Published in the Portland Phoenix
The news a few years back that the Bush administration had convinced the big telecom companies to allow the authorities to spy on customers without warrants, in the name of fighting terrorism, caused a ruckus. Americans tend to worry about protecting our privacy from the government or big Internet-based businesses. But what if it was newspapers doing the snooping, hacking into phone and e-mail records of celebrities and politicians, and then publishing what they discover?
In the United Kingdom, just this question has come up in light of revelations that a Rupert Murdoch-owned newspaper, News of the World, had journalists hack into cell-phone voicemail messages of Prince William and Prince Harry and report on personal details revealed in them.
Two men went to jail in 2007 in connection with the scandal, but recent concerns have arisen that the hacking may have been much more widespread, targeting leading politicians, sports stars, and celebrities — as the New York Times put it in a recent story on the scandal, “anyone whose personal secrets could be tabloid fodder.”
(A Parliamentary investigation found that the News editor at the time, Andy Coulson, had not known the phone hacking was taking place, and definitely did not approve it. Coulson is now the chief spokesman for Prime Minister David Cameron, giving the new attention to this scandal a strong political bent.)
Britain’s culture of celebrity-crazed tabloids looks a lot like American pop-culture lunacy, and as US media outlets continue to compete for ever-shrinking shares of an ever-shrinking financial pie, desperation for audience attention is certain to increase.
Still, this level of invasiveness is one we can hope will not darken our shores. Mainstream news organizations tend to see themselves as above that sort of stunt. Even Murdoch’s empire in the US, primarily the Fox network, has so far been content with ambushing public figures on the street and asking them unpleasant questions. (The Murdoch-owned Wall Street Journal, it must be said, seems particularly unlikely to stoop to UK-tabloid style activities.)
Celeb-focused publications and blogs haven’t debased themselves this much yet either, but they might, given the brazenness — and phenomenal popularity — of outlets like TMZ and PerezHilton.com.
The question there, and here, boils down to free-press guarantees. Some people want to outlaw this type of behavior by journalists. But that gets into a slippery slope of the government exerting control over journalists. In the UK, which has a free-press tradition but no written constitution, that is easier than here, with our First Amendment enshrining media liberty.
Some have worried that such a law would have unintended consequences, though that is being debated too: Would new restrictions prevent true public-interest disclosures of very private information, as happened in 2009, when reporters investigating lawmakers’ expense accounts revealed that some members of Parliament watched pornographic pay-per-view movies on the public’s dime?
Under existing laws, UK celebs have, with the help of a cooperative judge (who was replaced last week amid this debate), been increasingly able to get injunctions preventing publication of private information, even if what they’re trying to protect is accurate. (Which brings up other concerns about press freedom.)
In the US, judges have traditionally been much more leery of granting those kinds of “prior restraint” injunctions, preferring to let story subjects seek redress in court after publication. In a shift that shook the American legal landscape, though, a federal appeals-court ruling last year held that a person can be libeled if private information, even if true, is published with “actual malice.”
When that case was reheard in a lower court, a jury reversed the ruling. But injunctions are decided by judges, not juries. It may be just a matter of time here.
Wednesday, September 22, 2010
Wednesday, September 1, 2010
Cybersecurity: Maine breaches
Published in the Portland Phoenix
When many Mainers think of "cybersecurity," they probably remember the 2008 HANNAFORD SECURITY BREACH, when 4.2 million credit- and debit-card numbers were stolen from shoppers at the grocery chain's stores.
What received little coverage amid the hype about the vastly overstated threat of identity theft (only 1800 accounts were actually used to make fraudulent charges — 0.04 percent of the stolen numbers) was that the breach was the first documented case of a new way of stealing this kind of information.
Previously, most security breaches resulting in theft of credit-card, bank-account, or even Social Security numbers had come from a single incident — either a physical theft of a computer or drive containing that information, or by connecting to a computer via the Internet and breaking through whatever security it might have in place. (This happened, for example, to THE UNIVERSITY OF MAINE HEALTHCARE CENTER'S COMPUTERS in June, when an unauthorized person accessed data on about 4600 students who had sought mental-health help at the university.)
