



Obama Panel Recommends New Limits on N.S.A. Spying


December 18, 2013
The New York Times


WASHINGTON — A panel of outside advisers urged President Obama on Wednesday to impose major oversight and some restrictions on the National Security Agency, arguing that in the past dozen years its powers had been enhanced at the expense of personal privacy.

The panel recommended changes in the way the agency collects the telephone data of Americans, spies on foreign leaders and prepares for cyberattacks abroad.

But the most significant recommendation of the panel of five intelligence and legal experts was that Mr. Obama restructure a program in which the N.S.A. systematically collects logs of all American phone calls — so-called metadata — and a small group of agency officials have the power to authorize the search of an individual’s telephone contacts. Instead, the panel said, the data should remain in the hands of telecommunications companies or a private consortium, and a court order should be necessary each time analysts want to access the information of any individual “for queries and data mining.”

The experts briefed Mr. Obama on Wednesday on their 46 recommendations, and a senior administration official said Mr. Obama was “open to many” of the changes, though he has already rejected one that called for separate leaders for the N.S.A. and its Pentagon cousin, the United States Cyber Command.

If Mr. Obama adopts the majority of the recommendations, it would mark the first major restrictions on the unilateral powers that the N.S.A. has acquired since the Sept. 11 terrorist attacks. They would require far more specific approvals from the courts, far more oversight from the Congress and specific presidential approval for spying on national leaders, especially allies. The agency would also have to give up one of its most potent weapons in cyberconflicts: the ability to insert “back doors” in American hardware or software, a secret way into them to manipulate computers, or to purchase previously unknown flaws in software that it can use to conduct cyberattacks.

“We have identified a series of reforms that are designed to safeguard the privacy and dignity of American citizens, and to promote public trust, while also allowing the intelligence community to do what must be done to respond to genuine threats,” says the report, which Mr. Obama commissioned in August in response to the mounting furor over revelations by Edward J. Snowden, a former N.S.A. contractor, of the agency’s surveillance practices.

It adds, “Free nations must protect themselves, and nations that protect themselves must remain free.”

White House officials said they expected significant resistance to some of the report’s conclusions from the N.S.A. and other intelligence agencies, which have argued that imposing rules that could slow the search for terror suspects could pave the way for another attack. But those intelligence leaders were not present in the Situation Room on Wednesday when Mr. Obama met the authors of the report.

The report’s authors made clear that they were weighing the N.S.A.’s surveillance requirements against other priorities like constitutional protections for privacy and economic considerations for American businesses. The report came just three days after a federal judge in Washington ruled that the bulk collection of telephone data by the government was “almost Orwellian” and a day after Silicon Valley executives complained to Mr. Obama that the N.S.A. programs were undermining American competitiveness in offering cloud services or selling American-made hardware, which is now viewed as tainted.

The report was praised by privacy advocates in Congress and civil-liberties groups as a surprisingly aggressive call for reform.

Senator Ron Wyden, an Oregon Democrat who has been an outspoken critic of N.S.A. surveillance, said it echoed the arguments of the N.S.A.’s skeptics in significant ways, noting that it flatly declared that the phone-logging program had not been necessary in stopping terrorist attacks.

“This has been a big week for the cause of intelligence reform,” he said.

Greg Nojeim of the Center for Democracy and Technology called the report “remarkably strong,” and singled out its call to sharply limit the F.B.I.’s power to obtain business records about someone through a so-called national security letter, which does not involve court oversight.

Anthony Romero, the executive director of the American Civil Liberties Union, while praising the report’s recommendations, questioned “whether the president will have the courage to implement the changes.”

Members of the advisory group said some of the recommendations were intended to provide greater public reassurances about privacy protections rather than to result in any wholesale dismantling of the N.S.A.’s surveillance powers. Richard A. Clarke, a cyberexpert and former national security official under Presidents Bill Clinton and George W. Bush, said the report would give “more reason for the skeptics in the public to believe their civil liberties are being protected.”

Other members included Michael J. Morell, a former deputy director of the C.I.A.; Cass Sunstein, a Harvard Law School professor who ran the office of Information and Regulatory Affairs in the Obama White House; Peter Swire, a privacy law specialist at the Georgia Institute of Technology; and Geoffrey R. Stone, a constitutional law specialist at the University of Chicago Law School, where Mr. Obama once taught.

Mr. Obama is expected to take the report to Hawaii on his vacation that starts this week and announce decisions when he returns in early January. Some of the report’s proposals could be ordered by Mr. Obama alone, while others would require legislation from Congress, including changes to how judges are appointed to the Foreign Intelligence Surveillance Court.

Senator Rand Paul, Republican of Kentucky, said he was skeptical that any changes passed by Congress would go far enough. “It gives me optimism that it won’t be completely brushed under the rug,” he said. “However, I’ve been here long enough to know that in all likelihood when there’s a problem, you get window dressing.”

The FISA court, which oversees national security surveillance inside the United States, has been criticized because it hears arguments only from the Justice Department without adversarial lawyers to raise opposing views, and because Chief Justice John G. Roberts Jr. has unilateral power to select its members. Echoing proposals already floated in congressional hearings and elsewhere, the advisory group backs the view that there should be a “public interest advocate to represent the interests of privacy and civil liberties” in classified arguments before the court. It also says the power to select judges for the surveillance court should be distributed among all the Supreme Court justices.

In backing a restructuring of the N.S.A.’s program that is systematically collecting and storing logs of all Americans’ phone calls, the advisers went further than some of the agency’s backers in Congress, who would make only cosmetic changes to it, but stopped short of calling for the program to be shut down, as its critics have urged. The N.S.A. uses the telephone data to search for links between people in an effort to identify hidden associates of terrorism suspects, but the report says it “was not essential to preventing attacks.”

Currently, the government obtains orders from the surveillance court every 90 days that require all the phone companies to give their customers’ data to the N.S.A., which commingles the records from every company and stores them for five years. A small group of analysts may query the database — examining records of everyone who is linked by up to three degrees of separation from a suspect — if the analyst has “reasonable, articulable suspicion” that the original person being examined is linked to terrorism.

Under the new system proposed by the review group, such records would stay in private hands — either scattered among the phone companies or pooled into some kind of private consortium. The N.S.A. would need to make the case to the surveillance court that it has met the standard of suspicion — and get a judge’s order — every time it wanted to perform such “link analysis.”

“In our view, the current storage by the government of bulk metadata creates potential risks to public trust, personal privacy, and civil liberty,” the report said.

The report recommended new privacy protections for the disclosure of personal information about non-Americans among agencies or to the public. The change would extend to foreigners essentially the same protections that citizens have under the Privacy Act of 1974 — a way of assuring foreign countries that their own citizens, if targeted for surveillance, will enjoy at least some protections under American law.

It also said the United States should get out of the business of secretly buying or searching for flaws in common computer programs and using them for mounting cyberattacks. That technique, using what are called zero-day flaws, so named because they are used with zero days of warning that the flaw exists, was crucial to the cyberattacks that the United States and Israel launched on Iran in an effort to slow its nuclear program. The advisers said that the information should be turned over to software manufacturers to have the mistakes fixed, rather than exploited.

Regarding spying on foreign leaders, the report urged that the issue be taken out of the hands of the intelligence agencies and put into the hands of policy makers.


Jeremy W. Peters contributed reporting.

    Obama Panel Recommends New Limits on N.S.A. Spying, NYT, 18.12.2013,






After Setbacks, Online Courses Are Rethought


December 10, 2013
The New York Times


Two years after a Stanford professor drew 160,000 students from around the globe to a free online course on artificial intelligence, starting what was widely viewed as a revolution in higher education, early results for such large-scale courses are disappointing, forcing a rethinking of how college instruction can best use the Internet.

A study of a million users of massive open online courses, known as MOOCs, released this month by the University of Pennsylvania Graduate School of Education found that, on average, only about half of those who registered for a course ever viewed a lecture, and only about 4 percent completed the courses.

Much of the hope — and hype — surrounding MOOCs has focused on the promise of courses for students in poor countries with little access to higher education. But a separate survey from the University of Pennsylvania released last month found that about 80 percent of those taking the university’s MOOCs had already earned a degree of some kind.

And perhaps the most publicized MOOC experiment, at San Jose State University, has turned into a flop. It was a partnership announced with great fanfare at a January news conference featuring Gov. Jerry Brown of California, a strong backer of online education. San Jose State and Udacity, a Silicon Valley company co-founded by a Stanford artificial-intelligence professor, Sebastian Thrun, would work together to offer three low-cost online introductory courses for college credit.

Mr. Thrun, who had been unhappy with the low completion rates in free MOOCs, hoped to increase them by hiring online mentors to help students stick with the classes. And the university, in the heart of Silicon Valley, hoped to show its leadership in online learning, and to reach more students.

But the pilot classes, of about 100 people each, failed. Despite access to the Udacity mentors, the online students last spring — including many from a charter high school in Oakland — did worse than those who took the classes on campus. In the algebra class, fewer than a quarter of the students — and only 12 percent of the high school students — earned a passing grade.

The program was suspended in July, and it is unclear when, if or how the program will resume. Neither the provost nor the president of San Jose State returned calls, and spokesmen said the university had no comment.

Whatever happens at San Jose, even the loudest critics of MOOCs do not expect them to fade away. More likely, they will morph into many different shapes: Already, San Jose State is getting good results using videos from edX, a nonprofit MOOC venture, to supplement some classroom sessions, and edX is producing videos to use in some high school Advanced Placement classes. And Coursera, the largest MOOC company, is experimenting with using its courses, along with a facilitator, in small discussion classes at some United States consulates.

Some MOOC pioneers are working with a different model, so-called connectivist MOOCs, which are more about the connections and communication among students than about the content delivered by a professor.

“It’s like, ‘The MOOC is dead, long live the MOOC,’ ” said Jonathan Rees, a Colorado State University-Pueblo professor who has expressed fears that the online courses would displace professors and be an excuse for cuts in funding. “At the beginning everybody talked about MOOCs being entirely online, but now we’re seeing lots of things that fall in the middle, and even I see the appeal of that.”

The intense publicity about MOOCs has nudged almost every university toward developing an Internet strategy.

Given that the wave of publicity about MOOCs began with Mr. Thrun’s artificial-intelligence course, it is fitting that he has become emblematic of a reset in the thinking about MOOCs, after a profile in Fast Company magazine that described him as moving away from college classes in favor of vocational training in partnerships with corporations that would pay a fee.

Many educators saw the move as an admission of defeat for the idea that online courses would democratize higher education — and confirmation that, at its core, Udacity, a company funded with venture capital, was more interested in profits than in helping to educate underserved students.

“Sebastian Thrun put himself out there as a little bit of a lightning rod,” said George Siemens, a MOOC pioneer who got funding from the Bill & Melinda Gates Foundation for research on MOOCs, and last week convened the researchers at the University of Texas at Arlington to discuss their early results. “Whether he intended it or not, that article marks a substantial turning point in the conversation around MOOCs.”

The profile quoted Mr. Thrun as saying the Udacity MOOCs were “a lousy product” and “not a good fit” for disadvantaged students, unleashing a torrent of commentary in the higher-education blogosphere.

Mr. Thrun took issue with the article, and said he had never concluded that MOOCs could not work for any particular group of students.

“I care about education for everyone, not just the elite,” he said in an interview. “We want to bring high-quality education to everyone, and set up everyone for success. My commitment is unchanged.”

While he said he was “super-excited” about working with corporations to improve job skills, Mr. Thrun said he was working with San Jose State to revamp the software so that future students could have more time to work through the courses.

“To all those people who declared our experiment a failure, you have to understand how innovation works,” he wrote on his blog. “Few ideas work on the first try. Iteration is key to innovation. We are seeing significant improvement in learning outcomes and student engagement.”

Some draw an analogy to mobile phones, which took several generations to progress from clunky and unreliable to indispensable.

Mr. Thrun stressed that results from the second round of the San Jose experiment over the summer were much improved, with the online algebra and statistics students doing better than their on-campus counterparts. Comparisons are murky, though, since the summer classes were open to all, and half the students already had degrees.

Some San Jose professors said they found the MOOC material useful and were disappointed that the pilot was halted.

“We had great results in the summer, so I’m surprised that it’s not going forward,” said Julie Sliva, who taught the college algebra course. “I’m still using the Udacity videos to support another course, because they’re very helpful.”

Mr. Siemens said what was happening was part of a natural process. “We’re moving from the hype to the implementation,” he said. “It’s exciting to see universities saying, ‘Fine, you woke us up,’ and beginning to grapple with how the Internet can change the university, how it doesn’t have to be all about teaching 25 people in a room.

“Now that we have the technology to teach 100,000 students online,” he said, “the next challenge will be scaling creativity, and finding a way that even in a class of 100,000, adaptive learning can give each student a personal experience.”

    After Setbacks, Online Courses Are Rethought, NYT, 10.12.2013,






Internet Firms Step Up Efforts to Stop Spying


December 5, 2013
The New York Times


SAN FRANCISCO — When Marissa Mayer, Yahoo’s chief executive, recently announced the company’s biggest security overhaul in more than a decade, she did not exactly receive a standing ovation.

Ordinary users asked Ms. Mayer why Yahoo was not doing more. Privacy activists were more blunt. “Even after today’s announcement, Yahoo still lags far behind Google on web security,” said Christopher Soghoian, a technology analyst at the American Civil Liberties Union.

For big Internet outfits, it is no longer enough to have a fast-loading smartphone app or cool messaging service. In the era of Edward J. Snowden and his revelations of mass government surveillance, companies are competing to show users how well their data is protected from prying eyes, with billions of dollars in revenue hanging in the balance.

On Thursday, Microsoft will be the latest technology company to announce plans to shield its services from outside surveillance. It is in the process of adding state-of-the-art encryption features to various consumer services and internally at its data centers.

The announcement follows similar efforts by Google, Mozilla, Twitter, Facebook and Yahoo in what has effectively become a digital arms race with the National Security Agency as the companies react to what some have called the “Snowden Effect.”

While security has long simmered as a concern for users, many companies were reluctant to employ modern protections, worried that upgrades would slow down connections and add complexity to their networks.

But the issue boiled over six months ago, when documents leaked by Mr. Snowden described efforts by the N.S.A. and its intelligence partners to spy on millions of Internet users. More than half of Americans surveyed say N.S.A. surveillance has intruded on their personal privacy rights, according to a Washington Post-ABC News poll conducted in November.

The revelations also shook Internet companies, which have been trying to reassure customers that they are doing what they can to protect their data from spying. They have long complied with legal orders to hand over information, but were alarmed by more recent news that the N.S.A. was also accessing their data without their knowledge.

“We want to ensure that governments use legal process rather than technological brute force to obtain customer data — it’s as simple as that,” said Bradford L. Smith, Microsoft’s general counsel, in an interview.

Mr. Smith said his company would also open “transparency centers” where foreign governments can inspect the company’s code in an effort to assure them that it does not plant back doors for spy agencies in its products.

Already, the Snowden revelations threaten to erode the market share of American technology companies abroad.

In India, government officials are now barred from using email services that have servers located in the United States. In Brazil, lawmakers are pushing for laws that would force foreign companies to spend billions redesigning their systems — and possibly the entire Internet — to keep Brazilian data from leaving the country.

Forrester Research projected the fallout could cost the so-called cloud computing industry as much as $180 billion — a quarter of its revenue — by 2016.

“The world is quickly being divided into companies that are secure and companies that are not,” said Bhaskar Chakravorti, a dean of international business and finance at the Fletcher School at Tufts University.

One by one, technology companies have been scrambling to plug security holes.

The best defense, security experts say, is using Transport Layer Security, a type of encryption familiar to many through the “https” and padlock symbol at the beginning of Web addresses that use the technology. It uses a long sequence of numbers — a master key — that scrambles sensitive data like passwords, credit card details, intellectual property and personal information between a user and a website while in transit.

Banks and other financial sites have used such security for years, and Google and Twitter along with Microsoft’s email service made it standard long ago. Facebook adopted https systemwide this year. And Ms. Mayer said Yahoo would finally allow consumers to encrypt all their Yahoo data in January.

But as many sites move to https, security experts say more advanced security measures are needed. If a government can crack the master key — or obtain it through court orders — it could go back and decrypt past communications for millions of users.

That’s why companies like Google, Mozilla, Facebook and Twitter have added another layer of protection, called Perfect Forward Secrecy. That technology adds a second lock to each user’s transmissions, with the key changed frequently. Microsoft plans to add the encryption method next year, but Yahoo has not said whether it will add it.

“Perfect Forward Secrecy is a billion different secrets, and it’s not protected by one central secret,” said Scott Renfro, a Facebook software engineer who works on the company’s security infrastructure.

So even if an outsider obtained the master key, it would still have to crack the other keys, over and over again.
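The difference described above can be shown with a small simulation, added here as an illustration and not part of the original article: recorded sessions are replayed after the server's long-term key is disclosed, first without and then with per-session ephemeral keys. The toy Diffie-Hellman group, the XOR stream cipher and all names (`Server`, `record_session`, `replay_after_compromise`) are assumptions of this sketch, not any company's implementation.

```python
import hashlib
import secrets

# Toy finite-field Diffie-Hellman group (assumption of this sketch): the prime
# 2**255 - 19 with generator 2. It is used only because it fits on one line;
# real TLS deployments use standardized groups and authenticated handshakes.
P = 2**255 - 19
G = 2


def keypair():
    """Return (private, public) for the toy group."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def session_key(priv, peer_pub):
    """Derive a 32-byte session key from the Diffie-Hellman shared value."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()


def xor_stream(key, data):
    """Toy cipher: XOR with SHA-256 in counter mode (same call decrypts)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


class Server:
    def __init__(self):
        # The long-lived "master key" the article refers to.
        self.long_term_priv, self.long_term_pub = keypair()

    def static_handshake(self, client_pub):
        # No forward secrecy: every session key depends on the long-term key.
        return self.long_term_pub, session_key(self.long_term_priv, client_pub)

    def ephemeral_handshake(self, client_pub):
        # Forward secrecy: a fresh key pair per session, discarded on return.
        # In a real protocol the long-term key only signs eph_pub (omitted here).
        eph_priv, eph_pub = keypair()
        return eph_pub, session_key(eph_priv, client_pub)


def record_session(server, message, forward_secret):
    """Run one handshake; return only what a passive wiretap would store."""
    client_priv, client_pub = keypair()
    if forward_secret:
        server_pub, server_key = server.ephemeral_handshake(client_pub)
    else:
        server_pub, server_key = server.static_handshake(client_pub)
    client_key = session_key(client_priv, server_pub)
    assert client_key == server_key  # both ends agree on the session key
    return {"client_pub": client_pub, "server_pub": server_pub,
            "ciphertext": xor_stream(client_key, message)}


def decrypt_with_leaked_key(leaked_long_term_priv, capture):
    """Try to open a stored capture using only the disclosed long-term key."""
    key = session_key(leaked_long_term_priv, capture["client_pub"])
    return xor_stream(key, capture["ciphertext"])


def replay_after_compromise(n_sessions, forward_secret):
    """Count how many recorded messages the disclosed long-term key opens."""
    server = Server()
    # Constructed sample traffic, not real data.
    messages = [b"constructed sample message %d" % i for i in range(n_sessions)]
    captures = [record_session(server, m, forward_secret) for m in messages]
    leaked = server.long_term_priv  # disclosed only after traffic was recorded
    return sum(decrypt_with_leaked_key(leaked, c) == m
               for c, m in zip(captures, messages))


if __name__ == "__main__":
    print("static key, messages recovered:   ", replay_after_compromise(5, False))
    print("ephemeral keys, messages recovered:", replay_after_compromise(5, True))
```
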

“This type of protection should have been engineered into all web systems and all Internet systems to begin with,” said Jacob Hoffman-Andrews, an engineer at Twitter.

The technology has existed for two decades, but companies were slow to adopt it because it added complexity and introduced a delay to Internet transactions, which can encourage impatient users to flee for faster sites. But many of those issues were resolved by Google when it applied Perfect Forward Secrecy in 2011, said Adam Langley, a software engineer at the company. Google shared its improvements with the broader tech community.

Still, technical solutions can be trumped by law. While https and Perfect Forward Secrecy protect the data transmission, law enforcement agencies can still compel companies to hand the data over from their servers, where it is stored.

So Internet companies are trying to ensure they are at least blocking unauthorized access by addressing other security issues, including a hole that leaves users vulnerable at the very beginning of a site visit. When users want to log into, say, Google’s Gmail, their Internet browser checks the site’s security certificate to make sure it’s not an impostor.

Some security experts believe that hackers are nearly capable of cracking the 1024-bit encryption keys that protect the certificates. But an industry standards group is requiring that, starting next year, all new and renewed certificate keys use 2048-bit encryption, which is far more difficult to break.

Ultimately, however, every security advance is met by new threats. “Attacks don’t get worse,” Mr. Langley said. “They only get better.”

    Internet Firms Step Up Efforts to Stop Spying, NYT, 5.12.2013,






They Loved Your G.P.A. Then They Saw Your Tweets.


November 9, 2013
The New York Times


At Bowdoin College in Brunswick, Me., admissions officers are still talking about the high school senior who attended a campus information session last year for prospective students. Throughout the presentation, she apparently posted disparaging comments on Twitter about her fellow attendees, repeatedly using a common expletive.

Perhaps she hadn’t realized that colleges keep track of their social media mentions.

“It was incredibly unusual and foolish of her to do that,” Scott A. Meiklejohn, Bowdoin’s dean of admissions and financial aid, told me last week. The college ultimately denied the student admission, he said, because her academic record wasn’t competitive. But had her credentials been better, those indiscreet posts could have scuttled her chances.

“We would have wondered about the judgment of someone who spends their time on their mobile phone and makes such awful remarks,” Mr. Meiklejohn said.

As certain high school seniors work meticulously this month to finish their early applications to colleges, some may not realize that comments they casually make online could negatively affect their prospects. In fact, new research from Kaplan Test Prep, the service owned by the Washington Post Company, suggests that online scrutiny of college hopefuls is growing.

Of 381 college admissions officers who answered a Kaplan telephone questionnaire this year, 31 percent said they had visited an applicant’s Facebook or other personal social media page to learn more about them — a five-percentage-point increase from last year. More crucially for those trying to get into college, 30 percent of the admissions officers said they had discovered information online that had negatively affected an applicant’s prospects.

“Students’ social media and digital footprint can sometimes play a role in the admissions process,” says Christine Brown, the executive director of K-12 and college prep programs at Kaplan Test Prep. “It’s something that is becoming more ubiquitous and less looked down upon.”

In the business realm, employers now vet the online reputations of job candidates as a matter of course. Given the impulsiveness of typical teenagers, however — not to mention the already fraught nature of college acceptances and rejections — the idea that admissions officers would covertly nose around the social media posts of prospective students seems more chilling.

There is some reason for concern. Ms. Brown says that most colleges don’t have formal policies about admissions officers supplementing students’ files with their own online research. If colleges find seemingly troubling material online, they may not necessarily notify the applicants involved.

“To me, it’s a huge problem,” said Bradley S. Shear, a lawyer specializing in social media law. For one thing, Mr. Shear told me, colleges might erroneously identify the account of a person with the same name as a prospective student — or even mistake an impostor’s account — as belonging to the applicant, potentially leading to unfair treatment. “Often,” he added, “false and misleading content online is taken as fact.”

These kinds of concerns prompted me last week to email 20 colleges and universities — small and large, private and public, East Coast and West Coast — to ask about their practices. Then I called admissions officials at 10 schools who agreed to interviews.

Each official told me that it was not routine practice at his or her institution for admissions officers to use Google searches on applicants or to peruse their social media posts. Most said their school received so many applications to review — with essays, recommendations and, often, supplemental portfolios — that staff members wouldn’t be able to do extra research online. A few also felt that online investigations might lead to unfair or inconsistent treatment.

“As students’ use of social media is growing, there’s a whole variety of ways that college admissions officers can use it,” Beth A. Wiser, the director of admissions at the University of Vermont, told me. “We have chosen to not use it as part of the process in making admissions decisions.”

Other admissions officials said they did not formally prohibit the practice. In fact, they said, admissions officers did look at online material about applicants on an ad hoc basis. Sometimes prospective students themselves ask an admissions office to look at blogs or videos they have posted; on other occasions, an admissions official might look up an obscure award or event mentioned by an applicant, for purposes of elucidation.

“Last year, we watched some animation videos and we followed media stories about an applicant who was involved in a political cause,” says Will Hummel, an admissions officer at Pomona College in Claremont, Calif. But those were rare instances, he says, and the supplemental material didn’t significantly affect the students’ admissions prospects.

Admissions officials also said they had occasionally rejected applicants, or revoked their acceptances, because of online materials. Often, these officials said, a college may learn about a potential problem from an outside source, such as a high school counselor or a graduate, prompting it to look into the matter.

Last year, an undergraduate at Pitzer College in Claremont, Calif., who had befriended a prospective student on Facebook, notified the admissions office because he noticed that the applicant had posted offensive comments about one of his high school teachers.

“We thought, this is not the kind of person we want in our community,” Angel B. Perez, Pitzer’s dean of admission and financial aid, told me. With about 4,200 applications annually for a first-year class of 250 students, the school can afford to be selective. “We didn’t admit the student,” Mr. Perez said.

But colleges vary in their transparency. While Pitzer doesn’t contact students if their social media activities precluded admission to the school, Colgate University does notify students if they are eliminated from the applicant pool for any reason other than being uncompetitive candidates.

“We should be transparent with applicants,” says Gary L. Ross, Colgate’s dean of admission. He once called a student, to whom Colgate had already offered acceptance, to check whether an alcohol-related incident that was reported online was indeed true. (It was, and Colgate rescinded the offer of admission.)

“We will always ask if there is something we didn’t understand,” Mr. Ross said.

In an effort to help high school students avoid self-sabotage online, guidance counselors are tutoring them in scrubbing their digital identities. At Brookline High School in Massachusetts, juniors are taught to delete alcohol-related posts or photographs and to create socially acceptable email addresses. One junior’s original email address was “bleedingjesus,” said Lenny Libenzon, the school’s guidance department chairman. That changed.

“They imagine admissions officers are old professors,” he said. “But we tell them a lot of admissions officers are very young and technology-savvy.”

Likewise, high school students seem to be growing more shrewd, changing their searchable names on Facebook or untagging themselves in pictures to obscure their digital footprints during the college admission process.

“We know that some students maintain two Facebook accounts,” says Wes K. Waggoner, the dean of undergraduate admission at Southern Methodist University in Dallas.

For their part, high school seniors say that sanitizing social media accounts doesn’t seem qualitatively different than the efforts they already make to present the most appealing versions of themselves to colleges. While Megan Heck, 17, a senior at East Lansing High School in Michigan, told me that she was not amending any of her posts as she applied early to colleges this month, many of her peers around the country were.

“If you’ve got stuff online you don’t want colleges to see,” Ms. Heck said, “deleting it is kind of like joining two more clubs senior year to list on your application to try to make you seem more like the person they want at their schools.”

    They Loved Your G.P.A. Then They Saw Your Tweets., NYT, 9.10.2013






Angry Over U.S. Surveillance,

Tech Giants Bolster Defenses


October 31, 2013
The New York Times


SAN FRANCISCO — Google has spent months and millions of dollars encrypting email, search queries and other information flowing among its data centers worldwide. Facebook’s chief executive said at a conference this fall that the government “blew it.” And though it has not been announced publicly, Twitter plans to set up new types of encryption to protect messages from snoops.

It is all reaction to reports of how far the government has gone in spying on Internet users, sneaking around tech companies to tap into their systems without their knowledge or cooperation.

What began as a public relations predicament for America’s technology companies has evolved into a moral and business crisis that threatens the foundation of their businesses, which rests on consumers and companies trusting them with their digital lives.

So they are pushing back in various ways — from cosmetic tactics like publishing the numbers of government requests they receive to political ones including tense conversations with officials behind closed doors. And companies are building technical fortresses intended to make the private information in which they trade inaccessible to the government and other suspected spies.

Yet even as they take measures against government collection of personal information, their business models rely on collecting that same data, largely to sell personalized ads. So no matter the steps they take, as long as they remain ad companies, they will be gathering a trove of information that will prove tempting to law enforcement and spies.

When reports of surveillance by the National Security Agency surfaced in June, the companies were frustrated at the exposure of their cooperation with the government in complying with lawful requests for the data of foreign users, and they scrambled to explain to customers that they had no choice but to obey the requests.

But as details of the scope of spying emerge, frustration has turned to outrage, and cooperation has turned to war.

The industry has learned that it knew of only a fraction of the spying, and it is grappling with the risks of being viewed as an enabler of surveillance of foreigners and American citizens.

Lawmakers in Brazil, for instance, are considering legislation requiring online services to store the data of local users in the country. European lawmakers last week proposed a measure to require American Internet companies to receive permission from European officials before complying with lawful government requests for data.

“The companies, some more than others, are taking steps to make sure that surveillance without their consent is difficult,” said Christopher Soghoian, a senior analyst at the American Civil Liberties Union. “But what they can’t do is design services that truly keep the government out because of their ad-supported business model, and they’re not willing to give up that business model.”

Even before June, Google executives worried about infiltration of their networks. The Washington Post reported on Wednesday that the N.S.A. was tapping into the links between data centers, the beating heart of tech companies housing user information, confirming that their suspicions were not just paranoia.

In response, David Drummond, Google’s chief legal officer, issued a statement that went further than any tech company had publicly gone in condemning government spying. “We have long been concerned about the possibility of this kind of snooping,” he said. “We are outraged at the lengths to which the government seems to have gone.”

A tech industry executive, who spoke only on the condition of anonymity because of the sensitivities around the surveillance, said, “Just based on the revelations yesterday, it’s outright theft,” adding, “These are discussions the tech companies are not even aware of, and we find out from a newspaper.”

Though tech companies encrypt much of the data that travels between their servers and users’ computers, they do not generally encrypt their internal data because they believe it is safe and because encryption is expensive and time-consuming and slows down a network.

But Google decided those risks were worth it. And this summer, as it grew more suspicious, it sped up a project to encrypt internal systems. Google is also building many of its own fiber-optic lines through which the data flows; if it controls them, they are harder for outsiders to tap.

Tech companies’ security teams often feel as if they are playing a game of Whac-a-Mole with intruders like the government, trying to stay one step ahead.

Google, for instance, changes its security keys, which unlock encrypted digital data so it is readable, every few weeks. Google, Facebook and Yahoo have said they are increasing the length of these keys to make them more difficult to crack.

Facebook also said it was adding the encryption method of so-called perfect forward secrecy, which Google did in 2011. This means that even if someone gets access to a secret key, that person cannot decrypt past messages and traffic.

“A lot of the things everybody knew they should do but just weren’t getting around to are now a much higher priority,” said Paul Kocher, president and chief scientist of Cryptography Research, which makes security technologies.

Facebook said in July that it had turned on secure browsing by default, and Yahoo said last month that it would do the same for Yahoo Mail early next year. And Twitter is developing a variety of new security measures, including encrypting private direct messages, according to a person briefed on the measures.

Many tech companies have made public information about the number of government requests for user data they receive, and sued to ask for permission to publish more of this data. On Thursday, Google, Microsoft, Facebook, Yahoo, Apple and AOL reiterated these points in a letter to members of Congress.

But publishing the numbers of requests the companies receive has less meaning now that reports show the government sees company data without submitting a legal request.

A sense of betrayal runs through the increasingly frequent conversations between tech company lawyers and lawmakers and law enforcement in Washington, and in private conversations among engineers at the companies and increasingly outspoken public statements by executives.

Mr. Drummond and Larry Page, Google’s co-founder and chief executive, have said privately that they thought the government betrayed them when the N.S.A. leaks began, by failing to explain the tech companies’ role to the public or the extent of its spying to the tech companies, according to three people briefed on these conversations. When President Obama invited tech chief executives to discuss surveillance in August, Mr. Page did not go and sent a lower-level employee instead.

Mark Zuckerberg, Facebook’s chief executive, sarcastically discussed surveillance at the TechCrunch Disrupt conference in September.

“The government blew it,” he said. “The government’s comment was, ‘Oh, don’t worry, basically we’re not spying on any Americans.’ Right, and it’s like, ‘Oh, wonderful, yeah, it’s like that’s really helpful to companies that are really trying to serve people around the world and really going to inspire confidence in American Internet companies.’ ”

    Angry Over U.S. Surveillance, Tech Giants Bolster Defenses, NYT, 31.10.2013






Ahead of I.P.O.,

Twitter Alters Feed to Add Images


October 29, 2013
The New York Times


SAN FRANCISCO — Twitter has gone visual.

The social network, which has been built around 140-character snippets of text since its founding in 2006, has added photo and video previews to the feed of items that users see when they log onto the service from the Web or mobile applications. In the past, Twitter users had to click on a link to see a photo or video.

The change, which helps Twitter catch up to recent moves by rivals like Facebook to showcase photos and videos more prominently, could help increase the use of Twitter as the company prepares to sell stock to the public for the first time in an offering expected to occur next week.

The addition could also help the company sell more ads with visual elements.

Robert Peck, an Internet analyst with SunTrust Robinson Humphrey, said that the adjustment to Twitter’s look addressed a concern he had heard from potential buyers of Twitter’s stock. “It was all text, for the most part. There was no multimedia,” he said. “People thought Twitter was behind.”

Twitter has traditionally resisted tinkering with its message feed, which it calls the timeline, because it has wanted to keep its display of tweets as streamlined as possible.

The turn toward the visual is the biggest change to Twitter’s interface since it was overhauled in 2011, although the company has recently introduced other changes, including a blue line that groups related messages so that users can more easily follow a conversation.

With Tuesday’s change, tweets will still show up in chronological order, with the most recent first. But the tweets that contain photos uploaded to Twitter or six-second videos from Vine, a video-creation service owned by Twitter, will automatically preview those images.

“Starting today, timelines on Twitter will be more visual and more engaging: previews of Twitter photos and videos from Vine will be front and center in tweets,” Michael Sippey, Twitter’s vice president for product, wrote in a blog post on Tuesday. “To see more of the photo or play the video, just tap.”

If users embrace the change, Twitter could also add automatic previews of other types of links, like articles and web pages or images and videos from outside sites like Google’s YouTube.

That technology is already used to preview a variety of sites on Twitter’s Discover tab, a little-used feature of the service that is meant to help users find new content they might like based on the users they follow and topics in which they have expressed interest.

The company is also experimenting with ways to highlight other types of messages, like those about television shows, although no other changes have yet been released to all users.

Although a more visual feed does not directly affect advertisers on Twitter, it does improve the company’s position in the battle for mobile ad dollars.

Instagram, the photo-sharing service owned by Facebook, just began selling visual ads on its service from brands like Adidas and Lexus that are sprinkled into the flow of messages that users see.

Twitter’s principal form of advertising, known as a sponsored tweet, also appears in the stream of messages from users, and advertisers can post sponsored tweets with images in them.

Industry research shows that users are far more likely to click on an ad with a photo in it. Since Twitter is paid by the advertiser only when a user interacts with an ad, more responses to or sharing of image-based ads would most likely lead to an increase in revenue. Some on Wall Street have expressed worries about the company’s slowing growth ahead of its initial public offering of stock.

In the third quarter, Twitter had 232 million users who checked the service at least once a month, up just 6.4 percent from the previous quarter and an increase of 39 percent from the previous year. That is far less than the double-digit quarterly growth rates that Facebook posted when it was the same size as Twitter.

Clark Fredricksen, a vice president at the digital research firm eMarketer, said that Twitter’s decision to make its feed more visually attractive makes sense on multiple levels and helps it compete with the image and video-friendly services of competitors like Instagram, Snapchat and Facebook.

“This move may help Twitter more deeply engage users, which is vital for its long-term growth,” he said in an email. “At the very least it allows users to perform some of the same actions that helped Twitter’s competitors grow quickly.”

    Ahead of I.P.O., Twitter Alters Feed to Add Images, NYT, 29.10.2013






Why the Government

Never Gets Tech Right


October 24, 2013
The New York Times


MILLIONS of Americans negotiating America’s health care system know all too well what the waiting room of a doctor’s office looks like. Now, thanks to HealthCare.gov, they know what a “virtual waiting room” looks like, too. Nearly 20 million Americans, in fact, have visited the Web site since it opened three weeks ago, but only about 500,000 managed to complete applications for insurance coverage. And an even smaller subset of those applicants actually obtained coverage.

For the first time in history, a president has had to stand in the Rose Garden to apologize for a broken Web site. But HealthCare.gov is only the latest episode in a string of information technology debacles by the federal government. Indeed, according to the research firm the Standish Group, 94 percent of large federal information technology projects over the past 10 years were unsuccessful — more than half were delayed, over budget, or didn’t meet user expectations, and 41.4 percent failed completely.

For example, Sam.gov, a system for government contractors developed by I.B.M. that started in 2012, has cost taxpayers $181 million and is just now beginning to work as expected. Before that, a new version of USAJobs.gov landed with a thud, after years during which millions were spent. In 2001, the F.B.I. started a virtual case file system, and after dumping the project, renaming it, and finding new vendors to build it, the project, “Sentinel,” managed to see the light of day just last year.

Clearly, these failures — though they are not as well known to the public — extend far beyond Barack Obama’s presidency. But this latest stings more than the others. Perhaps that’s because it comes from a president who is seen as a transformational figure, who has had to watch his signature achievement be held hostage by that most banal of captors: a clunky computer system.

So why is it that the technology available to Mr. Obama as president doesn’t compare to the technology he used to win an election? Much of the problem has to do with the way the government buys things. The government has to follow a code called the Federal Acquisition Regulation, which is more than 1,800 pages of legalese that all but ensure that the companies that win government contracts, like the ones put out to build HealthCare.gov, are those that can navigate the regulations best, but not necessarily do the best job. That’s evidenced by yesterday’s Congressional testimony by the largest of the vendors, CGI Federal, which blamed everyone but itself when asked to explain the botched rollout of the new Web site.

But maybe there’s hope. In 2004, campaign contracting was a lot like government contracting is today: full of large, entrenched vendors providing subpar services. Howard Dean changed that by reaching out to a new breed of Internet-savvy companies and staffers (including one of us). In 2012, Barack Obama beat Mitt Romney thanks in part to a mix of private-sector-trained technology workers and a well-developed ecosystem of technologies available from competitive consultants.

This latest failure is frustrating for us to watch. Our careers have largely been about developing technology that allows more people to participate in the way we finance, support and elect candidates for public office. Together, we’ve done things that transformed elections, but we now need that work to carry into transforming government.

Government should be as participatory and as interactive with its citizens as our political process is. A digital candidate will never be able to become a digital president if he can’t bring the innovation that helped him win election into the Oval Office to help him govern.

HealthCare.gov needs to be fixed. We believe that in a few days it will be. As Mr. Obama said last week after the government shutdown ended, “There’s no good reason why we can’t govern responsibly, despite our differences, without lurching from manufactured crisis to manufactured crisis.” There’s no good reason we can’t code responsibly, either. We must find a fix to the federal procurement process that spares the government’s technology projects from the self-inflicted wounds of signing big contracts whose terms repeatedly and spectacularly go unmet.

The good news is that these problems are not unique to the United States government, and others already have solutions. In 2011, the British government formed a new unit of its Cabinet Office called the Government Digital Service. It’s a team of internal technologists whose job it is to either build the right technology, or find the right vendors for every need across the government. It gives the government a technical brain. It has saved the country millions, and improved the way the government delivers services online.

The United States has taken a step in this direction. Last year, the government’s chief technology officer, Todd Park, started the Presidential Innovation Fellows program and brought together innovators from across the country to work on hard technical problems inside of government. But we need to create our own Government Digital Service.

The president should use the power of the White House to end all large information technology purchases, and instead give his administration’s accomplished technologists the ability to work with agencies to make the right decisions, increase adoption of modern, incremental software development practices, like a popular one called Agile, already used in the private sector, and work with the Small Business Administration and the General Services Administration to make it easy for small businesses to contract with the government.

Large federal information technology purchases have to end. Any methodology with a 94 percent chance of failure or delay, which costs taxpayers billions of dollars, doesn’t belong in a 21st-century government.

Clay Johnson, a former Presidential Innovation Fellow and lead programmer for Howard Dean’s 2004 campaign, is the chief executive officer of the Department of Better Technology, a nonprofit that develops technology for governments. Harper Reed is the former chief technology officer of Obama for America.

    Why the Government Never Gets Tech Right, NYT, 24.10.2013






Google Stock Tops $1,000,

Highlighting a Tech Divide


October 18, 2013
The New York Times


SAN FRANCISCO — Google has done something few companies ever do in the stock market: it has joined the $1,000 club.

On Friday, Google’s share price jumped above that price for the first time, another milestone in its remarkable ascent from $85 in its public offering in 2004.

On one level, $1,000 is just a number. But on another, it is a reminder of the new order that has taken hold in the technology world in just a few short years — and how far apart the winners are from the losers.

Google closed up 14 percent on Friday, at $1,011.41, after a better-than-expected earnings release late Thursday. The jump brought its gain since its initial offering to roughly 1,100 percent. During the same period, the shares of Amazon.com rose 830 percent. Samsung, which makes smartphones as well as the chips that go into many other manufacturers’ devices, rose 760 percent. And Apple leapt a staggering 3,300 percent.

By comparison, the overall Nasdaq composite rose 120 percent, while Microsoft — 10 years ago the most feared giant in technology — gained just 28 percent.

“Companies away from Google and Apple and a few others increasingly have trouble communicating a value proposition” to shareholders, said Martin Reynolds, an analyst with Gartner. “Only a few big companies are starting to matter.”

These new leaders have focused on Web-based businesses. While the big money in technology used to be in selling to businesses, today’s leaders are oriented toward consumers.

Friday’s gain made Google, already one of the world’s most valuable companies, one of the few in which buying a single share costs more than $1,000. Others include Priceline.com, the online-travel company, and Seaboard, which processes turkeys and hogs.

In some ways, Google’s investors are betting that quantity can beat quality. Google’s challenge has been lower prices for the ads it puts on its own and others’ Web pages. Much of the traditional market for these ads has been saturated, and Google has been trying to put more ads on mobile devices like smartphones and tablets. Mobile ads tend to make less money because people click on them less often.

But Google executives have emphasized the enormous number of mobile devices on which it now places ads, and indicated that the sheer number of mobile outlets was set to keep growing.

Much of the growth in mobile was initially in the developed world, where ad prices are generally higher. As the use of smartphones and tablets spreads into developing economies, the revenue per user is likely to drop, affecting overall profits unless Google can grow even faster in these markets. For the third consecutive quarter, 55 percent of Google’s revenue came from overseas sources.

Google also appeared to be moving more money through overseas accounts and holding more money overseas, a strategy Apple and others have used to avoid corporate taxes in the United States.

Both Republicans and Democrats in Washington have criticized Apple for its offshore tax strategies. So far, however, the trend among companies seems to be increasing.

“The U.S. corporate tax rate is supposed to be 35 percent, and Google was paying an effective rate of about 15 percent,” said Colin Gillis, an analyst with BGC Financial. “It wasn’t like there was a massive reacceleration of Google’s business here.”

Google finished the quarter with $56 billion in cash, held in the United States and overseas. Even the companies trying to compete with Google are starting to draw off their overseas cash, buying foreign companies. These deals include Microsoft’s purchase of the phone assets of Finland’s Nokia for $7.2 billion, and Cisco’s purchase of NDS, a video services company based in Britain, for $5 billion in 2012.

Even eBay’s recent Bill Me Later feature is backstopped with its overseas cash, Mr. Gillis said. “If I was starting a tech company, I’d put it in Luxembourg so I could get bought with a U.S. company’s offshore cash,” he said.

Google’s United States business grew just under 13 percent over the quarter, a low number that analysts ascribe to a maturing business. Google is trying to increase the profitability of its ads by making them more personal, doing things like looking at where people are or what their previous habits have been.

On Friday, Google announced a new partnership with a rival, Facebook, in which it will begin selling ads that can appear on the desktop version of Facebook’s service. It also announced changes to location-based searches in international markets. While this yields more profitable ads for Google, since people are generally more likely to click on things targeted at them, it also can run afoul of privacy advocates and regulators.

Over all, Google’s quarterly numbers showed that its audience was spending more time on mobile devices. The traditional business of people clicking ads on desktop and laptop computers was flat last quarter, according to Search Agency, a digital marketing firm. Clicks on phones more than doubled, the research company said, while tablet clicks were up 63 percent.

Another bright spot in Google’s earnings, though a relatively small one, was Google’s “other” category, believed to consist mostly of sales to businesses of Google Apps, Google’s alternative to Microsoft’s office communications and productivity software. This revenue was $1.23 billion, an increase of 85 percent from the third quarter of 2012.

    Google Stock Tops $1,000, Highlighting a Tech Divide, NYT, 18.10.2013






Facebook’s New Rules


October 18, 2013
The New York Times


No sooner had the ink dried on my last column — about Dave Eggers’s new novel “The Circle,” in which he imagines a world without privacy — than Facebook announced two changes to its privacy settings. In its short nine-year existence, Facebook has made many changes to its privacy policies, of course. More often than not, the changes have enabled the company to monetize the rich trove of data it collects from its users. When you get right down to it, that’s really all it has to sell.

As these things go, these particular changes were less than earth-shattering: the first would make everyone’s news feed searchable; the second would allow teenagers to share their latest thoughts or videos not just with their “friends,” or their “friends of friends,” but with anyone who uses Facebook. Previously, under-18 users of Facebook were restricted to sending posts to “friends of friends” — a category that, admittedly, can run into the thousands for many teenagers.

Still, it felt as though Facebook was making at least some small effort to establish boundaries beyond which teens couldn’t go: a zone of safety to protect them from predators and bullies. Now, it seemed, all bets were off. (In fairness, I should note that the default setting for teenagers is “friends,” which is restrictive, and that users under 18 have to change their setting to be able to share information publicly.)

Whenever Facebook makes a change like this, it is always accompanied by some highfalutin rationale. Sure enough, the company says that the move will amplify the voices of young activists and idealists.

Well, I suppose. What the move clearly exemplifies, though, is the steady erosion of privacy online — and not just on Facebook. In some ways, Facebook is playing catch-up.

It’s important to remember that Facebook didn’t start life with an obvious business model. Begun as a way for university students to share information with others on the same campus — and no one else — it came to realize that advertising was its ticket, and that advertisers wanted to be able to market to a large universe of people who were sharing information. The more they divulged about their likes and dislikes, the richer the data they provided.

Thus, as early as 2007, Facebook set up a program, called Beacon, that made it possible to advertise to a user’s “friends” based on their purchases at other sites. It resulted in a class-action lawsuit that has been settled. Facebook has since shut down Beacon. In 2009, it got in trouble with the Federal Trade Commission because it weakened its users’ privacy settings without telling them. In 2010, it started a program called Open Graph, which gave marketers a wealth of information about a Facebook user’s preferences. Most recently, the company has developed a program that turns its users’ information into product endorsements that are displayed to their “friends.” Such ads are far more powerful than an obvious corporate ad because the “friends” trust the user.

Meanwhile, Facebook’s chief executive, Mark Zuckerberg, has always had a philosophical bent toward “openness” and “sharing” — which meshed nicely with his company’s advertising focus. Emily Bazelon, a Slate columnist, found a radio interview in which Zuckerberg said, “We help you share information, and when you do that, you’re more engaged on the site, and then there are ads on the side of the page.” He added, “The model all just works out.”

“I think Facebook’s whole business model is habituating people to sharing all their information,” Bazelon told me.

There’s one other factor: There are plenty of popular sites today where there is no privacy at all. On Twitter, for the most part, every tweet is available for anybody to see. Plenty of teenagers have gravitated to Twitter. When I spoke to Facebook executives, I got the sense that they felt they had been backed into a corner and had no choice but to open their site further so that teenagers could post publicly on Facebook. Why should Facebook be punished commercially by caring about privacy if competitors didn’t — and the users didn’t seem to care?

As for advertising, plainly the more time people spend on Facebook, the more likely advertisers will stick with the company, instead of gravitating to Twitter. Allowing teenagers to post publicly might well have the effect of keeping them in Facebook’s orbit. The company acknowledges it wants more public content, especially about popular subjects like television shows or movies. Advertisers will continue to target teens with those ads on the side of the page, just as they always have.

But what they won’t do, Facebook executives insist, is use teens’ own words and images to create ads, the way they can do now with adults. They say this with considerable vehemence, as if they are offended by the very notion.

Given their history, however, the obvious retort is: Give ’em time.

    Facebook’s New Rules, NYT, 18.10.2013






A World Without Privacy


October 14, 2013
The New York Times


In his great and prophetic novel “1984,” George Orwell laid out his vision of what totalitarianism would look like if taken to its logical extreme. The government — in the form of Big Brother — sees all and knows all. The Party rewrites the past and controls the present. Heretics pop up on television screens so they can be denounced by the populace. And the Ministry of Truth propagates the Party’s three slogans:




Dave Eggers’s new novel, “The Circle,” also has three short, Orwellian slogans, and while I have no special insight into whether he consciously modeled “The Circle” on “1984,” I do know that his book could wind up being every bit as prophetic.

Eggers’s subject is what the loss of privacy would look like if taken to its logical extreme. His focus is not on government but on the technology companies who invade our privacy on a daily basis. The Circle, you see, is a Silicon Valley company, an evil hybrid of Google, Facebook and Twitter, whose cultures — the freebies, the workaholism, the faux friendliness — Eggers captures with only slight exaggeration.

The Circle has enormous power because it has become the primary gateway to the Internet. Thanks to its near-monopoly, it is able to collect reams of data about everyone who uses its services — and many who don’t — data that allows The Circle to track anyone down in a matter of minutes. It has begun planting small, hidden cameras in various places — to reduce crime, its leaders insist. The Circle wants to place chips in children to prevent abductions, it says. It has called on governments to be “transparent,” by which it means that legislators should wear a tiny camera that allows the world to watch their every move. Eventually, legislators who refuse find themselves under suspicion — after all, they must be hiding something. This is where The Circle’s logic leads.

Of course, nobody who works for The Circle thinks what he or she is doing is evil. On the contrary, like many a real Silicon Valley executive, they view themselves as visionaries, whose only goal is benign: to make the world a better place.

“We’re at the dawn of the Second Enlightenment,” says one of The Circle’s founders in a speech to the staff. “I’m talking about an era where we don’t allow the majority of human thought and action and achievement and learning to escape as if from a leaky bucket.” It believes if it can eliminate secrecy people will be forced to be their best selves all the time. It even toys with the idea of getting the government to require voters to use The Circle — to force them to vote on Election Day. And, of course, it has found multiple ways to monetize the data it collects. As for the potential downside of this loss of privacy, it is waved away by Circle executives as if too trifling to even consider.

Is this vision of the future far-fetched? Of course it is — though no more than “1984” was. “The Circle” imagines where we could end up if we don’t begin paying attention. Indeed, what is striking is how far down this road we have already gone. Thanks to Edward Snowden, we know that the National Security Agency has the ability to read our e-mails and listen to our phone calls. Google shows us ads based on words we use in our Gmail accounts. Last week, Facebook — which has, in shades of Orwell, a chief privacy officer — removed a privacy setting so that any Facebook user can search for any other Facebook user. The next day, Google unveiled a plan that would make it possible for the company to use its customers’ words and likeness in ads for products they like — information that Google knows because, well, Google knows everything.

So, yes, while we’re not in Eggers territory yet, we are getting closer. I don’t have either a Facebook or a Twitter account, yet every few days I get an e-mail from one of the two companies saying that so-and-so is waiting for me to join them in social media land. The people it picks as my potential “friends” are very often people with whom I’ve never been a true colleague, but I’ve briefly met at some point in my life. It is creepy to me that the companies know that I know these particular people.

“If you have something that you don’t want anyone to know,” Eric Schmidt, the former chief executive of Google, once said, “maybe you shouldn’t be doing it in the first place.” That line could easily have been uttered by one of Dave Eggers’s characters. That is the thought-process that could someday cost us our last shred of privacy. “The Circle” is a warning.

(And in case you’re wondering, here are The Circle’s three slogans:





Frank Bruni is off today. David Brooks is on book leave.

    A World Without Privacy, NYT, 14.10.2013,






Felony Counts for 2

in Suicide of Bullied 12-Year-Old


October 15, 2013
The New York Times


MIAMI — For the Polk County sheriff’s office, which has been investigating the cyberbullying suicide of a 12-year-old Florida girl, the Facebook comment was impossible to disregard.

In Internet shorthand it began “Yes, ik” — I know — “I bullied Rebecca nd she killed herself.” The writer concluded that she didn’t care, using an obscenity to make the point and a heart as a perverse flourish. Five weeks ago, Rebecca Ann Sedwick, a seventh grader in Lakeland in central Florida, jumped to her death from an abandoned cement factory silo after enduring a year, on and off, of face-to-face and online bullying.

The Facebook post, Sheriff Grady Judd of Polk County said, was so offensive that he decided to move forward with the arrest immediately rather than continue to gather evidence. With a probable cause affidavit in hand, he sent his deputies Monday night to arrest two girls, calling them the “primary harassers.” The first, a 14-year-old, is the one who posted the comment Saturday, he said. The second is her friend, and Rebecca’s former best friend, a 12-year-old.

Both were charged with aggravated stalking, a third-degree felony, and will be processed through the juvenile court system. Neither had an arrest record. The older girl was taken into custody in the juvenile wing of the Polk County Jail. The younger girl, who the police said expressed remorse, was released to her parents under house arrest.

Originally, Sheriff Judd said he had hoped to wait until he received data from two far-flung cellphone application companies, Kik Messenger and ask.fm, before moving forward.

“We learned this over the weekend, and we decided that, look, we can’t leave her out there,” Sheriff Judd said, referring to the older girl. “Who else is she going to torment? Who else is she going to harass? Who is the next person she verbally abuses and attacks?”

He said the older girl told the police that her account had been hacked, and that she had not posted the comment.

“She forced this arrest today,” Sheriff Judd said.

Rebecca was bullied from December 2012 to February 2013, according to the probable cause affidavit. But her mother, Tricia Norman, has said the bullying began long before then and continued until Rebecca killed herself.

The older of the two girls acknowledged to the police that she had bullied Rebecca. She said she had sent Rebecca a Facebook message saying that “nobody” liked her, the affidavit said. The girl also texted Rebecca that she wanted to “fight” her, the police said. But the bullying did not end there; Rebecca was told to “kill herself” and “drink bleach and die” among other things, the police added.

The bullying contributed to Rebecca’s suicide, the sheriff said.

Brimming with outrage and incredulity, the sheriff said in a news conference on Tuesday that he was stunned by the older girl’s Saturday Facebook posting. But he reserved his harshest words for the girl’s parents for failing to monitor her behavior, after she had been questioned by the police, and for allowing her to keep her cellphone.

“I’m aggravated that the parents are not doing what parents should do: after she is questioned and involved in this, why does she even have a device?” Sheriff Judd said. “Parents, who instead of taking that device and smashing it into a thousand pieces in front of that child, say her account was hacked.”

The police said the dispute with Rebecca began over a boy. The older girl was upset that Rebecca had once dated her boyfriend, they said.

“She began to harass and ultimately torment Rebecca,” said the sheriff, describing the 14-year-old as a girl with a long history of bullying behavior.

The police said the older girl began to turn Rebecca’s friends against her, including her former best friend, the 12-year-old who was charged. She told anyone who tried to befriend Rebecca that they also would be bullied, the affidavit said.

The bullying leapt into the virtual world, Sheriff Judd said, and Rebecca began receiving sordid messages instructing her to “go kill yourself.” The police said Rebecca’s mother was reluctant to take her cellphone away because she did not want to alienate her daughter and wanted her to be able to communicate with her friends. Ms. Norman tried, she has said, to monitor Rebecca’s cellphone activity.

In December, the bullying grew so intense that Rebecca began cutting herself and was sent to a hospital by her mother to receive psychiatric care. Ultimately, her mother pulled her out of Crystal Lake Middle School. She home schooled her for a while and then enrolled her in a new school in August.

But the bullying did not stop.

“As a child, I can remember sticks and stones can break your bones but words will never hurt you,” the sheriff said. “Today, words stick because they are printed and they are there forever.”

Some of the messages were sent using a variety of social media smartphone messaging and photo-sharing applications, including ask.fm and Kik Messenger, that parents have a difficult time keeping track of.

“Watch what your children do online,” Sheriff Judd said. “Pay attention. Quit being their best friend and be their best parent. That’s important.”

    Felony Counts for 2 in Suicide of Bullied 12-Year-Old, NYT, 15.10.2013,






Let’s Build a More Secure Internet


October 8, 2013
The New York Times


ARLINGTON, Va. — CAN we ever trust the Internet again?

In the wake of the disclosures about the National Security Agency’s surveillance programs, considerable attention has been focused on the agency’s collaboration with companies like Microsoft, Apple and Google, which according to leaked documents appear to have programmed “back door” encryption weaknesses into popular consumer products and services like Hotmail, iPhones and Android phones.

But while such vulnerabilities are worrisome, equally important — and because of their technical nature, far less widely understood — are the weaknesses that the N.S.A. seems to have built into the very infrastructure of the Internet. The agency’s “upstream collection” capabilities, programs with names like Fairview and Blarney, monitor Internet traffic as it passes through the guts of the system: the cables and routers and switches.

The concern is that even if consumer software companies like Microsoft and telecommunications companies like AT&T and Verizon stop cooperating with the N.S.A., your online security will remain compromised as long as the agency can still take advantage of weaknesses in the Internet itself.

Fortunately, there is something we can do: encourage the development of an “open hardware” movement — an extension of the open-source movement that has led to software products like the Mozilla browser and the Linux operating system.

The open-source movement champions an approach to product development in which there is universal access to a blueprint, as well as universal ability to modify and redistribute the blueprint. Wikipedia is perhaps the best-known example of a product inspired by the movement. Open-source advocates typically emphasize two kinds of freedom that their products afford: they are available free of charge, and they can be used and manipulated free of restrictions.

But there is a third kind of freedom inherent in open-source systems: the freedom to audit. With open-source software, independent security experts can scrutinize the code for vulnerabilities — whether accidentally or intentionally introduced. The more auditing by the programming masses, the better the security. As the open-source software advocate Eric S. Raymond has put it, “given enough eyeballs, all bugs are shallow.”

Perhaps the greatest open-source success story is the Internet itself — at least its “soft” parts. The Internet’s communications protocols and the software that implements them are collaboratively engineered by loose networks of programmers working outside the control of any single person, company or government. The Internet Engineering Task Force, which develops core Internet protocols, does not even have formal membership and seeks contributions from developers all over the world.

But the problem is that the physical layer of the Internet’s infrastructure — the hardware that transmits, directs and relays traffic online, as well as its closely knit software (or “firmware”) — is not open-source. It is made by commercial computing companies like Cisco, Hewlett-Packard and Juniper Networks according to proprietary designs, and then sold to governments, universities, private companies and anyone else who wants to set up a network.

There is reason to be skeptical about the security of these networking products. The hardware firms that make them often compete for contracts with the United States military and presumably face considerable pressure to maintain good relations with the government. It stands to reason that such pressure might lead companies to collaborate with the government on surveillance-related requests.

Because these hardware designs are closed to public scrutiny, it is relatively easy for surveillance at the Internet’s infrastructural level to go undetected. To make the Internet less susceptible to mass surveillance, we need to recreate the physical layer of its infrastructure on the basis of open-source principles.

At the moment, the open hardware movement is limited mostly to hobbyists — engineers who use the Internet to collaboratively build “open” devices like the RepRap 3D printer. But the Internet community, through a concerted effort like the one that currently sustains the Internet’s software architecture, could also develop open-source, Internet-grade hardware. Governments like Brazil’s that have forsworn further involvement with American Internet companies could adopt such nonproprietary equipment designs and have them manufactured locally, free from any N.S.A. interference.

The result would be Internet infrastructure, both hardware and software, that was 100 percent open and auditable.

But never, of course, 100 percent secure. The N.S.A. could still try to exploit the Internet’s open hardware. And of course, open hardware would do little to prevent the government from reading e-mail if it still had the cooperation of companies like Microsoft or Google. Open hardware is not a panacea.

Still, open hardware would at a minimum make the N.S.A.’s Internet surveillance efforts more difficult and less effective. And it would increase the difficulty of surveillance not just for the N.S.A. but also for foreign governments that might otherwise piggyback on N.S.A.-introduced security vulnerabilities.

A 100 percent open-infrastructure Internet — a trustworthy Internet — would be an important step in the empowerment of individuals against their governments the world over.


Eli Dourado is a research fellow with the technology policy program at the Mercatus Center at George Mason University.

    Let’s Build a More Secure Internet, NYT, 8.10.2013,






Google Accused of Wiretapping

in Gmail Scans


October 1, 2013
The New York Times


SAN FRANCISCO — Wiretapping is typically the stuff of spy dramas and shady criminal escapades. But now, one of the world’s biggest Web companies, Google, must defend itself against accusations that it is illegally wiretapping in the course of its everyday business — gathering data about Internet users and showing them related ads.

The accusations, made over several years in various lawsuits that have been merged into two separate cases, ask whether Google went too far in collecting user data in Gmail and Street View, its mapping project. Two federal judges have ruled, over Google’s protests, that both cases can move forward.

The wiretapping rulings are the latest example of judges and regulators prodding Google over privacy violations. The company is on the defensive, struggling to persuade overseers and its users that it protects consumer data, while arguing that the law is stuck in the past and has failed to keep up with new technologies.

“It’s been a bad month for Google,” said Alan Butler, a lawyer at the Electronic Privacy Information Center. “What’s at stake is a core digital privacy issue for consumers right now, which is the extent to which their digital communications are protected from use by third parties.”

For the most part, Google has managed to avoid major privacy penalties. The Gmail case could have broad effects, though, because nearly half a billion people worldwide use the service, and because if it is, as expected, certified as a class action, the fines could be enormous. At the same time, the case could have long-term consequences for all e-mail services — including those from Yahoo and Microsoft — and for the issue of how confidential online data is.

“This ruling has the potential to really reshape the entire e-mail industry,” said Eric Goldman, director of the High Tech Law Institute at Santa Clara University School of Law.

The Gmail case involves Google’s practice of automatically scanning e-mail messages and showing ads based on the contents of the e-mails. The plaintiffs include voluntary Gmail users, people who have to use Gmail as part of an educational institution and non-Gmail users whose messages were received by a Gmail user. They say the scanning of the messages violates state and federal antiwiretapping laws.

The case revives a short-lived uproar over Gmail ads when Google introduced them in 2004. Microsoft has recently tried to call attention to the practice as part of its Scroogled campaign, including a video that shows a so-called Gmail man reading people’s e-mail. Google has continued to show new types of ads in Gmail, including ads that look like e-mails.

“Google uses Gmail as its own secret data-mining machine, which intercepts, warehouses, and uses, without consent, the private thoughts and ideas of millions of unsuspecting Americans who transmit e-mail messages through Gmail,” lawyers for the plaintiffs argued on July 11, opposing Google’s motion to dismiss the case. On Thursday, Judge Lucy H. Koh of Federal District Court denied Google’s motion in a 43-page order that fought the company at almost every turn.

Judge Koh is highly respected in Silicon Valley, with a reputation for being fearless. During the Apple-Samsung patent trial, she made headlines for asking an Apple lawyer if he was “smoking crack.”

In this case, she came down hard on Google.

In the June 13 motion to dismiss the suit, Google said the plaintiffs were trying to “criminalize ordinary business practices.” It argued that the scanning of Gmail messages was automated, with no human review, and was no different from the processes it uses to detect spam or viruses, offer in-box searching or filter messages into folders. It said users had consented to it by agreeing to Google’s terms of service and privacy policy.

In a section of the motion that was widely noted, Google also argued that non-Gmail users had no expectation of privacy when corresponding with Gmail users.

“Just as a sender of a letter to a business colleague cannot be surprised that the recipient’s assistant opens the letter, people who use Web-based e-mail today cannot be surprised if their communications are processed by the recipient’s” e-mail provider, the lawyers wrote.

Federal wiretap law exempts interception of communication if it is necessary in a service provider’s “ordinary course of business,” which Google said included scanning e-mail. That argument did not fly with Judge Koh.

“In fact, Google’s alleged interception of e-mail content is primarily used to create user profiles and to provide targeted advertising — neither of which is related to the transmission of e-mails,” she wrote in last week’s ruling.

Judge Koh also dismissed Google’s argument that Gmail users consented to the interception and that non-Gmail users who communicated with Gmail users also knew that their messages could be read.

“Accepting Google’s theory of implied consent — that by merely sending e-mails to or receiving e-mails from a Gmail user, a non-Gmail user has consented to Google’s interception of such e-mails for any purposes — would eviscerate the rule against interception,” she wrote.

A Google spokeswoman, Leslie Miller, and a lawyer for the company, Michael G. Rhodes of the law firm Cooley, declined to comment on the case beyond a company statement. “We’re disappointed in this decision and are considering our options,” it said. “Automated scanning lets us provide Gmail users with security and spam protection, as well as great features like Priority Inbox.”

Lawyers for the plaintiffs, Sean F. Rommel of Wyly Rommel and F. Jerome Tapley of Cory Watson, did not respond to requests for comment.

Also last week, Google asked the Court of Appeals for the Ninth Circuit to reconsider a Sept. 10 ruling that a separate wiretapping lawsuit could proceed. That one involves Google Street View vehicles that secretly collected personal information from unencrypted home computer networks.

The federal antiwiretapping law at the heart of both cases is part of the Electronic Communications Privacy Act, a 1986 law that has been under fire for years for not taking into account modern-day technology like e-mail.

“It’s not surprising we’re seeing courts struggle with applying the E.C.P.A.,” Mr. Goldman of Santa Clara said. “It’s a poorly drafted statute that has aged very poorly.”

    Google Accused of Wiretapping in Gmail Scans, NYT, 1.10.2013,






N.S.A. Gathers Data

on Social Connections of U.S. Citizens


September 28, 2013
The New York Times


WASHINGTON — Since 2010, the National Security Agency has been exploiting its huge collections of data to create sophisticated graphs of some Americans’ social connections that can identify their associates, their locations at certain times, their traveling companions and other personal information, according to newly disclosed documents and interviews with officials.

The spy agency began allowing the analysis of phone call and e-mail logs in November 2010 to examine Americans’ networks of associations for foreign intelligence purposes after N.S.A. officials lifted restrictions on the practice, according to documents provided by Edward J. Snowden, the former N.S.A. contractor.

The policy shift was intended to help the agency “discover and track” connections between intelligence targets overseas and people in the United States, according to an N.S.A. memorandum from January 2011. The agency was authorized to conduct “large-scale graph analysis on very large sets of communications metadata without having to check foreignness” of every e-mail address, phone number or other identifier, the document said. Because of concerns about infringing on the privacy of American citizens, the computer analysis of such data had previously been permitted only for foreigners.

The agency can augment the communications data with material from public, commercial and other sources, including bank codes, insurance information, Facebook profiles, passenger manifests, voter registration rolls and GPS location information, as well as property records and unspecified tax data, according to the documents. They do not indicate any restrictions on the use of such “enrichment” data, and several former senior Obama administration officials said the agency drew on it for both Americans and foreigners.

N.S.A. officials declined to say how many Americans have been caught up in the effort, including people involved in no wrongdoing. The documents do not describe what has resulted from the scrutiny, which links phone numbers and e-mails in a “contact chain” tied directly or indirectly to a person or organization overseas that is of foreign intelligence interest.

The new disclosures add to the growing body of knowledge in recent months about the N.S.A.’s access to and use of private information concerning Americans, prompting lawmakers in Washington to call for reining in the agency and President Obama to order an examination of its surveillance policies. Almost everything about the agency’s operations is hidden, and the decision to revise the limits concerning Americans was made in secret, without review by the nation’s intelligence court or any public debate. As far back as 2006, a Justice Department memo warned of the potential for the “misuse” of such information without adequate safeguards.

An agency spokeswoman, asked about the analyses of Americans’ data, said, “All data queries must include a foreign intelligence justification, period.”

“All of N.S.A.’s work has a foreign intelligence purpose,” the spokeswoman added. “Our activities are centered on counterterrorism, counterproliferation and cybersecurity.”

The legal underpinning of the policy change, she said, was a 1979 Supreme Court ruling that Americans could have no expectation of privacy about what numbers they had called. Based on that ruling, the Justice Department and the Pentagon decided that it was permissible to create contact chains using Americans’ “metadata,” which includes the timing, location and other details of calls and e-mails, but not their content. The agency is not required to seek warrants for the analyses from the Foreign Intelligence Surveillance Court.

N.S.A. officials declined to identify which phone and e-mail databases are used to create the social network diagrams, and the documents provided by Mr. Snowden do not specify them. The agency did say that the large database of Americans’ domestic phone call records, which was revealed by Mr. Snowden in June and caused bipartisan alarm in Washington, was excluded. (N.S.A. officials have previously acknowledged that the agency has done limited analysis in that database, collected under provisions of the Patriot Act, exclusively for people who might be linked to terrorism suspects.)

But the agency has multiple collection programs and databases, the former officials said, adding that the social networking analyses relied on both domestic and international metadata. They spoke only on the condition of anonymity because the information was classified.

The concerns in the United States since Mr. Snowden’s revelations have largely focused on the scope of the agency’s collection of the private data of Americans and the potential for abuse. But the new documents provide a rare window into what the N.S.A. actually does with the information it gathers.

A series of agency PowerPoint presentations and memos describe how the N.S.A. has been able to develop software and other tools — one document cited a new generation of programs that “revolutionize” data collection and analysis — to unlock as many secrets about individuals as possible.

The spy agency, led by Gen. Keith B. Alexander, an unabashed advocate for more weapons in the hunt for information about the nation’s adversaries, clearly views its collections of metadata as one of its most powerful resources. N.S.A. analysts can exploit that information to develop a portrait of an individual, one that is perhaps more complete and predictive of behavior than could be obtained by listening to phone conversations or reading e-mails, experts say.

Phone and e-mail logs, for example, allow analysts to identify people’s friends and associates, detect where they were at a certain time, acquire clues to religious or political affiliations, and pick up sensitive information like regular calls to a psychiatrist’s office, late-night messages to an extramarital partner or exchanges with a fellow plotter.

“Metadata can be very revealing,” said Orin S. Kerr, a law professor at George Washington University. “Knowing things like the number someone just dialed or the location of the person’s cellphone is going to allow them to assemble a picture of what someone is up to. It’s the digital equivalent of tailing a suspect.”

The N.S.A. had been pushing for more than a decade to obtain the rule change allowing the analysis of Americans’ phone and e-mail data. Intelligence officials had been frustrated that they had to stop when a contact chain hit a telephone number or e-mail address believed to be used by an American, even though it might yield valuable intelligence primarily concerning a foreigner who was overseas, according to documents previously disclosed by Mr. Snowden. N.S.A. officials also wanted to employ the agency’s advanced computer analysis tools to sift through its huge databases with much greater efficiency.

The agency had asked for the new power as early as 1999, the documents show, but had been initially rebuffed because it was not permitted under rules of the Foreign Intelligence Surveillance Court that were intended to protect the privacy of Americans.

A 2009 draft of an N.S.A. inspector general’s report suggests that contact chaining and analysis may have been done on Americans’ communications data under the Bush administration’s program of wiretapping without warrants, which began after the Sept. 11 attacks to detect terrorist activities and skirted the existing laws governing electronic surveillance.

In 2006, months after the wiretapping program was disclosed by The New York Times, the N.S.A.’s acting general counsel wrote a letter to a senior Justice Department official, which was also leaked by Mr. Snowden, formally asking for permission to perform the analysis on American phone and e-mail data. A Justice Department memo to the attorney general noted that the “misuse” of such information “could raise serious concerns,” and said the N.S.A. promised to impose safeguards, including regular audits, on the metadata program. In 2008, the Bush administration gave its approval.

A new policy that year, detailed in “Defense Supplemental Procedures Governing Communications Metadata Analysis,” authorized by Defense Secretary Robert M. Gates and Attorney General Michael B. Mukasey, said that since the Supreme Court had ruled that metadata was not constitutionally protected, N.S.A. analysts could use such information “without regard to the nationality or location of the communicants,” according to an internal N.S.A. description of the policy.

After that decision, which was previously reported by The Guardian, the N.S.A. performed the social network graphing in a pilot project for 1 ½ years “to great benefit,” according to the 2011 memo. It was put in place in November 2010 in “Sigint Management Directive 424” (sigint refers to signals intelligence).

In the 2011 memo explaining the shift, N.S.A. analysts were told that they could trace the contacts of Americans as long as they cited a foreign intelligence justification. That could include anything from ties to terrorism, weapons proliferation or international drug smuggling to spying on conversations of foreign politicians, business figures or activists.

Analysts were warned to follow existing “minimization rules,” which prohibit the N.S.A. from sharing with other agencies names and other details of Americans whose communications are collected, unless they are necessary to understand foreign intelligence reports or there is evidence of a crime. The agency is required to obtain a warrant from the intelligence court to target a “U.S. person” — a citizen or legal resident — for actual eavesdropping.

The N.S.A. documents show that one of the main tools used for chaining phone numbers and e-mail addresses has the code name Mainway. It is a repository into which vast amounts of data flow daily from the agency’s fiber-optic cables, corporate partners and foreign computer networks that have been hacked.

The documents show that significant amounts of information from the United States go into Mainway. An internal N.S.A. bulletin, for example, noted that in 2011 Mainway was taking in 700 million phone records per day. In August 2011, it began receiving an additional 1.1 billion cellphone records daily from an unnamed American service provider under Section 702 of the 2008 FISA Amendments Act, which allows for the collection of the data of Americans if at least one end of the communication is believed to be foreign.

The overall volume of metadata collected by the N.S.A. is reflected in the agency’s secret 2013 budget request to Congress. The budget document, disclosed by Mr. Snowden, shows that the agency is pouring money and manpower into creating a metadata repository capable of taking in 20 billion “record events” daily and making them available to N.S.A. analysts within 60 minutes.

The spending includes support for the “Enterprise Knowledge System,” which has a $394 million multiyear budget and is designed to “rapidly discover and correlate complex relationships and patterns across diverse data sources on a massive scale,” according to a 2008 document. The data is automatically computed to speed queries and discover new targets for surveillance.

A top-secret document titled “Better Person Centric Analysis” describes how the agency looks for 94 “entity types,” including phone numbers, e-mail addresses and IP addresses. In addition, the N.S.A. correlates 164 “relationship types” to build social networks and what the agency calls “community of interest” profiles, using queries like “travelsWith, hasFather, sentForumMessage, employs.”

A 2009 PowerPoint presentation provided more examples of data sources available in the “enrichment” process, including location-based services like GPS and TomTom, online social networks, billing records and bank codes for transactions in the United States and overseas.

At a Senate Intelligence Committee hearing on Thursday, General Alexander was asked if the agency ever collected or planned to collect bulk records about Americans’ locations based on cellphone tower data. He replied that it was not doing so as part of the call log program authorized by the Patriot Act, but said a fuller response would be classified.

If the N.S.A. does not immediately use the phone and e-mail logging data of an American, it can be stored for later use, at least under certain circumstances, according to several documents.

One 2011 memo, for example, said that after a court ruling narrowed the scope of the agency’s collection, the data in question was “being buffered for possible ingest” later. A year earlier, an internal briefing paper from the N.S.A. Office of Legal Counsel showed that the agency was allowed to collect and retain raw traffic, which includes both metadata and content, about “U.S. persons” for up to five years online and for an additional 10 years offline for “historical searches.”


James Risen reported from Washington and New York.

Laura Poitras, a freelance journalist, reported from Berlin.

    N.S.A. Gathers Data on Social Connections of U.S. Citizens, NYT, 28.9.2013






Victims Push Laws

to End Online Revenge Posts


September 23, 2013
The New York Times


He was a muscular guy with “kind of a nerdy kind of charm,” Marianna Taschinger recalled, a combination that proved irresistible to an 18-year-old girl in a small Texas town.

They dated, broke up, dated again. He asked her to pick out a wedding ring. He also made another request — that she take nude pictures of herself and send them to him.

“He said if I didn’t want to send them to him, that meant that I didn’t trust him, which meant that I didn’t love him,” Ms. Taschinger said.

The photos would never be shared with anyone else, she remembers him promising. And she believed him — until last December, more than a year after the couple broke up, when a dozen nude images of her popped up on a Web site focusing on what has become known as revenge porn. She is suing the site and her ex-boyfriend.

Revenge porn sites feature explicit photos posted by ex-boyfriends, ex-husbands and ex-lovers, often accompanied by disparaging descriptions and identifying details, like where the women live and work, as well as links to their Facebook pages. The sites, which are proliferating, are largely immune to criminal pursuit. But that may be changing. California lawmakers this month passed the first law aimed at revenge porn sites.

With cellphone cameras ubiquitous and many Americans giving in to the urge to document even the most intimate aspects of their lives, revenge porn has opened up new ways to wreak vengeance.

The effects can be devastating. Victims say they have lost jobs, been approached in stores by strangers who recognized their photographs, and watched close friendships and family relationships dissolve. Some have changed their names or altered their appearance.

“Sometimes I want to get into a fetal position and cry,” said Ms. Taschinger, 23, who added that she gave up her job at a restaurant and was stalked by a man who sat outside her house in a car.

But when victims call the police, they are invariably told there is little to be done. Lawsuits sometimes exact payments from men who post photographs or succeed in shutting down a site. But once the images are online they spread, picked up by dozens or even hundreds of other Web sites.

When Holly Jacobs, a woman in Florida, changed her name to dissociate herself from the photos posted by her ex-boyfriend, she found them linked to her new name. And the owners and operators of the Web sites are in most cases protected by federal law, which largely absolves them of responsibility for material posted by third parties.

“It’s just an easy way to make people unemployable, undatable and potentially at physical risk,” said Danielle Citron, a law professor at the University of Maryland, who is writing a book on online harassment.

As the sites have increased, legal scholars and women’s advocates have begun to push for criminal penalties for people who post on them. Only New Jersey has a law that would allow for criminal prosecution, although it was not written with revenge porn in mind.

But proposals have met opposition from critics who worry that such laws would infringe on the First Amendment. A bill addressing the issue failed in the Florida Legislature this year.

And even California’s law, which on Monday was awaiting Gov. Jerry Brown’s signature, would make only some forms of revenge posting a misdemeanor punishable by jail time or a hefty fine — applying only to photos taken by others and posted with an intent to cause serious distress.

“It has been watered down again and again as it has weaved its way through Sacramento,” said Charlotte Laws, who began pushing for legislation after pictures of her daughter, Kayla, 26, were posted on a site.

“What we really need is federal legislation,” Ms. Laws said.

Women who have been victimized by disgruntled exes have filed civil suits based on claims of copyright infringement, invasion of privacy or, in some cases, child pornography.

In Michigan, a federal judge last month issued a default judgment for more than $300,000 in a suit filed by a woman whose photos appeared on yougotposted. The Web site continues to operate despite at least four lawsuits filed against its operators, including one that alleges that the site published images of under-age girls. The alleged owners and operators of yougotposted have either not responded to the lawsuits or have denied the allegations.

Ms. Taschinger is one of 25 plaintiffs, five of them under age, who are suing Texxxan.com, along with its operators and GoDaddy, the company that hosted the now-defunct site, for invasion of privacy.

Ms. Taschinger’s ex-boyfriend, Eastwood Almazan, is also named, along with seven other men who the suit claims uploaded photos of plaintiffs. In a telephone interview, Mr. Almazan, 35, denied posting the images of Ms. Taschinger or any other women. He said he was not familiar with the Texxxan.com Web site and did not own a computer at the time the photographs appeared.

“I don’t know where they’re getting this information from,” Mr. Almazan said.

John Morgan, a lawyer in Beaumont, Tex., who represents Ms. Taschinger and the other plaintiffs, said that Texxxan.com is under investigation in Texas by the F.B.I.’s cybercrimes division and the Orange County Sheriff.

Aaron McKown, a lawyer representing GoDaddy, which has filed an appeal contending that Section 230 of the federal Communications Decency Act exempts it from liability for posted material, said in an e-mail that the company does not comment on pending legislation.

Messages left for a lawyer representing Hunter Taylor, the operator of the Web site, were not returned. (In a document filed with the court denying the allegations in the lawsuit, Mr. Taylor said, “Attempts to contact Hunter T. Taylor by the press will be of no use, as there will be no comment.”)

Revenge porn first drew public attention in 2011, when Hunter Moore, the unapologetic creator of a site called isanyoneup.com, said in a television interview with Anderson Cooper that he had no qualms about profiting from public revenge.

“Why would I?” Mr. Moore said. “I get to look at naked girls all day.”

Mr. Moore — who shut down the Web site in 2012 but was reported to have earned $10,000 a month in advertising when it was operational — drew outrage, including from the hacker collective Anonymous. In a video announcing the creation of “Operation Hunt Hunter,” the group called Mr. Moore a capitalist who “makes money off of the misery of others” and said, “We will hold him accountable for his actions.” Mr. Moore is under investigation by the F.B.I.

Not everyone agrees that criminalizing revenge porn is the best strategy. Marc Randazza, a Nevada lawyer who represents plaintiffs against yougotposted, says that he thinks civil remedies are preferable.

“As horrible as I think people are who do this,” he said, “do we really need another law to put more people in jail in the United States?”

And some experts, like Eric Goldman, a law professor at Santa Clara University, have said that any state law would be vulnerable to First Amendment challenges.

But Eugene Volokh, a First Amendment scholar at the University of California, Los Angeles, said he saw no constitutional obstacle to a law written narrowly to address naked or sexual images distributed without permission.

“I think that’s a kind of invasion of privacy that the courts would say can be prohibited,” he said.

An example of what such a law might look like has been drafted by a law professor at the University of Miami, Mary Anne Franks, and posted on the Web site endrevengeporn.org, founded by Ms. Jacobs.

Professor Franks said that opposition to legislation often stems from a blame-the-victim attitude that holds women responsible for allowing photographs to be taken in the first place, an attitude similar in her view to blaming rape victims for what they wear or where they walk.

“The moment the story is that she voluntarily gave this to her boyfriend, all the sympathy disappears,” she said.

Ms. Taschinger said even now, her friends continued to send nude pictures of themselves to their boyfriends.

“You don’t want to really think that five years down the line, your boyfriend at the time could be your not-boyfriend and do something really bad to you,” she said.

    Victims Push Laws to End Online Revenge Posts, NYT, 23.9.2013






Biometric Technology Takes Off


September 20, 2013
The New York Times


The use of biological markers like fingerprints, faces and irises to identify people is rapidly moving from science fiction to reality. Apple’s latest iPhone, which went on sale this week, can be unlocked with a fingerprint. Users of Android smartphones can unlock their devices with a glance. And the Federal Bureau of Investigation is developing facial recognition technology that would allow it to pinpoint criminals and suspects in large crowds of people with closed-circuit cameras.

Once so expensive that it was used only by the military or high-tech companies, biometric technology has become so commonplace that even some schools and hospitals are using it. Its adoption could make sensitive information more secure than conventional identification cards or passwords, which can be easily forgotten, lost or hacked. But it also has the potential to undermine privacy, which has been greatly compromised by recent revelations about government surveillance of phone and Internet communications.

In fact, biometrics are not as safe as is often thought. A 2010 report from the National Research Council concluded that such systems are “inherently fallible” because they identify people within certain degrees of certainty and because biological markers are relatively easy to copy. For example, people leave their fingerprints on everything they touch, which makes those fingerprints available to any determined spy or law enforcement agent. Experts have shown that fingerprints and other markers can be copied, giving hackers and thieves access to private information. And once compromised, fingerprints cannot be reset, like passwords, or replaced, like passports.

If proper safeguards are not put in place, the use of some biometrics, like facial-recognition technology, can also be used to conduct intrusive surveillance of individuals or groups of people by governments and private companies. Using facial-recognition software to match databases of photos with images from security cameras in public spaces and private buildings can help law enforcement agencies spot and track dangerous criminals. But the same technology can just as easily be abused to target political activists or protesters. Retailers could use such systems to snoop on their customers’ shopping behavior so that they could later target specific ads and offers to those customers. Facebook already uses software to determine whether photos that users upload to the site contain the images of their friends, though the company does let users opt out of the system.

Even as the use of such technology has expanded rapidly, there has been little public debate about its use. Most federal and state laws do not directly address the collection and use of biological markers by businesses and the government. Some lawmakers, like Senator Al Franken, Democrat of Minnesota, have asked the F.B.I. and companies like Apple and Facebook to explain how they use biometrics. But Congress must do more by enacting legislation that governs how this technology is used, to make sure it does not compromise privacy rights.

    Biometric Technology Takes Off, NYT, 20.9.2013






Girl’s Suicide Points to Rise in Apps

Used by Cyberbullies


September 13, 2013
The New York Times


MIAMI — The clues were buried in her bedroom. Before leaving for school on Monday morning, Rebecca Ann Sedwick had hidden her schoolbooks under a pile of clothes and left her cellphone behind, a rare lapse for a 12-year-old girl.

Inside her phone’s virtual world, she had changed her user name on Kik Messenger, a cellphone application, to “That Dead Girl” and delivered a message to two friends, saying goodbye forever. Then she climbed a platform at an abandoned cement plant near her home in the Central Florida city of Lakeland and leaped to the ground, the Polk County sheriff said.

In jumping, Rebecca became one of the youngest members of a growing list of children and teenagers apparently driven to suicide, at least in part, after being maligned, threatened and taunted online, mostly through a new collection of texting and photo-sharing cellphone applications. Her suicide raises new questions about the proliferation and popularity of these applications and Web sites among children and the ability of parents to keep up with their children’s online relationships.

For more than a year, Rebecca, pretty and smart, was cyberbullied by a coterie of 15 middle-school children who urged her to kill herself, her mother said. The Polk County sheriff’s office is investigating the role of cyberbullying in the suicide and considering filing charges against the middle-school students who apparently barraged Rebecca with hostile text messages. Florida passed a law this year making it easier to bring felony charges in online bullying cases.

Rebecca was “absolutely terrorized on social media,” Sheriff Grady Judd of Polk County said at a news conference this week.

Along with her grief, Rebecca’s mother, Tricia Norman, faces the frustration of wondering what else she could have done. She complained to school officials for several months about the bullying, and when little changed, she pulled Rebecca out of school. She closed down her daughter’s Facebook page and took her cellphone away. She changed her number. Rebecca was so distraught in December that she began to cut herself, so her mother had her hospitalized and got her counseling. As best she could, Ms. Norman said, she kept tabs on Rebecca’s social media footprint.

It all seemed to be working, she said. Rebecca appeared content at her new school as a seventh grader. She was gearing up to audition for chorus and was considering slipping into her cheerleading uniform once again. But unknown to her mother, Rebecca had recently signed on to new applications — ask.fm, and Kik and Voxer — which kick-started the messaging and bullying once again.

“I had never even heard of them; I did go through her phone but didn’t even know,” said Ms. Norman, 42, who works in customer service. “I had no reason to even think that anything was going on. She was laughing and joking.”

Sheriff Judd said Rebecca had been using these messaging applications to send and receive texts and photographs. His office showed Ms. Norman the messages and photos, including one of Rebecca with razor blades on her arms and cuts on her body. The texts were full of hate, her mother said: “Why are you still alive?” “You’re ugly.”

One said, “Can u die please?” To which Rebecca responded, with a flash of resilience, “Nope but I can live.” Her family said the bullying began with a dispute over a boy Rebecca dated for a while. But Rebecca had stopped seeing him, they said.

Rebecca was not nearly as resilient as she was letting on. Not long before her death, she had clicked on questions online that explored suicide. “How many Advil do you have to take to die?”

In hindsight, Ms. Norman wonders whether Rebecca kept her distress from her family because she feared her mother might take away her cellphone again.

“Maybe she thought she could handle it on her own,” Ms. Norman said.

It is impossible to be certain what role the online abuse may have played in her death. But cyberbullying experts said cellphone messaging applications are proliferating so quickly that it is increasingly difficult for parents to keep pace with their children’s complex digital lives.

“It’s a whole new culture, and the thing is that as adults, we don’t know anything about it because it’s changing every single day,” said Denise Marzullo, the chief executive of Mental Health America of Northeast Florida in Jacksonville, who works with the schools there on bullying issues.

No sooner has a parent deciphered Facebook or Twitter or Instagram than his or her children have migrated to the latest frontier. “It’s all of these small ones where all this is happening,” Ms. Marzullo said.

In Britain, a number of suicides by young people have been linked to ask.fm, and online petitions have been started there and here to make the site more responsive to bullying. The company ultimately responded this year by introducing an easy-to-see button to report bullying and saying it would hire more moderators.

“You hear about this all the time,” Ms. Norman said of cyberbullying. “I never, ever thought it would happen to me or my daughter.”

Questions have also been raised about whether Rebecca’s old school, Crystal Lake Middle School, did enough last year to help stop the bullying; some of it, including pushing and hitting, took place on school grounds. The same students also appear to be involved in sending out the hate-filled online messages away from school, something schools can also address.

Nancy Woolcock, the assistant superintendent in charge of antibullying programs for Polk County Schools, said the school received one bullying complaint from Rebecca and her mother in December about traditional bullying, not cyberbullying. After law enforcement investigated, Rebecca’s class schedule was changed. Ms. Woolcock said the school also has an extensive antibullying campaign and takes reports seriously.

But Ms. Norman said the school should have done more. Officials told her that Rebecca would receive an escort as she switched classes, but that did not happen, she said.

Rebecca never boarded her school bus on Monday morning. She made her way to the abandoned Cemex plant about 10 minutes away from her modest mobile home; the plant was a place she had used as a getaway a few times when she wanted to vanish. Somehow, she got past the high chain-link fence topped with barbed wire, which is now a memorial, with teddy bears, candles and balloons. She climbed a tower and then jumped.

“Don’t ignore your kids,” Ms. Norman said, “even if they seem fine.”


Lance Speere contributed reporting from Lakeland, Fla., and Alan Blinder from Atlanta.

    Girl’s Suicide Points to Rise in Apps Used by Cyberbullies, NYT, 13.9.2013






Obama, Snowden and Putin


August 13, 2013
The New York Times


You only get one chance to make a second impression. It seems to me that Edward Snowden should use his and that Russian President Vladimir Putin has blown his.

Considering the breadth of reforms that President Obama is now proposing to prevent privacy abuses in intelligence gathering, in the wake of Snowden’s disclosures, Snowden deserves a chance to make a second impression — that he truly is a whistle-blower, not a traitor. The fact is, he dumped his data and fled to countries that are hostile to us and to the very principles he espoused. To make a second impression, Snowden would need to come home, make his case and face his accusers. It would mean risking a lengthy jail term, but also trusting the fair-mindedness of the American people, who, I believe, will not allow an authentic whistle-blower to be unfairly punished.

As for Putin, he blew his second impression — the reset in U.S.-Russian relations — long before he granted Snowden asylum. Dealing with Putin always involved a certain trade-off for America: accepting a degree of Putin authoritarianism in return for cooperation on global issues that mattered to us, as long as Putin “sort of” kept Russia moving toward a more open, consensual society. But the balance is not there anymore. Putin’s insistence on blocking any diplomacy on Syria that might move out “his guy,” President Bashar al-Assad, his abuse of Russian gays and lesbians, and his blatant use of rule-by-law tactics to silence any critics mean that we’re not getting anything from this relationship anymore, nor are many Russians.

But rather than punch Putin in the face, which would elevate him with his followers, it would be much better to hit him where it would really hurt by publicly challenging the notion that he is making Russia strong.

Here’s what Obama could have said when asked about Putin last week: “You know, back in 1979, President Putin’s brutal Soviet predecessors sent us Sergey Brin and his family. As you know, Brin later became the co-founder of Google. That was Russia’s loss, but a gift to us and to the world. We could not have enjoyed the benefits of search had the Soviets not made life so unattractive for Brin’s family. I make that point because Putin doesn’t seem interested in making life attractive in today’s Russia for the Sergey Brins of his generation. Putin only seems interested in sticking pipes in the ground and extracting oil and gas — rather than the talents of his own young people — and making sure that he and his cronies get their cut of the oil flow.

“Look what Putin just did. Sergei Guriev is one of the most talented of Russia’s new-generation economists. He was rector of one of the few world-class academic institutions left in Russia today: the New Economic School. Guriev was a loyal, liberal adviser to former President Dmitri Medvedev, but after he co-authored a report that criticized the conviction of Mikhail Khodorkovsky, the imprisoned oil magnate, Putin’s goons began to harass him. He said they even demanded his e-mails going back five years. (Snowden beware.) Well, in the spring, Guriev fled to France, saying he feared losing his freedom, and he says he’s not going back.

“Sergei Guriev, come to America. Bring your friends. Bring the members of that band Putin put in jail, Pussy Riot, too. No creative person has any future in Putin’s Russia because he doesn’t understand the present: There are no ‘developed’ and ‘developing’ countries anymore. There are only H.I.E.’s (high imagination-enabling countries) and L.I.E.’s (low imagination-enabling countries). That is, countries that nurture innovation and innovators and those that don’t — in a world where so many more people can turn ideas into products, services, companies and jobs faster and cheaper than ever. Putin is building a political monoculture that will make Russia the lowest of low imagination-enabling countries.

“Putin prefers to rely instead on less educated, xenophobic rural populations, who buy into his anti-American, anti-gay trope that the world just wants to keep Russia down. As the revolution in hydraulic fracturing, horizontal drilling and energy efficiency spreads around the world, and oil and gas prices fall, Putin’s failure to invest in Russia’s human talent — which he won’t do because it means empowering and freeing them from his grasp — will become a big problem for Russia.”

That’s what I would have said. Do we lose anything by not having Putin’s help? You bet. Those who say we don’t need Russia are wrong. There is no major problem in the world today — Syria, Afghanistan, Egypt, cybercrime, climate or drugs — that would not be easier to solve if the U.S. and Russia worked together. (It’s why I opposed NATO expansion.) But running against America is now essential to Putin’s domestic survival.

So there is no sense wasting more time with him. While he will not help us, he can’t do us serious harm. He can and is doing serious harm to Russia, by putting loyalty to him before competence. Any system that does that for long, dies.

You can Google it.

    Obama, Snowden and Putin, NYT, 13.8.2013






Facebook Is Erasing Doubts on Mobile


July 24, 2013
The New York Times


If Facebook were a car, it just went from zero to 60 mph in six seconds.

The social networking company said Wednesday that it had revved up its mobile advertising from virtually nothing a year ago to 41 percent of its total ad revenue of $1.6 billion in the second quarter.

“Soon we’ll have more revenue on mobile than desktop,” Mark Zuckerberg, Facebook’s founder and chief executive, said in a conference call with analysts.

Facebook’s results elated investors, who sent the company’s stock up nearly 17 percent, to $30.94, in after-hours trading.

Analysts said the strong performance dissipated lingering worries that the company could not adapt to the current Internet environment, in which users are relying more on mobile devices instead of personal computers to access the information they want.

Those concerns have dogged the company since its disappointing initial public offering in May 2012, in which it sold shares at $38 and then saw them fall by half.

“One of the biggest overhangs from their I.P.O. is that this company had been blindsided by mobile,” said Mark Mahaney, an analyst with RBC Capital Markets. “They caught up. Instead of being behind the curve on mobile, they are ahead of the curve.”

The company said it had net income of $333 million, or 13 cents a share, in the second quarter. Excluding stock-based compensation expenses, profits were $488 million or 19 cents a share, compared with $295 million, or 12 cents a share, in the second quarter a year ago.

The company’s revenue soared 53 percent, to $1.81 billion.

Facebook had particularly strong demand for ads that appear in its users’ news feeds, the flow of updates from friends that they see when they log on. About 1 in 20 posts in the news feed is an ad, and advertisers cannot seem to get enough of them.

The company expects those ads to continue to grow in the second half, its chief financial officer, David Ebersman, said in a conference call with analysts.

One concern for the future is whether Facebook will annoy its users if it significantly increases the number of ads in news feeds, said Debra Aho Williamson, an analyst with eMarketer, a research firm.

“How many ads will people tolerate?” she asked.

Mr. Zuckerberg said Facebook’s studies had shown that users were noticing ads more, and the company was working to improve the quality and relevance of ads.

Facebook is also studying when and how to introduce video ads, which are expected to command at least several hundred thousand dollars each.

“We have nothing to announce today,” Facebook’s chief operating officer, Sheryl Sandberg, said in an interview. But she said video was “tremendously important” for users as well as marketers. Videos made and shared through Facebook’s new video feature in Instagram are growing quickly.

The company’s results also show how its users are continuing to shift toward mobile phones and tablets to use the site instead of a computer’s Web browser. Although the company’s total number of active monthly users worldwide grew slightly from the first quarter, to 1.15 billion, the number of people who use its mobile versions at least once a month grew 9 percent, to 819 million in that time.

Total ad revenue, a crucial measure watched by Wall Street, was $1.6 billion, up 61 percent from the second quarter of 2012. Of total ad revenue, 41 percent came from mobile, up from 30 percent in the first quarter.

“I think this shows that all the questions that people might have had in the past about whether Facebook could monetize on mobile devices, they’ve settled definitively,” Ms. Williamson said.

Users’ preference for reading Facebook on the go has created special revenue opportunities, like ads that prompt users to install mobile apps like games. But advertisers are generally willing to pay much less for a mobile ad than they are for the desktop.

The company’s sharp revenue growth reflects increased competition among advertisers to reach Facebook’s large user base, said Rob Jewell, chief executive of Spruce Media, a firm that helps advertisers like McDonald’s and the insurer Progressive to buy ads on the social network and measure their effectiveness.

Facebook’s ad rates are generally set through a bidding process, and Mr. Jewell said that his clients paid about 10 percent more on average for ads in the second quarter than in the first quarter. Ads in the news feed, both on the desktop and mobile versions of Facebook, were in particularly high demand, with rates up about 75 percent from the first quarter for both categories, he said.

“Facebook is the best channel for mobile app advertisers to purchase advertising,” Mr. Jewell said.

In the second quarter of 2012, the company reported a net loss of $743 million, or 8 cents a share. But that figure included $1.3 billion in compensation expenses related to the company’s initial public offering. In the year-ago quarter, Facebook’s revenue was $1.2 billion.

The company far exceeded Wall Street’s expectations. Analysts had predicted the company would report earnings of 14 cents a share, excluding stock compensation costs, on revenue of $1.62 billion, according to a survey by Thomson Reuters.

Facebook’s surprisingly strong second-quarter earnings contrasted with those of Google, which last week reported disappointing profits in mobile advertising.

While the two companies are not strictly comparable because Facebook is expanding its ads from a much smaller base, Ronald Josey, an analyst at JMP Securities, said Facebook was doing extremely well in mobile categories like ads prompting users to install new mobile applications.

“This company is becoming more and more of a mobile company,” he said.



This article has been revised to reflect the following correction:

Correction: July 24, 2013

An earlier version of this article misstated the title of Rob Jewell. He is the chief executive of Spruce Media, not the president.

    Facebook Is Erasing Doubts on Mobile, NYT, 24.7.2013






Facebook Shares

Touch a Symbolic Threshold


July 31, 2013
The New York Times


SAN FRANCISCO — It took more than a year, but Facebook’s stock has fought its way back.

On Wednesday morning, the company’s stock crossed an important psychological barrier, trading above $38 a share, the price at which Facebook, the world’s leading social network, first sold shares to the public in May 2012.

The catalyst for the rise was the company’s surprisingly strong second-quarter earnings report last Wednesday, which quelled many investors’ doubts about Facebook’s ability to make money from its legions of mobile users and suggested that the company’s profit stream would continue growing.

Since last week’s report, shares have risen about 34 percent. Early Wednesday, they briefly touched $38.31 a share, although they pulled back to end at $36.80 a share at the time the market closed.

The company’s shares hit a low of $17.55 last fall. Since then, investors have warmed to the company as its management demonstrated that it can increase profits and not just users.

“There was a perception that they hadn’t monetized the users they have,” said Aaron Kessler, an analyst at the Raymond James brokerage firm, referring to last summer, when Facebook’s stock was trading at half the current level.

These days, Wall Street sees revenue potential everywhere — from soon-to-come video ads in the Facebook news feed to the expansion of high-dollar ads targeted to specific swaths of Facebook users.

“Facebook was caught flat-footed by the shift to mobile,” said Mark S. Mahaney, an analyst with RBC Capital Markets. Now, he said, “they appear to be set up as a sustainable, high-growth business.”

Still, there are reasons to be concerned. Mobile messaging platforms like Snapchat and WhatsApp are grabbing the attention of many of Facebook’s younger users. Twitter is mounting a major effort to go after marketers, especially brands that typically advertise on television, as it prepares for its own likely public offering.

And Facebook risks turning off users with too many ads. About 1 in 20 items in the news feed, the main flow of items that a Facebook user sees, is an ad. During the company’s quarterly conference call with analysts, Facebook’s co-founder and chief executive, Mark Zuckerberg, said that users were beginning to notice the number of ads, suggesting that the company could not greatly increase their frequency without losing some users.

Nate Elliott, a principal analyst with Forrester Research, said Facebook users who visit the site on a computer’s browser still see too many cheap, poorly targeted ads on the right side of the page. “They’ve got to get much better at targeting,” he said.

Despite these worries, investors’ views of the company’s prospects have clearly changed.

Mr. Mahaney, whose firm has a $40 price target on the Facebook stock, said that analysts across Wall Street had increased their projections of the company’s financial performance. Analysts now expect Facebook to increase its profits 30 to 35 percent a year through 2015.

Because stocks tend to trade as a multiple of a company’s future profits, those upgrades last week sent Facebook’s stock soaring.

Facebook officials declined to comment on the stock rise on Wednesday. But for the company’s executives, who had urged investors to be patient as their strategy played out, the surge surely offers some vindication.

The company raised $16 billion from the initial public offering on May 18, 2012, vaulting it into the big leagues of American stocks, but problems struck immediately. The Nasdaq stock exchange botched the handling of buy and sell orders on the first day of trading — so badly, in fact, that regulators eventually fined Nasdaq $10 million for the fiasco.

In ensuing weeks, Facebook shares continued to fall. Instead of pouring into the stock, as they did a decade earlier with Google, many investors questioned whether Facebook’s stock was overpriced at $38 a share.

Particularly worrisome was Facebook’s seemingly nonexistent mobile strategy just as Internet users were abandoning PCs for their smartphones. The company’s smartphone and iPad applications were clunky, and it was generating no revenue from mobile ads.

Facebook’s management, including Mr. Zuckerberg, recognized the problem and began a crash course to revamp the company’s approach to mobile and better position the company for fast-growing emerging markets.

The company overhauled its apps, introduced ads into its users’ news feeds, and created a new category of revenue called app-install ads. With the app-install ads, a game maker, for example, can promote its new game in Facebook’s mobile software and give users an easy way to install the app with just a couple of clicks.

Facebook also introduced new advertising products meant to give marketers more ways to target specific groups of customers, which allowed the service to charge higher advertising rates.

While mobile advertising continues to grow, and was about 41 percent of Facebook’s ad revenue in the second quarter, investors are also looking to new areas of potential profit growth. Those include video advertising in the news feed, which is expected to begin later this year, and the possible sale of ads in Instagram, the fast-growing photo and video-sharing app that Facebook bought in 2012.

“All of those seem like relatively large low-hanging fruit, and they are starting to go after them,” Mr. Mahaney said.

    Facebook Shares Touch a Symbolic Threshold, NYT, 31.7.2013






A Mixed Verdict on Manning


July 30, 2013
The New York Times


Lurking just behind a military court’s conviction of Pfc. Bradley Manning, on charges that included multiple violations of the Espionage Act, is a national-security apparatus that has metastasized into a vast and largely unchecked exercise of government secrecy and the overzealous prosecution of those who breach it.

Private Manning, a 25-year-old former intelligence analyst who served in Iraq, was arrested in 2010 and charged with the largest military leak in United States history. Private Manning shared 700,000 documents with the antisecrecy group WikiLeaks, and several international news organizations, including The New York Times, published extensive excerpts and articles on the documents.

Private Manning’s original leaks seemed careless in some ways, including names and details of American operations that The Times and other organizations did not publish. But there was also real value for the public in the documents about the conduct of the war in Iraq, including a video of a military helicopter shooting at two vans and killing civilians, including two Reuters journalists.

The judge in the court-martial, Col. Denise Lind, was wise to acquit Private Manning on the most serious charge against him — that he had “aided the enemy,” in this case Al Qaeda, by uploading the documents to the Internet, where he should have known Al Qaeda would be able to get them. Aiding the enemy is punishable by death. To convict under this law without requiring at least an intent to communicate with an enemy would have severely chilling implications for free speech, particularly in the age of the Internet.

There is no question that Private Manning broke laws. In February he pleaded guilty to 10 of the less serious charges against him, which exposed him to up to 20 years in prison. But prosecutors continued to press the more serious charges, which included violations of the Espionage Act, a 1917 law that has become the Obama administration’s hobbyhorse to go after government workers whose actions look nothing like spying. Under President Obama, the government has brought espionage charges more than twice as often under that particular law as all previous administrations combined.

Americans accept that material must be classified in the interest of national security. But that acceptance is severely tested when the government classifies more than 92 million documents in a year. In addition to the administration’s overuse of the Espionage Act and its overly aggressive leak investigations, the trust between the government and the public has been strained by the National Security Agency’s indiscriminate collection of all Americans’ telephone logs, based on a spurious reinterpretation of the Patriot Act.

The administration’s effort to chill connections between the news media and confidential sources in government did not work with Edward Snowden, who revealed the phone records sweep last month. And there are 4.2 million people who have security clearance to view classified information. But investigative journalists are reasonably concerned that prosecutions will cut off their access to critical sources of information.

When he entered his guilty plea, Private Manning said he was trying to shed light on the “day-to-day reality” of American war efforts. He hoped the information “could spark a debate about foreign policy in relation to Iraq and Afghanistan.” These are not the words of a man intent on bringing down the government. On the contrary, Private Manning continues to express his devotion to his country, despite being held without trial for three years, nine months of which amounted to punitive and abusive solitary confinement.

Private Manning still faces the equivalent of several life sentences on the espionage counts regarding disclosure of classified information. The government should satisfy itself with a more moderate sentence and then do something about its addiction to secrecy.

    A Mixed Verdict on Manning, NYT, 30.7.2013






Manning Is Acquitted of Aiding the Enemy


July 30, 2013
The New York Times


FORT MEADE, Md. — A military judge on Tuesday found Pfc. Bradley Manning not guilty of “aiding the enemy” for his release of hundreds of thousands of military and diplomatic documents to WikiLeaks for publication on the Internet, rejecting the government’s unprecedented effort to bring such a charge in a leak case.

But the judge in the court-martial, Col. Denise R. Lind, convicted Private Manning of six counts of violating the Espionage Act of 1917 and most of the other crimes he was charged with. He faces a theoretical maximum sentence of 136 years in prison, although legal experts said the actual term was likely to be much shorter.

While advocates of open government celebrated his acquittal on the most serious charge, the case still appears destined to stand as a fierce warning to any government employee who is tempted to make public vast numbers of secret documents. Private Manning’s actions lifted a veil on American military and diplomatic activities around the world, and engendered a broad debate over what information should become public, how the government treats leakers, and what happens to those who see themselves as whistle-blowers.

“We always hate to see a government employee who was trying to publicize wrongdoing convicted of a crime, but this case was unusual from the start because of the scope of his release,” said Gregg Leslie of the Reporters Committee for Freedom of the Press, adding, “Whistle-blowers always know they are taking risks, and the more they reveal the bigger the threat is against them.”

Colonel Lind said she would issue findings later that would explain her ruling on each of the charges. But she appeared to reject the government’s theory that an employee who gives information about national security matters to an organization that publishes it online for the world to see is guilty of aiding the enemy.

The premise of that theory is that the world includes not just ordinary people who might engage in socially valuable debate, but also enemies like Al Qaeda. Critics have said that it is not clear how giving information to WikiLeaks is different for legal purposes from giving it to traditional news organizations that publish online.

Yochai Benkler, a Harvard law professor who testified in Private Manning’s defense, praised the judge for making an “extremely important decision” that he portrayed as denying “the prosecution’s effort to launch the most dangerous assault on investigative journalism and the free press in the area of national security that we have seen in decades.”

But, he said, the decades of imprisonment that Private Manning could face “is still too high a price for any democracy to demand of its whistle-blowers.”

The sentencing phase will begin on Wednesday, with more than 20 witnesses scheduled to appear for both the prosecution and the defense. It could last for weeks; there are no sentencing guidelines or minimum sentences in the military justice system. Private Manning’s appeals could go on for years, legal experts said.

Eugene R. Fidell, who teaches military law at Yale Law School, said Private Manning would not be sentenced to anywhere near the 136-year maximum because Colonel Lind was likely to collapse some charges so he did not “get punished twice for the same underlying conduct.”

The case has arisen amid a crackdown by the Obama administration on leaks and a debate about government secrecy. Private Manning is one of seven people to be charged in connection with leaking to the news media during the Obama administration; during all previous administrations, there were three.

The Justice Department recently won an appeals court ruling forcing James Risen, a reporter for The New York Times and an author, to testify in the criminal trial of a former intelligence official accused of being his source. And it has used aggressive tactics in secretly subpoenaing communications records of reporters for Fox News and The Associated Press.

Most reporters watched the proceedings from a closed-circuit feed in a filing center. One who was inside the small courtroom said that Private Manning, 25, appeared relaxed when he entered the room. But as the hour drew near he grew more stoic, and he showed no emotion as he stood while Colonel Lind marched through the litany of charges.

The “aiding the enemy” charge was the first in the list, and she said “not guilty.” But she quickly moved into a long list of guilty findings for the bulk of the remaining charges, including six counts of violating the Espionage Act, five of stealing government property, and one violation of the Computer Fraud and Abuse Act. Each carries up to a 10-year sentence.

Colonel Lind accepted Private Manning’s guilty pleas on two lesser counts, one of which involved leaking a video of an American helicopter attack in Baghdad. She also found him not guilty of leaking in 2009 a video of an airstrike in Afghanistan; he had admitted leaking it, but said he did so later than the time in the charge.

Steven Aftergood, the director of the project on government secrecy for the Federation of American Scientists, called Private Manning’s many other convictions “a weighty verdict that the prosecution would count as a win,” but he argued that the “larger significance of the case” for open government may be limited, since most leakers do not disclose entire databases.

Months before the trial, Private Manning confessed to being WikiLeaks’ source for videos of airstrikes in which civilians were killed; incident reports from the Afghanistan and Iraq wars; dossiers on detainees at Guantánamo Bay, Cuba; and about 250,000 diplomatic cables.

Private Manning also pleaded guilty to a lesser version of the charges against him, although that was not part of any bargain with prosecutors. The move was unusual, and it appeared aimed at trying to persuade the judge to view Private Manning as having taken responsibility for his actions, while recasting the trial as a test of whether the government had brought excessive charges in the case.

The government elected to press forward with trying to convict Private Manning of the more serious charges. Prosecutors portrayed him as an “anarchist” and a “traitor” who recklessly endangered lives out of a desire to “make a splash.” The defense portrayed him as a young, naïve, but good-intentioned humanist who wanted to prompt debate and change.

Hours before the verdict, about two dozen supporters of Private Manning gathered at the main gate to Fort Meade displaying signs with messages like “whistle-blowers keep us honest.” After the verdict, his supporters announced a protest rally Tuesday in front of the White House.

But Representatives Mike Rogers of Michigan and C. A. Dutch Ruppersberger of Maryland, the top Republican and Democrat on the House Intelligence Committee, praised the verdict.

“Justice has been served today,” they said in a statement. “Pfc. Manning harmed our national security, violated the public’s trust, and now stands convicted of multiple serious crimes.”

    Manning Is Acquitted of Aiding the Enemy, NYT, 30.7.2013






In the Beginning Was the Word;

Now the Word Is on an App


July 26, 2013
The New York Times


EDMOND, Okla. — More than 500 years after Gutenberg, the Bible is having its i-moment.

For millions of readers around the world, a wildly successful free Bible app, YouVersion, is changing how, where and when they read the Bible.

Built by LifeChurch.tv, one of the nation’s largest and most technologically advanced evangelical churches, YouVersion is part of what the church calls its “digital missions.” They include a platform for online church services and prepackaged worship videos that the church distributes free. A digital tithing system and an interactive children’s Bible are in the works.

It’s all part of the church’s aspiration to be a kind of I.T. department for churches everywhere. YouVersion, with over 600 Bible translations in more than 400 languages, is by far the church’s biggest success. The app is nondenominational, including versions embraced by Catholics, Russian Orthodox and Messianic Jews. This month, the app reached 100 million downloads, placing it in the company of technology start-ups like Instagram and Dropbox.

“They have defined what it means to access God’s word on a mobile device,” said Geoff Dennis, an executive vice president of Crossway, one of many Bible publishers — from small presses to global Bible societies to News Corporation’s Thomas Nelson imprint — that have licensed their translations, free, to the church.

When Jen Sears, 37, a human resources manager in Oklahoma City, wants to pray these days, she leaves her Bible behind and grabs her phone instead.

“I have my print Bible sitting on my dresser at home, but it hasn’t moved” in the four years since she downloaded YouVersion, Mrs. Sears said.

The app, marketed simply as “The Bible,” has brought new donors to LifeChurch.tv. About $3 million was given by a handful of large donors to support development of the app last year; the church raised nearly $60 million over all, according to its financial statements. The church says it will have spent almost $20 million over all on YouVersion by the end of this year.

The church was founded in 1996 by a team consisting mostly of former business executives. It is affiliated with the Evangelical Covenant Church, a wider association of 850 congregations, which gives its members wide latitude in their operations. It has 50,000 weekly attendees in 16 locations.

The Gutenberg behind YouVersion is the church’s 36-year-old “innovation pastor,” Bobby Gruenewald, whose training was in business, not religion.

Mr. Gruenewald grew up in Decatur, Ill., in an evangelical church, where as a teenager he started a Christian rap ministry. Later, he moved to Oklahoma to join his sixth-grade crush, now his wife, who left Illinois to study at Southern Nazarene University.

Here at the church’s headquarters, Mr. Gruenewald wears the same tennis shoes, slouchy jeans and T-shirts that suited him as a Christian rapper and small-time entrepreneur who bluffed his way into building Web sites, then ran a Web hosting company out of his dorm room and later sold a pro-wrestling fan Web site for $7 million.

He joined LifeChurch.tv in 2001 after playing keyboard in its house band. Since then, the church has allowed him to experiment without an eye to profit.

Mr. Gruenewald’s early efforts for LifeChurch.tv included a virtual church for the online Second Life community and a Google ad campaign to lure pornography consumers to the church instead. But then he had a critical insight: if the church wanted to attract younger people, it needed both to be technically advanced and to offer its resources free.

“We have a generation of people that can’t fathom paying 99 cents for a song that they love,” Mr. Gruenewald said, “and we were asking them to pay $20 for a book that they don’t understand.”

He made YouVersion available in 2008, as the first Bible in Apple’s App Store. That early release contained only a few translations, like the King James Version, mostly in the public domain. When he began trying to persuade traditional Bible publishers to enter licensing arrangements with him, he encountered suspicion.

“People would say: ‘If people read it on YouVersion and they’re not paying anything for it, what’s going to happen to my pew Bibles?’ ” said Mr. Dennis of Crossway. “‘What’s going to happen to the thinline Bible that people carry to church?’”

Adam Graber of Tyndale House, another publisher that provides translations for the app, expressed some reservations about YouVersion’s strong position in the market for Bible apps.

“One major player emerges, whether it’s Apple or Google or YouVersion,” he said. “It has its drawbacks in the sense that it gives people fewer options and it definitely consolidates power and kind of clumps that power into a few people’s hands.”

But Mr. Graber also said he saw benefits in being part of the app; he said he hoped readers who use his company’s translation would later buy additional print or digital editions.

He compared the relationship between YouVersion and traditional publishers to the “freemium” strategy common in mobile games where the core content is free, but extra features cost money. In this case, those extras are things like devotional Bibles, study Bibles or gold-embossed heirloom Bibles.

As YouVersion became increasingly popular, other publishers also came to view the app as a positive force — less a threat than a marketing opportunity. Although there are no ads on the app and no plans to create any, Mr. Gruenewald said, YouVersion collects vast amounts of data on Bible readership patterns. That trove of data provides valuable information about the habits and preferences of Christians that YouVersion selectively shares with its traditional publishing partners, such as which verses are the most popular within their own translations.

Today, the app contains everything from the New International Version to “The Message,” an ultramodern interpretation that reads like a juicy novel. It also includes the so-called Orthodox Jewish Bible, which was actually developed for a religious sect known as Messianic Jews, who believe that Jesus is the Messiah that the Jews await.

And it has become a platform for evangelical leaders like Rick Warren to reach millions of people with custom reading plans; the pastor Billy Graham is the most recent addition. On Sunday mornings, as pastors around the country preach from iPads while congregations click on Corinthians, YouVersion’s servers track more than 600,000 requests every minute.

And lately the church has fielded a variety of requests, including from a Christian music Web site, a major Hollywood movie studio and television producers like Mark Burnett and Roma Downey, who featured YouVersion alongside their biblical History Channel mini-series this year.

Scott Thumma, a professor at the Hartford Institute for Religion Research, who studies large American churches, said YouVersion filled a longstanding vacuum for technological products aimed at a religious market. He called LifeChurch.tv “the most innovative congregation in the country in developing and using technology.”

The app has gained appreciation in the tech world as well.

“This is a remarkable tech start-up by any measure,” said Chi-Hua Chien, a partner at the Silicon Valley venture capital firm Kleiner Perkins and a Christian who has offered informal advice to Mr. Gruenewald. He compared YouVersion with well-known ventures like Pinterest or Path.

“It is certainly going to be the most important distribution channel for anyone who is creating Christian faith content,” he said. “Where else can you go and reach 100 million people?”

    In the Beginning Was the Word; Now the Word Is on an App, NYT, 26.7.2013






For Developing World,

a Streamlined Facebook


July 21, 2013
The New York Times


MENLO PARK, Calif. — Facebook has been quietly working for more than two years on a project that is vital to expanding its base of 1.1 billion users: getting the social network onto the billions of cheap, simple “feature phones” that have largely disappeared in America and Europe but are still the norm in developing countries like India and Brazil.

Facebook soon plans to announce the first results of the initiative, which it calls Facebook for Every Phone: More than 100 million people, or roughly one out of eight of its mobile users worldwide, now regularly access the social network from more than 3,000 different models of feature phones, some costing as little as $20.

Many of those users, who rank among the world’s poorest people, pay little or nothing to download their Facebook news feeds and photos, with the data usage subsidized by phone carriers and manufacturers.

Facebook has only just begun to sell ads to these customers, so it makes no money from them yet. But the countries in which the simple phone software is doing the best — India, Indonesia, Mexico, Brazil and Vietnam — are among the fastest-growing markets for use of the Internet and social networks, according to the research firm eMarketer.

Like many other giants of the technology industry, Facebook is struggling with the seismic shift of its customers away from computers to mobile devices and the erosion of profit that can bring.

Last year, the company overhauled its apps for Apple iPhones and Android-based smartphones to improve mobile access while introducing new types of ads that nudge users to install a new game or other apps on their phones. But customer growth in developed markets like the United States has still slowed markedly because just about everyone who wants to be on Facebook has already joined the network.

Analysts say Facebook has a powerful opportunity to win the long-term loyalty of millions of new global users by giving them their first taste of the Internet through Facebook on a simple cellphone.

“In a lot of foreign markets, people think that the Internet is Facebook,” said Clark Fredricksen, a vice president at eMarketer.

Those users, Facebook hopes, will become more attractive to advertisers as their incomes grow and they gain broader access to the Web.

The feature phone project was driven by a small group of people who joined Facebook in 2011, when it purchased a start-up called Snaptu. The team had to re-engineer Facebook’s software to drastically shrink the amount of data sent over slow cellular networks. They also had to find a way to quickly display familiar Facebook features like chat and photos on phones with very basic computing power and low-resolution screens.

“We actually run the apps on our servers,” said Ran Makavy, who was chief executive of Snaptu and now runs Facebook’s feature phone project. “The result was something that looks almost like a smartphone app.”

The software has features that are common in more advanced versions of Facebook, including sticker-size emoticons in chat and Instagram-style filters to dress up photos. (Facebook for Every Phone can be used by feature phone customers anywhere, including those in the United States. It can be downloaded from Facebook using the phone’s mobile browser or obtained from app stores operated by the phone maker or independent companies like Getjar.)

Brian Blau, who studies consumer technologies at the research firm Gartner, said that given Facebook’s mission of linking the entire globe through its service, it needed to reach out to the least tech-savvy customers.

“They talk about socially connecting the world together,” he said. “They can’t do that until they connect people who don’t have smartphones or computers.”

To understand how far Facebook has come in its approach to mobile devices, consider this: until two years ago, the only way to sign up for the service was through a Web browser, which is much slower to use than an app. Facebook originally viewed phones as mostly useful for posting status updates, not as a primary way to access the service, said Javier Olivan, who heads Facebook’s growth team.

Eventually, the company realized that tens of millions of people in developing countries were eager to try Facebook but had no access to a computer, nor could they afford the $600 iPhones or $40-a-month data plans common in the developed world.

“It became very obvious that the next wave of users would come on mobile only,” Mr. Olivan said in an interview last week.

To go after those customers, Facebook spent a reported $70 million to buy Snaptu, an Israeli company that had begun to offer primitive versions of Facebook and other apps on simple cellphones.

The acquisition “unlocked an opportunity for us,” Mr. Olivan said.

From virtually no users on feature phones a couple of years ago, the company has grown to 100 million active users. Facebook declined to offer any specific predictions about the growth of its service on either smartphones or feature phones.

The immediate prospects of making money from feature phone users are modest. During the first quarter of this year, Facebook got only 24 percent of its $1.5 billion in revenue from outside of the United States, Canada and Europe. It is just beginning to ramp up its mobile advertising revenue, which was 30 percent of its overall global ad revenue in the first quarter. Those mobile ads are not as profitable as desktop ads, whose growth is flat.

The company will report its second-quarter earnings on Wednesday, but analysts expect that developed markets will be the biggest source of Facebook’s revenue and profit for a long time.

Still, there is a longer-term business opportunity, for both Facebook and its phone industry partners, as mobile usage grows in Asia, Latin America and Africa.

Facebook has struck promotional deals with phone makers like Nokia, which in May announced a $99 feature phone called the Asha 501 that includes free Facebook access for customers of certain carriers, including Bharti Airtel, which serves India and much of Africa.

The social network gets legions of new users from such deals, and the carriers and phone manufacturers hope that once customers get a taste of the Internet through Facebook, they will be willing to pay for more data access and better phones.

“It drives people to use data,” Mr. Makavy said.

Mr. Olivan said Facebook has found that many users of the feature phone software, despite slow and erratic data connections, are more engaged with the service than customers using iPhones on fast networks. That engagement might be attractive to advertisers.

The development of the feature phone technology, which is five to 10 times more efficient than Facebook’s smartphone apps, has paid other dividends, teaching the company how to improve the rest of its software.

“We’re working on bringing a lot of the ideas into smartphone apps,” Mr. Olivan said.

But Mr. Makavy says he sees a strong future for the feature phone version of Facebook. Even in places where sales of new feature phones are slowing, use of the mobile Internet on them is growing.

“Before, maybe 2 percent were connecting,” he said. “Now it’s like 25 percent. I think there is a pretty long runway still.”

    For Developing World, a Streamlined Facebook, NYT, 21.7.2013







Face a Rising Barrage of Cyberattacks


July 16, 2013
The New York Times


America’s research universities, among the most open and robust centers of information exchange in the world, are increasingly coming under cyberattack, most of it thought to be from China, with millions of hacking attempts weekly. Campuses are being forced to tighten security, constrict their culture of openness and try to determine what has been stolen.

University officials concede that some of the hacking attempts have succeeded. But they have declined to reveal specifics, other than those involving the theft of personal data like Social Security numbers. They acknowledge that they often do not learn of break-ins until much later, if ever, and that even after discovering the breaches they may not be able to tell what was taken.

Universities and their professors are awarded thousands of patents each year, some with vast potential value, in fields as disparate as prescription drugs, computer chips, fuel cells, aircraft and medical devices.

“The attacks are increasing exponentially, and so is the sophistication, and I think it’s outpaced our ability to respond,” said Rodney J. Petersen, who heads the cybersecurity program at Educause, a nonprofit alliance of schools and technology companies. “So everyone’s investing a lot more resources in detecting this, so we learn of even more incidents we wouldn’t have known about before.”

Tracy B. Mitrano, the director of information technology policy at Cornell University, said that detection was “probably our greatest area of concern, that the hackers’ ability to detect vulnerabilities and penetrate them without being detected has increased sharply.”

Like many of her counterparts, she said that while the largest number of attacks appeared to have originated in China, hackers have become adept at bouncing their work around the world. Officials do not know whether the hackers are private or governmental. A request for comment from the Chinese Embassy in Washington was not immediately answered.

Analysts can track where communications come from — a region, a service provider, sometimes even a user’s specific Internet address. But hackers often route their penetration attempts through multiple computers, even multiple countries, and the targeted organizations rarely go to the effort and expense — often fruitless — of trying to trace the origins. American government officials, security experts and university and corporate officials nonetheless say that China is clearly the leading source of efforts to steal information, but attributing individual attacks to specific people, groups or places is rare.

The increased threat of hacking has forced many universities to rethink the basic structure of their computer networks and their open style, though officials say they are resisting the temptation to create a fortress with high digital walls.

“A university environment is very different from a corporation or a government agency, because of the kind of openness and free flow of information you’re trying to promote,” said David J. Shaw, the chief information security officer at Purdue University. “The researchers want to collaborate with others, inside and outside the university, and to share their discoveries.”

Some universities no longer allow their professors to take laptops to certain countries, and that should be a standard practice, said James A. Lewis, a senior fellow at the Center for Strategic and International Studies, a policy group in Washington. “There are some countries, including China, where the minute you connect to a network, everything will be copied, or something will be planted on your computer in hopes that you’ll take that computer back home and connect to your home network, and then they’re in there,” he said. “Academics aren’t used to thinking that way.”

Bill Mellon of the University of Wisconsin said that when he set out to overhaul computer security recently, he was stunned by the sheer volume of hacking attempts.

“We get 90,000 to 100,000 attempts per day, from China alone, to penetrate our system,” said Mr. Mellon, the associate dean for research policy. “There are also a lot from Russia, and recently a lot from Vietnam, but it’s primarily China.”

Other universities report a similar number of attacks and say the figure is doubling every few years. What worries them most is the growing sophistication of the assault.

For corporations, cyberattacks have become a major concern, as they find evidence of persistent hacking by well-organized groups around the world — often suspected of being state-sponsored — that are looking to steal information that has commercial, political or national security value. The New York Times disclosed in January that hackers with possible links to the Chinese military had penetrated its computer systems, apparently looking for the sources of material embarrassing to China’s leaders.

This kind of industrial espionage has become a sticking point in United States-China relations, with the Obama administration complaining of organized cybertheft of trade secrets, and Chinese officials pointing to revelations of American spying.

Like major corporations, universities develop intellectual property that can turn into valuable products like prescription drugs or computer chips. But university systems are harder to secure, with thousands of students and staff members logging in with their own computers.

Mr. Shaw, of Purdue, said that he and many of his counterparts had accepted that the external shells of their systems must remain somewhat porous. The most sensitive data can be housed in the equivalent of smaller vaults that are harder to access and harder to move within, use data encryption, and sometimes are not even connected to the larger campus network, particularly when the work involves dangerous pathogens or research that could turn into weapons systems.

“It’s sort of the opposite of the corporate structure,” which is often tougher to enter but easier to navigate, said Paul Rivers, manager of system and network security at the University of California, Berkeley. “We treat the overall Berkeley network as just as hostile as the Internet outside.”

Berkeley’s cybersecurity budget, already in the millions of dollars, has doubled since last year, responding to what Larry Conrad, the associate vice chancellor and chief information officer, said were “millions of attempted break-ins every single week.”

Mr. Shaw, who arrived at Purdue last year, said, “I’ve had no resistance to any increased investment in security that I’ve advocated so far.” Mr. Mellon, at Wisconsin, said his university was spending more than $1 million to upgrade computer security in just one program, which works with infectious diseases.

Along with increased spending has come an array of policy changes, often after consultation with the F.B.I. Every research university contacted said it was in frequent contact with the bureau, which has programs specifically to advise universities on safeguarding data. The F.B.I. did not respond to requests to discuss those efforts.

Not all of the potential threats are digital. In April, a researcher from China who was working at the University of Wisconsin’s medical school was arrested and charged with trying to steal a cancer-fighting compound and related data.

Last year, Mr. Mellon said, Wisconsin began telling faculty members not to take their laptops and cellphones abroad, for fear of hacking. Most universities have not gone that far, but many say they have become more vigilant about urging professors to follow federal rules that prohibit taking some kinds of sensitive data out of the country, or have imposed their own restrictions, tighter than the government’s. Still others require that employees returning from abroad have their computers scrubbed by professionals.

That kind of precaution has been standard for some corporations and government agencies for a few years, but it is newer to academia.

Information officers say they have also learned the hard way that when a software publisher like Oracle or Microsoft announces that it has discovered a security vulnerability and has developed a “patch” to correct it, systems need to apply the patch right away. As soon as such a hole is disclosed, hacker groups begin designing programs to take advantage of it, hoping to release new attacks before people and organizations get around to installing the patch.

“The time between when a vulnerability is announced and when we see attempts to exploit it has become extremely small,” said Mr. Conrad, of Berkeley. “It’s days. Sometimes hours.”

    Universities Face a Rising Barrage of Cyberattacks, NYT, 16.7.2013






Offering Snowden Aid,

WikiLeaks Gets Back in the Game


June 23, 2013
The New York Times


WikiLeaks once again seized the global spotlight on Sunday by assisting Edward J. Snowden in his daring flight from Hong Kong, mounting a bold defense of the culture of national security disclosures that it has championed and that has bedeviled the United States and other governments.

Accompanying Mr. Snowden on the Aeroflot airliner that carried him on Sunday from Hong Kong to Moscow — continuing a global cat-and-mouse chase that might have been borrowed from a Hollywood screenplay — was a British WikiLeaks activist, Sarah Harrison. The group’s founder, Julian Assange, who has been given refuge for the last year in Ecuador’s embassy in London, met last week with Ecuador’s foreign minister to support Mr. Snowden’s asylum request. And Baltasar Garzón, the legal director of WikiLeaks and a former Spanish judge, is leading a volunteer legal team advising him on how to stay out of an American prison.

“Mr. Snowden requested our expertise and assistance,” Mr. Assange said in a telephone interview from London on Sunday night. “We’ve been involved in very similar legal and diplomatic and geopolitical struggles to preserve the organization and its ability to publish.”

By Mr. Assange’s account, the group helped obtain and deliver a special refugee travel document to Mr. Snowden in Hong Kong that, with his American passport revoked, may now be crucial in his bid to travel onward from Moscow.

More broadly, WikiLeaks brought to global attention the model that Mr. Snowden has wholeheartedly embraced: that of the conscience-stricken national security worker who takes his concerns not to his boss or other official channels but to the public.

The group’s assistance for Mr. Snowden shows that despite its shoestring staff, limited fund-raising from a boycott by major financial firms, and defections prompted by Mr. Assange’s personal troubles and abrasive style, it remains a force to be reckoned with on the global stage.

“As an act of international, quasi-diplomatic intrigue, it’s impressive,” Steven Aftergood, director of the Project on Government Secrecy at the Federation of American Scientists, said of WikiLeaks’ role in Mr. Snowden’s flight. “It’s an extraordinary turn of events.”

The antisecrecy advocates are themselves secretive — Mr. Assange said he could not reveal the number of paid staffers at WikiLeaks because of “assassination threats” or its budget because of the “banking blockade” — but the group has dedicated volunteers in several countries, notably Britain and Iceland, and a large number of supporters.

Since publishing the military and diplomatic documents in 2009 and 2010 that made it famous, the group has released several lower-profile collections: documents on commercial spying equipment; internal e-mails of an American security consulting company, Stratfor; millions of e-mails sent by Syrian government and business officials; and a library of cables to and from Henry Kissinger, the former secretary of state, though most of those were already public.

Mr. Assange said that WikiLeaks, which he started in 2006, has a “seven-year history of publishing documents from every country in the world.” He added: “We’ve documented hundreds of thousands of deaths and assassinations, billions of dollars of corruption. We’ve affected elections and prompted reforms.”

WikiLeaks played no role in Mr. Snowden’s disclosures of classified documents he took from his job as a National Security Agency contractor. But since joining forces with him, WikiLeaks has used his case to boost its profile; its Twitter feed on Sunday made an appeal for donations along with news about Mr. Snowden’s flight.

Even as Mr. Snowden’s odyssey continued, the source whose disclosures brought WikiLeaks to broad public attention, Pfc. Bradley Manning, was in a military cell in the fourth week of his court-martial at Fort Meade, Md. Private Manning, who became disillusioned as an intelligence analyst in Iraq, has admitted that he gave WikiLeaks roughly 700,000 confidential government documents. He faces a possible sentence of life in prison if convicted of charges that include espionage and aiding the enemy.

In a statement on Saturday, Mr. Assange suggested that President Obama was the real “traitor,” for betraying the hopes of a generation of idealists represented by both Private Manning and Mr. Snowden.

“They are young, technically minded people from the generation that Barack Obama betrayed,” Mr. Assange wrote on the WikiLeaks Web site. “They are the generation that grew up on the Internet, and were shaped by it. The U.S. government is always going to need intelligence analysts and systems administrators, and they are going to have to hire them from this generation and the ones that follow it.”

Mr. Assange added a warning to the government: “By trying to crush these young whistle-blowers with espionage charges, the U.S. government is taking on a generation, and that is a battle it is going to lose.”

The claim sounded like bravado. But Mr. Snowden is the seventh person to be prosecuted by the Obama administration in its unprecedented campaign against leaks. And while by many accounts the threat of prosecution has distinctly chilled conventional national security reporting, Mr. Snowden has said he was inspired to leak by several high-profile, self-described whistle-blowers who have faced criminal charges since 2010: Private Manning; Thomas Drake, a former N.S.A. official; and John Kiriakou, a former C.I.A. officer now serving a prison term.

Instead of waiting on American soil to be arrested, Mr. Snowden headed to Hong Kong before going public and sought help from WikiLeaks more than a week ago. Explaining his decision to leave the United States, he said in an online question-and-answer session with The Guardian that it made no sense to “volunteer” for prosecution at home “if you can do more good outside of prison than in it.”

Though in one initial comment Mr. Snowden appeared to distance himself from WikiLeaks and Private Manning — suggesting that he had deliberately been more selective in his leaks than the soldier had been — he later said that was a misimpression.

“WikiLeaks is a legitimate journalistic outlet,” he wrote on The Guardian site on June 17, “and they carefully redacted all of their releases in accordance with a judgment of public interest.” Diplomatic cables were later released without redactions, and Mr. Assange and a British journalist have disputed who was to blame, but claims that Private Manning was responsible were a “smear,” Mr. Snowden wrote.

Even among advocates of greater government openness, WikiLeaks evokes mixed feelings. Mr. Aftergood, of the Federation of American Scientists, called it “an adolescent phenomenon of rebellion against authority.”

“WikiLeaks and Mr. Snowden have elevated issues that have been neglected in public discourse,” he said. “But they don’t offer solutions to the problems they’ve raised.”

Yochai Benkler, a law professor at Harvard who has written extensively on WikiLeaks and is a possible defense witness at the Manning trial, said he found it “tragic” that the interaction of both WikiLeaks and Mr. Snowden with the United States government had become so adversarial. WikiLeaks began as an innovative media venture, he said, but the government’s overreaction has turned it into more of an activist venture.

“It was so easy to portray Assange as an unpleasant weirdo,” he said.

Mr. Benkler noted that a federal grand jury in Alexandria, Va., is believed to still be looking into the possibility of prosecuting WikiLeaks and Mr. Assange for publishing Private Manning’s leaked documents, a development he said would be dangerous to democracy.

Government employees who leak classified information may deserve modest penalties, he said, but the Obama administration needs to make clear that reporting or publishing classified information will not be prosecuted.

“It’s a big policy decision about relative threats: on the one hand, occasional leaks of classified information; on the other hand, shutting down the Fourth Estate’s oversight of national security,” Mr. Benkler said.

Mr. Assange, from his embassy lair, said the Obama administration appeared intent on criminalizing national security journalism but promised that WikiLeaks would keep revealing secrets. For naysayers who say that since 2010 the group has never come close to publishing anything with the impact of the Manning documents, he offered a riposte.

“As Joseph Heller said when people said he hadn’t published anything as good as ‘Catch 22’: ‘Neither has anyone else.’ ”

    Offering Snowden Aid, WikiLeaks Gets Back in the Game, NYT, 23.6.2013






Data Security Is a Classroom Worry, Too


June 22, 2013
The New York Times


LIKE many privacy-minded parents of elementary students, Tony Porterfield tries to keep close tabs on the personal information collected about his two sons. So when he heard that their school district in Los Altos, Calif., had adopted Edmodo, an online learning network connecting more than 20 million teachers and students around the world, he decided to check out the program.

Edmodo’s free software allows teachers to set up virtual classrooms where they can post homework assignments, give quizzes and use third-party apps to complement lessons. Students can create individual profiles, including their photograph and other details, within their teacher’s class and post comments to a communal class feed.

Mr. Porterfield, an engineer at Cisco Systems, examined Edmodo’s data security practices by registering himself on the site as a fictional home-school teacher. As he went about creating imaginary students — complete with cartoon avatars — for his fictitious class, however, he noticed that Edmodo did not encrypt user sessions using a standard encryption protocol called Secure Sockets Layer.

That cryptography system, called SSL for short and used by many online banking and e-commerce sites, protects people who log in to sites over an open Wi-Fi network — like the kind offered by many coffee shops — from strangers who might be using snooping software on the same network. (An “https” at the beginning of a URL indicates SSL encryption.)

Without that encryption, Mr. Porterfield says, he worried about the potential for a stranger to gain access to student information, and thus hypothetically be able to identify or even contact students.

To test this hypothesis, he used a computer on his home Wi-Fi network to log in as an imaginary student; then, using another computer, he installed free security auditing software, called Cookie Cadger, to spy on the student’s online activities. Though the risk of this happening with actual students seemed small — Edmodo and other companies say they have no evidence that this kind of breach has occurred — he contacted his school district about his concerns.

“There’s a lot of contextual information you could use to gain trust, to make yourself seem familiar to the child,” he says. “As a parent, that’s the scariest thing.”

In response to an inquiry from me last week, Sara Mandel, a spokeswoman for Edmodo, said the service provided “a safe alternative to open, consumer social networking sites” because students could participate only in groups created by their teachers and because teachers decided whether students could send private messages to one another.

She added that “any school that chooses” had been able to use a completely encrypted version of the site since 2011 and that the company “is working to ensure that all of our users are using an SSL-encrypted version.”

SCHOOL administrators and teachers said they liked these online learning systems because they could control the information that students might share.

“Kids can’t talk to each other. They can only speak to the group,” says Heather Peretz, a special-education teacher at Great Neck South Middle School in Great Neck, N.Y., who uses Edmodo in her English class. “It helps them learn to be good digital citizens so they are not making inappropriate posts.”

But as school districts rush to adopt learning-management systems, some privacy advocates warn that educators may be embracing the bells and whistles before mastering fundamentals like data security and privacy.

Although a federal law protecting children’s online privacy requires online services to take reasonable measures to secure personal information — like names and e-mail addresses — collected from children under 13, the law doesn’t specifically require SSL encryption. Yet school districts often issue only general notices about classroom technology, leaving many parents unaware of the practices of the online learning systems their children use. Moreover, schools often require online participation so students can gain access to course assignments or collaborate on projects.

“What we are finding with this type of database is that parents are uninformed,” says Khaliah Barnes, a lawyer at the Electronic Privacy Information Center. “Most don’t understand how the technology works.”

Online security experts have long warned consumers about unencrypted Web sites that collect personal details. That is because on open Wi-Fi networks, hackers using simple software programs can see and copy the unique code, called a session cookie, that servers issue to authenticate a person who has logged into a Web site. By replicating that cookie, a hacker can acquire the same privileges, like the ability to edit a profile or grade a quiz, of the authenticated user for that session.

To call attention to this risk, a software developer in 2010 released a free program called FireSheep that was capable of hijacking unencrypted sessions of people using open Wi-Fi. Early the next year, Facebook began rolling out full encryption. But, because that kind of cryptography requires more computing power, it can slow down sites and increase costs. That is why many sites — even some dating services that ask personal questions — remain largely unencrypted.

“It’s not good to trade performance for security when you are talking about people’s personal information,” says Michael Clarkson, an assistant professor of computer science at George Washington University who teaches an annual course on software security. “I can’t think of a good reason not to keep the entire session encrypted.”

Last fall, Mr. Porterfield, who was coaching his younger son’s soccer team, was asked by the league to use a free youth sports site provided by Shutterfly, a photo-sharing service, to post team rosters, player contact information, game locations and player photos. He discovered that the site was not fully encrypted — an issue reported in a May article in Mother Jones. (Last Friday, a spokeswoman for Shutterfly told me that the company planned to introduce full SSL encryption on its youth sports and other sites by the end of July.) It was this that made Mr. Porterfield curious about data security practices of K-12 online learning services and led him to set up imaginary classes on several sites.

One site was Schoology, a learning network used by more than two million students and teachers worldwide. Its privacy policy says it “uses industry standard SSL (secure socket layer) encryption to transfer private, personal information.”

Mr. Porterfield found that for the fictitious classroom he set up in May using Schoology’s free software, the login page did use SSL. But the profile pages that included students’ e-mail addresses, birth dates, phone numbers and home addresses were not protected.

To check Mr. Porterfield’s concerns, I asked Ashkan Soltani, an independent security analyst, to look at both Edmodo and Schoology. He found that each site’s login page was encrypted, but not student sessions themselves.

“Anyone at a local cafe with Wi-Fi will have access to the information that the student is viewing or transmitting,” he told me. “I would consider that potentially sensitive information from the perspective of parents.”

Full-session encryption may not have seemed so important several years ago, when students logged into the sites primarily on secure networks at school or at home. But now that so many students use mobile devices, learning networks say they are moving toward full encryption.

For individual teachers who wanted to set up online groups, for instance, Schoology until last week offered free software that encrypted login pages. For customers like school districts who paid for more comprehensive packages, the site offered the option of full-session encryption. Last Monday, Jeremy Friedman, the C.E.O. of Schoology, told me the company planned to switch to sitewide encryption by this fall. Last Thursday evening, he e-mailed with an update: the sitewide encryption had just been completed.

“Ultimately, we are all working toward the same thing — protecting student data and privacy,” Mr. Friedman said.

SCHOOLS are also developing methods to protect student data. The Palo Alto Unified School District in California uses Schoology as a clearinghouse for course assignments in its secondary schools and a couple of elementary schools. But administrators prevent students from entering personal data, like e-mail addresses, in their profiles. They encourage students to upload an avatar, not a photo of themselves. And the district doesn’t post grades on the site.

“We take security very seriously,” says Ann Dunkin, the school district’s chief technology officer, “and one way to take it seriously is to limit the amount of information students can put into the system.”

But Mr. Porterfield says schools, no matter their vigilance, should be transparent with parents about the potential risks of online learning networks.

“It’s not the school’s decision to make,” he said. “You should let the parents know.”

    Data Security Is a Classroom Worry, Too, NYT, 22.6.2013






The Banality of ‘Don’t Be Evil’


June 1, 2013
The New York Times


“THE New Digital Age” is a startlingly clear and provocative blueprint for technocratic imperialism, from two of its leading witch doctors, Eric Schmidt and Jared Cohen, who construct a new idiom for United States global power in the 21st century. This idiom reflects the ever closer union between the State Department and Silicon Valley, as personified by Mr. Schmidt, the executive chairman of Google, and Mr. Cohen, a former adviser to Condoleezza Rice and Hillary Clinton who is now director of Google Ideas.

The authors met in occupied Baghdad in 2009, when the book was conceived. Strolling among the ruins, the two became excited that consumer technology was transforming a society flattened by United States military occupation. They decided the tech industry could be a powerful agent of American foreign policy.

The book proselytizes the role of technology in reshaping the world’s people and nations into likenesses of the world’s dominant superpower, whether they want to be reshaped or not. The prose is terse, the argument confident and the wisdom — banal. But this isn’t a book designed to be read. It is a major declaration designed to foster alliances.

“The New Digital Age” is, beyond anything else, an attempt by Google to position itself as America’s geopolitical visionary — the one company that can answer the question “Where should America go?” It is not surprising that a respectable cast of the world’s most famous warmongers has been trotted out to give its stamp of approval to this enticement to Western soft power. The acknowledgments give pride of place to Henry Kissinger, who along with Tony Blair and the former C.I.A. director Michael Hayden provided advance praise for the book.

In the book the authors happily take up the white geek’s burden. A liberal sprinkling of convenient, hypothetical dark-skinned worthies appear: Congolese fisherwomen, graphic designers in Botswana, anticorruption activists in San Salvador and illiterate Masai cattle herders in the Serengeti are all obediently summoned to demonstrate the progressive properties of Google phones jacked into the informational supply chain of the Western empire.

The authors offer an expertly banalized version of tomorrow’s world: the gadgetry of decades hence is predicted to be much like what we have right now — only cooler. “Progress” is driven by the inexorable spread of American consumer technology over the surface of the earth. Already, every day, another million or so Google-run mobile devices are activated. Google will interpose itself, and hence the United States government, between the communications of every human being not in China (naughty China). Commodities just become more marvelous; young, urban professionals sleep, work and shop with greater ease and comfort; democracy is insidiously subverted by technologies of surveillance, and control is enthusiastically rebranded as “participation”; and our present world order of systematized domination, intimidation and oppression continues, unmentioned, unafflicted or only faintly perturbed.

The authors are sour about the Egyptian triumph of 2011. They dismiss the Egyptian youth witheringly, claiming that “the mix of activism and arrogance in young people is universal.” Digitally inspired mobs mean revolutions will be “easier to start” but “harder to finish.” Because of the absence of strong leaders, the result, or so Mr. Kissinger tells the authors, will be coalition governments that descend into autocracies. They say there will be “no more springs” (but China is on the ropes).

The authors fantasize about the future of “well resourced” revolutionary groups. A new “crop of consultants” will “use data to build and fine-tune a political figure.”

“His” speeches (the future isn’t all that different) and writing will be fed “through complex feature-extraction and trend-analysis software suites” while “mapping his brain function,” and other “sophisticated diagnostics” will be used to “assess the weak parts of his political repertoire.”

The book mirrors State Department institutional taboos and obsessions. It avoids meaningful criticism of Israel and Saudi Arabia. It pretends, quite extraordinarily, that the Latin American sovereignty movement, which has liberated so many from United States-backed plutocracies and dictatorships over the last 30 years, never happened. Referring instead to the region’s “aging leaders,” the book can’t see Latin America for Cuba. And, of course, the book frets theatrically over Washington’s favorite boogeymen: North Korea and Iran.

Google, which started out as an expression of independent Californian graduate student culture — a decent, humane and playful culture — has, as it encountered the big, bad world, thrown its lot in with traditional Washington power elements, from the State Department to the National Security Agency.

Despite accounting for an infinitesimal fraction of violent deaths globally, terrorism is a favorite brand in United States policy circles. This is a fetish that must also be catered to, and so “The Future of Terrorism” gets a whole chapter. The future of terrorism, we learn, is cyberterrorism. A session of indulgent scaremongering follows, including a breathless disaster-movie scenario, wherein cyberterrorists take control of American air-traffic control systems and send planes crashing into buildings, shutting down power grids and launching nuclear weapons. The authors then tar activists who engage in digital sit-ins with the same brush.

I have a very different perspective. The advance of information technology epitomized by Google heralds the death of privacy for most people and shifts the world toward authoritarianism. This is the principal thesis in my book, “Cypherpunks.” But while Mr. Schmidt and Mr. Cohen tell us that the death of privacy will aid governments in “repressive autocracies” in “targeting their citizens,” they also say governments in “open” democracies will see it as “a gift” enabling them to “better respond to citizen and customer concerns.” In reality, the erosion of individual privacy in the West and the attendant centralization of power make abuses inevitable, moving the “good” societies closer to the “bad” ones.

The section on “repressive autocracies” describes, disapprovingly, various repressive surveillance measures: legislation to insert back doors into software to enable spying on citizens, monitoring of social networks and the collection of intelligence on entire populations. All of these are already in widespread use in the United States. In fact, some of those measures — like the push to require every social-network profile to be linked to a real name — were spearheaded by Google itself.

THE writing is on the wall, but the authors cannot see it. They borrow from William Dobson the idea that the media, in an autocracy, “allows for an opposition press as long as regime opponents understand where the unspoken limits are.” But these trends are beginning to emerge in the United States. No one doubts the chilling effects of the investigations into The Associated Press and Fox’s James Rosen. But there has been little analysis of Google’s role in complying with the Rosen subpoena. I have personal experience of these trends.

The Department of Justice admitted in March that it was in its third year of a continuing criminal investigation of WikiLeaks. Court testimony states that its targets include “the founders, owners, or managers of WikiLeaks.” One alleged source, Bradley Manning, faces a 12-week trial beginning tomorrow, with 24 prosecution witnesses expected to testify in secret.

This book is a balefully seminal work in which neither author has the language to see, much less to express, the titanic centralizing evil they are constructing. “What Lockheed Martin was to the 20th century,” they tell us, “technology and cybersecurity companies will be to the 21st.” Without even understanding how, they have updated and seamlessly implemented George Orwell’s prophecy. If you want a vision of the future, imagine Washington-backed Google Glasses strapped onto vacant human faces — forever. Zealots of the cult of consumer technology will find little to inspire them here, not that they ever seem to need it. But this is essential reading for anyone caught up in the struggle for the future, in view of one simple imperative: Know your enemy.


Julian Assange is the editor in chief of WikiLeaks

and author of “Cypherpunks:

Freedom and the Future of the Internet.”

    The Banality of ‘Don’t Be Evil’, NYT, 1.6.2013,






An Elizabethan Cyberwar


May 31, 2013
The New York Times


NEW HAVEN — AS Barack Obama and China’s president, Xi Jinping, prepare to meet in California next week, America’s relations with China are feeling increasingly like the cold war — especially when it comes to cybersecurity.

With the two countries accusing each other of breaking the old rules of the game, a new breed of “cyberhawks” on both sides are arguing for cold-war-like escalation that could turn low-level cyberconflict into total war.

But treating today’s Beijing like Brezhnev’s Moscow distorts the nature of the threat and how Washington should respond to it.

In confronting today’s cyberbattles, the United States should think less about Soviets and more about pirates. Indeed, today’s cybercompetition is less like the cold war than the battle for the New World.

In the era after the discovery of the Americas, European states fought for mastery over the Atlantic. Much like the Internet today, the ocean then was a primary avenue for trade and communication that no country could cordon off.

At that time, the Spanish empire boasted a fearsome navy, but it could not dominate the seas. Poorer and weaker England tested Spain’s might by encouraging and equipping would-be pirates to act on its behalf without official sanction. These semi-state-sponsored privateers robbed Spain of gold and pride as they raided ships off the coasts of the New World and Spain itself, enriching the English crown while augmenting its naval power. Spain’s inability to attribute the attacks directly to England allowed Queen Elizabeth I to level the playing field in an arena lacking laws or customs.

Today’s cyberbattles aren’t so different.

Next week’s summit takes place amid reports of increasingly sophisticated Chinese cyberespionage. Earlier this week, evidence surfaced that Chinese hackers had gained access to several top-secret Pentagon programs. That followed news that cyberunits believed to be linked to the Chinese Army have resumed attacks on American businesses and government agencies.

As tensions deepen, hawkish Chinese military leaders are paving the way for offensive war. A study by a RAND Corporation expert cited Chinese sources calling for pre-emptive cyberstrikes “under the rubric of the rising Chinese strategy of xianfa zhiren, or ‘gaining mastery before the enemy has struck.’ ” And a recent paper found that Chinese military officials have contemplated using cyberweapons like Stuxnet, which the United States and Israel deployed against Iran’s nuclear program, to target critical infrastructure.

American policy makers are beginning to view their cyberstruggle with China through a cold war lens. One Pentagon official recently said that while during the cold war America focused “on the nuclear command centers around Moscow,” today American leaders “worry as much about the computer servers in Shanghai.”

Another senior official declared that “the Cold War enforced norms, and the Soviets and the United States didn’t go outside a set of boundaries.” But, he argued, “China is going outside those boundaries now.”

Among those who view these hostilities as the cold war redux, some are proposing a more strident response. Earlier this year, the United States military announced the formation of 13 units dedicated to offensive cyberstrikes and endorsed pre-emptive cyberattacks. And late last month, Jon M. Huntsman Jr., the former ambassador to China, and Dennis C. Blair, the former director of national intelligence, suggested allowing American companies to retaliate against Chinese hackers on their own.

This emergence of cyberhawks in both nations raises the odds of a hack’s becoming a cyberwar. These voices could pressure both nations to treat any escalating cyberconflict as a latter-day Cuban missile crisis.

But the cold war model of a struggle with calibrated boundaries, clear rules, and the threat of mutual assured destruction simply doesn’t fit cyberspace.

The first major difference is terrain. The United States and the Soviet Union fought for global influence, manning divisions here and infiltrating covert operatives there. The Internet is more fluid. Neither the United States nor China can slice cyberspace into the reassuring structure of spheres of influence. With no obvious borders for states to violate or defend, power in cyberspace is at once easier to exercise and harder to maintain, a battle of subtleties rather than hard-nosed deterrence.

There are also more players today. The United States and the Soviet Union were the world’s unmatched nuclear powers. But in the cyberrealm, the United States and China stand only just ahead of other nations, hacker groups and individuals in their ability to inflict damage. And all of these actors can hide behind layers of networks and third parties, making it difficult to discover not only who attacked but also how and when. There will, in most cases, be plausible deniability. Even if American and Chinese policy makers wanted to manage the Web as carefully as their predecessors did the cold war, no working group could tame this instability.

With nations still navigating how to interact on the Web and arguments persisting about whether international law applies to the Internet, there are few established customs of cyberbehavior, legal or implicit. The United States should not expect China to follow the rules of a previous era. The norms of American-Soviet conflict, which themselves emerged out of years of gunpoint diplomacy, can’t be grafted onto cyberspace.

If American policy makers continue to define the cyberstruggle between Washington and Beijing as a new cold war, they will not meet the challenge. Viewing China’s actions through an obsolete lens will give them a distorted sense of its intentions. And it will limit American retaliation to the outmoded rules of a bygone battle.

If they must look to the past, they should heed the lessons of the 16th century, not the 20th. In 1588, the Spanish crown, in no small part due to its frustration with English piracy, resorted to massive retaliation, sending its armada to overthrow Queen Elizabeth. That move ended in disaster and an overwhelming English victory.

Instead of trying to beat back the New World instability of the Internet with an old playbook, American officials should embrace it. With the conflict placed in its proper perspective, policy makers could ratchet down the rhetoric and experiment with a new range of responses that go beyond condemnation but stop short of all-out cyberwar — giving them the room to maneuver without approaching cyberconflict as a path to Defcon 1.

In these legally uncharted waters, only Elizabethan guile, not cold war brinkmanship, will steer Washington through the storm.


Jordan Chandler Hirsch,

a former staff editor at Foreign Affairs,

and Sam Adelsberg,

a fellow at the Yale Information Society Project,

are students at Yale Law School.

    An Elizabethan Cyberwar, NYT, 31.5.2013,






Facebook Says It Failed

to Bar Posts With Hate Speech


May 28, 2013
The New York Times


Facebook on Tuesday acknowledged that its systems to identify and remove hate speech had not worked effectively, as it faced pressure from feminist groups that want the site to ban pages that glorify violence against women.

The activists, who sent more than 5,000 e-mails to Facebook’s advertisers and elicited more than 60,000 posts on Twitter, also prompted Nissan and more than a dozen smaller companies to say that they would withdraw advertising from the site.

In a blog post, Facebook said its “systems to identify and remove hate speech have failed to work as effectively as we would like, particularly around issues of gender-based hate.” The company said it would review how it dealt with such content, update training for its employees, increase accountability — including requiring that users use their real identities when creating content — and establish more direct lines of communication with women’s groups and other entities.

Women’s groups have complained to Facebook about misogynous content in the past, but pressure on the company escalated last week when a collective led by Women, Action and the Media; Laura Bates of the Everyday Sexism Project; and Soraya Chemaly, a writer and activist, published an open letter asking Facebook executives to “ban gender-based hate speech on your site.”

The letter highlighted Facebook pages with names like “Violently Raping Your Friend Just for Laughs” and “Kicking your Girlfriend in the Fanny because she won’t make you a Sandwich,” and other pages that included graphic images of women being abused.

The groups asked Facebook to improve how it trains moderators to recognize and remove such content. They also asked Facebook users to use the Twitter hashtag #FBrape to call on companies to stop advertising on Facebook if their ads have been placed alongside such content. A petition on the site change.org had almost 224,000 supporters by Tuesday evening.

“We thought that advertisers would be the most effective way of getting Facebook’s attention,” said Jaclyn Friedman, the executive director of Women, Action and the Media. “We had no idea that it would blow up this big. I think people have been frustrated with this issue for so long and feeling like they had no way for Facebook to pay attention to them. As consumers we do have a lot of power.”

David Reuter, a spokesman for Nissan, said in an interview on Tuesday that the automaker has stopped all advertising on Facebook until it could assure Nissan that its ads would not appear on pages with offensive content.

Nissan typically buys Facebook advertisements that target particular demographic groups, like men age 30 to 35, Mr. Reuter said. In Facebook’s system, those ads follow the users onto whatever pages they visit, potentially including those with offensive content.

“We are working with Facebook to understand this situation better and opt out of advertising on any pages that are offensive,” he said.

While more than a dozen smaller advertisers like Down Easy Brewing and eReader Utopia had agreed by Tuesday to remove their ads from Facebook, other major advertisers, including Zappos, Dove and American Express, stopped short of withdrawing their ads. Those companies did, however, issue responses through Facebook, e-mail or Twitter that they did not condone violence against women.

Dove, a beauty brand that has a campaign that focuses on “real beauty,” has come under intense pressure because of its marketing focus on women, Ms. Friedman said. One commenter on the Dove Facebook page wrote: “So, Dove, you’re willing to make money off of us, but not willing to lift a finger to let Facebook know violence against women isn’t acceptable?”

Representatives for Dove did not respond to requests for an interview, nor did representatives for Zappos or American Express.

Stacy Janicki, a senior partner and director of accounts at the advertising agency Carmichael Lynch, called Facebook’s response on Tuesday “a bit of a cop-out.”

“I think advertisers have a responsibility to consumers and media companies have a responsibility to advertisers to make sure they control the content on those sites,” Ms. Janicki said, adding that as Facebook and other social media companies seek to secure more advertising dollars, advertisers will have the power to walk away from content that does not represent them well.

“That’s the power and the curse of social media,” she said. “You can put anything on there, but the benefit is that you can elevate it and scale it to where advertisers will listen and ultimately Facebook will listen.”


Vindu Goel contributed reporting.



This article has been revised to reflect the following correction:

Correction: May 28, 2013

An earlier version of this article referred incorrectly to the person who commented on the power of advertisers in social media. It was Stacy Janicki, of the advertising agency Carmichael Lynch, who said, “I think advertisers have a responsibility to consumers, and media companies have a responsibility to advertisers to make sure they control the content on those sites.” It was not “Ms. Lynch.” (No “Ms. Lynch” was quoted in the article.)

    Facebook Says It Failed to Bar Posts With Hate Speech, NYT, 29.5.2013,







Bequeathing the Keys to Your Digital Afterlife


May 25, 2013
The New York Times


IT’S tough enough to write an ordinary will, deciding how to pass along worldly goods like your savings, your real estate and that treasured rocking chair from Aunt Martha in the living room.

But you may want to provide for your virtual goods, too. Who gets the photographs and the e-mail stored online, the contents of a Facebook account, or that digital sword won in an online game?

These things can be important to the people you leave behind.

“Digital assets have value, sometimes sentimental, and sometimes commercial, just like a boxful of jewelry,” said John M. Riccione, a lawyer at Aronberg Goldgehn Davis & Garmisa in Chicago. “There can be painful legal and emotional issues for relatives unless you decide how to handle your electronic possessions in your estate planning.”

Many services and programs have sprung up to help people prepare for what happens after their last login.

Google has a program called Inactive Account Manager, introduced in April, that lets those who use Google services decide exactly how they want to deal with the data they’ve stored online with the company — from Gmail and Picasa photo albums to publicly shared data like YouTube videos and blogs.

The process is straightforward. First go to google.com/settings/account. Then look for “account management” and then “control what happens to your account when you stop using Google.” Click on “Learn more and go to setup.” Then let Google know the people you want to be notified when the company deactivates the account; you’re allowed up to 10 names. You choose when you want Google to end your account — for example, after three, six or nine months of electronic silence (or even 12 months, if you’ve decided to take a yearlong trip down the Amazon).

Google has ways to make sure that your electronic pulse has really gone silent; it checks for traces of your online self, for example, by way of Android check-ins, Gmail activity and Web history. Then, a month before it pulls the plug, Google alerts you by text and e-mail, just in case you’re still there. If silence has indeed fallen, Google notifies your beneficiaries and provides links they can follow to download the photographs, videos, documents or other data left to them, said Nadja Blagojevic, a Google manager.

And if you just want to say goodbye to everything, with no bequests, you can instruct Google to delete all of the information in your account.

Naomi R. Cahn, a professor of law at George Washington University Law School in Washington, says Google’s new program is a step forward in digital estate planning. “People should carefully consider the fate of their online presences once they are no longer able to manage them,” she said.

Other companies may also be of help in planning your digital legacy. Many services offer online safe deposit boxes, for example, where you can stow away the passwords to e-mail accounts and other data. Accounts like this at SecureSafe are free for up to 50 passwords, 10 megabytes of storage and one beneficiary, said Andreas Jacob, a co-founder. Accounts can be accessed from a browser, or from free iPhone, iPad and Android apps. The company also offers premium services for those who need a larger storage space, more passwords or more beneficiaries.

There is always your sock drawer or another physical repository to store a list of your user ID’s, should you be deterred from online lockboxes by fear of cyberattacks or the risk that computer servers may not be there in a few decades, said Alexandra Gerson, a lawyer at Helsell Fetterman in Seattle.

“Make a private list of all your user names and passwords for all the accounts in which you have a digital presence, and make sure you update the list if you change login information,” Ms. Gerson said. “Don’t put user names and passwords in your will, though, as it becomes a public record when you die.”

Make sure that your executor or personal representative understands the importance of preserving these digital assets, and knows how to find them, said Laura Hoexter, a lawyer at Helsell who also works on inheritance issues. “Preferably the person should be tech-savvy,” she said, and know about your online game accounts, your PayPal account, your online presence on photo storage sites, social media accounts and blogs, and even your online shopping accounts where your credit card information is stored so that the information can be deleted.

AFTER you die, an executor or agent can contact Facebook and other social media sites, establish his or her authority to administer the estate, and request the contents of the account.

“Most accounts won’t give you the user name and password, but they will release the contents of the account such as photographs and posts” to an executor, Ms. Hoexter said.

Transfer at death can depend on the company’s terms of service, copyright law and whether the file is encrypted in ways that limit the ability to freely copy and transfer it. Rights to digital contents bought on Google Play, for example, end upon the person’s death. “There is currently no way of assigning them to others after the user’s death,” Ms. Blagojevic said.

Encryption is a common constraint, but there are exceptions. Apple’s iTunes store, for example, has long removed its anti-copying restrictions on the songs sold there, and Ms. Gerson advises people to take advantage of this in their digital planning. “Get your music backed up on your computer,” she said.

Up to five computers can be authorized to play purchases made with one iTunes account, and a company support representative advises that users make sure that their heirs have access. At Kindle, too, family members with user ID information for the account can access the digital content.

Professor Cahn in Washington says the time to prepare for the digital hereafter is now, particularly if serious illness is a factor. “If someone is terminally ill,” she said, “in addition to getting emotional and financial issues in order, you need to get your Internet house in order.”

    Bequeathing the Keys to Your Digital Afterlife, NYT, 25.5.2013,






The 1 Percent Are Only Half the Problem


Opinionator - A Gathering of Opinion From Around the Web

May 18, 2013, 12:04 pm
The New York Times


Most recent discussion about economic inequality in the United States has focused on the top 1 percent of the nation’s income distribution, a group whose incomes average $1 million (with a bottom threshold of about $367,000). “We are the 99 percent,” declared the Occupy protesters, unexpectedly popularizing research findings by two economists, Thomas Piketty and Emmanuel Saez, that had previously drawn attention mainly from academics. But the gap between the 1 percent and the 99 percent is only half the story.

Granted, it’s an important half. Since 1979, the one-percenters have doubled their share of the nation’s collective income from about 10 percent to about 20 percent. And between 2009, when the Great Recession ended, and 2011, the one-percenters saw their average income rise by 11 percent even as the 99-percenters saw theirs fall slightly. Some recovery!

This dismal litany invites the conclusion that if we would just put a tight enough choke chain on the 1 percent, then we’d solve the problem of income inequality. But alas, that isn’t true, because it wouldn’t address the other half of the story: the rise of the educated class.

Since 1979 the income gap between people with college or graduate degrees and people whose education ended in high school has grown. Broadly speaking, this is a gap between working-class families in the middle 20 percent (with incomes roughly between $39,000 and $62,000) and affluent-to-rich families (say, the top 10 percent, with incomes exceeding $111,000). This skills-based gap is the inequality most Americans see in their everyday lives.

Conservatives don’t typically like to talk about income inequality. It stirs up uncomfortable questions about economic fairness. (That’s why as a candidate Mitt Romney told a TV interviewer that inequality was best discussed in “quiet rooms.”) On those rare occasions when conservatives do bring it up, it’s the skills-based gap that usually draws their attention, because it offers an opportunity to criticize our government-run system of public education and especially teachers’ unions.

Liberals resist talking about the skills-based gap because they don’t want to tell the working classes that they’re losing ground because they didn’t study hard enough. Liberals prefer to focus on the 1 percent-based gap. Conceiving of inequality as something caused by the very richest people has obvious political appeal, especially since (by definition) nearly all of us belong to the 99 percent. There’s also a pleasing simplicity to the causes of the growing gap between the 1 and the 99. There are only two, and both are familiar liberal targets: the rise of a deregulated financial sector and the erosion of accountability in compensating top executives outside finance. (The cohort most reflective of these trends is actually the top 0.1 percent, who make $1.6 million or more, but let’s not quibble.)

Both halves of the inequality story should command our attention, because both represent a dramatic reversal of economic trends that prevailed in the United States for most of the 20th century. From the 1930s through the 1970s the 1 percent saw its share of national income decline, while the “college premium” either fell or followed no clear up-or-down pattern over time.

At least some of the tools to restore these more egalitarian trends shouldn’t be divisive ideologically. Liberals and conservatives both recognize the benefits of preschool education, which President Obama has proposed making universally available. I’ve never met an affluent 4-year-old who wasn’t enrolled in preschool, but nationwide about one-third of kids that age aren’t.

Another reform both conservatives and liberals have supported — though at different times — is withholding federal aid from colleges and universities that can’t control tuition increases. Mr. Obama proposed it in his last two State of the Union addresses; House Speaker John A. Boehner was a sponsor of a bill to do the same in 2003.

THERE is also more bipartisan support than you might suppose for restricting some of the Wall Street excesses that enrich the 1 percent. The impetus to do so isn’t inequality so much as fear that an out-of-control banking sector will once again create economic crisis and compel Congress to bail out the big banks. Congressional Republicans have been blocking proper implementation of the Dodd-Frank financial reforms, but a growing chorus of conservative voices, including the columnist George F. Will, the former Utah governor Jon M. Huntsman Jr. and Richard W. Fisher, president of the Federal Reserve Bank of Dallas, favor breaking up the big banks. Senators David Vitter, Republican of Louisiana, and Sherrod Brown, Democrat of Ohio, have sponsored a bill to require the largest banks to hold more capital reserves, or become smaller.

One reason the left plays down the growing skills-based gap is that it accepts at face value the conservative claim that educational failure is its root cause. But the decline of labor unions is just as important. At one time union membership was highly effective at reducing or eliminating the wage gap between college and high school graduates. That’s much less true today. Only about 7 percent of the private-sector labor force is covered by union contracts, about the same proportion as before the New Deal. Six decades ago it was nearly 40 percent.

The decline of labor unions is what connects the skills-based gap to the 1 percent-based gap. Although conservatives often insist that the 1 percent’s richesse doesn’t come out of the pockets of the 99 percent, that assertion ignores the fact that labor’s share of gross domestic product is shrinking while capital’s share is growing. Since 1979, except for a brief period during the tech boom of the late 1990s, labor’s share of corporate income has fallen. Pension funds have blurred somewhat the venerable distinction between capital and labor. But that’s easy to exaggerate, since only about one-sixth of all households own stocks whose value exceeds $7,000. According to the left-leaning Economic Policy Institute, the G.D.P. shift from labor to capital explains fully one-third of the 1 percent’s run-up in its share of national income. It couldn’t have happened if private-sector unionism had remained strong.

Reviving labor unions is, sadly, anathema to the right; even many mainstream liberals resist the idea. But if economic growth depends on rewarding effort, we should all worry that the middle classes aren’t getting pay increases commensurate with the wealth they create for their bosses. Bosses aren’t going to fix this problem. That’s the job of unions, and finding ways to rebuild them is liberalism’s most challenging task. A bipartisan effort to revive the labor movement is hardly likely, but halting inequality’s growth will depend, at the very least, on liberals and conservatives better understanding each other’s definition of where the problem lies.


Timothy Noah is the author

of “The Great Divergence:

America’s Growing Inequality Crisis

And What We Can Do About It.”

    The 1 Percent Are Only Half the Problem, NYT, 18.5.2013,






Chinese Hackers

Resume Attacks on U.S. Targets


May 19, 2013
The New York Times


WASHINGTON — Three months after hackers working for a cyberunit of China’s People’s Liberation Army went silent amid evidence that they had stolen data from scores of American companies and government agencies, they appear to have resumed their attacks using different techniques, according to computer industry security experts and American officials.

The Obama administration had bet that “naming and shaming” the groups, first in industry reports and then in the Pentagon’s own detailed survey of Chinese military capabilities, might prompt China’s new leadership to crack down on the military’s highly organized team of hackers — or at least urge them to become more subtle.

But Unit 61398, whose well-guarded 12-story white headquarters on the edges of Shanghai became the symbol of Chinese cyberpower, is back in business, according to American officials and security companies.

It is not clear precisely who has been affected by the latest attacks. Mandiant, a private security company that helps companies and government agencies defend themselves from hackers, said the attacks had resumed but would not identify the targets, citing agreements with its clients. But it did say the victims were many of the same ones the unit had attacked before.

The hackers were behind scores of thefts of intellectual property and government documents over the past five years, according to a report by Mandiant in February that was confirmed by American officials. They have stolen product blueprints, manufacturing plans, clinical trial results, pricing documents, negotiation strategies and other proprietary information from more than 100 of Mandiant’s clients, predominantly in the United States.

According to security experts, the cyberunit was responsible for a 2009 attack on the Coca-Cola Company that coincided with its failed attempt to acquire the China Huiyuan Juice Group. In 2011, it attacked RSA, a maker of data security products used by American government agencies and defense contractors, and used the information it collected from that attack to break into the computer systems of Lockheed Martin, the aerospace contractor.

More recently, security experts said, the group took aim at companies with access to the nation’s power grid. Last September, it broke into the Canadian arm of Telvent, now Schneider Electric, which keeps detailed blueprints on more than half the oil and gas pipelines in North America.

Representatives of Coca-Cola and Schneider Electric did not return requests for comment on Sunday. A Lockheed Martin spokesman said the company declined to comment.

In interviews, Obama administration officials said they were not surprised by the resumption of the hacking activity. One senior official said Friday that “this is something we are going to have to come back at time and again with the Chinese leadership,” who, he said, “have to be convinced there is a real cost to this kind of activity.”

Mandiant said that the Chinese hackers had stopped their attacks after they were exposed in February and removed their spying tools from the organizations they had infiltrated. But over the past two months, they have gradually begun attacking the same victims from new servers and have reinserted many of the tools that enable them to seek out data without detection. They are now operating at 60 percent to 70 percent of the level they were working at before, according to a study by Mandiant requested by The New York Times.

The Times hired Mandiant to investigate an attack that originated in China on its news operations last fall. Mandiant is not currently working for The New York Times Company.

Mandiant’s findings match those of Crowdstrike, another security company that has also been tracking the group. Adam Meyers, director of intelligence at Crowdstrike, said that apart from a few minor changes in tactics, it was “business as usual” for the Chinese hackers.

The subject of Chinese attacks is expected to be a central issue in an upcoming visit to China by President Obama’s national security adviser, Thomas Donilon, who has said that dealing with China’s actions in cyberspace is now moving to the center of the complex security and economic relationship between the two countries.

But hopes for progress on the issue are limited. When the Pentagon released its report this month officially identifying the Chinese military as the source of years of attacks, the Chinese Foreign Ministry denied the accusation, and People’s Daily, which reflects the views of the Communist Party, called the United States “the real ‘hacking empire,’ ” saying it “has continued to strengthen its network tools for political subversion against other countries.” Other Chinese organizations and scholars cited American and Israeli cyberattacks on Iran’s nuclear facilities as evidence of American hypocrisy.

At the White House, Caitlin Hayden, the spokeswoman for the National Security Council, said Sunday that “what we have been seeking from China is for it to investigate our concerns and to start a dialogue with us on cyberissues.” She noted that China “agreed last month to start a new working group,” and that the administration hoped to win “longer-term changes in China’s behavior, including by working together to establish norms against the theft of trade secrets and confidential business information.”

In a report to be issued Wednesday, a private task force led by Mr. Obama’s former director of national intelligence, Dennis C. Blair, and his former ambassador to China, Jon M. Huntsman Jr., lays out a series of proposed executive actions and Congressional legislation intended to raise the stakes for China.

“Jawboning alone won’t work,” Mr. Blair said Saturday. “Something has to change China’s calculus.”

The exposure of Unit 61398’s actions, which have long been well known to American intelligence agencies, did not accomplish that task.

One day after Mandiant and the United States government revealed the P.L.A. unit as the culprit behind hundreds of attacks on agencies and companies, the unit began a haphazard cleanup operation, Mandiant said.

Attack tools were unplugged from victims’ systems. Command and control servers went silent. And of the 3,000 technical indicators Mandiant identified in its initial report, only a sliver kept operating. Some of the unit’s most visible operatives, hackers with names like “DOTA,” “SuperHard” and “UglyGorilla,” disappeared, as cybersleuths scoured the Internet for clues to their real identities.

In the case of UglyGorilla, Web sleuths found digital evidence that linked him to a Chinese national named Wang Dong, who kept a blog about his experience as a P.L.A. hacker from 2006 to 2009, in which he lamented his low pay, long hours and instant ramen meals.

But in the weeks that followed, the group picked up where it had left off. From its Shanghai headquarters, the unit’s hackers set up new beachheads from compromised computers all over the world, many of them small Internet service providers and mom-and-pop shops whose owners do not realize that by failing to rigorously apply software patches for known threats, they are enabling state-sponsored espionage.

“They dialed it back for a little while, though other groups that also wear uniforms didn’t even bother to do that,” Kevin Mandia, the chief executive of Mandiant, said in an interview on Friday. “I think you have to view this as the new normal.”

The hackers now use the same malicious software they used to break into the same organizations in the past, only with minor modifications to the code.

While American officials and corporate executives say they are trying to persuade President Xi Jinping’s government that a pattern of theft by the P.L.A. will damage China’s growth prospects — and the willingness of companies to invest in China — their longer-term concern is that China may be trying to establish a new set of rules for Internet commerce, with more censorship and fewer penalties for the theft of intellectual property.

Eric Schmidt, the chairman of Google, said Friday that while there was evidence that inside China many citizens are using the Web to pressure the government to clean up industrial hazards or to complain about corruption, “so far there is no positive data on China’s dealings with the rest of the world” on cyberissues.

Google largely pulled out of China after repeated attacks on its systems in 2009 and 2010, and now has its Chinese operations in Hong Kong. But it remains, Mr. Schmidt said, a constant target for Chinese cyberattackers.


David E. Sanger reported from Washington, and Nicole Perlroth from San Francisco.

    Chinese Hackers Resume Attacks on U.S. Targets, NYT, 19.5.2013,






Times Site Is Attacked by Hackers


May 17, 2013
The New York Times


The New York Times Company was a victim of online attacks earlier this week that slowed down The New York Times Web site and limited access to articles and other types of content.

According to Danielle Rhoades Ha, a company spokeswoman, the Web site became unavailable to “a small number of users” after a denial-of-service attack, a tactic used by hackers to slow or halt Web traffic by bombarding a host site with requests for information. She added that the company did not “have confirmation on who is responsible for the most recent attacks on nytimes.com.”

The announcement follows attacks that were made on The Times’s site late last year. In January, the newspaper announced that its computer systems had been infiltrated by Chinese hackers who found passwords for reporters and other employees. The attacks took place as The Times investigated the relatives of Wen Jiabao, China’s prime minister, and how they had built up a multibillion-dollar fortune during his political tenure. David Barboza, the author of the article, won a Pulitzer Prize.

Attacks on media organizations are not unique to The Times. Shortly after the January announcement by The Times, officials at The Wall Street Journal and The Washington Post also reported that their Web sites had been attacked by Chinese hackers. On Friday, the Syrian Electronic Army said it had hacked the Web site and several Twitter accounts that belonged to The Financial Times. In the past, it has attacked other media companies, including The Associated Press and The Onion.

    Times Site Is Attacked by Hackers, NYT, 17.5.2013,






Hunting for Syrian Hackers’

Chain of Command


May 17, 2013
The New York Times


It’s the question of the moment inside the murky realm of cybersecurity: Just who — or what — is the Syrian Electronic Army?

The hacking group that calls itself the S.E.A. struck again on Friday, this time breaking into the Twitter accounts and blog headlines of The Financial Times. The attack was part of a crusade that has targeted dozens of media outlets as varied as The Associated Press and The Onion, the parody news site.

But just who is behind the S.E.A.’s cybervandalism remains a mystery. Paralleling the group’s boisterous, pro-Syrian government activity has been a much quieter Internet surveillance campaign aimed at revealing the identities, activities and whereabouts of the Syrian rebels fighting the government of President Bashar al-Assad.

Now sleuths are trying to figure out how much overlap there is between the rowdy pranks playing out on Twitter and the silent spying that also increasingly includes the monitoring of foreign aid workers. It’s a high-stakes search. If researchers prove the Assad regime is closely tied to the group, foreign governments may choose to respond because the attacks have real-world consequences. The S.E.A. nearly crashed the stock market, for example, by planting false tales of White House explosions in a recent hijacking of The A.P.’s Twitter feed.

The mystery is made more curious by the belief among researchers that the hackers currently parading as the S.E.A. are not the same people who started the pro-Assad campaign two years ago.

Experts say the Assad regime benefits from the ambiguity. “They have created extra space between themselves and international law and international opinion,” said James A. Lewis, a security expert with the Center for Strategic and International Studies.

The S.E.A. emerged during the Syrian uprisings in May 2011, they said, to offer a pro-Assad counternarrative to news coming out of Syria. In speeches, Mr. Assad likened the S.E.A. to the government’s own online security corps, referring to the group as “a real army in a virtual reality.”

In its early incarnation, researchers said, the S.E.A. had a clearly defined hierarchy, with leaders, technical experts, a media arm and hundreds of volunteers. Several early members belonged to the Syrian Computer Society, a technical organization run by Mr. Assad before he became president. Until last month, digital records suggest, the Syrian Computer Society still ran much of the S.E.A.’s infrastructure. In April, a raid of S.E.A. Web domains revealed that the majority were still registered to the society.

S.E.A. members initially created pro-Assad Facebook pages and spammed popular pages like President Obama’s and Oprah Winfrey’s with pro-Syrian comments. But by the fall of 2011, S.E.A. activities had become more premeditated. They defaced prominent Web sites like Harvard University’s with pro-Assad messages, in an attack a spokesman characterized as sophisticated.

At some point, the S.E.A.’s crucial players disappeared and a second crop of hackers took over. The current group consists of roughly a dozen new actors led by hackers who call themselves “Th3 Pr0” and “The Shadow” and function more like Anonymous, the loose hacking collective, than a state-sponsored brigade. In interviews, people who now identify as the S.E.A. insist they operate independently from the Assad regime. But researchers who have been following the group’s digital trail aren’t convinced.

“The opportunity for collaboration between the S.E.A. and regime is clear, but what is missing is proof,” said Jacob West, a chief technology officer at Hewlett-Packard. As governments consider stronger responses to malicious cyberactivity, Mr. West said, “the motivation for Syria to maintain plausible deniability is very, very real.”

Long before the S.E.A.’s apparent changing of the guard, security researchers unearthed a stealthier surveillance campaign targeting Syrian dissidents that has since grown to include foreign aid workers. Morgan Marquis-Boire, a researcher at the Citizen Lab at the University of Toronto, uncovered spyware with names like “Dark Comet” and “BlackShades” sending information back to a Syrian state-owned telecommunications company. The software — which tracked a target’s location, read e-mails and logged keystrokes — disguised itself as an encryption service for Skype, a program used by many Syrian activists.

Mr. Marquis-Boire has uncovered more than 200 Internet Protocol addresses running the spyware. Some were among the few kept online last week during an Internet disruption in Syria that the government blamed on a “technical malfunction,” but experts described as a systematic government shutdown.

S.E.A. members deny spying on Syrian civilians. “We didn’t do that and we will not,” the hacker who identifies himself as Th3 Pr0 wrote in an e-mail. “Our targets are known,” he wrote, referring to the group’s public Twitter attacks. Researchers have tracked several of those attacks — including that on The Onion and another against Human Rights Watch in March — to a server in Russia, which they believe is redirecting attacks from Syria. Last weekend, researchers traced one attack back to a Syrian I.P. address registered to Syriatel, a telecommunications company owned by Rami Makhlouf, Mr. Assad’s first cousin.

Dissidents say that connection is proof the S.E.A. is backed by the Assad regime and claim that the Twitter attacks are just the outward-facing component of a deeper surveillance campaign.

“There is no doubt they are the same,” said Dlshad Othman, a Syrian in Washington who helps dissidents get rid of the spyware.

The smoking gun, Mr. Othman and others say, was an S.E.A. attack last year on Burhan Ghalioun, a Syrian opposition leader. Shortly after Mr. Ghalioun’s Facebook page was hacked, it began serving spyware to fans. Mr. Ghalioun’s e-mails also showed up on an S.E.A. leak site.

The other potential link, they say, is a list of opposition leaders that surfaced in July, after S.E.A. members boasted they could help the regime quickly search for the names of opponents. Mr. Othman said the boasts were proof the S.E.A. worked with the regime and kept tabs on dissidents.

Ironically, that opposition search most likely led to the S.E.A.’s internal shake-up. Activists say encryption on the document was cracked, and in July it popped up on Pastebin, a Web site for anonymous postings.

“There was a view that the government blamed the S.E.A. for the leak,” said John Scott-Railton, a Citizen Lab research fellow.

In the days that followed, Facebook accounts for known S.E.A. members went dark. S.E.A. aliases that researchers had been tracking suddenly vanished. New members with different monikers assumed the group’s name. Researchers say the hackers behind the recent spate of Twitter hacks are far less organized.

Outside Syria, the Twitter attacks made people take note of the S.E.A. But inside Syria, they barely registered. Dissidents there are more concerned with the mounting spyware infections and imprisonments. And researchers have seen the spyware tracking a new target: aid workers.

“The Syrian opposition are quite paranoid and aware of the stakes,” Mr. Marquis-Boire said. “But then you get foreign aid workers who show up to do good work, but are not as paranoid about their operational security.”

“It’s a smart move if you think about it,” he added.



This article has been revised to reflect the following correction:

Correction: May 17, 2013

An earlier version of this article based on previous reporting referred incorrectly to a representative of The Financial Times, Ryann Gastwirth. She is a spokeswoman, not a spokesman.

    Hunting for Syrian Hackers’ Chain of Command, NYT, 17.5.2013,






Cyberattacks on the Rise

Against U.S. Corporations


May 12, 2013
The New York Times


WASHINGTON — A new wave of cyberattacks is striking American corporations, prompting warnings from federal officials, including a vague one issued last week by the Department of Homeland Security. This time, officials say, the attackers’ aim is not espionage but sabotage, and the source seems to be somewhere in the Middle East.

The targets have primarily been energy companies, and the attacks appeared to be probes, looking for ways to seize control of their processing systems. The attacks are continuing, officials said. But two senior administration officials said Sunday that they were still not certain exactly where the attacks were coming from, or whether they were state-sponsored or the work of hackers or criminals.

“We are concerned by these intrusions, and we are trying to make sure they don’t lead to something much bigger, as they did in the Saudi case,” said one senior American official. He was referring to the aggressive attack last summer that affected 30,000 computers at Saudi Aramco, one of the world’s largest oil producers. After lengthy investigations, American officials concluded that Iran had been behind the Saudi Aramco attack.

Another official said that in the new wave of attacks, “most everything we have seen is coming from the Middle East,” but he did not say whether Iran, or another country, appeared to be the source.

Last week’s warning was unusual because most attacks against American companies — especially those coming from China — have been attempts to obtain confidential information, steal trade secrets and gain competitive advantage. By contrast, the new attacks seek to destroy data or to manipulate industrial machinery and take over or shut down the networks that deliver energy or run industrial processes.

That kind of attack is much more like the Stuxnet worm that the United States and Israel secretly used against Iran’s nuclear enrichment plants several years ago, to slow Iran’s progress toward a nuclear weapons capability. When that covert program began, President Obama, among other officials, expressed worry that its eventual discovery could prompt retaliatory attacks.

Two senior officials who have been briefed on the new intrusions say they were aimed largely at the administrative systems of about 10 major American energy firms, which they would not name. That is similar to what happened to Saudi Aramco, where a computer virus wiped data from office computers, but never succeeded in making the leap to the industrial control systems that run oil production.

The Washington Post first reported the security warning on Friday. Over the weekend the Obama administration described what had led to the warning. Those officials began describing the activity as “probes that suggest someone is looking at how to take control of these systems.”

According to one United States official, Homeland Security officials decided to release the warning once they saw how deeply intruders had managed to penetrate corporate systems, including one that deals with chemical processes. In the past, the government occasionally approached individual companies it believed were under threat. Last week’s warning “is an effort to make sure that the volume and timeliness of the information improves,” in line with a new executive order signed by the president, one senior official said.

The warning was issued by an agency called ICS-Cert, which monitors attacks on computer systems that run industrial processes. It said the government was “highly concerned about hostility against critical infrastructure organizations,” and included a link to a previous warning about Shamoon, the virus used in the Saudi Aramco attack last year. It also hinted that federal investigations were under way, referring to indications “that adversary intent extends beyond intellectual property to include use of cyber to disrupt business and control systems.”

At Saudi Aramco, the virus replaced company data on thousands of computers with an image of a burning American flag. The attack prompted the defense secretary at the time, Leon E. Panetta, to warn of an impending “cyber 9/11” if the United States did not respond more efficiently to attacks. American officials have since concluded the attack and a subsequent one at RasGas, the Qatari energy company, were the work of Iranian hackers. Israeli officials, who follow Iran closely, said in interviews this month that they thought the attacks were the work of Iran’s new “cybercorps,” organized after the cyberattacks that affected their nuclear facilities.

Saudi Aramco said that while the attackers had attempted to penetrate its oil production systems, they had failed because the company maintained a separation between employees’ administrative computers and the computers used to control and monitor production. RasGas said the attack on its computers had failed for the same reason.

But there are no clear standards for computer security, and the Homeland Security warning last week urged companies to take steps many computer professionals already advise. The suggestions were for “things most everyone should be doing on an everyday basis,” said Dan McWhorter, the managing director of threat intelligence at Mandiant Corporation. His company conducted a study this year that identified a specific unit of the Chinese Army as the source of a number of attacks on American businesses and government organizations. “These are all threats people have been seeing coming for some time,” he said.

Still, the warning underscored that most of the likely targets in the United States, including cellphone networks and electric utility grids, are in private rather than government hands. “The challenge will be managing our nation’s offensive and defensive capabilities,” said Evan D. Wolff, a partner at Hunton & Williams, who runs the firm’s homeland security practice and focuses on cyberissues. “Unlike conventional weapons, this will require a very broad engagement across the private sector.”

For the last four years, the Department of Homeland Security has said it needs to expand its cybersecurity force by as many as 600 hacking specialists to keep pace with the rising number of threats. But in the last four months, the department has been grappling with an exodus of top officials, including Jane Holl Lute, the agency’s deputy secretary; Mark Weatherford, the department’s top cybersecurity official; Michael Locatis, the assistant secretary for cybersecurity; and Richard Spires, the agency’s chief information officer, all of whom resigned.


David E. Sanger reported from Washington, and Nicole Perlroth from San Francisco.

Michael S. Schmidt contributed reporting from Washington.

    Cyberattacks on the Rise Against U.S. Corporations, NYT, 12.5.2013,






U.S. Directly Blames China’s Military

for Cyberattacks


May 6, 2013
The New York Times


WASHINGTON — The Obama administration on Monday explicitly accused China’s military of mounting attacks on American government computer systems and defense contractors, saying one motive could be to map “military capabilities that could be exploited during a crisis.”

While some recent estimates have more than 90 percent of cyberespionage in the United States originating in China, the accusations relayed in the Pentagon’s annual report to Congress on Chinese military capabilities were remarkable in their directness. Until now the administration avoided directly accusing both the Chinese government and the People’s Liberation Army of using cyberweapons against the United States in a deliberate, government-developed strategy to steal intellectual property and gain strategic advantage.

“In 2012, numerous computer systems around the world, including those owned by the U.S. government, continued to be targeted for intrusions, some of which appear to be attributable directly to the Chinese government and military,” the nearly 100-page report said.

The report, released Monday, described China’s primary goal as stealing industrial technology, but said many intrusions also seemed aimed at obtaining insights into American policy makers’ thinking. It warned that the same information-gathering could easily be used for “building a picture of U.S. network defense networks, logistics, and related military capabilities that could be exploited during a crisis.”

It was unclear why the administration chose the Pentagon report to make assertions that it has long declined to make at the White House. A White House official declined to say at what level the report was cleared. A senior defense official said “this was a thoroughly coordinated report,” but did not elaborate.

Missing from the Pentagon report was any acknowledgment of the similar abilities being developed in the United States, where billions of dollars are spent each year on cyberdefense and constructing increasingly sophisticated cyberweapons. Recently the director of the National Security Agency, Gen. Keith Alexander, who is also commander of the military’s fast-growing Cyber Command, told Congress that he was creating more than a dozen offensive cyberunits, designed to mount attacks, when necessary, at foreign computer networks.

When the United States mounted its cyberattacks on Iran’s nuclear facilities early in President Obama’s first term, Mr. Obama expressed concern to aides that China and other states might use the American operations to justify their own intrusions.

But the Pentagon report describes something far more sophisticated: A China that has now leapt into the first ranks of offensive cybertechnologies. It is investing in electronic warfare capabilities in an effort to blind American satellites and other space assets, and hopes to use electronic and traditional weapons systems to gradually push the United States military presence into the mid-Pacific nearly 2,000 miles from China’s coast.

The report argues that China’s first aircraft carrier, the Liaoning, commissioned last September, is the first of several carriers the country plans to deploy over the next 15 years. It said the carrier would not reach “operational effectiveness” for three or four years, but is already set to operate in the East and South China Seas, the site of China’s territorial disputes with several neighbors, including Japan, Indonesia, the Philippines and Vietnam. The report notes a new carrier base under construction in Yuchi.

The report also detailed China’s progress in developing its stealth aircraft, first tested in January 2011.

Three months ago the Obama administration would not officially confirm reports in The New York Times, based in large part on a detailed study by the computer security firm Mandiant, that identified P.L.A. Unit 61398 near Shanghai as the likely source of many of the biggest thefts of data from American companies and some government institutions.

Until Monday, the strongest critique of China came from Thomas E. Donilon, the president’s national security adviser, who said in a speech at the Asia Society in March that American companies were increasingly concerned about “cyberintrusions emanating from China on an unprecedented scale,” and that “the international community cannot tolerate such activity from any country.” He stopped short of blaming the Chinese government for the espionage.

But government officials said the overall issue of cyberintrusions would move to the center of the United States-China relationship, and it was raised on recent trips to Beijing by Treasury Secretary Jacob J. Lew and the chairman of the Joint Chiefs of Staff, Gen. Martin E. Dempsey.

To bolster its case, the report argues that cyberweapons have become integral to Chinese military strategy. It cites two major public works of military doctrine, “Science of Strategy” and “Science of Campaigns,” saying they identify “information warfare (I.W.) as integral to achieving information superiority and an effective means for countering a stronger foe.” But it notes that neither document “identifies the specific criteria for employing a computer network attack against an adversary,” though they “advocate developing capabilities to compete in this medium.”

It is a critique the Chinese could easily level at the United States, where the Pentagon has declined to describe the conditions under which it would use offensive cyberweapons. The Iran operation was considered a covert action, run by intelligence agencies, though many techniques used to manipulate Iran’s computer controllers would be common to a military program.

The Pentagon report also explicitly states that China’s investments in the United States aim to bolster its own military technology. “China continues to leverage foreign investments, commercial joint ventures, academic exchanges, the experience of repatriated Chinese students and researchers, and state-sponsored industrial and technical espionage to increase the level of technologies and expertise available to support military research, development and acquisition.”

But the report does not address how the Obama administration should deal with that problem in an economically interconnected world where the United States encourages those investments, and its own in China, to create jobs and deepen the relationship between the world’s No. 1 and No. 2 economies. Some experts have argued that the threat from China has been exaggerated. They point out that the Chinese government — unlike, say, Iran or North Korea — has such deep investments in the United States that it cannot afford to mount a crippling cyberstrike on the country.

The report estimates that China’s defense budget is $135 billion to $215 billion, a large range attributable in part to the opaqueness of Chinese budgeting. While the figure is huge in Asia, the top estimate would still be less than a third of what the United States spends every year.

Some of the report’s most interesting elements examine the debate inside China over whether this is a moment for the country to bide its time, focusing on internal challenges, or to directly challenge the United States and other powers in the Pacific.

But it said that “proponents of a more active and assertive Chinese role on the world stage” — a group whose members it did not name — “have suggested that China would be better served by a firm stance in the face of U.S. or other regional pressure.”



This article has been revised to reflect the following correction:

Correction: May 7, 2013

An earlier version of this article gave the incorrect number for the unit identified by a New York Times article in February as the likely source of many of the biggest thefts of data from American companies and some government institutions. It is P.L.A. Unit 61398, not 21398. The name of China’s first aircraft carrier was also misspelled. It is the Liaoning, not the Lianoning.

U.S. Directly Blames China’s Military for Cyberattacks,




