Google: A Friday Get Together in the Shadow of Dorian

September 7, 2019

When I worked in Sillycon Valley, Friday was a big deal. I am not sure why. Once or twice a month, I would trek to some local joint and hang out with others who worked at our whiz bang technology and cyber data company. In general, the mood was upbeat. We were making money. We did not have vulture capitals roosting on our shiny vehicles. We were not responding to US government mandated document collection tasks.

If the information in Mr. Jeff Bezos’s Washington Post is correct, the Googlers must have concluded that Dorian was pummeling them with rain, high winds, and untethered plastic pool floats. The story is titled “Google Receives Demand for Documents from Justice Dept., Acknowledging Federal Antitrust Scrutiny.” (I was able to read it after wading through the begging-for-dollars pop ups. Really, Mr. Bezos?)

I noted this statement, which may or may not be affected by someone who is breathing the fumes from the Bezos bulldozer idling in front of the Washington Post’s headquarters.

the Justice Department has requested records related to its prior antitrust investigations, marking the tech giant’s first major acknowledgment that it’s a subject of a federal competition probe. The civil-investigative demand — acknowledged in a securities filing and a blog post — comes weeks after Justice Department officials said they would open a broad review of big tech, including search.

Records requests are interesting. On the surface, the request is simple: Gather up the information from “past investigations.” On the other hand, fast-moving, high-tech companies are not really into archiving. Sure, there are document management systems, files on Google Drive, data tucked into USB sticks, paper stored in file cabinets (although some Googlers may not be familiar with actual records management conventions), and maybe, just maybe, data in a Google social media system.

The unknown, as I understand the document landscape, is how to comply with this simple government request.

But there is often a but associated with a simple government request: the content Google provides will be compared with information that the investigators, lawyers, and analysts have.

Anomalies are, in general, not desirable. For example, if the government document reviewers have a document NOT in the Google collection delivered in compliance with the request, an interesting question can be raised:

Why did you Google not provide the same information you delivered in the prior antitrust matters? (Translation: We have info in our files from our previous look at you and you are leaving stuff out.)

Now let’s assume that there is information in the government’s file (usually maintained in accordance with assorted guidelines and regulations about US government document retention). Here’s the question:

Why did you provide a document pertinent to a prior antitrust matter that you previously did NOT provide? (Translation: The trove of documents you Google have just delivered includes information we have not seen before. Why?)

You can generate quite a string of questions from this type of matching exercise. Neither question triggers the unencumbered joy of pre-demand Friday staff get togethers. (Did you know that Google owns the Sports Page in Mountain View?)

Worth monitoring for two reasons:

  1. Is Google’s record keeping up to snuff?
  2. Are the data provided congruent with what the lawyers, analysts, and investigators have in their files both paper and digital?

A digital Dorian in Mountain View?

Stephen E Arnold, September 7, 2019

Brave Is Brave: Google Allegations

September 5, 2019

I read “Brave Uncovers Google’s GDPR Workaround.” The main point of the write up seems to be that Googlers have allegedly engineered a way to work around the GDPR privacy protections. The write up asserts:

New evidence gathered by Brave gives the Irish DPC concrete proof that Google’s ad system did broadcast personal data about Dr Ryan, which infringed the GDPR. In addition, Brave has uncovered what appears to be a GDPR workaround that circumvents Google’s own publicly stated GDPR data safeguards.

“Dr. Ryan” is Brave’s chief policy and industry relations officer. This individual allegedly stated:

“The evidence we have submitted to the Irish Data Protection Commission proves that Google leaked my protected data to an unknown number of companies. One cannot know what these companies then did with it, because Google loses control over my data once it was sent. Its policies are no protection.”

What did Google allegedly do?

First, Google allegedly used DoubleClick components. (Note: DoubleClick patents are quite interesting. You can get started on the path to grasping the nature of the systems and methods Google acquired in 2007 for about $3 billion at this link.)

We learned:

Google allowed not only one additional party, but many, to match with Google identifiers. The evidence further reveals that Google allowed multiple parties to match their identifiers for the data subject with each other.