But Hannaford's data was stolen over the course of several months, during transmission of the data from store cash registers to the system that the company used to verify card transactions. This process takes only seconds, as shoppers know, and became a target for thieves because protection had been beefed up on physical computers and their electronic defenses.
The fact that some credit-card information is not encrypted when traveling over private corporate networks remains an issue for retailers, banks, and credit-card companies to resolve. (When traveling over public networks, the data must be encrypted.) Also, the Hannaford hack was claimed by some to be an inside job — and there's little defense against data theft by a person who is allowed into a data center.
Most Mainers likely do not know that THE MAINE LEGISLATURE'S WEB SITE WAS HACKED just three months ago, resulting in some mild confusion about the lawmaking process. Specifically, the site's ability to designate the status of bills moving through the Legislature — including keeping users up-to-date on amendments and voting — was modified so that a user who clicked on various links would be taken to a Web site that would attempt to download viruses or other harmful software onto a user's computer.
State computer-support staff took the site offline entirely for several days while they fixed the security hole and reloaded correct information into the database. This went largely unnoticed because the Legislature was not in session at the time.
What received little coverage amid the hype about the vastly overstated threat of identity theft (only 1800 accounts were actually used to make fraudulent charges — 0.04 percent of the stolen numbers) was that the breach was the first documented case of a new way of stealing this kind of information.
Previously, most security breaches resulting in theft of credit-card, bank-account, or even Social Security numbers had come from a single incident — either a physical theft of a computer or drive containing that information, or by connecting to a computer via the Internet and breaking through whatever security it might have in place. (This happened, for example, to THE UNIVERSITY OF MAINE HEALTHCARE CENTER'S COMPUTERS in June, when an unauthorized person accessed data on about 4600 students who had sought mental-health help at the university.)
But Hannaford's data was stolen over the course of several months, during transmission of the data from store cash registers to the system that the company used to verify card transactions. This process takes only seconds, as shoppers know, and became a target for thieves because protection had been beefed up on physical computers and their electronic defenses.
The fact that some credit-card information is not encrypted when traveling over private corporate networks remains an issue for retailers, banks, and credit-card companies to resolve. (When traveling over public networks, the data must be encrypted.) Also, the Hannaford hack was claimed by some to be an inside job — and there's little defense against data theft by a person who is allowed into a data center.
Most Mainers likely do not know that THE MAINE LEGISLATURE'S WEB SITE WAS HACKED just three months ago, resulting in some mild confusion about the lawmaking process. Specifically, the site's ability to designate the status of bills moving through the Legislature — including keeping users up-to-date on amendments and voting — was modified so that a user who clicked on various links would be taken to a Web site that would attempt to download viruses or other harmful software onto a user's computer.
State computer-support staff took the site offline entirely for several days while they fixed the security hole and reloaded correct information into the database. This went largely unnoticed because the Legislature was not in session at the time.
Dueling ideas: Maine's senators on cybersecurity
Published in the Portland Phoenix
Both of Maine's senators, Susan Collins and Olympia Snowe, have backed cybersecurity legislation in hopes of avoiding or averting the catastrophes described in David Scharfenberg's main piece. But their approaches have been different, leading to conflicting bills in the US Senate.
Collins's effort, also backed by senators Joe Lieberman (I-Connecticut) and Tom Carper (D-Delaware), is most controversial because it would give the federal government significant authority to monitor, or even shut down, the Internet or portions of it, if the president declared a cybersecurity emergency. (The fact that the Department of Homeland Security would be in charge of actually doing this doesn't exactly make us feel warm and fuzzy inside, either.)
But beyond that — and despite creating two more federal agencies (the Office of Cyberspace Policy and the National Center for Cybersecurity and Communications) — the bill does make some sense, because it also addresses education and training of future cybersecurity professionals, even introducing some concepts as early as elementary school.
Snowe's plan, proposed jointly with Senator Jay Rockefeller (D-West Virginia), would not go quite so far. It would create a new office in the White House (the Office of the National Cybersecurity Advisor) and set new federal standards for cybersecurity, with which private companies and government agencies would have to comply. It would also provide for licensing and certification of cybersecurity professionals.
Senate Majority Leader Harry Reid (D-Nevada) is reportedly working to combine the two bills and bring the merged proposal to a vote in the Senate sometime in September.
