An app on a smartphone (iPhone, Android) can use the phone's camera to read a bar code (QR Code) and then display information associated with the code.
For instance, Stickybits offers custom barcode stickers, where each sticker bears a unique code and refers to unique information. A user can stick the code on any physical object or space, such as a coffee pot or the door to a hotel. Then the user can direct that when a smartphone scans the code, the phone will display text, an image, a video, a web page and so on.
With the right app, the phone might display a form of “augmented reality,” which presents a live video image of the physical object or space to which the sticker is attached, together with additional information such as a video.
I ponder this Buck Rogers technology. How might it be used to present legal information in association with an object or space? Example: I could place a bar code on a bottle of medicine. Under the code might be the words “Scan for Warnings, Disclaimers and Terms of Use” . . . not unlike the “Terms of Use” hyperlink commonly at the bottom of web pages today. If a patient scans the code, his phone could present a lengthy contract, saying that the patient agrees to the contract by opening the bottle.
Thus a new frontier will open in the eternal war over contracts of adhesion. The war has included battles over shrinkwrap agreements (on boxes of software), clickwrap agreements, and end user license agreements.
A student in one of my SANS courses came to call the terms of use on web pages “drive-by contracts” because a user might be deemed to have agreed to a contract simply by visiting a web page.
How enforceable are such agreements? The answer is: it depends. I suspect courts are more ready to enforce “drive-by contracts,” web no-trespassing notices*, augmented reality agreements and the like against unsympathetic parties such as hackers or malicious intruders, and against sophisticated parties such as professional investigators.
Mr. Wright teaches cyber investigation law at the SANS Institute.
* A web no-trespassing sign might deter so-called OSINT (open source intelligence) gathering by the adversaries of the web site owner. Adversaries might include plaintiff lawyers or labor union organizers.
If a public organization doesn't embrace transparency, transparency will be thrust upon it forcibly. For any institution, its electronic records are so detailed and subject to revelation in so many ways that the institution must find a way to pre-empt their inopportune public disclosure. Better to come clean with information now – before the lawsuit (think deposition) or the FOIA request or the hacker break-in brings the information to light.
The climate research unit at the University of East Anglia is learning directly how disconcerting unexpected disclosure can be. Someone – whether an outside hacker spy or an inside whistleblower – has leaked volumes of e-mails, software, source code and programmer notes to the world. As a world leader on climate modeling, the university is shocked to see its internal discussions hung out for public scrutiny.
Some emails suggest the university's scientists had earlier tried to destroy records to prevent their disclosure under a freedom of information request. Other records arguably depict programmers manipulating data for key climate modeling software in a deceptive manner. Some emails appear to show researchers misallocating expenses against a US government research grant.
Some observers speculate all these records had been assembled for a freedom of information request, and after the request was denied, an internal whistleblower elected to liberate them. Once information leaves the confines of the institution, it's easy to broadcast through channels like Wikileaks.com.
Separately, another institution on which technology has violently imposed transparency is international banking. An IT staffer at LGT Group stole secret bank customer records and sold them to the German tax authorities, who used them to prosecute tax evaders. “Liechtenstein Under Siege Clings to Bank Secrecy to Outdo Swiss,” Bloomberg.com 2/27/08.
Then a US Senate investigative committee data-mined Homeland Security records of foreign visitors to uncover a pattern of Swiss bankers coming to the US illegally to solicit deposits from rich American taxpayers. These unsavory revelations -- made possible by new technology -- have devastated the long-standing industry of secret bank accounts in places like Switzerland. The US has largely closed down that industry as an avenue for tax evasion and other crime. Kevin McCoy, “IRS: Offshore tax crackdown should produce 'billions',” USA Today, Nov. 17, 2009.
So in this technological age of leaks and sousveillance, what are institutions to do? Here are three mild examples of proactive transparency:
* New York City allows web-empowered citizens to track their government's performance on details like response times on calls to the fire department or the street maintenance crews.
* The City lets the same citizens monitor how the city is spending federal stimulus dollars.
* 15 local governments in South Carolina now post their full check registers online so citizens can scrutinize how the governments spend cash and which vendors get how much money.
Update November 29, 2009: After thinking about it, the University of East Anglia has decided that radical transparency is the only logical policy. In the wake of the hacker break-in described above, the University has announced it will reveal "all" of its climate data as soon as possible.
Technology motivates any publicly accountable organization (nonprofit, corporation, government) to adopt a radically open style of governance.
