Closing the Door on Hackers
April 4, 2013
The New York Times
By MARC MAIFFRET
IRVINE, Calif.
FOR most of my teenage years, I made a hobby of hacking into some of the world’s
largest government and corporate computer systems. I was “lucky” enough to be
raided by the F.B.I. when I was 17 years old. After that wake-up call, I
eventually started a software security company and now find myself helping to
plug security holes, not exploit them.
The nature of hacking has changed, too, since I left it in the late 1990s — from
a game of curiosity and occasional activism into a central tool in cybercrime
and nation-state attacks.
Alongside that shift has come a loud and often misguided conversation about what
to do to stop this new breed of hacking. Too much of the debate begins and ends
with the perpetrators and the victims of cyberattacks, and not enough is focused
on the real problem: the insecure software or technology that allows such
attacks to succeed. Instead of focusing solely on employees who accidentally
open e-mails, we should also be pressuring software makers to make significant
investments in their products’ security.
When you read headlines about the latest cyberattack, you typically do not hear
about how attackers were able to put a virus or other malware on a system in the
first place. In many cases, it begins with attackers exploiting a software
vulnerability or weakness in order to install their malware.
The unspoken truth is that for the most part, large software companies are not
motivated to make software secure. It’s a question of investment priorities:
they care more about staying competitive with their products, and that means
developing the latest features and functions that consumers and businesses are
looking to buy. Security issues are often treated more as a marketing challenge
than an engineering one.
A result is an open door to hackers inside some of the world’s most popular
software systems. Perhaps most famously, during the early to middle parts of the
last decade, hackers discovered a significant number of glaring security
weaknesses in Microsoft products (some of which were discovered by my company).
Several of these weaknesses were exploited in high-profile computer virus and
worm attacks.
To be fair, securing software is not a trivial task. Often it means building in
multiple barriers to entry and keeping those defenses current with the latest
developments in hacker techniques. Security has to be a central and significant
investment in any software development project.
Still, given the heightened impact of recent attacks on both corporate and
government operations, we must begin to hold software companies accountable for
such vulnerabilities.
Fortunately, there is a lot a company can do to secure its code, should it
choose to. After Microsoft’s software vulnerabilities drew significant negative
attention — one of the few times the public has correctly affixed blame to a
software company — Bill Gates himself addressed the issue in 2002 in his now
famous “Trustworthy Computing” memo.
In that memo, sent to all Microsoft employees, Mr. Gates made it clear that the
company’s future depended on building software and a platform that could be
reliably secure. It was more than talk: in the decade or so since, Microsoft
fundamentally changed its software development process to make security a core
part of the program.
Too many other companies, though, seem to have missed the memo.
Take Oracle, and specifically the security challenges surrounding its Java
software, which the company inherited through its 2010 acquisition of Sun
Microsystems. Java, one of the most ubiquitous pieces of software in the world,
is so full of security holes — including multiple avenues for hackers to take
control of a computer remotely — that the Department of Homeland Security
recommends that its users completely disable the software in their browsers.
Oracle is not alone. Adobe, which makes the popular Adobe Reader and Flash
applications, has seen a significant number of security weaknesses over the
years and also a sharp increase in its software’s being a gateway for
cyberattacks. The risks associated with Flash were one reason Apple decided not
to allow it on iPhones.
Like Microsoft, Adobe has made strides to increase the security of its
technology over the last couple of years, and more recently some of those
security improvements seem to be paying off. But it still has work to do.
In his 2002 memo, Mr. Gates cast the security challenge as not just a Microsoft
problem, but one for the overall industry. A computer or a network is only as
secure as its weakest link — no matter how secure one program might be, a poorly
protected bit of software could compromise everything.
That means that on top of investing in their own security, companies have to
make efforts to coordinate with other developers to present a united front.
Adobe and Microsoft have worked together in recent years to identify and close
off mutual vulnerabilities, and other companies should follow suit.
A lot of the talk around cybersecurity has centered on the role of government.
But investing in software security and cooperating across the software industry
shouldn’t take an act of Congress. It will, however, take a new mind-set on the
part of developers. They should no longer see security as an add-on feature, nor
should they regard holes in their competitors’ security efforts as merely a
competitive advantage. As the world comes to depend more and more on their
products, it should demand nothing less.
Closing the Door on Hackers, NYT, 4.3.2013,
http://www.nytimes.com/2013/04/05/opinion/closing-the-door-on-hackers.html
As Web Search Goes Mobile, Competitors Chip at Google’s Lead
April 3, 2013
The New York Times
By CLAIRE CAIN MILLER
Say you need a latté. You might pull out your phone, open the Yelp app and search for a
nearby cafe. If instead you want to buy an espresso machine, you will most
likely tap Amazon.com.
Either way, Google lost a customer.
Google remains the undisputed king of search, with about two-thirds of the
market. But the nature of search is changing, especially as more people search
for what they want to buy, eat or learn on their mobile devices. This has put
the $22 billion search industry, perhaps the most lucrative and influential of
online businesses, at its most significant crossroad since its invention.
No longer do consumers want to search the Web like the index of a book — finding
links at which a particular keyword appears. They expect new kinds of customized
search, like that on topical sites such as Yelp, TripAdvisor or Amazon, which
are chipping away at Google’s hold. Google and its competitors are trying to
develop the knowledge and comprehension to answer specific queries, not just
point users in the right direction.
“What people want is, ‘You ask a very simple question and you get a very simple
answer,’ ” said Oren Etzioni, a professor at the University of Washington who
has co-founded companies for shopping and flight search. “We don’t want the 10
blue links on that small screen. We want to know the closest sushi place, make a
reservation and be on our way.”
People are overwhelmed at how crowded the Internet has become — Google says
there are 30 trillion Web addresses, up from 1 trillion five years ago — and
users expect their computers and phones to be smarter and do more for them. Many
of the new efforts are services that people do not even think of as search
engines.
Amazon, for example, has a larger share than Google of shopping searches, the
most lucrative kind because people are in the mood to buy something. On sites
like Pinterest and Polyvore, users have curated their favorite things from
around the Web to produce results when you search for, say, “lace dress.”
On smartphones, people skip Google and go directly to apps, like Kayak or
Weather Underground. Other apps send people information, like traffic or flight
delays, before they even ask for it.
People use YouTube to search for things like how to tie a bow tie, Siri to
search on their iPhones, online maps to find local places and Facebook to find
things their friends have liked.
And services like LinkedIn Influencers and Quora are trying to be different
kinds of search engines — places to find high-quality, expert content and avoid
weeding through everything else on the Web. On Quora, questions like “What was
it like to work for Steve Jobs?” get answered by people with firsthand
knowledge, something Google cannot provide.
“There is a lot of pressure on search engines to deliver more customized, more
relevant results,” said Shar VanBoskirk, an analyst at Forrester. “Users don’t
need links to Web pages. We need answers, solutions, whatever intel we were
searching for.”
But Google remains the one to beat, even as alternative search sites become
popular. “They’re the specialty store you’re going into here and there,” said
Danny Sullivan, an editor of Search Engine Land, a blog, “but they’re not your
grocery store.”
Yet the promise of search is big enough that even though Microsoft loses
billions of dollars a year on Bing and has failed to make a dent in Google’s
market share, it keeps at it. Microsoft — which in February had 17 percent of
the market, and 26 percent including the searches it powered for Yahoo — has
said it views search as essential to its other products, from the Xbox to
phones. And there is still a lot of money to be made as No. 2.
“You have millions of people a day saying exactly what they want, and if you’re
an advertiser, it’s a beautiful vehicle,” Mr. Sullivan said.
EMarketer estimates that Google earns about three-quarters of search ad
spending. Search engines bring companies troves of data and a measure of control
as Internet users’ entry point to the digital world.
There are signs that people’s search behaviors are changing, however, with
consequences for these companies.
Searches on traditional services, dominated by Google, declined 3 percent in the
second half of last year after rising for years, according to comScore, and the
number of searches per searcher declined 7 percent. In contrast, searches on
topical sites, known as vertical search engines, climbed 8 percent.
While traditional searches increased again this year, other data reflects the
threat to Google.
In the first quarter, spending on search ads fell 1 percent, a significant
slowdown for Google, according to IgnitionOne, a digital marketing company. Last
year, Google lost market share in search ads for the first time, according to
eMarketer, falling to 72.8 percent from 74 percent.
This year, ad spending on traditional search engines is expected to grow more
slowly than overall online ad spending, a reversal. Its growth significantly
outpaced that of online ad spending until last year, eMarketer said.
Google is not watching from the sidelines. It is making more changes to search
offerings, at a faster pace than it has in years.
Larry Page, its co-founder and chief executive, renamed the search division
“knowledge.” Google’s mission, organizing the world’s information, was too
narrow. Now he wanted people to learn from Google.
Google now shows answers instead of just links if you search something like
“March Madness,” “weather” or even “my flight,” in which case it can pull flight
information from users’ Gmail accounts.
The company’s biggest step happened last year, when it introduced the knowledge
graph. While search generally matches keywords to Web sites, the knowledge graph
uses semantic search, which understands the meanings of and connections among
people, places and things.
A typical search engine, for instance, responds to a search for “Diana” by
showing Web pages on which that word appears, from Wikipedia entries on the
goddess of the hunt and the Princess of Wales to an engagement ring company.
But a more knowledgeable, humanlike search engine could know that you were
looking for your roommate Diana’s online profile, or that you were also
interested in Kate Middleton.
“What Google is beginning to do is share some of the knowledge in the world that
humans have in their minds,” said Ben Gomes, a Google fellow, “so users can
begin to communicate with Google in a way that’s much more natural to their
thinking.”
Google calls these small steps that show where it is headed.
In the future, Google could answer more complicated questions, Mr. Gomes said,
like “How far is it from here to the Eiffel Tower?” and “Where could I go to a
concert in warm weather next year?”
Despite the advances of alternative search services, online habits are just as
hard to break as real-world ones, especially when they are useful, said Andrew
Lipsman, vice president of industry analysis at comScore.
“Most people have this very strong Google habit,” he said. “I go there every day
and it gives me information I want, so it’s a self-reinforcing cycle. Not anyone
can come in and just do those things.”
As Web Search Goes Mobile, Competitors Chip at Google’s Lead, NYT, 3.4.2013,
http://www.nytimes.com/2013/04/04/technology/as-web-search-goes-mobile-apps-chip-at-googles-lead.html
Facebook Is Expected to Introduce Its Phone
April 3, 2013
The New York Times
By SOMINI SENGUPTA
SAN FRANCISCO — Facebook does not have to build a phone, as its chief executive,
Mark Zuckerberg, has long maintained.
But it needs to find a way to play a bigger role in delivering what consumers
want from their phones: ways to communicate, find answers to questions, shop and
be entertained. The company would especially like to become that workhorse for
the vast majority of its users who live outside the United States and from whom,
so far, it barely profits.
The company will make its biggest leap yet in that direction Thursday, when it
is expected to introduce a moderately priced phone, made by HTC, powered by
Google’s Android operating system, and tweaked to showcase Facebook and its apps
on the home screen.
The Facebook phone adheres to two crucial product announcements in the last
three months: A new search tool that encourages users to use their Facebook
friend network to seek out everything from restaurants to running trails, and a
news feed remade for mobile devices.
The details of the would-be Facebook-centric phone are under wraps. But the
motivation is certain.
“Facebook would like to be, literally and figuratively, as close to its users as
its users are to their phones, within arm’s reach when they are searching for
information, news, time wasting, shopping, communication,” said Rebecca Lieb, an
analyst with the Altimeter Group.
That can be especially attractive if the new phone is affordable to emerging
market users: Brazil and India are home to the largest blocs of Facebook users
after the United States, and their numbers are growing swiftly as smartphone
penetration increases in those countries. Many Indian cellphone makers, for that
reason, have Facebook already installed on their home pages.
But Facebook makes little money by advertising to those international users.
By partnering with HTC, a phone maker based in Taiwan, the social network is
signaling that it is “making an international push,” says Michael Pachter, an
analyst with Wedbush Securities.
“The more people you get to use it on phones, the more ads you can deliver,” Mr.
Pachter said.
Facebook made a little more than $4 a user in North America and $1.71 in Europe,
but barely more than 50 cents in the rest of the world, including large markets
like Brazil and India.
Ads are its principal moneymaker, and Facebook is under intense pressure to show
Wall Street that it can make more money, and fast. Its stock market value is
still far below its initial public offering price, and many analysts blame the
company’s belated push into mobile devices.
Mr. Zuckerberg announced last year that Facebook was retooling itself as a
mobile-first company. He has consistently said that it is not in the company’s
interest to manufacture a phone.
“It’s not the right strategy for us,” he told market analysts in an earnings
call in January. He wanted rather to see Facebook integrated into every device
that its billion users hold in their hands.
Two-thirds of Facebook’s roughly one billion users worldwide log in to the
social network on mobile devices.
A study commissioned by Facebook and carried out by the research firm IDC found
that those users checked their Facebook pages an average of 14 times a day; in
short, users checked in two-minute bursts adding up to about half an hour each
day. Mostly, the users check their news feed.
The new Facebook-optimized phone will use a modified version of the Android
software, The New York Times reported last week. When turned on, it will display
the Facebook news feed.
Facebook already functions much like a phone, allowing users to chat, send group
messages and even, in one experiment with users in Canada, to make free phone
calls over the Internet. Its platform hosts a variety of applications that
deliver things like music and news, and its newsfeed has been tweaked to
showcase photos, which is what Facebook users post by the millions every day.
There are fledgling experiments with commerce. Facebook users can buy online and
offline gifts on Facebook with their credit cards. Equally important, Facebook’s
insistence on real names means that Facebook can be something like an identity
verification service. It is well-positioned to be a kind of mobile wallet,
containing the equivalent of an identity card and a seamless way to buy things.
“They want to have all the services that consumers want to use in the mobile
world,” said Karsten Weide, an analyst with IDC. “They want to be the major
consumer Internet platform.”
The Thursday announcement, which Facebook has described as an opportunity to
“come see our new home on Android,” illustrates a fundamental problem for the
company. Facebook must accommodate itself to mobile operating systems controlled
by Internet rivals, Apple and Google.
Mr. Weide described them as “frenemies, mutually dependent but competing.”
Facebook Is Expected to Introduce Its Phone, NYT, 3.4.2013,
http://www.nytimes.com/2013/04/04/technology/facebook-is-expected-to-introduce-its-phone.html
Cyberattacks Seem Meant to Destroy, Not Just Disrupt
March 28, 2013
The New York Times
By NICOLE PERLROTH and DAVID E. SANGER
American Express customers trying to gain access to their online accounts Thursday were
met with blank screens or an ominous ancient type face. The company confirmed
that its Web site had come under attack.
The assault, which took American Express offline for two hours, was the latest
in an intensifying campaign of unusually powerful attacks on American financial
institutions that began last September and have taken dozens of them offline
intermittently, costing millions of dollars.
JPMorgan Chase was taken offline by a similar attack this month. And last week,
a separate, aggressive attack incapacitated 32,000 computers at South Korea’s
banks and television networks.
The culprits of these attacks, officials and experts say, appear intent on
disabling financial transactions and operations.
Corporate leaders have long feared online attacks aimed at financial fraud or
economic espionage, but now a new threat has taken hold: attackers, possibly
with state backing, who seem bent on destruction.
“The attacks have changed from espionage to destruction,” said Alan Paller,
director of research at the SANS Institute, a cybersecurity training
organization. “Nations are actively testing how far they can go before we will
respond.”
Security experts who studied the attacks said that it was part of the same
campaign that took down the Web sites of JPMorgan Chase, Wells Fargo, Bank of
America and others over the last six months. A group that calls itself the Izz
ad-Din al-Qassam Cyber Fighters has claimed responsibility for those attacks.
The group says it is retaliating for an anti-Islamic video posted on YouTube
last fall. But American intelligence officials and industry investigators say
they believe the group is a convenient cover for Iran. Just how tight the
connection is — or whether the group is acting on direct orders from the Iranian
government — is unclear. Government officials and bank executives have failed to
produce a smoking gun.
North Korea is considered the most likely source of the attacks on South Korea,
though investigators are struggling to follow the digital trail, a process that
could take months. The North Korean government of Kim Jong-un has openly
declared that it is seeking online targets in its neighbor to the south to exact
economic damage.
Representatives of American Express confirmed that the company was under attack
Thursday, but said that there was no evidence that customer data had been
compromised. A representative of the Federal Bureau of Investigation did not
respond to a request for comment on the American Express attack.
Spokesmen for JPMorgan Chase said they would not talk about the recent attack
there, its origins or its consequences. JPMorgan has openly acknowledged
previous denial of service attacks. But the size and severity of the most recent
one apparently led it to reconsider.
The Obama administration has publicly urged companies to be more transparent
about attacks, but often security experts and lawyers give the opposite advice.
The largest contingent of instigators of attacks in the private sector,
government officials and researchers say, remains Chinese hackers intent on
stealing corporate secrets.
The American and South Korean attacks underscore a growing fear that the two
countries most worrisome to banks, oil producers and governments may be Iran and
North Korea, not because of their skill but because of their brazenness. Neither
country is considered a superstar in this area. The appeal of digital weapons is
similar to that of nuclear capability: it is a way for an outgunned, outfinanced
nation to even the playing field. “These countries are pursuing cyberweapons the
same way they are pursuing nuclear weapons,” said James A. Lewis, a computer
security expert at the Center for Strategic and International Studies in
Washington. “It’s primitive; it’s not top of the line, but it’s good enough and
they are committed to getting it.”
American officials are currently weighing their response options, but the issues
involved are complex. At a meeting of banking executives, regulators and
representatives from the departments of Homeland Security and Treasury last
December, some pressed the United States to hit back at the hackers, while
others argued that doing so would only lead to more aggressive attacks,
according to two people who attended the meeting.
The difficulty of deterring such attacks was also the focus of a White House
meeting this month with Mr. Obama and business leaders, including the chief
executives Jamie Dimon of JPMorgan Chase; Brian T. Moynihan of Bank of America;
Rex W. Tillerson of Exxon Mobil; Randall L. Stephenson of AT&T and others.
Mr. Obama’s goal was to erode the business community’s intense opposition to
federal legislation that would give the government oversight of how companies
protect “critical infrastructure,” like banking systems and energy and cellphone
networks. That opposition killed a bill last year, prompting Mr. Obama to sign
an executive order promoting increased information-sharing with businesses.
“But I think we heard a new tone at this latest meeting,” an Obama aide said
later. “Six months of unrelenting attacks have changed some views.”
Mr. Lewis, the computer security expert, agreed. “The Iranian attacks have
tilted private sector opinion,” he said. “Hence the muted reaction to the
executive order versus squeals of outrage. Companies are much more concerned
about this and much more willing to see a government role.”
Neither Iran nor North Korea has shown anywhere near the subtlety and technique
in online offensive skills that the United States and Israel demonstrated with
Olympic Games, the ostensible effort to disable Iran’s nuclear enrichment plants
with an online weapon that destabilized hundreds of centrifuges, destroying many
of them. But after descriptions of that operation became public in the summer of
2010, Iran announced the creation of its own Cyber Corps.
North Korea has had hackers for years, some of whom are believed to be operating
from, or through, China. Neither North Korea nor Iran is as focused on stealing
data as they are determined to destroy it, experts contend.
