2005
December 2004
November 2004
October 2004
September 2004
August 2004
By Category
Airline Security Measures
Bicycles
Book Reviews
Congress
Data Mining
Department of Homeland Security
Freedom of Information
Government Secrecy
Miscellany
Other People's Writing
Privacy
Security Measures
The Courts
The New Web
Threat Level
Recent Entries
More DOJ Subpoenas
TRUSTe Trusty? A quick case study
V for I Want My Money Back
Schadenfreude Pt. II
Ticket? Check. I.D.? Nope, but Not a Problem
Lovely Day
A Slimy Little World
Published articles
Wired News Articles
Links
Wired News
DefenseTech
Practical Nomad
BeSpacific
DHS Privacy Office
Memory Hole Blog
Electronic Privacy Information Center
Privacy Digest
Electronic Frontier Foundation
Homeland Security Institute
Secrecy News
Emergent Chaos
EPIC West's Chris Hoofnagle
Prawfs Blog with Daniel Solove
Ann Harrison
Reuter's Andy Sullivan
Schneier on Security
Talk Left
Reason's Hit & Run
W. David Stephenson
Phillip Carter's Intel Dump
Project on Government Oversight
Technology Liberation Front
Edward Felten's Freedom to Tinker
Contact
Email me
415.375.3150
Subscribe
Feed: Your Reader
Atom
RSS 1.0
RSS 2.0
RSD
About Ryan Singel
I'm a San Francisco-based freelance journalist who covers antiterrorism programs, civil liberties, the Internet and privacy.
March 2006 Archives « January 2006 | Main | April 2006 »
March 30, 2006 | More DOJ Subpoenas

The Justice Department made a bit of a splash in January, when Google's opposition to a Justice Department subpoena for its entire index and months of user search queries became public. Now, according to documents unearthed via FOIA by InformationWeek, the feds issued subpoenas to at least 34 companies, ranging from Verizon to Symantec.

Google won its battle eventually, when a judge forced the company to turn over just a wee bit of information.

The Justice Department issued that subpoena, and AOL, Yahoo and MSN soon copped to having been served themselves -- though none fought the subpoena in court. The subpoenas are part of a long running battle by the DOJ to have the Child Online Privacy Act okayed by judges. (The 1998 bill, which was immediately deemed unconstitutional by the courts, mandates that commercial providers of material deemed harmful to minors have to find some method, such as credit card verification, to keep minors off their sites)

Specifically, the DOJ is trying to prove that filters don't work well to protect kids and it turns out that it didn't just want info from search engines. According to InformationWeek's Thomas Claburn:

[T]he Department of Justice disclosed that it has issued to subpoenas to a broad range of companies that includes AT&T, Comcast Cable, Cox Communications, EarthLink, LookSmart, SBC Communications (then separate from AT&T), Symantec, and Verizon.

Asked which companies objected to, or sought to limit, these subpoenas, Department of Justice spokesperson Charles Miller declined to comment because the litigation is ongoing. He also declined to comment on the utility of the information gathered by the government.

The documents presented to InformationWeek reveal that some companies did object to the government's demands. In an E-mail sent to the Department of Justice last July, Fernando Laguarda, an attorney representing Cablevision Systems Corp., characterized some of what the government was asking for as "overly broad, vague, ambitious, and unduly burdensome. [...]

The bulk of the subpoenas were directed at Internet service providers and makers of content filtering software. The effectiveness of filtering technology is a critical issue in the COPA case. If the Department of Justice can prove that filters fail to shield minors from explicit material online, COPA may well be reinstated.

Full Story.

Highlights of the subpoenas, as well as a .zip file of all 54 documents can be found here. (Hat Tip to Richard M. Smith for the last bit of info.)

