Memorial Day

A partial reprint from 2006:

Today I’d like every reader to pause for a moment at this point, and to honour, each in your own way, the memory of every soldier of every nation who has died in the service of his or her country and ideals, in support of their way of life. And I’d like each of you, in your own way, to look ahead to the day when there’s no more of it, because we’ll have learned how to live together peacefully, and to resolve our differences in other ways.

Thank you, to all who have served.

Happy, frolicking day...

Invaders!

Back when I had my 25th anniversary at IBM, I got the figurative gold watch — an item I got to pick out of a catalogue, which could have been an actual gold watch, or one of various other things: golf clubs, a grandfather clock, a television set... or, what I selected, a gas grill. I’ve always been happy with my selection, and I use the grill often.

The grill came with a tarp-like fabric cover, and over the last week or two a colony of wasps appears to have moved in under the cover. I know this because the other day, when I walked past it, I was stung on the top of my foot by one of the sentries, which perceived me as a threat.

And, well, actually, I am. I aim to evict them, that I might again use the grill. The trouble is that because the nest is under the cover, I can’t see it. I can see the wasps coming and going, and if I bash the operative corner of the cover with a broom, a dozen or so wasps come out to see what’s what, looking for the attacker (who has, by then, gone into the house and closed the sliding glass door).

Normally, when I find wasps I leave them alone and simply avoid them until winter, knowing that all but the queens die off, and in the spring the queens leave their nests and build others elsewhere. I can then brush away the old nest, and life is good for both me and the wasps.

That won’t work in this case, clearly, but neither do I know how to get rid of them. Bashing with the broom manages nothing but annoying them, and, satisfying though that might be, it’s not terribly productive. I figure that I might have to call in the pros and throw money at the problem.

But first, I thought I’d post something here, and see if anyone has an idea how to get rid of a wasp nest that I can neither see nor get to. The photo shows the corner of the grill where they appear to be, with the blur of a wasp circled in red (click to enlarge). If you have suggestions, please post them in the comments.

And thanks, readers, in advance for any help you can give.

More on aggregating information

For more evidence that the whole is more than the sum of its parts, we turn to some recent work at Vienna University of Technology:

An experimental website has managed to identify the names of people who visit it, by harvesting information about the groups they belong to. It’s a trick marketing teams and scammers would love to copy.

The snooping site exploits the fact that your web browser keeps track of which web addresses you have visited. Website owners can glean this information by hiding a list of web addresses in the code for their web page. When someone accesses this page, their browser will tell the website owner which of the hidden addresses they have already visited.

Basically put, the researchers snagged a set of independent bits of information that could all be tied back to a particular user. And by putting that information together, they identified the user. That the bits of information were all of the same type (groups to which the user belongs) is largely irrelevant, as is the mechanism by which they collected it (using an information leak in the web browser, which we talked about in these pages before).

What’s important to note is that if enough individual items of information are exposed and can be correlated, they can fairly easily be traced back to you, at least a good bit of the time. And that the value of enough that can effect that is smaller than you probably think.

Unfair use

Yet another politician has used a pop song in an ad without permission, and is being sued for it:

The singer and former Talking Heads frontman David Byrne has sued Gov. Charlie Crist of Florida, saying he used the Talking Heads’ song “Road to Nowhere” in a Senate campaign ad without permission.

The song was used in an online video posted in January that attacked Marco Rubio, a fellow Republican who is one of Mr. Crist’s opponents for the seat vacated by Senator Mel Martinez. The governor is now running as an independent.

Haven’t these people figured this out by now? This isn’t the first time, nor the second nor third, that this has happened. It’s not the sort of thing that’s covered by “fair use” principles.

Do they, perhaps, think that they can get away with it because they’re politicians? Politicians seem to think they can get away with nearly anything, so maybe that’s it.

Weekend hike: Anthony’s Nose

I’ve written about hiking Anthony’s Nose before, so today I’ll just post a few photos from Sunday’s hike, put into a montage (click to enlarge). The one on the upper left is very similar to one of the pics from the earlier post, but taken in a different season, this time with mountain laurel blooming in the foreground.

The application becomes the verb

The New York Times recently reported on a web site for “registering” one’s prom dress, in the hope that it would help classmates to avoid wearing the same one.

Now, the horror of wearing the same dress as someone else is something I’ll never understand; I actually think it’s cool when I see someone else wearing a shirt that I also own, and it’s even more amusing if we’re both wearing them at the same time. Be that as it may, it’s not that aspect of the story that struck me. It’s this, in the last paragraph here:

“The group is basically for seniors to put their dresses up and underclassmen to look, so they know what dresses not to get,” said Ms. Dong, who is 18.

But a month later, a junior from her school e-mailed to say she had bought the same dress — and didn’t intend to return it.

“I messengered back and said, ‘Why did it take you so long to tell me?’ ” recalled an incredulous Ms. Dong.

She “messengered”?

I’ve long thought that “messaged” was bad enough,^[1] but now we need “messengered”?

On the other hand, it’s clear where it comes from: the program that she uses to send some messages is called “Messenger”, and, as we’ve done for many years, we tend to turn the application names into the verbs for what they do.

One of the most well known, of course, is "Googling". For the generic verb “to email”, I’ve heard “Gmail” and “Hotmail” used as well, and back in mainframe days when we used PROFS (the system that took down Oliver North), folks would say, “PROFS it to me.”

For the verb “to instant-message”, everyone at IBM would say “I’ll Sametime you,” after Lotus Sametime, IBM’s instant-messaging system.

And so on. It’s a testament to ubiquity and familiarity that, just as Kleenex, Xerox, and Sanka have been used generically, computer application names get verbed into the actions that they’re used to perform.

Still... she “messengered”? Oy.

---

^[1] For reference, I’d say, “I sent a message back...”, or, “I responded”, which shows you how un-cool I am.

Carnivals!

I’ve mentioned before that when I read something about unionized workers, I momentarily think about workers who are not ionized. It takes my brain a moment to parse it correctly, as “union...ized” rather than “un...ionized”. Every time. That’s one of the hazards of spending most of one’s time thinking a certain way.

So it might not surprise some of you that when I heard on NPR last week something about anticipation of “huge tarballs washing up on the Gulf beaches,” I did not immediately think of the oil spill. I actually laughed, before I cried.