When hackers believed by American intelligence officials to be Iranians hit the
world’s largest oil producer, Saudi Aramco, last year, they did not just erase
data on 30,000 Aramco computers; they replaced the data with an image of a
burning American flag. In the assault on South Korea last week, some affected
computers displayed an ominous image of skulls.
“This attack is as much a cyber-rampage as it is a cyberattack,” Rob Rachwald, a
research director at FireEye, a computer security firm, said of the South Korea
attacks.
In the past, such assaults typically occurred through a denial-of-service
attack, in which hackers flood their target with Web traffic from networks of
infected computers until it is overwhelmed and shuts down. One such case was a
2007 Russian attack on Estonia that affected its banks, the Parliament,
ministries, newspapers and broadcasters.
With their campaign against American financial institutions, the hackers
suspected of being Iranian have taken that kind of attack to the next level.
Instead of using individual personal computers to fire Web traffic at each bank,
they infected powerful, commercial data centers with sophisticated malware and
directed them to simultaneously fire at each bank, giving them the horsepower to
inflict a huge attack.
As a result, the hackers were able to take down the consumer banking sites of
American Express, JPMorgan Chase, Bank of America, Wells Fargo and other banks
with exponentially more traffic than hit Estonia in 2007.
In the attack on Saudi Aramco last year, the culprits did not mount that type of
assault. Instead, they created malware designed for the greatest impact, coded
to spread to as many computers as possible.
Likewise, the attacks last week on South Korean banks and broadcasters were far
more sophisticated than coordinated denial-of-service attacks in 2009 that
briefly took down the Web sites of South Korea’s president and its Defense
Ministry. Such attacks were annoyances; they largely did not affect operations.
This time around in South Korea, however, the attackers engineered malware that
could evade popular South Korean antivirus products, spread it to as many
computer systems as possible, and inserted a “time bomb” to take out all the
systems at once for greatest impact.
The biggest concern, Mr. Lewis said: “We don’t know how they make decisions.
When you add erratic decision making, then you really have something to worry
about.”
Cyberattacks Seem Meant to Destroy, Not Just Disrupt, NYT, 28.3.2013,
http://www.nytimes.com/2013/03/29/technology/corporate-cyberattackers-possibly-state-backed-now-seek-to-destroy-data.html
He Has Millions and a New Job at Yahoo. Soon, He’ll Be 18.
March 25, 2013
The New York Times
By BRIAN STELTER
One of Yahoo’s newest employees is a 17-year-old high school student in Britain. As of
Monday, he is one of its richest, too.
That student, Nick D’Aloisio, a programming whiz who wasn’t even born when Yahoo
was founded in 1994, sold his news-reading app, Summly, to the company on Monday
for a sum said to be in the tens of millions of dollars. Yahoo said it would
incorporate his algorithmic invention, which takes long-form stories and
shortens them for readers using smartphones, in its own mobile apps, with Mr.
D’Aloisio’s help.
“I’ve still got a year and a half left at my high school,” he said in a
telephone interview on Monday. But he will make arrangements to test out of his
classes and work from the Yahoo office in London, partly to abide by the
company’s new and much-debated policy that prohibits working from home.
Mr. D’Aloisio, who declined to comment on the price paid by Yahoo (the
technology news site AllThingsD pegged the purchase price at about $30 million),
was Summly’s largest shareholder.
Summly’s other investors, improbably enough, included Wendi Murdoch, Ashton
Kutcher and Yoko Ono. The most important one was Li Ka-shing, the Hong Kong
billionaire, whose investment fund supported Mr. D’Aloisio’s idea early on,
before it was even called Summly.
“They took a gamble on me when I was a 15-year-old,” Mr. D’Aloisio said, by
providing seed financing that let him hire employees and lease office space.
The fund read about Mr. D’Aloisio’s early-stage app on TechCrunch, the Silicon
Valley blog of record, found his e-mail address and startled him with a message
expressing interest.
The others signed up later. “Because it was my first time around, people just
wanted to help,” he said.
For teenagers who fancy themselves entrepreneurs — and their parents, too — the
news of the sale conjured up some feelings of inadequacy, but also awe. For
Brian Wong, the 21-year-old founder of Kiip, a mobile rewards company, the
reaction was downright laughable: “I feel old!”
A few years ago, Mr. Wong was described in the news media as the youngest person
ever to receive venture capital funding. But a couple of younger founders came
along — “and then Nick broke all of our records,” Mr. Wong said on Monday.
Among the attributes that helped Mr. D’Aloisio, he said, was a preternatural
ability to articulate exactly what he wanted Summly to be. “There were no umms,
no uhhs, no hesitations, no insecurities,” Mr. Wong said.
Mr. D’Aloisio, for his part, sounded somewhat uninterested in answering
questions about his age on Monday. He acknowledged that it was an advantage in
some pitch meetings, and certainly in the news media, “but so was the strength
of the idea.” He was more eager to talk about his new employer, Yahoo, which is
trying to reinvent itself as a mobile-first technology company (having dropped
the digital media tagline it used before Marissa Mayer became chief executive
last year).
“People are kind of underestimating how powerful it’s going to become and how
much opportunity is there,” he said.
For a company that badly wants to be labeled innovative, those words are worth a
lot.
Mr. D’Aloisio’s father, who works at Morgan Stanley, and his mother, a lawyer,
had no special knowledge of technology. But they nurtured their son’s
fascination with it and he started coding at age 12. Eventually he decided to
develop an app with what he calls an “automatic summarization algorithm,” one
that “can take pre-existing long-form content and summarize it.” In other words,
it tries to solve a problem that is often summed up with the abbreviation tl;dr:
“too long; didn’t read.”
Summly officially came online last November. By December, Mr. D’Aloisio was
talking to Yahoo and other suitors.
Yahoo said in a statement that while the Summly app would be shut down, “we will
acquire the technology and you’ll see it come to life throughout Yahoo’s mobile
experiences soon.”
Other news-reading apps have attracted corporate attention as of late,
reflecting the scramble by media companies to adapt to skyrocketing traffic from
mobile devices. The social network LinkedIn was said to be pursuing an app
called Pulse earlier this month. Still, the eight-figure payday for a teenage
entrepreneur on Monday struck some as outlandish and set off speculation that
Yahoo was willing to pay almost any price for “cool.”
Mr. D’Aloisio, though, will have plenty of time to prove his and his algorithm’s
worth. As for the sizable paycheck from Yahoo, he said he did not have any
specific plans for the sudden windfall. “It’s going to be put into a trust fund
and my parents will help manage it,” he said.
He did say, however, that “angel investing could be really fun.” When not
working at Yahoo, he will keep up with his hobbies — cricket in particular — and
set his sights on attending college at Oxford. His intended major is philosophy.
He Has Millions and a New Job at Yahoo. Soon, He’ll Be 18., NYT, 25.3.2013,
http://www.nytimes.com/2013/03/26/business/media/nick-daloisio-17-sells-summly-app-to-yahoo.html
Big Data Is Opening Doors, but Maybe Too Many
March 23, 2013
The New York Times
By STEVE LOHR
IN the 1960s, mainframe computers posed a significant technological challenge to common
notions of privacy. That’s when the federal government started putting tax
returns into those giant machines, and consumer credit bureaus began building
databases containing the personal financial information of millions of
Americans. Many people feared that the new computerized databanks would be put
in the service of an intrusive corporate or government Big Brother.
“It really freaked people out,” says Daniel J. Weitzner, a former senior
Internet policy official in the Obama administration. “The people who cared
about privacy were every bit as worried as we are now.”
Along with fueling privacy concerns, of course, the mainframes helped prompt the
growth and innovation that we have come to associate with the computer age.
Today, many experts predict that the next wave will be driven by technologies
that fly under the banner of Big Data — data including Web pages, browsing
habits, sensor signals, smartphone location trails and genomic information,
combined with clever software to make sense of it all.
Proponents of this new technology say it is allowing us to see and measure
things as never before — much as the microscope allowed scientists to examine
the mysteries of life at the cellular level. Big Data, they say, will open the
door to making smarter decisions in every field from business and biology to
public health and energy conservation.
“This data is a new asset,” says Alex Pentland, a computational social scientist
and director of the Human Dynamics Lab at the M.I.T. “You want it to be liquid
and to be used.”
But the latest leaps in data collection are raising new concern about
infringements on privacy — an issue so crucial that it could trump all others
and upset the Big Data bandwagon. Dr. Pentland is a champion of the Big Data
vision and believes the future will be a data-driven society. Yet the
surveillance possibilities of the technology, he acknowledges, could leave
George Orwell in the dust.
The World Economic Forum published a report late last month that offered one
path — one that leans heavily on technology to protect privacy. The report grew
out of a series of workshops on privacy held over the last year, sponsored by
the forum and attended by government officials and privacy advocates, as well as
business executives. The corporate members, more than others, shaped the final
document.
The report, “Unlocking the Value of Personal Data: From Collection to Usage,”
recommends a major shift in the focus of regulation toward restricting the use
of data. Curbs on the use of personal data, combined with new technological
options, can give individuals control of their own information, according to the
report, while permitting important data assets to flow relatively freely.
“There’s no bad data, only bad uses of data,” says Craig Mundie, a senior
adviser at Microsoft, who worked on the position paper.
The report contains echoes of earlier times. The Fair Credit Reporting Act,
passed in 1970, was the main response to the mainframe privacy challenge. The
law permitted the collection of personal financial information by the credit
bureaus, but restricted its use mainly to three areas: credit, insurance and
employment.
The forum report suggests a future in which all collected data would be tagged
with software code that included an individual’s preferences for how his or her
data is used. All uses of data would have to be registered, and there would be
penalties for violators. For example, one violation might be a smartphone
application that stored more data than is necessary for a registered service
like a smartphone game or a restaurant finder.
The corporate members of the forum say they recognize the need to address
privacy concerns if useful data is going to keep flowing. George C. Halvorson,
chief executive of Kaiser Permanente, the large health care provider, extols the
benefits of its growing database on nine million patients, tracking treatments
and outcomes to improve care, especially in managing costly chronic and
debilitating conditions like heart disease, diabetes and depression. New
smartphone applications, he says, promise further gains — for example, a person
with a history of depression whose movement patterns slowed sharply would get a
check-in call.
“We’re on the cusp of a golden age of medical science and care delivery,” Mr.
Halvorson says. “But a privacy backlash could cripple progress.”
Corporate executives and privacy experts agree that the best way forward
combines new rules and technology tools. But some privacy professionals say the
approach in the recent forum report puts way too much faith in the tools and too
little emphasis on strong rules, particularly in moving away from curbs on data
collection.
“We do need use restrictions, but there is a real problem with getting rid of
data collection restrictions,” says David C. Vladeck, a professor of law at
Georgetown University. “And that’s where they are headed.”
“I don’t buy the argument that all data is innocuous until it’s used
improperly,” adds Mr. Vladeck, former director of the Bureau of Consumer
Protection at the Federal Trade Commission.
HE offers this example: Imagine spending a few hours looking online for
information on deep fat fryers. You could be looking for a gift for a friend or
researching a report for cooking school. But to a data miner, tracking your
click stream, this hunt could be read as a telltale signal of an unhealthy habit
— a data-based prediction that could make its way to a health insurer or
potential employer.
Dr. Pentland, an academic adviser to the World Economic Forum’s initiatives on
Big Data and personal data, agrees that limitations on data collection still
make sense, as long as they are flexible and not a “sledgehammer that risks
damaging the public good.”
He is leading a group at the M.I.T. Media Lab that is at the forefront of a
number of personal data and privacy programs and real-world experiments. He
espouses what he calls “a new deal on data” with three basic tenets: you have
the right to possess your data, to control how it is used, and to destroy or
distribute it as you see fit.
Personal data, Dr. Pentland says, is like modern money — digital packets that
move around the planet, traveling rapidly but needing to be controlled. “You
give it to a bank, but there’s only so many things the bank can do with it,” he
says.
His M.I.T. group is developing tools for controlling, storing and auditing flows
of personal data. Its data store is an open-source version, called openPDS. In
theory, this kind of technology would undermine the role of data brokers and,
perhaps, mitigate privacy risks. In the search for a deep fat fryer, for
example, an audit trail should detect unauthorized use.
Dr. Pentland’s group is also collaborating with law experts, like Scott L. David
of the University of Washington, to develop innovative contract rules for
handling and exchanging data that insures privacy and security and minimizes
risk.
The M.I.T. team is also working on living lab projects. One that began recently
is in the region around Trento, Italy, in cooperation with Telecom Italia and
Telefónica, the Spanish mobile carrier. About 100 young families with young
children are participating. The goal is to study how much and what kind of
information they share on smartphones with one another, and with social and
medical services — and their privacy concerns.
“Like anything new,” Dr. Pentland says, “people make up just-so stories about
Big Data, privacy and data sharing,” often based on their existing beliefs and
personal bias. “We’re trying to test and learn,” he says.
Big Data Is Opening Doors, but Maybe Too Many, NYT, 23.3.2013,
http://www.nytimes.com/2013/03/24/technology/big-data-and-a-renewed-debate-over-privacy.html
Face-Lift at Facebook, to Keep Its Users Engaged
March 6, 2013
The New York Times
By SOMINI SENGUPTA
SAN FRANCISCO — Facebook plans to announce on Thursday a substantial redesign of its
News Feed — a makeover aimed at both keeping users glued to the social network
and luring more advertising dollars.
Company executives have broadly said they want to make the News Feed, the first
page every user sees upon logging in, more relevant.
In an earnings call with Wall Street analysts in January, the company’s founder
and chief executive, Mark Zuckerberg, offered some hints of what a reimagined
News Feed might look like: bigger photos, more videos and “more engaging ads.”
“Advertisers want really rich things like big pictures or videos, and we haven’t
provided those things historically,” Mr. Zuckerberg said at the time.
Facebook declined to comment on the redesign, which is scheduled to be announced
at its headquarters in Menlo Park, Calif. But the adjustments will reflect the
tricky balance Facebook faces now that it is a public company: to keep drawing
users to the site while not alienating them with more finely targeted
advertisements, which is Facebook’s chief source of revenue.
The pressures are acute, given Facebook’s still anemic performance on Wall
Street. It came out of the box last May with an extraordinarily high valuation
of $38 a share, which slumped to half last fall, and has remained for the most
part under $30.
“They have to walk a fine line between the user’s needs and advertiser’s needs,”
said Karsten Weide, an analyst with IDC. The user, he went on, could use
“better, more intelligent filtering,” while the advertiser needs “smarter, more
flexible advertising formats.”
Facebook’s challenge is all the more important considering some warning signs of
boredom.
Earlier this year came worrying news that 61 percent of users had taken a
sabbatical from the social network, sometimes for months at a time; boredom was
one of the reasons cited in the survey by the Pew Research Center. Even worse,
20 percent had deactivated their account entirely.
Advertisers have for years wanted to find new ways to show targeted ads to
Facebook users, based on the vast data that the social network has about them.
But Facebook has at times run into problems with new advertising products.
For example, last year, just before it filed for its public offering, it began
to show advertisements in the News Feed, largely in the form of the
controversial Sponsored Stories, where one user’s “like” for a brand was
deployed to market that brand to a user’s Facebook “friends.”
Last fall, again in an effort to drum up new revenue, Facebook offered brands
and individual users a way to pay Facebook to promote a particular post on the
News Feed. Those who did not pay could expect an average post to reach about a
third of their Facebook friends, according to the company’s own analysis. That
immediately drew criticism, including from Mark Cuban, a technology investor and
owner of the Mavericks basketball team, who wrote in an angry post on his blog
(http://blogmaverick.com/) last fall that Facebook had made it too expensive for
a brand like the Mavericks to reach its fans.
This week, responding to fresh criticism, Facebook said it did not “artificially
suppress” content to feature paid posts.
The social networking giant has tweaked its News Feed over the years. Since
2009, Facebook has filtered what every user sees on the News Feed, based on the
wisdom of its proprietary algorithm, called Edge Rank, which determines which
posts a particular user is likely to find most interesting.
In 2010, it allowed users to chronologically filter the contents of the
scrolling feed. The next year, it introduced a separate right-hand-side ticker —
Twitter-esque, some said — of everything that every “friend” and brand page had
posted.
At the heart of Facebook’s business is to hold the attention of its one billion
users worldwide. That means keeping them entertained and on the site as
frequently as possible.
It seems to be losing this battle somewhat with its youngest users. Teenagers
are increasingly turning to other services, including Instagram, which Facebook
now owns, so much so that David A. Ebersman, the company’s chief financial
officer, said last week in a conference sponsored by Morgan Stanley that
Facebook considered the photo-sharing site a competitor.
Instagram is not its only worry. Americans are increasingly turning to Pinterest
to share shopping desires with their friends; Tumblr is a popular forum for
self-expression, and Twitter continues to grow as a platform for news and
entertainment.
Many people may no longer know all their “friends” on Facebook, which makes it
difficult for the company to stuff the News Feed with posts that users will find
relevant. Then there are ads.
“The bigger opportunity for Facebook is in cracking the relevance nut,” said
Travis Katz, founder of an online travel service, Gogobot, that is integrated
with Facebook.
“The noise-to-signal ratio in the feed has increased dramatically,” he added,
“to the point where I often miss stories that were important to me.”
At the Morgan Stanley conference, Mr. Ebersman said the company’s filtering
algorithms get “smarter” the more a Facebook user clicks on what is displayed on
the News Feed.
“So of all the information we are able to show you on Facebook, we are trying
algorithmically to pick out which pieces of content to put at the top of your
News Feed because we think you will find them most engaging.”
Face-Lift at Facebook, to Keep Its Users Engaged, NYT, 6.3.2013,
http://www.nytimes.com/2013/03/07/technology/facebooks-redesign-hopes-to-keep-users-engaged.html
As Hacking Against U.S. Rises, Experts Try to Pin Down Motive
March 3, 2013
The New York Times
By NICOLE PERLROTH, DAVID E. SANGER and MICHAEL S. SCHMIDT
SAN FRANCISCO — When Telvent, a company that monitors more than half the oil and gas
pipelines in North America, discovered last September that the Chinese had
hacked into its computer systems, it immediately shut down remote access to its
clients’ systems.
Company officials and American intelligence agencies then grappled with a
fundamental question: Why had the Chinese done it?
Was the People’s Liberation Army, which is suspected of being behind the hacking
group, trying to plant bugs into the system so they could cut off energy
supplies and shut down the power grid if the United States and China ever
confronted each other in the Pacific? Or were the Chinese hackers just trolling
for industrial secrets, trying to rip off the technology and pass it along to
China’s own energy companies?
“We are still trying to figure it out,” a senior American intelligence official
said last week. “They could have been doing both.”
Telvent, which also watches utilities and water treatment plants, ultimately
managed to keep the hackers from breaking into its clients’ computers.
At a moment when corporate America is caught between what it sees as two
different nightmares — preventing a crippling attack that brings down America’s
most critical systems, and preventing Congress from mandating that the private
sector spend billions of dollars protecting against that risk — the Telvent
experience resonates as a study in ambiguity.
To some it is prime evidence of the threat that President Obama highlighted in
his State of the Union address, when he warned that “our enemies are also
seeking the ability to sabotage our power grid, our financial institutions, our
air traffic control systems,” perhaps causing mass casualties. Mr. Obama called
anew for legislation to protect critical infrastructure, which was killed last
year by a Republican filibuster after intensive lobbying by the Chamber of
Commerce and other business groups.
