“I Can Stalk U” using online pictures

A new website entitled I Can Stalk U has arrived fresh on the heels of the website Please Rob Me. Both websites try to raise awareness about oversharing on the internet today. Please Rob Me focused on how people proactively share their location online. I Can Stalk U looks at a slightly scarier form of oversharing: metadata in online photographs.

I Can Stalk U looks through Twitter for posts that include pictures. It then scans the metadata for the picture and tries to find the address where the picture was taken. If successful, it posts the username and the location in the ICanStalkU feed.

Trevis – a new tree visualization package

The Software Programmer and Efficiency group (SAPE) has created a new tree visualization package that looks promising. Of course it isn’t actually out yet so we will see.

The perils of accidentally skipping TSA secondary screening

This is the story of how I managed to wander around the secure part of an airport for several hours and missed my flight because TSA failed to perform the secondary security screening that was clearly marked on my ticket.

I arrived at Sea-Tac airport over two hours early for a 1 AM flight because I had to check several bags. (Also Sea-Tac offers free wireless.) I checked my bags and got through TSA security with the normal amount of annoyance. I wandered over to my gate and sat and played on the internet for the next hour or so, waiting for boarding to start.

When my zone was finally called I wandered up and gave the lady at the gate my boarding pass, which she scanned. But instead of the normal happy beep, the machine gave me an unhappy beep and a “Random Security Screening” message. I was asked to step aside as the gate lady looked over my pass and typed stuff into a terminal. At this point I’m thinking “great they have to check my ID again for some random pointless security check.” The ticket agent asked for my ID and wandered over to the main desk. She started conferring with the older gate attendant, both of whom seemed a bit confused.

Finally the gate attendant called me over and explained that my ticket is marked with “SSSS” which stands for “Secondary Security Screening Selection”, meaning TSA needs to do a special screening because I fit a profile. I had purchased a one way ticket less than two weeks in advance of the flight. The fact that I got flagged wasn’t that surprising. The younger attendant then told me that I couldn’t board the plane because I hadn’t gone through this secondary screening and that I needed to go back to TSA right now and get screened. At this point zone 3 is already boarding the plane and I’m at the S terminal, so there is at least a 4-5 minute train ride between me and the main terminal. The older lady tells me that because it’s nearing 1 AM all but one of the TSA stations have been closed, and tells me how to get to the only open TSA station. At this point I’m thinking “You have got to be kidding!” and ask if they really think I can get to TSA and back before the plane leaves. Both women looked really sorry for me and said that they will hold the plane as long as possible, but that I had better hurry.

So I, a known potential security risk who has already managed to sneak past TSA, am now turned loose in a virtually empty airport with nothing but verbal orders to go find TSA to get screened. Thankfully I’m not a terrorist, and just really really wanted to make my flight, so I started running back to the main gate. A run, train ride and another run later I managed to make it to the only open TSA screening point after approximately ten minutes.

It took a bit to flag down a TSA officer since I’ve never tried to approach TSA screening from the wrong side before and I didn’t have the time to insert myself into the normal line. Apparently no one had told them I was coming because they were surprised to see me. They were also surprised that I had managed to get through the line the first time and tried to decipher the signature on my ticket without success. They also asked me when I had come through and what the screener had looked like.

The TSA people were as nice as TSA people can be while still doing a thorough job. A female officer patted me down and two other officers went through my bags and scanned my larger bag four times. They found and emptied my full water bottle (I’d originally brought an empty one through and filled it on the secure side of the checkpoint). They also found a cute pen with a vial of glitter filled liquid at the top which they decided to let me keep. When satisfied they signed my ticket with a sharpie and sent me back to my gate.

Another run, train ride and run later I, unsurprisingly, discovered that my plane had left without me. The ladies at the gate re-booked me for a 6am flight. They kept the main part of my original ticket that contained the signature of the screener that had let me through. They let me keep the ticket stub which also contained a TSA signature.

After five hours of trying to sleep upright in an airport chair I tried to board my new airplane. This time round the lady taking tickets wasn’t scanning them. Instead she was tearing off the stubs and handing them to the lady next to her who was typing them in. The first gate attendant happily tore off my new ticket stub, completely missing the SSSS marked on it, and handed it to the second gate attendant next to her for typing in. At this point I really didn’t want to get pulled back off the plane when they discovered the “Random Security Check” message so I intervened and told the first gate attendant that she might have a problem when the other attendant typed it in. I showed the first attendant the signature from TSA. She wanted to keep the ticket but I wouldn’t let her because I might need it for my connecting flight. She told me this wouldn’t be a problem because once I got on my first flight they didn’t check it on the next one. I wasn’t willing to take the risk with a 40min layover and insisted on keeping it, which she finally let me do.