Collins's effort, also backed by senators Joe Lieberman (I-Connecticut) and Tom Carper (D-Delaware), is most controversial because it would give the federal government significant authority to monitor, or even shut down, the Internet or portions of it, if the president declared a cybersecurity emergency. (The fact that the Department of Homeland Security would be in charge of actually doing this doesn't exactly make us feel warm and fuzzy inside, either.)
But beyond that — and despite creating two more federal agencies (the Office of Cyberspace Policy and the National Center for Cybersecurity and Communications) — the bill does make some sense, because it also addresses education and training of future cybersecurity professionals, even introducing some concepts as early as elementary school.
Snowe's plan, proposed jointly with Senator Jay Rockefeller (D-West Virginia), would not go quite so far. It would create a new office in the White House (the Office of the National Cybersecurity Advisor) and set new federal standards for cybersecurity, with which private companies and government agencies would have to comply. It would also provide for licensing and certification of cybersecurity professionals.
Senate Majority Leader Harry Reid (D-Nevada) is reportedly working to combine the two bills and bring the merged proposal to a vote in the Senate sometime in September.
Corporate Albatross Dept.: FairPoint's struggles continue
Published in the Portland Phoenix
It has been a very long time since our last FairPoint update, but you can rest assured that the North Carolina-based landline provider's downward slide has continued, as the company attempts to restructure its way out of crushing debt through bankruptcy-court protection. Here are a few gems from the past few months.
First up, and most recently, on August 5, MAINE TAXPAYERS GAVE FAIRPOINT A $1.1 MILLION GIFT, when Maine Revenue Services agreed to accept just shy of $400,000 as payment "in full" of a $1.5 million tax bill the company owed the state.
But new math appears to be the way, as the COMPANY'S ACTUAL VALUE IS IN SERIOUS DOUBT. In its October 2009 bankruptcy filing, the company claimed its assets, as of June 2009, were $3.236 billion, with debts of $3.234 billion. An independent valuation of the company, however, set its total worth at between $1.8 billion and $2.1 billion. In another filing, FairPoint says its northern New England assets are worth $1.2 billion — far less than the $2.3 billion the company paid (including $1.7 billion in actual cash), to Verizon to take over landline service in Maine, New Hampshire, and Vermont, a takeover that was delayed several times before finally becoming effective at the end of 2008.
Also, ITS BUSINESS MODEL IS FAILING. The bankruptcy filing is clear: "FairPoint has been unable to attain the performance levels it projected at the time of the acquisition" of Verizon's northern New England business. In 2008, 8.5 percent of customers who had been with FairPoint before the merger cut their landlines. That's pretty bad, but customers who joined FairPoint in the Verizon switch left even more quickly: 12.3 percent of them bailed in 2008 alone, according to court documents. That's a big increase from the 7.3 percent subscriber loss Verizon experienced in 2007, which FairPoint's plan had projected it would beat (meaning lower losses, not higher).
The COMPANY HAS TROUBLE FORESEEING THE FUTURE in other ways, too. Beyond FairPoint's bizarre pre-merger projections, Vermont's Public Service Board (its equivalent of Maine's Public Utilities Commission) ruled in late June that "FairPoint has provided virtually no explanation" for its service-quality promises, saying that "based upon the record before us, we cannot find that FairPoint has demonstrated the financial capability to meet its obligations under Vermont law and its (state license) as a telecommunications carrier."
For that matter, FAIRPOINT HAS PROBLEMS VIEWING THE PAST ACCURATELY. In February, the company announced that it had overstated 2009 revenue by 3 percent, or $26 million.
The COMPANY HAS LEVERAGED ITS BANKRUPTCY TO TAKE ADVANTAGE OF STATE REGULATORS in Maine and New Hampshire, getting permission to delay paying millions in poor-service-quality penalties, and even the potential for them to be waived altogether, if service improves. FairPoint also was given extra time in those two states to roll out its outdated version of broadband Internet access to rural customers. Vermont regulators have so far held firm, but FairPoint is asking them to reconsider, and if that fails the company is expected to ask a federal judge to overrule the state officials.
