Dipping Through Geometries

Stop & Shop Skimmers Stopped

2007-02-27T15:15:00.000-05:00

According to the Associated Press today, "four California men were arrested in what police said was a scheme to switch checkout-lane credit card readers at Stop & Shop supermarkets as a way to steal customers' numbers and passwords." The men, whose ages ranged frm 20 to 28, reportedly were arrested last night while attempting to switch keypads at a store in Coventry, Rhode Island. They are charged with conspiracy, computer theft and fraud. They were scheduled to be arraigned this afternoon in Kent County District Court in Rhode Island.

Clueless and Defenseless?

2007-02-08T19:27:00.001-05:00

Eurogamer just reported that a man in New Zealand has been arrested and charged with stealing an Xbox 360 during a burglary, after he called Microsoft "to register the machine and ask for a power cord to replace the one he forgot to steal."

Clueless or Defenseless?

2007-02-08T16:04:00.000-05:00

In the wake of initial media coverage about this week's attacks on DNS root servers, a Sophos press release quoted Graham Cluley, senior technology consultant at Sophos, as commending "the resilience of the root servers" but pointing to "the lax attitude of some users towards IT security" as "the root of the problem." Cluley reportedly found it "ironic that the people who depend on the web may have been the ones whose computers were secretly trying to bring it down."
Cluley's comments, unfortunately, both understate and misstate the problem. If Vint Cerf's recent estimate -- that as many as 150 million of the 600 million computers on the Internet may be infected and pressed into service in botnets -- is correct, the problem is not "some users," but vast numbers of individual and corporate users. At the same time, it is important to keep in mind that "those who depend on the web" also depend on those who provide critical security software and services.
This week, Trend Micro issued an advisory about a serious security flaw in its antivirus scan engine that could be used to trigger a buffer overflow and allow an attacker to take control of the system. One could say it's ironic that a leading security vendor provided security-minded users with products that contained their own signficant vulnerability.
Certainly, the sort of vulnerability that Trend Micro announced is far from unique -- and that's precisely the point. End-users, from naive newbies to sophisticated programmers, should bear only a portion of the total responsibility for improving IT security worldwide. While we move, haltingly, toward a better allocation of responsibility among all participants in the online world (including infrastructure and content providers and IT security vendors) for maintaining IT security, placing the blame on just "some users" simply misdirects the discussion into unproductive debate.

Email Order Bride (and Groom)

2007-02-05T14:58:00.000-05:00

BBC News recently published an intriguing article about the ways in which the Internet is helping the current generation of young Indian professionals to mediate between the deeply rooted tradition of arranged marriage and the modern desire for greater involvement in selecting one's own prospective mate. Young people can use a variety of Indian matrimonial sites to look for prospective mates from their communities, email each other to communicate more freely than in traditional face-to-face meetings that their parents arranged, and present parents with a selection whom they can still meet and approve.

But What Would Homer Simpson Say?

2007-01-28T11:40:00.000-05:00

A number of media articles have reported on the efforts of a Dr. Robert Bohannon, a Durham, North Carolina entrepreneur, to develop and market a caffeinated doughnut. The Durham Herald-Sun reported that Bohannon, a technical consultant for diagnostic companies, came up with the idea six years ago. His initial experiment with purified caffeine literally left a bitter taste in his mouth, but Bohannon persevered. After working with a company to "microencapsulate" the caffeine (i.e., to produce micron-sized caffeine particles and put a coating on them), Bohannon finally produced caffeinated doughnuts and bagels containing caffeine particles with a vegetable oil-based coating that he says doesn't dissolve until it reaches your digestive tract. Bohannon, who has now filed for a patent, recently wrote letters to Starbucks, Krispy Kreme, and Dunkin' Donuts to drum up interest in his invention.
The issue is not whether an entrepreneur ought to pursue a dream. By all accounts, Dr. Bohannon has an intense personal attachment to caffeine: he reportedly drinks four to six cups of coffee a day, and even bought a coffeehouse in Durham. Nor is it whether government regulators ought to examine this product with suspicion, although the volume of caffeine Buhannon's product contains -- 75 milligrams to 100 milligrams, compared to 100 millligrams in an 8-ounce cup of coffee -- could make for some interesting family breakfasts if small children scarf down several Buzz Donuts (Bohannon's trademark for his product) before school.
The real issue is whether the humble doughnut needs to become yet another caffeinated product in our already overcaffeinated lives. Before any company chooses to adopt Dr. Bohannon's proposal, it should consider the likely reaction of the ultimate authority on doughnuts, Homer Simpson. Homer has not only an endless appetite for doughnuts -- having risked even his soul for a doughnut -- but also boundless faith in their virtues, once proclaiming, "Donuts. Is there anything they can't do?" Homer also prizes diversity in doughnut types: as he put it, "American donuts. Glazed, powdered and raspberry-filled. Now how's that for freedom of choice?"
And yet, Homer would undoubtedly frown on Bohannon's creation. Doughnuts, to Homer (and maybe many more), represent everything that caffeine does not: sloth, inertia, and fixation on the pleasures of the moment. Surely he would take a stand against adulterating one of life's minor guilty pleasures -- if only he thought it important enough to try.

CHIP + PIN + HACK = TETRIS

2007-01-05T14:43:00.000-05:00

Two researchers at Cambridge University, Steven Murdoch and Saar Drimer, recently reported their success at hacking a chip-and-PIN terminal to make it play Tetris. As reported in The Register, "The proof-of-concept hack highlights wider security concerns about the terminals even though it was only possible after Murdoch and Drimer replaced most of the internal electronics after opening up the terminal." The researchers also did a short video that is now available (presumably to no one's surprise) on YouTube.

Shop Till Your Insula Drops

2007-01-05T13:39:00.000-05:00

Today's Scientific American includes a summary of a fascinating study published in the January 4 issue of Neuron. As summarized in Neuron Online, a research team, led by neuroscientist Brian Knutson of Stanford University, "performed functional magnetic resonance imaging (MRI) "on individuals while the subjects were deciding whether or not to purchase various items. Their results . . . support the theory that the decision to purchase involves the integration of emotional signals related to the anticipation of both obtaining the desired product and suffering the financial loss of paying for it." Among other findings, the study noted that "the response of the insula (a lateral section of the brain's cortex known to activate during responses to negative stimuli) depended on the purchasing decision--activity there increased when a participant nixed a purchase."
(Note: A link to the Neuron article is available here.)

