Examining the Obama Administration’s Proposed Privacy Bill of Rights

Doug Bernard | Washington DC

There aren’t many things the world’s three largest web browsers – Microsoft’s Explorer, Google’s Chrome and Mozilla’s Firefox – can agree on. This week saw the unveiling of one of them.

The Obama administration is putting forward a new set of Internet privacy “principles” that it says balance privacy protection with economic growth. The proposal, dubbed a “Privacy Bill of Rights” by the White House, is earning plaudits from major players in the Internet industry, including Google, Apple and Microsoft, for choosing voluntary guidelines over strict regulation. Not surprisingly, some privacy advocates are less than convinced.

“Privacy and trust online has never been more important to both businesses and consumers as it is now,” said Secretary of Commerce John Bryson at a Thursday news conference. Bryson notes that 2011 online retail sales in the United States alone neared $200 billion – an economic engine the White House is eager to keep revving. To that end, government and industry officials crafted a voluntary set of guidelines which industry leaders like Mozilla and Google say they will agree to follow.

The 60+ page white paper spells out seven principles aimed at protecting web users’ online privacy, starting with the first principle of Individual Control. “Companies should offer consumers clear and simple choices,” reads the White House white paper. “Companies should offer consumers means to withdraw or limit consent that are as accessible and easily used as the methods for granting consent in the first place.”

The other principles are a mix of consumer-oriented, such as “#2 Transparency,” and business-minded, such as “#3 Respect for Context,” meaning that individuals browsing online should be expected to understand that firms such as Google and others make money through targeted online advertising, and the only thing that can generate that is private information.

The proposal is little more than a statement of values. Rather than take a regulatory approach, requiring Congressional action, the White House has created a voluntary framework where individuals take responsibility for safeguarding their privacy while the industry will police itself against infractions. Gene Sperling, director of the White House economic council, calls it a “we can’t wait” approach; that is, waiting for the lengthy, contentious congressional hearings needed to craft regulations. It sounds good on paper, but in practice some worry these principles are unenforceable, precisely because they’re voluntary.

A central initiative of this proposal is what is called a “Do Not Track” or DNT system. In essence, large Internet firms such as Yahoo or Google collect and store a great deal of data on individuals who use its services. That information is used to tailor online ads for specific services or offerings the firms believe consumers will be more likely to click on. And this is all accomplished by placing bits of code – called tracking cookies – on user’s web browsers.

In announcing their support of the proposal, the large Internet firms and the Digital Advertising Alliance, or DAA, say they will soon voluntarily begin offering users a “Do Not Track” option in the form of a button on their browsers or their web pages. Individuals concerned about information being collected on them can simply click the button, and the firms won’t track a user’s browsing history or personal data. Some firms, such as Mozilla, already provide a Do Not Track option; others say they soon will.

“The White House is arguing that commercial and consumer interests are aligned here,” says Justin Bookman, director of Consumer Privacy at the Center for Democracy and Technology. Bookman calls the proposal a positive development, but says privacy rights groups like his argue that to be meaningful, a voluntary framework needs to be backed up by law:

“To the White House’s credit, the new version of the report does call for a law. But they also recognize that 2012 is going to be a difficult year to get anything passed, so they’re going to use the bully pulpit to get industry to come to the table to agree to negotiate binding rules with regulators and consumer groups.”

The White House’s Gene Sperling agrees that laws to ensure privacy are “appropriate, needed and fitting.” But until those laws can be created, the new “Bill of Rights” moves web users closer to the end goal of protecting their privacy.

Critics remain: David Gerwitz, writing for ZDNet this week, calls the proposal more of a public relations ploy than an actual solution:

“I’m far less concerned if Google knows I went to yet another muscle car web site than I am that my doctor’s office insists on keeping copies of my drivers’ license in a manila folder along with an image of my credit card, my social security number, my home address, my various phone numbers, and my health records.”

Vietnam Cracks Down On The Internet And Free Expression

Doug Bernard | Washington DC

Dieu Cay knows the risks and rewards of being a blogger in Vietnam. On the risk side, he’s been tossed in and out of prison cells over the last five years, today finding himself detained once more.

His reward? He’s still among the most popular online figures in his nation.

‘Điếu cày‘ is a pen name meaning “peasant’s water pipe” in Vietnamese. The real person is Nguyen Van Hai, and he started blogging in 2007, just about the moment the Internet began spreading rapidly across the country. Unhappy about China’s policies in Tibet and the Spratly Islands, Nguyen started using his blog (now no longer viewable) to organize protests of the Beijing Olympics torch relay.