Owing to email, data logs, text messages and the like, the quantity of official business records ascends skyward, while the granularity of those records grows ever more fine. Detailed within these innumerable records are the secrets of the organization.
Stored this way, secrets are dangerous.
Keeping secrets -- or just withholding information -- is becoming harder and harder. Secrets and records can leak out by way of FOIA, spies, gossip, hackers, mistakes, e-discovery, whistleblowers, external surveillance, or just the natural course of events (sousveillance). In finance, a "trusted" banker will leak to a friend secrets about exotic instruments like credit default swaps, which are so new that the law has yet to establish "insider trading" rules applicable to them. Kara Scannell, "Trader's 'Nice Little Kiss' Tests Reach of Regulations," Wall Street Journal, March 31, 2010.
A leak is dangerous.
The leak is an invitation for an adversary to allege malfeasance. When a secret leaks, the adversary's storyline becomes (a) the organization possessed information that the public needed, (b) the organization wrongfully withheld the information and (c) the public now knows the information only because a righteous force external to the organization brought it to light.
For a smart organization, the best posture is to preempt the leaking. Before the leak happens, it should embrace transparency and publish (most all of) its records and activities onto the public Internet. It should expose its information to independent review and debate. Authors Tapscott and Ticoll admiringly call such an organization the naked corporation.
False Statement?
Take for example the story of the small, grassroots political action committee named “Take Back Your City,” which is promoting a vote by citizens against red light cameras in the municipality of College Station, Texas. Through a freedom of information act request, the PAC obtained extensive email records regarding the city government’s use of the cameras. In this trove of information, the PAC found what it believes is smoking gun evidence that the city is engaged in false, illegal political advertising about the effectiveness of the cameras. The city claims -- in a flyer to be inserted in monthly utility bills -- that the cameras have reduced traffic accidents, but the PAC says an internal city email contradicts that claim. The PAC attached the email as evidence to a formal complaint it filed with the Texas Ethics Commission.
Whether this complaint will result in ethics sanctions against the city (or more particularly the city manager cited in the complaint), I don’t know. But the city’s defense would be easier had it been more open and transparent with its records. When it gave the email records to the PAC, it could have also posted them all on its web page as well. (Why not? The city had already gone to the trouble to compile them.) Then, when it prepared its flyer for the utility bills, it could have made its point about accident reductions while also saying, “Each citizen can draw his or her own conclusions. The city has posted on its web page exhaustive records regarding traffic cameras.”
Such openness takes the punch out of allegations that the city lied. Effectively, it enables the city to say, “We drew a conclusion from the data and told citizens our conclusion, but our statements to citizens were more than just that. We also made all the data available to the citizens and told them they could read it themselves and draw their own conclusions. We've opened the data to third party review.”
Investigating Leaks
Another lesson in transparency derives from the contrast in styles between the board of directors at Hewlett-Packard Company and the town council at Watertown, Massachusetts.
When HP saw that someone on its board was leaking company secrets, it assumed cloak-and-dagger mode. It didn’t talk about the problem. It secretly hired private investigators to spy on members of its board as well as reporters in the media. The private eyes violated the privacy of the directors by hijacking their telephone calling records. AT&T discovered the hijacking and reported it to its customer, Tom Perkins, one of the directors targeted by the spying. The result was an embarrassing, debilitating scandal, with lawsuits, criminal complaints, an SEC investigation, a congressional investigation, and the end of the careers of two of the company’s top lawyers.
HP followed the old-fashioned, closed approach to resolving a crisis. But in this Internet age -- where clandestine activities are hard to keep clandestine -- that approach led to disaster.
Compare the YouTube video below. It shows the town council dealing with the same problem as the HP board – insider leaks. The leaks pertained to closed-door deliberations about contracts. But rather than spying on its members in the dark of night, the Watertown council brought the issue into the open. It discussed the topic in public, video-broadcast session!
Notice that Watertown’s transparency immediately deters future leaks. The leaker has to be thinking, “My leaks are attracting negative attention. Now all the citizens are on alert, and some knowledgeable witness watching out there may come forward with embarrassing information that reveals me as the leaker. I’d best stop leaking.”
By being transparent, the council uses the Internet as its enforcer, and it avoids the risk of an HP-style scandal. Legal compliance meets modern public communications.
–Benjamin Wright
At the SANS Institute, Mr. Wright stresses that, in the wake of a data security incident, the delivery of an effective public message is as important as the technical and legal response.