New U.K. Report on Mass-Marketed Scams

2006-12-20T13:04:00.000-05:00

Today, the United Kingdom Office of Fair Trading (OFT) issued a study on the impact of mass-marketed scams (i.e., scams using direct mail, telemarketing, email, and the Internet) on U.K. consumers. Here are some of the OFT's more intriguing findings:
- An estimated £3.5 billion to scams each year, including estimated losses of £1.17 billion to holiday (vacation) club scams, £490 million to high-risk investment scams, £420 million to pyramid and get-rich-quick scams, and £260 million to foreign-lottery scams. The total equates to about £70 per year for every adult living in the United Kingdom.
- The mean amount lost per scam is £850, but the median is only £14. This means that the distribution of losses is highly skewed, as the mean is increased dramatically by “the relatively small number of persons who lost large amounts of money to scams.”
- Nearly half the U.K. adult population (about 23.5 million people) is likely to have been targeted by a scam, and 6.5 percent of the U.K. adult population fall victim to scams every year.

Q&A: E-Waste

2006-12-19T16:27:00.000-05:00

Think that those old PCs you've been dropping off for "recycling" are really getting recycled properly?. Not necessarily. E-waste, as a recent BBC News report put it, "is thought to be the fastest growing part of municipal waste in the developed world."
The United Nations Environment Programme (UNEP) estimates that as much as 50 million tons of waste from discarded electronic goods is generated each year.
E-waste is particularly problematic for certain West African nations, such as Nigeria and the Cote d'Ivoire. The BBC recently described Nigeria as "increasingly the world's PC dumping ground." Although Nigeria reportedly has a thriving second-hand computer industry, one Nigerian industry representative estimated that up to 75 percent of the PCs exported to Nigeria are outdated and unusable. Jim Puckett of the Basel Action Network, a nongovernmental environmental organization, has stated that unscrupulous brokers and exporters take machines that their former owners intended to be recycled, but do not recycle and instead commingle working and nonworking machines that are exported.
Is there recycling once the unusable computers reach nations like Nigeria? Yes, but not in the way you'd imagine or want. For example, around Lagos, which has no regular computer recycling facilities, e-waste computers reportedly "build up in huge piles" at dumps around the city. Children scavenge these dumps for the waste computers' contents, from which they can earn about US$2 per day, but also expose themselves to serious health risks in the process. Hazardous waste products in the computers include lead, arsenic, and mercury, as well as heavy metals such as nickel, cadmium, and chromium which leach into the soil and end up in plants and in people who consume vegetables.
Are there measures for international cooperation to combat e-waste? Since 1989, the Basel Convention on the Control of Transboundary Movements of Hazardous Wastes and Their Disposal (Convention) has offered a basic legal regime for international action. While other G8 members have ratified or approved the Convention, the United States has not yet done so. The State Department's explanation of the U.S. position is that "before the United States can ratify the Convention, there is a need for additional legislation to provide the necessary statutory authority to implement its requirements." (As a point of reference, the U.S. Senate gave its advice and consent to ratification in 1992.) In the meantime, the State Department also notes that, "with respect to classifying used and scrap electronics, the current Basel system for controlling international shipments of hazardous waste makes trade in many of these materials difficult, and in some cases impossible. The U.S. supports consideration of alternative systems of control for 'e-waste' under the Convention."
Is there consensus about what those alternative systems should be? Not yet. The electronics industry and government officials are far from unanimous on what to do about e-waste. Proposals range from making manufacturers take back used electronics to imposing recycling fees on consumers and establishing cost-sharing arrangements between manufacturers, retailers, and consumers. Earlier this month, the Convention member governments issued an "urgent call for action" on e-waste, with priorities on "launching pilot projects to establish take-back systems for used electronic products, strengthening global collaboration on fighting illegal traffickers and promoting best practices through new technical guidelines."
What can individual consumers do in the meantime? Among other things, whenever you plan to recycle a computer or peripheral, start by asking the manufacturer if it has a recycling program, and ask for details that provide some assurance that they do what they say they'll do. Also, ask organizations like the Sierra Club or the Environmental Defense Fund for recommendations on reliable recycling companies or groups.
In some ways, the problem of e-waste is like the problem of conflict diamonds. No one person or company in the distribution chain is solely responsible for the problem, and most people would agree that the commodity is undesirable, yet under current legal regimes even a comparatively small number of unscrupulous enterprises can profit from its sale at the expense of innocent people. Perhaps, like conflict diamonds, e-waste needs its own "Kimberley Process," in which companies certify that they will recycle the electronics that they receive and will not ship them elsewhere for profit. Such a process could create incentives for reducing e-waste and provide a basis for concerted action by industry and governments in reducing the international spread of e-waste.

Cooper v. Universal Music Australia - Full Text

2006-12-19T14:41:00.000-05:00

For those interested in yesterday's ruling by the Australian Federal Court in Cooper v. Universal Music Australia -- which found the operator of mp3s4free.net and an ISP guilty of authorizing copyright infringement, by providing a search engine that enabled Internet users to illegally download MP3 files -- the Sydney Morning Herald provides what more online news reports on significant judicial decisions should include: a link to the full text of the decision.

Say Nyet to Time Webstore

2006-12-19T13:56:00.000-05:00

Australian authorities have expressed concern that a website purporting to offer iPods and plasma TVs at below-market prices may be fraudulent. The website, www.timewebstore.com, lists physical and P.O. Box addresses in Darwin in the Northern Territory. As The Sydney Morning Herald first reported, however, the timewebstore.com domain is registered to a Vladimir Hotovksy in Moscow.
Other facts in the Herald article strongly suggest the fraudulent nature of the site: customers have complained that they did not receive the goods they ordered; the street in Darwin where the Time Webstore's head office is supposedly located does not exist; and the bank account used to pay for a $17,000 newspaper ad directing people to the website was false. Also, for what it's worth, the administrative and technical contact for the company hosting timewebstore.com's servers, hqhost.net, is a Sergey Sabatyev in New York City, and hqhost.net has numerous links to Russian websites, including porn sites.
As of this writing, www.timewebstore.com is still up and running.

New Recipe for E-Commerce Down Under: Kiwis?

2006-12-19T13:24:00.000-05:00

A new Nielsen Media Panorama report states that more than 1.25 million New Zealanders have shopped online in 2006 -- an increase of more than 400 percent since 2001. What e-commerce sites should find even more interesting is that more than 400,000 Kiwis had made at least six online purchases in 2006 - a 700 percent increase since 2001.

Unauthorized Hacking - NZ$7500. Chutzpah - Priceless.