This is particularly ironic in Maine, because FAIRPOINT HAS SPENT MONEY TO LOBBY AGAINST A HIGH-CAPACITY BROADBAND NETWORK to be built with state, federal, and private funds. The company has argued that such an effort would unfairly compete with the slower-speed and later-arriving service FairPoint promises it will one day get around to providing. But federal funds aren't the real issue: having failed to receive any of the $38 million in economic stimulus money it applied for a year ago, the company has nevertheless applied again, this time seeking $20 million in federal funds to build out its network.
In the past five months, two TOP EXECUTIVES HAVE LEFT, AND ARE BEING REPLACED WITH EXECUTIVES WITH PRIOR CORPORATE BANKRUPTCIES ON THEIR RESUMES. Alfred Giammarino, who became FairPoint's chief financial officer in September 2008, resigned March 31 for what were called "personal reasons." He was replaced July 18 with Ajay Sabherwal, who was CFO for Choice One Communications leading up to, during, and after that company's 2004 bankruptcy restructuring. And David Hauser, appointed CEO in June 2009, was asked to resign by the company's major creditors and did so in mid-August. He has been replaced with Paul Sunu, who was CFO of Hawaiian Telecom when that company, another former Verizon landline property, entered bankruptcy protection in 2008.
And then, if all that wasn't enough, FAIRPOINT HAS ARGUED THAT IT SHOULD FACELESS SCRUTINY FROM STATE AND FEDERAL REGULATORS after it emerges from bankruptcy. Specifically, the company told Vermont regulators that their oversight puts the company at a competitive disadvantage when offering Internet and television services that are not regulated by the state, in combined packages with landline service, which is regulated.
In making this argument, FAIRPOINT HAS FORGOTTEN THAT IT PROMISED THE PUBLIC MORE AND FASTER INTERNET ACCESS as a key element in its argument that its takeover of Verizon would benefit the public. Now that it has sought — and received — permission from state regulators to delay and renege on those promises, the public benefit is reduced. No wonder FairPoint wants less regulation.
It has been a very long time since our last FairPoint update, but you can rest assured that the North Carolina-based landline provider's downward slide has continued, as the company attempts to restructure its way out of crushing debt through bankruptcy-court protection. Here are a few gems from the past few months.
First up, and most recently, on August 5, MAINE TAXPAYERS GAVE FAIRPOINT A $1.1 MILLION GIFT, when Maine Revenue Services agreed to accept just shy of $400,000 as payment "in full" of a $1.5 million tax bill the company owed the state.
But new math appears to be the way, as the COMPANY'S ACTUAL VALUE IS IN SERIOUS DOUBT. In its October 2009 bankruptcy filing, the company claimed its assets, as of June 2009, were $3.236 billion, with debts of $3.234 billion. An independent valuation of the company, however, set its total worth at between $1.8 billion and $2.1 billion. In another filing, FairPoint says its northern New England assets are worth $1.2 billion — far less than the $2.3 billion the company paid (including $1.7 billion in actual cash), to Verizon to take over landline service in Maine, New Hampshire, and Vermont, a takeover that was delayed several times before finally becoming effective at the end of 2008.
Also, ITS BUSINESS MODEL IS FAILING. The bankruptcy filing is clear: "FairPoint has been unable to attain the performance levels it projected at the time of the acquisition" of Verizon's northern New England business. In 2008, 8.5 percent of customers who had been with FairPoint before the merger cut their landlines. That's pretty bad, but customers who joined FairPoint in the Verizon switch left even more quickly: 12.3 percent of them bailed in 2008 alone, according to court documents. That's a big increase from the 7.3 percent subscriber loss Verizon experienced in 2007, which FairPoint's plan had projected it would beat (meaning lower losses, not higher).
The COMPANY HAS TROUBLE FORESEEING THE FUTURE in other ways, too. Beyond FairPoint's bizarre pre-merger projections, Vermont's Public Service Board (its equivalent of Maine's Public Utilities Commission) ruled in late June that "FairPoint has provided virtually no explanation" for its service-quality promises, saying that "based upon the record before us, we cannot find that FairPoint has demonstrated the financial capability to meet its obligations under Vermont law and its (state license) as a telecommunications carrier."
For that matter, FAIRPOINT HAS PROBLEMS VIEWING THE PAST ACCURATELY. In February, the company announced that it had overstated 2009 revenue by 3 percent, or $26 million.
