Author: Cem Paya

Cem Payahttps://randomoracle.wordpress.com/Building & breaking systems.
Cem Paya's avatar

Standardizing on a standards body

Greetings to the Open Web Foundation. OWF is a new organization for promoting community-driven specifications:

“The Open Web Foundation is an attempt to create a home for community-driven specifications. Following the open source model similar to the Apache Software Foundation, the foundation is aimed at building a lightweight framework to help communities deal with the legal requirements necessary to create successful and widely adopted specification.”

The next statement goes on to state that one of the objectives is to avoid creating a separate foundation for each new technology. Of course the natural reaction to that will be: “In that case, why are you creating yet another self-appointed standard organization? What is wrong with IETF or W3C?” To recap:

  • W3C is the World Wide Web Consortium. It maintains core standards related to the web: HTML, CSS, XML, XSL, XPath, SOAP– for the most part, anything involving angle brackets falls under the jurisdiction of the W3C. Most of these are commonly recognized, widely supported data formats or data manipulation frameworks. (By contrast W3C forays into protocol design such as PICS, P3P and SOAP have met with mixed results.) The consortium charters working groups and issues official, versioned specifications.
  • IETF is the Internet Engineering Task Force. IETF does not officially endorse standards. Its documents go by the more modest name RFC or “request for comments,” suggesting ideas in flux, perennially under editorial review, always open to improvement and changes. Yet many of the core protocols and specifications underlying the Internet can be attributed to an RFC. Email addresses? That would be RFC822. The HTTP protocol shuttling web pages around? RFC 2616. The official TLS protocol that gives us the peace-of-mind and security of the lock-icon on those pages? RFC 2246.

Ben Laurie seeks to preempt that question, also raised in the discussion group. Jury is out on the characterization of W3C as pay-to-play-cartel but the article does highlight a basic problem with IETF: being too inclusive. A former colleague at MSFT described it the requirements for participation in IETF as “a keyboard and Internet connection.” (We can also add: “… and an unshakeable conviction in the infallibility of your ideas.”) This model probably worked well when the workings of arcane protocols was of interest to the academic community only, and everyone that cared to participate started out on the same page, sharing common interests. Today the Internet is too large, the range of stake-holders too diverse and too much commercial success hinges on the outcome of standardization process to continue with that naive assumption of unified purpose.

That same colleague provided this insightful comment on the IETF process: It is a great forum to capture the dominant paradigm on paper and enshrine it as the Internet standard when consensus exists around one. It is not a very good forum for creating consensus in the first place, when everyone shows up at the table with different ideas and irreconcilable objectives. These words were uttered in the aftermath of the Sender ID meltdown where the working group rejected an anti-spam proposal from Microsoft.

OWF raises anew the question of who gets the privilege of a seat at the table once the IETF model (anyone is welcome or “no fool left behind”) is declared dysfunctional, because there is too much randomization. Intuitively those writing software to implement the standard emerge as obvious candidates. But are some implementors more equal than others? Surely not every crackpot with a copy of networking for dummies is entitled to derail the standard process. What about individuals who are recognized subject matter experts but not currently developing software in this space? Moving away from the core, how about companies whose products will be indireclty impacted? Do ISPs get a say in the development of a P2P filesharing protocol, considering it is their infrastructure about to get hammered? Does a firewall vendor get to express an opinion on anti-spam technology because they want to inspect traffic at the edge? Do other participants have the right to declare that they are not interested in supporting that scenario, shutting them out of a particular market segment? Even more controversially, what about companies whose business model is at risk from the existence of the technology? (Advertising networks, criticially dependent on third-party cookies for their existence, were participants in the working group tasked with developing the privacy standard P3P that Internet Exporer uses to manage cookies.)