2006-12-19T12:37:00.000-05:00

Not many reports about cybercrime issues are likely to induce a triple-take, but yesterday's New Zealand Herald included a report that could do just that. According to the article, one Gerry Macridis, described as a "security consultant," admitted that he had accessed the New Zealand Reserve Bank's computer-controlled telephone system without authorization. Macridis is now threatening the Reserve Bank with legal action if he is not paid NZ$7,500 for the information he gave the Bank about security flaws in the phone system.
The fact that Macridis lacked authorization to access the system is apparently both insignificant and irrelevant, as he claims the Bank then used his information to fix the security flaws he found. Macridis reportedly had taken the trouble to send the Bank a report that detailed the security flaws (although the Bank did not request it), and had called the Bank asking for payment for his unsought advice.
Now for the triple-take: Because of his unauthorized access to the Bank's system, Macridis was prosecuted in Wellington District Court, and pleaded guilty to the unauthorized access. Yet the judge -- after hearing from Macridis that "the bank's phone system was the worst he had seen in 11 years as a consultant and was vulnerable to tapping from overseas" -- discharged Macridis from conviction. The judge reportedly stated that Macridis "had acted honourably and a conviction would be disproportionate to the crime."
This ruling does not bode well for law enforcement or IT security departments in New Zealand. Under this court's apparent reasoning, any self-described "security consultant" can hack a computer system, and present the system owner with information on the vulnerability along with a bill for unrequested "services" (at least, as long as he is careful not to threaten harm to the system if he is not paid). One can only hope that Kiwi courts will give any legal action by Macridis short shrift, and perhaps recognize, as future Macridises less come along, that unauthorized access to computers -- far from being "honourable" behavior -- is criminal conduct that deserves to be recognized as such.

List vs. List?

2006-12-18T18:27:00.000-05:00

A recent TechNewsWorld.com article ascribes to Robin Bloor, a partner with a consulting and research firm, the view that antivirus software is "irrelevant" to computer security, as it represents a reactive and ineffective approach to malware. It also attributes to him the view that "[t]he correct solution to the problem" is a whitelist (rather than blacklist) approach, authenticating software before it runs.

While the article goes on to note that others concerned with online security also see virtues in whitelisting, it inadvertently sets up a false dichotomy, by suggesting that enterprises must choose between whitelist and blacklist approaches in selecting security solutions. Perhaps the competing claims of vendors that offer different solutions has something to do with this. Nonetheless, CIOs who select and implement network-security measures should put themselves in the shoes of Ansel Adams. Adams never relied on a single hue -- black, white, or gray -- in composing his masterworks, and neither should an IT department in choosing security solutions. The "right" solution may require a variety of security "shades" -- blacklist, whitelist, graylist, or a combination thereof -- as well as other elements that create a fully integrated approach to security.

More Juki Net Developments

2006-12-13T18:25:00.000-05:00

Just 11 days after the Osaka High Court allowed a suit challenging the constitutionality of the Juki Net network, the Kanazawa District Court of the Nagoya High Court overturned a lower court ruling that had found Juki Net unconstitutional. The lawyer for the 28 plaintiffs in the Kanazawa case indicated they plan to appeal to the Supreme Court. The Japan Times article reporting on the decision contains a number of excerpts from the presiding judge's opinion in the Kanazawa case.

New Woes for Juki Net

2006-12-08T12:27:00.000-05:00

In the latest setback for the Japanese Government's efforts to implement Juki Net -- the national data network that links Japanese citizens' personal data at local residency registries, such as a person's name, sex, address and date of birth, to an 11-digit identification number assigned to every Japanese citizen -- a three-judge panel of the Osaka High Court declared on November 30 that the entry of personal data into Juki Net without residents' consent was unconstitutional. The court directed three Osaka Prefecture municipalities that were defendants in the case "to remove data on four of their residents from Juki Net." The mayor of one municipality in indicated that he supported and would accept the court's decision, but two other municipalities reportedly plan to appeal the decision to the Supreme Court. Since 2002, several municipalities have opposed participation in Juki Net because of concerns about the risk of data leaks.

Phony Telephony in Japan?

2006-12-07T13:58:00.000-05:00

This week, the Japan Times has run two Kyodo News stories reporting that earlier in the week, Japanese police searched the offices of KDDI Corp., a leading telecommunications service provider, and Kinmirai Tsuushin, an Internet telephony company that had leased circuit capacity from KDDI. Kinmirai reportedly had taken in about 40 billion yen (US$348 million) from approximately 3,000 investors, promising what Kyodo News termed "unrealistically generous returns from their investments, which it claimed were being used to build a proprietary server network."
Kinmirai reportedly "had advertised that it had set up servers with state-of-the-art voice encoding technology around the globe for its Internet protocol phone service." However, during a government inspection in November 2006, Kinmirai "admitted that only seven of the 2,466 servers it claimed to have installed at 123 locations in Japan and elsewhere were operating." That same month, KDDI canceled its contract with Kinmirai after Kinmirai failed to pay KDDI approximately 32 million yen (more than US$278,000). Kinmirai also had stopped paying "returns" to investors, and shut down most of its and its subsidiaries' operation on November 20.
The article also notes that "[m]uch of the 'investment returns' are thought to have been funded by money paid in by new investors," though it does not make clear whether the thoughts are those of the police, regulators, investors, or others. Although Japanese investors have encountered larger Ponzi schemes before, in the form of "Special Purpose Vehicles" and Martin Armstrong's "Princeton notes", the possibility of a massive Ponzi scheme in a cutting-edge sector like VOIP would be unwelcome news throughout the Japanese IT and electronics industries.

A Note on POSTNotes

2006-11-19T15:38:00.000-05:00

Last month, the United Kingdom's Parliamentary Office of Science and Technology (POST) issued what it calls a "POSTNote" (i.e., a briefing paper) on computer crime. In this POSTNote, POST -- which bills itself as "the UK Parliament’s in-house source of independent, balanced and accessible analysis of public policy issues related to science and technology" -- offers an elementary but useful overview of significant trends in computer crime and legislative, enforcement, and user responses to the problem.
For those interested in a U.K. perspective on science and technology issues, POST has been publising POSTNotes and longer papers online since 1995 in four areas: biological sciences and health; environment and energy; physical sciences and information technology; and science policy. Other IT POSTNotes in the last six months include data encryption; pervasive computing; and information and communications technology in developing countries.

Who Is Valerie McNiven, and Why Does She Keep Saying Those Terrible Things About Cybercrime?

2006-11-17T15:18:00.000-05:00

The lead for a November 12 article on cybercrime by Paul Horn of Business Week Online read as follows: "Last year for the first time, proceeds from cybercrime were greater than proceeds from the sale of illegal drugs, according to recent comments by Valerie McNiven, an adviser to the U.S. Treasury Dept. 'Cybercrime is moving at such a high speed that law enforcement cannot catch up with it,' she says."
Two things about these statements are indisputable. First, unless readers define "recent" in geologic time, they are not recent. McNiven reportedly made both of these comments more than a year ago, in a November 2005 interview that got extensive online coverage. Second, they lack a reliable empirical basis. Not long after McNiven's 2005 statements, stalwarts of the computer security community, including Bruce Schneier and Robert Richardson of CSI, seriously questioned the provenance and accuracy of her data. Nonetheless, some online media have continued to cite McNiven's comments in cybercrime articles during 2006 without further scrutiny.
In fact, currently available data can support only a conclusion that the growth of cybercrime is neither inexorable nor (a slight bow to P. G. Woodhouse) exorable. "Cybercrime" remains a term for which there is no generally accepted definition. As a result, the inclusion or exclusion of various types of computer-related crime is a factor that can dramatically affect the ability to say, even anecdotally, whether cybercrime is "growing" or not. Moreover, until we move away from well-intentioned cybercrime surveys based on nonrandom samples, like the CSI survey, and toward surveys based on truly random sampling rather than self-selection by survey respondents, such as the National Computer Security Survey, thre is no reliable way to measure "growth" of cybercrime as a whole in quantitive terms.