But the security breach of Telvent, which the Chinese government has denied,
also raises questions of whether those fears — the subject of weekly research
group reports, testimony and Congressional studies — may be somewhat overblown,
or whether the precise nature of the threat has been misunderstood.
American intelligence officials believe that the greater danger to the nation’s
infrastructure may not even be China, but Iran, because of its avowal to
retaliate for the Stuxnet virus created by the United States and Israel and
unleashed on one of its nuclear sites. But for now, these officials say, that
threat is limited by gaps in Iranian technical skills.
There is no doubt that attacks of all kinds are on the rise. The Department of
Homeland Security has been responding to intrusions on oil pipelines and
electric power organizations at “an alarming rate,” according to an agency
report last December. Some 198 attacks on the nation’s critical infrastructure
systems were reported to the agency last year, a 52 percent increase from the
number of attacks in 2011.
Researchers at McAfee, a security firm, discovered in 2011 that five
multinational oil and gas companies had been attacked by Chinese hackers. The
researchers suspected that the Chinese hacking campaign, which they called Night
Dragon, had affected more than a dozen companies in the energy industry. More
recently, the Department of Energy confirmed in January that its network had
been infiltrated, though it has said little about what damage, if any, was done.
But security researchers say that the majority of those attacks were as
ambiguous as the Telvent case. They appeared to be more about cyberespionage,
intended to bolster the Chinese economy. If the goal was to blow up a pipeline
or take down the United States power grid, the attacks would likely have been of
a different nature.
In a recent report, Critical Intelligence, an Idaho Falls security company, said
that several cyberattacks by “Chinese adversaries” against North American energy
firms seemed intended to steal fracking technologies, reflecting fears by the
Chinese government that the shale energy revolution will tip the global energy
balance back in America’s favor. “These facts are likely a significant
motivation behind the wave of sophisticated attacks affecting firms that operate
in natural gas, as well as industries that rely on natural gas as an input,
including petrochemicals and steelmaking,” the Critical Intelligence report
said, adding that the attack on Telvent, and “numerous” North American pipeline
operators may be related.
American intelligence experts believe that the primary reason China is deterred
from conducting an attack on infrastructure in the United States is the simple
economic fact that anything that hurts America’s financial markets or
transportation systems would also have consequences for its own economy. It
could interrupt exports to Walmart and threaten the value of China’s investments
in the United States — which now include a new, big investment in oil and gas.
Iran, however, may be a different threat. While acknowledging that “China is
stealing our intellectual property at a rate that qualifies as an epidemic,”
Representative Mike Rogers, the Michigan Republican who chairs the House
Intelligence Committee, added a caveat in an interview on Friday. “China is a
rational actor,” he said. “Iran is not a rational actor.”
A new National Intelligence Estimate — a classified document that has not yet
been published within the government, but copies of which are circulating for
final comments — identifies Iran as one of the other actors besides China who
would benefit from the ability to shut down parts of the American economy.
Unlike the Chinese, the Iranians have no investments in the United States. As a
senior American military official put it, “There’s nothing but upside for them
to go after American infrastructure.”
While the skills of Iran’s newly created “cybercorps” are in doubt, Iranian
hackers gained some respect in the technology community when they brought down
30,000 computers belonging to Saudi Aramco, the world’s largest oil producer,
last August, replacing their contents with an image of a burning American flag.
The attack did not affect production facilities or refineries, but it made its
point.
“The main target in this attack was to stop the flow of oil and gas to local and
international markets and thank God they were not able to achieve their goals,”
Abdullah al-Saadan, Aramco’s vice president for corporate planning, told Al
Ekhbariya television.
President Obama has been vague about how the United States would respond to such
an attack. No one in the administration argues that the United States should
respond with cyber- or physical retaliation for the theft of secrets. Attorney
General Eric H. Holder Jr. has made clear that would be dealt with in criminal
courts, though the prosecutions of cybertheft by foreign sources have been few.
But the question of whether the president could, or should, order military
retaliation for major attacks that threaten the American public is a roiling
debate.
“Some have called for authorizing the military to defend private corporate
networks and critical infrastructure sectors, like gas pipelines and water
systems,” Candace Yu, who studies the issue for the Truman National Security
Project, wrote recently. “This is unrealistic. The military has neither the
specialized expertise nor the capacity to do this; it needs to address only the
most urgent threats.”
But the administration has failed to convince Congress that the first line of
defense to avert catastrophic cyberattack is to require private industry — which
controls the cellphone networks and financial and power systems that are the
primary target of infrastructure attacks — that it must build robust defenses.
A bill containing such requirements was defeated last year amid intense lobbying
from the United States Chamber of Commerce and others, which argued that the
costs would be prohibitive. Leading members of Congress say they expect the
issue will come up again in the next few months.
“We are in a race against time,” Michael Chertoff, the former secretary of
homeland security, said last week. “Most of the infrastructure is in private
hands. The government is not going to be able to manage this like the air
traffic control system. We’re going to have to enlist a large number of
independent actors.”
The administration’s cybersecurity legislation last year failed despite
closed-door simulations for lawmakers about what a catastrophic attack would
look like.
During one such simulation that the Department of Homeland Security allowed a
New York Times reporter to view at a department facility in Virginia, a woman
played the role of an “evil hacker” who successfully broke into a power plant’s
network. To get in, the hacker used a method called “spearphishing,” in which
she sent a message to a power plant employee that induced the employee to click
on a link to see pictures of “cute puppies.”
When the employee clicked on the link, it surreptitiously allowed the hacker to
gain access to the employee’s computer, enabling her to easily turn the switches
to the plant’s breakers on and off.
Although the officials providing the briefing acknowledged that the simulation
was a bit simplistic, their message was clear: with so many vulnerable critical
infrastructure systems across the country, such an attack could easily occur,
with huge consequences. No one rules out that scenario — whatever the current
motivations and abilities of countries like China and Iran.
“There are 12 countries developing offensive cyberweapons; Iran is one of them,”
James Lewis, a former government official and cybersecurity expert at the Center
for Strategic and International Studies in Washington, said at a security
conference in San Francisco. Those countries have a long way to go, he said, but
added: “Like nuclear weapons, eventually they’ll get there.”
Nicole Perlroth and Michael S. Schmidt reported from San Francisco, and David E.
Sanger from Washington.
As Hacking Against U.S. Rises, Experts Try to Pin Down Motive, 3.3.2013,
http://www.nytimes.com/2013/03/04/us/us-weighs-risks-and-motives-of-hacking-by-china-or-iran.html
Soldier to Face More Serious Charges in Leak
March 1, 2013
The New York Times
By SCOTT SHANE
FORT MEADE, Md. — Military prosecutors announced on Friday that they had decided to try Pfc.
Bradley Manning on the most serious charges they have brought against him and
seek a sentence that could be life without parole, despite his voluntary guilty
plea to 10 lesser charges that carry a maximum total sentence of 20 years.
Private Manning admitted in court on Thursday that he had provided about 700,000
government documents to WikiLeaks, the antisecrecy group, in the most extensive
leak of confidential and classified material in American history. But he pleaded
guilty to the lesser charges in what is known as a “naked plea” — one made
without the usual agreement with prosecutors to cap the potential sentence in
return.
After the plea, prosecutors and their boss, the commanding general of the
Washington Military District, had the option of settling for the 10 charges to
which he had admitted his guilt and proceeding directly to sentencing. Instead,
they said they would continue with plans for a court-martial beginning June 3,
with 141 prosecution witnesses scheduled to testify.
“Given the scope of the alleged misconduct, the seriousness of the charged
offenses, and the evidence and testimony available, the United States intends to
proceed with the court-martial to prove Manning committed the charged offenses
beyond the lesser charges to which he has already pled guilty,” said a statement
from the military district.
Eugene R. Fidell, who teaches military law at Yale, said the prosecutors’
decision suggested that they believed that his admissions, as extensive as they
were, did not capture the full seriousness of his crimes or guarantee an
adequate sentence. Most important, he said, the government wants to deter others
from taking advantage of the Internet and portable storage devices to follow his
example and leak government secrets on a grand scale.
“They want to scare the daylights out of other people,” Mr. Fidell said.
On Thursday, Private Manning, slight and bespectacled and dressed in a crisp
Army uniform, was permitted to read a 35-page statement he had written to
explain how he came to deliver to WikiLeaks voluminous archives of war reports
from Iraq and Afghanistan, detainee assessments from the prison at Guantánamo
Bay, Cuba, a quarter-million diplomatic cables and video showing helicopter
gunships killing civilians in Iraq.
His statement allowed him to put on the record his political motives — he said
he leaked the material in part “to spark a debate about foreign policy” — which
have drawn support from a long list of critics of American policies and
open-government advocates around the world. Private Manning may also have won
some points with the judge, Col. Denise R. Lind, for not forcing the government
to prove that he supplied the documents to WikiLeaks and for acknowledging that
he broke the law.
But the confession, to the unauthorized possession and transmission of
“protected information,” appears to have done nothing to alter the government’s
determination to make an example of him or to limit the sentence he will
ultimately serve. The military prosecutors’ statement said they would seek to
prove all the charges to which Private Manning pleaded not guilty: aiding the
enemy, violating the Espionage Act and the Computer Fraud and Abuse Act, larceny
and the improper use of government information systems.
Perhaps the biggest battle in what is expected to be a 12-week trial will be
over the prosecutors’ attempt to prove the rare charge of aiding the enemy — in
the words of the charging document, that Private Manning did “without proper
authority, knowingly give intelligence to the enemy, through indirect means.”
That charge can carry the death penalty, but since prosecutors have ruled that
punishment out, he would face a maximum sentence of life without parole if
convicted.
The government has said that some of the documents that Private Manning gave to
WikiLeaks ended up in the hands of Osama bin Laden, and the prosecution and
defense sparred on Friday over whether and how that evidence would be presented
at trial. Prosecutors said they wanted a witness who participated in the 2011
raid that killed Bin Laden to testify in disguise at the trial.
In his testimony on Thursday, Private Manning went out of his way to suggest
that while he corresponded online with someone from WikiLeaks who he assumed to
be the group’s founder, Julian Assange, no one from the organization directed
his actions.
That could be significant for a continuing federal grand jury investigation of
WikiLeaks in Alexandria, Va. Prosecutors are exploring whether Mr. Assange or
his associates conspired with Private Manning to break any laws. Mr. Assange,
now hiding out in the Ecuadorean Embassy in London to avoid being extradited to
Sweden to face sexual offense charges, has maintained that he merely publishes
documents that others provide to the group.
Reached by The Associated Press, Mr. Assange called Private Manning a political
prisoner and accused the United States of trying to punish critics of its
military and foreign policies.
Soldier to Face More Serious Charges in Leak, 1.3.2013,
http://www.nytimes.com/2013/03/02/us/manning-to-face-more-serious-charges-in-leak.html
Soldier Admits Providing Files to WikiLeaks
February 28, 2013
The New York Times
By CHARLIE SAVAGE
FORT MEADE, Md. — Pfc. Bradley Manning on Thursday confessed in open court to providing vast
archives of military and diplomatic files to the antisecrecy group WikiLeaks,
saying that he released the information to help enlighten the public about “what
happens and why it happens” and to “spark a debate about foreign policy.”
Appearing before a military judge for more than an hour, Private Manning read a
statement recounting how he joined the military, became an intelligence analyst
in Iraq, decided that certain files should become known to the American public
to prompt a wider debate about foreign policy, downloaded them from a secure
computer network and then ultimately uploaded them to WikiLeaks.
“No one associated with WLO” — an abbreviation he used to refer to the WikiLeaks
organization — “pressured me into sending any more information,” Private Manning
said. “I take full responsibility.”
Before reading the statement, Private Manning pleaded guilty to 10 criminal
counts in connection with the huge amount of material he leaked, which included
videos of airstrikes in Iraq and Afghanistan in which civilians were killed,
logs of military incident reports, assessment files of detainees held at
Guantánamo Bay, Cuba, and a quarter-million cables from American diplomats
stationed around the world.
The guilty pleas exposed him to up to 20 years in prison. But the case against
Private Manning, a slightly built 25-year-old who has become a folk hero among
antiwar and whistle-blower advocacy groups, is not over. The military has
charged him with a far more serious set of offenses, including aiding the enemy,
and multiple counts of violating federal statutes, including the Espionage Act.
Prosecutors now have the option of pressing forward with proving the remaining
elements of those charges.
That would involve focusing only on questions like whether the information he
provided counted as the sort covered by the Espionage Act — that is, whether it
was not just confidential but also could be used to injure the United States or
aid a foreign nation.
Private Manning described himself as thinking carefully about the kind of
information he was releasing, and taking care to make sure that none of it could
cause harm if disclosed.
The only material that initially gave him pause, he said, were the diplomatic
cables, which he portrayed as documenting “back-room deals and seemingly
criminal activity.”
But he decided to go forward after discovering that the most sensitive cables
were not in the database. He was also motivated, he said, by a book about “open
diplomacy” after World War I and “how the world would be a better place if
states would not make secret deals with each other.”
“I believed the public release of these cables would not damage the United
States,” he said. “However, I did believe the release of the cables might be
embarrassing.”
Private Manning said the first set of documents he decided to release consisted
of hundreds of thousands of military incident reports from Afghanistan and Iraq.
He had downloaded them onto a disk because the network connection at his base in
Iraq kept failing, and he and his colleagues needed regular access to them.
Those reports added up to a history of the “day-to-day reality” in both war
zones that he believed showed the flaws in the counterinsurgency policy the
United States was then pursuing. The military, he said, was “obsessed with
capturing or killing” people on a list, while ignoring the impact of its
operations on ordinary people.
Private Manning said he put the files on a digital storage card for his camera
and took it home with him on a leave in early 2010. He then decided to give the
files to a newspaper.
“I believed if the public — in particular the American public — had access to
the information” in the reports, “this could spark a debate about foreign policy
in relation to Iraq and Afghanistan,” he said.
Private Manning said he first called The Washington Post and spoke to an
unidentified reporter for about five minutes. He decided that the reporter did
not seem particularly interested because she said The Post would have to review
the material before making any commitment.
He said he then tried to reach out to The New York Times by calling a phone
number for the newspaper’s public editor — an ombudsman who is not part of the
newsroom — and leaving a voice mail message that was not returned.
In January 2010, around the time when Mr. Manning called the public editor’s
line, voice mail messages were checked by Michael McElroy, the assistant to
Clark Hoyt, then the public editor. Both Mr. Hoyt, now the editor at large at
Bloomberg News, and Mr. McElroy, now a staff editor at The Times, said on
Thursday that they had no recollection of hearing such a message.
“We got hundreds of calls a week, and I tried to go through them all,” Mr.
McElroy said. “If I’d heard something like that, I certainly hope I would have
flagged it immediately.”
Private Manning eventually decided to release the information by uploading it to
WikiLeaks. To do it, he said, he used a broadband connection at a Barnes & Noble
store because his aunt’s house in a Maryland suburb, where he was staying, had
lost its Internet connection in a snowstorm.
In February 2010, after he returned to Iraq, Private Manning sent more files to
WikiLeaks, including a helicopter gunship video of a 2007 episode in Iraq in
which American forces killed a group of men, including two Reuters journalists,
and then fired again on a van that pulled up to help the victims.
Private Manning said the video troubled him, both because of the shooting of the
second group of people, who “were not a threat but merely good Samaritans,” and
because of what he described as the “seemingly delightful blood lust” expressed
by the airmen in the recording. He also learned that Reuters had been seeking
the video without success.
Private Manning said he copied the files from the secure network onto disks,
which he took back to his quarters and transferred to his personal laptop before
uploading them to WikiLeaks — initially through its Web site, and later using a
directory the group designated for him on a “cloud drop box” server.
One set of files, he said, described the arrest by the Iraqi police, supported
by Americans, of 15 people for printing “anti-Iraqi” pamphlets. None were tied
to militants, he said, and the pamphlets were “merely a scholarly critique” of
government corruption. To his frustration, WikiLeaks did not publish those
files.
After that episode, Private Manning said, he became interested in detainees,
which led him to the Guantánamo files. He said the United States was holding
detainees who were “innocent, low-level foot soldiers, or didn’t have useful
intelligence and who would be released” if they were still in the war zone.
At the same time, he was increasingly engaged in online conversations with
someone from WikiLeaks who he said he assumed was a senior figure like Julian
Assange, its founder, whose name he mispronounced as “as-sahn-JAY.” He said he
greatly valued those talks because he felt isolated in Iraq. But, in retrospect,
he said the relationship was “artificial.” He did not elaborate.
The judge, Col. Denise Lind, pressed Private Manning to explain how he could
admit that his actions were wrong if his motivation was the “greater good” of
enlightening the public. Private Manning replied, “Your Honor, regardless of my
opinion or my assessment of documents such as these, it’s beyond my pay grade —
it’s not my authority to make these decisions” about releasing confidential
files.
Scott Shane contributed reporting from Washington.
Soldier Admits Providing Files to WikiLeaks, NYT, 28.2.2013,
http://www.nytimes.com/2013/03/01/us/bradley-manning-admits-giving-trove-of-military-data-to-wikileaks.html
A New Cold War, in Cyberspace, Tests U.S. Ties to China
February 24, 2013
The New York Times
By DAVID E. SANGER
WASHINGTON — When the Obama administration circulated to the nation’s Internet providers
last week a lengthy confidential list of computer addresses linked to a hacking
group that has stolen terabytes of data from American corporations, it left out
one crucial fact: that nearly every one of the digital addresses could be traced
to the neighborhood in Shanghai that is headquarters to the Chinese military’s
cybercommand.
That deliberate omission underscored the heightened sensitivities inside the
Obama administration over just how directly to confront China’s untested new
leadership over the hacking issue, as the administration escalates demands that
China halt the state-sponsored attacks that Beijing insists it is not mounting.
The issue illustrates how different the worsening cyber-cold war between the
world’s two largest economies is from the more familiar superpower conflicts of
past decades — in some ways less dangerous, in others more complex and
pernicious.
Administration officials say they are now more willing than before to call out
the Chinese directly — as Attorney General Eric H. Holder Jr. did last week in
announcing a new strategy to combat theft of intellectual property. But
President Obama avoided mentioning China by name — or Russia or Iran, the other
two countries the president worries most about — when he declared in his State
of the Union address that “we know foreign countries and companies swipe our
corporate secrets.” He added: “Now our enemies are also seeking the ability to
sabotage our power grid, our financial institutions and our air traffic control
systems.”
Defining “enemies” in this case is not always an easy task. China is not an
outright foe of the United States, the way the Soviet Union once was; rather,
China is both an economic competitor and a crucial supplier and customer. The
two countries traded $425 billion in goods last year, and China remains, despite
many diplomatic tensions, a critical financier of American debt. As Hillary
Rodham Clinton put it to Australia’s prime minister in 2009 on her way to visit
China for the first time as secretary of state, “How do you deal toughly with
your banker?”
In the case of the evidence that the People’s Liberation Army is probably the
force behind “Comment Crew,” the biggest of roughly 20 hacking groups that
American intelligence agencies follow, the answer is that the United States is
being highly circumspect. Administration officials were perfectly happy to have
Mandiant, a private security firm, issue the report tracing the cyberattacks to
the door of China’s cybercommand; American officials said privately that they
had no problems with Mandiant’s conclusions, but they did not want to say so on
the record.