Assuming that OWF gains any traction, at least one benefit will be forcing some soul searching inside IETF and W3C.

cemp

One week to Pwnie Awards

Move over Antoinette Perry. There is a new award in town and it will take place at the Black Hat briefings next week in Las Vegas. Pwnie awards will honor (shame?) moments of brilliance and ineptitude in the security research community. Highlights from this year’s crop of nominations include:

  • Kernel-mode remote code execution that works on XP, W2K3 and Vista. This after MSFT speculated that the bug would be very difficult to exploit in the real world.
  • Adobe Flash null pointer dereference. What appeared to be an innocuous crash that became a cross-platform, cross-browser remote code execution vulnerability after ISS’s Mark Dowd decided to take a closer look. Once again complements of Flash, continuing to undo any improvements in Internet Explorer security by introducing its own mediocre platform on top of an already fragile HTML/Javascript alliance that years of vulnerability research was finally starting to stabilize. All flash, no subtance but millions of users can’t be wrong: the dancing hamsters are clearly worth the risk of getting 0wned.
  • QuickTime– no vulnerability required, the nomination committee decided the entire application is one colossal mistake, mired in the 1990s quality control standards (“compiles without errors when most warnings are disabled”) and providing another example of insecure context switching.
  • DNS rebinding attacks. Using the web browser to VPN into the internal network behind a firewall. Considering that Kaminsky presented on the topic at last year’s Black Hat, this one has outlived its shelf life.
  • Safari carpet bombing. Note to Apple: forcing software on user machines is not a good strategy when you are awfully slow to fix publicly reported vulnerabilities.
  • Debian/OpenSSL not-very-random number generator debacle; also nominated for most epic failure.
  • Linus Torvalds for controversial views on vulnerability research and handling security bugs.
  • Overhyped bugs: DNS poisoning and unauthenticated UPnP control over network devices.

cemp

Angle brackets are aero-dynamic: protocol buffers, ASN1, XML

Google has recently open sourced  protocol buffers, one of the building blocks used for building large-scale systems. This is a good time to recap the controversies over data formats. In this debate, opinion has been sacred and facts largely open to interpretation.

Most recent iteration from May: XML: the angle bracket tax takes issue with the inefficiency and developer-unfriendliness of XML as data format. First point is hard to dispute: all of those tags and attributes decorating the data add weight. (On the other hand, all of that redundancy means XML documents compress very well but that adds another step.) Compared to the YAML equivalent on the page, the XML variant looks manifestly verbose. In all fairness the example picked here (SOAP) is probably one of the worst case scenarios for bloat, short of even more tchotckied-up format such as WS-Trust/WS-Security/WS-anything. The jury is out on the second point. XML is not necesarily intended for direct presentation to users– that is why there is XSL as stylesheet language to add presentation. For example Internet Explorer’s default tree view for XML files with collapsible nodes is actually generated by applying a default built-in stylesheet.  Manually tweaking XML files is never intended for end users. As for developers and tinkerers stuck with that problem, there is help in the form of XML editors that allow for directly working with the high-level structure instead of low-level syntax. But even with plain-text editing, consider that XHTML is a formulation of HTML as well-formed XML and not particularly more challenging than vanilla HTML/4.0 to work with.

Skepticism against XML runs deep, including entire websites devoted to cataloging its deficiencies. But strong opinions run both ways. Inflammatory arguments bashing other formats as unnecessary reinventions of XML are also abundant; here is one comparing JSON vs XML.

In to this mess Google throws a curve-ball with protocol buffers which define a binary serialization format. The overview includes the expected comparison against XML as a data point:

Protocol buffers have many advantages over XML for serializing structured data. Protocol buffers:

  • are simpler
  • are 3 to 10 times smaller
  • are 20 to 100 times faster
  • are less ambiguous
  • generate data access classes that are easier to use programmatically

If efficiency were the primary constraint, a binary format is the way to go. The challenge then is making that format extensible. This is the catch: if a data format were known to be immutable forever, everything would be hand-coded to use up the fewest number of bits. Reality is that systems evolve, protocols change. Version #2 of the application introduces extensions and yet must remain backwards compatible in a way that it can still communicate with version #1. (Sometimes even in the opposite direction) Building this level of flexibility without rewriting code for each version is the challenge.