Cybercrime Up in Japan? How Would We Know?

2006-11-07T21:14:00.000-05:00

The November 8 edition of the Japan Times reports that the Japanese Ministry of Justice has just issued a new "white paper" on crime for 2005. According to the story, the white paper states, among other things, that cyber crimes "have been growing steadily in the last five years but leaped substantially from 1,884 instances in 2004 to 2,811 in 2005." The white paper also states that this "leap" was attributed to a "surge in Internet fraud through online auctions, from 542 case[s] in 2004 to 1,408 in 2005." Since the article does not explain what the white paper means by an "instance" or "case," it is difficult -- as usual when the media reports on criminal justice statistics -- to know how to interpret these statistics. Posting of the white paper on the Ministry of Justice website might allow researchers and criminal justice professionals readier access to the data, and allow more meaningful analysis.

One Hammer Per Child

2006-09-05T19:06:00.000-05:00

As much of the high-tech world continues to focus its attention on the problem of the digital divide, two recent stories offer an instructive contrast in the priorities we choose for providing technology to children. eWeek reported on the efforts of the One Laptop Per Child (OLPC) organization to overcome the problem of building a $100 laptop with a display "that is rugged, inexpensive and readable in a wide variety of conditions from low light to bright sunlight." The article included an interview with Mary Lou Jepsen, the CTO of OLPC, who explained the technological choices that could make such a laptop economically feasible.
Three days later, the International Herald Tribune ran an article about child laborers in sub-Saharan Africa. More than 25 percent of children below the age of 14 in sub-Saharan Africa work for a living. Many of the children profiled -- some as young as 7 or 8 -- work in quarries, using hammers to beat "football-size chunks" of rock into powder, which can be sold for construction work at the rate of approximately $3 for half of a cement bag filled with powder. One nine-year-old boy who does not have a hammer uses a thick steel bolt to beat the rock. Still other child laborers are found in prostitution, hazardous jobs on plantations and mines, and other forms of work that are outlawed by international conventions and domestic law.
The issue is not whether it makes sense for OLPC to be pursuing a dream of $100 laptops for children around the world. In developing regions, low-cost computer and Internet access could be highly beneficial to children, and for that matter their parents and grandparents. But if some technologists can devote time and money to building and distributing cheaper laptops to the world, surely others could devote some more time to thinking about what affordable technologies might be developed for poorer regions of the world so children can survive -- and perhaps one day attend schools where those $100 laptops would be available.

From Phishing to Vishing

2006-07-16T12:28:00.000-05:00

Two noteworthy types of phishing attacks have recently been reported. The first involves the International Monetary Fund. A July 14 IMF press release warns the public about both phishing and website spoofing attacks using the IMF's name, and indicates that some of the fraudulent solicitations offer that hardy perennial of investment fraud schemes, the "high-yield" or "prime bank" scheme.
The second, reported in a July 11 Internet News article and a July 15 E-Commerce Times article, involves VoIP-based spam/phishing attacks, in which the spam purport to be from a financial institution. In this attack, which the Internet News article labels "vishing," The spam text is intended to persuade recipients to dial a telephone number and enter their bank account and PIN numbers. The E-Commerce Times article cites a senior research scientist with Cloudmark, Adam J. O'Donnell, in explaining that callers are "connected over VoIP to a PBX -- private branch exchange -- running an IVR [i.e., Interactive Voice Response] system that sounds exactly like their own bank's phone tree, directing them to specific extensions." The article adds that "VoIP-based services allow phishers to cheaply add and cancel phone numbers that are harder to trace than conventional numbers."

A New Treaty on Criminal Matters

2006-07-03T11:57:00.000-05:00

Last week, according to the Japan Times, the United States and Japan exchanged ratification documents for the Mutual Legal Assistance Treaty (MLAT), which will facilitate mutual exchanges of information between the two countries for use in criminal investigations and prosecutions. Although the United States has negotiated and signed more than 50 bilateral MLATs with foreign governments, this is the first treaty that the Government of Japan has ever signed and concluded.

Commentators from Sophocles to Charles de Gaulle have cast doubt on the efficacy of treaties. MLATs such as the U.S.-Japan Treaty, however, are an exception that proves the rule. Prior to the development of MLATs, the traditional means of obtaining evidence from other countries was the letter rogatory. As a State Department circular explains, a letter rogatory is issued by a judicial authority in one country and addressed to a judicial authority in the country whose assistance is being requested. Among other shortcomings, the letter rogatory process does not ensure that the request will reach the appropriate judicial authority, or require the government whose assistance in a criminal matter is requested even to respond.

In contrast, an MLAT makes it a mutual obligation of the parties to respond to each others' requests for assistance, and to establish central governmental authorities that ocmmunicate with each other in receiving and processing all MLAT requests. Ratification and entry into force of the new treaty can be expected to facilitate bilateral cooperation between Japan and the United States on a wide range of criminal matters.

Question: "Who Invaded Computers in the 21st Century?" Answer: "Moop"

2006-06-27T11:17:00.000-05:00

The London Times reported that police in the United Kingdom and Finland arrested three men in their homes this morning, in connection with an alleged conspiracy involving the writing and distribution of computer viruses. The men - reportedly a 63-year-old man from England, a 28-year-old man from Scotland, and a 19-year-old man from Finland - allegedly creating Trojans attached to spam that set up back doors to infected systems. Authorities believe that thousands of systems in the United Kingdom and other countries were infected with the virus, known as Ryknos, Breplibot or Stinkx, to create a zombie network.

According to a detective constable with the London Metropolitan Police Computer Crime Unit, the men allegedly coordinated their activities through a forum that they named "Moop." [Note: Although the Times ascribes the name to the garage band of South Park characters, Urban Dictionary lists no fewer than 32 definitions for "Moop."] The men were reportedly being interviewed by police on suspicion of conspiracy to commit unauthorised modification of computer material, in violation of the United Kingdom's 1992 Computer Security Act.

The Wrong Men

2006-06-25T21:32:00.000-05:00

In Alfred Hitchcock's classic film The Wrong Man, one character, Lieutenant Bowers, confidently stated, "An innocent man has nothing to fear, remember that." Two recent reports from the United Kingdom and the United States show that, even in a world of high-tech law enforcement, innocent men have something to fear when criminals turn them into victims of identity theft. In the United Kingdom, Friday's London Times recounted the case of Roderick Rigby, a 51-year-old Lancashire upholsterer, who "received 52 summonses for driving offences that he says he did not commit" and was convicted and fined in his absence -- sometime even when he was on vacation.