Posted by Ryan Singel at 12:07 PM | TrackBack

March 28, 2006 | TRUSTe Trusty? A quick case study

As some of you may know, New York Attorney General Eliot Spitzer is suing Gratis Internet, the company behind the freeipods.com and Freepay sites, for violating their privacy policy and renting/selling their 7.2 million customer database to three companies, which used the list to send upwards of 200 million spam messages.

I've been following this pathetic little story for a while and was particularly interested in how TRUSTe, a non-profit organization that certifies privacy policies, would react to seeing one of their former seal holders being sued. The idea behind TRUSTe is that internet users can see the sign and know that a company's privacy policy actually means something.

If the allegations in Spitzer's lawsuit are true (and given that the lawsuit is detailed and includes email quotations, I'd be putting money on his side in this case), then I think netizens should not trust TRUSTe's little logo at all.

Here's a quick little timetable that includes the allegations in Spitzer's suit along with information from my own attempt to get TRUSTe to investigate Gratis.


  • June 2004 -- TRUSTe-certified Gratis rents out database including the names, home addresses, IP addresses and email addresses of 7.2 million customers to Datran Media, despite Gratis's promises never to sell or share this info. Datran Media employee notices the privacy policy and asks Gratis to change it. (Spitzer lawsuit allegation)

  • August 5, 2004 -- Gratis employee Rani Nagpal told TRUSTe employee Heidi Berger: "I think there was some miscommunication about our email list: we just started renting it out to one company." One assumes from this quote that TRUSTe was already getting complaints about spam originating from Gratis. (Spitzer lawsuit allegation)

  • September 15, 2004 -- Filed complaint with TRUSTe about spam arriving from third parties to address given to Gratis.

  • September 24, 2004 Gratis Co-founders Robert Jewell and Peter Martin tell my Wired News colleague Leander Kahney they have never "sold" their email lists but would stop sending email marketing messages.

  • October 5, 2004 -- TRUSTe responds by forwarding me an email from Gratis founder Rob Jewell who says I'm full of it and that "At www.FreeiPods.com and Gratis Internet, we respect the privacy concerns you have addressed in this matter. Please know that we do not share your personal information and in the future will not share this information." Having the proof in my inbox, I ask TRUSTe to actually look at it themselves.

  • October 7, 2004 -- TRUSTe responds saying they actually did do an investigation: "The results of our investigation indicate that Gratis Internet did not violate their privacy policy. [...] Unfortunately, you will have to contact the individual companies that are sending you spam in order to be removed from their lists."

    I make fun of TRUSTe here on the blog, WITHOUT even knowing that, as Spitzer alleges, that TRUSTe already knew that Gratis had violated their privacy policy.

  • December 10, 2005 -- Gratis co-founder Peter Martin writes me in an email: "Privacy is of the utmost importance to us as well. We have never sold any email address to any third party and never will."

  • December 24, 2004 -- Gratis sells JDR Media "access to the email addresses and other personal information on approximately 7,572,425 consumers." (Spitzer allegation)

  • February 9, 2005 -- TRUSTe revokes Gratis's privacy seal for not complying with some required changes. It's not clear what these changes are, but news accounts at the time suggest Gratis employees didn't take a required privacy class. No press accounts suggested that Gratis would have been required to notify all 7 million customers that the contract with them had been broken or that Gratis would be forced to make a public statement attesting to their actions.

  • February 11, 2005 -- TRUSTe and Gratis announce they have come to an agreement on how Gratis can get the seal back. TRUSTe still won't tell public what happened.

  • March 22, 2005 -- Gratis "sold email marketer Jumpstart Technologies access to approximately 1,880,382 names, Hotmail and MSN email addresses and IP addresses it had collected." (Spitzer lawsuit allegation)

  • Week of March 21, 2006 -- Attorney General Eliot Spitzer sues Gratis Internet, seeking damages that could easily put the company out of business. For its part, TRUSTe says almost nothing, except to avoid phone calls, cite "confidentiality agreements" and issue a press release re-iterating that it pulled Gratis's privacy seal.