[For the rest of you, the normal ones, who have no idea what I’m talking about: Wikipedia will tell you.]

Pointers to this fortnight’s ever-dwindling list of blog carnivals:

• Math Teachers at Play #26.
• Carnival of the Godless #142.

An unbelievable deal!

I took the photo on the right (click to enlarge) with my BlackBerry’s camera (so please forgive its being somewhat blurry) at the local Whole Foods store. It depicts an incredibly good^[1] sale price on some one-quart packages of almond milk:

Sale!   3 for $6.00
Regularly   $1.99 [each]

The unit pricing helpfully tells us that 3 one-quart boxes for 6 dollars makes it $2.00 per quart. We don’t need the unit pricing to compute that the regular, non-“Sale!” price comes to $1.99 per quart.

One wonders whether it’s possible to decline the sale price at the register.

---

^[1] Yes, that’s “unbelievable” as in not believable, and “incredible” as in not credible.

What is the cost of “free”?

One argument that I commonly hear from people who are not bothered by Facebook’s changes in their privacy policies is that Facebook can do what they want, because it’s their service, and they’re providing it to us for free. If they were charging money, we might have cause to complain, but, hey, it’s free, so we should be happy for whatever we get.

But here’s the thing: no, it’s not free. You’re paying with your information and your privacy — those are the currencies in use, here, not dollars nor euros nor shekels nor yen.

And make no mistake about it: there’s a lot of value in information, and particularly in information that people would otherwise like to put privacy restrictions on. That’s why Facebook is changing the rules, and that’s why Facebook is allowing applications and business partners to bypass the access controls that do remain available.

This doesn’t make Facebook evil, nor unique. They recognize the business value of what they have, and they’re trying to make the most of it — and we do have a choice of whether to use their service or not.

Google is using the same business model, but is so far ahead of Facebook that the latter can’t even see the former’s taillights. Google has aggregated more of our information than we can imagine, depending upon which of its services we use — our profile information; our full search history since forever; our email (Gmail); our calendars (Google Calendar); our photos (Picasa) and videos (YouTube), both what we post, and what we look at); the places we look for (Google Maps); the blogs we write (Blogger); the blogs and news we read (Google Reader); even some of our buying history — and is using it to target advertisements. It’s also stashing it away, to be data-mined later.

We make the same choice there: are we willing to pay for these services? We can buy services for money. Or we can buy services with our private information. It’s fine to make that choice, to choose to give someone else control of some of our privacy in exchange for something we want.

We should just understand that that’s what we’re doing.

Faulty logic: Post hoc, ergo propter hoc

For the next in the series on faulty logic, we have:

Post hoc, ergo propter hoc

It’s a natural tendency for people to make connections between events. “When I do this, that happens.”

When I touch something hot, I get burned.
When I don’t water my house plants, they die.
When I eat that kind of mushroom, I get sick.

As we see these connections, we often make an assumption that the prior (or coincident) event caused the other. Touching my hand to a hot stove causes my hand to be burned. Failing to water my plants kills them. Eating the wrong mushrooms makes me sick. And inferring causation is a good defense: it makes me avoid touching hot things or eating bad mushrooms. Of course, it might make me avoid eating all mushrooms, depending upon my lack of exposure to other kinds, but, you know, that’s OK: overreacting, making a rash inference can sometimes be better than the alternative.

Of course, some connections turn out to be faulty. When I go to New Jersey, it rains. We certainly know that my going to New Jersey doesn’t cause the rain. Perhaps we have a case of confirmation bias, where I’m forgetting the visits to the Garden State when it’s been sunny. Or maybe I’ve been there so few times that my sample size isn’t large enough to make any inference. I know someone who won’t eat Thai food, because “Thai food makes me sick.” How many times has that person eaten Thai food? Once.

Primitive people developed superstitions in similar ways. One year, the crops were bad. The next year, they put a basket of dead birds in the middle of the field, and the everything turned out great. Therefore, placing a basket of dead birds in the field ensures a good crop.

Coincidence (or correlation) does not imply causation.

The logical fallacy of assuming that it does is called “post hoc, ergo propter hoc”, a Latin phrase meaning “after this, therefore because of this” (or the similar “cum hoc, ergo propter hoc”, “with this, therefore because of this”).

Like the primitive farmers, we continue to make assumptions of causation, sometimes casually, sometimes to support what we already believe, sometimes to grasp at an explanation for something we desperately want explained. Post hoc, ergo propter hoc (often coupled with confirmation bias) leads us to think that vaccines are harming children, that prayer works (you pray for your sports team to win, and they win; you pray for good weather, and it's a nice day), or that taking off our shoes at the airport keeps terrorists away.

Instead, it’s important that we not jump to conclusions. We should make multiple observations. We should try different sequences in various combinations. We should design studies that test our hypotheses against alternatives, and we should consider alternative explanations.

Even with all that, we might never be sure about the real causes. But we can rule some out, and we can increase our confidence in others.

Correlation

(Click to see the cartoon on the xkcd site.)

Cracking down on cracking?

So, it turns out that on the streets and networks of China, you can buy cheap (less than $25) kits that have everything you need to sneak onto people’s wireless networks quickly and easily. Their sale is illegal, but that seems not to stop folks.

And, you know: it’s hard to get excited about this. It might actually be fun to buy one, just to play with it. But get outraged? Nah.

As the article says, the protocols securing home networks are so weak that they’ve been easily crackable for a long time, and “tutorials on how to crack WEP have been online for years.” It used to be that anyone who could sit in front of your house for an hour and knew what she was doing could break into your network. That soon went down to half an hour, and then ten minutes — ten minutes with a Linux machine, a little software, and a little savoir-faire. All these kits do is eliminate the need for savoir-faire.

The home version of WPA was introduced as a stop-gap measure. It’s better than WEP, but only somewhat: it doesn’t have the protocol weaknesses of WEP, but it’s not strong enough to be secure with today’s computers, at least not with the typical sorts of passwords that people use. And it’ll be quite some time before we’ve moved to WPA2.

That the cracking hardware and software are now all sold in a tidy package that Ma Po can take wardriving is no surprise, and nothing to be worried about. If you really care about securing your home network, use WPA2 if your hardware supports it, or WPA otherwise, and use a long, complex password that uses a good mix of characters.