We noted:

Google Push Pages are served from a Google domain (https://pagead2.googlesyndication.com) and all have the same name, “cookie_push.html”. Each Push Page is made distinctive by a code of almost two thousand characters, which Google adds at the end to uniquely identify the person that Google is sharing information about. This, combined with other cookies supplied by Google, allows companies to pseudonymously identify the person in circumstances where this would not otherwise be possible. All companies that Google invites to access a Push Page receive the same identifier for the person being profiled. This “google_push” identifier allows them to cross-reference their profiles of the person, and they can then trade profile data with each other.

The write up argues:

Brave’s evidence shows that Google’s Push Page mechanism undermines Google’s purported data protection measures. They are also vulnerable to abuse by other parties. We are aware that companies other than Google have used the Push Page mechanism to establish their own Push Pages to share data with their own business partners. This appears to happen without Google’s knowledge. The loss of control over personal data in Google’s RTB system is again evident, and it is clear that Google’s policies have provided no protection.

Let’s assume Brave’s data are accurate. Furthermore, let’s assume that the Irish Data Protection Commission integrates these data into its deliberations. What’s the outcome?

DarkCyber believes that Google’s credibility would take another hit. Fines are unlikely to apply friction to the alleged behavior. Understanding the nuances of what it means when Google operates in a way that is not easily understood by anyone other than specialists is a type of digital circumvallation. It worked for Caesar, and it seems to be working for Google. Of course, if Brave’s data are inaccurate, then Google is just another simple online outfit selling ads. Simple. Efficient. Business as usual.

Stephen E Arnold, September 5, 2019

Conference Presentation Peril

August 29, 2019

No wonder giving a talk at a conference is a terrifying experience for some people. DarkCyber noted “Cryptography Startup Sues Black Hat Conference after Getting Booed and Heckled.” The write up explains:

Crown Sterling, was heckled during its presentation of the paper titled “Discovery of Quasi-Prime Numbers: What Does this Mean for Encryption”

The procedure described in the talk has some value to those engaged in horoscope generation.

A lousy and stupid talk at a conference – so what?

The answer to this question is a lawsuit charging Black Hat “for not upholding its standards of conduct for attendees and for violating their terms of Crown Sterling’s sponsorship package.”

The “sponsorship” angle is very popular at some technology conference venues. Here’s the basic idea:

  1. Pick a sponsorship package like hosting a luncheon, leasing a booth or “stand” in an exhibit hall, providing a mostly useless bag or carry all for marketing collateral, or some other activity. (The conference organizers call these deals by such names as “platinum sponsor” or “open bar courtesy of XYZ Corp.”)
  2. Get one or more speaking slots. You can spot the lack of objectivity in the programs of sponsor supported conferences. Just look for the companies which have two or more presentations; for example, one keynote (big bucks), one thought piece presentation with minimal sales spin, and/or one product presentation (a pure sales pitch).
  3. Receive a list of names of people who stopped by the booth, courtesy of a bar code scanner which sucks in a person’s conference ID code, and the handful of people who stop by the conference organizer office and ask, “Could you give my card to XYZ Corp’s rep? She was not available when I stopped by the booth.”
  4. Watch for conferences at which the “organizer” gives lengthy presentations. These conferences often have an agenda, and it may not be the attendees’ or reflect significant issues of interest to those who have an annual migration to an event.

The problem with this approach to conferences is that when one pays money, maybe as much as $150,000, the company buying a package wants results. Getting heckled is not what the sponsor expects. Therefore, the lawsuit sallies forth.

Attendees, check out who is speaking and how these people get on the program. Conference organizers, why not put on better events so the “sponsorship” lawsuit becomes impossible?

Note: I do attend a few conferences each year. I still get invited to give a talk. This is semi gratifying, but I will be 76 this year, and I have watched the decline in presentation quality and program value. Like many aspects of the tech world, deterioration and Las Vegas razzle dazzle are now the norm.

Stephen E Arnold, August 29, 2019

Capital One and Surprising Consequences

August 4, 2019

DarkCyber noted the ZDNet article “GitHub Sued for Aiding Hacking in Capital One Breach.” According to the “real news” outfit:

While Capital One is named in the lawsuit because it was its data that the hacker stole, GitHub was also included because the hacker posted some of the stolen information on the code-sharing site.