Strangely there is already a widely used binary serialization format: ASN1. Virtually any large scale web site is likely using it because the X509 certificates required for the SSL/TLS security protocol are encoded this way. It is more complex, slightly more powerful than protocol buffers but boasts the same level of extensibility since new optional fields can be added in such a way that the structure remains a superset of its previous version. But greatest challenge for ASN1 is ease of use. There are ASN1 compilers but the interface is nowhere as polished as the cross-language programming model for protocol buffers. Parsing ASN1 is so complex that integer overflows in the parser used on Windows featured in a remote-code execution vulnerability back in 2004.

One of the more interesting properties of ASN1 is that the abstract structure of data and its encoding are clearly separated. The same logical structure can be expressed in different ways on the wire and while the most common variant “basic encoding rules” or BER is binary, a different version called XER allows outputting directly to XML. Small step for reconciliation in the format wars.

cemp

Vintage code, common hardware and value of backwards compatibility

A data point on the value of backwards compatibility. This is an area where MSFT is frequently slammed, for its insistence on favoring compatibility with past mistakes instead of throwing everything overboard to start over again– the way Apple has done with OS-X and later switching to Intel x86 chips.

Imagine having to demonstrate an application running on Windows Mobile to a crowded room full of security professionals. This code will not run on the emulator— and even if it did, emulation hardly makes for a compelling demo. “Code always wins” as the old MSFT adage goes and working code on an actual device is the golden standard. This is the predicament confronting the blogger next week. Slide decks are not a problem; they can run off a locally installed PowerPoint or OpenOffice instance (the import process still loses some details if the latest eye-candy from Office 2007 is used) or better yet run from the cloud-hosted Google Presently. Showing UI from the device is a different challenge.

Most phones can not project the view of their own display to an external monitor using a standard VGA, DVI or HDMI output. (Oddly enough a few can project other video over Bluetooth to specialized devices and there is nascent efforst to give phones projectors of their own.) Having a dedicated, fixed camera pointing at the phone was not an option in this setting. And since it is not possible for dozens of people to cluster around a single handset trying to get a peek at the tiny screen, one option is to capture static screenshots at relevant points and project these as part of the slide-deck.

Even that is non-trivial: there is no “print screen” functionality on Windows Mobile out of the box. One quick Google search finds several third-party substitutes, including a freeware version from Ilium software. Luckily the search results also unearthed a better solution. An entry on the Windows Embedded Blog dated November 2004 references a Remote Display application included as part of the Windows Mobile Power Toys. This is good news; power toys are officially unsupported applications typically written by MSFT developers on the side. According to the description Remote Display shows real-time view of the phone display mirrored on the desktop.  Much better than static screen-shots and the audience can now follow along with the exact flow.

One problem: the Power Toys are dated December 2003. Supported operating systems on the download page include W2K SP3– long defunct– as well as “Windows Mobile 2002 based smart-phones.” In other words, this code is archaic. The MSI installed without a problem on Vista, even bearing a proper Authenticode signature to keep the inane UAC prompt happy about reporting the author. But the first attempt to run it with an HTC Diamond failed with an error message about unknown CPU type on the device. Not surprisingly 5 years after the code was written, the architecture of mobile devices, as well as the operating system MSFT is shipping to run on these devices had become unrecognizable under the assumptions the original author had made. Vista does not even have a separate Active Sync component, instead Mobile Device Center handles synchronization with phones.

But the README file provided plan B: the instructions described what to do for that particular error. The recommended fix was to manually find the correct binary over for the mobile device and copy it over. There were not exactly many choices either: Windows CE 3.0, CE 4.0 and smartphones based on CE 4.0. Each OS SKU had a corresponding array of architecture choices, including x86, MIPS and ARM4. As for the device? It is running Windows Mobile 6 on ARMv5i.