Alternatively, consider that you needn’t care whether someone can get onto your network, and make sure your networked computers are properly protected against intrusion. Then you might even leave your network open, to be nice to your neighbours.

Expectation of privacy?

A few weeks ago, the U.S. Supreme Court heard arguments in a privacy-rights case: a police officer had a pager issued to him by the police department. He used the pager for official business, but he also used it for personal messages — some very personal. Wisdom would advise against that, but being unwise is often not against company policy.

In this case, though, the department decided to audit the use of the pagers, to determine whether they had chosen the correct payment plan for the number of work-related messages used. They got a dump of the messages.

The officer sued, claiming a privacy breach — he did not want his hot-sex messages to be read by his bosses, if you can imagine that. The Ninth Circuit Court of Appeals agreed that the department, which owned and provided the pagers, violated his privacy by reading his messages. He had, they held, an expectation of privacy in the use of the pager.

Normally, you do not have an expectation of privacy if you use company equipment for personal messages or activities. Not, as we say, on company time or furniture. In this case, though, a boss, a lieutenant, said that as long as they paid for their personal messages, the messages would not be read, and it’s that statement that turned it for the Ninth Circuit Court.

The New York Times agrees, in an editorial about the case.

The Ninth Circuit was correct. Sergeant Quon had a reasonable expectation that his messages were private. Under the Fourth Amendment, the city had a duty to seek less-intrusive methods of searching, and as the court noted, those methods were available. The City of Ontario could have had Sergeant Quon and others request the transcripts and allowed them to redact anything personal.

The Supreme Court should affirm the appellate court’s well-reasoned decision. If it rules for the city, it should do so in a narrow way, closely tied to the specific facts of this case.

Courts across the country have been unclear about what privacy rights apply to e-mail and texting, which are fast eclipsing postal mail and conventional telephones. The Supreme Court should make clear that the Fourth Amendment’s robust privacy protections apply just as robustly to 21st-century communication.

I agree with the Times in its final paragraph: searches of our personal effects, which are controlled by the Fourth Amendment, must also include searches of our electronic media, files, and messages. This is absolutely clear. We must be secure in our electronics, as well as being secure in our persons, houses, papers, and effects.

I’m less comfortable agreeing with the two previous paragraphs. The Ninth Circuit Court is probably right in this case, but only because “the lieutenant was speaking for the department” when he said that the employees’ messages would not be read. He established an expectation of privacy that would not normally be there in the case of employees using company equipment.

While it’s certainly true that the department could have used less-intrusive methods that could have accommodated the employees’ privacy, and while a kind employer might choose to do so, they should be under no obligation in that regard. If the courts give employees free rein to use company resources for personal purposes, and hold employers liable for privacy leaks, then employers will have good reason to lock down their equipment and use technology to prevent such use. And there be dragons; that serves no one well.

The better answer is to allow employers and employees to strike a happy medium, wherein employees can make personal use of company equipment, but must do it with circumspection, realizing that what they do on equipment they do not own is not completely private — that the privacy serves at the pleasure of the employer. With that, they can all find a reasonable middle ground.

To alter the Times’ penultimate paragraph, I can agree that the Supreme Court should affirm the appellate court’s decision, but that it should do so, ruling against the city, only in a narrow way, closely tied to the specific facts of this case. The general situation should be that employees not have an expectation of privacy when using their employers’ computers, networks, and other 21st-century technology.

Thinly veiled reasoning

France is considering legislation to ban the burqa or niqab, the full “veil” that some Muslim women wear, which covers the whole face. The surface reasoning is that people need to see each other’s faces — that being able to do so makes people safer by allowing identification, and establishing social connections. What some are critical of is the idea that this is anti-Muslim legislation.

In a recent op-ed piece in the New York Times, Jean-François Copé, the majority leader in the French National Assembly (UMP Party, the political conservatives), argues the UMP’s side of the question.

This criticism is unjust. The debate on the full veil is complicated, and as one of the most prominent advocates in France of a ban on the burqa, I would like to explain why it is both a legitimate measure for public safety and a reaffirmation of our ideals of liberty and fraternity.

I’ll note that he doesn’t mention “equality”, the third French ideal.

Setting aside whether or not I agree with the legislation — M Copé is correct that it’s a complicated question, and I have conflicting thoughts about it — I find his particular arguments specious, and I wanted to look at the key points here.

The ban would apply to the full-body veil known as the burqa or niqab. This is not an article of clothing — it is a mask, a mask worn at all times, making identification or participation in economic and social life virtually impossible.

This face covering poses a serious safety problem at a time when security cameras play an important role in the protection of public order. An armed robbery recently committed in the Paris suburbs by criminals dressed in burqas provided an unfortunate confirmation of this fact. As a mayor, I cannot guarantee the protection of the residents for whom I am responsible if masked people are allowed to run about.

M Copé adds that “The visibility of the face in the public sphere has always been a public safety requirement,” but this strikes me as a fairly silly argument. Before we used cameras, when we relied on human identification, the identification of random people in the street was so unreliable as to be essentially useless. Now, with street cameras, we still find that crimes are not solved by finding people on the camera recordings and linking them to the situation. Rather, we’re only able to find them afterward — once we know who the perpetrators were, we can go back to surveillance recordings and say, “Ah, yes, see, there he is.”

Now, facial identification by witnesses or security cameras at the crime scene is much more useful, and such identifications often are the linchpins of prosecutors’ cases. And, as we know, robbers wear masks of all sorts at crime scenes, all the time. I can’t see that banning facial veils in the street will make any difference to someone who wants to put on a ski mask or a gorilla suit in order to rob a convenience store.

What’s more, it is not illegal to walk around most cities in ski masks, gorilla suits, Halloween outfits, or any other form of disguise. I recently saw, in the Times Square area in New York City, someone in a Lion King outfit to promote the Broadway play, and two guys (or girls?) in Elmo outfits, promoting something, one presumes (or perhaps picking pockets; can we be sure?). One often encounters mimes with heavily painted faces, people in clown outfits, and so on. Will all those be banned as well?

For that matter, could I be arrested for covering my face with my hand? A floppy hat might shield one’s face from the surveillance cameras; are floppy hats allowed? Suppose someone worried that young people wearing “cargo pants” might be concealing weapons, and concluded that cargo pants should be banned... along with trench coats and who knows what else?