GitHub (now owned by Microsoft) allegedly failed to detect the stolen data. GitHub did not block the posting of Social Security numbers. These follow a specific pattern. Many text parsing methods identify and index the pattern and link the number to other data objects.

What law did GitHub violate? Management lapses are not usually the stuff that makes for a good legal drama, at least on “Law and Order” reruns. The write up reports:

The lawsuit alleges that by allowing the hacker to store information on its servers, GitHub violated the federal Wiretap Act.

DarkCyber thanks ZDNet for including a link to the complaint.

Lawyers, gotta love ‘em because we have a former Amazon employee, a financial institution with a remarkable track record of security issues, and a company owned by Microsoft. What about the people affected? Oh, them. What if GitHub is “guilty”? Perhaps a new chapter in open source and public posting sites begins?

Stephen E Arnold, August 4, 2019

Facebook: Fine, We Are Cooperative

July 25, 2019

Other than sharing fake news, being a hotspot for senior citizens, and causing more drama than a family reunion, Facebook is known to not cooperate with authorities. As a private business, Facebook chooses its own autonomy but the French are fed up and Facebook might comply. A story from Reuters shares that it is an “Exclusive: In A World First, Facebook To Give Data On Hate Speech In French Courts.”

Facebook is notorious for not protecting its users’ privacy, because they sell it to advertisers. However, in an odd turn of non-self-serving events, Facebook complied with French courts to turn over information on users that post hate speech. French Minister for Digital Affairs Cedric O is a big supporter of French President Emmanuel Macron and has advised him on numerous issues related to technology companies.

Macron wants France to exhibit model behavior:

“The decision by the world’s biggest social media network comes after successive meetings between Zuckerberg and Macron, who wants to take a leading role globally on the regulation of hate speech and the spread of false information online. So far, Facebook has cooperated with French justice on matters related to terrorist attacks and violent acts by transferring the IP addresses and other identification data of suspected individuals to French judges who formally demanded it.”

Facebook already turns over information related to terrorism and violent actions, but the inclusion of hate speech will allow French judicial processes to run as intended. O maintains connections with Facebook executives. Since O took office, he has made it a priority to target hate speech. O is also not against US tech companies buying smaller, promising French startups.

Facebook has not revealed hate speech users’ information in the past, because the company says it upholds freedom of speech and does not want other governments misusing that power.

Facebook may be a freedom of speech champion, but we know they are ruled by the almighty dollar or, in this case, euro. Or is it eur O?

Whitney Grace, July 25, 2019

Snowden: Struggling for Relevance?

July 20, 2019

Notorious government information leaker Edward Snowden recently explained how he protected himself during his treasonous acts. The Next Web shares the details in “Edward Snowden Used Bitcoin To Buy Servers For 2013 Mass Surveillance Leak.” Snowden revealed that he relied on Bitcoin’s censorship resistance to leak information in 2013. He revealed this information at Bitcoin 2019, a conference held in San Francisco.

Snowden said he transferred the sensitive information about the National Security Agency and Five Eyes Intelligence Agency to servers paid for with Bitcoin. Snowden lauded Bitcoin’s permissionless and decentralized infrastructure that allows users to exchange funds without being watched. Snowden praised Bitcoin more:

“ ‘Bitcoin is free money […] you are able to exchange and interact permissionless. And when I think about privacy, that’s what it’s all about. What does liberty mean? It’s freedom from permission, it means we live our lives in a way that we can experiment, we can engage, we can try things, we can even fail, and we don’t have to get a permission slip from the principal’s office. We are not watched, we are not recorded […] this ability to act without permission […] is the foundation of all rights. It used to be that governments could watch you […] but now all of this happens with devices that we, ourselves, pay for,” said Snowden, adding “and while we do that privacy stops being the status quo and liberty stops being the natural state of things,’ he noted.”

Snowden reiterated his view that privacy is not about needing to hide something, but more about protecting oneself. He also acknowledged that criminals use Bitcoin, but stated that more criminals use the US dollar. Snowden was charged in 2012 and his passport was revoked. Russia currently grants him asylum, but his residency permit will run out in 2020.