So it was a surprise that copying the ARM4 binary built for CE4 worked: Vista could mirror the device screen in real time. Even more impressively, Remote Display works both ways: clicking on the phone UI from the desktop PC actually sends the mouse clicks to the phone, allowing the phone to be driven by the full-size mouse and keyboard combination.

This is one of the rare cases where the insistence on backwards compatibility paid dividends. Not only did the ARM processor have to remain backwards compatible and run binaries compiled for an earlier version, but Windows Mobile itself had to evolve such that code written for earlier CE variants could run without any changes.

cemp

Nebuad: dubious past, nebulous future

From relative obscurity, Nebuad has emerged as the star witness in the Senate hearings last Wednesday that also included representatives from Microsoft and Google.

WSJ points out that many current Nebuad executives previously worked for Gator, which almost single-handedly defined the “spyware” category earlier in this decade. Gator was one of the first examples of software bundling useful functionality appreciated by users with with intrusive, privacy invading and unwanted “features” designed to monetize that user for the benefit of advertising networks. On the surface Gator was a form-fill assistant; it helped users with the repetitive task of completing forms on websites. Web browser including Internet Explorer had an autocomplete / intelliforms feature for some time, but it was fairly primitive compared to what Gator could do. IE remembered that the user typed in some string on a particular field on a particular form on one web page; it had no concept of recognizing that as an address or recognizing other forms on other websites also asking for the address. So far so good– even Microsoft Passport was taking out full-page advertisements in the New York Times about its ability to save time by avoiding forms, because the profile data would be included in the authentication process.

But Gator had also had a dark side and it was hidden in plain sight, buried in the terms-of-use / click-wrap agreement that users seldom read. It collected information about the user’s navigation history and called home with the information. The resulting profile was used for taking targeted advertising to new levels: Gator replaced existing banner ads on websites with ads of its own choosing, disrupting the business model for many ad-funded free websites. This over-zealous tinkering with other people’s advertising brought Gator a lawsuit from several publishers including the New York Times and Washington Post.

Worse there was no meaningful opt-out possibility: no way to retain the useful functionality and opting out of the invasive tracking, other than uninstalling the app completely. And that is exactly what users decided soon after it was branded spyware (or “adware” as the preferred expression in polite company) in the public perception. On balance the inconvenience of taking two additional to provide your address one more time to another website did not outweight the potential privacy invasion from the tracking. Making matters worse, while it was possible to verify what Gator collected, users had no way to verify how the data was used once it is uploaded to the service in the cloud.

Seeing the writing on the wall, Gator soon found a more appealing application to latch on to: P2P. The popular file sharing program Kazaa was bundled with Gator (and soon several other variants of spyware) P2P created a dilemma for users who wanted to tap into the global jukebox but avoid the dubious spyware that often came bundled with the free software. Volunteer programmers responded by creating Kazaa Lite and other derivative “unauthorized” versions stripping out the dubious functionality. As for Gator, when the backlash became widespread, to the point that today Symantec has anti-spyware application that will remove Gator, the company reacted in typical fashion: by changing its name to “Claria” and hoping that will white-wash any previous associations.

Nebuad is an unmistakable here-we-go-again moment for the privacy advocacy community:

  1. Company decides to push the boundaries of accepted data collection and user tracking with new “creative scheme,” crossing the line from dubious into nefarious
  2. Technology press gets wind of the idea, at first as a curiousity, later with growing skepticism and apprehension, feeding the blogosphere.
  3. Mainstream media picks up on the story
  4. A public relations crisis results, indignant pundits demand that the company change its ways, high-level executive begin complicated song and dance for damage control.