According to the Times, Rigby started receiving mailed notices of fines for driving offenses, though the notices were for people with different names. He also learned that people were registering cars under his name and then accumulating parking and speeding tickets. In May 2004, he himself was arrested after someone named Royle, who was wanted for driving a car without a license or insurance, gave Rigby's address. The arresting officer apparently cautioned Rigby in the "names of Royle or Rigby". [A note on United Kingdom criminal law: A "caution" means that the suspect must go to a police station, where a senior police officer formally addresses the suspect and warns him or her about the alleged conduct and the consequences if the suspect commits a further offense. The caution is then recorded in writing. According to the U.K. Criminal Justice System Online website, a caution is not a conviction, but "can be put before a court if the suspect is convicted of another offence."] After the Driver and Vehicle Licensing Agency confirmed to magistrates that Rigby was not the offender, the caution was expunged from the record.

Nonetheless, later in 2004 a driver stopped for speeding somehow knew Rigby's name and address and gave them to police, along with a close approximation of Rigby's date of birth. When the driver failed to show up at a police station to produce his driver's license, insurance certificate, and vehicle registration, as required under U.K. law, Rigby received a summons ordering him to appear in court. He also started to receive other parking tickets and speeding fines, and had to appear nine times in court just on the initial summons. In another case, a court threatened him with contempt of court when he tried to explain that his was a case of mistaken identity. A conviction on one charge gave Rigby a £540 fine and six points on his license. His barrister later estimated that contesting the charges cost Rigby £30,000. Subsequently, Rigby was present at a hearing on one of the charges against him, when he heard a Crown Prosecution Service (CPS) prosecutor tell the court "that the defendant was excused from appearing in person because he was in prison for wounding." In a scene that would seem implausible in a B-movie, Rigby jumped to his feet and said, “No, I am not. I’m here.” Ultimately, a judge stated "that heads would roll at the CPS if it could not explain the matter."

A CPS spokeswoman later stated that the suggestion that Rigby was in prison for a wounding was "an administrative error," evidently due to the fact that Rigby had been confused with a real prisoner, Roderick James Rigby, who was serving a 14-month prison sentence. The spokeswoman confirmed that the Rigby in prison and the Rigby in court were not the same man.

Today's Washington Post reported the case of Elias Fishburne IV, a hairdresser from Maryland who was mistakenly arrested after a traffic accident in which he was involved. More than a decade ago, Fishburne had lost his Navy identification before shipping out for Desert Storm. On his return, he found that someone had bought thousands of dollars of furniture, clothing, and cellphones in his name. In the case of a $4,000 furniture purchase, a letter from his former captain, swearing that Fishburne was at sea at the time of the purchase, apparently cleared up the matter.

On May 5, 2005, however, Fishburne was arrested after his accident by a Maryland state trooper, after a Georgia arrest warrant listed Elias Fishburne as one of several aliases used by a career criminal, Jarvis Tucker. Even though, according to Fishburne, a booking officer at the county jail could see that Fishburne's date of birth, height, weight, and facial features were clearly different from those of Tucker, another officer dismissed the doubt and Fishburne was processed.

Over the next 37 days that Fishburne spent in custody, the criminal justice system repeatedly fell short in the fundamental task of verifying that Fishburne was indeed the man Georgia was seeking. According to the Post, the arresting officer did not perform a required computer check in the National Crime Information Center computer "because the computer system was out of service." Five Maryland law enforcement and corrections agencies and the Georgia sheriff responsible for the warrant regarded someone else as responsible for confirming Fishburne's identity. Fishburne was advised to waive extradition to Georgia without being told that waiver, in effect, would suggest that he was the person being sought. Even after arriving in Georgia for processing at the Fulton County jail, and the booking officer taking his fingerprints could see the prints of Tucker on her computer screen, she reportedly agreed that "[i]t doesn't add up" but continued to process him.

Thirty-six hours after his arrival at the jail, a background check by Fulton County authorities finally showed that they had the wrong man. Fishburne was released with no cash, no apologies, and no ticket home. Authorities did give him an $80 check to refund money that his mother and friends had deposited in a jail commissary account. The check was made out to Jarvis Tucker.

Power Trips in India

2006-06-19T11:50:00.000-05:00

Last Monday's Washington Post ran an interesting feature about the efforts of S.K. Das, a utility company enforcement manager in New Delhi, India, to track down individuals and businesses who steal power from his company. The theft of electrical power in New Delhi is a substantial problem. The New Delhi power ministry reports that about 36 percent of all power consumed in this city of 14 million is stolen. The substantial number of free-riders places significant strain on the city's power grid, which can experience blackouts of whole districts of the city when residents use fans and air conditioners to get relief from oppressive summer heat.
Part of the solution, according to the article, is technological: new power meters equipped with computer chips and modems, which enables monitoring of tampering from remote locations; and replacement of low-voltage lines, which individuals can tap simply by throwing metal hooks over the lines, with high-voltage lines. For now, however, human intervention, involving both power company employees and the police, appears the most effective deterrent to continued power theft. Power thieves span the social classes, from slum dwellers to the affluent. The work of cutting off power theft is not without its risks: earlier this year, while trying to conduct an enforcement raid, Das and his enforcement team "were beaten by a mob that a local politician had whipped up." To his credit, Das recognizes that power theft has been a habit for "the past 20 or 30 years," and sees his work as a way of changing "the mind-set of the people."
Das's efforts can be seen as a microcosm of India's struggles to curb power theft and upgrade its electrical infrastructure. A recent BBC News report estimated that "somewhere between a third and half of the country's electricity supply is unpaid for." Moreover, Indian farmers, whose irrigation systems reportedly consume at least 20 percent of India's power, are accustomed to getting free or unfairly low-priced power (i.e., low set rates that take no account of the volume of power consumption). The Christian Science Monitor reported last year that farmers did not take kindly to government cutoffs of free electricity in many areas. Even after the Indian Parliament made power theft a criminal offense in 2003, some politicians are reluctant to challenge the farmers' lobby or upset constituents by pressing the power theft issue too vigorously. Reported "high-level collusion involving big industrialists and politicians" may also make some utilities cautious about challenging the politically powerful.
In the end, what may work best in changing Indian attitudes about power theft is a combination of simple changes in technology and the enlistment of community and religious leaders' support. A June 13 article in the Indian Express noted that in Godhra, India, the local power company laid PVC-covered cables to defeat the hook-and-wire method of pilferage, and installed pole meters to measure power disbursement from each pole. But the company also initiated a dialogue in communities to build support for change, and found religious leaders who were willing to speak about the issue. In his sermons at a local mosque, one maulvi [i.e., an Islamic religious cleric or teacher] "explained to people how bad theft is from [a] religious point of view. Some other religious leaders also pitched in and told people that if they do namaz [defined as the five daily prayers by Muslims to Allah] after washing hands with water obtained through power theft, it wouldn't be heard by Allah . . . ."