DarkCyber awaits the next Snowden announcement. Perhaps a rah rah for Facebook and Libra?

Whitney Grace, July 20, 2019

Professional Publishers, Release the Legal Eagles

July 19, 2019

Most people don’t pay any attention to professional publishing. There are some folks who live and breathe the world of academics who write, fame loving lawyers who write essays about the “law”, and bright individuals who just want to share what graduate students have discovered. There are also wonky papers cooked up so that the “authors” can attend a conference in Las Vegas, where some dreams can become reality.

Nature published “The Plan to Mine the World’s Research Papers.” The subtitle asks the question, “A giant data store quietly being built in India could free vast swathes of science for computer analysis — but is it legal?”

The answer may be, “Sure, the project is in India, a country which has taken an interesting approach to production of name brand pharmaceuticals.”

The write up is very long: Here’s a summary.

Copy journal, technical, and professional papers. Extract the text and images. Tag the content. Make the data available for data mining.

Simple enough.

DarkCyber noted this statement in the write up:

When Nature contacted 15 publishers about the JNU data depot, the six who responded said that this was the first time they had heard of the project, and that they couldn’t comment on its legality without further information. But all six — Elsevier, BMJ, the American Chemical Society, Springer Nature, the American Association for the Advancement of Sciences and the US National Academy of Sciences — stated that researchers looking to mine their papers needed their authorization. (Springer Nature publishes this journal; Nature’s news team is editorially independent of its publisher.)

How many universities, researchers, and editors working at professional publishing companies would find a use for this information when it is free?

Enough to tip over the classy, little understood worlds of:

  • Tenure track processes
  • Library budgets
  • Professional publishing companies themselves.

Worth watching? Yes, indeed.

Stephen E Arnold, July 19, 2019

More Encouragement for Bad Actors

July 19, 2019

If one is looking to avoid censorship or regional blocking online, the best option is really to set up a VPN. However, for those who prefer a browser-based solution, PirateBrowser may be the answer. MakeUseOf gives us “3 Shocking Reasons to Use PirateBrowser in Your Country.” Reporter Christian Cawley begins with a little background:

“First released in 2013, the PirateBrowser is a web browser issued by the Pirate Bay website. The notorious file sharing site created the browser to help members find the site after it was banned. … The PirateBrowser is a version of Mozilla Firefox with the FoxyProxy add-on. There is also Tor integration (using Vidalia), which helps to beat censorship. For example, sites blocked in countries across the European Union, Iran, and North Korea can be accessed using the Pirate Browser. Sites blocked or limited by ISPs are unblocked when viewing with the PirateBrowser.”

Pirate Bay went on to make another version, PirateSnoop, which is based on Chrome instead of Firefox. So, yes, if one wants to get around censorship or geo-blocked streaming services, these are good options. The third reason may surprise some, but makes perfect sense—getting better prices on hotels, flights, and other purchases. Cawley writes:

“Online stores of all kinds base their pricing on where you are based. With a tool like PirateBrowser, you can visit sites selling technology and other goods and get a different price. This might even be substantially lower than the price on offer in your usual browser. This is a trick that is regularly used with a VPN. Usually, booking flights and hotel stays can prove cheaper by visiting a different version of the usual site. For example, you might live in country A and book from country B to make a saving. While this option isn’t available in PirateBrowser, its ability to circumvent website detection can result in lower prices.”

The article assures us that we need not navigate to Pirate Bay to access PirateBrowser or PirateSnoop, so they are completely legal to download (see the links above). We are cautioned, though, that the browser does not render users anonymous. Websites and internet providers will be able to see what you do, which is more or less of a problem depending on which country you are in. Once again we come to the notion of setting up a VPN—it is your best bet if you need your privacy. In case readers wish to know more about that option, the article supplies this link to MakeUseOf’s list of The Best VPN Services.

Cynthia Murrell, July 19, 2019

Google Is a Curious Outfit: Who, How, Why, Where, Buy, and Build?

July 16, 2019

Ah, the familiar Silicon Valley question: Buy or build?

Reuters, a “real news” outfit, published “Google Accused of Ripping Off Digital Ad Technology in U.S. Lawsuit.” DarkCyber has no idea if the alleged lawsuit is valid or if Google “ripped off” a company called Impact Engine.