At this point, the story normally continues with the dust settling down, contrite executives offering token changes to appease the privacy wonks and all concerned individuals move on to the next crisis-of-the-day. This time it is different. Charter canceled plans to pilot Nebuad, other ISPs are backing out and the Senate has taken an interest in the problem. Quiet possibly Nebuad picked the worst possible timing: with concerns about monitoring Internet traffic and ongoing FISA discussion around retroactive immunity for carriers, the technology community has been collectively primed to watch for the slightest incursion into the privacy of electronic communications. CDT released an interesting report suggesting that an ISP contracting with Nebuad would be violating a provision of the Wiretapping Act around unauthorized disclosure of private communications, a possibility hinted at earlier by Peter Wu.

Predictions? Keeping in mind Yogi Berra’s warning here, it is a reasonable bet that high burden of opt-in proof (as opposed to the current opt-out structure or simple click-through agreement) will be required if Nebuad-type systems are to be operational in the US. These barriers will make it unlikely that many subscribers will in fact participate voluntarily, unless the ISP offers heavy discounts on the Internet service, which is going to defeat the purpose of collecting additional revenue from Nebuad. Even if the economics worked out, the participation incentives will skew the data towards customers that were willing to make that trade-off and it is unlikely that this demographic will be very interesting for many advertisers. Bottom line is that Nebuad and its ilk are currently sailing into terra incognita with an extremely shaky business model.

cemp

Fuel pumps and the “Y2K8 crisis”: security feature gone awry

Crude oil at $100/barrel may have been the first psychological barrier for traders. Now long crossed and $150 looming on the horizon, it turns out there is an equivalent one for drivers: the $100 refueling at the friendly local gas station. New York Times reports in the article titled When a tank of gast costs $100 several large trucks and SUVs have enough capacity for hitting the three digits during a refueling stop.

But they often do not quite get there for two reasons. First one is the unwillingness to see the register ringing up that amount. The article cites owners who prefer to refuel long before they are running on fumes, to avoid seeing the full price– and possible wasting more fuel with more frequent visits to the gas station, as well as slightly higher  weight of the car on average from carrying more fuel.

The second one is a “security feature:” many pumps that accept credit cards will shut off at $75 to prevent overcharges as well as stolen cards from being used. It seems strange that a criminal in possession of someone else’s credit card would be going on a shopping spree for fuel. Electronics, jewelry and other high value goods that can pawned off appear as more likely candidates. (Never mind the cartoon strips— these measures have been in place since the times when fuel was relatively inexpensive.)

That’s not the worst limitation: in an echo of the Y2K crisis, it turns out that many older pumps are not capable of registering three digits at all. (No word on whether they simply roll back to $0.00 and start counting from there or getting stuck at $99.99.)

cemp

GMail starts enforcing DomainKeys for eBay and PayPal

In a sign that Domain Keys Identified Mail deployments have become reliable enough to depend on, Google has started to enforce DKIM signatures on eBay and PayPal.

Quick recap: DKIM is an anti-spam scheme intended to block forged of email messages and verify the sender by using digital signatures. The  short version is every large email service provider signs messages originating from their site and the recipients verify them. Strictly speaking this is purely an authentication technology, defined by an open IETF standard— nothing prevents spammers from also signing their message but there is an implicit assumption that somewhere a reputation system will spring into existence to allow vetting the verified identities and blacklisting the miscreants. Microsoft has backed a competing solution called SenderID.

Major challenge with deploying these solutions is dealing with the “gray area.” If a message is properly signed by eBay, it is clearly coming from eBay. (Leaving aside the fact that eBay may have been handing out email accounts to its own sellers and one or more of them are spammers.) That email can be safely accepted. If the message is signed but the signature does not validate, it can be rejected– although even then there are edge cases where innocuous message modifications can cause the signature to invalidate. By design cryptographic signatures are designed to be very brittle; any change to the message invalides them. Domain Keys had to work around this.  But what about unsigned messages? It could mean that eBay does not implement the DKIM standard at all. Or perhaps they have not gotten around to deploying DKIM on all the servers. A large service may have hundreds of server dedicated to handling outbound email and the conservative approach is doing a small-scale pilot project first. The final possibility is the message did not originate with eBay and is indeed a forgery, an attempt at phishing for example. It’s important to distinguish these cases because the accept/reject decision for the message will be different.