Public safety is neither ensured by nor compromised by clothing.

The permanent concealment of the face also raises the question of social interactions in our democracies. In the United States, there are very few limits on individual freedom, as exemplified by the guarantees of the First Amendment. In France, too, we are passionately attached to liberty.

But we also reaffirm our citizens’ equality and fraternity. These values are the three inseparable components of our national motto. We are therefore constantly striving to achieve a delicate balance. Individual liberty is vital, but individuals, like communities, must accept compromises that are indispensable to living together, in the name of certain principles that are essential to the common good.

Let’s take one example: The fact that people are prohibited from strolling down Fifth Avenue in the nude does not constitute an attack on the fundamental rights of nudists. Likewise, wearing headgear that fully covers the face does not constitute a fundamental liberty. To the contrary, it is an insurmountable obstacle to the affirmation of a political community that unites citizens without regard to differences in sex, origin or religious faith. How can you establish a relationship with a person who, by hiding a smile or a glance — those universal signs of our common humanity — refuses to exist in the eyes of others?

OK, this one’s just dumb: if someone wants to sequester herself from social interactions, legislation that blocks one way of doing that is pointless. Orthodox Jews in New York City often separate themselves socially from outsiders, and they can do that quite effectively without covering their faces. Fraternité is an ideal, not a demand; there isn’t — and there shouldn’t be — any requirement that anyone, be she a Muslim woman or anyone else, establish social connections with others in French society.

And likening it to nudism is also silly. Leaving aside, too, whether we should be allowed to walk in public in the nude, these are just not the same things.

It’s fine to say that you don’t want to live next to someone who hides her face, but then admit that that’s what’s going on, and be open about it, rather than trying to hide behind community ideals and slogans, and bogus claims about public safety.

California in March

March’s IETF meeting was in the land of Disney, at the Anaheim Hilton in California. As someone who’s not fond of theme parks, nor of the whole Disney experience, I did my best to avoid those bits — though one can’t miss all of it, as it permeates the town. I never got a blog post done about the IETF meeting, and it seems too long after it now to do it. But I did have some brief time in California, a day before and a day after the meeting, so here are a few photos therefrom (click to enlarge):

Farming in a California coastal valley	Pismo Beach	Long Beach Harbor, from a small plane
Rolling hills south of Los Angeles	California coast at Palos Verdes	Santa Monica Beach
Amusements at Santa Monica Pier	Amusements at Santa Monica Pier	Sunset off Santa Monica Pier

More Taser abuse

A 17-year-old Philadelphia Phillies fan (at least he used to be) named Steve Consalvi decided to hop onto the field and run around last Monday. Not surprisingly, the police hopped on after him, several of them. Not surprisingly, he tried to evade them. Ha-ha. Fun.

Not surprisingly, one of the officers shot him.

With a Taser.

It’s probably a good thing they had the Taser, or they’d have been forced to shoot him dead with their guns, right? That’s surely what would have happened back in Frank Rizzo’s day.

Because, as I’ve said many times, appropriate use of a Taser is to disable someone who is an imminent threat. It is an alternative to firing a gun. It is not something to be used for convenience, not just because someone’s not doing what you want him to. Wait him out. Talk him down. Surround him and nab him.

No need for the Taser.

As there was no need for it the following night, when another fan, 34-year-old Thomas Betz, took to the field. Perhaps he was looking to experience a Taser himself, but it was not to be: Phillies security staff grabbed him and escorted him to waiting police, without benefit of electricity.

As should have happened with Mr Consalvi.

Once again: we have to take a strong stand against police abuse of Tasers.

[Here’s a New York Times editorial about the Taser incident.]

Happy birthday, Jack Bruce

On this day in 1943, the bass guitarist, singer, and composer Jack Bruce was born in Scotland.

Jack Bruce is best known for his work with Eric Clapton and Ginger Baker in the “supergroup” Cream, in the late 1960s. Along with lyricist Pete Brown, with whom he frequently collaborated, he wrote several of Cream’s most popular songs, including “Sunshine of Your Love”, “White Room”, and “I Feel Free”, and he did the vocals on the group’s recordings and performances of them.

In the early 1990s, Jack Bruce reunited with Ginger Baker and, adding guitarist Gary Moore, formed an excellent but short-lived trio called BBM. They produced one album, “Around the Next Dream”, and Bruce and Moore co-wrote three of the best songs on that album. A lyric from the opening track, “Waiting in the Wings”, gives the album its title. The song’s immediately catching, with a great guitar riff, and vocals by Bruce:

She was standing in the dark, waiting in the wings,
Just around the next dream.
She was holding all the keys to set my heart free,
Behind the shadows of love.

From the distance I could see her standing alone,
Shine like a jewel in the night.
Hidden from the eyes, a thief of the soul,
Behind the shadows of love.

Set me on fire with the stories you tell,
Drown in an ocean of dreams.
Close to the flame on wings of desire,
Nothing’s what it seems.

She was waiting outside with arms open wide,
Ready to break my heart’s fall.
Oh, the lightning in her eyes, I learned how to fly
Behind the shadows of love.

Set me on fire with the stories you tell,
Drown in an ocean of dreams.
Close to the flame on wings of desire,
Nothing’s what it seems.

How Facebook sees its own privacy policies

Yesterday, I talked about something that’s not a privacy problem on Facebook. Today, we’ll look at what is.

The New York Times “Bits” blog published, the other day, a Q&A piece with Elliot Schrage, Facebook’s vice president for public policy. Readers had been asked to send in questions, and some were selected for Mr Schrage to answer. His answers make it clear, if it hadn’t been already, that Facebook’s erosion of its users’ privacy and of their privacy options are business decisions, made with full understanding of the effect on the users.

I found three answers to be of particular note, so I’ll comment on them here:

Q: It used to be that I could limit what strangers saw about me to almost nothing. I could not show my profile picture, not allow them to “poke” or message me, certainly not allow them to view my profile page. Now, even my interests have to be public information. Why can’t I control my own information anymore? — sxchen, New York

A: Joining Facebook is a conscious choice by vast numbers of people who have stepped forward deliberately and intentionally to connect and share. We study user activity. We’ve found that a few fields of information need to be shared to facilitate the kind of experience people come to Facebook to have. That’s why we require the following fields to be public: name, profile photo (if people choose to have one), gender, connections (again, if people choose to make them), and user ID number. Facebook provides a less satisfying experience for people who choose not to post a photo or make connections with friends or interests. But, other than name and gender, nothing requires them to complete these fields or share information they do not want to share. If you’re not comfortable sharing, don’t.