The COMPANY HAS LEVERAGED ITS BANKRUPTCY TO TAKE ADVANTAGE OF STATE REGULATORS in Maine and New Hampshire, getting permission to delay paying millions in poor-service-quality penalties, and even the potential for them to be waived altogether, if service improves. FairPoint also was given extra time in those two states to roll out its outdated version of broadband Internet access to rural customers. Vermont regulators have so far held firm, but FairPoint is asking them to reconsider, and if that fails the company is expected to ask a federal judge to overrule the state officials.
This is particularly ironic in Maine, because FAIRPOINT HAS SPENT MONEY TO LOBBY AGAINST A HIGH-CAPACITY BROADBAND NETWORK to be built with state, federal, and private funds. The company has argued that such an effort would unfairly compete with the slower-speed and later-arriving service FairPoint promises it will one day get around to providing. But federal funds aren't the real issue: having failed to receive any of the $38 million in economic stimulus money it applied for a year ago, the company has nevertheless applied again, this time seeking $20 million in federal funds to build out its network.
In the past five months, two TOP EXECUTIVES HAVE LEFT, AND ARE BEING REPLACED WITH EXECUTIVES WITH PRIOR CORPORATE BANKRUPTCIES ON THEIR RESUMES. Alfred Giammarino, who became FairPoint's chief financial officer in September 2008, resigned March 31 for what were called "personal reasons." He was replaced July 18 with Ajay Sabherwal, who was CFO for Choice One Communications leading up to, during, and after that company's 2004 bankruptcy restructuring. And David Hauser, appointed CEO in June 2009, was asked to resign by the company's major creditors and did so in mid-August. He has been replaced with Paul Sunu, who was CFO of Hawaiian Telecom when that company, another former Verizon landline property, entered bankruptcy protection in 2008.
And then, if all that wasn't enough, FAIRPOINT HAS ARGUED THAT IT SHOULD FACELESS SCRUTINY FROM STATE AND FEDERAL REGULATORS after it emerges from bankruptcy. Specifically, the company told Vermont regulators that their oversight puts the company at a competitive disadvantage when offering Internet and television services that are not regulated by the state, in combined packages with landline service, which is regulated.
In making this argument, FAIRPOINT HAS FORGOTTEN THAT IT PROMISED THE PUBLIC MORE AND FASTER INTERNET ACCESS as a key element in its argument that its takeover of Verizon would benefit the public. Now that it has sought — and received — permission from state regulators to delay and renege on those promises, the public benefit is reduced. No wonder FairPoint wants less regulation.
Thursday, August 26, 2010
Press Releases: Maine's broken e-mail system
Published in the Portland Phoenix
When Naomi Schalit of the Maine Center for Public Interest Reporting asked for electronic copies of e-mails between the chairman of the Maine Public Utilities Commission and representatives of companies the PUC dealt with, she did not expect to receive a cost estimate of $10,000 from the state — nor to be required to pay $80 for the privilege of receiving that estimate.
And when she wrote back asking for that exorbitant fee to be waived, as allowed in state law, because she is a reporter for a non-profit organization publishing its material in more than 20 newspapers around the state, she did not expect to get a revised estimate of $36,239.52. (Happily, she was not charged to receive that new figure, though in a passing encounter with the PUC's chief lawyer, she did have to hear complaints about "all the work you're making us do.")
The cost is clearly outrageous, and a barrier to public access to information that belongs to the public. But here's the really surprising thing the Portland Phoenix has learned from just a little research into the matter: the estimate reflects the state's actual cost to extract the information from its e-mail archive, which is so cumbersome that it's next to impossible to actually use.
Greg McNeal, Maine's chief information officer, says he and his staff have calculated that responding to a similar request (from an attorney involved in a lawsuit relating to state government) would take one of his two e-mail technicians an entire year of full-time work.
Hence the sky-high dollar amount: Even with a statutory limit of $10 per hour of state-employee time responding to freedom-of-information requests, the process of e-mail recovery is so lengthy that expenses easily rise into tens of thousands of dollars.
This clearly is not just delaying — and inflating the cost of — Schalit's request, but court proceedings, and even internal state investigations performed at taxpayer expense (McNeal confirms that his agency bills other state agencies similar amounts for similar services.)