Snakes on a Train

2006-06-19T10:01:00.000-05:00

A brief article in the Japan Times provides a cogent reminder of how even the most advanced nations can find unexpected vulnerabilities in their infrastructures. Last Saturday morning, a rat snake made its way into a railway transmission substation in Wakayama Prefecture. When the snake touched a live wire and was electrocuted, the short-circuit reportedly caused a power outage that resulted in the cancellation of 12 train runs and the stranding of about 350 passengers for a couple of hours.

Big Phish, Little Phish

2006-05-31T21:29:00.000-05:00

Today's Japan Times reports that Japanese police arrested eight people yesterday for alleged involvement in a "phishing" ring that obtained personal information from Internet users through a bogus Yahoo! Japan auction site. The Tokyo-based ring allegedly obtained personal data for about 1,000 people since last year and used some of those data to defraud about 700 people out of approximately 100 million yen (more than $890,000). From September 2005 to April 2006, the ring allegedly spammed users of Yahoo! Japan with email that purported to show their auction records. Clicking on the link in the spam took users to a bogus Yahoo! auction site at which many evidently disclosed their IDs and passwords. The members of the ring allegedly then used some of these identifying data to access the real Yahoo! Japan site and conduct bogus auctions, in which bidders who thought they were successful wired payments to the ring's bank accounts.
Interestingly, police reportedly disclosed more details than usual in Internet crime cases about how they tracked down the ring members. According to the article, police said that investigators analyzed Internet access records "and videos from security monitors at financial institutions where the wired money was withdrawn."
The same article also reported that the Tokyo Metropolitan Police Department had turned over to prosecutors the case of a 14-year-old boy who allegedly ran a separate phishing scheme. The scheme reportedly involved obtaining names and email addresses of dozens of people who thought they were registering for an online gaming site. The boy, who allegedly admitted to the scheme, said that he used these data to access a real online gaming site to play online games and send threatening emails to some of his victims. Police also said that they do not plan to arrest the boy "because he lives with his parents and there is little risk that he will flee or destroy evidence."

Beyond Panchira

2006-05-21T00:24:00.000-05:00

The Mainichi Daily News recently reported on a loathsome trend in Japan that makes "upskirting" ("panchira" in Japanese) look tame. In the underground DVD market in Japan, the new attraction is footage - distributed via the Net and DVDs - that shows men running up to unsuspecting women, pulling up their dresses, and pulling down their underwear. One writer told the Daily News reporter, "They're all underground movies, so the faces and other parts you see are all real. And it's the horrified reaction of these women that's apparently the biggest turn-on for the perverts who are into this kind of thing. They're really popular." The writer also estimated that with five DVDs of this type on the market, each containing about 30 filmings, at least 150 woman have been subjected to these assaults. Some filmmakers are reportedly expanding into footage that shows women wearing tube tops having their tops ripped off.

In the United States, there is supposedly active debate in some quarters on whether upskirting should receive First Amendment protection, at least in some situations when the upskirting is shot in a public place. [See Wikipedia.] This new wave of behavior in Japan isn't even close to upskirting -- it's sexual assault, plain and simple, and should be treated as such. It's also, like upskirting, a paramount example of the need for laws that vindicate, as Justice Brandeis elegantly put it more than a century ago, "the right to be let alone." If upskirting can be made a misdemeanor, as the State of Maryland just did, this new practice, if it's not already covered by current sexual-assault statutes, should be made a felony before it catches on anywhere else in the world.

BB = Barely Bothersome or Big Bucks?

2006-05-20T23:57:00.000-05:00

Yesterday's Japan Times reported that on Friday, May 19, the Osaka District Court ordered BB Technology Corp., a Yahoo! BB ISP, to pay 6,000 yen (about $53.75 at today's exchange rate) in compensation to each of five former or current BB subscribers for the theft of their personal data from BB Technology's server. [http://search.japantimes.co.jp/cgi-bin/nn20060520b1.html] On two occasions between June 2003 and January 2004, former employees of a company that was doing business with BB Technology reportedly stole personal information, including names, addresses, and telephone numbers, of about 11 million Yahoo! BB subscribers.

According to the article, the presiding judge said "the company failed to protect its customers' data from illegal access through such measures as regularly changing passwords." While the damages award is de minimis in this case, lawyers in Japan and elsewhere will likely pay close attention to the precedent it sets for future civil actions involving data breaches.

Fondly METI

2006-05-20T23:41:00.000-05:00

Today's Japan Times reports that the Japanese Ministry of Economy, Trade, and Industry (METI) is planning to issue safety guidelines for future robots that will provide services in industry sectors such as nursing, security, and cleaning. [http://search.japantimes.co.jp/cgi-bin/nn20060521a7.html] METI officials reportedly indicated that "the guidelines will require manufacturers to install ample sensors to minimize the risk of the robots running into people and use soft lightweight materials so they do not cause harm if they do so," and to install emergency shut-off buttons.

The article's explanation for the demand for these new robots is "the looming labor shortage stemming from Japan's sharp population decline." It also says that METI plans to complete the guidelines by the end of this year, "after consulting with users at hospitals, event sites and other areas." It's too much to hope that the writers of the METI guidelines will find a way to squeeze in a citation to Asimov or Bester. Reet!

Click Once for Mail Fraud, Twice for Wire Fraud

2006-05-15T17:48:00.000-05:00

One Internet-related criminal prosecution that has gotten surprisingly little public attention so far involves the hot topic of “click fraud.” On March 28, a federal grand jury in the Northern District of California indicted a man on charges of conspiracy, mail fraud, and wire fraud for allegedly running a “click fraud” scheme against the online business FreeRide from 2000 to 2002. [See http://www.usdoj.gov/usao/can/press/html/2006_03_29_tam.indictment.press.htm]

The press release by the U.S. Attorney’s Office alleges that the defendant obtained computer source code from his employer, K.C. Multimedia, and used that source code to develop a “robot” program for use on FreeRide’s website. [For the current FreeRide.com site, see http://www.freeride.com/signUp.out.php.] At the time, FreeRide offered a “rewards” program to Internet users, based on various online activities in which registered users engaged on the FreeRide site. These activities reportedly included viewing banner ads, completing consumer surveys, and purchasing products online. The indictment alleges that the defendant used the “robot” program he developed to fraudulently generate and accumulate FreeRide points by emulating activities on the FreeRide site, then redeemed those points for products that other Internet retailers, including Amazon, offered for sale.

Even though this may be the first federal prosecution for “click fraud” in the country, it’s interesting to note that so far the indictment got only passing attention from UPI [http://www.physorg.com/news62920503.html], the San Jose Mercury News [http://www.mercurynews.com/mld/mercurynews/news/columnists/14360231.htm], and a law firm [http://www.theregister.co.uk/2006/04/03/click_fraud_perpetrator_charged/].