“BlogDieuCay” began quietly, but soon drew a lot of attention. Other Vietnamese citizens, unhappy with various Chinese policies, also began protesting the torch relay. Still others began speaking out online, inspired to start writing about Vietnam’s religious discrimination, land rights issues, or general corruption. In just a few months Nguyen was joined by fellow bloggers ‘AnhBa SG‘ (real name Phan Thanh Hai)  and former Communist Party member Ta Phong Tan to start the “Club for Free Journalists.” Weekly viewership of their blogs skyrocketed.

That’s when authorities stepped in. In late April 2009, Nguyen was arrested on tax fraud, a charge many considered trumped up. (Phan and Ta were also arrested on unrelated crimes.) He was subsequently released and began blogging again, only to be repeatedly harassed by police. In October 2010 he was again detained by police, and has not been seen by anyone since. Officially, he’s charged with violating Article 88: “Conducting Propaganda Against the State.” Unofficially, many more call it simply “Blogging While Vietnamese.”

“Abusing Democratic Freedoms”

Nguyen isn’t alone. In just the last few months, as many as nine journalists and 33 bloggers have been jailed in what has become Vietnam’s largest ever crackdown on free speech online.

“It’s bad…it’s very bad,” says U.S. Representative Frank Wolf of Virginia. “The American ambassador (there) is a failure, the American embassy is no longer an island of freedom,” says an unsparing Wolf, condemning what he sees as an Obama administration that’s weak on human rights and freedom issues. “This administration has not done a very good job of speaking out,” says the long time rights advocate, “so these countries don’t believe that the Obama administration cares about these issues, and they feel they can do whatever they want.”

Former Communist Party member Ta Phong Tan, in better days

Others see a different reason for the crackdown: a government motivated less by opportunism and more by fear.

“The government is threatened by the increasing use of the Internet by Vietnamese citizens,” says Human Rights Watch’s Phil Robertson.  “With the expansion of the Vietnamese language Internet, their ability to control what people are reading and seeing has definitely diminished.”

Whatever the reason, there’s no doubting that Vietnamese are moving online in droves. In 2000, less than one percent of Vietnam’s population had access to the web. Ten years later, that number had bolted to 27 percent, and it’s likely higher today. Young Vietnamese crowd into Internet cafes and snatch up the latest smart phones (over 111 million mobile phones are registered in a nation with a population of 86 million). All those eyeballs online make for a declining consumption of state-controlled newspapers and broadcasts, and that, says Robertson, has Hanoi nervous:

“When you roll in what has happened in the Arab world, that has caused a great deal of concern by the Vietnamese government. They’re worried if they don’t try to correct the problem, try to control what is going out and control some of the more prominent bloggers or people sharing information, that this situation may somehow get out of control.  That’s the core of the increasing crackdown we see by the government trying to go after the more prominent people making their views known, and harassing bloggers and harassing activists; not only trying to firewall their blogs or websites, but also the more traditional harassment: police going by, inviting people out to coffees or “chats,” going in and confiscating computers or cutting people off from the Internet by terminating their phone service.”

Nervous or not, Vietnamese authorities have clearly dropped the hammer recently on the nation’s most prominent bloggers and online activists. In addition to those detained, countless more are being monitored, forced offline or have had their computers seized.

The state has a grab bag of statutes that it can charge bloggers with violating. Most popular is Article 88, but there are many others, including Article 79 – “Subversion of the People’s Administration” – or the ironically termed Article 258:  “Abusing Democratic Freedoms to Infringe the Interests of the State.” Whatever allegation is used, the punishments are tough: prison sentences of five to eight years.

“Playing an Easy and Hard Game.”

Nguyen Ngoc Nhu Quynh, 32 years old, is a mother in the central coastal city of Nha Trang. She was concerned about a controversial bauxite mining project nearby, and the Chinese partner on the project Chinalco. So in 2009 she began blogging about it, sharing news items or rumors she’d heard, her objections to the project, and what others were saying about similar projects.

Nguyen knew the dangers of blogging in Vietnam, and so adopted the pen name “Me Nam” – or “Mother Mushroom” in Vietnamese. People signed an online petition, and she printed shirts reading “Stop Bauxite – No China – Keep the country safe and clean.” Her blog became a smash success. That is, until the night of September 2, 2009, when 15 police agents smashed through her door and took her under arrest.

“The police arrested and kept  me at prison for 10 days,” Nguyen tells VOA in an email interview. “Their reason for my temporary imprison(ment) is ‘abusing democratic  freedom infringe upon national benefits.’”

