RIAA pushes anti "login sharing" legislation in Tennessee, hopes others follow

Originally published on 06/06/2011 on lubbockonline.com

Sheila Burke and Lucas L. Johnson II report in the Tennessean that Tennessee has passed legislation making it illegal to share logins to "entertainment subscription services." The article focuses on Netflix logins, but it covers any kind of entertainment subscription login - whatever that means.

According to the article Recording Industry Association of America (RIAA) pushed for this bill, which makes the big focus of all the news stories - Netflix - all the stranger. The RIAA's concern would primarily be music services like Rhapsody, but the law does cover anything that could be called an "entertainment subscription service." Netflix qualifies, and sharing of logins in college dorms and by 'services' selling logins could be a problem. But is this really a big problem, or is this another case of an industry with a failing old business model looking for any excuse to explain it's problems other than the fact that old business models are changing, and businesses that won't change will fail?

The question is, how long will they be able to push legislation to prop their old, failing business model up, and how much damage will they do in that time?

Should your employer care about your (off time) privacy?

Originally posted 4/7/2011 at lubbockonline.com

Have you ever thought about how the things you do online when you're not at work could affect your job? I'm not talking about a careless rant on Facebook or an ill-considered tweet about your boss. I'm talking about all the information you put up online. Even if all you do is use Google to find information you've probably put far more than enough information online to identify you.

In 2006 AOL released "anonymized" search data that was used by the New York Times to identify several searchers. For an idea of the kinds of things available in search data, look at the Consumerists post on AOL User 927. I'm sure he didn't want anyone knowing what he was searching for. Just to make sure we understood how much we tell about ourselves online, around the same time Netflix released anonymized data that ultimately outed gay and lesbian members, or would have if the researchers had publicly released the data. An in-the-closet lesbian mother sued Netflix over their release of the data. The researchers who were able to determine sexual preference were also able to determine political affiliations. All based on the movies people rented and rated.

If so much can be discovered from supposedly anonymized data, imagine what can be learned from your Twitter and Facebook accounts. It's not uncommon for people to post their full name, birthday, all the schools they attended, the names of most of their family, pets past and current, favorite everything, first everything, and just about everything else. How many of those things are used as security questions to recover you password for your online banking? How many of those things, or some permutation of them, are used for passwords by people? How many of them are used for passwords related to work?

But even if you use randomly generated passwords all of that information is useful to bad guys. It is the ammunition for the weapons used in social engineering attacks. With the information on many peoples Facebook pages a skilled social engineer can gain trust, either from you or from someone you know. After all, if he knows so much about you he must know you. Using that trust he (or she) will get information a person would normally never give someone they barely know. It works better than you might think. A lot better. But if a salesman has ever sold you something you didn't really want or need, or if you've ever watched John Edwards on "Crossing Over" you know that.

Without privacy you can't have security, and many of us don't even think about privacy while we're online. It's bad enough when I think about all the individuals exposing themselves to all the bad guys on the internet. Then I think about the CSO's who are trying to protect data hidden behind passwords and relationships tied to all that data being published on Facebook, Twitter and the rest of the web and I wonder that we manage to keep any data secret at all.