That, in a time line, is how TRUSTe works for you.

So the next time you go to a website certified by TRUSTe, rest assured that TRUSTe will totally investigate any breaches of a privacy policy and find no evidence, even if they might have been informed months before that the breach happened, and that if it gets really bad, they will pull the seal but offer to reinstate if the company says sorry (in private, to TRUSTe).

Yup, TRUSTe seal or not, the old rules still apply. Don't give out real addresses to companies online, don't trust that market-based compliance programs mean anything, and don't click on the unsubscribe button.

Oh yeah, and there's STILL no such thing as a free lunch, a free iPod or a free privacy compliance program that works in your interest instead of the company that is paying for it.


Technorati Tags: , , , , , , , ,

Posted by Ryan Singel at 01:10 PM | TrackBack

March 28, 2006 | V for I Want My Money Back

V for Vendetta, the latest film from the Wachowski Brothers, managed to turn an ideologically interesting and morally ambiguous comic book series into a film about how bad fascism is. Of course, the film drops not so subtle hints to get viewers to link the future fascist state in England to the current administration, with more than a hint of the abominable far left "Bush Knew" conspiracy theories (the folks who argue that 9/11 was not a plot by fundamentalist Islamic terrorists, but actually a Reichstag-fire-like plot by the current administration).

The film turns the original graphic novel's relatively interesting battle between fascism and one of the more violent strains of late 19th century anarchism into a battle between repressive black booted thugs and liberals who appreciate antique Korans and like gay people.

Hmm, which side does the viewer get to be on?

Now, I'm a big fan of dystopias and utopias in fiction and cinema, but can we finally put to rest visions of a Big Brother future? Give me more riffs on Aldous Huxley, William Gibson and Franz Kafka's collective visions of the future, because Big Brother isn't here and isn't coming any time soon.

I'm no movie critic, so I'll quote a graf from Keith Uhlich of Slant Magazine, commenting on the closing moment of the film (spoiler alert). At this moment Ms. Natalie Portman (who should have ended her acting career at its pinnacle, The Professional), lets loose a train bomb that will explode Parliament. In defiance of the authorities, hordes of Londoners turn out, dressing in masks and capes just as the protagonist/killer/bomber/mediahacker V does, to watch the scheduled terrorist attack.

When the crowd of V's unmasks before the smoldering remains of (God bless you, Clark Griswold) Big Ben-Parliament, they stand perfectly still and stare forth coldly and impassively-they're like the wax figures from Madame Tussaud's performing the rave scene from The Matrix: Reloaded. Gazing over this multiracial panoply of faces (and listening to Portman's deathly serious voiceover about how V is "all of us") it's hard not to view these stoic souls as the Wachowskis' metaphorical representation of their audience. Not surprisingly, this supposedly all-inclusive cross-section of humanity comes across as little more than a faceless multitude to be coddled and exploited by ultimately meaningless laser light shows. Yet the writers neglect an important verity: once the fireworks have ended, we must inevitably leave the communal darkness and become ourselves again. And when we have emerged into the light, we might best make use of our time regained-a period in which, no doubt, those responsible for this abortive fiasco are distractedly stuffing their pockets with limitless amounts of green-by conceiving, planning, and executing a vendetta all our own.

Compare that scene in Ken Loach's masterful take on the Spanish Civil War (a fight against fascism), Land And Freedom, where Loach's camera hovers for almost 10 minutes watching a group of former serfs debate whether or not to create an anarchist farm collective. Subjects vs. Objects.

This subject wants his money back.

Posted by Ryan Singel at 11:20 AM | TrackBack

March 24, 2006 | Schadenfreude Pt. II

For those of you playing along with the Freeipods.com lawsuit, here's some extra fun.

Jumpstart Technologies was one of the three companies Freeipods.com (aka Freepay and Gratis Internet) sold their email lists to.