After 10 days and no charges filed, Nguyen was released, but warned about continuing her blog. Despite that, she kept writing – posting her discontents with the government and its land policies. Since then she’s had police stationed outside her home, her landlord and employer have been pressured to fire her, she’s seen her family and friends harassed, and spent more time in jail.

Mother Mushroom says she, too, has noticed a marked increase in the level of harassment directed at her and her online colleagues. “Beside Dieu Cay and AnhBa SG, many young Catholic bloggers  are still in jail,” she writes.

“I think that they are warning the others have to be careful when using blog to speak out the idea about the Communist Party’s policy. Being a Vietnamese blogger, it looks like playing an easy and hard game. It will be fine if you just write about the daily simple life. However, you should be arrested at any time if you step over the ‘sensitive areas.’ I still keep writing because it made me feel free in my mind, at least. And the most important thing, we do not feel human if we don’t have the right to speak our mind.”

Nguyen is free at the moment, but acknowledges, amid the current crackdown, that she might be next to be imprisoned. Asked why “Mother Mushroom” keeps writing, she writes simply “Who will speak if you don’t?”

Fighting a Losing Battle?

“Clearly the activists recognize that they’re pushing the edge and they’re potentially facing long prison terms if they push too hard,” says Human Rights Watch’s Phil Robertson:

“But when you talk to them, they’ll say very clearly ‘Look, I’ve done nothing wrong. This is my right to speak out.’ And in fact, they’re right. Vietnam has ratified the International Covenant on Civil and Political Rights, which clearly contains an Article 19 guaranteeing the right to freedom of expression. So by saying ‘I’ve done nothing wrong,’ they’re not backing off on this, and the government is just forced to continue to tilt after these activists, to chase them and harass them, and ultimately is continuing to imprison them.”

Early in her term at the U.S. State Department, Secretary of State Hillary Clinton called freedom of online expression a basic human right, and pledged the Obama administration would do everything possible to lift the new “digital Iron Curtain” that was falling on various nations around the world. But critics say that since then, little has been done to help, while the situation in countries like Vietnam has grown only worse.

“In the old days…everyone was singing from the same page, and that’s that we were going to advocate for human rights and religious freedom around the world no matter where it would be,” laments Congressman Wolf. “That’s really what has to be done now, but that’s the exact opposite of what’s being done today.”

With all the other foreign policy issues at stake in the U.S. presidential election this year, online freedom of speech and the persecution of Vietnamese bloggers isn’t likely to rate very high. But that’s not to say there isn’t hope.

Columbia University professor Anne Nelson recently traveled to Vietnam, and wrote of her impressions:

“We can’t underestimate the suffering — to say nothing of the nuisance — inflicted by Vietnam’s cyber-cop crackdowns. But at the same time, it appears they’re fighting a losing battle. Vietnam’s media audience is moving online rapidly, partly because they are constantly learning new techniques for outmaneuvering the authorities — and partly because the Communist Party’s traditional news media have failed to hold on to their audience and advertising base.”

As in neighboring China, Vietnam is seeking to have it both ways: expanding access to the web and wiring the nation for the future while limiting what its citizens can do and say online. It’s a tricky balance, and one technology is constantly shifting.

In the meantime, somewhere in Vietnam, Dieu Cay sits in a prison cell, awaiting his fate.

The Battles To Keep Iran’s Web Up And Running

Doug Bernard | Washington DC

It’s no secret the Iranian government doesn’t much care for the Internet. At least, when it comes to their own citizens.

While maintaining its oil and financial industries’ links to the rest of the world via the Internet, Tehran continues to boast about creating it’s own “Halal Internet”, a one-nation-only intra-net that would cut off most of its population from the World Wide Web. “Aimed at Muslims on a ethical and moral level,” says Deputy Minister for Economic Affairs Ali Agha Mohammad, the Iran-only intranet would prevent all but the most web-savvy Iranians from accessing any website not based there.

There is precedent: North Korea operates what it calls the “Kwangmyong”, a nation-wide computer network that keeps its citizens safely confined within a tiny network controlled entirely by Pyongyang. But North Korea is a vastly different society, and one that has never had relatively free (if occasionally restricted) access to the entirety of the World Wide Web.  Iran’s population is young, tech-smart and blog-crazy; approximately 30 million Iranians surf the web daily. That’s a population unlikely to quietly accept being unplugged from the Internet.

But this week, Iran might have begun trying to do just that.

“They are afraid of any kind of demonstration.”