McNeal calls the backup mechanism "archaic," and says he has been lobbying to improve it for some time now, but the state lacks both funding and a working example to adapt to Maine's needs.
State archivist David Cheever uses the word "nightmare" to describe this situation, and goes on to say the e-mail backup system is "entirely unworkable."
But Cheever and McNeal both say this is not a problem unique to Maine, which has roughly 12,000 state e-mail accounts, with thousands upon thousands of actual messages, which must all be backed up in a way that must somehow or other be accessible to the public and yet secure from destruction (and, in e-mail messages with criminal-justice information, secured from prying eyes according to strict federal rules).
Neither of them is aware of a state government that has a timely, inexpensive storage-and-retrieval method for state officials' e-mail messages. (For that matter, Cheever says he just got back from a trip to the National Archives, which has also not yet devised a functioning system for billions of federal e-mails.)
The state can't afford to experiment to find something that might work: "We don't have the money to be wrong," Cheever says. But every state is in that boat, and so all of them are sitting around waiting for someone else to experiment long enough to make something work.
Schalit's reaction to this information was partially relief (that she apparently isn't being singled out for obstructionism by state officials wary of her reporting), but also outrage. Calling the existence of a system like this "mind-boggling for anybody who has an interest in history," she says, "If this is the kind of system they have installed for government business, there's something wrong with the system."
But it's Cheever who has the best summary of the way things are right now for anyone interested in how state government is actually functioning: "There's your haystack. Good luck with the needle."
And when she wrote back asking for that exorbitant fee to be waived, as allowed in state law, because she is a reporter for a non-profit organization publishing its material in more than 20 newspapers around the state, she did not expect to get a revised estimate of $36,239.52. (Happily, she was not charged to receive that new figure, though in a passing encounter with the PUC's chief lawyer, she did have to hear complaints about "all the work you're making us do.")
The cost is clearly outrageous, and a barrier to public access to information that belongs to the public. But here's the really surprising thing the Portland Phoenix has learned from just a little research into the matter: the estimate reflects the state's actual cost to extract the information from its e-mail archive, which is so cumbersome that it's next to impossible to actually use.
Greg McNeal, Maine's chief information officer, says he and his staff have calculated that responding to a similar request (from an attorney involved in a lawsuit relating to state government) would take one of his two e-mail technicians an entire year of full-time work.
Hence the sky-high dollar amount: Even with a statutory limit of $10 per hour of state-employee time responding to freedom-of-information requests, the process of e-mail recovery is so lengthy that expenses easily rise into tens of thousands of dollars.
This clearly is not just delaying — and inflating the cost of — Schalit's request, but court proceedings, and even internal state investigations performed at taxpayer expense (McNeal confirms that his agency bills other state agencies similar amounts for similar services.)
McNeal calls the backup mechanism "archaic," and says he has been lobbying to improve it for some time now, but the state lacks both funding and a working example to adapt to Maine's needs.
State archivist David Cheever uses the word "nightmare" to describe this situation, and goes on to say the e-mail backup system is "entirely unworkable."
But Cheever and McNeal both say this is not a problem unique to Maine, which has roughly 12,000 state e-mail accounts, with thousands upon thousands of actual messages, which must all be backed up in a way that must somehow or other be accessible to the public and yet secure from destruction (and, in e-mail messages with criminal-justice information, secured from prying eyes according to strict federal rules).
Neither of them is aware of a state government that has a timely, inexpensive storage-and-retrieval method for state officials' e-mail messages. (For that matter, Cheever says he just got back from a trip to the National Archives, which has also not yet devised a functioning system for billions of federal e-mails.)
The state can't afford to experiment to find something that might work: "We don't have the money to be wrong," Cheever says. But every state is in that boat, and so all of them are sitting around waiting for someone else to experiment long enough to make something work.
Schalit's reaction to this information was partially relief (that she apparently isn't being singled out for obstructionism by state officials wary of her reporting), but also outrage. Calling the existence of a system like this "mind-boggling for anybody who has an interest in history," she says, "If this is the kind of system they have installed for government business, there's something wrong with the system."
But it's Cheever who has the best summary of the way things are right now for anyone interested in how state government is actually functioning: "There's your haystack. Good luck with the needle."
Subscribe to:
Posts (Atom)