I’ll buy that Facebook might decide that certain information has to be public. I won’t buy

1. that they should change that decision after the fact, nor
2. that the list needs to be so broad as to include “connections with friends or interests.”

And it’s disingenuous to say that, well, people don’t have to make connections or list interests if they don’t want them made public, because a great deal of the value of Facebook, for those who find it valuable, lies in those aspects. It’s not that users aren’t “comfortable sharing” these things, but that they want to control with whom they share them.

This answer just says that Facebook has found value in forcing these items to be public, and they don’t care that some users want to be more circumspect about it. Further, even if users choose to delete some of this information now that Facebook will make it public... Facebook still has it, and will still share it with applications and partner web sites, even after the owner thinks it’s scrapped. Because that’s just the kind of experience people come to Facebook to have.

Q: Why not simply set everything up for opt-in rather than opt-out? Facebook seems to assume that users generally want all the details of their private lives made public. — abycats, New York

A: Everything is opt-in on Facebook. Participating in the service is a choice. We want people to continue to choose Facebook every day. Adding information — uploading photos or posting status updates or “like” a Page — are also all opt-in. Please don’t share if you’re not comfortable. That said, we certainly will continue to work to improve the ease and access of controls to make more people more comfortable. Your assumption about our assumption is simply incorrect. We don’t believe that. We’re happy to make the record on that clear.

Oh, please: saying that Facebook itself is opt-in, so that makes everything in it opt-in... is a cop-out. Just as with the question above, the answer is really that Facebook gets the most value out of defaulting privacy controls to “public” (thus making users opt out of things they want to keep closer, assuming that Facebook even gives them a way to do that). As long as users are hooked on Facebook, and are willing to use it no matter what changes are made, Facebook has no incentive to make it easy to keep information private.

Q: I love Facebook, but I am increasingly frustrated by the convoluted nature of the privacy settings. It’s clearly within Facebook’s ability to make the privacy settings clear and easy to use — why hasn’t this been a focus? — Ben, Chicago

A: Unfortunately, there are two opposing forces here — simplicity and granularity. By definition, if you make content sharing simpler, you lose granularity and vice versa. To date, we’ve been criticized for making things too complicated when we provide granular controls and for not providing enough control when we make things simple. We do our best to balance these interests but recognize we can do even better and we will.

And this one is just complete bullshit. There are no opposing forces here. It’s very easy for them to provide two (or more) tiers of content sharing settings: a simple set for the most common sets options (or for what they would like to be most common), and an “advanced” button to let people control more and go further.

Even Windows was able to get that. There’s a global privacy setting that sets up file access controls in a way that will work for most users. A user who wants to can make simple changes to the access controls for specific files or directories (allow another user to have certain pre-defined access settings). And for fine-tuned control, one can make advanced changes that let one get down to the nitty-gritty.

Most users never see the Windows advanced access control settings, just as most Facebook users would never use the advanced privacy settings, if they were provided. Yet for the users who want to use them, they’re necessary, and their absence is a real problem.

But, again, Facebook has no incentive to provide them unless people start voting with their fingers, and abandon Facebook because it doesn’t give them the controls they want.

Realistically, though, it’s unlikely that the exodus of a handful — even large handfuls — of techies will make any difference to Facebook’s policies. And it’s unlikely that the average Facebook user will care enough to leave. Some will grumble that they don’t really want everyone to see everything, but in the end it won’t matter enough to them, and they’ll stay and accept it.

Facebook knows this.

Email, IP addresses, and privacy

Facebook has some nasty privacy-violation things going on, and it just gets worse over time, as they eat more and more into what the users have control of, taking the control away. They’re getting a lot of bad press about it, including some high-profile recommendations to bail out of Facebook entirely, and groups developing alternatives. The Facebook privacy thing has gotten bad. Really bad.

But that doesn’t mean everything is a privacy violation. Last week, Xeni, at BoingBoing, posted about how Facebook “exposes” your IP address when you send mail:

As Matt points out in the blog post, this may not be the most onerous of Facebook’s privacy problems, and it’s certainly not the only one. But no good purpose for users is served by leaking user IPs, and there are many good reasons not to. Facebook, get your shit together for chrissakes.

And Facebook has “fixed” it, as of last weekend; this from Facebook’s Barry Schnitt, in the BoingBoing comments:

We originally included IP address information in these email headers as part of industry best practices designed to improve spam filters. This is similar to what many webmail providers do. However, we agree this practice no longer makes sense for Facebook and we’ve discontinued it. Thank you for bringing this to our attention.

The thing is, the reason they included it was exactly right. They did have “their shit together”, and they’ve now broken the normal audit trail that exists in email for various trace purposes, including abuse tracking. Email standards specify that a “Received:” line be added to the email headers each time a message is passed from one place to another. Including the sending computer’s IP address in the “from” clause of the first “Received:” line is not considered a “privacy violation” in any other context.

For example, here are the operative lines from each of a number of different messages I have in my inbox now. I chose ones sent by a variety of webmail systems, as well as a couple sent using “traditional” email programs (Outlook and Thunderbird, here). I’ve obscured the IP addresses, as well as any other information that might point to the senders... but the addresses in my inbox are real, and give me the identities of the senders’ Internet service providers and the senders’ geographic locations.