Graphic images of recent fall-off of Iranian web traffic (Courtesy: Tor)

Last week, analysts began tracking a significant drop in Internet traffic from Iran connecting to the rest of the web. Most of that traffic, writes Joe Brodkin at the excellent Ars Technica, involved security or encryption protocols, such as the “HTTPS” secure connection, or the SSL and TLS encryption layers that can cloak a user’s identity. For years Iranians have used these and other anonymizing services like Tor or Freegate* to evade Tehran’s censorship of certain parts of the web.

But as Thomas Erdbrink wrote recently in the Washington Post, many of those services have now stopped working. “When it sporadically returns, speeds are so excruciatingly slow that sites such as Facebook and Balatarin.com – which evaluates unofficial news and rumors in Farsi — become unusable,” he writes. As of this writing (Feb. 17, 3 hours UTC), web traffic from Iran appears to be bouncing back.

A quick check shows Iran continues to block some sites (voanews.com, unsurprisingly, among them, as are Facebook and Twitter.) Others, such as Google, remain unblocked, but only as long as the web user isn’t using any security-enhanced tools.

“They have invariably messed with HTTPS,” says Ken Berman, who heads up Information Systems and Technology for the International Broadcasting Bureau (and the parent agency of VOA.)  “HTTPS was shut down for almost a week. Even banking systems were down last Thursday till Sunday.”

Iran watchers noted the timing of the traffic squeeze – centering around Feb. 14. Last year that day, known as Bahman 25 in Iran, saw wide-scale protests in Iranian cities. Those protests were organized in part by bloggers, wanting to voice solidarity with the so-called “Arab Spring” protesters in Tunisia, Yemen and Egypt.

This year, bloggers had hoped to mount similar demonstrations. But they were unable to communicate, largely because the web was largely useless. One Iranian blogger, Dara 1390, posted (in translation)

“Without any doubt the February 14th demonstrations are the reason why the government has interrupted the internet. They are afraid of any kind of demonstration in the streets. We do not know how people will react on February 14 but the regime is making itself ready for the day.”

This year Feb. 14 came and went without any major protests. The Iranian opposition group at Kaleme.com posted that security forces were out in heavy numbers in Tehran, leaving Azadi Square “…surrounded by security forces as well as special protection and special guards.” For the moment, the police have left the streets and web appears to be running again – if slowly.

So was this a crackdown to smother protests, a dry run for the national intranet, or something else? And whatever the answer, what can be done if (more like when) this happens again?

“An ace up our sleeves.”

Web encryption is very much a cat and mouse game: the encryptors develop some new technique to evade blocks, the censors respond and refine their techniques to counter the encryptors, and the encryptors implement a new new technique. Round and round, each side tries to keep a step ahead of the other in a game that never ends but always escalates.

Iranian journalism students at work at an Internet cafe (AP Photo/Vahid Salemi)

The Tor Project eludes the censors by wrapping an individual’s web activities in layers of benign activity, routing traffic through a global volunteer network of what they call “bridges.” Tor’s encryption is considered among the best available, but last week, Iran figured out how to block it. Within a day, Tor fired back.

“We’ve long had an ace up our sleeves for this exact moment in the arms race but it’s perhaps come while the User Interface edges are a bit rough still,” they posted on their blog. It’s complicated, and still somewhat obscure – perhaps the reason why Tor called this new workaround “Obfsproxy”, short for for “Obscured Bridge Proxy.”

Although still in rough testing, Tor says its new obfsproxy bridge is currently undetectable by Iranian censors. Data seems to bear that out; while large chucks of the Internet remain blocked in Iran, users there are once again able to reach the outside world via Tor. For the time being.

Of course, Tehran’s cyber-censors will respond, probably very soon. But Tor is just one of many privacy and encryption solutions, and each of them will keep Iranian censors busy with new upgrades and techniques.  They key, say encryption coders, is keeping as many Internet bridges outside the target country open as long as possible.

With the approaching elections and rising tensions in the Persian Gulf, it’s a sure bet Iranian authorities won’t be relaxing their Internet censorship anytime soon. However, points out the IBB’s Ken Burman, there are limits to what they can do.  Shutting down the Internet – as Egypt learned – is not a long-term option, says Berman:

“The Iranian public will not tolerate it, when it affects banking connection, a member of Parliament’s personal communications, and the business community.  It is really a balancing game whereby the regime continues to experiment with how much filtering they can introduce before the elite personally are affected and protest.  As stated, during recent https shut down even some of the members of the parliament voiced concern.”