That explains why China went unmentioned as the location of the suspect servers
in the warning to Internet providers. “We were told that directly embarrassing
the Chinese would backfire,” one intelligence official said. “It would only make
them more defensive, and more nationalistic.”
That view is beginning to change, though. On the ABC News program “This Week” on
Sunday, Representative Mike Rogers, Republican of Michigan and chairman of the
House Intelligence Committee, was asked whether he believed that the Chinese
military and civilian government were behind the economic espionage. “Beyond a
shadow of a doubt,” he replied.
In the next few months, American officials say, there will be many private
warnings delivered by Washington to Chinese leaders, including Xi Jinping, who
will soon assume China’s presidency. Both Tom Donilon, the national security
adviser, and Mrs. Clinton’s successor, John Kerry, have trips to China in the
offing. Those private conversations are expected to make a case that the sheer
size and sophistication of the attacks over the past few years threaten to erode
support for China among the country’s biggest allies in Washington, the American
business community.
“America’s biggest global firms have been ballast in the relationship” with
China, said Kurt M. Campbell, who recently resigned as assistant secretary of
state for East Asia to start a consulting firm, the Asia Group, to manage the
prickly commercial relationships. “And now they are the ones telling the Chinese
that these pernicious attacks are undermining what has been built up over
decades.”
It is too early to tell whether that appeal to China’s self-interest is getting
through. Similar arguments have been tried before, yet when one of China’s most
senior military leaders visited the Joint Chiefs of Staff at the Pentagon in May
2011, he said he didn’t know much about cyberweapons — and said the P.L.A. does
not use them. In that regard, he sounded a bit like the Obama administration,
which has never discussed America’s own cyberarsenal.
Yet the P.L.A.’s attacks are largely at commercial targets. It has an interest in
trade secrets like aerospace designs and wind-energy product schematics: the
army is deeply invested in Chinese industry and is always seeking a competitive
advantage. And so far the attacks have been cost-free.
American officials say that must change. But the prescriptions for what to do
vary greatly — from calm negotiation to economic sanctions and talk of
counterattacks led by the American military’s Cyber Command, the unit that was
deeply involved in the American and Israeli cyberattacks on Iran’s nuclear
enrichment plants.
“The problem so far is that we have rhetoric and we have Cyber Command, and not
much in between,” said Chris Johnson, a 20-year veteran of the C.I.A. team that
analyzed the Chinese leadership. “That’s what makes this so difficult. It’s easy
for the Chinese to deny it’s happening, to say it’s someone else, and no one
wants the U.S. government launching counterattacks.”
That marks another major difference from the dynamic of the American-Soviet
nuclear rivalry. In cold war days, deterrence was straightforward: any attack
would result in a devastating counterattack, at a human cost so horrific that
neither side pulled the trigger, even during close calls like the Cuban missile
crisis.
But cyberattacks are another matter. The vast majority have taken the form of
criminal theft, not destruction. It often takes weeks or months to pin down
where an attack originated, because attacks are generally routed through
computer servers elsewhere to obscure their source. A series of attacks on The
New York Times that originated in China, for example, was mounted through the
computer systems of unwitting American universities. That is why David Rothkopf,
the author of books about the National Security Council, wrote last week that
this was a “cool war,” not only because of the remote nature of the attacks but
because “it can be conducted indefinitely — permanently, even — without
triggering a shooting war. At least, that is the theory.”
Administration officials like Robert Hormats, the under secretary of state for
business and economic affairs, say the key to success in combating cyberattacks
is to emphasize to the Chinese authorities that the attacks will harm their
hopes for economic growth. “We have to make it clear,” Mr. Hormats said, “that
the Chinese are not going to get what they desire,” which he said was
“investment from the cream of our technology companies, unless they quickly get
this problem under control.”
But Mr. Rogers of the Intelligence Committee argues for a more confrontational
approach, including “indicting bad actors” and denying visas to anyone believed
to be involved in cyberattacks, as well as their families.
The coming debate is over whether the government should get into the business of
retaliation. Already, Washington is awash in conferences that talk about
“escalation dominance” and “extended deterrence,” all terminology drawn from the
cold war.
Some of the talk is overheated, fueled by a growing cybersecurity industry and
the development of offensive cyberweapons, even though the American government
has never acknowledged using them, even in the Stuxnet attacks on Iran. But
there is a serious, behind-the-scenes discussion about what kind of attack on
American infrastructure — something the Chinese hacking groups have not
seriously attempted — could provoke a president to order a counterattack.
This article has been revised to reflect the following correction:
Correction: February 24, 2013
An earlier version of this article gave an incorrect month for a visit to
the Pentagon by a senior Chinese military leader. The visit took place in
May 2011, not April 2011.
A New Cold War, in Cyberspace, Tests U.S. Ties to China, NYT, 24.2.2013,
http://www.nytimes.com/2013/02/25/world/asia/us-confronts-cyber-cold-war-with-china.html
Some Victims of Online Hacking Edge Into the Light
February 20, 2013
The New York Times
By NICOLE PERLROTH
SAN FRANCISCO — Hackers have hit thousands of American corporations in the last few
years, but few companies ever publicly admit it. Most treat online attacks as a
dirty secret best kept from customers, shareholders and competitors, lest the
disclosure sink their stock price and tarnish them as hapless.
Rarely have companies broken that silence, usually when the attack is reported
by someone else. But in the last few weeks more companies have stepped forward.
Twitter, Facebook and Apple have all announced that they were attacked by
sophisticated cybercriminals. The New York Times revealed its experience with
hackers in a front-page article last month.
The admissions reflect the new way some companies are calculating the risks and
benefits of going public. While companies once feared shareholder lawsuits and
the ire of the Chinese government, some can’t help noticing that those that make
the disclosures are lauded, as Google was, for their bravery. Some fear the
embarrassment of being unable to fend off hackers who may still be in high
school.
But as hacking revelations become more common, the threat of looking foolish
fades and more companies are seizing the opportunity to take the leap in a
crowd.
“There is a ‘hide in the noise’ effect right now,” said Alan Paller, director of
research at the SANS Institute, a nonprofit security research and education
organization. “This is a particularly good time to get out the fact that you got
hacked, because if you are one of many, it discounts the starkness of the
announcement.”
In 2010, when Google alerted some users of Gmail — political activists, mostly —
that it appeared Chinese hackers were trying to read their mail, such
disclosures were a rarity. In its announcement, Google said that it was one of
many — two dozen — companies that had been targeted by the same group. Google
said it was making the announcement, in part, to encourage other companies to
open up about the problem.
But of that group, only Intel and Adobe Systems reluctantly stepped forward, and
neither provided much detail.
Twitter admitted that it had been hacked this month. Facebook and Apple followed
suit two weeks later. Within hours after The Times published its account, The
Wall Street Journal chimed in with a report that it, too, had been attacked by
what it believed to be Chinese hackers. The Washington Post followed.
Not everyone took advantage of the cover. Bloomberg, for example, has repeatedly
denied that its systems were also breached by Chinese hackers, despite several
sources that confirmed that its computers were infected with malware.
Computer security experts estimate that more than a thousand companies have been
attacked recently. In 2011, security researchers at McAfee unearthed a vast
online espionage campaign, called Operation Shady Rat, that found more than 70
organizations had been hit over a five-year period, many in the United States.
“I am convinced that every company in every conceivable industry with
significant size and valuable intellectual property and trade secrets has been
compromised (or will be shortly) with the great majority of the victims rarely
discovering the intrusion or its impact,” Dmitri Alperovitch, then McAfee’s vice
president for threat research, wrote in his findings.
“In fact,” said Mr. Alperovitch, now the chief technology officer at
Crowdstrike, a security start-up, “I divide the entire set of Fortune Global
2000 firms into two categories: those that know they’ve been compromised and
those that don’t yet know.”
Of that group, there are still few admissions. A majority of companies that have
at one time or another been the subject of news reports of online attacks refuse
to confirm them. The list includes the International Olympic Committee, Exxon
Mobil, Baker Hughes, Royal Dutch Shell, BP, ConocoPhillips, Chesapeake Energy,
the British energy giant BG Group, the steel maker ArcelorMittal and Coca-Cola.
Like Google, some companies have stepped forward in the interest of increasing
awareness and improving security within their respective industries, often to
little avail. In 2009, Heartland Payment Systems, a major payment processing
company, took the unusual step of disclosing a major data breach on its systems
that potentially exposed millions of credit and debit card customers to fraud.
It did so against the advice of its lawyers.
“Until then, most people tried to sweep breaches under the rug,” said Steve
Elefant, then Heartland’s chief information officer. “We wanted to make sure
that it didn’t happen to us again and didn’t want to sit back while the bad guys
tried to pick us off one by one.”
Heartland helped set up the Payments Processors Information Sharing Council to
share information about security threats and breaches within the industry.
Again, the company’s lawyers thought it was a bad idea. “But we felt it was
important.”
The effort did not stop its other members from sweeping their own breaches under
the rug. Last year, Global Payments, a major payment processor, did not disclose
that it had been the victim of two major breaches that potentially affected
millions of accounts, until the attacks were reported by a well-known security
blogger. Even then, it did not offer details that other companies could use to
fortify their systems. Last week, President Obama signed an executive order that
encouraged increased information-sharing about online threats between the
government and private companies. But compliance with the order is voluntary, a
weakened alternative to an online security bill that stalled in Congress last
year after the Chamber of Commerce, a lobbying group that itself was hacked, led
an effort to block it, saying that the regulations would be too burdensome.
In Washington on Wednesday, several senior administration officials presented a
new strategy for protecting American intellectual property by urging firms to
step forward when attacked.
“There has been a reluctance by companies to come forward because of the concern
about the impact on their shareholders or others,” said Lanny A. Breuer, the
assistant attorney general in charge of the criminal division of the Justice
Department.
In October 2011, the Securities and Exchange Commission issued a new guidance
that specifically outlined how publicly traded companies should disclose online
attacks, but few disclosures have come because of it.
“Quite frankly, since then, there hasn’t been an abundance of reporting on
cyberevents despite the fact that they are clearly happening,” said Jacob
Olcott, a specialist in online risks who managed a Senate investigation into the
disclosure practices.
The best hope, Mr. Olcott said, is that as investors start paying more attention
to the threats, they will demand that companies disclose them. “I wouldn’t hold
my breath,” Mr. Elefant said. “There are an awful lot of lawyers out there
trying to keep companies from exposing that these breaches are happening. And
they are happening.”
David E. Sanger contributed reporting from Washington.
Some Victims of Online Hacking Edge Into the Light, NYT, 20.2.2013,
http://www.nytimes.com/2013/02/21/technology/hacking-victims-edge-into-light.html
China’s Cybergames
February 19, 2013
The New York Times
Washington has not had much success persuading Beijing to rein in its hackers even though
American officials and security experts have long known that China is the main
source of cyberattacks on the United States. Two recent developments, however,
should raise the political costs for China and may cause it to alter its
calculus. Refusal to change its conduct could make its relations with the United
States even more difficult than they are.
On Tuesday, a new report from Mandiant, an American computer security firm,
publicly documented an explicit link between Chinese hackers and the People’s
Liberation Army. The report cites a growing body of digital forensic evidence
that most of the attacks on American corporations, organizations and government
agencies originate in and around a 12-story office tower on the outskirts of
Shanghai that is the headquarters of P.L.A. Unit 61398.
Mandiant tracked individual members of the most sophisticated of the Chinese
hacking groups, known as “Comment Crew” or “Shanghai Group,” to the headquarters
of the military unit, which is central to China’s computer espionage operations.
It followed “Comment Crew” for six years, monitoring 141 attacks by looking at
Web domains, malware, Internet protocol addresses and embedded codes.
Reporters for The Times confirmed the evidence contained in the report with
American intelligence officials who say they have tapped into the activity of
the army unit for years.
Chinese officials denounced the report, but their reaction was hardly a denial.
“Hacking attacks are transnational and anonymous. Determining their origins are
extremely difficult. We don’t know how the evidence in this so-called report can
be tenable,” said Hong Lei, a Foreign Ministry spokesman.
In a second development that could further raise the stakes for Beijing,
Washington decided to share with American Internet providers and antivirus
vendors information about the unique signatures of the largest of the Chinese
groups, including those originating from the area where Unit 61398 is based. The
government warnings will not link the hackers and their computers to the Chinese
Army per se, but the effects will be felt when the hackers and computers are
denied access to American networks, as many of the Internet providers and
antivirus vendors are expected to do.
American officials are increasingly concerned about cyberattacks intended not
just to steal corporate secrets but also, as President Obama said in his recent
State of the Union address, to “sabotage our power grid, our financial
institutions, our air traffic control systems.”
As a defensive measure, Mr. Obama last week signed an executive order promoting
increased information-sharing about cyberthreats between the government and
private companies that oversee the country’s critical infrastructure, including
its electrical power grid, gas lines and waterworks. Congress still has not
acted on legislation setting minimum requirements for how this infrastructure
should be protected. A reasonably strong bill offered in the Senate last summer
has been stymied by objections from some legislators that it would be too
intrusive. So far, Mr. Obama has chosen not to have a public collision with
China. He and his aides have largely raised their concerns in private. But
patience is wearing thin as China-emanated attacks have grown and the
administration pursues a more aggressive response.
China and the United States have to cooperate on numerous international security
issues. But that won’t happen if they end up in a cyberwar. Publicizing China’s
transgressions and blocking Internet access to hackers should be a warning to
Beijing. Washington is right to defend its interests. But the two nations need
to take the lead in negotiating new international understandings about what
constitutes cyberaggression and how governments should respond.
China’s Cybergames, NYT, 19.2.2013,
http://www.nytimes.com/2013/02/20/opinion/chinas-cybergames.html
The Trouble With Online College
February 18, 2013
The New York Times
Stanford University ratcheted up interest in online education when a pair of
celebrity professors attracted more than 150,000 students from around the world
to a noncredit, open enrollment course on artificial intelligence. This
development, though, says very little about what role online courses could have
as part of standard college instruction. College administrators who dream of
emulating this strategy for classes like freshman English would be irresponsible
not to consider two serious issues.
First, student attrition rates — around 90 percent for some huge online courses
— appear to be a problem even in small-scale online courses when compared with
traditional face-to-face classes. Second, courses delivered solely online may be
fine for highly skilled, highly motivated people, but they are inappropriate for
struggling students who make up a significant portion of college enrollment and
who need close contact with instructors to succeed.
Online classes are already common in colleges, and, on the whole, the record is
not encouraging. According to Columbia University’s Community College Research
Center, for example, about seven million students — about a third of all those
enrolled in college — are enrolled in what the center describes as traditional
online courses. These typically have about 25 students and are run by professors
who often have little interaction with students. Over all, the center has
produced nine studies covering hundreds of thousands of classes in two states,
Washington and Virginia. The picture the studies offer of the online revolution
is distressing.
The research has shown over and over again that community college students who
enroll in online courses are significantly more likely to fail or withdraw than
those in traditional classes, which means that they spend hard-earned tuition
dollars and get nothing in return. Worse still, low-performing students who may
be just barely hanging on in traditional classes tend to fall even further
behind in online courses.
A five-year study, issued in 2011, tracked 51,000 students enrolled in
Washington State community and technical colleges. It found that those who took
higher proportions of online courses were less likely to earn degrees or
transfer to four-year colleges. The reasons for such failures are well known.
Many students, for example, show up at college (or junior college) unprepared to
learn, unable to manage time and having failed to master basics like math and
English.
Lacking confidence as well as competence, these students need engagement with
their teachers to feel comfortable and to succeed. What they often get online is
estrangement from the instructor who rarely can get to know them directly.
Colleges need to improve online courses before they deploy them widely.
Moreover, schools with high numbers of students needing remedial education
should consider requiring at least some students to demonstrate success in
traditional classes before allowing them to take online courses.
Interestingly, the center found that students in hybrid classes — those that
blended online instruction with a face-to-face component — performed as well
academically as those in traditional classes. But hybrid courses are rare, and
teaching professors how to manage them is costly and time-consuming.
The online revolution offers intriguing opportunities for broadening access to
education. But, so far, the evidence shows that poorly designed courses can
seriously shortchange the most vulnerable students.
The Trouble With Online College, NYT, 18.2.2013,
http://www.nytimes.com/2013/02/19/opinion/the-trouble-with-online-college.html
Chinese Army Unit Is Seen as Tied to Hacking Against U.S.
February 18, 2013
The New York Times
By DAVID E. SANGER, DAVID BARBOZA and NICOLE PERLROTH
On the outskirts of Shanghai, in a run-down neighborhood dominated by a 12-story white
office tower, sits a People’s Liberation Army base for China’s growing corps of
cyberwarriors.
The building off Datong Road, surrounded by restaurants, massage parlors and a
wine importer, is the headquarters of P.L.A. Unit 61398. A growing body of
digital forensic evidence — confirmed by American intelligence officials who say
they have tapped into the activity of the army unit for years — leaves little
doubt that an overwhelming percentage of the attacks on American corporations,
organizations and government agencies originate in and around the white tower.
An unusually detailed 60-page study, to be released Tuesday by Mandiant, an
American computer security firm, tracks for the first time individual members of
the most sophisticated of the Chinese hacking groups — known to many of its
victims in the United States as “Comment Crew” or “Shanghai Group” — to the
doorstep of the military unit’s headquarters. The firm was not able to place the
hackers inside the 12-story building, but makes a case there is no other
plausible explanation for why so many attacks come out of one comparatively
small area.
“Either they are coming from inside Unit 61398,” said Kevin Mandia, the founder
and chief executive of Mandiant, in an interview last week, “or the people who
run the most-controlled, most-monitored Internet networks in the world are
clueless about thousands of people generating attacks from this one
neighborhood.”
Other security firms that have tracked “Comment Crew” say they also believe the
group is state-sponsored, and a recent classified National Intelligence
Estimate, issued as a consensus document for all 16 of the United States
intelligence agencies, makes a strong case that many of these hacking groups are
either run by army officers or are contractors working for commands like Unit
61398, according to officials with knowledge of its classified content.
Mandiant provided an advance copy of its report to The New York Times, saying it
hoped to “bring visibility to the issues addressed in the report.” Times
reporters then tested the conclusions with other experts, both inside and
outside government, who have examined links between the hacking groups and the
army. (Mandiant was hired by The New York Times Company to investigate a
sophisticated Chinese-origin attack on its news operations, but concluded it was
not the work of Comment Crew, but another Chinese group. The firm is not
currently working for the Times Company but it is in discussions about a
business relationship.)
While Comment Crew has drained terabytes of data from companies like Coca-Cola,
increasingly its focus is on companies involved in the critical infrastructure
of the United States — its electrical power grid, gas lines and waterworks.
According to the security researchers, one target was a company with remote
access to more than 60 percent of oil and gas pipelines in North America. The
unit was also among those that attacked the computer security firm RSA, whose
computer codes protect confidential corporate and government databases.
Contacted Monday, officials at the Chinese embassy in Washington again insisted
that their government does not engage in computer hacking, and that such
activity is illegal. They describe China itself as a victim of computer hacking,
and point out, accurately, that there are many hacking groups inside the United
States. But in recent years the Chinese attacks have grown significantly,
security researchers say. Mandiant has detected more than 140 Comment Crew
intrusions since 2006. American intelligence agencies and private security firms
that track many of the 20 or so other Chinese groups every day say those groups
appear to be contractors with links to the unit.