Skimming the Surface of Japanese ATM Fraud

2006-05-02T22:12:00.000-05:00

In the May 3 issue of the Daily Yomiuri Online, there’s an article about ATM fraud in Tokyo that, if the details are true, provides a fascinating glimpse into possible ties between traditional Japanese organized crime and Chinese identity-theft operations. [http://www.yomiuri.co.jp/dy/national/20060503TDY02001.htm] According to the article, an alleged gangster with ties to the Yamaguchi-gumi crime syndicate, Koji Shishido, was arrested by Tokyo Metropolitan Police on charges relating to an ATM fraud case.

Shishido reportedly told the Tokyo police on April 13 that in August 2005, he was sitting in a coffee house in Ueno, Tokyo, when a late-middle-aged Chinese man who spoke Japanese approached him. The man supposedly told Shishido that “he was counterfeiting ATM cards using [miniature] cameras [mounted near ATMs], and that he had a plan to use the cards to take money out of people's accounts." When the police asked why someone would approach him in that manner, Shishido reportedly replied – tongue presumably planted firmly in cheek – that "I guess he thought I looked and dressed like a gangster."

The deal that they struck gave Shishido a 20 percent commission on funds that were withdrawn using counterfeit ATM cards that the Chinese group helped to make. Shishido reportedly proceeded to recruit people from cellphone Internet message boards to participate in the ATM fraud scheme. At least 20 recruits “were put up in hotels in August in Asakusa, Tokyo, and near JR Sugamo Station, where they were based during their two months of repeated identity theft.” Also, cameras were mounted near ATMs of what was then UFJ Bank to record data on the bank's customers. To date, the Daily Yomiuri reports that 17 Japanese men and women, including Shishido, have been arrested in connection with the case.

One critical detail, however, is missing from the article. While the cameras could certainly record PINs that customers typed on the keypads, how did the counterfeit-card ring get the bank account numbers associated with the real customers’ cards? The most logical conclusion, given the speed with which bank customers would have approached ATMs and conducted transactions, would be skimmers mounted on the ATMs. Reports of portable credit-card skimmers in Japan go back to at least 2002 [http://search.japantimes.co.jp/print/features/media2005/fd20050130tc.htm], but the only reason to use cameras near the ATMs is to capture the PIN while the actual card is in the customer’s possession. Hand-held skimmers wouldn’t have fit the bill.

Last year, a Japanese Financial Services Agency panel that studied bank card-related crime recommended several measures to reduce the incidence of ATM fraud: replacing magnetic-stripe cards with integrated-circuit cards to make the cards harder to counterfeit, putting expiration dates on cards, lowering the maximum ATM withdrawal to perhaps 500,000 yen (equivalent at that time to a surprising US $4,585) per day, and considering changing the standard four-digit PIN to something more complex. [http://search.japantimes.co.jp/print/business/nb06-2005/nb20050625a2.htm] Curiously, there was no mention of measures to counteract ATM-mounted skimmers, even though those have been in use in Asia, Australia, New Zealand, and North America for some time. Nor is there any mention of ATM-mounted skimmers in other articles about ATM fraud in Japan. A substantial part of the story about ATM fraud trends in Japan has yet to be told.

Judge Not, Lest Ye Be Deleted

2006-04-29T11:57:00.000-05:00

An associate justice of the Philippines Supreme Court, Antonio Carpio, recently suggested that judges who are computer-illiterate should be fired “for gross ignorance.” [http://news.inq7.net/infotech/index.php?index=1&story_id=73852] The joking, but edged, remark is a reflection of a serious commitment by the Supreme Court to complete the computerization and Internet connection of all Philippine courts by 2007.

The court, according to Justice Carpio, wants to move all of the country’s 1,583 justices and judges toward use of an e-library (see http://www.supremecourt.gov.ph/elibrary/HTML/Advisory/Advisory_Guidelines.htm) to which all judges would have access in researching and writing their decisions, and to eliminate printed copies of its own decisions and circulars once all judges are computer-literate. To that end, the Supreme Court has a computer-literacy program for judges. Although newer judges get hands-on computer training before taking the bench, the Supreme Court’s chief librarian, Milagros Ong, commented that their concern is “more for old appointees who may not know how to open a compact disc or surf the Internet."

Telling judges that some of them are computer-illiterate is like the old lawyers’ gag of referring to a particular judge as Judge Necessity because “Necessity knows no law.” Both remarks are less likely to cause offense to judges if it’s another judge making the remarks. But computer literacy in any country’s judicial system is actually important not only for improving general research and communications, but for increasing the visibility, transparency, and credibility of that judicial system
as a whole.

When USAID funds and supports computer-literacy training for Afghan judges and court personnel http://www.usaid.gov/locations/asia_near_east/afghanistan/
weeklyreports/072305_report.html ), for example, it improves the odds that others in Afghanistan and elsewhere will perceive the Afghan judiciary as a credible and stable component of government. And when the Philippines (or any other country, for that matter), publishes its judicial decisions electronically, it increases the access to those decisions by lawyers and legal scholars in many parts of the world. Anything that enhances the access to, and visibility of, published judicial decisions for the public and the legal profession is likely to enhance the transparency and respectability of those decisions.

Share and Share a Like

2006-04-29T10:57:00.000-05:00

According to the Japan Times, the Mainichi Shimbun, one of the leading newspapers in Japan, announced that information on about 66,000 subscribers had “leaked” onto the Internet via the file-sharing program Share. (See http://search.japantimes.co.jp/cgi-bin/nn20060428a3.html.) The subscriber data – which reportedly included only “names, addresses, phone numbers, dates of birth and e-mail addresses, but no financial information” – were from a newspaper readers’ club called Mainichi Friend, which was closed in March 2006.

The data security vulnerability, however, apparently stemmed not from vulnerabilities in Mainichi’s own in-house systems, but from the actions of a Mainichi employee, who (for reasons not explained) moved the data to his own computer, which had Share installed. At some later date, it is believed, the employee’s computer was infected with a virus. The employee was quoted as saying “that he never thought his PC was infected.” The Japan Times also reported that Trend Micro officials characterized this case as the first major incident involving data “leakage” due to Share.

The Mainichi incident provides yet another example (not that another is needed) of how enterprises of all types, in all regions of the world, need to conduct continuous elementary data-security training for their officers and employees. The idea that it would be permissible or appropriate to move large quantities of customer data from enterprise systems to a personal computer is itself troubling, but the employee’s comment that he never thought his computer was infected is even more so.

The Japan Times doesn't say what data-security training Mainichi gives its employees, but the incident reaffirms that employees should be told at least three things as a part of such training: (1) they have no business taking enterprise data of any kind and putting it on their home computers without explicit permission from a supervisor (who, by the way, should be educated about the risks before giving such permission); (2) file-sharing, on enterprise or home computers, poses significant risks to the security of everything on those computers; and (3) if they install any file-sharing program on any computer that handles enterprise data, they will be terminated. As the Mainichi Shimbun found out to its regret, allowing someone to drop personal identifying information into a system with file-sharing installed is like the high-school kid’s prank of dropping a block of sodium into a toilet: the results can be dramatic, messy, and unpleasant to clean up.