Strictly enforcing DK would mean that unsigned messages are rejected but that can not be done until there is good reason to believe that the service provider has committed to signing 100% of outbound traffic. In October 2007 eBay (and PayPal, which is owned by eBay) announced plans for adopting DKIM. But until both services could commit to signing all traffic, strict enforcement could mean legitimate messages getting dropped or sent to the junk folder and unhappy users.

cemp

Customer lock-in and US mobile market

Dated story from The Unofficial Apple Weblog hints at the sad state of competition in the US wireless market. As the release date for the second-generation iPhone draws near, news stories pointed out that AT&T and Apple are trying harder to lock down the phones. The widespread use of jailbreaking on first generation phones caused AT&T to miss out on significant revenue as customers bought the devices  without any intention of signing up for the corresponding wireless service. This time around buyers are forced encouraged to surrender the money upfront: phones are pre-bricked according to CNet and must be activated in the store, along with minimum 2 year commitment to a wireless contract. (AT&T to Apple customers: “submit to our authority!”) Expect delays as the purchase itself got complicated by doing credit checks and all the other ceremonies that go with signing up for service plans.

It is still possible to purchase the device itself, but at steep premium. This is standard in the US market where phones are subsidized by the wireless service contract, and sold below cost. There are early-termination fees in case the user decides to part ways with the carrier before they generated enough revenue to offset the cost of the subsidy.  But there is still a gap in the logic as the TUAW points out in the article Doing the wacky AT&T math: it is still more economical to sign up for the contract and then break it after one month instead of purchasing the unlocked device.

On that note, Jonathan Zittrain was at Google NYC yesterday to talk about his recently published book “The Future of the Internet and how to stop it.” One of the highlights from the presentation involved a picture of Steve Jobs on stage discussing the application approval process for iPhone, describing the criteria used to decide when code is unworthy of running on the sacred device. Alongside the usual suspects “malicious” and “bandwidth hog” were one that captured Apple’s attitude towards open platforms: “unforeseen.”

cemp

Cherry-picking identity providers in the open eco-system

Recap from a story developing last week:

  • MSFT announced that it was accepting OpenIDs for the new HealthVault service, a cloud-based solution for managing health records. But not just any OpenID: only accounts issued by Trustbearer and Verisign are accepted. Both companies have two-factor authentication with portable hardware tokens.
  • The blog ConnectID objected to the restriction, claiming that it violates the spirit of “open” in OpenID. Why is the user not free to choose any identity he/she prefers to use?
  • MSFT’s identity architect fired back, joined by another blogger, both arguing that cherry-picking identity providers is fair game.

Underlying this exchange is a misunderstanding: agreement on protocols is necessary but not sufficient for identity federation. Accepting an identity issued by another company is a risk management decision– or under a broader perspective, it is a business decision. The mere fact that the aspiring ID provider has successfully implemented some protocol, is compliant with this other standard or runs the most popular software package for authentication is not enough.

Authentication is a security-critical function. Getting it wrong leaves any resource protected by that system vulnerable. And if something does break, it will always be the service provider’s problem downstream, even they are provably not at fault. Suppose that HealthVault accepted identities from Keys-Are-Us, a hypothetical incompetent OpenID provider operating out of a basement. This is an external dependency; when Keys-Are-Us makes an assertion about the identity of the user, HealthVault will accept that assertion on face value and provide access to controlled resources such as health records. This is essentially betting on the ability of this shady outfit to properly run an identity management system. If Keys-Are-Us experiences a security breach, and the health records accessed by unauthorized persons as a result, MSFT is still on the hook. Yes, in principle it was not their fault: Keys-Are-Us made the error. But try getting that message across to the media and blogosphere pouncing on the incident as another indication of everything that is wrong with the Internet. More importantly, by agreeing to accept identities from Keys-Are-Us, HealthVault is implicated in the risk management decision.