AOL webmail

Received: from 88.188.88.188 by Webmail-d123.sysops.aol.com
        (205.188.108.132) with HTTP (WebMailUI);
        Wed, 05 May 2010 11:17:04 -0400

Yahoo! webmail

Received: from [77.177.77.77] by web65510.mail.ac4.yahoo.com via HTTP;
        Mon, 10 May 2010 15:06:12 PDT

Mac.com webmail

Received: from [ 44.14.144.144] from webmail.me.com with HTTP;
        Mon, 10 May 2010 22:56:47 -0400

Gmail webmail

Received: by 10.100.48.20 with HTTP; Wed, 5 May 2010 02:02:24 -0700 (PDT)

Gmail Thunderbird

Received: from xxxxxxxxx (66-166-66-222.xxxxx.com [66.166.66.222])
        by mx.google.com with ESMTPS id xxxx.xxxx.xxxx
        (version=TLSv1/SSLv3 cipher=RC4-MD5);
        Wed, 05 May 2010 04:39:32 -0700 (PDT)

Earthlink, Outlook

Received: from [22.222.222.22] (helo=xxxxxxxxxx)
        by elasmtp-spurfowl.atl.sa.earthlink.net with esmtpa (Exim 4.67)
        (envelope-from <xxxxxxxx@earthlink.net>) id xxxx-xxxx-xxxx
        for xxxx@xxxx.xxxx; Sat, 08 May 2010 15:50:40 -0400

As you can see, only Gmail’s web interface chose to omit the “from” clause, and did not “expose” the sender’s IP address. In all other cases, the information is there. And, in fact, the lack of it in the Gmail web message means that for mail sent that way, the sender’s IP address and ISP can’t be used as filtering criteria, and it’s harder to do forensic analysis to track down abuse (spammers, phishers, and so on) because one need’s Gmail’s cooperation.

Facebook can certainly choose not to include that information (and as it goes, it was included in a non-standard way, anyhow, with an “X-Facebook:” header field, rather than a “Received:” header field), but including it should not have been thought of as a privacy violation.

Sales tax and the Internet

It’s long been popular to buy things mail-order from an out-of-state concern, in order to avoid paying sales tax on the items. Mail-order houses are often not required to charge out-of-state customers sales tax, the shipping charges are usually less than the sales tax would have been (and are sometimes waived entirely), and consumers think they’re getting away without paying sales tax.

What we often didn’t know is that when sales tax is not charged and paid to the state by the seller, the buyer is legally responsible for paying it anyway. We didn’t know that because states didn’t generally publicize that fact, and didn’t enforce it either.

New York decided to start enforcing it a few years ago. The trouble is that now they’re doing some double dipping.

First they set up a new line on the state income tax form, a line for declaring “sales or use tax” that you owe. Here’s the line from the 2009 tax form:

The instructions explicitly forbid you from leaving that line blank — you can fill it in with zero, but that has to be explicit, and there’s a strong implication that doing so might result in an audit. Here’s the applicable page from the instructions (PDF), and here are some excerpts:

You owe sales or compensating use tax if you:

• purchased an item or service subject to tax that is delivered to you in New York State without payment of New York State and local tax to the seller; or
• purchased an item or service outside New York State that is subject to tax in New York State (and you were a resident of New York State at the time of purchase) with subsequent use in New York State.

[...]

An unpaid sales or use tax liability commonly arises if you made purchases through the Internet, by catalog, from television shopping channels, or on an Indian reservation, or if you purchased items or services subject to tax in another state and brought them back to New York for use here.

Example 1: You purchased a computer over the Internet that was delivered to your house in Monroe County, New York, from an out-of-state company and did not pay sales tax to that company.

Example 2: You purchased a book on a trip to New Hampshire that you brought back to your residence in Nassau County, New York, for use there.

[...]

Failure to pay sales or use tax may result in the imposition of penalty and interest. The Tax Department conducts routine audits based on information received from third parties, including the U.S. Customs Service and other states.

Then they give you a nice, convenient table that shows how much sales and use tax you should pay if you want to take the easy way out and not have to document everything: $23 if your adjusted gross income is between $30,000 and $50,000, for example, and $44 if your AGI is between $75,000 and $100,000.

And that’s all fine for what it is: it’s always been the law that these taxes be paid — though we can certainly argue that the example of buying a book while on a trip to New Hampshire is stretching the point too far (and they picked New Hampshire because that state has no sales tax of its own) — and this is a convenient way for the state to enforce it, and for the taxpayers to cope with it.

Is it “fair”? $44 represents, at my local tax rate, sales tax on about $600 worth of purchases. So they’re assuming that someone making, say, $90,000/year will buy around $600 worth of things by mail order (to oversimplify a bit). Just using my own purchases from 2009 as a guide, that seems close enough, though, obviously, different people will have vastly different purchase patterns. Some people buy a lot of things online, and some do almost none of their shopping that way.

But then New York did something else. They passed a law requiring that out-of-state companies that sell products to be shipped to New York charge sales tax on those purchases, and remit the tax to New York. The result was that some sellers stopped selling to New York residents, and others, such as Amazon, started adding New York sales tax to the bills.

In 2009, all of the out-of-state purchases I made were from vendors that charged me New York sales tax. Yet there’s still that pesky line 59 on the tax form, isn’t there? I put a zero on that line, but they’re clearly trying to intimidate us into not doing that, and into using the table to determine what should go there.

But if we do that, we are, for the most part, being taxed twice for our Internet purchases. By having both the new law and line 59 on the tax form (along with the ominous text in the instructions), New York state is trying to have it both ways, to have the vendors tax us and to have us voluntarily pay the tax again when we file our income taxes.

That’s why I can’t fully agree with the New York Times editorial blasting Amazon for resisting New York’s efforts. Amazon’s reasons may seem lame, but it’s trying to keep things equitable.

The right answer is for all vendors to charge sales tax, and for the state to stop trying to extort it from us after the fact.

Crime in the City

This is an example, from today’s New York Times, of why my father moved us out of New York City almost 50 years ago. Some teenagers were having a birthday party at an apartment in the Bronx:

Witnesses said that a group of older, seemingly drunken men entered the party, at a first-floor apartment at 1776 Weeks Avenue in Tremont, and behaved inappropriately with some of the younger female guests. That prompted an argument and a fight before the men left the apartment.

Thirty minutes later, about 2 a.m., as some from the party spilled into the building’s lobby, the men returned with guns and began firing, witnesses said.

While tourists and visitors from the suburbs are, these days, mostly safe in the city, residents — in some areas more than in others, clearly — have a day-to-day risk that accumulates to significance over time. Break-ins, burglaries, robberies and other personal attacks... these are far too common, still. Murders are down, we hear, but, of course, that’s little consolation to the families of these victims.