At least for now, the Iranian regime has decided not to burn down the bridges to the rest of the Internet. How much traffic is allowed to cross is another matter altogether.

*Full disclosure: VOA and Freegate have worked together in the past, and continue to do so, on a variety of anti-censorship privacy and encryption tools.

An Old Hack Technique Gets A New Twist

Doug Bernard | Washington DC

Hackers may not always be the most innovative group. But as a rule, they are sneaky.

That’s exactly how the latest hack target, Cryptome.org, summed up the recent hit on its website: “sneaky.”

One version of a black hole (Creative Commons: Gallery of Space Time Travel)

A well known anti-secrecy site, Cryptome tends more to be a repository of information that others have obtained using various computer hacks, rather than the victim of a hack itself. But this week thousands of visitors who thought they were visiting the Cryptome website instead found themselves redirected to malicious websites. At the root of the attack is a rapidly growing technique that some are calling “malvertising.”

It works like this. A hacker creates a legitimate-looking ad that has malware hidden deep inside. Now a Trojan horse, that ad is submitted to the large online advertising networks, which then distributes the harmless-looking ad to specific websites. When a visitor clicks on the bad ad, they launch the attack and their computer is compromised.

In and of itself, this is hardly a new technique. However, the Cryptome attack is just the most recent in a growing string of attacks using something called the Blackhole Exploit Kit.  This can get a little geeky, so we’ll try and keep it basic.

Created by Russian hackers, Blackhole is essentially a bag of bad computer code, all designed to target vulnerabilities in a target computer’s operating system. A recent report from M86 Security notes the Blackhole Exploit Kit has become the tool of choice for many hackers, in part because of its “capability to update frequently and rapidly to take advantage of application vulnerabilities.” Driving the point home, a Sophos Corporation analysis of 2012 Internet security trends says these redirect ploys account for 67% of all computer hacks, with Blackhole accounting for a full 31% all by itself.

What was new in the Cryptome hack was security analysts are calling “drive-by” technology. In other words, a visitor to a website with an infected Blackhole ad no longer has to click on the ad; just viewing the page can be enough to inject malware onto your computer. Additionally, as Fahmida Rashid of eWeek.com reports, the Cryptome attack “specifically avoided targeting IP addresses from Google to prevent the search engine from blacklisting the site.” Meaning users were unlikely to know they were under attack until it was too late, and the bad bug was created to avoid being targeted by the world’s largest search engine.

In a word: sneaky.

Cyber security analyst Brian Krebs has a good piece exploring how users of Blackhole malware specifically profit from their misdeeds, while writers at the Imperva Corp’s “Security Blog” have a highly detailed dissection of Blackhole and how it works. Neither are light reading, so we’ll skip to the point: no matter how careful you are on the Internet, it’s becoming harder not to fall into a black hole.

The Internet’s Love/Hate Relationship with the Day of Love

Doug Bernard | Washington DC

Question: if someone texts “<3″ to you, does that count as a Valentine?

I pondered that this morning when I noticed my mobile phone blinking, warning me I had a new text message. “<3″ it read, the Internet-speak version of a heart. My real-life sweetheart sent it this morning, and while I smiled on receiving it, it didn’t quite feel the same as, say, finding a card in a red envelope on my pillow.

Sweet expression of affection, or mawkish display? (AP Photo/Czarek Sokolowski)

In fact, as the Internet and mobile communications continue to invade our lives, holidays like St. Valentine’s Day are changing, and not always to everyone’s satisfaction.

To be fair, V-Day (as it’s abbreviated) is a mixed bag in various parts of the world. For example, for many centuries the holiday was unheard of in India, a culture with its own pantheon of love spirits (such as Kamadev, who – like Cupid – shoots lovers through the heart with a bow of flowers.) But with cultures mixing and globalizing through the web and mass communications, swelling ranks of  young, amorous Indians are embracing the holiday, emulating Western-style traditions of giving flowers, sweets or jewelry.

Not soin neighboring Iran, where religious authorities scowl at what’s considered a gaudy, over-commercialized ritual from the West. Valentine’s Day is a very big day in Japan, where modern tradition has women giving men gifts, but almost nonexistent in Uzbekistan, where authorities actively suppress any celebrations. It isn’t because the Uzbek’s don’t like love, it’s just they would rather their citizens mark their own cultural homage to affection, known as St. Zaxiriddin’s Day.