The lady taking tickets was ultimately correct; the next flight did not ask for proof of extra screening.

Several interesting points from this experience:

  • Kudos to Delta personnel for identifying the lack of screening before I got on the plane and correctly not letting me board. As much as I’m irritated, they did do the correct thing.
  • Human screeners are not perfect and will not spot everything they should. The TSA security screener who completely missed this created a potentially dangerous situation AND caused me to miss my flight. I was told by both TSA officers and the gate personnel that seeing SSSS is now a rare occurrence, which is likely why it was missed. This is likely a true observation and an argument for why having human-only initial screeners isn’t the best security option.
  • I don’t think there is a protocol for dealing with this type of situation at the gate. The gate attendants I worked with seemed confused and other than sending me back to TSA they didn’t have a good plan. No call was made to TSA to make sure I showed up. TSA didn’t call them back to say I had actually been screened. I could have happily gone out of sight and scribbled on my ticket with a sharpie and they would have likely let me on the plane.
  • TSA also seemed unsure how to deal with the situation. They simply processed me as if I had been flagged initially and while doing so they were asking each other about things like if they should empty my water bottle or not since I had filled it inside of the security.
  • Accountability didn’t seem to be maintained. I’ve always wondered about the signatures the people who check IDs put on tickets. I now know that there is no clear tie between that signature and the signer. Neither the gate personnel nor the TSA officers knew how to map the signature back to the person who signed it. Though the gate personnel did retain the signature so they could try.

Email for authentication

Many sites online are starting to use email as a type of identity authentication but this only works if your email hasn’t been compromised too.

A Pittsburgh girl found this out when her Facebook account was compromised by a person who put up vulgar posts. She tried re-setting her password only to find that she couldn’t get into her email either. Eventually Facebook deleted her account but that was after weeks of someone pretending to be her online.

Researchers such as Stuart Schechter of Microsoft have done some interesting work looking at how to get back into compromised accounts.

Periodic Table of Visualizations

Visual-literacy.org has a nicely done Periodic Table of Visualizations.

Blogs about data

Quora has an interesting question, “What are the best blogs about data?”, with a lot of good answers.

SOUPS: Feasibility of Structural Network Clustering for Group-Based Privacy Control in Social Networks

Simon Jones presented Feasibility of Structural Network Clustering for Group-Based Privacy Control in Social Networks this week at SOUPS.

The researchers accessed the participants’ friend connections (list of friends) and also looked at connections between their friends. They used the list of friends to do a card sorting exercise, with one contact per card (“cards” were digital and shown on the computer).

They found six common grouping criteria:

  • Social circles & cliques
  • The strength of their relationship – commonly used to divide other groups into people with strong ties or weak ties
  • Geographical locations
  • Organizational boundaries
  • Temporal episodes – For example childhood or undergrad
  • Functional roles – People they had met at events

They compared the groups created by participants with groups created by a clustering algorithm. You can read the details of the algorithm in the paper. Their algorithm was 45% similar to the user-created groups.

They had users find a privacy-sensitive item and asked them to rank their willingness to share it with different contacts in their network. People who were outliers in the social network were more often not shared with. The authors hypothesize that outliers could be used to automatically identify people who users may not want to share sensitive information with.

Using web technologies for research

At the NSF IGERT 2010 Project Meeting this week I will be giving a set of 5 minute talks on how Blogs, Twitter, Wikis, and GoogleDocs can be used in research. Below are some of the links and examples I used in the talk along with short descriptions of how these technologies can be used.

Blogs

My lab, CUPS, maintains a blog where we post everything from news about the lab to detailed reports from conferences we go to. The blog lets us post information others might be interested in even if it isn’t necessarily a paper worthy event.

Blogs are also an excellent way to learn about new information related to your area. Since there can be many blogs to track I use an RSS feed aggregator, such as Google Reader, to subscribe and keep track of multiple blogs.

Finally, blogs can be an excellent way to collect information about your area in one place where you and others can find it again. I use my personal blog, http://kamivaniea.com, to keep track of news articles related to my research. Also when I solve a particularly intricate technological problem that was impeding my research I post the solution to my blog for others to use.