What I always want to know when I hear about these sorts of things is what makes people behave worse than wild animals? Sometimes it’s subsistence, when attacking someone for his money, or stealing his things to sell, is the only way one knows to eat and survive. But stories like this just make me shake my head in disbelief, to see that people can be so callous, so senselessly violent.

I wonder why, and I wonder whether there’s any way to address it, to change it.

Carnivals!

In the “I think I’ve identified the problem” department, we have this bumper sticker, seen on a recent walk in my neighbourhood:

GIRLFRIEND WANTED
Nagging bitches need not apply.

Pointers to this fortnight’s blog carnivals:

• Skeptics’ Circle #136 was not posted; is it going away too?
• Carnival of Mathematics #65.
• Carnival of the Godless #141.

Hi, Mom!

Q: Tomorrow is...

1. Mothers’ Day
2. Mother’s Day
3. Mothers Day
4. All of the above
5. None of the above

Well, whichever one: Hi, Mom! Happy Day.

None shall pass!

Because Faisal Shahzad nearly got airborne en route to Dubai, and we only narrowly managed to stop the takeoff and snag him, everyone wants to know why the no-fly list didn’t work. One issue is that Mr Shahzad was only added to the list that same day, so we’re responding by tightening the rules for using the no-fly list:

Airlines have been required to check the no-fly list for updates only every 24 hours. But the new rule, sent to airlines on Wednesday to take effect immediately, requires that they check within two hours of receiving notification that a high-priority name has been added to the list.

Hm. That sort of goes without saying, doesn’t it? I mean, if the list can be updated any time, then it makes sense to refresh it more than once a day, and it especially makes sense to respond to high-priority requests to refresh it. It boggles the mind that this isn’t already being done. Moreover, this should all be computerized, and the lists that are being used should be updated in close to real time. Are they actually printing paper lists?

But that’s assuming that the list has much value, in general, and it seems clear that it doesn’t. How many people have we really stopped from flying, who we actually wanted to stop from flying? We don’t have numbers on that — it’s a secret, of course — but wouldn’t the TSA be crowing about its success if it were significant? Yet we know that we’ve used it to turn Yusuf Islam (the former popular singer Cat Stevens) away at the border. We know we’ve used it to hassle and delay numerous honest, respectable, non-threatening people with unfortunate names, from five-year-old boys to aged grandparents.

A list of names simply doesn’t scale to the level we need it to for this task. And, yet, a list of names is what we have — a list of names that isn’t refreshed often enough to catch a suspect on the lam. We’re told the list makes us safer. I don’t believe it does. Show me the numbers to prove it.

Oh, and we have a no-fly list, but we don’t have a no-weapon list. Faisal Shahzad bought himself a powerful gun last month. He wasn’t on the no-fly list then... but if he had been, it wouldn’t have stopped him from snagging the weapon, legally, a weapon he could have easily taken on a killing spree through Times Square, just in case the bomb didn’t work.

Mayor Bloomberg thinks that should be fixed:

When gun dealers run background checks, should F.B.I. agents have the authority to block sales of guns and explosives to those on the terror watch lists — and deemed too dangerous to fly? I believe strongly that they should.

I agree, and I find it mystifying that we haven’t already done that.

I also think the NRA will bust a blood vessel on this, which would seem somewhat ironic.

---

Update, 11:00 — And in the New York Times, Gail Collins has an op-ed piece about the gun issue.

Here's an excerpt from what Ms Collins says:

Terror threats make politicians behave somewhat irrationally. But the subject of guns makes them act like a paranoid mother ferret protecting her litter. The National Rifle Association, the fiercest lobby in Washington, grades every member of Congress on how well they toe the N.R.A. line. Lawmakers with heavily rural districts would rather vote to legalize carrying concealed weapons in kindergarten than risk getting less than 100 percent.

Why can’t the voices favouring sensible control of dangerous weapons establish equal sway?

Update, 17:00 — And a New York Times editorial about the gun issue.

Terrorists are so trying

Of course, now that an arrest has been made for the Times Square bombing attempt, the idiots conservatives idiots conservatives in congress are falling over themselves arguing about how the suspect’s civil rights should be curtailed. We’re not surprised, and we’ve seen this before.

The handling of Mr. Shahzad touched off the same sort of argument that followed the attempted Christmas Day bombing of a passenger jet bound for Detroit. Some Republicans urged the Obama administration to interrogate Mr. Shahzad without affording him Miranda rights and to classify him as an enemy combatant, which would allow authorities to detain him indefinitely. But Democrats said his quick arrest and his reported confession showed the system can respond to threats of terrorism without resorting to extraordinary tactics.

What should we do with Faisal Shahzad? According to various folks, we should...

1. ...deny him his rights to remain silent and to be represented by an attorney — these are the “Miranda rights”, which are actually guaranteed by the Fifth and Sixth Amendments to the U.S. Constitution.
2. ...classify him as an “enemy combatant”, which changes a lot of rules about his handling.
3. ...make him talk with “harsh” interrogation. This seems singularly unnecessary; all reports are that he’s talking all we want him to as it is.
4. ...try him in a military tribunal, definitely not as a civilian.
5. ...revoke his citizenship. This one comes from the delightful Joe Lieberman, who says this about it:

   It’s time for us to look at whether we want to amend that law to apply it to American citizens who choose to become affiliated with foreign terrorist organizations, whether they should not also be deprived automatically of their citizenship and therefore be deprived of rights that come with that citizenship when they are apprehended and charged with a terrorist act.

All this, of course, before he is convicted of anything.

Allow me to remind people that presumption of innocence doesn’t only apply when white Christians are accused of embezzlement and insider trading. It applies also to black people accused of drug possession, Latinos charged with burglary, and, oh yes, Muslims charged with attempted bombing.

Christopher Bond, a Republican senator from Missouri, has this to say:

We’ve got to be far less interested in protecting the privacy rights of these terrorists than in collecting information that may lead us to details of broader schemes to carry out attacks in the United States,

A reminder, Senator Bond: we’re not talking about minor “privacy rights”, here. These are basic rights to fair and due process, guaranteed to every U.S. citizen who’s accused of a crime. Every indication at this point is that he’s guilty of at least part of the plot, here. But he has not yet been convicted. This is important.