While the unit’s existence and operations are considered a Chinese state secret,
Representative Mike Rogers of Michigan, the Republican chairman of the House
Intelligence Committee, said in an interview that the Mandiant report was
“completely consistent with the type of activity the Intelligence Committee has
been seeing for some time.”
The White House said it was “aware” of the Mandiant report, and Tommy Vietor,
the spokesman for the National Security Council, said, “We have repeatedly
raised our concerns at the highest levels about cybertheft with senior Chinese
officials, including in the military, and we will continue to do so.”
The United States government is planning to begin a more aggressive defense
against Chinese hacking groups, starting on Tuesday. Under a directive signed by
President Obama last week, the government plans to share with American Internet
providers information it has gathered about the unique digital signatures of the
largest of the groups, including Comment Crew and others emanating from near
where Unit 61398 is based.
But the government warnings will not explicitly link those groups, or the giant
computer servers they use, to the Chinese army. The question of whether to
publicly name the unit and accuse it of widespread theft is the subject of
ongoing debate.
“There are huge diplomatic sensitivities here,” said one intelligence official,
with frustration in his voice.
But Obama administration officials say they are planning to tell China’s new
leaders in coming weeks that the volume and sophistication of the attacks have
become so intense that they threaten the fundamental relationship between
Washington and Beijing.
The United States government also has cyberwarriors. Working with Israel, the
United States has used malicious software called Stuxnet to disrupt Iran’s
uranium enrichment program. But government officials insist they operate under
strict, if classified, rules that bar using offensive weapons for nonmilitary
purposes or stealing corporate data.
The United States finds itself in something of an asymmetrical digital war with
China. “In the cold war, we were focused every day on the nuclear command
centers around Moscow,” one senior defense official said recently. “Today, it’s
fair to say that we worry as much about the computer servers in Shanghai.”
A Shadowy Unit
Unit 61398 — formally, the 2nd Bureau of the People’s Liberation Army’s General
Staff Department’s 3rd Department — exists almost nowhere in official Chinese
military descriptions. Yet intelligence analysts who have studied the group say
it is the central element of Chinese computer espionage. The unit was described
in 2011 as the “premier entity targeting the United States and Canada, most
likely focusing on political, economic, and military-related intelligence” by
the Project 2049 Institute, a nongovernmental organization in Virginia that
studies security and policy issues in Asia.
While the Obama administration has never publicly discussed the Chinese unit’s
activities, a secret State Department cable written the day before Barack Obama
was elected president in November 2008 described at length American concerns
about the group’s attacks on government sites. (At the time American
intelligence agencies called the unit “Byzantine Candor,” a code word dropped
after the cable was published by WikiLeaks.)
The Defense Department and the State Department were particular targets, the
cable said, describing how the group’s intruders send e-mails, called
“spearphishing” attacks, that placed malware on target computers once the
recipient clicked on them. From there, they were inside the systems.
American officials say that a combination of diplomatic concerns and the desire
to follow the unit’s activities have kept the government from going public. But
Mandiant’s report is forcing the issue into public view.
For more than six years, Mandiant tracked the actions of Comment Crew, so named
for the attackers’ penchant for embedding hidden code or comments into Web
pages. Based on the digital crumbs the group left behind — its attackers have
been known to use the same malware, Web domains, Internet protocol addresses,
hacking tools and techniques across attacks — Mandiant followed 141 attacks by
the group, which it called “A.P.T. 1” for Advanced Persistent Threat 1.
“But those are only the ones we could easily identify,” said Mr. Mandia. Other
security experts estimate that the group is responsible for thousands of
attacks.
As Mandiant mapped the Internet protocol addresses and other bits of digital
evidence, it all led back to the edges of Pudong district of Shanghai, right
around the Unit 61398 headquarters. The group’s report, along with 3,000
addresses and other indicators that can be used to identify the source of
attacks, concludes “the totality of the evidence” leads to the conclusion that
“A.P.T. 1 is Unit 61398.”
Mandiant discovered that two sets of I.P. addresses used in the attacks were
registered in the same neighborhood as Unit 61398’s building.
“It’s where more than 90 percent of the attacks we followed come from,” said Mr.
Mandia.
The only other possibility, the report concludes with a touch of sarcasm, is
that “a secret, resourced organization full of mainland Chinese speakers with
direct access to Shanghai-based telecommunications infrastructure is engaged in
a multiyear enterprise-scale computer espionage campaign right outside of Unit
61398’s gates.”
The most fascinating elements of the Mandiant report follow the
keystroke-by-keystroke actions of several of the hackers who the firm believes
work for the P.L.A. Mandiant tracked their activities from inside the computer
systems of American companies they were invading. The companies had given
Mandiant investigators full access to rid them of the Chinese spies.
One of the most visible hackers it followed is UglyGorilla, who first appeared
on a Chinese military forum in January 2004, asking whether China has a “similar
force” to the “cyber army” being set up by the American military.
By 2007 UglyGorilla was turning out a suite of malware with what the report
called a “clearly identifiable signature.” Another hacker, called “DOTA” by
Mandiant, created e-mail accounts that were used to plant malware. That hacker
was tracked frequently using a password that appeared to be based on his
military unit’s designation. DOTA and UglyGorilla both used the same I.P.
addresses linked back to Unit 61398’s neighborhood.
Mandiant discovered several cases in which attackers logged into their Facebook
and Twitter accounts to get around China’s firewall that blocks ordinary
citizens’ access, making it easier to track down their real identities.
Mandiant also discovered an internal China Telecom memo discussing the
state-owned telecom company’s decision to install high-speed fiber-optic lines
for Unit 61398’s headquarters.
China’s defense ministry has denied that it is responsible for initiating
attacks. “It is unprofessional and groundless to accuse the Chinese military of
launching cyberattacks without any conclusive evidence,” it said last month, one
of the statements that prompted Mandiant to make public its evidence.
Escalating Attacks
Mandiant believes Unit 61398 conducted sporadic attacks on American corporate
and government computer networks; the earliest it found was in 2006. Two years
ago the numbers spiked. Mandiant discovered some of the intrusions were
long-running. On average the group would stay inside a network, stealing data
and passwords, for a year; in one case it had access for four years and 10
months.
Mandiant has watched the group as it has stolen technology blueprints,
manufacturing processes, clinical trial results, pricing documents, negotiation
strategies and other proprietary information from more than 100 of its clients,
mostly in the United States. Mandiant identified attacks on 20 industries, from
military contractors to chemical plants, mining companies and satellite and
telecommunications corporations.
Mandiant’s report does not name the victims, who usually insist on anonymity. A
2009 attack on Coca-Cola coincided with the beverage giant’s failed attempt to
acquire the China Huiyuan Juice Group for $2.4 billion, according to people with
knowledge of the results of the company’s investigation.
As Coca-Cola executives were negotiating what would have been the largest
foreign purchase of a Chinese company, Comment Crew was busy rummaging through
their computers in an apparent effort to learn more about Coca-Cola’s
negotiation strategy.
The attack on Coca-Cola began, like hundreds before it, with a seemingly
innocuous e-mail to an executive that was, in fact, a spearphishing attack. When
the executive clicked on a malicious link in the e-mail, it gave the attackers a
foothold inside Coca-Cola’s network. From inside, they sent confidential company
files through a maze of computers back to Shanghai, on a weekly basis,
unnoticed.
Two years later, Comment Crew was one of at least three Chinese-based groups to
mount a similar attack on RSA, the computer security company owned by EMC, a
large technology company. It is best known for its SecurID token, carried by
employees at United States intelligence agencies, military contractors and many
major companies. (The New York Times also uses the firm’s tokens to allow access
to its e-mail and production systems remotely.) RSA has offered to replace
SecurID tokens for customers and said it had added new layers of security to its
products.
As in the Coca-Cola case, the attack began with a targeted, cleverly fashioned
poisoned e-mail to an RSA employee. Two months later, hackers breached Lockheed
Martin, the nation’s largest defense contractor, partly by using the information
they gleaned from the RSA attack.
Mandiant is not the only private firm tracking Comment Crew. In 2011, Joe
Stewart, a Dell SecureWorks researcher, was analyzing malware used in the RSA
attack when he discovered that the attackers had used a hacker tool to mask
their true location.
When he reverse-engineered the tool, he found that the vast majority of stolen
data had been transferred to the same range of I.P. addresses that Mandiant
later identified in Shanghai.
Dell SecureWorks says it believes Comment Crew includes the same group of
attackers behind Operation Shady RAT, an extensive computer espionage campaign
uncovered in 2011 in which more than 70 organizations over a five-year period,
including the United Nations, government agencies in the United States, Canada,
South Korea, Taiwan and Vietnam were targeted.
Infrastructure at Risk
What most worries American investigators is that the latest set of attacks
believed coming from Unit 61398 focus not just on stealing information, but
obtaining the ability to manipulate American critical infrastructure: the power
grids and other utilities.
Staff at Digital Bond, a small security firm that specializes in those
industrial-control computers, said that last June Comment Crew unsuccessfully
attacked it. A part-time employee at Digital Bond received an e-mail that
appeared to come from his boss, Dale Peterson. The e-mail, in perfect English,
discussed security weaknesses in critical infrastructure systems, and asked the
employee to click a link to a document for more information. Mr. Peterson caught
the e-mail and shared it with other researchers, who found the link contained a
remote-access tool that would have given the attackers control over the
employee’s computer and potentially given them a front-row seat to confidential
information about Digital Bond’s clients, which include a major water project, a
power plant and a mining company.
Jaime Blasco, a security researcher at AlienVault, analyzed the computer servers
used in the attack, which led him to other victims, including the Chertoff
Group. That firm, headed by the former secretary of the Department of Homeland
Security, Michael Chertoff, has run simulations of an extensive digital attack
on the United States. Other attacks were made on a contractor for the National
Geospatial-Intelligence Agency, and the National Electrical Manufacturers
Association, a lobbying group that represents companies that make components for
power grids. Those organizations confirmed they were attacked but have said they
prevented attackers from gaining access to their network.
Mr. Blasco said that, based on the forensics, all the victims had been hit by
Comment Crew. But the most troubling attack to date, security experts say, was a
successful invasion of the Canadian arm of Telvent. The company, now owned by
Schneider Electric, designs software that gives oil and gas pipeline companies
and power grid operators remote access to valves, switches and security systems.
Telvent keeps detailed blueprints on more than half of all the oil and gas
pipelines in North and South America, and has access to their systems. In
September, Telvent Canada told customers that attackers had broken into its
systems and taken project files. That access was immediately cut, so that the
intruders could not take command of the systems.
Martin Hanna, a Schneider Electric spokesman, did not return requests for
comment, but security researchers who studied the malware used in the attack,
including Mr. Stewart at Dell SecureWorks and Mr. Blasco at AlienVault,
confirmed that the perpetrators were the Comment Crew.
“This is terrifying because — forget about the country — if someone hired me and
told me they wanted to have the offensive capability to take out as many
critical systems as possible, I would be going after the vendors and do things
like what happened to Telvent,” Mr. Peterson of Digital Bond said. “It’s the
holy grail.”
Mr. Obama alluded to this concern in the State of the Union speech, without
mentioning China or any other nation. “We know foreign countries and companies
swipe our corporate secrets,” he said. “Now our enemies are also seeking the
ability to sabotage our power grid, our financial institutions, our air-traffic
control systems. We cannot look back years from now and wonder why we did
nothing.”
Mr. Obama faces a vexing choice: In a sprawling, vital relationship with China,
is it worth a major confrontation between the world’s largest and second largest
economy over computer hacking?
A few years ago, administration officials say, the theft of intellectual
property was an annoyance, resulting in the loss of billions of dollars of
revenue. But clearly something has changed. The mounting evidence of state
sponsorship, the increasing boldness of Unit 61398, and the growing threat to
American infrastructure are leading officials to conclude that a far stronger
response is necessary.
“Right now there is no incentive for the Chinese to stop doing this,” said Mr.
Rogers, the House intelligence chairman. “If we don’t create a high price, it’s
only going to keep accelerating.”
Chinese Army Unit Is Seen as Tied to Hacking Against U.S., NYT, 18.2.2013,
http://www.nytimes.com/2013/02/19/technology/chinas-army-is-seen-as-tied-to-hacking-against-us.html
Facebook Says Hackers Breached Its Computers
February 15, 2013
6:22 pm
The New York Times
By NICOLE PERLROTH and NICK BILTON
Facebook admitted that it was breached by sophisticated hackers in recent weeks, two
weeks after Twitter made a similar admission. Both Facebook and Twitter were
breached through a well-publicized vulnerability in Oracle's Java software.
In a blog post late Friday afternoon, Facebook said it was attacked when a
handful of its employees visited a compromised site for mobile developers.
Simply by visiting the site, their computers were infected with malware. The
company said that as soon as it discovered the malware, it cleaned up the
infected machines and tipped off law enforcement.
"We have found no evidence that Facebook user data was compromised," Facebook
said.
On Feb. 1, Twitter said hackers had breached its systems and potentially
accessed the data of 250,000 Twitter users. The company suggested at that time
that it was one of several companies and organizations to have been similarly
attacked.
Facebook has known about its own breach for at least a month, according to
people close to the investigation, but it was unclear why the company waited
this long to announce it. Fred Wolens, a Facebook spokesman, declined to
comment.
Like Twitter, Facebook said it believed that it was one of several organizations
that were targeted by the same group of attackers.
"Facebook was not alone in this attack," the company said in its blog post. "It
is clear that others were attacked and infiltrated recently as well."
The attacks add to the mounting evidence that hackers were able to use the
security hole in Oracle's Java software to steal information from a broad range
of companies. Java, a widely used programming language, is installed on more
than three billion devices. It has long been hounded by security problems.
Last month, after a security researcher exposed a serious vulnerability in the
software, the Department of Homeland Security issued a rare alert that warned
users to disable Java on their computers. The vulnerability was particularly
disconcerting because it let attackers download a malicious program onto its
victims' machines without any prompting. Users did not even have to click on a
malicious link for their computers to be infected. The program simply downloaded
itself.
After Oracle initially patched the security hole in January, the Department of
Homeland Security said that the fix was not sufficient and recommended that,
unless "absolutely necessary", users should disable it on their computers
completely. Oracle did not issue another fix until Feb. 1.
Social networks are a prime target for hackers, who look to use people's
personal data and social connections in what are known as "spearphishing"
attacks. In this type of attack, a target is sent an e-mail, ostensibly from a
connection, containing a malicious link or attachment. Once the link is clicked
or attachment opened, attackers take control of a user's computer. If the
infected computer is inside a company's system, the attackers are able to gain a
foothold. In many cases, they then extract passwords and gain access to
sensitive data.
Facebook said in its blog post that the updated patch addressed the
vulnerability that allowed hackers to access its employees' computers.
Hackers have been attacking organizations inside the United States at an
alarming rate. The number of attacks reported by government agencies last year
topped 48,500 - a ninefold jump from the 5,500 attacks reported in 2006,
according to the Government Accountability Office.
In the last month alone, The New York Times, The Wall Street Journal and The
Washington Post all confirmed that they were targets of sophisticated hackers.
But security experts say that these attacks are just the tip of the iceberg.
A common saying among security experts is that there are now only two types of
American companies: Those that have been hacked and those that don't know
they've been hacked.
Facebook Says Hackers Breached Its Computers, NYT, 15.2.2013,
http://bits.blogs.nytimes.com/2013/02/15/facebook-admits-it-was-hacked/
Keeping an Eye on Bouncing Prices Online
January 27, 2013
The New York Times
By STEPHANIE CLIFFORD
Jen Hughes used to have the time to hunt for online coupon codes and refresh her Web
browser to see if the clothes she wanted had gone on sale yet. But after she had
her first child, she said, trying to track e-commerce prices had to go.
“I spend my day chasing my daughter around, so I don’t have the luxury of
sitting at my computer,” said Ms. Hughes, 29, of Reading, Mass. Many sites “have
sales every other day, but I don’t have time to go on and see if the things I
actually want have made it onto the sale yet.”
Now she doesn’t have to.
With retailers’ Internet prices now changing more often — sometimes several
times within the space of a day — a new group of tools is helping shoppers
outwit the stores. Rather than requiring shoppers to do the work by entering an
item into price-comparison engines throughout the day, the tools automatically
scan for price changes and alert customers when the price drops.
Some tools, including one from Citibank’s Citi Card, even scour sites for lower
prices after a purchase and help customers get a refund for any price
difference.
Web sites that help shoppers compare prices and track online deals have existed
as long as e-commerce itself. But rapid changes in pricing at many major
retailers have made it more difficult for shoppers to keep on top of it all.
The research company Dynamite Data, which follows prices on behalf of retailers
and brands, tracked hundreds of holiday products at major retailers in 2011 and
2012. During a two-week period around Thanksgiving, Amazon and Sears were
changing prices on about a quarter of those products daily, a significant
increase from the previous year. Walmart, Toys “R” Us, Kmart and Best Buy also
changed prices more frequently in 2012.
Even the Web browser a customer uses can make a difference. The Web site Digital
Folio, which shows consumers price changes, did side-by-side comparisons of
televisions. On Newegg using the Chrome browser, the firm was offered a $997
price on a Samsung television. Using Firefox and Internet Explorer, the price
was $1,399.
The firm found a difference on another Samsung television model at Walmart.com,
where using Firefox yielded a $199 price and Chrome and Internet Explorer $168.
“A lot of times the price will have a big difference on consumer behavior,” said
Larry S. Freed, chief executive of ForeSee, which analyzes customer experiences.
One of the new price-tracking tools is Hukkster, introduced last year by two
former J. Crew merchants. It asks shoppers to install a “hukk it” button on
their browsers. Then, when a shopper sees an item she likes, she clicks the
button, chooses the color, size and discount she is interested in, tells
Hukkster to alert her when the price drops, and waits for an e-mail to that
effect.
“We wanted a way to know, on a specific style we want, when it goes on sale,”
said a co-founder, Erica Bell. Hukkster also looks for coupon codes that apply
to specific items, so a J. Crew nightshirt that was originally $128 came out to
$62.99 after a site markdown combined with a 30 percent discount code that
Hukkster found.
Currently, Hukkster makes money from referral traffic — it is paid a fee when
shoppers buy something via a link from its e-mails. The founders say they are
approaching retailers about ways of working with them by, for instance, offering
personalized discounts based on shoppers’ “hukks.”
“Retailers are forced to do, say, 30 percent off all sweaters when what they’re
really trying to move is the green merino sweater. This provides them the option
to do that on a one-to-one basis,” a co-founder, Katie Finnegan, said.
Ms. Hughes, the Massachusetts mother, “hukks” items in specific sizes and
colors, and then waits for the notification, like one on a Boden sweater she
recently bought for her daughter.
“Now, of course, I’m hukking everything under the sun, including diapers, which
I don’t think is their target audience,” she said.
Digital Folio charts the 30-day price history on electronics items at a number
of retailers so shoppers can see not only where the lowest price is, but also
whether that price might go lower still.
Rather than coming back to the site each time they want to check a product,
shoppers can use Digital Folio as a sidebar in the browser. As a shopper pokes
around Amazon’s electronics section, for example, the sidebar lists live
comparison pricing for the products.