Turns out that on the same day Spitzer filed suit vs. Gratis, the Federal Trade Commission leveled a $900,000 civil penalty for violating the CAN-SPAM Act against the spammers at Jumpstart Technologies. That's the biggest FTC penalty ever for a spam operation.

A big hat tip to Michael over at Spamroll for making the connection.

Posted by Ryan Singel at 04:18 PM | TrackBack

March 24, 2006 | Ticket? Check. I.D.? Nope, but Not a Problem

It's now official.

You don't need identification to travel on an airplane.

Now, the signs in the airport still tell you that you must have identification.

The TSA's website itself states, "Each adult traveler needs to keep available his/her airline boarding pass and government-issued photo ID until exiting the security checkpoint."

Neither those signs nor the TSA's website are true.

Who says?

The TSA.

"Passengers are allowed to enter screening area without identification," TSA spokeswoman Amy Kudwa told this humble reporter today.

I got an off-the-record reason for the untruthful statements in the nation's airports and on the website created with your tax dollars.

The on-the-record answer: "Customers should present government-issued I.D."

As far as I know, this is the first public acknowledgment that the government's official policy is to let people on planes without identification, that is attributed to a TSA employee (the fantastic Sarah Lai Stirland had an unattributed version here.)

The TSA has told the Ninth Circuit in two separate cases (John Gilmore & Daniel Kuualoha Aukai) that airport policy was to let people enter security areas without identification.

Gilmore's Identity Project has been asking for volunteers to see if that was true in ye olde meatspace.

Results, currently mixed. Dog-ate-my homework excuse with contrition gets you less hassle than a flat-out refusal seems to be the pattern, according to folks at the I.D. Project.

So, if you want to fly without identification without telling any white lies, I recommend taking a hearty amount of fortitude and a copy of at least one of the rulings from the Ninth Circuit.

You are likely in for a battle when the security personnel point to the sign and you try to tell them that your government is not actually telling the truth. And that it knows it isn't telling the truth. Good luck with that.


Technorati Tags: , , , , , , ,

Posted by Ryan Singel at 03:42 PM | TrackBack

March 23, 2006 | Lovely Day

Today, March 23, New York's Attorney General Eliot Spitzer filed suit against Gratis Internet , the 'brains' behind the Freepay Freeipods.com pyramid marketing schemes, alleging the company massively violated its privacy policy by selling its customer database to three marketing companies in 2004 and 2005.

All told those 3 companies, namely Datran Media, JDR Media (a spammer whose website registration info is incorrect and whose contact info is broken) and Jumpstart Technologies (best known for spamming the world with fake e-crush emails iin 2002) bombarded Gratis's 7 million customers with close to 350 million spam messages.

Spitzer is seeking enough money that its clear he's trying to put these lying bozos out of business permanently.

Specifically he wants, at minimum, $500 for each New York state resident the company sold out, which would conservatively work out to something around $10 million.

The move against Graits was widely expected since Spitzer announced just last week that it had settled with Datran for $1.1 million for buying and spamming the list despite knowing that the list was protected by a privacy policy.

Last week, Datran's paid shill portrayed Datran as a patsy caught in the crossfire to a number of media outlets, including Red Herring and myself, but today's lawsuit makes clear that Datran bought the emails, noticed the privacy policy and then ASKED Gratis to change it retroactively. (Lovely, lovely work by Datran employee Susan Weiner.)

For those of you unfamiliar with Gratis, the company, which started in 2000, made a splash in 2004 promising and sometimes delivering free ipods to rubes willing to sign up for promotional offers from the likes of CitiBank and Blockbuster and then convince 5 of their friends that they too could get a free ipod if they signed up and got five of their friends to sign up. (More detailed explanation here and here and here)

The result -- a bunch of overly credulous reporters deemed the site legitimate and the internet soon became inundated with pleas from free-lunch believing rubes looking for other free-lunch-believing rubes.

