Saturday, February 26, 2011

Lawless Border Region or Federally-Administered Tribal Area? The World of "Enemy Combatants", "Militant Extremists", and "Terrorist Threats"...

Once upon a time it was fashionable to be a samurai on the internet: bushido was the only code one had to live by.  Honor was everything and corporations were held to the same standard as individuals.

Somewhere along the line things changed; the internet became ubiquitous and a little more corporate.  Gone were the days of feeling like the internet was a well-worn sweatshirt or a portly uncle.  Although there are now billions of people online and zillions of profit motives there seems to be little attention paid to business "basics": no account "passports", no account security, no particular mindfulness of standards, no promise of satisfaction.  How it's possible that anyone could get away with suggesting that changing one's password regularly might yield some measure of security is beyond reason; how so many otherwise "technology-savvy" individuals could believe such a thing is beyond comprehension.

An introductory survey of fascism leads one to understand how rapid industrialization takes place.  Observing the growth of the internet from the late 90's until today offers a real-world lesson in a fascism of sorts and its legacy can still be seen today: why are so many sites/start-ups/companies focused on growth at the expense of the experience offered?  Perhaps the fascism has given way to a kleptocracy: once upon a time being at the center of internet power was a function of being literate in code and knowledgeable of engineering arts; these days it seems that being part of the 1% is good enough.

Truth be told: were it not for getting the short end of a security stick over the last two years I would still assume that one can stay high and dry despite the existence of a cesspool.  My experience with a small set of companies (beginning in Fall 2010) is telling...

As a customer since 1999 I had made a few purchases here and there (no more than 5-10 in any given year) and was always pleased with's customer service and vast catalog of products.  At one point I even had an credit card (which I closed for the sake of my credit score) and was able to get a pair of accounts merged as a courtesy.  When got into the MP3 business I used some Pepsi Rewards Points to download a Metallica album (take that Napster!); when cloud computing services became available I installed the command-line tools and created some machine images.  Although I never signed up for's "Prime" service (I don't make enough purchases to make such a decision cost-effective) I had always considered myself to be a model customer.

My account was closed in late September 2010.  As I would later learn such closure is not unheard of and has been known to occur when customers are suspected (though not necessarily proven) to have abused's returns policy.  In my particular case the basis for my account being closed was the account's security having been compromised: a Sony Playstation 3 was somehow ordered and shipped to my home.  Further review of the account history shows a number of gift cards being purchased (more on that under "Paypal") by one "".  I have since learned that such purchases are made for something known as "dropshipping" (using to engage in shipping fee arbitrage).

All of the same wouldn't necessarily be remarkable but the manner in which the events were brought to my attention and the way in which they were resolved is worth noting.  Although it may be hard to believe the actual account closure email message was somehow not delivered.  When the Playstation arrived it became clear that something was wrong but only later would I find out that $1560 worth of charges had been processed (I was not held responsible); discussions with Customer Service (via the listed customer service phone number) regarding the errant shipment resulted in my account being closed but it was only after a dozen or so email messages (to '' and '', which is the only way to request assistance with security-related account issues) and a final direct plea to Jeff Bezos' office that my account was returned.  While I did my best to point out some of the issues which the incident broached (i.e. no notification of any change to account policies which would allow account seizure, a typo in's Conditions of Use help page, and no established account reinstatement process) I was lucky enough not to require use of my account for the year it took for the matter to be resolved.  The most curious aspect of the situation was that representatives stated that there was no way to transfer a community profile (i.e. reviews, Listmania Lists, etc.) or item ratings to a new account; even the $75 gift card which was sent to me was not enough incentive to just forget the old account (I had my mom open her own account to make use of the card).  While customer service was able to offer me a copy of my order history and a transfer of my Wish List items and Amazon EC2 support was ready to provide directions for moving over my AMIs it turns out that there was (and possibly is) no way to recover the MP3 files which one has purchased when one's account is closed.

To me it's strange to think that these types of things (i.e. customers having their accounts closed for suspected drop-shipping activity) have been covered by the local news in Seattle or that an email to Jeff Bezos would be needed for resolution; after all, claims to be "the world's most customer-centric company" and (in my experience anyway) has always had a very friendly veneer.


Apparently I really like Playstation 3 because two of them were bought under my account in late September 2010; also, my name is Mohammed and I live in Ohio (according to the shipping details anyway).  Nevertheless, a 10-minute online chat with eBay resolved the issue with no out-of-pocket cost; there was no effect to my eBay profile (i.e. feedback) either, which was fortunate since I've garnered a positive score of more than 100 as a result of small transactions over the last ten years.

The thought occurred to me that, at this rate of Playstation accumulation, my weapons program will be ahead of Saddam's in no time...