Alerts can give shoppers a competitive edge, said Patrick Carter, president of
Digital Folio. He gave the example of a Nikon L26 camera: Amazon was out of
stock, but at 10 p.m. one evening, it got the cameras back in stock at a reduced
price. By the next morning, Amazon was out of stock again. “You get the alert
and you get in on the feeding frenzy,” he said.
Decide.com, which offers price alerts and predictions about where prices are
going, recently introduced a price guarantee. If shoppers become a Decide.com
member for $4.99 a month and follow Decide’s recommendations to buy something,
Decide will refund the difference if it finds a lower price within two weeks of
the purchase.
Retailers generally appreciate the sales traffic generated by the tracking tools
and do not try to block them even if that means some customers will reap extra
discounts.
In some cases, retailers are even changing their practices to adapt to the new
landscape. Target, for example, announced this month that it would match prices
from online competitors like Amazon, extending a promotion it tried during the
holidays.
Even banks see a potential role for themselves as price monitors. Citibank
recently added a feature to its consumer credit cards that gives customers a
refund when it finds a lower price on an item within 30 days of purchase.
“Everyone can relate to the buyer’s remorse of buying an item and seeing it for
a lower price a day or a couple of days later,” said Jud Linville, chief
executive of Citi Cards.
For Citi, the idea is to get consumers using their Citi cards rather than
competitors’ cards on big purchases, Mr. Linville said. Consumers must register
the purchase online, and there is a long list of exclusions (live animals don’t
qualify, nor do antiques, boats or airline tickets).
The price difference must be $25 or more, and Citi searches the retailers’ sites
itself. When Citi finds a big enough difference, it e-mails the consumer, asks
for a receipt and then mails a check for the difference.
Mr. Linville said about a quarter of purchases over $100 that had been
registered so far got a refund, and almost 40 percent of those over $1,000. Some
eligible items included a Whirlpool washer, a DKNY suit and a Canon Rebel
camera. On average, said a Citi spokeswoman, those who register items get back
$80 an item.
While those budget-conscious shoppers are clearly interested in buying, they may
not be the type of long-term customers that retailers want to cultivate, said
Mr. Freed of ForeSee.
Shoppers who are not price-sensitive, he said, “are the consumers they really
want, that they can build loyalty out of — not the consumers that are strictly
taking a deal.”
Keeping an Eye on Bouncing Prices Online, NYT, 27.1.2013,
http://www.nytimes.com/2013/01/28/business/new-online-price-trackers-alert-shoppers-to-good-deals.html
Search Option From Facebook Is Privacy Test
January 18, 2013
The New York Times
By SOMINI SENGUPTA and CLAIRE CAIN MILLER
SAN FRANCISCO — Facebook’s greatest triumph has been to persuade a seventh of the
world’s population to share their personal lives online.
Now the social network is taking on its archrival, Google, with a search tool to
mine that personal information, just as people are growing more cautious about
sharing on the Internet and even occasionally removing what they have already
put up.
Whether Facebook’s more than one billion users will continue to divulge even
more private details will determine whether so-called social search is the next
step in how we navigate the online world. It will also determine whether
Facebook has found a business model that will make it a lot of money.
“There’s a big potential upside for both Facebook and users, but getting people
to change their behaviors in relation to what they share will not be easy,” said
Andrew T. Stephen, who teaches marketing at the University of Pittsburgh and
studies consumer behavior on online social networks.
This week, Facebook unveiled its search tool, which it calls graph search, a
reference to the network of friends its users have created. The company’s
algorithms will filter search results for each person, ranking the friends and
brands that it thinks a user would trust the most. At first, it will mine users’
interests, photos, check-ins and “likes,” but later it will search through other
information, including status updates.
“While the usefulness of graph search increases as people share more about their
favorite restaurants, music and other interests, the product doesn’t hinge on
this,” a Facebook spokesman, Jonathan Thaw, said.
Nevertheless, the company engineers who created the tool — former Google
employees — say that the project will not reach its full potential if Facebook
data is “sparse,” as they call it. But the company is confident people will
share more data, be it the movies they watch, the dentists they trust or the
meals that make their mouths water.
The things people declare on Facebook will be useful, when someone searches for
those interests, Tom Stocky, one of the creators of Facebook search, said in an
interview this week. Conversely, by liking more things, he said, people will
become more useful in the eyes of their friends.
“You might be inclined to ‘like’ what you like so when your friends search,
they’ll find it,” he said. “I probably would never have liked my dentist on
Facebook before, but now I do because it’s a way of letting my friends know.”
Mr. Stocky offered these examples of how more information may be desirable: A
single man may want to be discovered when a friend of a friend is searching for
eligible bachelors in San Francisco or a restaurant that stays open late may
want to be found by a night owl.
“People have shared all this great stuff on Facebook,” Mr. Stocky said. “It’s
latent value. We wanted a way to unlock that.”
Independent studies suggest that Facebook users are becoming more careful about
how much they reveal online, especially since educators and employers typically
scour Facebook profiles.
A Northwestern University survey of 500 young adults in the summer of 2012 found
that the majority avoided posting status updates because they were concerned
about who would see them. The study also found that many had deleted or blocked
contacts from seeing their profiles and nearly two-thirds had untagged
themselves from a photo, post or check-in.
“These behavioral patterns seem to suggest that many young adults are less keen
on sharing at least certain details about their lives rather than more,” said
Eszter Hargittai, an associate professor of communication studies at
Northwestern, who led the yet unpublished study among men and women aged 21 and
22.
Also last year, the Pew Internet Center found that social network users,
including those on Facebook, were more aggressively pruning their profiles —
untagging photos, removing friends and deleting comments.
Graph search is something of a coming-of-age moment for social search. Companies
from Google to Yelp to TripAdvisor to small start-ups like Hunch have all tried
to make search more social, by providing personal answers from people you know
and not just links to Web sites, in an effort to bring word-of-mouth
recommendations online. Bing, which has a partnership with Facebook, announced
this week that it would add more social recommendations to standard Web links in
search queries.
But no company has tried social search on Facebook’s scale.
“This is a watershed moment,” said Oren Etzioni, a computer science professor at
the University of Washington and a co-founder of the price comparison site
Decide.com.
“There have been other attempts at social search,” he continued, “but it’s the
scale at which Facebook operates, especially once they fully index everything
we’ve said or say or like.”
Facebook’s social search is also a step forward in a new type of Web search, one
in which Google has made great strides. Engineers call it structured or semantic
search, which means search engines that understand how people, places and things
relate to one another, and not just key words.
Graph search holds great value for advertisers seeking to target more precise
audiences — like mothers in their 30s who listen to hip-hop and run marathons —
and advertising remains Facebook’s principal source of profit. Additionally, the
more data people share and search for, the longer they are glued to the site.
But the company is aware of concerns about privacy. When announcing the tool, it
took pains to point out that it would respect users’ privacy. If people do not
want an embarrassing photograph to be ferreted out by a potential employer, for
instance, they can make it visible only to those who have been winnowed down as
“close friends.”
Users have been encouraged to check their privacy settings in order to fine-tune
whom they wish to share with. At the same time, Facebook eliminated a
longstanding option that users enjoyed: if someone is searching for them, they
will no longer be able to remain obscure.
Still, some Facebook users may be skeptical. Jana Uyeda, 35, a photographer and
social media consultant in Seattle, said, “I love my friends, but sometimes
their taste in restaurants is terrible.”
Like the subjects of the Northwestern study, Ms. Uyeda said she was not so sure
she wanted to reveal more. “I’m slowly trying to close down the doors on
Facebook, instead of opening myself up,” she said.
Ms. Uyeda added, “There would have to be a lot of other incentives, and I don’t
even know what that would be, in order for me to add more information about
myself and be more open.”
Search Option From Facebook Is Privacy Test, NYT, 18.1.2013,
http://www.nytimes.com/2013/01/19/technology/with-graph-search-facebook-bets-on-more-sharing.html
Google Gains From Creating Apps for the Opposition
January 13, 2013
The New York Times
By NICK WINGFIELD and CLAIRE CAIN MILLER
For many people, smartphone shopping comes down to a choice of Apple’s iPhone or
one powered by Google’s Android software.
But now consumers can get an iPhone and fill it with Google.
Google has become one of the most prolific and popular developers of apps for
the iPhone, in effect helping its competitor make more appealing products — even
as relations between the companies have deteriorated.
While some of its Internet services were built into the iPhone from the start,
Google has stepped up its presence in the last eight months, pumping out major
new iPhone apps or improving old ones. It also has expanded efforts to hire
developers to make more such apps.
A maps app Google released in December has been the most downloaded program for
the iPhone for much of the last month. The company has cranked out a YouTube
app, an iPhone version of its Chrome Web browser and better software for gaining
access to its Gmail service. Two dozen iPhone apps from Google are available on
Apple’s App Store, with variations for the iPad.
Google’s strategy may look self-defeating at first. But analysts and technology
executives say it is simply acknowledging the obvious: that there is an enormous
market of avid iPhone users it wants to reach, an audience that is a target for
ads and that can yield a bonanza of data that will allow Google to improve the
online products that produce much of its profits.
Google’s support for the iPhone also looks like a win for Apple, which, after
all, makes money when it sells an iPhone that is used to gain access to Google
services.
But potential risks lie in Google’s growing presence on Apple’s devices,
especially when it comes to apps that replace basic functions like Web browsing,
maps and e-mail.
IPhone users who spend much of their time in Google apps could deprive Apple of
valuable data it needs to improve its own online services like maps. And those
apps could help Google build a deeper connection with users that makes them more
likely to switch entirely to Android smartphones later.
“The best way to recruit users to those devices is to get them using the
services,” said Chris Silva, a mobile analyst at Altimeter Group, a tech
industry research business. “Find them where they are, get them using the
services and ramp them up so when they have devices equivalent to the iPhone,
they are already in the market.”
Stephen Stetelman, a real estate agent in Hattiesburg, Miss., is a prime example
of an iPhone user whose loyalties are divided between Apple and Google. The
first thing Mr. Stetelman, 25, said he did when he got a new iPhone two weeks
ago was to download all of Google’s major apps, including Gmail, Chrome and
Google Maps — all of which he said he considered better than the comparable
Apple apps that came with the phone.
“It’s a little ironic,” Mr. Stetelman said. “But I think honestly the grace of
Apple is in their design and in their hardware. As far as online services and
applications and stuff, I think Google is still top of the line.”
People like Mr. Stetelman make executives at Apple nervous. Early in the iPhone
era, Steven P. Jobs, the company’s former chief executive, who died in October
2011, did not want Apple to approve any apps for the device that replaced its
core functions, one former senior Apple employee said.
Apple executives have long believed that they would need to build up many of the
same services that Google offers to compete long-term in the mobile market,
according to this person, who did not want to be named to avoid jeopardizing
relationships.
Eventually, under scrutiny from federal regulators, Apple softened its stance
and began allowing apps for the iPhone, like Web browsers, that competed with
important built-in apps.
Natalie Kerris, a spokeswoman for Apple, declined to comment for this article.
Apple has moved to reduce the presence of Google services in apps that come
installed on its phones. Last year it removed the YouTube app — one that Apple
created for the earliest iPhones so they would have access to YouTube videos. It
also stopped using Google data to power its mapping application.
Instead, Apple began using its own maps service, which has been widely
criticized for mistakes, including misplaced landmarks and inaccurate addresses.
Timothy D. Cook, Apple’s chief executive, issued a rare apology last September
for its maps product and later shook up the company’s management ranks, in part
because of the problems.
Apple’s decision to stop including Google’s services on its devices forced
Google to quickly ramp up its own software development for Apple’s mobile
operating system, iOS.
While Google had engineers devoted to iOS projects, it had to hire outsiders to
help quickly design a Google Maps app for the iPhone.
That app appears to be a huge hit. Widely praised by technology reviewers,
Google Maps for the iPhone was downloaded more than 10 million times in the 48
hours after its release last December, Jeff Huber, a Google senior vice
president, said in an online post at the time.
Other Google apps are among the most commonly used on the iPhone. Last November
there were 11.8 million unique users of a new Google-created YouTube app for the
iPhone in the United States, and 6.4 million users of its Google Search app,
placing them both in the top 20 list of iPhone apps with the biggest audience,
according to Nielsen.
In October, Google updated its search application for the iPhone with voice
capabilities that more closely resembled those of Siri, the often-maligned
virtual assistant included in the iPhone.
Google also bolstered its efforts last year to hire more iOS developers, many of
whom might be unlikely to consider working for the company because of its focus
on promoting the Android operating system on mobile devices.
Last July, Google bought Sparrow, a Paris-based start-up that made a popular app
for using Gmail on the iPhone, and moved some of its engineers to Silicon
Valley.
Last December, it began posting Web ads to recruit iOS developers, providing a
link to a Q.&A. on the subject with the headline, “Wait, Google has iOS mobile
apps teams?”
Chris Hulbert, a freelance programmer who spent three months working for Google
in Australia last year, wrote a blog post in which he compared working on iOS
apps there to “working behind enemy lines.”
Google said it had not changed its strategy on Apple devices, but rather was
continuing to build apps for all devices.
“Our goal is to make a simple, easy-to-use Google experience available to as
many people as possible,” said Christopher Katsaros, a Google spokesman. “We’ve
developed apps for iOS for some time now, and we’re delighted to see the recent
enthusiasm for them.”
Unlike Apple, Google makes its money not from selling phones but from selling
ads that appear on those phones. So it cares less about which phone a consumer
uses and more about whether that consumer uses Google apps — and shares data
with Google and sees Google ads.
When a consumer uses Chrome on the desktop at work, for instance, then opens the
same tabs and continues using Chrome on phones elsewhere, Google knows much more
about that consumer’s behavior, including the consumer’s location and the
searches. The company’s hunger for such data has, of course, raised privacy
concerns.
Chetan Sharma, an independent mobile analyst, says Google’s focus on iOS should
concern Apple. “It just pushes Apple to up their game in software,” he said.
“They’re kind of behind.”
Google Gains From Creating Apps for the Opposition, NYT, 13.1.2013,
http://www.nytimes.com/2013/01/14/technology/google-gains-from-creating-apps-for-the-opposition.html
A Data Crusader, a Defendant and Now, a Cause
January 13, 2013
The New York Times
By NOAM COHEN
At an afternoon vigil at the Massachusetts Institute of Technology on Sunday,
Aaron Swartz, the 26-year-old technology wunderkind who killed himself on
Friday, was remembered as a great programmer and a provocative thinker by a
handful of students who attended.
And he was recalled as something else, a hero of the free culture movement — a
coalition as varied as Wikipedia contributors, Flickr photographers and online
educators, and prominent figures like Julian Assange, the WikiLeaks founder, and
online vigilantes like Anonymous. They share a belief in using the Internet to
provide easy, open access to the world’s knowledge.
“He’s something to aspire toward,” said Benjamin Hitov, a 23-year-old Web
programmer from Cambridge, Mass., who said he had cried when he learned the news
about Mr. Swartz. “I think all of us would like to be a bit more like him. Most
of us aren’t quite as idealistic as he was. But we still definitely respect
that.”
The United States government has a very different view of Mr. Swartz. In 2011,
he was arrested and accused of using M.I.T.’s computers to gain illegal access
to millions of scholarly papers kept by Jstor, a subscription-only service for
distributing scientific and literary journals.
At his trial, which was to begin in April, he faced the possibility of millions
of dollars in fines and up to 35 years in prison, punishments that friends and
family say haunted him for two years and led to his suicide.
Mr. Swartz was a flash point in the debate over whether information should be
made widely available. On one side were activists like Mr. Swartz and advocacy
groups like the Electronic Frontier Foundation and Students for Free Culture. On
the other were governments and corporations that argued that some information
must be kept private for security or commercial reasons.
After his death, Mr. Swartz has come to symbolize a different debate over how
aggressively governments should pursue criminal cases against people like Mr.
Swartz who believe in “freeing” information.
In a statement, his family said in part: “Aaron’s death is not simply a personal
tragedy. It is the product of a criminal justice system rife with intimidation
and prosecutorial overreach. Decisions made by officials in the Massachusetts
U.S. attorney’s office and at M.I.T. contributed to his death.”
On Sunday evening, M.I.T.’s president, L. Rafael Reif, said he had appointed a
prominent professor, Hal Abelson, to “lead a thorough analysis of M.I.T.’s
involvement from the time that we first perceived unusual activity on our
network in fall 2010 up to the present.” He promised to disclose the report,
adding, “It pains me to think that M.I.T. played any role in a series of events
that have ended in tragedy.”
M.I.T.’s Web site was inaccessible at times on Sunday. Officials there did not
provide a cause, but hackers claimed responsibility.
While Mr. Swartz viewed his making copies of academic papers as an unadulterated
good, spreading knowledge, the prosecutor compared Mr. Swartz’s actions to using
a crowbar to break in and steal someone’s money under the mattress. On Sunday,
she declined to comment on Mr. Swartz’s death out of respect for his family’s
privacy.
The question of how to treat online crimes is still a vexing one, many years
into the existence of the Internet.
Prosecutors have great discretion on what to charge under the Computer Fraud and
Abuse Act, the law cited in Mr. Swartz’s case, and how to value the loss. “The
question in any given case is whether the prosecutor asked for too much, and
properly balanced the harm caused in a particular case with the defendant’s true
culpability,” said Marc Zwillinger, a former federal cybercrimes prosecutor.
The belief that information is power and should be shared freely — which Mr.
Swartz described in a treatise in 2008 — is under considerable legal assault.
The immediate reaction among those sympathetic to Mr. Swartz has been anger and
a vow to soldier on. Young people interviewed on Sunday spoke of the
government’s power to intimidate.
“Using certain people as poster children for deterring others from doing that
same action, ultimately it won’t work,” Jennifer Baek, a third-year student at
New York Law School, said by telephone, referring to Pfc. Bradley Manning, who
has been charged with multiple counts in the leaking of confidential documents,
and Mr. Swartz. Ms. Baek, a member of the board of Students for Free Culture,
said the comments on blogs and discussion boards she had visited since Mr.
Swartz’s death showed that “people aren’t afraid to say this is what the
injustice was.”
The ingredients for trouble perhaps lay in Mr. Swartz’s personal and direct
approach to solving problems. As one mentor, Cory Doctorow of the popular Web
site Boing Boing, wrote in tribute, he was highly impressionable and sought
after and was forgiven by those he worked with and worked for.
A permanent “kid genius,” Mr. Swartz had often put his skills to the task of
making information more accessible. At 14 he was a co-creator of RSS, a tool
that allows online content to be distributed, and then made a tidy sum as one of
the creators of the social-news site Reddit, now part of Condé Nast.
But even before, and certainly after, he crusaded for open access to data. His
projects include a range of influential efforts like the Internet Archive,
Creative Commons, Wikipedia and the Recap collection of legal documents.
He also began more traditional projects for subjects he took an interest in. At
19, he volunteered to upload the archive of a defunct magazine he loved, Lingua
Franca. In 2005, he called up the writer Rick Perlstein to offer to create a Web
page for him after reading a book of his he liked.
“I smelled a hustle, asking him how much it would cost, and he said, no, he
wanted to do it for free,” Mr. Perlstein wrote in The Nation over the weekend.
“I thought: ‘What a loser this guy must be. Someone with nothing better to do.’ ”
Mr. Perlstein writes that he ended up becoming friends, and he sent chapters
of his next book, “Nixonland,” to Mr. Swartz before he showed them to anyone
else.