Gratis Internet co-founders Peter Martin and Rob Jewell and their paid PR flack/apologist (from the ostensibly top tier firm Flieshman-Hillard) repeatedly swore up and down to me, Leander at Wired News and anyone else that would listen that Gratis wasn't in the business of spamming people.

According to the AG's lawsuit (.pdf), Martin and Jewell are just a pair of greedy liars.

After explicityly promising consumers that it would never "give out," "provide" or "sell, rent or loan" their information to anyone - including to its "business partners" -- Gratis did just that, for a quick payday.

Notably, Gratis's website's were "certified" by TRUSTe, a "non-profit" third party that certifies privacy policies. The lawsuit raises some VERY interesting questions about this group, (something I'll reserve for another post), but, suffice it to say here, that the new info adds more credence to my conculsion that TRUSTe's logo isn't worth the pixels it is printed with.

Martin and Jewell each made between $1.5 and $3 million in 2004, but only a small percentage, some $430,000, of Gratis's revenue came from the spam contracts, according to Spitzer's lawsuit (second .pdf).

That's really funny, because Spitzer now wants all of it. Not half, Eddie. All of it.

According to the lawsuit, all of the money that "ethical" companies like CitiCorp and Blockbuster paid for customer leads (~$20 to $70 per lead) is tainted by the scam, since Gratis customers would not have signed up if they knew they were going to have their information, including home addresses and IP addresses, sold to spammers like Datran.

Gratis unjustly earned several million dollars in commissions from third parites, by providing those parties with consumers for promotions even though the consumers were deceptively promised that Graits would not share their infromation.

So it looks like Mr. Peter Martin and Robert Jewell's desire to make a few more bucks by selling their customer database to spammers may mean they have to give up all of their earnings to New York's crusading AG, not just the money they made from selling out netizens to spammers.

Could not have happened to a better bunch of greedy scammers.

Oh, and adding to the schadenfreude, some emails I recieved today which included the phrase "class action" indicate that Spitzer isn't the only lawyer interested in suing Mr. Jewell and Mr. Martin for all of their money.

Technorati Tags: , , , , , , , , , , , ,

Posted by Ryan Singel at 11:17 PM | Comments (3) | TrackBack

March 16, 2006 | A Slimy Little World

The world of email marketing, whether that be black hat spammers or the so-called legitimate email marketers, is a slimy little world, one I've had to immerse myself in for the last couple of days.

Datran Media, a leading email marketer, just settled with New York Attorney General Eliot Spitzer for $1.1 million dollars for knowingly buying marketing databases from companies that promised their customers they would never sell or share their info with any third party.

Not surprisingly for any longtime reader of this blog, the biggest list Datran bought was from Gratis Internet, the good guys behind the FreeIpods (now known as Freepay) marketing scheme. (For more on why the scheme won't work out for most people, despite its legality, see one of these prior posts (1, 2)). Gratis remains under investigation by Spitzer, and smart money says they will soon be settling themselves, for a good deal more than $1.1 million.

When Datran bought the list in July 2004, Gratis's privacy policy was certified by Truste, who, after being asked in 2004 to investigate why third parties were spamming Gratis's customers, couldn't find any privacy violation. Nor could Truste be bothered this week to reply to repeated requests to explain their role or why people should continue to trust its seal of approval. For its part, Datran likes to portray itself as being the fall guy -- but Gratis didn't change its privacy policy until sometime in September or October of 2004, way after they got involved with Gratis.

It's all just one slice of a sleazy, sleazy world, and I can only say I'm glad my job doesn't involve barraging people's inboxes with unwanted though ostensibly "legitimate" emails, trying to get people to believe in a free lunch or providing PR cover fire for these slime balls. Leander has more on his run-ins with these fine folks over at the Cult of Mac blog.

Full Wired News story here.

Technorati Tags: , , , , , , , , ,

Posted by Ryan Singel at 01:15 PM | Comments (1) | TrackBack

Powered by
Movable Type 3.2