According to the “real news” story:

Impact Engine Inc filed the complaint in federal court in San Diego, California, alleging various Google online advertising platforms, including Google Ads and Google AdSense, infringed on six patents.

DarkCyber believes that Impact Engine is convinced that Googlers took technology developed by the smaller firm. Google’s present senior management is probably unaware of the actions of young at heart Googlers.

Based on DarkCyber’s experience interacting with large, successful corporations, Google-type outfits ask a lot of questions. But these are predictable and probably should not be answered without prior thought. Scripting answers is a reasonable way to prepare for a lunch with a predator.

Now what about the basic questions? Here are a few I have experienced:

  • Who are you?
  • Who developed the innovation?
  • Why was it developed?
  • Why is it better than existing innovations?
  • When did you develop the innovation?
  • Did you patent the innovation and receive a patent?
  • Where can this innovation be implemented?
  • How much of a revenue boost does the innovation represent?
  • How much did you spend in cash to create the innovation?
  • How long did it take to create the innovation?
  • How many people worked on the innovation in [a] its preliminary phase, [b] its testing phase, and [c] its commercialization phase?
  • What is the programming language used?
  • Does the innovation run from the cloud or on premises?
  • What are the next series of enhancements you plan to add to your innovation?
  • How long will those take?
  • How much money do you need to implement the enhancements in half your time estimate?
  • Who are your competitors?
  • What are the gotchas in your innovation?
  • Who is your nightmare competitor?
  • What do you worry about relative to this innovation when you go to bed at night?
  • If you had a magic wand, what changes would you make in the innovation as it exists at this time?
  • Would you rough out a block diagram of the major components of the innovation?
  • Would you walk us through your basic slide deck?

There are other questions, of course.

Now a company talking with a Google-type firm is likely to be darned excited to be in proximity to a deep pocket power center. Consequently the visitors are probably going to say too much, be too specific, and reveal more than the visiting team thought was possible.

Yep, well, there’s the fact that power and potential money loosens lips.

What happens when the small outfit leaves with booth leftovers in hand, a reasonable vegan lunch, and worshipful praise from the big company’s “team players”?

Let me boil down the gist of the debriefs in which I have participated:

  1. Is this innovation any good?
  2. Can we duplicate it quickly and easily? (Build?)
  3. If not, how much do you think the innovation is worth?
  4. Can we just license the innovation? (Semi-buy?)
  5. Should we forget this outfit and go to the competitors named in the meeting?
  6. Don’t we already have this functionality?
  7. Does anybody remember meeting with this company or anyone who works there before?
  8. Should we buy this outfit?

There are other considerations, of course.

In short, when big Google type outfits meet with small innovative outfits, the expectations of the small company are likely to be different from those at the big company.

Therefore, the legal dust up. Worth monitoring this particular action. But the matter of patents, prior art, and the patents which the big company may have tucked in their cloud storage device are likely to have some bearing on the matter.

One thing is certain: The lawyers involved will get paid a lot of money. And the money people? Sure. Money people.

Stephen E Arnold, July 16, 2019

Facebook: Fine and a Reminder of Ozymandias?

July 13, 2019

I just wanted to document that Facebook will have to pay a fine. Well, allegedly. On the other hand, the rumored penalty evokes the trunkless legs of stone. Ozymandias time in Silicon Valley. For details, navigate to “Facebook Reportedly Fined $5B over Cambridge Analytica Fiasco.” No high flier wants to wear a t shirt with the word “fiasco” stenciled in red. Perhaps if it were paired with the Nike Betsy Ross shoes and “fiasco” spelled “phiasco”, the label could be trendy. The t shirt would collect likes like a hamburger gathers flies at a picnic on a 90 degree day in Mountain View. I noted this statement in the write up:

The FTC approved the settlement in a 3-to-2 vote with Republican commissioners in favor and Democrats opposing, according to Wall Street Journal sources. The arrangement and further details have yet to be confirmed publicly, and any agreement will still have to be reviewed by the Department of Justice.

Yep, some money, just a bit tardy.

Stephen E Arnold, July 13, 2019