Twitter

Twitter is an excellent way to aggregate and disseminate information quickly. Good examples are: CyLab, Electronic Freedom Frontier, and Wombat Security. You can easily create a Twitter account for a lab or research group and post interesting and exciting news about your lab.

Twitter is an excellent way to keep track of what others are doing. For example I have a list of security and privacy twitter feeds that I follow. Everyone on the list posts interesting things about security and privacy so I monitor their feeds for important information.

Twitter is also an excellent way to connect with people online during conferences. In Twitter anything that starts with a # symbol is called a tag. Using Twitter it is easy to search for tags. For example searching for #igert on Twitter brings up a list of all the Twitter posts tagged as #igert.

Wikis

Wikis are a type of website that let people easily create linked content. Wikis are extremely useful in research for keeping track of information. Basically, using a wiki, you can set up your own Wikipedia that is dedicated to just your research. There are many different types of wikis. Most wikis let you create web pages like what you see on Wikipedia, but each type of wiki is special in its own way. Here are some popular ones:

  • MediaWiki – Originally designed to support Wikipedia, one of the more popular wiki software packages.
  • Trac – Wiki software designed to support people who are all working on the same project or code base. It has an issue tracking system built in which lets people submit bug reports and mark bugs as fixed. It also integrates with SVN (version tracking) installations.
  • TikiWiki – Fairly standard wiki software with lots of features and plug-ins.

Not all wikis are public like Wikipedia. My lab manages a wiki that is only visible to members of the lab, which we use to coordinate shared resources such as laptops and to archive information, such as study procedures, for later use.

Some good wiki examples:

Google Docs

Google Docs is an online document editing site that lets you create and edit Documents, Presentations, Spreadsheets, Forms and Drawings online through Google’s interface. What is really nice about Google Docs is that you can create one document online and let other people see and edit it.

Google Docs is an extremely useful tool for working with collaborators in other parts of the world. You can easily create a shared document and edit it together at the same time. GoogleDocs also supports a chat functionality so you can talk to the other person while you are both working on the same document.

Google Docs is also very useful for running surveys or setting up registration forms. I’ve created an example form where you can rate this presentation and tell me about how you use these types of technology in your research.

The Boucher Bill

Issues of behavioral advertising and online collection of personally identifiable information have been major issues of late. I previously blogged about behavioral advertising and the different ways online advertisers can track you as you move around the internet. But behavioral advertisers aren’t the only source of concern.

Large social networking sites have access to a bewildering amount of personally identifiable and potentially very private data. Sure, they have privacy policies in which they claim to respect your privacy, but most of the policies also state that the company can change their privacy policy at any time and the new policy immediately applies to all existing data they have on you. The EFF recently posted a nice time lapse of Facebook’s privacy policy changes from 2005 to 2010 and the New York Times recently showed that the current Facebook privacy policy is longer than the US Constitution. Amongst its many clauses is the fact that other websites are automatically given access to your data when you use Facebook Connect, developers can infinitely store your data, and any applications your friends use have the right to access and store your data too.

The Boucher Bill is an attempt by lawmakers to force organizations who collect data online and off to provide informed consent to their consumers. The Information Law Group has an excellent breakdown of the Boucher Bill which is definitely worth a read.

Some major points from the bill:

  • Organizations need to provide privacy policies but they can assume that users who use the service have implicitly consented to the policy (opt-out).
  • The bill requires companies to have users opt-in to major privacy policy changes.
  • Express affirmative consent (opt-in) must be obtained before personal data can be sold to other organizations.
  • Organizations can share personally identifiable information with parents and affiliates without notifying users provided the information is not used for marketing purposes.
  • Organizations must provide the policy and get express consent (opt-in) from customers before collecting any sensitive information such as medical information.
  • Consumers must opt-in to any sharing of location information.
  • Organizations cannot collect information about consumers’ cross-site browsing behavior unless they obtain express consent from the consumer before collecting information (opt-in).
  • Organizations collecting information from fewer than 5,000 people per year are exempt.

Update: The CDT has a set of comments on the Boucher Bill.

SIGBOVIK Paper

For April Fools Day this year I published a paper entitled “How to successfully prevent the flow of information in research presentations” in SIGBOVIK.

It’s an excellent satirical guide on how to create good but incomprehensible research presentations that emphasize that the presenter has an important research goal but obfuscate what they actually did.