Archive for December, 2006

Speed Camera Risk

Thursday, December 21st, 2006

Sean Tierney over at “Scrollin’ on dubs” has a nice little rant about why he hates speed cameras and what might be done about them.

I hate photo radar. Hate it. And it’s not because occasionally I drive too fast and get a ticket. It’s because the city proselytizes it as being a safety measure when in truth they’re using it purely as a revenue-generating tool. Last year in Scottsdale after only six months of installing speed cameras on the 101 highway, the city issued nearly $3MM in tickets… that’s just absurd. It didn’t make anyone drive slower. What it did was cause car accidents because inevitably some of the cars in traffic would hit the brakes as they approached the zones where they knew the cameras were. With a random fraction of the cars sporadically slamming on the brakes without warning, it’s no wonder that stretch of highway became one of the most dangerous in Arizona.

In the UK, drivers adopted a different countermeasure: bunching.

In response to automated speed traps, drivers are adopting the obvious tactic of driving just below the trigger speed for the cameras, presumably on cruise control. So instead of cars on the road traveling at a spectrum of speeds with reasonable gaps between them, we are seeing “pelotons” of cars traveling closely bunched together at the same high speed, presenting unfamiliar hazards to each other and to law-abiding slower road-users.

The result is that average speeds are going up, and not down.

I wanted to bring in Schneier here since, in Beyond Fear, he reminds us that one of the key things to consider when assessing a risk is the agenda of each party involved in the risky activity.

As Sean points out in the Scottsdale case, the city was on pace to generate over 6 million dollars a year in revenue from the cameras. Any increase in the accident rate would be largely an externality to the city collecting that revenue (not entirely: more accidents also mean more calls on police, fire, and ambulance services). The party with the agenda to install the cameras is not the party that bears most of the cost.

Information classification

Wednesday, December 6th, 2006

This is something of a follow-up to my post on Swivel.

We recently overhauled our very dated and paper-centric information classification hierarchy.

As part of this effort, we conducted an audit of our internal Content Management System (CMS), which contains many, many terabytes of corporate data, and found that while 40% of it was classified as “need to know, access control required,” only about 20% of the sampled documents actually met the bar for that level of classification. When classifying, people err on the side of caution.

At the same time, we looked at information leakage, and what we found there was that people err in the opposite direction when it comes to using and sharing data: they routinely sent information labeled as confidential/controlled outside the company.

The risks I see from Swivel are the usual risks associated with granting a third party access to information, along with the risk that a clueless but well-intentioned person will put things they shouldn’t on the public site.

Lies, damn lies, and statistics

Wednesday, December 6th, 2006

Swivel is a self-described “youtube for data.”

Swivel Co-founders Dmitry Dimov and Brian Mulloy start off by describing their company as “YouTube for Data.” That’s a good start for someone trying to understand it, because the site allows users to upload data - any data - and display it to other users visually. The number of page views your website generates. Or a stock price over time. Weather data. Commodity prices. The number of Bald Eagles in Washington state. Whatever. Uploaded data can be rated, commented and bookmarked by other users, helping to sort the interesting (and accurate) wheat from the chaff. And graphs of data can be embedded into websites. So it is in fact a bit like a YouTube for Data.

But then the real fun begins. You and other users can then compare that data to other data sets to find possible correlation (or lack thereof). Compare gas prices to presidential approval ratings or UFO sightings to iPod sales. Track your page views against weather reports in Silicon Valley. See if something interesting occurs.

How will they make money? By selling the ability to protect data uploaded to the service:

Not all data will be public. The company’s business model is to provide the service for free for public data, and charge a fee for data that is kept private. Private data can still be compared by the owner to public data sets.

This will be incredibly cool right up to the point where people start uploading personal data or sensitive corporate data to the free site, either because they’re clueless or because their company wants the analysis but isn’t willing to pay for the access control.

I can see huge opportunities to poison analysis with bad data sets. I can see this being a great tool for astroturf campaigns. It’s excellent plausible deniability: “Don’t believe me, believe the (bad) data!”
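The two failure modes above (finding a correlation by comparing a dataset against everything else, and seeding the site with a dataset built to “prove” a point) can be shown on constructed data. The following is an added example written for this page; it is not Swivel’s code or anything from the original post. The dataset names, the random-walk inputs and the 0.9 target strength are all assumptions made for illustration, and only the Python standard library is used.

```python
"""Added example: why 'don't believe me, believe the data' deserves a sceptical
reader on a YouTube-for-data site.  Two effects on constructed (random) inputs:
  1. With many unrelated datasets, some pairs correlate strongly by chance
     alone (the multiple-comparisons problem), and
  2. anyone can manufacture a dataset that correlates with a chosen target
     at whatever strength they like (the astroturf / poisoning case).
All data here is synthetic; nothing is fetched from anywhere."""
import random
from itertools import combinations
from math import sqrt


def pearson(x, y):
    """Pearson correlation coefficient of two equal-length sequences.
    Returns 0.0 when either series is constant (correlation is undefined)."""
    n = len(x)
    if n != len(y) or n < 2:
        raise ValueError("need two equal-length series with at least 2 points")
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    if sxx == 0.0 or syy == 0.0:
        return 0.0
    return sxy / sqrt(sxx * syy)


def random_walks(n_series, length, seed=2006):
    """Constructed sample 'uploads': independent Gaussian random walks, which is
    roughly what many monthly series (prices, counts, page views) look like.
    Dataset names are hypothetical; each walk is unrelated to the others."""
    rng = random.Random(seed)
    series = {}
    for i in range(n_series):
        value, walk = 0.0, []
        for _ in range(length):
            value += rng.gauss(0.0, 1.0)
            walk.append(value)
        series[f"dataset_{i:03d}"] = walk
    return series


def strongest_pairs(series, top=5):
    """Rank every pair of datasets by |r|, highest first.  This is the
    'compare it against everything and see what pops out' workflow: with k
    datasets there are k*(k-1)/2 comparisons, so the best-looking pair is not
    evidence of anything."""
    names = sorted(series)
    scored = [(abs(pearson(series[a], series[b])), a, b)
              for a, b in combinations(names, 2)]
    scored.sort(reverse=True)
    return scored[:top]


def fraction_above(series, threshold):
    """Share of all pairs whose |r| exceeds `threshold`: the base rate of
    'strong' correlations you get from data that is unrelated by construction."""
    names = sorted(series)
    pairs = list(combinations(names, 2))
    hits = sum(1 for a, b in pairs
               if abs(pearson(series[a], series[b])) > threshold)
    return hits / len(pairs)


def poisoned_series(target, strength=0.9, seed=7):
    """Manufacture a dataset that correlates with `target` at about `strength`.
    Standardise the target, then add Gaussian noise whose variance s^2 makes the
    expected correlation 1/sqrt(1 + s^2) == strength, i.e.
    s^2 = 1/strength^2 - 1.  The result can then be uploaded as 'independent'
    data that happens to support whatever the uploader wants to claim."""
    if not 0.0 < strength < 1.0:
        raise ValueError("strength must be strictly between 0 and 1")
    rng = random.Random(seed)
    n = len(target)
    mean = sum(target) / n
    sd = sqrt(sum((t - mean) ** 2 for t in target) / n)
    if sd == 0.0:
        raise ValueError("target series is constant")
    noise_sd = sqrt(1.0 / strength ** 2 - 1.0)
    return [(t - mean) / sd + rng.gauss(0.0, noise_sd) for t in target]


if __name__ == "__main__":
    uploads = random_walks(n_series=80, length=24)
    print("strongest chance correlations among 80 unrelated uploads:")
    for r, a, b in strongest_pairs(uploads):
        print(f"  |r| = {r:.2f}  {a} vs {b}")
    print(f"share of pairs with |r| > 0.7: {fraction_above(uploads, 0.7):.1%}")
    fake = poisoned_series(uploads["dataset_000"], strength=0.9)
    print(f"engineered dataset vs its target: "
          f"r = {pearson(uploads['dataset_000'], fake):.2f}")
```

Running it ranks the handful of pairs that look like a story out of thousands of unrelated comparisons, reports how common such pairs are, and shows that a dataset can be engineered to track any target the uploader chooses. The practical check is the same in both cases: ask how many comparisons were made before this one was picked, and who uploaded the series and why.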

Regardless, I think it’s probably the scariest, coolest thing I’ve seen all week.

Research Design

Monday, December 4th, 2006

Here’s a really good article on designing research efforts that the security world would do well to learn from.

There are many academic departments (called statistics departments) that study the question of what to do with your data after you collect it. There is not even one department anywhere that studies the question of what data to collect — which is much more important, as every scientist knows.

Much of the discussion around security metrics seems to revolve around the question of what to measure. It’s good to know that we’re not alone in this regard.