There have always been critics of St. Valentine’s Day, such as people who consider it to be a manufactured celebration by retailers to use guilt to prod couples to shop.  Witness “The Simpsons” parody of “Love Day“ – a summertime holiday created by merchants merely to boost sluggish sales. And the Internet, with its emphasis on easy cynicism and off-color humor, has only amplified those criticisms. These days you can advertise your celebration of “Anti-Valentine’s Day” on Facebook, or send your friends some decidedly anti-loving sentiments with heavily marketed email cards. “I want to grow old and disgusting with you,” reads one of the tamer greetings.

As digital texts and emails have proliferated, traditional ink-on-paper mail and cards have greatly decreased. That goes for general mail as well as holiday cards, and sales of St. Valentine’s Day greeting cards have plummeted. True, candy and flower sales surge in many countries, and in the U.S. restaurants fill up with couples on this day. But increasingly, the days of opening a Valentine’s card envelope are falling by the wayside, as digital greetings become commonplace.

Like many, I have a love/hate relationship with the holiday dedicated to love. Flowers and a kiss are always preferred. But if I’m to co-exist with our new, digital world, a “<3″ text on my mobile phone will do.

Pushing Bounds And Tempting A Fight

Doug Bernard | Washington DC

If one could speak about Anonymous as a singular entity, then it’s clear that Anonymous is spoiling for a fight.

But of course, Anonymous is anything but a singular thing. It’s been called a hive of numberless drones, an amorphous hidden collective of computer hackers and even “The Borg.” By definition it’s a group that has no boundaries, and thus no members. Officially, at least.

“We are not a group. You cannot join us.  We are an idea,” taunts the computer-generated voice in one of their many online videos.

OK, “Anonymous.”  But for a group with no members, you sure have been busy of late. Consider that in just the last week or two, some tentacle of Anonymous has claimed responsibility for hacking the following people or groups:

“Ultimate Champion.” After feuding with anti-SOPA activists via Twitter, Dan White, founder of the lucrative “Ultimate Fighting Championship” found his website cracked and his personal information published online and shared via his own Twitter account. White has since gone silent on the web.

The FBI and Scotland Yard. Following the recent seizing (and freezing) of the Megaupload.com website and the arrest of its flashy owner Kim Dotcom in New Zealand, Anonymous brazenly recorded an entire conversation between FBI and Scotland Yard agents discussing last year’s arrest and prosecution of seven individuals believed connected to an earlier Anonymous hack. While the call wasn’t on a secure line, they were able to record without detection, and likely with help of cracked email files either at the FBI or Scotland Yard.

Puckett & Faraj. One of the more prestigious (and expensive) legal firms in the United States, Puckett & Farai represented U.S. marine Frank Wuterich, who was charged with dereliction of duty and convicted in a court-martial relating to the 2005 killings of 24 Iraqis in Haditha.  Segments of Anonymous felt the conviction wasn’t enough, so promptly released 2 gigabytes of private information from the law firm for public view. So thorough was the data grab that Puckett & Faraj’s business manager is on record as saying “this may completely destroy the law firm.” (The Puckett & Faraj website is still nothing but a blank screen.)

Syrian President Bashar al-Assad.  Yet another offshoot of Anonymous obtained what it calls the email addresses and passwords of hundreds of Syrian government officials, among many other documents, and predictably posted them all online, amid much smirking and self-congratulation. (As of 1900 UTC, Feb. 7, the list at Pastebin is still publicly viewable.)*

They hacked Polish government websites after that nation’s parliament passed the Anti-Counterfeiting Trade Act, as well as government websites in Italy, the Czech Republic and those of the EU.  They released personal information about top city officials in Oakland, California, after that city’s confrontation with the “Occupy Oakland” protest group. They redirected online customers of CBS and Universal to dummy sites following their support of SOPA/PIPA. They even hacked Symantec, the firm whose software is supposed to protect computers against invasion and hacking, and released its source code (albeit old code, says the company.)

All this, not even counting the 100-odd small credit card hits along the way, spells a lot of busy little hacker hands, all calling themselves “Anonymous.”

Different Names, Same Result

As we’ve noted, Anonymous calls itself a group with no membership or leadership; that’s what it says, at least. But in reality, there are leaders and core members. There must be.

In truth there may actually be many competing leaders and subgroups all operating under the umbrella cover of “Anonymous.” AnonOps, AntiSec, LulzSec, AnonymousIRC, Anon_Sexy: these and many others look and sound like separate groups, with separate messages and pet causes. They even speak with different voices: a tweet or a posting by the now disbanded LulzSec reads like that of a cocksure 12 year-old boy, while videos and “news releases” from AnonOps have what you might almost call a seriousness about them.