Mr. Swartz outlined his views in the manifesto: “It’s called stealing or piracy,
as if sharing a wealth of knowledge were the moral equivalent of plundering a
ship and murdering its crew. But sharing isn’t immoral — it’s a moral
imperative. Only those blinded by greed would refuse to let a friend make a
copy.”
And he said the stakes were clear: “We need to take information, wherever it is
stored, make our copies and share them with the world. We need to take stuff
that’s out of copyright and add it to the archive. We need to buy secret
databases and put them on the Web. We need to download scientific journals and
upload them to file sharing networks.”
Still, even many of his allies concede that Mr. Swartz’s passion for free
information may have taken him too far in the Jstor downloads. According to the
government’s indictment, in September 2010 Mr. Swartz broke into a
computer-wiring closet on the M.I.T. campus; when retrieving a computer he
connected, he hid his face behind a bicycle helmet, peeking out through the
ventilation holes. At the time, he was a student at nearby Harvard.
Some would say that perhaps a punishment for trespassing would have been
warranted, but the idea that he could have seen serious prison time was
infuriating. Lawrence Lessig, the Harvard Law professor who founded Creative
Commons to advocate greater sharing of creative material online, called the
prosecution’s case absurd and said that boxing in Mr. Swartz with an aggressive
case and little ability to mount a defense “made it make sense to this brilliant
but troubled boy to end it.”
E.J. Hilbert, a former cybercrimes investigator for the Federal Bureau of
Investigation, said that the broader issues around such activist transgressions
raise many complex questions that are subject to “a lot of discretion from
prosecutors.” He added that the United States Attorney’s Office for the District
of Massachusetts has long been renowned for a particularly aggressive pursuit of
cybercrimes.
Jstor, for its part, declined to pursue the case and posted a note over the
weekend describing Mr. Swartz as “a truly gifted person who made important
contributions to the development of the Internet and the Web from which we all
benefit.”
Michael McCarthy, a 30-year-old animator from Providence who was also at the
M.I.T. vigil, said Mr. Swartz was let down by the university. “If places like
M.I.T. aren’t safe for people to be a little miscreant in their quest for truth
and understanding, then we’re in a lot of trouble,” he said.
It’s unclear how much the impending case contributed to Mr. Swartz’s decision to
take his own life. Years back, he wrote about his struggle with depression in
his blog, Raw Thoughts.
The last post he wrote on that blog, in November, was a detailed analysis of the
final installment of the “Batman” series.
Having warned his readers that he was about to reveal the conclusion of the
movies, he ended the post by writing: “Thus Master Wayne is left without
solutions. Out of options, it’s no wonder the series ends with his staged
suicide.”
Jess Bidgood and Ravi Somaiya contributed reporting.
A Data Crusader, a Defendant and Now, a Cause, NYT, 13.1.2013,
http://www.nytimes.com/2013/01/14/technology/aaron-swartz-a-data-crusader-and-now-a-cause.html
Internet Activist, a Creator of RSS, Is Dead at 26, Apparently a Suicide
January 12, 2013
The New York Times
By JOHN SCHWARTZ
Aaron Swartz, a wizardly programmer who as a teenager helped develop code that
delivered ever-changing Web content to users and who later became a steadfast
crusader to make that information freely available, was found dead on Friday in
his New York apartment.
An uncle, Michael Wolf, said that Mr. Swartz, 26, had apparently hanged himself,
and that a friend of Mr. Swartz’s had discovered the body.
At 14, Mr. Swartz helped create RSS, the nearly ubiquitous tool that allows
users to subscribe to online information. He later became an Internet folk hero,
pushing to make many Web files free and open to the public. But in July 2011, he
was indicted on federal charges of gaining illegal access to JSTOR, a
subscription-only service for distributing scientific and literary journals, and
downloading 4.8 million articles and documents, nearly the entire library.
Charges in the case, including wire fraud and computer fraud, were pending at
the time of Mr. Swartz’s death, carrying potential penalties of up to 35 years
in prison and $1 million in fines.
“Aaron built surprising new things that changed the flow of information around
the world,” said Susan Crawford, a professor at the Cardozo School of Law in New
York who served in the Obama administration as a technology adviser. She called
Mr. Swartz “a complicated prodigy” and said “graybeards approached him with
awe.”
Mr. Wolf said he would remember his nephew, who had written in the past about
battling depression and suicidal thoughts, as a young man who “looked at the
world, and had a certain logic in his brain, and the world didn’t necessarily
fit in with that logic, and that was sometimes difficult.”
The Tech, a newspaper of the Massachusetts Institute of Technology, reported Mr.
Swartz’s death early Saturday.
Mr. Swartz led an often itinerant life that included dropping out of Stanford,
forming companies and organizations, and becoming a fellow at Harvard
University’s Edmond J. Safra Center for Ethics.
He formed a company that merged with Reddit, the popular news and information
site. He also co-founded Demand Progress, a group that promotes online campaigns
on social justice issues — including a successful effort, with other groups, to
oppose a Hollywood-backed Internet piracy bill.
But he also found trouble when he took part in efforts to release information to
the public that he felt should be freely available. In 2008, he took on PACER,
or Public Access to Court Electronic Records, the repository for federal
judicial documents.
The database charges 10 cents a page for documents; activists like Carl Malamud,
the founder of public.resource.org, have long argued that such documents should
be free because they are produced at public expense. Joining Mr. Malamud’s
efforts to make the documents public by posting legally obtained files to the
Internet for free access, Mr. Swartz wrote an elegant little program to download
20 million pages of documents from free library accounts, or roughly 20 percent
of the enormous database.
The government shut down the free library program, and Mr. Malamud feared that
legal trouble might follow even though he felt they had violated no laws. As he
recalled in a newspaper account, “I immediately saw the potential for
overreaction by the courts.” He recalled telling Mr. Swartz: “You need to talk
to a lawyer. I need to talk to a lawyer.”
Mr. Swartz recalled in a 2009 interview, “I had this vision of the feds crashing
down the door, taking everything away.” He said he locked the deadbolt on his
door, lay down on the bed for a while and then called his mother.
The federal government investigated but did not prosecute.
In 2011, however, Mr. Swartz went beyond that, according to a federal
indictment. In an effort to provide free public access to JSTOR, he broke into
computer networks at M.I.T. by means that included gaining entry to a utility
closet on campus and leaving a laptop that signed into the university network
under a false account, federal officials said.
Mr. Swartz turned over his hard drives with 4.8 million documents, and JSTOR
declined to pursue the case. But Carmen M. Ortiz, a United States attorney,
pressed on, saying that “stealing is stealing, whether you use a computer
command or a crowbar, and whether you take documents, data or dollars.”
Founded in 1995, JSTOR, or Journal Storage, is nonprofit, but institutions can
pay tens of thousands of dollars for a subscription that bundles scholarly
publications online. JSTOR says it needs the money to collect and to distribute
the material and, in some cases, subsidize institutions that cannot afford it.
On Wednesday, JSTOR announced that it would open its archives for 1,200 journals
to free reading by the public on a limited basis.
Mr. Malamud said that while he did not approve of Mr. Swartz’s actions at
M.I.T., “access to knowledge and access to justice have become all about access
to money, and Aaron tried to change that. That should never have been considered
a criminal activity.”
Mr. Swartz did not talk much about his impending trial, Quinn Norton, a close
friend, said on Saturday, but when he did, it was clear that “it pushed him to
exhaustion. It pushed him beyond.”
Recent years had been hard for Mr. Swartz, Ms. Norton said, and she
characterized him “in turns tough and delicate.” He had “struggled with chronic,
painful illness as well as depression,” she said, without specifying the
illness, but he was still hopeful “at least about the world.”
Cory Doctorow, a science fiction author and online activist, posted a tribute to
Mr. Swartz on BoingBoing.net, a blog he co-edits. In an e-mail, he called Mr.
Swartz “uncompromising, principled, smart, flawed, loving, caring, and
brilliant.”
“The world was a better place with him in it,” he said.
Mr. Swartz, he noted, had a habit of turning on those closest to him: “Aaron
held the world, his friends, and his mentors to an impossibly high standard —
the same standard he set for himself.” Mr. Doctorow added, however, “It’s a
testament to his friendship that no one ever seemed to hold it against him
(except, maybe, himself).”
In a talk in 2007, Mr. Swartz described having had suicidal thoughts during a
low period in his career. He also wrote about his struggle with depression,
distinguishing it from sadness.
“Go outside and get some fresh air or cuddle with a loved one and you don’t feel
any better, only more upset at being unable to feel the joy that everyone else
seems to feel. Everything gets colored by the sadness.”
When the condition gets worse, he wrote, “you feel as if streaks of pain are
running through your head, you thrash your body, you search for some escape but
find none. And this is one of the more moderate forms.”
Ravi Somaiya contributed reporting.
This article has been revised to reflect the following correction:
Correction: January 12, 2013
An earlier version of this article incorrectly identified the police who
arrested Mr. Swartz, and when they did so. The police were from Cambridge,
Mass., not the Massachusetts Institute of Technology campus force, and the
arrest occurred two years before Mr. Swartz’s suicide, but not two years to the
day.
Internet Activist, a Creator of RSS, Is Dead at 26, Apparently a Suicide, NYT,
12.1.2013,
http://www.nytimes.com/2013/01/13/technology/aaron-swartz-internet-activist-dies-at-26.html
After Immigration Arrests, Online Outcry, and Release
January 11, 2013
The New York Times
By FERNANDA SANTOS
PHOENIX — Immigration agents arrested the mother and brother of a prominent
activist during a raid at her home here late Thursday, unleashing a vigorous
response on social media and focusing new attention on one of the most
controversial aspects of the Obama administration’s policies on deportation.
The agents knocked on Erika Andiola’s door shortly after 9 p.m., asking for her
mother, Maria Arreola.
Ms. Arreola had been stopped by the police in nearby Mesa last year and detained
for driving without a license. Her fingerprints were sent to federal immigration
officials as part of a controversial program called Secure Communities, which
the Obama administration has been trying to expand nationwide.
That routine check revealed that Ms. Arreola had been returned to Mexico in 1998
after she was caught trying to illegally cross the border into Arizona with
Erika and two of her siblings in tow. As a result, she was placed on a priority
list for deportation.
After being seized on Thursday, she could have been sent back to Mexico in a
matter of hours, but Obama administration officials moved quickly to undo the
arrests. Officials had been pressured by the robust response from advocates —
through phone calls, e-mails and online petitions, but primarily on Twitter,
where they mobilized support for Ms. Andiola, a well-known advocate for young
illegal immigrants, under the hashtag #WeAreAndiola.
The reaction offered the Obama administration a taste of what it might expect
when it gets into the thick of the debate over an immigration overhaul, which
Congress is expected to tackle this year. President Obama has already been under
harsh criticism for the number of illegal immigrants deported since he took
office — roughly 400,000 each year, a record unmatched since the 1950s.
Ms. Andiola, 25, posted a tearful video on YouTube shortly after her mother and
brother were handcuffed and driven away. “I need everybody to stop pretending
that nothing is wrong,” she said in the video, “stop pretending that we’re all
just living normal lives, because we’re not. This could happen to any of us
anytime.”
She is the co-founder of the Arizona Dream Act Coalition, one of the groups
pushing for a reprieve for immigrants brought illegally to the United States as
children, as she was. She has been arrested while camped in front of Senator
John McCain’s office here, protested outside the United States Capitol, and
appeared on the cover of Time magazine in June under the headline, “We are
Americans — just not legally.”
In November, Ms. Andiola got a work permit under a program begun by the Obama
administration last year that gives certain young illegal immigrants temporary
reprieve from deportation. She graduated from Arizona State University in 2009.
On Friday afternoon, her mother returned home from a detention center in
Florence, 70 miles southeast of Phoenix and usually the last stop for certain
illegal immigrants before they are deported. Her brother, Heriberto Andiola
Arreola, 36, who had been kept in Phoenix, was let go earlier, at 6 a.m.
Their swift releases underline the power of the youth-immigrant movement and
their social media activism, which was critical in spreading Ms. Andiola’s story
overnight.
In a statement, Barbara Gonzalez, a spokeswoman for Immigration and Customs
Enforcement, said a preliminary review of the case revealed that it contains
some of the elements outlined in the agency’s “prosecutorial discretion policy”
and would “merit an exercise of discretion.” Advocates have long argued that the
policy has done little to keep families from being broken apart by deportations.
Ms. Andiola said in an interview that she told her mother to go to her room
before opening the door Thursday night; she suspected the men standing outside
worked for immigration. By the time the men came in, her brother, who was
outside talking to a neighbor, was already in handcuffs, she said.
“Where’s Maria?” the men asked her, she recalled.
Ms. Arreola walked out of the room and, in Spanish, the men asked her to
accompany them outside, where they placed her under arrest.
Though she and her son are free, their future is uncertain, as they could be
arrested again while their cases are under review or deported should the
eventual ruling go against them, said Marielena Hincapié, executive director of
the National Immigration Law Center, one of the groups helping the family.
Stories like this, Ms. Hincapié went on, “happen every day, in every state,”
outside of the media spotlight. What made it different this time is that Ms.
Andiola had connections and wasted no time mobilizing them. There are others,
she said, whom “you never hear about.”
Julia Preston contributed reporting from New York.
After Immigration Arrests, Online Outcry, and Release, NYT, 11.1.2013,
http://www.nytimes.com/2013/01/12/us/immigration-arrests-lead-to-online-outcry-and-release.html
Bank Hacking Was the Work of Iranians, Officials Say
January 8, 2013
The New York Times
By NICOLE PERLROTH and QUENTIN HARDY
SAN FRANCISCO — The attackers hit one American bank after the next. As in so many
previous attacks, dozens of online banking sites slowed, hiccupped or ground to
a halt before recovering several minutes later.
But there was something disturbingly different about the wave of online attacks
on American banks in recent weeks. Security researchers say that instead of
exploiting individual computers, the attackers engineered networks of computers
in data centers, transforming the online equivalent of a few yapping Chihuahuas
into a pack of fire-breathing Godzillas.
The skill required to carry out attacks on this scale has convinced United
States government officials and security researchers that they are the work of
Iran, most likely in retaliation for economic sanctions and online attacks by
the United States.
“There is no doubt within the U.S. government that Iran is behind these
attacks,” said James A. Lewis, a former official in the State and Commerce
Departments and a computer security expert at the Center for Strategic and
International Studies in Washington.
Mr. Lewis said the amount of traffic flooding American banking sites was
“multiple times” the amount that Russia directed at Estonia in a monthlong
online assault in 2007 that nearly crippled the Baltic nation.
American officials have not offered any technical evidence to back up their
claims, but computer security experts say the recent attacks showed a level of
sophistication far beyond that of amateur hackers. Also, the hackers chose to
pursue disruption, not money: another earmark of state-sponsored attacks, the
experts said.
“The scale, the scope and the effectiveness of these attacks have been
unprecedented,” said Carl Herberger, vice president of security solutions at
Radware, a security firm that has been investigating the attacks on behalf of
banks and cloud service providers. “There have never been this many financial
institutions under this much duress.”
Since September, intruders have caused major disruptions to the online banking
sites of Bank of America, Citigroup, Wells Fargo, U.S. Bancorp, PNC, Capital
One, Fifth Third Bank, BB&T and HSBC.
They employed DDoS attacks, or distributed denial of service attacks, named
because hackers deny customers service by directing large volumes of traffic to
a site until it collapses. No bank accounts were breached and no customers’
money was taken.
By using data centers, the attackers are simply keeping up with the times.
Companies and consumers are increasingly conducting their business over
large-scale “clouds” of hundreds, even thousands, of networked computer servers.
These clouds are run by Amazon and Google, but also by many smaller players who
commonly rent them to other companies. It appears the hackers remotely hijacked
some of these clouds and used the computing power to take down American banking
sites.
“There’s a sense now that attackers are crafting their own private clouds,”
either by creating networks of individual machines or by stealing resources
wholesale from poorly maintained corporate clouds, said John Kindervag, an
analyst at Forrester Research.
How, exactly, attackers are hijacking data centers is still a mystery. Making
matters more complex, they have simultaneously introduced another weapon:
encrypted DDoS attacks.
Banks encrypt customers’ online transactions for security, but the encryption
process consumes system resources. By flooding banking sites with encryption
requests, attackers can further slow or cripple sites with fewer requests.
A hacker group calling itself Izz ad-Din al-Qassam Cyber Fighters has claimed in
online posts that it was responsible for the attacks.
The group said it attacked the banks in retaliation for an anti-Islam video that
mocked the Prophet Muhammad, and pledged to continue its campaign until the
video was scrubbed from the Internet. It called the campaign Operation Ababil, a
reference to a story in the Koran in which Allah sends swallows to defeat an
army of elephants dispatched by the king of Yemen to attack Mecca in A.D. 571.
But American intelligence officials say the group is actually a cover for Iran.
They claim Iran is waging the attacks in retaliation for Western economic
sanctions and for a series of cyberattacks on its own systems. In the last three
years, three sophisticated computer viruses — called Flame, Duqu and Stuxnet —
have hit computers in Iran. The New York Times reported last year that the
United States, together with Israel, was responsible for Stuxnet, the virus used
to destroy centrifuges in an Iranian nuclear facility in 2010.
“It’s a bit of a grudge match,” said Mr. Lewis of the Center for Strategic and
International Studies.
Researchers at Radware who investigated the attacks for several banks found that
the traffic was coming from data centers around the world. They discovered that
various cloud services and public Web hosting services had been infected with a
particularly sophisticated form of malware, called Itsoknoproblembro, that was
designed to evade detection by antivirus programs. The malware has existed for
years, but the banking attacks were the first time it used data centers to
attack external victims.
Botnets, or networks of individual infected slave computers, can typically be
traced back to a command and control center, but security experts say
Itsoknoproblembro was engineered to make it very difficult to tie it to one
party. Security researchers have come up with a new name for servers infected
with Itsoknoproblembro: they call them “bRobots.”
In an amateur botnet, the command and control center can be easily identified,
but Mr. Herberger said it had been nearly impossible to do so in this case,
suggesting to him that “the campaign may be state-sponsored versus amateur
malware.”
Attackers used the infected servers to fire traffic simultaneously at each
banking site until it slowed or collapsed.
By infecting data centers instead of computers, the hackers obtained the
computing power to mount enormous denial of service attacks. One of the banks
had 40 gigabits of Internet capacity, Mr. Herberger said, a huge amount when you
consider that a midsize business may only have one gigabit. But some banks were
hit with a sustained flood of traffic that peaked at 70 gigabits.
Mr. Herberger declined to say which cloud service providers had been
compromised, citing nondisclosure agreements with Radware’s clients, but he said
that each new bank attack provided evidence that more data centers had been
infected and exploited.
The attackers said last week that they had no intention of halting their
campaign. “Officials of American banks must expect our massive attacks,” they
wrote. “From now on, none of the U.S. banks will be safe.”
Bank Hacking Was the Work of Iranians, Officials Say, NYT, 8.1.2013,
http://www.nytimes.com/2013/01/09/technology/online-banking-attacks-were-work-of-iran-us-officials-say.html
Their Apps Track You. Will Congress Track Them?
January 5, 2013
The New York Times
By NATASHA SINGER
WASHINGTON
THERE are three things that matter in consumer data collection: location,
location, location.