It’s very easy to say that the probable cause is enough to whisk him away and leave his rights behind, but think carefully about where that leads us — and where it leaves you. What happens when someone falsely accuses you of a terrorist act? Would you be ready to give up your rights because, after all, we can’t allow terrorists an opportunity to slip through the system?

Don’t think it couldn’t happen to you. You’re protected by the civil rights you’re assured by the constitution and its amendments, and by the interpretations made by the Supreme Court. Without those protections, you’re vulnerable — you’re only safe until the moment you’re accused.

This is an ideal time to show that those protections work the way they’re intended to, and that we can work within the system and still hold criminals, even those we’ve labelled as “terrorists”, accountable for their actions. Damn, even Glenn Beck agrees with that, Senators.

---

Update, 15:30 — Here’s today’s New York Times editorial on the same thing.

...but only God can make a slick.

According to the “Green” blog in the New York Times, Texas governor Rick Perry says that the oil-rig disaster in the Gulf of Mexico was “an act of God.”

Indeed, hm.

Why would God do that? This isn’t like the Great Flood, cleaning things up and sorting things out. In fact, quite the opposite: it’s making a horrible mess of things. Only a relatively few people will suffer greatly. Louisiana fishermen and oil workers are out of work; did God do it to test the mettle of the fishermen, maybe?

Some animal species in the area will be seriously affected, so perhaps God did it to punish those animals. But, again, it’s only a portion of their population, those in the area, that are affected. The ones down by the Yucatan, or over by Florida will manage. And the ones by Texas, since Reverend Governor Perry prophesies that there will be “no impact on the Texas coast.”

And has God considered the long-term consequences of this? We presume so, omnipotent being, and all. But if we can’t contain this, the oil could spread and contaminate a large area of sea for a very long time. If God did it, will God act to stop it before it goes too far? Or is God now off causing a disaster in the neighbourhood of Antares now, and not paying attention to us at the moment?

The part I find the most fascinating about this is that Governor Perry is so hung up on not blaming BP that he’s willing to put it out there and blame God.

But maybe that makes sense: I guess God has the chops to take it, eh?

A million!

It seems that as of last Friday, there are one million sheep early adopters of the Apple iPad. Let’s see: that’s less than a month to go to one million. As with the iPhone before it, people had lined up ahead of time to be the first ones to buy it, and Steve Jobs notes that it took more than twice as long — 74 days — to hit a million on the iPhone. And that’s just the iPad WiFi-only version. The version that includes 3G just went on sale over the weekend, after the Friday figures.

It is slick, that’s true. I bopped down to the local Apple store a couple of weeks ago, to have a look at one, to hold one in my hand and try it out. Yes, it’s slick. The screen is crisp, and it’s a nice piece of technology.

But I found it a little bit too heavy. As light as it is, at only a pound and a half (680 grams), remember that you have to hold it in one hand while you do the taps and gestures, and use the on-screen keyboard, with the other. And it seems just a tad too heavy for that to be comfortable.

More important to me, though, is the fact that it has no multitasking, and is a specialized machine that only runs specially-designed applications. For me, that just took it off the table. That was also the reason I ruled out the Lenovo Skylight that I’d been mulling over. I want a real computer, with a real operating system, running real applications.

But a million people — OK, somewhat fewer, since I’m sure some folks bought two (or more) — disagree with me. And I hope they’re enjoying their snazzy, spiffy new toys.

Anyway, on the day the iPad went on sale^[1], I bought one of these little guys at the local Best Buy store. And I quite like it. It’s small enough, it’s light enough (heavier than the iPad, but you’re not expecting to hold it while you use it), it has a decent keyboard and a crisp screen, and it runs Windows 7^[2] and all the usual Windows applications. No 3G, but I didn’t really need that and wasn’t looking for it.

The only hassle is getting used to Windows 7, especially since I’m not using it all the time (the MacBook is still my primary computer). I never used Vista, and so many things have changed between Windows XP and Windows 7 that it’s almost like learning things all over again.

---

^[1] Coincidentally, not through any particular planning.

^[2] Yes, ha-ha. I’ve heard all the snide comments about whether Windows is a “real operating system.” Stop that; it is, whether or not you like it.

Never too old

Mary Tattersall has gotten a hole-in-one.

Ms Tattersall is 90, and just started playing golf two years ago. The news media are having fun with this human-interest story, and Ms Tattersall is having fun with all the fuss — I heard her on the BBC World Service radio this morning.

The media, of course, are going with the “amazing feat” thing, but for her part, Mary is being more circumspect. Anyone can, after all, hit a hole-in-one purely by chance. From the Daily Mirror:

Mary, a retired nurse, said: “I don’t think it’s a skill until I’ve done it five times which is unlikely. I’m no Tiger Woods but golf makes me feel alive.”

She certainly sounded very much alive on the radio this morning. Have fun golfing, Ms Tattersall, and we’ll listen for you again after number five!

On the sad side of the news, Lynn Redgrave has died.

Sigh.

Thoughts on lawn mowing

I mowed my lawn last week, the first time for the season. I thought I might make it wait until May, but it didn’t quite... and the weather was so nice for it, that day.

It’s not always, of course, the weather. In the dog days,^[1] when New York hits the upper 90s in both degrees Fahrenheit and percent humidity, it can be a pretty miserable hour. At those times, I’ve thought of finding a neighbourhood kid to do it, as I used to do for others in Florida, forty years ago.

Back then, I got $5 for a lawn. Well, except for my own: my father only gave me $1. On the other hand, Dad also took care of the food and clothing, and bought me lots of other things I wanted, so I think I can give him a break on the lawn thing. Anyway, gasoline prices have gone up by a factor of about ten since then, so at the same rate of increase, I guess I’d expect to pay at least $50 now.

But whenever I think about doing that, I back off. I actually like doing the lawn, even in those dog days. It’s a kind of zen thing, a meditative activity, the drone of the mower acting as a sort of mantra as I go to and fro, to and fro, across the yard, some sixty feet one way and then sixty feet the other, over and over for an hour, thinking about whatever comes to mind. I’d miss that time of enforced meditation.

Sometimes, what I think about turns into something on these pages.

Like this.

---

^[1] And where does that idiom come from?

Contradancing at NEFFA

Here’s a video clip from last Saturday evening’s dance — it’ll give an idea of how many people were there, dancing and having fun.