Swarm attacks like DDoS hacks don’t just happen, they have to be planned and timed. While no one may be leading any particular hack, every one of them must get rolling at someone’s suggestion or instigation. And the more sophisticated multipronged attacks – like those that humiliated cyber-security firm HB Gary last year – require coordinated resources and actions. By definition, someone (or a group of someones) must be orchestrating the whole affair.

Take, for example, this week’s news of a new search engine for felons. Called “MegaSearch.cc” it coordinates the many separate lists of stolen credit card numbers held by various criminals around the world into one searchable database. That kind of coordination requires someone to register the site, maintain the data set and pay the bills, even if by theft.  (By the way, a quick search of Megasearch’s registration suggests, unsurprisingly, that it is connected to a noted malware server, so readers are encouraged not to go exploring without protection.)

Part of the problem may also be the success of the Anonymous brand itself. As hacks have grown bolder and grabbed bigger headlines, unaffiliated hackers have no doubt been tempted to test their abilities for mischief and advertise their misdeeds under the “Anonymous” shadow, thus creating a new round of headlines, and on and on.  Thus it seems like the “group” is constantly growing, but in fact it’s merely getting credit for the work of others it inspired.

Either way, the end result is the same. More hacker hands mean more hacks.

How Far Is Too Far?

Anonymous has its admirers, but it also has enemies, and not just those whose websites it has broken. One of them is “th3j35t3r” – code for “The Jester” – who self-describes as a”hacktivist for good” and has frequently taken shots at Anonymous (which has shot back). As generalizations go, it’s fairly true that hackers tend not to always play well with each other, and infighting among those who claim some Anonymous connection is common.

And there are missteps as well. Earlier this year someone claiming to be Anonymous released a video threatening to take down the servers of major international banks, the United Nations, Microsoft, YouTube, Twitter, and Facebook. “Operation Global Blackout” was billed as punishment for the megaupload.com seizure, and the voice warned that unless megaupload’s servers weren’t released within 72 hours, Anonymous would darken the web.

72 hours came…and went, with no serious activity. Shortly after, in a second video release, a voice claiming to be Anonymous explained:

“Why haven’t any of the things stated in the initial video happened yet? Simple. Because this proposed idea doesn’t have a set period of time when it will go into effect, as it is an on-g0ing operation. Like I said…I explained what we can do, not what we will do.”

Critics are unconvinced. Apart from the backtracking, the two statements have a different tone. Anonymous videos almost never use “I” or its variants, but the updated video is filled with them. Was it a mistake? Or are different hacker groups within or near Anonymous fighting again?

We’ve said before and say again that the safest bet is that Anonymous will soon be linked to another high profile, highly embarrassing hack attack. Private data will be released, faces will redden and Anonymous will gloat. But is that it? Nobody has ever been physically hurt, or worse, because of an Anonymous hack; no government has fallen and no commerce has been permanently disrupted. Which begs the question: is Anonymous little more than an embarrassment machine? Will anything seriously consequential ever result from their efforts?

How far will Anonymous go before it goes too far?

The answer may come sometime soon.

*Ed. Note: beyond the seriousness of any individual or group hacking and publishing government officials pass codes, we couldn’t help but note that nearly every password used wouldn’t even pass the most basic security analysis.  “12345″ is never, ever, a smart pass word; a drunken bear could probably crack that.

And Other Surprising Findings From a New Facebook Study

Doug Bernard | Washington DC

“Facebook was not originally created to be a company,” wrote founder Mark Zuckerberg in a letter this week. “Facebook exists to make the world more open and connected, and not just to build a company. We expect everyone at Facebook to focus every day on how to build real value for the world in everything they do.”

A not-so-subtle request (AP Photo/Paul Sakuma)

Those familiar with the story of Zuckerberg’s rapid rise from mischievous hacker to CEO of the globe’s most popular social network might find his claim a bit altruistic, but not unexpected. The letter was just one part of Facebook’s official request to the U.S. Securities and Exchange Commission in support of its bid to begin selling stock publicly. The entire filing is massive, and analysts have been combing through its 150 pages (not counting index and associated documents) for hints about Facebook’s market value and economic potential. Billions of dollars are at stake.

But the real measure of its long-term viability may not be lay in balance sheets and profit statements, but in the little bits of time some 840 million registered users* spend every day updating their status, catching up with friends, or just “liking” something they’ve found on the web.

And so Facebook’s SEC filing begs the question: is it building “real value for the world,” or is it little more than a website for selling ads and wasting time?