E-ZPasses clock the routes we drive. Metro passes register the subway stations
we enter. A.T.M.’s record where and when we get cash. Not to mention the credit
and debit card transactions that map our trajectories in comprehensive detail —
the stores, restaurants and gas stations we frequent; the hotels and health
clubs we patronize.
Each of these represents a kind of knowing trade, a conscious consumer
submission to surveillance for the sake of convenience.
But now legislators, regulators, advocacy groups and marketers are squaring off
over newer technology: smartphones and mobile apps that can continuously record
and share people’s precise movements. At issue is whether consumers are
unwittingly acquiescing to pervasive tracking just for the sake of having mobile
amenities like calendar, game or weather apps.
For Senator Al Franken, the Minnesota Democrat, the potential hazard is that by
compiling location patterns over time, companies could create an intimate
portrait of a person’s familial and professional associations, political and
religious beliefs, even health status. To give consumers some say in the
surveillance, Mr. Franken has been working on a locational privacy protection
bill that would require entities like app developers to obtain explicit one-time
consent from users before recording the locations of their mobile devices. It
would prohibit stalking apps — programs that allow one person to track another
person’s whereabouts surreptitiously.
The bill, approved last month by the Senate Judiciary Committee, would also
require mobile services to disclose the names of the advertising networks or
other third parties with which they share consumers’ locations.
“Someone who has this information doesn’t just know where you live,” Mr. Franken
said during the Judiciary Committee meeting. “They know the roads you take to
work, where you drop your kids off at school, the church you attend and the
doctors that you visit.”
Yet many marketers say they need to know consumers’ precise locations so they
can show relevant mobile ads or coupons at the very moment a person is in or
near a store. Informing such users about each and every ad network or analytics
company that tracks their locations could hinder that hyperlocal marketing, they
say, because it could require a new consent notice to appear every time someone
opened an app.
“Consumers would revolt if this was the case, and applications could be rendered
useless,” said Senator Charles Grassley, the Iowa Republican, who promulgated
industry arguments during the committee meeting. “Worse yet, free applications
that rely on advertising could be pushed by the consent requirement to become
fee-based.”
Mr. Franken’s bill may seem intended simply to protect consumer privacy. But the
underlying issue is the future of consumer data property rights — the question
of who actually owns the information generated by a person who uses a digital
device and whether using that property without explicit authorization
constitutes trespassing.
In common law, a property intrusion is known as “trespass to chattels.” The
Supreme Court invoked the legal concept last January in United States v. Jones,
in which it ruled that the government had violated the Fourth Amendment — which
protects people against unreasonable search and seizure — by placing a GPS
tracking device on a suspect’s car for 28 days without getting a warrant.
Some advocacy groups view location tracking by mobile apps and ad networks as a
parallel, warrantless commercial intrusion. To these groups, Mr. Franken’s bill
suggests that consumers may eventually gain some rights over their own digital
footprints.
“People don’t think about how they broadcast their locations all the time when
they carry their phones. The law is just starting to catch up and think about
how to treat this,” says Marcia Hofmann, a senior staff lawyer at the Electronic
Frontier Foundation, a digital rights group based in San Francisco. “In an ideal
world, users would be able to share the information they want and not share the
information they don’t want and have more control over how it is used.”
Even some marketers agree.
One is Scout Advertising, a location-based mobile ad service that promises to
help advertisers pinpoint the whereabouts of potential customers within 100
meters. The service, previously known as ThinkNear and recently acquired by
Telenav, a personalized navigation service, works by determining a person’s
location; figuring out whether that place is a home or a store, a health club or
a sports stadium; analyzing weather and other local conditions; and then showing
a mobile ad tailored to the situation.
Eli Portnoy, general manager of Scout Advertising, calls the technique
“situational targeting.” He says Crunch, the fitness center chain, used the
service to show mobile ads to people within three miles of a Crunch gym on rainy
mornings. The ad said: “Seven-day pass. Run on a treadmill, not in the rain.”
When a person clicks on one of these ads, Mr. Portnoy says, a browser-based map
pops up with turn-by-turn directions to the nearest location. Through GPS
tracking, Scout Advertising can tell when someone starts driving and whether
that person arrives at the site.
Despite the tracking, Mr. Portnoy describes his company’s mobile ads as
protective of privacy because the service works only with sites or apps that
obtain consent to use people’s locations. Scout Advertising, he adds, does not
compile data on individuals’ whereabouts over time.
Still, he says, if Congress were to enact Mr. Franken’s location privacy bill as
written, it “would be a little challenging” for the industry to carry out,
because of the number and variety of companies involved in mobile marketing.
“We are in favor of more privacy,” Mr. Portnoy says, “but it has to be done
within the nuances of how mobile advertising works so it can scale.”
A SPOKESMAN for Mr. Franken said the senator planned to reintroduce the bill in
the new Congress. It is one of several continuing government efforts to develop
some baseline consumer data rights.
“New technology may provide increased convenience or security at the expense of
privacy and many people may find the trade-off worthwhile,” Justice Samuel Alito
wrote last year in his opinion in the Jones case. “On the other hand,” he added,
“concern about new intrusions on privacy may spur the enactment of legislation
to protect against these intrusions.”
Their Apps Track You. Will Congress Track Them?, NYT, 5.1.2013,
http://www.nytimes.com/2013/01/06/technology/legislation-would-regulate-tracking-of-cellphone-users.html
Google Wins an Antitrust Battle
January 4, 2013
The New York Times
Google scored a big victory last week when the Federal Trade Commission concluded that
the company was not manipulating search results in ways that harmed consumers.
But the agency’s finding does not completely settle the question of whether the
company, which is used for more than 70 percent of all Internet searches in the
United States, has abused its dominance. The European Commission and attorneys
general in Texas, New York and other states who are also investigating Google
could come to very different conclusions about that question.
While reaching a settlement with Google on a handful of relatively modest
issues, the F.T.C. has left unresolved the legitimate fears that Internet
companies like Expedia and Yelp have about how Google uses its power to push
into online businesses like travel bookings and restaurant reviews while pushing
aside rivals.
Even if that does not immediately leave users worse off, Google’s critics
rightly argue that it could eventually result in fewer choices for consumers if
worthy Internet services fail because Google actively makes it difficult for
people to find them. Competitors of Google, including Microsoft, have argued
that Google often displays search results to highlight its own products, like
Google Maps, Google Flights and Google Shopping. They say that by doing so it is
acting as Microsoft did in the 1990s when it forced PC makers to pre-install its
Internet Explorer software with the Windows operating system at the expense of
rivals like Netscape.
But the F.T.C. did not buy that argument and concluded that Google had not
harmed competition in the marketplace, even if it may have hurt individual
rivals.
Although Google dominates Internet search today, Web users have many options.
And the company’s continued dominance is far from assured when it comes to the
fast-growing world of smartphones and tablets, where many users download apps
without relying on Google. But the company clearly stepped over the line with
the practices it has agreed to change.
Google will now be required to make it easier for competitors to license certain
patents that it had previously agreed to provide. It will also change policies
that make it hard for businesses to manage their advertising campaigns on Google
and other search engines, and it will give Web sites the ability to opt out of
having their content used to bolster its specialized services like Google Local.
Fifteen years ago, few people predicted that Microsoft’s commanding position
would be undercut so drastically by the rise of Google, Apple and others.
History, however, is not necessarily prologue to the future. Antitrust
regulators must remain watchful that Google does not abuse its dominant position
in ways that unfairly limit consumer choices and competition.
Google Wins an Antitrust Battle, NYT, 4.1.2013,
http://www.nytimes.com/2013/01/06/opinion/sunday/google-wins-an-antitrust-battle.html
Is Google Like Gas or Like Steel?
January 4, 2013
The New York Times
By BRUCE D. BROWN and ALAN B. DAVIDSON
AFTER a two-year investigation, the Federal Trade Commission concluded this week that
Google’s search practices did not violate antitrust law. Those who wanted to see
an epic battle like the one the government fought with Microsoft in the 1990s
were sorely disappointed. But the analogy to the browser war of the Web’s early
days was never the right one. It failed to capture the dangers free speech would
have faced if regulators had agreed with Google’s critics.
The theories that many critics advanced — that search must be “neutral” because
it is akin to a public utility, or that computer-generated search results are
not speech and therefore not protected under the First Amendment — would have
undermined free press principles across the Internet. That the F.T.C. decision
permits Google to continue to use its judgment in analyzing search requests and
presenting pertinent results is a victory for online expression and is
consistent with First Amendment law since the 1940s.
Seven decades ago, a lawsuit against The Associated Press applied antitrust
rules to the media and was resolved in a way that ultimately protected First
Amendment interests. This case was always a better parallel than Microsoft to
the F.T.C. investigation of Google. Like Google today, The A.P. had
extraordinary influence. Then as now there were questions about whether
something more than common antitrust law should govern companies that play such
an important role in the delivery of information to the public.
Back then, the Justice Department alleged that A.P. bylaws allowed its member
papers to impede local competitors by denying them access to The A.P.’s
expansive news network. A trial court agreed but applied a theory far broader
than routine antitrust law. It held that news was not an “ordinary” product like
“steel” governed solely by antitrust, but rather something more “vital” because
it was “clothed with a public interest.”
In other words, the trial court wanted to treat the mass media like a public
utility, which carried considerable consequences. For example, while it would be
illegal under antitrust law for a large steel company to conspire with
competitors to fix prices, that company has no obligation to sell to every
carmaker that wants steel. A public utility, on the other hand, has to serve
everyone in the marketplace equally. Applying that standard to The A.P. would
have opened the door to far broader regulation and could, in theory, have meant
something as absurd as requiring newspapers to cover every press release or
publish every letter to the editor.
When the case reached the Supreme Court in 1945, the modern understanding of the
First Amendment, with its insistence on an independent news media, had yet to
take shape. So it was with great significance that — even though The A.P. lost
its appeal and had to allow more access to its services — the court steered
entirely clear of the public-utility model. It looked instead to standard
antitrust law in finding The A.P.’s conduct to be a classic restraint on trade.
The court went further in setting down a marker that to this day restrains
government regulation of the media. Justice Hugo L. Black, who would become a
leading champion of the First Amendment, wrote that nothing in the ruling could
“compel A.P. or its members to permit publication of anything which their
‘reason’ tells them should not be published.”
This began a historic run in which the court transformed the media into an
institution with the autonomy to serve as a check on government power. The First
Amendment as we know it would look very different if public utility obligations
had been forced onto the press that day.
If The A.P. was concerned about a regulator in every newsroom, Google was
concerned about a regulator in every algorithm.
Advocates of aggressive action against Google saw the computer algorithms behind
search as a utility that should be heavily regulated like the gas or electricity
that flows into our homes. But search engines need to make choices about what
results are most relevant to a query, just as a news editor must decide which
stories deserve to be on the front page. Requiring “search neutrality” would
have placed the government in the business of policing the speech of the
Internet’s information providers. To quote Justice Black, it would have made
search engines publish those results “which their ‘reason’ tells them should not
be published.”
Others argued that the F.T.C. did not need to be guided by First Amendment
concerns at all because search results are created by computers, not by human
beings. Yet computers “speak” in many ways today. Lawmakers could have used
F.T.C. precedent against Google to regulate the content of Amazon’s book
recommendations, the locations on Bing’s maps, the news stories that trend on
Facebook and Twitter, and many other online expressions of social and political
importance.
The F.T.C. resisted these harmful theories, and as a result speakers all over
the Internet won. But that doesn’t mean Google is exempt from regulation. The
First Amendment is not a grant of immunity for any business, and antitrust
scrutiny does not end where editorial judgment begins. But the A.P. case shows
that antitrust laws can be enforced while protecting the right of a free press
to print what it chooses and nothing more.
This makes regulation of the media difficult. But regulating speech should not
be easy, like regulating a public utility, but hard, as the F.T.C. has correctly
found.
Bruce D. Brown is the executive director of the Reporters Committee for Freedom
of the Press and a lecturer at the University of Virginia Law School.
Alan B. Davidson is a visiting scholar at M.I.T.’s Technology and Policy Program
and a former director of public policy for the Americas at Google.
Is Google Like Gas or Like Steel?, NYT, 4.1.2013,
http://www.nytimes.com/2013/01/05/opinion/is-google-like-gas-or-like-steel.html
Google Pushed Hard Behind the Scenes to Convince Regulators
January 3, 2013
The New York Times
By CLAIRE CAIN MILLER and NICK WINGFIELD
SAN FRANCISCO — For 19 months, Google pressed its case with antitrust regulators
investigating the company. Working relentlessly behind the scenes, executives
made frequent flights to Washington, laying out their legal arguments and
shrewdly applying lessons learned from Microsoft’s bruising antitrust battle in
the 1990s.
After regulators had pored over nine million documents, listened to complaints
from disgruntled competitors and took sworn testimony from Google executives,
the government concluded that the law was on Google’s side. At the end of the
day, they said, consumers had been largely unharmed.
That is why one of the biggest antitrust investigations of an American company
in years ended with a slap on the wrist Thursday, when the Federal Trade
Commission closed its investigation of Google’s search practices without
bringing a complaint. Google voluntarily made two minor concessions.
“The way they managed to escape it is through a barrage of not only political
officials but also academics aligned against doing very much in this particular
case,” said Herbert Hovenkamp, a professor of antitrust law at the University of
Iowa who has worked as a paid adviser to Google in the past. “The first sign of
a bad antitrust case is lack of consumer harm, and there just was not any
consumer harm emerging in this very long investigation.”
The F.T.C. had put serious effort into its investigation of Google. Jon
Leibowitz, the agency’s chairman, has long advocated for the commission to flex
its muscle as an enforcer of antitrust laws, and the commission had hired
high-powered consultants, including Beth A. Wilkinson, an experienced litigator,
and Richard J. Gilbert, a well-known economist.
Still, Mr. Leibowitz said during a news conference announcing the result of the
inquiry, the evidence showed that Google “doesn’t violate American antitrust
laws.”
“The conclusion is clear: Google’s services are good for users and good for
competition,” David Drummond, Google’s chief legal officer, wrote in a company
blog post.
The main thrust of the investigation was into how Google’s search results had
changed since it expanded into new search verticals, like local business
listings and comparison shopping. A search for pizza or jeans, for instance, now
shows results with photos and maps from Google’s own local business service and
its shopping product more prominently than links to other Web sites, which has
enraged competing sites.
But while the F.T.C. said that Google’s actions might have hurt individual
competitors, over all it found that the search engine helped consumers, as
evidenced by Google users’ clicking on the products that Google highlighted and
competing search engines’ adopting similar approaches.
Google outlined these kinds of arguments to regulators in many meetings over the
last two years, as it has intensified its courtship of Washington, with Google
executives at the highest levels, as well as lawyers, lobbyists and engineers
appearing in the capital.
One of the arguments they made, according to people briefed on the discussions,
was that technology is such a fast-moving industry that regulatory burdens would
hinder its evolution. Google makes about 500 changes to its search algorithm
each year, so results look different now than they did even six months ago.
The definition of competition in the tech industry is also different and
constantly changing, Google argued.
For instance, just recently Amazon and Apple, which used to be in different
businesses than Google, have become its competitors. Google’s share of the
search market has stayed at about two-thirds even though competing search
engines are “just a click away,” as the company repeatedly argued. That would
become the company’s mantra to demonstrate that it was not abusing its market
power.
To underline these arguments, Google spent $13.1 million on lobbying in the
first three quarters in 2012, up from $5.9 million in the same period in 2011.
And Google’s lobbyist in chief, Eric E. Schmidt, the company’s executive
chairman and former chief executive, has made himself a Washington insider as a
close adviser to President Obama.
Then there were the lessons of the Microsoft case.
“Google had the Microsoft case as a template,” said Kevin Werbach, an associate
professor at the Wharton School at the University of Pennsylvania. “Google just
had to convince the regulators it was sufficiently different from Microsoft.”
One lesson for Google executives was to play nicely with the regulators.
Microsoft’s executives were known for their uncooperative demeanors during their
tangle with the government. But even Mr. Schmidt, known for speaking candidly,
was on his best behavior.
Google, and its lawyers and hired experts, also argued forcefully that this case
was different than the one against Microsoft. For one, they pointed out again,
the technology world is so different. At the time of the Microsoft inquiry, its
software was the main on-ramp to the Internet.
“Search today is not a bottleneck monopoly for anything,” said Tim Bresnahan, an
economics professor at Stanford who studies competition in computing and has
worked as a paid expert for Google recently and for Microsoft in the past.
“That’s not the same as everyone who wants to do mass market computing has to go
through Google, like back then everyone who wanted to do mass market computing
had to go through Microsoft,” he added.
Microsoft, leading a chorus of unsatisfied Google competitors, said Thursday
that it was disappointed in the F.T.C.’s decision.
In a blog post published Thursday night, Dave Heiner, a Microsoft vice president
and deputy general counsel, called the decision a “missed opportunity.” “The
F.T.C.’s overall resolution of this matter is weak and — frankly — unusual,” Mr.
Heiner wrote. “We are concerned that the F.T.C. may not have obtained adequate
relief even on the few subjects that Google has agreed to address.”
Mr. Heiner added that Microsoft remained hopeful that other antitrust agencies,
including those in Europe, would take more forceful action against Google.
Harsh criticism of the decision also came from Gary Reback, an experienced
Silicon Valley antitrust lawyer who represents a collection of Internet
companies that complained to the F.T.C. about Google’s behavior.
“I’ve been doing this almost 40 years, been involved in scores of antitrust
investigations,” he said. “I’ve never seen anything so incomplete and lacking
and even incompetent as what happened here.”
Richard Feinstein, director of the F.T.C.’s bureau of competition, dismissed Mr.
Reback’s comment as “silly.”
“This was a very thorough, very professional investigation performed by very
diligent and dedicated staff,” he said.
Regulators had anticipated criticism from Google’s rivals and tried to answer
the complaints in their news conference.
“Some believe the commission should have done more in this case, perhaps because
they are locked in a hand in hand combat with Google around the world,” Mr.
Leibowitz said. But, he said, “We really do follow the facts where they lead.”
He added, “The focus of our law is on protecting competition, not competitors.”
Tim Wu, a law professor at Columbia who was a senior adviser to the F.T.C. until
last summer, said the outcome of the Google case reflected a change in thinking
about antitrust enforcement. “It used to be like the way we dealt with the mob,”
said Mr. Wu, who was involved in the agency’s Google inquiry but who emphasized
that he was not speaking for the F.T.C.
“I don’t believe it’s the position of antitrust agencies to invent competition
where there isn’t any,” he said. “People like Google better than Bing. Microsoft
is trying to do everything it can to change that, but people still seem to
prefer Google.”
Still, some veterans of the technology industry said that even though the agency
did not find an antitrust violation, it still was sending a message to Google
that it was not off the hook for good.
“There’s a long track record of government never really going away,” said David
Farber, a professor of computer science at Carnegie Mellon University and a
former chief technologist for the Federal Communications Commission who testified
as a government witness in the Microsoft case. “They will come back.”
Claire Cain Miller reported from San Francisco, and Nick Wingfield from Seattle.
Google Pushed Hard Behind the Scenes to Convince Regulators, NYT, 3.1.2013,
http://www.nytimes.com/2013/01/04/technology/googles-lawyers-work-behind-the-scenes-to-carry-the-day.html