Case in point, HealthVault accepts Windows Live ID, the identity management service operated by MSFT. (Full disclosure: this blogger worked on WLID security in a former life.) Because both of these organizations roll up to the same corporate entity, HealthVault designers have visibility into and more importantly, influence over the risks of accepting these identities. Similarly the Verisign and Trustbearer systems are known quantities, and their reliance on hardware tokens makes it possible to gauge the security assurance level in a way that is not possible for random OpenID provider.

cemp

Charter and Project Canoe: one step forward, two steps back

Charter communications announced that it was canceling a controversial plan to sell advertisers information about the web usage patterns of customers. The plan had sparked backlash from privacy advocates, soon spreading to regulatory agencies, culminating in Connecticut Attorney General formally asking Charter to throw in the towel. As CNN/Money reports the market barely shrugged, sending the stock down a mere 3.5%, leaving it trading well above its 52-week low. All of that effort for nothing? Once the dust settles, Charter may be remembered for successfully generating free PR (but not necessarily of the desirable variety) and positioning itself as an ISP ready to make aggressive, ill-advised moves in the name of monetizing existing subscribers with complete disregard for privacy.

With the ink on that story barely drying, another news item from Reuters reports on privacy concerns about US cable providers have teaming up to mine the TV viewership data from their subscribers. Objective: stop the advertising revenue from shifting over to the web. Individual, targeting is the main differentiating factor for advertisement the web, whether this is done by profiling users over time or derived from point-in-time context, such as a search query. By contrast mass media suffers from its “broadcast” nature where many people by definition will see the same content. The ability to tailor the message to the audience is very crude by comparison, despite heavy investments to improve that over the years. For example today newspaper can target particular zipcode– it is possible to get New York Times to print a full page ad but only for certain zipcodes in Manhattan. Impressive as that sounds for an old school newspaper, this is primitive compared to the level of customization on the web.

There are two pieces to the puzzle: first one is being able to understand the audience better and the second one is being able to deliver unique, personalized content for each subscriber. Digital cable in principle already solves the second problem. Unlike analog systems where all channels are delivered to the user at all times and a “tuner” picks out the particular one, with digital cable the subscribers set-top unit requests a particular channel from the provider. That also allows solving the first problem: getting to know the subscriber. DVRs were the first devices with visibility into everything a user is watching and the ability to call home with this information. TiVo unwittingly created the first privacy scare over DVR tracking by commenting on the 2004 Super Bowl. Cable providers have long been able to derive similar conclusions. (The DVR does have an advantage in that it can report on multiple-views, including the number of times a recorded program is watched and when. But then again many DVRs today are bundled with cable packages and cobranded by the provider so it is not clear who is calling the shots on the device logic.)

With both pieces in place, what remains is creating the platform. Enter Project Canoe. Backing this new initiative are Time Warner, Comcast, Cox, Cablevision — and Charter. From a privacy perspective there is good reason for concern. The extent of data mining is unclear. A key question is whether it will be limited to TV content. Several of these companies are both cable providers and broadband Internet providers. Charter crossed the line once before backing down. The current attitude is summed up in this quote:

“The cable industry is betting that full disclosure to subscribers about the information being collected, the ability for them to opt out, and the attraction of more relevant ads would help overcome potential misgivings.

The problem is few people read the disclosures and even fewer understand the extent of data collection and its implications to make an informed decision on whether this practice is consistent with the person’s personal values on privacy. Even for users who decide to take issue, some fraction will be deterred by the difficulty of the opt-out process. Quoting an analyst about the initiative the article concludes:

“It’s all but certain that the cable operators will have to set a third-party clearing house for information to safeguard privacy concerns,” Moffett said.

The article does not speculate on which independent entity would be stepping up to the plate for that role. In general the idea of trusted third-parties safeguarding information is very attractive in principle, but so far there have been no takers. Even the organization trying to offer a much simpler service, third-party verification of privacy practices have been dogged by skepticism about their effectiveness.

cemp