For the longest time my biggest gripe about PayPal was not that it wasn't GNUCash but rather that one had to upgrade one's account to "Premier"/"Business" in order to accept credit card payments; such a policy is understandable if one is processing many transactions... but is it reasonable for someone who gets the occasional payment funded via credit card by a new user/clueless friend/etc.?  A few years ago PayPal changed its policies so my decade-old gripe (which I not only had mentioned to company representatives on multiple occasions but even had a cousin submit in person when he interviewed for a job) became irrelevant.  Nothing more to consider, yeah?

As it turns out one's PayPal account can become a subject of one's consideration counter to one's will; discovering that a number of transactions have occurred (in the form of payments being sent to parties which are not known) means that one has officially descended into the seventh layer of hell.  OK, calling PayPal and getting the transactions marked as fraudulent was actually not that bad; getting a two-factor authorization key and then having to mark more (subsequent) transactions as fraudulent... still not *that* bad (in practice anyway - such an event sort of dispels any illusion one might have that, in theory, two-factor authentication is a panacea for all woes security-related).  Finding out that the PayPal Resolution Center web form doesn't play nice with Safari... annoying, but not catastrophic.  Realizing that PayPal can decide a dispute in some way other than in your favor and not provide you with a bit of information aside from an address where you can send a subpoena... irritating, but not a physical harm.  Taken together?  Perhaps Dante's Inferno is not altogether an inappropriate analogy for where I found myself in September 2010.

Looking into how one might handle such a situation I discovered that there are websites that advocate something like full-scale media war in order to get PayPal's attention; one such website ('F*', etc.) has a picture of George W. Bush flipping the reader the bird and lists a number of organizations (media outlets, Congressional representatives, etc.) that can be contacted on your behalf.

Rather than taking what I thought to be a drastic approach I decided to wait.  Ultimately my funds were returned (about six months after the initial transactions) and I sent a letter to PayPal detailing the situation which had occurred such that the algorithms used to identify unauthorized transactions can be reviewed to confirm that transactions are properly correlated (e.g. identifying that multiple large-sum payments to a single party in an account with sparse low-sum activity to varied parties might be suspect) and hopefully improved.  It seems odd that the funds were used to purchase gift cards (more on that under "") and later hosting, files ("Hotfiles" and "Rapidshare"), and small-denomination private-party transactions; why would anyone want to buy any of these things, let alone feel the need to steal the money for them?

Antecedent to the incident which occurred the only security problem I had ever had with PayPal was when my PayPal Plus MasterCard was blocked from making an exhaust purchase in 2007 "for my protection"; when I called to explain that (a) I had never agreed to such terms of service, (b) such terms were not explicitly part of the membership agreement in place when I signed up for an account, and (c) my preference is to opt-out of any such "protection" (as any freedom-loving American would) I was informed of the fact that this is PayPal's world, not mine (i.e. that one cannot opt-out of such "protection" and that accountability regarding changes to membership agreements is not something to which I can hold PayPal to account).  One later incident in which a payment for a flight lesson was similarly rejected has led me to rely on another credit card for purchases but I'm pretty sure PayPal is an eBay company and, as such, is headquartered (and governed) by American law; maybe one of my elected officials will ultimately become aware of the problem and help PayPal out.


Having lived in The United States of America for most of my life (sans the occasional holiday travel abroad) it takes quite a bit for me to think of a customer service experience as having set a new low in customer relations; somehow Skype lowered the bar.

The five or so chats with Skype customer service which took place before I could even get to the point where someone understood what I was asking were like talking to Luna Lovegood (from the Harry Potter movies)... only with her having suffered a full-frontal lobotomy and with a severe case of amnesia.  When I got stuck I tried posting to '' as I had read that others had gotten results by way of Skype employees who were monitoring the forum... though I had no such luck (the site has since been closed).  Getting my account back was a relief in some sense as one's ID is linked to an account and can't be re-used under a new account.

A few additional chats resulted in the payments which had been made being reversed but it's not clear why someone would need to use my Skype account to make unauthorized calls to Egypt in October 2010 (fomenting revolution perhaps?); as John Chambers said over ten years ago "bandwidth is free" (long-distance phone calls are correspondingly cheap and have been so for quite some time)... apparently whoever used my account didn't get the memo.  While it's annoying that there was no offer to clean the call history as a result of the unauthorized activity it was nice to not ultimately have to quit using Skype (though at this point Google Voice seems more compelling on a cost basis).

...It's foreboding (and scary) to think that an organization like TRUSTe (with whom I interviewed in late 2010) has become a for-profit business.  What hope do we have of seeing sites/start-ups/companies become compliant with a more well-reasoned set of standards, practices, policies, and procedures?

Although there are some aspects of internet security which have been a joke for as long as can be remembered (e.g. arbitrary session timeouts, junk email, CAPTCHA, etc.) I've always found that such things can be safely ignored: some researchers can't get past security pork and the public is always an object of abuse... but we still go on living.  It's too bad that things get more complicated when there's money involved and it seems pretty obvious that culture has a large part to play in what becomes of that which has captivated and charmed so many: the internet experience.