Fretting About the Future

2006-04-19T19:54:00.000-05:00

An April 18 Financial Times article about the resurgence of the U.S. guitar manufacturer Gibson Guitar (http://news.ft.com/cms/s/39e1ac52-ce77-11da-a032-000079e2340.html) reports that the owner, Henry Juszkiewicz, "is also planning a digital future for Gibson, which this summer plans to introduce its first digital guitar -- fitted with a high-tech pickup that converts the sound of each string into bits and bytes. Ultimately, Mr Juszkiewicz sees Gibson upgrading the guitar's electronics with plug-in expansion cards. Players would buy the cards in the same way that computer users upgrade software, creating a new and potentially lucrative business." This kind of innovation would be truly noteworthy.

Hand(cuff)s Across the Sea

2006-04-12T10:43:00.000-05:00

The Register reported yesterday that a 24-year-old Spanish man, José Manuel García Rodríguez, has been extradited from Argentina to Spain to stand trial on cybercrime-related charges stemming from his allegedly stealing hundreds of thousands of euros from online bank accounts. (http://www.theregister.co.uk/2006/04/11/argentina_extradites_spanish_hacker/)

Identity Theft and Statistics 101

2006-04-11T07:40:00.000-05:00

"Facts are stubborn things," Mark Twain once wrote, "but statistics are more pliable." Not more so than public understanding of statistics, if one is to judge from initial reactions to the recent Bureau of Justice Statistics report on identity theft-related survey data (at http://www.ojp.usdoj.gov/bjs/pub/pdf/it04.pdf). Here are some of the more egregious errors in reporting on the BJS data:

- According to ConsumerAffairs.com, "The repport [sic] found that 3.6 million Americans were affected by identity theft in 2004, a significant drop from a similar report issued conducted [sic] by the Federal Trade Commission (FTC)." (http://www.consumeraffairs.com/news04/2006/04/id_theft_stats02.html) It is hard to imagine a more careless misreading of the data. First, the BJS bulletin plainly refers to 3.6 million households -- not individuals. Second, it notes that in those households, "at least one member of the household had been the victim of identity theft during the previous 6 months." Thus, 3.6 million is the minimum (not the maximum) possible number of victims, based on the survey data. Third, if the article is referring to the only identity theft survey conducted for the FTC, Synovate issued that survey in September 2003, using random-digit-dialing survey data from March and April 2003. (http://www.ftc.gov/os/2003/09/synovatereport.pdf) In that survey, 4.6 percent of survey respondents, which the survey extrapolates to nearly 10 million Americans, reported that they had been victims of identity theft within the past year. By contrast, the BJS survey dealt only with identity theft victimization within the previous six months. It is highly probable (to say the least) that the number of people who have had any kind of experience -- identity theft, a meeting with a college roommate, a traffic accident -- within one year's time will be greater than the number of people who have had that same kind of experience within six months' time. At any rate, there is no valid basis for concluding, on the basis of these two surveys, that the BJS data represent "a significant drop" from the Synovate data.

- The headline for a SecurityProNews article on the BJS survey data declared in red letters: "Identity Theft 20X Bigger Problem Than Reported." (http://www.securitypronews.com/news/securitynews/spn-45-20060410IdentityTheft20XBiggerProblemThanReported.html) Actually, no, on two grounds. First, if the calculation is based on the 3.6 million households divided by the 246,847 identity-theft complaints filed with the FTC for 2004, identity theft is only a "14.58X Bigger Problem." Nothing else in the article supports the 20X figure. Second, if -- instead of mixing apples and oranges by dividing the number of households by the number of individuals who filed complaints -- the article had divided the 246,847 complaints into the 9.3 million individuals who reportedly were identity-theft victims in 2004, based on a Better Business Bureau - Javelin Strategy survey (see http://www.javelinstrategy.com), the headline should have read: "Identity Theft 37.68X Bigger Problem Than Reported." As for the article itself, it stated that the BJS report "reveals that the [FTC's] initial 2004 identity theft report missed severely missed [sic] the mark, according to the National Crime Prevention Center [sic] (NCPC)." Again, no. If a report accurately states the number and types of complaints to a government agency about a particular problem, that report does not "miss the mark" merely because the majority of people who experience that problem do not complain about it to that agency. The complaint data are what they are. Because the FTC has never claimed that the complaints it receives reflect the true incidence of identity theft, the "misses the mark" comment is unwarranted.

- An E-Commerce Times article states that the BJS numbers "suggest that the incidence of identity theft might be lower than what has been reported in the past." (http://www.ecommercetimes.com/story/Cr3GF4pG2kKwjx/DoJ-Identity-Theft-Touches-Millions-in-US.xhtml) This statement is more carefully couched, but still subject to misinterpretation. Because the survey addresses households rather than individuals, and the number of individuals per household can range from one to ten or more, there is a range of possibilities as to the prevalence of identity theft. If one takes the low end of that range, then 3.6 million individuals would be victims of identity theft. But if one takes the average number of persons per household, 2.59, based on 2000 U.S. Census data (http://quickfacts.census.gov/qfd/states/00000.html), and multiplies that by the 3.6 million households, there could have been as many as 9.3 million identity-theft victims -- coincidentally, the same number of victims that the BBB - Javelin survey found for 2004. The only thing that the BJS data "suggest" is what can be directly inferred from those data. Followup studies by BJS for later periods will be necessary before reliable conclusions can be drawn about possible trends in the prevalence of identity theft.

The Gold of Our Error #1

2006-04-10T17:13:00.000-05:00

An April 9 report by Zeenews.com (at http://www.zeenews.com/znnew/articles.asp?aid=287220&sid=WOR) states that in a study of 184 countries around the world, the International Centre for Missing Exploited Children, in cooperation with Interpol, found that 138 countries did not criminalize the possession of child pornography and 122 countries have no law that specifically addresses the distribution of child pornography by computer and the Internet. Zeenews also states that the only countries with legislation comprehensive enough to have a meaningful impact on the crime are Australia, Belgium, France, South Africa, and the United States.

Why The Title?

2006-04-10T16:51:00.000-05:00

The phrase is from Robert Penn Warren's poem Evening Hawk. The first 11 lines are:
From plane of light to plane, wings dipping through
Geometries and orchids that the sunset builds,
Out of the peak's black angularity of shadow, riding
The last tumultuous avalanche of
Light above pines and the guttural gorge,
The hawk comes.
His wing
Scythes down another day, his motion
Is that of the honed steel-edge, we hear
The crashless fall of stalks of Time.

The head of each stalk is heavy with the gold of our error.