More Social, Emotional Support and Companionship

“Facebook looks like a social good,” says Rutgers University researcher Keith Hampton. “People who use Facebook tend to do better on average than other folks.”

Hampton is the lead author of a new analysis, released by the Pew Internet Project, exploring how people actually use Facebook.  Titled “Why most Facebook users get more than they give” the study tracked a sample of users over the course of a month, exploring patterns of use, behavior and interaction.

What they learned was in parts expected and surprising.

“Facebook users are just busy,” notes Hampton:

“We see the majority of them are moderately active on any given day. But there’s a group of users, about 20 to 30 percent, who are very active in doing a lot of different things. And it’s really interesting to see that those 20 or 30 percent, on whatever metric we’re using, really drags along that group of other users, and makes them more involved.”

These members, dubbed “power users” in the study, post, comment, like, friend and play on Facebook significantly more than most other users. And, consistent with previous studies, it’s these users that provide much of the “real value” that Facebook members experience.  They’re the ones more likely to comment on you rather than the other way around. In other words, these are your friends who give more than they get: the ones who walk into a room and everyone notices.

All fine and well, in the digital sphere. But researchers constantly wonder whether the online “friend” experience has any relation to real world, flesh-and-blood experiences. According to Keith Hampton, the line between cyber and life is becoming blurrier:

“The overlap, and what we’ve found in the past, is that not many of these people are actual strangers. These are people you encounter in your everyday life, and our work shows that those people using Facebook a lot, they’re getting more social support, emotional support and companionship. They’re also more politically involved, and they tend to have more friends in the real world, and more diverse friends. We don’t see any tendency for people using Facebook, or really any Internet technology, be more socially isolated, or more cut off from a diverse set of people, or even having fewer close relationships. We see the opposite.”

So those who spend a lot of time online in social networks tend not to be of the classic, introverted dude-in-the-basement scenario. At least, on average.

Surprising as that may (or may  not) be, there are what Hampton calls paradoxes in the study. For example, the finding that your Facebook friends, on average, have more friends than you do.

Af first glance, that finding seems mathematically impossible, in the long run. However, says Hampton, it’s really an expression of the asymmetric relationships people have in the real world. In other words, if you think about it, it’s more likely you know someone who knows lots of people than someone who has a very small friendship base:

“If you think about it, very few people are socially isolated; very few people have a very small number of friends. And naturally, those people show up in your friendship networks less often. But people who have a lot of friends, they show up a lot in your networks. And when you look at these averages, these people get counted more than once. So as it works, you see that your friends tend to have more friends than you, and the magnitude of this fact is real. So for the typical Facebook user, as they look out over their Facebook friends, their friends appear to have on average about twice as many friends as they do.”

Other findings: women update their status significantly more often than men; people who are active online tend to be more politically active, and while your Facebook “friends” may have little connection with each other,  users who are active – for example, “tagging” real-world photos of their friends – tend to have more robust real-world (or “offline”) social networks as well.

It would seem, at least according to Hampton’s study, that by and large people who are more engaged in their offline social friend network are going to be more engaged in their online one as well.

And this, frankly, should surprise no one.

“A Success So Far”

So big shock: people who are popular in the real world tend to be popular in the online one as well. So what?

Despite the blurring of differences people may feel sharing a coffee with a friend at a cafe and sharing messages online on Facebook, there are, says Prof. Hampton, still real differences between our real-world experience and that online – particularly when it comes to friendships:

“This is a very unique thing about Facebook and social networking websites, in that they provide networks that are persistent and pervasive in ways that we never had before. We used to go through life with various stages where we would lose friends – we would go off to college or start a new job. That’s no longer the case. These people stick with us forever, and we get these little tidbits of information about them on a regular basis on our Facebook feeds. That I think is very powerful, and it really reduces the separation between using this technology and what happens in what we call real life.”

“Pervasive” is another term for “sticky” – one that Internet financial analysts use to describe how long a user stays on a website, and how often they come back, to evaluate its financial well-being. If Facebook is successful in keeping people “stuck” to its site and services, its financial future looks fairly bright.

You can read the entire report online at the Pew Internet and American Life Project.

*Ed. note: We noted before the various debates about the actual size of Facebook’s user base. The company asserts over 840 million registrations; however that number hasn’t been independently verified, and would also include individuals with multiple accounts (something Facebook discourages) and those users who have simply stopped using the network. The independent ranking firm Alexa estimates that for February 2, 2012, 640 million individuals visited the website. By either measure, Facebook would be the second-most visited website in the world, far behind rival Google.