Corporate sneakiness. Government waste. Technology run amok. Outright scams. Our effort to unmask these 21st Century headaches and offer solutions that save you time and money.

15 May 2013, 4:45am EDT

    Surprise! Prepaid debit cards actually a good deal for consumers

    By Bob Sullivan, Columnist, NBC News

    Prepaid debit cards, long synonymous with frustrating or even exploitative fees, are suddenly a pretty good deal. In fact, artfully deployed, a prepaid card can be used without any fees at all, and serve as a real substitute for a checking account.

    It should come as no surprise, however, that there is still plenty of small print to worry about.

It would have been unthinkable a few years ago to put the words "good deal" and "prepaid card" in the same sentence. Called "general purpose reloadable cards" by the industry, prepaid debit cards that allow repeated deposits have always come with a laundry list of traps designed to grab $2-$3 at a time from unsuspecting card holders: fees for loading, fees for withdrawing, fees for checking balances, fees for doing nothing. A story in 2009 recounted an ordeal in which a consumer was charged $2.95 when his transaction was declined (he claimed there were sufficient funds in his account), then was charged $1.95 when he called to complain.

    But banks are easing off some of those fees thanks to a number of factors — competition being chief among them. Large banks like Chase have jumped into the prepaid market, creating sizable networks for cardholders to enjoy fee-free ATM withdrawals.  Walmart's aggressive steps into the market have helped consumers, too — card holders can deposit money onto cards at ubiquitous Walmart stores for free.

    "We are seeing new entrants to the market with some pretty compelling offers," said Greg McBride of Bankrate.com, which recently issued a report about the turnaround in the prepaid debit market. "Over time, this will marginalize the higher-cost offerings that have characterized the prepaid marketplace so far."

    That marketplace is expanding, even when some other parts of the plastic card market are shrinking, according to a report from bank consultancy Mercator Group. Gift card purchases dropped slightly from 2011-2012, but reloadable cards that act as pseudo checking accounts were purchased by 14 percent of U.S. consumers in 2012, up from 12 percent in 2011, the Mercator report said. The Consumer Financial Protection Bureau says $57 billion was loaded onto reloadable cards last year.

    Even consumer advocates have noticed the kinder, gentler nature of the reloadable cards, and some even think they are a real alternative for the 10 million U.S. adults who currently don't have a checking or savings account.

    "There has been tremendous price compression. We look at the fee schedules for these cards, and it isn't that horrible," said Jennifer Tescher, CEO of the Center for Financial Services Innovation. "We feel like these products are headed in the right direction, that (prepaid cards are) becoming a mainstream product. I am quite excited about the possibilities."

    Transparency spurs growth
    New prepaid cards come with a long list of benefits once limited to checking account users. Consumers can direct-deposit paychecks onto the cards (and in many cases, avoid monthly fees by doing so). The cards allow holders to make Internet purchases. They can sign up for online banking and pay bills online with the cards. In some cases, they can even write paper checks using the accounts.

McBride links growth in the market to growing transparency about costs. In the past, consumers were often forced to buy the cards at grocery stores or other retail outlets without being able to see the full list of fees, some of which were disclosed only online. But newer card issuers have adopted simplified, single-monthly-fee structures that are winning over consumers.

    "The transparency of that one monthly fee is pretty compelling. You can easily quantify what the cost is going to be," McBride said.  Even more compelling — that monthly fee may very well be less than the fee on a low-balance, entry-level, traditional checking account. For example, Bankrate's survey of 24 prepaid card issuers found that 15 had monthly fees ranging from $3-$10. Bank of America's entry-level checking account can cost $12 monthly. (In both cases, monthly fees can be avoided via direct deposit and other ways).

Prepaid debit cards are still not a full replacement for traditional checking accounts. Most critically, prepaid cards enjoy none of the standard federal consumer protections that credit cards and bank debit cards do: there is no required refund for fraudulent charges, for example, and no required dispute-resolution process. As a result, Internet message boards are full of consumers who complain that money has been stolen or is missing from their card balance, and who say they have no recourse.

Because of the lack of federal protections, prepaid debit card payments are similar to wire transfers: once the money is sent, it's gone, and Internet criminals have taken notice. Cards like the popular Green Dot have become a frequent, and powerfully elusive, way for Net criminals to steal from consumers. Nigerian scammers, for example, no longer need to trick a mark into visiting a Western Union and wiring money overseas. Many now trick victims into buying a Green Dot card instead and sharing the card's secret payment code online, which is all the scammer needs to take the money. The Better Business Bureau and NBC News' ConsumerMan issued a warning about this recently.

    Consumers also complain about poor customer service when they call to dispute deductions, or when they complain about missing money.

    But it appears general purpose reloadable cards are here to stay. They have become popular with government agencies that disburse funds — such as unemployment benefits or tax refunds. Loading a card is safer and cheaper than mailing checks. And while they have a reputation for servicing consumers who are blocked from traditional banking, a growing number of middle-class consumers are using the cards. A report issued last year by the Aite Group says 34 percent of users hold college degrees, and one-third earn more than $45,000 annually.

    Red Tape wrestling tips
People use prepaid debit cards in two very different ways (arguably they should be two different products), and it's important to understand the distinction before buying a card.

    Short-term purchasers use them as gift cards: To give a college graduate $100 to spend how he or she likes, for example. The card will be used and discarded. For that use, pick a card with low activation fees, even if it has a higher monthly fee. Just advise the recipient to use it quickly. Another slice of consumers use prepaid cards to spend at special events like vacations. They fall into the same category. 

    On the other hand, consumers who plan to use prepaid cards as a checking account substitute, and who plan to take advantage of a card's full slate of options — frequent ATM withdrawals, check deposits, etc. — should pay more attention to monthly fees when buying a card. 

    Many of these fees are not obvious from the card packaging, so it's worth doing a little research online to pick the best card for your purpose. Consumers Union warns consumers to consider the following potential costs:

    • Activation or initiation fees
    • Monthly fees
    • Point-of-sale transaction fees
    • Cash-withdrawal fees
    • Balance-inquiry fees
    • Fees to receive a paper statement
    • Fees to call customer service
    • Bill-payment fees
    • Fees to add, or “load,” funds
    • Dormancy fees for not using your card
    • Fees to get your remaining funds back when closing the account
    • Overdraft, or “shortage,” fees

26 Apr 2013, 4:45pm EDT

    LivingSocial database hacked; 50 million customers impacted

    By Bob Sullivan, Columnist, NBC News

    LivingSocial's customer database has been hacked, impacting the website's 50 million customers. The firm began sending emails to customers Friday afternoon telling them they would have to change their site passwords.

    "We recently experienced a cyber-attack on our computer systems that resulted in unauthorized access to some customer data from our servers. We are actively working with law enforcement to investigate this issue," LivingSocial CEO Tim O'Shaughnessy said in an email to employees that was provided to NBC News by a company spokesman.

The memo said that customer credit card information was not stolen; it was stored in a separate database. And while the hacker stole customer passwords, the memo said they were "encrypted" and "salted." In practice that usually means the passwords were stored not as readable text but as the output of a one-way function mixed with a random per-user value, so anyone holding the stolen table has to guess each password separately rather than look them up in a precomputed list.

    In the memo, O'Shaughnessy included the text of the customer email. "Although your LivingSocial password would be difficult to decode, we want to take every precaution to ensure that your account is secure, so we are expiring your old password and requesting that you create a new one," read the email.

    The company advised consumers who used their LivingSocial password at other sites to change the password at those sites, also.
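The article reports that the stolen passwords were "encrypted" and "salted" and that they would be "difficult to decode." The following is an added example, not LivingSocial's code, that shows what salted password storage buys and what it does not: the same password stored for two users yields two unrelated records, so a single precomputed table cannot be reused across a leaked database, but a weak password still falls to a per-user dictionary run, which is why the advice to change reused passwords matters. It uses PBKDF2-HMAC-SHA256 from Python's standard library; the passwords and word list are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 100_000  # work factor: slows every guess an attacker must make


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Store a password as 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.

    A fresh 16-byte random salt is drawn per user unless one is supplied
    (supplying one is only useful for reproducible tests).
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, hash_hex = record.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported record format: {algorithm}")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


def lookup_precomputed(unsalted_sha256_hex: str, wordlist: Iterable[str]) -> Optional[str]:
    """What an attacker does against UNSALTED hashes: one table, built once,
    answers every record in the leak by lookup."""
    table = {hashlib.sha256(w.encode("utf-8")).hexdigest(): w for w in wordlist}
    return table.get(unsalted_sha256_hex)


def crack_with_dictionary(record: str, wordlist: Iterable[str]) -> Optional[str]:
    """What an attacker does against a SALTED record: every guess must be
    recomputed with this record's salt, so the table above is useless and the
    cost is paid again for each user. A weak password still falls."""
    for guess in wordlist:
        if verify_password(guess, record):
            return guess
    return None


def demo():
    # Constructed users who happened to pick the same weak password.
    wordlist = ["password", "123456", "summer2013", "letmein"]
    alice = hash_password("summer2013")
    bob = hash_password("summer2013")
    records_identical = alice.split("$")[3] == bob.split("$")[3]  # False: different salts

    # Unsalted storage is a lookup away from the plaintext.
    unsalted = hashlib.sha256(b"summer2013").hexdigest()
    found_by_table = lookup_precomputed(unsalted, wordlist)  # 'summer2013'

    # Salted storage forces per-record guessing, which still works for weak choices.
    cracked_alice = crack_with_dictionary(alice, wordlist)  # 'summer2013'
    strong = hash_password("velvet-otter-clarinet-41")
    cracked_strong = crack_with_dictionary(strong, wordlist)  # None
    return records_identical, found_by_table, cracked_alice, cracked_strong


if __name__ == "__main__":
    print(demo())
```

The record format is self-describing so the iteration count can be raised later without invalidating old rows; the constant-time comparison in verify_password avoids leaking how many leading bytes of a guess matched.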

    The firm expects its customer service phone lines to be deluged, so O'Shaughnessy warned that he may decide to temporarily suspend telephone customer service. "We will be devoting all available resources to our Web-based servicing," he added.

    O'Shaughnessy's message to employees concluded:

    I apologize for the formality of this note, which the circumstances demand. We need to do the right thing for our customers who place their trust in us, and that is why we’re taking the steps described and going above and beyond what’s required. We’ll all need to work incredibly hard over the coming days and weeks to validate that faith and trust.

    When Zappos.com had a similar incident last year impacting its 24 million customers, it also turned off customer service telephone lines temporarily.

    The LivingSocial attack is among the largest ever, doubling the size of that Zappos attack, but still smaller than several other high-profile hacks, such as the 2011 attack on Sony's Playstation network, which impacted nearly 100 million users. Because the LivingSocial attack doesn't involve financial information, it doesn't rank among the most significant hacks, however.

    Amazon is a part-owner of LivingSocial. A LivingSocial representative confirmed that Amazon accounts were not affected by the breach.

3 Apr 2013, 9:51am EDT

    Bank website attacks reach new high: 249 hours offline in past six weeks

Chart (Keynote Systems): availability of major U.S. bank websites during the past year. Data points below the top indicate less than 100 percent availability; descending fever lines indicate severe outages, many of them blamed on denial of service attacks.

    By Bob Sullivan, Columnist, NBC News

    Major U.S. bank websites have been offline a total of 249 hours in the past six weeks, perhaps the clearest indication yet that American companies are prime targets in an unrelenting, global cyber conflict. The heavier-than-usual outages are the result of a remarkable, sustained attack that began seven months ago and repeatedly knocks banks offline for hours at a time, frustrating consumers and bank security professionals alike.


    "Literally, these banks are just in war rooms, sitting at controls trying to stop (the attacks)," said Avivah Litan, a bank security analyst with Gartner Group, a consulting firm. “The frightening thing is (the attackers) are not using as much resources as they have on call. The attacks could be bigger."

    The denial of service reports were hardly noteworthy at first, hidden in the wake of news that U.S. embassies were under siege during the week of September 11, 2012. But in short order, Bank of America, Wells Fargo, PNC and a number of other banks suffered hours-long website outages. A group calling itself Izz ad-Din al-Qassam Cyber Fighters released an anonymous statement saying it was attacking banks in sympathy with real-world protestors who were reacting to an anti-Islam film that had been posted online.

    Seven months later, the group is still taunting the U.S. financial system, with notice almost daily from another bank that had to apologize for letting down its customers. American Express and Wells Fargo issued statements last week saying they suffered outages. Even with advance notice, the biggest financial institutions in the world can’t seem to stop them.

    No one interviewed for this story believes that a perceived insult over a Web movie is the attackers' motivation, as the al Qassam messaging has stated. Though some considered that it might be the work of attention-seeking teen-aged hackers, they would likely have grown bored, or run out of resources, long ago.

    In the fall, national security officials speaking on background told several media outlets, including NBC News, that they suspected the Iranian government was behind the attacks. It seems certain that an organized group, with both a political motive and the ability to fund the operation, is to blame.

    Keynote Systems, which provided the compilation of bank outages exclusively to NBC News, measures website availability by checking sites every five minutes and logging the results. It works with major banks to set up "dummy" accounts so its computers can log in and make sure online banking services are available, and constantly checks the largest 15 U.S. banks. Websites go offline for a variety of reasons — late-night software upgrades, for example — and some outages are to be expected, said Aaron Rudger, a Keynote spokesman.

    Still, 249 hours during a six-week period (ending March 31) is significant, indicating those bank websites were unavailable for about 2 percent of the time during that stretch. For comparison, during the same six weeks a year ago, the same bank websites were down 140 hours. Keynote has no way of knowing why a site is unavailable, but Rudger was comfortable inferring that the so-called al-Qassam attacks were responsible for most of the increase.
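Keynote's method, as described above, is straightforward to reproduce for any set of sites: probe each one on a fixed interval, log up or down, and sum the failed intervals. The following is an added example, not Keynote's software, that does that over a constructed probe log in Python. It also separates a single failed probe (the late-night upgrade Rudger mentions) from a sustained outage by requiring a minimum run of consecutive failures, and it includes the check a reader of the figures above would want: 249 hours of downtime across 15 sites over six weeks is about 1.6 percent of the available site-hours, which is where the article's "about 2 percent" comes from. The log lines, site names and five-minute interval are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

PROBE_INTERVAL = timedelta(minutes=5)  # Keynote's stated cadence; assumed for the log below

# Constructed probe log: "<timestamp> <site> <UP|DOWN>", one line per five-minute check.
SAMPLE_LOG = """\
2013-03-27T09:00:00Z bank-a UP
2013-03-27T09:05:00Z bank-a UP
2013-03-27T09:10:00Z bank-a DOWN
2013-03-27T09:15:00Z bank-a DOWN
2013-03-27T09:20:00Z bank-a DOWN
2013-03-27T09:25:00Z bank-a UP
2013-03-27T09:00:00Z bank-b UP
2013-03-27T09:05:00Z bank-b DOWN
2013-03-27T09:10:00Z bank-b UP
2013-03-27T09:15:00Z bank-b UP
2013-03-27T09:20:00Z bank-b UP
2013-03-27T09:25:00Z bank-b UP
"""

Sample = Tuple[datetime, bool]  # (probe time, site was up)


def parse_log(text: str) -> Dict[str, List[Sample]]:
    """Group probes by site, oldest first."""
    probes: Dict[str, List[Sample]] = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, site, status = line.split()
        probes[site].append((datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ"), status == "UP"))
    for samples in probes.values():
        samples.sort()
    return dict(probes)


def outage_windows(samples: List[Sample], min_failed_probes: int = 2) -> List[Tuple[datetime, datetime]]:
    """Contiguous runs of failed probes. Runs shorter than min_failed_probes are
    treated as noise (one missed check during a deploy), not an outage."""
    windows = []
    run_start, run_len = None, 0
    for stamp, up in samples:
        if not up:
            if run_start is None:
                run_start = stamp
            run_len += 1
            continue
        if run_start is not None and run_len >= min_failed_probes:
            windows.append((run_start, run_start + run_len * PROBE_INTERVAL))
        run_start, run_len = None, 0
    if run_start is not None and run_len >= min_failed_probes:
        windows.append((run_start, run_start + run_len * PROBE_INTERVAL))
    return windows


def downtime_hours(samples: List[Sample]) -> float:
    """Each failed probe counts as one interval of downtime."""
    failed = sum(1 for _, up in samples if not up)
    return failed * PROBE_INTERVAL.total_seconds() / 3600


def availability_report(probes: Dict[str, List[Sample]]) -> Dict[str, dict]:
    report = {}
    for site, samples in probes.items():
        observed_hours = len(samples) * PROBE_INTERVAL.total_seconds() / 3600
        down = downtime_hours(samples)
        report[site] = {
            "downtime_hours": down,
            "availability_pct": 100.0 * (1 - down / observed_hours),
            "outages": outage_windows(samples),
        }
    return report


def share_of_period(total_downtime_hours: float, n_sites: int, period_days: float) -> float:
    """Downtime as a percentage of all site-hours in the period."""
    return 100.0 * total_downtime_hours / (n_sites * period_days * 24)


if __name__ == "__main__":
    for site, row in availability_report(parse_log(SAMPLE_LOG)).items():
        print(site, f"{row['availability_pct']:.1f}% up",
              f"{row['downtime_hours']:.2f} h down", row["outages"])
    print(f"249 h over 15 sites in 42 days = {share_of_period(249, 15, 42):.2f}% of site-hours")
```

Counting each failed five-minute probe as five minutes of downtime is the same simplification Keynote's figures rest on; a real monitor would also record why the probe failed (timeout, TLS error, HTTP 5xx, login page missing) so that a denial of service can be told apart from a broken deploy.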


    Rodney Joffe issued chilling advice to banks preparing for an al Qassam-style attack last fall: Prepare a sincere-sounding apology, he said at the time. Given the volume of apologies since then, he turned out to be right.

    "It goes on and on and on ... It's like they are kicking sand in someone's face, reminding people that they are there," said Joffe, who is senior technologist at Internet infrastructure company Neustar, which helps companies fight denial of service attacks. "You just have to ask yourself, 'Why?' (The attackers) just seem to enjoy being able to say 'On an ongoing basis, we can make life uncomfortable for your banking industry.'"

    Not everyone thinks the bank site outages are such a big deal.

    Michael Smith, director of the customer security incident response team at Akamai Technologies Inc., which provides website performance optimization and security for some of the companies targeted in the attacks, points out that customers have plenty of other ways to manage their money, and the outages haven't amounted to much more than an irritant.

More importantly, he says al Qassam has begun targeting smaller banks and other kinds of websites as larger banks become more successful at fending off their attacks or shortening the outages. The attackers also took a hiatus for part of February, probably to develop new attack techniques, Smith says, and have stopped tipping off targets ahead of time with weekly press releases.

    "We aren't seeing as many notifications that sites are down as we were. The impact just is not as dramatic as it was," Smith said. "They are changing tactics and trying to generate more attention, more press."

    Joffe says this is part of their strategy.

    "The bad guys here are using just enough of their firepower to achieve their objectives and not more," Joffe says. "They are creating a disruption to the banking industry. ... We already know if they wanted to make it bigger attack, they could, but it seems pretty clear that's not their intention."

10 Aug 2012, 6:01am EDT

    Are Olympics a Trojan horse for Big Brother?

Photo (Ettore Ferrari / EPA file): A security camera stands on a lamp post in front of London's iconic Clock Tower, which houses Big Ben, on July 23.

    By Bob Sullivan, Columnist, NBC News

    When the Olympic flame is doused on Sunday, we know the cheers will quiet, the athletes will move on and fans will go home. But will Big Brother stay behind?

    Every Olympics host city goes through it: the Olympic hangover. When the athletes step off the medal podiums, the city must clean up, pay the bills and figure out how to monetize a series of shiny new venues. The most important decision, however, might seem much more subtle: What happens to all those new security cameras and other surveillance technologies that were installed for the Games? Privacy experts fret that, as with Athens, Beijing and Vancouver, the Olympics means a steep ratcheting up of security that never really gets ratcheted down.


    "It would be a tragedy if the most visible legacy of the Games in London was a huge increase in the amount of surveillance people are subjected to in their everyday lives," said Nick Pickles, director of London-based Big Brother Watch.

    Host cities tolerate massive shows of security that would otherwise be unimaginable. In London, which already has more CCTV security cameras than any other city in the world, 2,000 new cameras were installed in the Olympic Village, while nearly 2,000 more were installed around the city, according to Big Brother Watch. License plate recognition systems have been installed throughout London. There are even surface-to-air missiles atop apartment buildings and more military troops on the ground than Britain has in Afghanistan. An $877 million effort, it's been called the largest peacetime deployment of security forces in history, but the question remains: Will there be mission creep? How much of that infrastructure and the public’s newfound tolerance for being watched will remain after the Games are finished?

    Earlier this year, the Electronic Frontier Foundation published an analysis of all recent Games and says the results are disheartening.  It should come as no surprise that the Beijing Summer Games were used as an excuse to install thousands of cameras that are still in operation, said the report’s author, Rebecca Bowe. But other cities have suffered similar fates, too.

    "The Games bring a legacy that lives well beyond the prestige," Bowe said. "We've witnessed time and again, the security infrastructure lives on well beyond the Games."

    Concrete concerns
    The concerns aren't merely theoretical. Athens officials installed about 1,000 cameras for the 2004 Summer Games. In 2007, Greece amended its national data protection law to exempt the cameras; Greek privacy commissioner Dimitris Gourgourakis resigned over the incident. The cameras have since been used during protests following economic unrest there.


    The Olympics has a long-running legacy as a massive security event, which long pre-dates post-9/11 terrorism concerns. It dates at least as far back as the Munich Summer Games of 1972, when a security breach contributed to the kidnapping of Israeli athletes from the Olympic Village; 11 were eventually murdered.  But even before that event, the Olympics were never free of international politics and the real possibility that some group might use them to violently make a point.

    No one disputes the need for heightened security during the Games, but is the installation of security infrastructure, and the culture that comes with it, a one-way street? Can a security state be dismantled? Or are the Games a Trojan horse that allows those with a heavy-handed security agenda to gain the upper hand?


    "The equipment has been bought and paid for. The real risk is they simply leave it in place and turn it over to local authorities, and by the back door, we have a huge increase in surveillance," Pickles said. "Government officials have made assurances that some of it is temporary, but they haven't said what."


    Already, whiz-bang security technology in London has proven tempting to local authorities. Pickles pointed to minutes from a recent borough council meeting in Newham, just east of London, where officials openly expressed desire to buy Olympics surveillance technology after the Games end.

    Alfredo Lopez, founder of the international privacy advocacy organization MayFirst/PeopleLink, said it's very difficult to reverse the Olympics security buildup.

    "There is no way these guys are going to take down those cameras, especially with all the social unrest there," said Lopez, who is based in New York.

    Lopez, a professed lover of Olympic sports, said the security issue threatens to squander any of the goodwill gained by the otherwise-peaceful international gathering.


    "I happen to believe, and I know this is corny, (that) the Olympics is one of the greatest things the human race does, so why do these bastards pervert it with their repressive attitudes?" he said. "How can you run a principal event of goodwill and friendship, then at same time, on top of buildings you have missiles? It's totally incongruous. It's very, very disturbing and contradictory to the Olympic spirit. It ruins the whole thing."


    'It softens people up'
One fundamental problem of the Games is that they are used as an "obvious show of military capability," Lopez said, with host nations using the occasion to beat their chests about their powerful ability to respond to threats. But Pickles is worried about a much more subtle issue: Residents get used to the trade-off between privacy and heightened security practices, and their tolerance level is slowly raised, leading to fewer objections to police tactics.

    "The danger is it softens people up to the next step," he said.

    The next step is Brazil in 2016, where circumstances on the ground dictate what will almost inevitably be an even stronger implementation of security force and technology. (Privacy advocates are too pessimistic about the 2014 Winter Games in Sochi, Russia, to use those games as a battleground.) An active battle between paramilitary police forces and organized crime means residents are used to compromised civil liberties, and even before the 2016 Games, Rio de Janeiro will host the World Cup in 2014. Diplomatic cables released by Wikileaks suggest that U.S. government officials have encouraged use of additional surveillance tools by the Brazilian government, as well as a partnership with U.S. security agencies.

As a result, market research firm 6Wresearch predicts Brazil's market for security cameras will nearly quadruple, to $362 million, by 2016.

By then, Pickles warns, people will have another element to worry about: the increased sophistication of technologies like facial recognition. Londoners, for example, would almost certainly not tolerate a permanent military presence in the city. But as police gadgets get smaller and smarter, they also become less visible.


    "It's getting more discreet, even as the processing power is getting more powerful," he said. "It's becoming much more clandestine, ... which means people won't object to it as much."

    Looking to Vancouver
    Brazil and London might be able to learn something from Vancouver's experience after the 2010 Winter Games. Western Canada has an active civil participation culture, and even before the Games began, Canada's privacy commissioner warned about mission creep in Olympics security plans.

    "The right to privacy must be upheld, even during mega-events like the Olympic Games, where the threat to security is higher than usual," Commissioner Jennifer Stoddard said in a speech delivered before the Games calling for dismantling of surveillance technology after the Games. "Will the residents of Vancouver and the lower mainland wind up living surrounded by an array of surveillance systems that they neither want nor need?"

    Partly as a result, most of the 900 video cameras installed by the Royal Canadian Mounted Police were removed after the Games. About 75 were left behind for use by the Vancouver police, said Adam Molnar, who is studying the Olympics security effect as part of his Ph.D. work at the University of Victoria.


    "British Columbia civil liberties associations put pressure on the Vancouver Police Department, which was in negotiations to keep the cameras up," he said. Even some of the remaining cameras were turned off, only to be used in crisis situations, he said.

On the other hand, analysis of Vancouver's post-Olympics security hangover is muddied by the fact that in the spring of 2011, there were major riots after the Vancouver Canucks lost hockey's Stanley Cup final. City officials successfully turned to Twitter and other social media tools, deputizing residents to help identify rioters. Given the embarrassment over the riots, many residents were eager to help.

    "That turns out to be an alternate route to (security) cameras everywhere," Molnar said.

    The most lasting legacy of the Vancouver Games, Molnar said, was not police gadgetry, but rather reorganization of the police force into small, nimble anti-riot teams that share some characteristics with paramilitary teams.

    "The extent that militarist ideal supplants community-based policing, that should concern people," he said. "And any time you have a deepening of integration between civilian and military police, like you have now in London, that's disturbing."

    Molnar felt confident that Vancouver's security experience offered some hope to privacy advocates in London and Rio, however.


    "You can look to Vancouver as a positive example of an active civil liberty and political community that tried to engage the government around privacy and surveillance issues, and that did earn some small victories," he said. "In many ways it's forced policing agencies to respond to public debate. ... There's certainly a need for informed civilian oversight."

    'Mega-events'
    But Bowe, of the Electronic Frontier Foundation, said she's worried that the Olympics will continue to be abused as one of a list of "mega-events" that give officials permission to tighten the security screws until tremendous power is concentrated in small government forces.

    "The march toward a militarized, urban future will continue apace unless people push back," she said. 


    And Lopez sees little room for hope at the moment.

    "My general worry as a human being is about the setting up of apparatus of police states in all of these places," he said.

    Even those who have faith in the good intentions of their current government are being short-sighted, he warned.

    "The (U.S.) and some of these places are not a police state now. But the problem is if the apparatus is set up, it could be easily be Nazified and turned on people. ... If there's a history to the world, it's that certain small, elite groups of people usurp and pervert the great works of the majority of humanity, like the Olympic Games, for nefarious and selfish purposes."

30 Mar 2012, 10:56am EDT

    Global Payments: Under 1.5 million account numbers hacked

    By Bob Sullivan, Columnist, NBC News

    UPDATED April 1, 11:35 p.m. ET

Global Payments Inc. indicated on Sunday night that about 1.5 million consumers were impacted by the massive credit card hack that first came to light on Friday, fewer than the 10 million that were initially reported.

    In a statement, the firm said "less than 1,500,000 card numbers may have been exported" by hackers who had access to its payment processing system. "Cardholder names, addresses and social security numbers were not obtained by the criminals." 

    It also said hacker access was limited to the North American portion of its network. 

    Even without names or Social Security numbers, the so-called "track 2" data that the firm admits was taken for each account would be enough for criminals to make fraudulent online purchases or perhaps clone credit cards to commit real-world fraud.

    The data leak was first revealed on Friday, when MasterCard and Visa confirmed that law enforcement officials were investigating a major theft of U.S. consumers' credit card data. The computer security expert who first reported the theft said at the time that it might involve as many as 10 million accounts, making it one of the largest known credit card heists.

    "MasterCard is currently investigating a potential account data compromise event of a U.S.-based entity and, as a result, we have alerted payment card issuers regarding certain MasterCard accounts that are potentially at risk," that association said in a statement. "Law enforcement has been notified of this matter and the incident is currently the subject of an ongoing forensic review by an independent data security organization." 

    In what is said to be an unrelated incident, Visa's network was knocked offline for about 4 minutes on Sunday afternoon. Visa, in a statement, blamed a technical glitch for preventing consumers from making transactions from 2:40 p.m. until about 3:20 ET.

    Payment processors -- "middle men" that handle transactions between retailers and banks -- have long been a target of identity thieves because of the enormous amounts of data they control. In 2008, Princeton, N.J.-based Heartland Systems was hacked, exposing tens of millions of credit card account numbers to theft.

    The theft was first reported by well-known computer security journalist Brian Krebs on his blog, KrebsonSecurity.com.  He reported that hackers had access to the then-unknown processor's data from Jan. 21 through Feb. 25, and were able to siphon off enough data to easily create counterfeit cards. His sources called the leak "massive."

    Visa, in a statement, also acknowledged the data theft but said its own systems were not hacked.

    “Visa Inc. is aware of a potential data compromise incident at a third party entity affecting card account information from all major card brands," the firm said. “Visa has provided payment card issuers with the affected account numbers so they can take steps to protect consumers through independent fraud monitoring and, if needed, reissuing cards."

    Gartner security expert Avivah Litan said she's been told that the stolen data is already being used on the street by identity thieves.

    "I’ve spoken with folks in the card business who are seeing signs of this breach mushroom. Looks like the hackers have started using the stolen card data more recently," she said.

    She's been told that investigators believe the data theft originated in New York City.

    "From what I hear, the breach involves a taxi and parking garage company in the New York City area, so if you’ve paid a NYC cab in the last few months with your credit or debit card — be sure to check your card statements for possible fraud," Litan said in her blog post on the topic.

    MasterCard said none of its computers were hacked as part of the incident.

    "MasterCard is concerned whenever there is any possibility that cardholders could be inconvenienced and we continue to both monitor this event and take steps to safeguard account information," the association added in its statement. "If cardholders have any concerns about their individual accounts, they should contact their issuing financial institution.... It is important to note that MasterCard's own systems have not been compromised in any manner. "

  • 24
    Feb
    2012
    10:05am, EST

    Deleted by your friends? That's life on Facebook now

    By Bob Sullivan, Columnist, NBC News

    Facebook is apparently getting a lot more unfriendly.

    Users are getting a lot more selective, deleting comments, photo tags and even friends at a record rate, according to a new study released Friday by the Pew Internet and American Life Project.

    Pew is calling this phenomenon "the pruning" of social networks, and the study includes findings like this: 63 percent of users have unfriended people from their friends lists. Another 44 percent have deleted comments made by others from their profile page, and 37 percent have removed tags from photos.

    "Social network users are becoming more active in pruning and managing their accounts," says the report, written by Mary Madden, senior research specialist at Pew.


    Users are also taking an active role in keeping their private information private, with 58 percent of users saying they use high-level privacy settings so only friends can view their pages. Women are far more restrictive, with 67 percent using the tightest privacy settings, compared to 48 percent of men. They lock down their accounts despite the fact that half of all users say they have "some difficulty" using the privacy controls.

    The research seems to suggest that U.S. adults, who have so far shown little appetite for actively managing their personal privacy, are starting to get the hang of it.

    "Social science researchers have long noted a major disconnect in attitudes and practices around information privacy online. When asked, people say that privacy is important to them; when observed, people’s actions seem to suggest otherwise," the report noted. The shift to more privacy on Facebook seems to belie this long-standing trend.

    Perhaps regret has something to do with that. The report found that 11 percent of Facebook users say they've posted something that they regret on a social network. Men are twice as likely to say so (15 percent to 8 percent). Users 50 and older, at 5 percent, are much less likely than young adults under 29 (15 percent) to express such regret.

    One area where there was a surprising lack of an age gap: overall privacy settings. While 23 percent of users 65 and over choose fully public settings, 22 percent of users 18-29 make the same choice.

    "The choices that adults make regarding their privacy settings are also virtually identical to those of teenage social media users," the report said.  "Private settings are the norm, regardless of age."

    Young adults are more likely to "unfriend," however, at 71 percent, compared to just 41 percent for the oldest users.

    The Pew report is based on a survey of 2,277 U.S. adults conducted in May, and has a margin of error of +/- 3 percent.  In nearly all "pruning" related categories, and within nearly all age groups, use of privacy-related tools gained ground since the last time Pew conducted the study in 2009. Back then, only 30 percent of all users had untagged a photo, compared to 37 percent in 2011; and 56 percent had unfriended someone, compared to 63 percent in 2011. 

  • 6
    Jan
    2010
    9:00am, EST

    High-tech tools are no terrorism cure-all

    By Bob Sullivan, Columnist, NBC News

    Facial recognition software. Trace portal machines. The Total Information Awareness database. And now, body scanners.  All these new technologies have enjoyed their day in the sun, immediately following terrorist attacks, as a potential magic bullet to keep us safe while traveling.

    But repeatedly, gadget defenses have shown themselves to be costly, flawed and difficult to implement. Meanwhile, they take precious resources away from tried and true counterterrorism measures, like hiring more highly trained airline screeners or additional State Department officials.

    "Our reaction has been predictably irrational," complains Bruce Schneier, author of numerous books on security, including "Beyond Fear." "We're going to spend a lot of money and it won't make us safer."


    Body scanners became an immediate focus of attention in the days after the failed Christmas Day plot to bring down a Northwest jetliner. There are plans to more than triple the number of scanners in U.S. airports this year. At $150,000 each, plus operations and maintenance costs, the machines represent a significant investment. David Schanzer, director of the Triangle Center on Terrorism and Homeland Security at Duke University, says U.S. officials should think long and hard before spending that kind of money on terrorism-fighting technology.

    "There's never a discussion of trade-offs," Schanzer said. "...Everyone acts as if we can do everything. We can't. Public officials are often attracted to things that are visible, that they can point to and say, 'We're taking action to make you safer,' when instead they should be looking at the types of things that might give you more bang for your buck."

    For example, he continued, “Extra staff in State Department consular offices reviewing visa applications, people going to more interagency meetings, placing more personnel in our embassies to work with the British government so when they deny a visa we know. ... These are unglamorous and can get lost in the budget. But they work."

    Fighting terrorism and securing air travel involves tricky, nuanced discussions about resource allocation and risk.  But reasonable choices about risk are challenging in the emotionally charged atmosphere of terrorism, he said.

    "We need to assess risk and look at limited resources and figure out where to most effectively deploy them," he said.

    'Magical thinking'
    Schanzer said that, because fighting terrorism is as much about perception as reality, there is some value in taking steps simply to reassure the public. 

    "Measures make people feel more secure, maybe that is a part of Homeland Security," he said.

    But Schneier said U.S. officials have fallen into the bad habit of encouraging "magical thinking," suggesting that security technologies can make the world substantially safer.

    "I wish Barack Obama would get up on stage and treat us all like adults and say, 'We're doing our best but sometimes these things are going to get through, but we're not going to change our way of life,'" he said.  "But politically he can't do that. So instead he's going to respond to movie plot threats and we'll waste money. … It's very human that we fear stories, and the way to make people feel better is to secure against the story."

    While body scanners are the technology du jour, it is unclear whether they would have stopped Umar Farouk Abdulmutallab's alleged plot.  A scanner may or may not have shown a suspicious lump in his underwear, revealing the bomb-making material he allegedly secreted there. But even if it did, an airport screener may not have noticed it or deemed it a threat.

    Other existing technologies, such as the trace portal or "puffer" machine, may have also detected the presence of explosives on Abdulmutallab's skin or clothes.  Chemical swabbing -- more commonly used today -- might also have detected elements. But they can also be circumvented.

    Regardless, the cat-and-mouse game of implementing technology and screening tactics to defeat already-used terrorist attack techniques is largely ineffective. After nearly 10 years of removing shoes while entering security lines, it is still highly doubtful another attacker will attempt a shoe bomb. Explosives hidden in body cavities will not be detected by new body scanners.

    "All these strategies require that we guess the plot. Security that requires us to guess the plot correctly doesn't work," Schneier said.  "If we spend money on technology that protects against liquid explosives and they use solids then we've wasted our money.  If we spend money to protect the Olympics and they attack the Super Bowl we wasted our money. "

    The sudden focus on body scanner technology is also misplaced, Schanzer said, because the attack technique used on Christmas Day wasn't new.

    "Nothing changed the other day," he said. "We knew about the threat (of a passenger carrying an explosive combination of chemicals onto a plane). Everyone was aware this was a possibility and the potential path of attack and yet we were not devoting extraordinary new resources into full body scanners. What's changed is the perception of the threat."

    List is ignored
    While even expensive new technology may have been ineffective against the failed attack or similar future attacks, existing tools might produce better results, Schanzer said.  Abdulmutallab had left plenty of red flags in his wake, including his father's warning to U.S. officials. But that warning, and other intelligence, wasn't enough to place Abdulmutallab on the "no-fly" list that would have prevented him from boarding the plane to Detroit.  On Tuesday, President Obama placed the blame on a "failure to connect the dots." In the future, similar suspects will not be allowed to board flights headed for the U.S., he promised.

    But Abdulmutallab was on a list – a government database called the Terrorist Identities Datamart Environment, or TIDE. While there may not have been enough information to permanently ban him from entering the U.S., clearly there was enough to flag him for additional, intense screening. It's unclear why all travelers in TIDE aren't always subjected to increased scrutiny, but lack of resources is a likely explanation. Atlantic magazine reported this week that the National Counterterrorism Center, which maintains the database, was slated for budget cuts in 2010 – and workers who maintain TIDE were slated for layoffs.

    It's hard to understand the lack of added screening, given how easily the list might be narrowed on a daily basis, Schanzer said.

    "How many on that list have a visa? How many have international airline tickets? How many are paying in cash? There's lots of information out there," he said. "I don't think data mining is a dirty word to narrow down the people who present the greatest risk and should get far greater scrutiny. ... Doing so is far more effective than applying expensive technology to everyone."

    In fact, Schneier argues, some steps taken since the Christmas attack have made U.S. travelers less safe.  Profiling large groups of people -- such as travelers from the 14 nations that are now subject to additional scrutiny -- creates a dangerous two-tiered security system.

    "Once you profile, you invite the bad guys to get around the profile," he said. "When you create a hard way and an easy way through security, you invite the bad guys to figure out how to take the easy way."

    In the end, while the Christmas Day plot failed, terrorists may ultimately gain if substantial money is wasted on new technologies and Americans are subjected to longer airport lines and more hassles.

    "Even after he failed, he succeeded," Schneier said. "But if we didn't react with all this fear and panic, he would have failed even if he succeeded. Terrorism requires us to be accomplices. And we're really good at terrifying ourselves."

  • 18
    Jun
    2009
    8:00am, EDT

    Twitter 1, Censors 0: Why it's still working

    Why does Twitter work inside Iran even after other Internet services have been disrupted?  The key feature enabling it to evade government censorship, some observers say, is something that might otherwise be considered Twitter's Achilles' heel.

    Unlike users of Facebook and most other social networking sites, Twitter users don't need to visit Twitter.com to use the service. In the business world, that's a terrible idea: Twitter has no way to promise potential advertisers that its enormous audience will ever see ads placed on the site.

    Instead, Twitter has a completely open architecture that allows users to both send and receive messages on a variety of platforms -- cell phones, Blackberries and, of course, other Web sites.  This openness is proving to be particularly effective at avoiding government interference.

    "You can connect to Twitter without going through Twitter's front door," said Jonathan Zittrain, a Harvard law school professor who runs Herdict.org, which tracks censorship efforts worldwide.  "These services run interference between you and Twitter."



    Because nearly all of Iran connects to the Internet through a single government-run provider, TCI, it's relatively easy for the government to control Web access. So far, Iranian officials have not shut down the pipe.  But over the weekend, it appeared that Web traffic into and out of Iran was substantially slowed -- perhaps intentionally, through a government "throttling" effort.

    Zittrain said Iran also deploys filters to cut off access to Facebook.com and some politically oriented Web sites.

    But Twitter keeps right on humming, as evidenced by thousands of messages apparently being sent from inside Iran.  Some of them are fakes -- and the importance of Twitter in organizing protests in the country is likely overstated: BusinessWeek.com reported that there are only about 8,600 Twitter users whose profiles indicate they are from Iran, citing the Toronto-based firm Sysomos.

    Still Twitter's robustness in the face of hostility is impressive. How does it work?

    Twitter users theoretically have an infinite number of channels to view each other's posts and send their own. In fact, you don't even have to be a Twitter member to read along at a site like TwitterFall.com, which continuously streams one 140-character post after another.

    That makes filtering Twitter.com a useless tactic for would-be censors.

    Those trying to evade Web censorship have long used proxy servers as ad-hoc intermediaries, or relays, to connect to the Internet.  A cat-and-mouse game ensues: Governments quickly add such proxy servers to their list of blocked sites, new proxies emerge, they are blocked, and so on.

    Zittrain said Twitter is not fundamentally different from the proxy server model.

    Alternative sites like TwitterFall.com simply act as a relay. They are harder to shut down, however, because the use of intermediary services is part of every Twitter user's experience.  While setting up proxy servers can be a technical hurdle for many Web users, Twitter users do it all the time. If one Twitter service isn't working, switching to another is easy.

    In fact, Twitter use doesn't even require an Internet connection.  The service can be used with cell phone SMS text messages.

    "Twitter is more naturally resistant because it doesn't require any intervention from users. It's much more welcoming of proxies," Zittrain said. "It's just so easy to capture a Twitter stream."

    Indeed, the 19-year-old inventors of TwitterFall.com say they had their service up and running in a couple of hours.

    Of course, shutting down the entire Internet would cut into Twitter access, but that step is probably too draconian for Iranian authorities. And cutting off text message service -- as the Iranian government apparently did last weekend, immediately after the election -- would still leave more than 20 million Iranians with Web connections and the ability to find Twitter streams. Zittrain said the Iranian government could try to individually eliminate all the services that relay Twitter messages. But in that case, the mouse would appear to have the upper hand.

    "My sense is that the authorities have their hands full," he said. Should Iran turn off access to the top 10 Twitter alternatives, users might have some trouble, Zittrain said. But he thinks a Twitter shutdown would be difficult -- because it really is just as easy to set up a new Twitter feed as it is to shut one down. "The cycles we're looking at are measured in hours, not days or weeks. There is furious improvisation going on."

  • 28
    Oct
    2008
    8:00am, EDT

    E-voting, we hardly knew you

    By Bob Sullivan, Columnist, NBC News

    The headline for voting technology 2008 might be this: Back where we started. Back to paper ballots, that is.

    For the first time since touch-screen voting was invented, use of the high-tech voting machines has declined sharply. On Nov. 4, the majority of Americans will be filling out their ballots using old-fashioned paper and No. 2 pencils.


    But it's been a long, strange trip back to the beginning. The gyrations of America's voting rituals began with hanging chads in 2000. Then came the Help America Vote Act of 2002, which set aside $3 billion to upgrade America's antiquated ballot system. Then came the gold rush toward space-age, touch-screen electronic voting systems. Next, computer scientists uncovered multiple security flaws in electronic voting machines, with the controversy culminating in an HBO film called "Hacking Democracy."

    That was enough for election officials in California, Florida, Maryland, and several other states, who have placed their pricey touch-screen machines in mothballs. Most have returned to a system that relies -- at least in part -- on pencils.

    According to Election Data Services, nearly 10 million fewer ballots will be cast on electronic voting systems this year than in 2006. Then, 38 percent of the electorate was registered in districts that used touch-screen systems; today, only 33 percent do.

    "When you think of the alternatives, you could go with flawed machines or just shift people off of them and encourage people to go back to old-fashioned methods," said security researcher Herbert Thompson of People Security, a critic of some electronic voting systems.

    The retreat from technology, however, shouldn't be overstated. While 56 percent of Americans live in a district where voters will fill out paper ballots on Nov. 4, those ballots will be counted by optical scan readers -- a system that is a hybrid between paper and computers.

    Optical scanning machines have won the day, at least in 2008. Since 2006, 86 districts have changed voting systems -- all moving to optical readers. But Kimball Brace of Election Data Services states that, despite the current trend, touch-screen systems have not fallen completely out of favor.

    "This isn't a settled question. … It all depends on what happens," he said. "If we have a close election and or have problems that highlight a certain type of machine, that could have significant impact on what we end up doing in the future."

    Problems with touch-screen systems -- known in the industry as DRE or direct-recording electronic machines -- are well documented. A series of confrontations between computer security researchers and voting machine manufacturers left a grey cloud over their ability to ward off hackers. Private manufacturers like Diebold have repeatedly refused to turn over their proprietary software for inspection and audits by academics.

    Meanwhile, charges of "vote-switching" at polling places continue. In West Virginia, a handful of early voters claimed this month that their votes had been switched from one candidate to another by touch-screen machines. Some voters caught the error, but others told local newspapers they believe their vote was cast for the wrong person.

    Brace said that human error, rather than conspiracy, is likely to blame. Anyone with a touch-screen phone is familiar with the ritual of recalibration that follows a series of misclicks. Also, screens can register touches by hanging sleeves or other incidental contact. Finally, anyone who's ever used an ATM has likely discovered the difficulty of using the machine from an incorrect angle; it's easy to hit the wrong button if you are too tall or too short.

    Pencils make mistakes, too
    No voting system is perfect, Brace said. And those who worked hard to discredit touch-screen systems may end up lamenting the end result. Paper and pencil, for example, are hardly infallible.

    "There are problems with optical scanners, most notably American voters," he said. "They seem to know how to foul up a ballot, particularly when the ballot is a piece of paper." Some might circle the candidates they prefer rather than fill in a box, for example, he said.

    Thompson, the e-voting critic, also sees problems with paper. Each time a system becomes popular, he said, it faces a greater likelihood of problems.

    "These are what we call 'scale-oriented' problems in computer science," Thompson said. "This increased burden on paper increases the chance for a problem."

    Complicating matters further for voters is the unprecedented change that's taken place inside the voting booth. No matter what technology is used to cast ballots, change always introduces errors, Brace said. More than 40 percent of voters will encounter a new voting tool this season, given that many voters only cast ballots during presidential election years.

    "History shows us that the greatest likelihood of election errors occurs the first time a jurisdiction changes voting systems," Brace said. "While many of these jurisdictions have tested out their procedures in the past four years, it's the voters themselves -- both newly registered and those that haven't voted since 2004 -- that could cause problems this November."

    According to an Associated Press survey, 108 voting districts have switched from touch-screen to paper and optical ballots since the last election.

    The benefits of touch screen
    Brace laments the fall of touch-screen machines, because he says they can do some things better than any other voting technology. They are particularly adept at providing foreign-language ballots or accessible ballots for the blind, for example. And when programmed properly, they can make overvotes -- when a voter accidentally picks two candidates for one office -- impossible. And they provide quick vote tallies.

    In larger districts using optical scan readers, the tally machines are generally available right at the polling place, allowing voters to leave with a "receipt" of their ballot and providing near-instant counting when polls close. But in smaller, rural districts, the ballots must be hand-carried to a central optical scanner, which delays the counting.

    Barring some surprise event – such as a poor performance by optical scanners – Brace believes touch-screens will slowly disappear from voting booths around the country.

    Counties that wanted Help America Vote Act money had to buy new systems by 2006. Many purchased touch-screen systems without fully examining them and are now warehousing the machines, Thompson said.

    Without upgrades, there won't be a market for them, but touch-screen machines are unlikely to be fixed any time soon. The federal money that fueled their popularity is gone.

    "These problems can be addressed but you need the investment money, and now the manufacturers have no incentive to fix them because there is no money," Thompson said.

  • 7
    Jul
    2008
    8:00am, EDT

    How magic might finally fix your computer

    CAMBRIDGE, Mass. -- For years, The Amazing Randi sat next to Johnny Carson performing magic tricks on The Tonight Show. But last week, James Randi was holding court for a very different audience -- an invitation-only collection of three dozen computer security experts at MIT's famed Stata Center near Boston. There, in what might be called the hall of fame for hacking, Randi couldn't stop himself from pulling gags. But when he wasn't bending spoons, making things disappear, or stroking his foot-long white beard and wizened chin, Randi revealed secrets about the art of deception.

    "Many times," he confessed, "Magicians don't really know why their tricks work. They just work."

    Put another way: Charlatans don't bother creating detailed schemes for deception. They just have a feel for what fools people.

    On the other hand, the scientists who are working hard to make computers, airports, cities, and everything else safe for us often aren't endowed with this same feeling. They study problems, write papers, review their code, and write sophisticated cryptographic schemes. Then, with heavy hearts, they walk through rows of cubicles at American companies and see Post-It notes tacked onto computer screens with passwords.


    At the first-ever "Security and Human Behavior" conference last week, many of the world's top minds in computer science gathered to address this paradox. Their self-assessment was refreshingly honest and direct.

    "In a field that has been marked by great human achievement during the past several decades, our branch of it can only be called a failure," conceded Matt Blaze, a computer science professor at the University of Pennsylvania, eliciting nervous laughter.

    He wasn't really kidding. Despite remarkable advances in technology, most consumers are using the exact same clumsy security procedures they have for decades. And many feel even less secure.

    In the meantime, the charlatans have continued to hone their deception skills. And they've enjoyed remarkable success at mucking things up. A trivial trick such as phishing e-mails -- look-alike notes that appear to come from banks and are designed to steal personal information -- has wreaked havoc with companies and consumers alike for years.

    That's why this ad hoc geeky group invited a magician, an architect, a photographer, a philosopher, several economists, a few psychologists and about a dozen other experts in behavioral studies to come give them an education in how people think. This high-powered collection of computer scientists humbly arrived at MIT asking for help, in an effort to get a better feel for the people they are trying to protect.

    Famed cryptography experts Bruce Schneier, now of British Telecom, and Ross Anderson, a U.K. professor, assembled the small group -- including the magician -- as a way of getting at new answers to old problems.

    "Many real attacks on information systems exploit psychology more than technology," Schneier says. "Security design is by nature psychological, yet many systems ignore this."

    MIT's Stata Center, designed by Frank Gehry, has impossible towers and absurdly bright colors, and wouldn't look out of place in a Dr. Seuss book. Its hallways are full of plaques memorializing the greatest pranks ever pulled by MIT students - the security squad car that somehow made it onto the top of the campus rotunda, for example. The car actually sits high up on a ledge in the middle of the building's center hall (Forget the rotunda stunt, how did it get there?).

    This hall of pranks seemed the perfect place to discuss the failures of technology -- and technologists -- in the modern age.

    Bad guys have better people skills
    Criminals usually don't bother learning all the ins and outs of the technology they exploit -- they simply learn enough to be dangerous. But they spend endless hours understanding the people they plan to fool. Hackers long ago learned a shortcut, what they call social engineering: Why spend years trying to hack into a bank when you can just ask an account holder to give you their name and password?

    The technologists, on the other hand, tend to fight this battle with one hand tied behind their back. They generally spend most of their time studying technology, learning all its nooks and crannies from the ground up. They write careful research papers following the strict rules of the scientific method. They must spend endless hours defending their findings against all comers, and they can't hurt anyone while conducting studies. They know the technology well, but they have little time to sit around understanding how people work.

    But all that is starting to change, say some in this group of security researchers turned amateur psychologists. Several years ago, a quiet alliance was formed between behavioral economists – who study why people make irrational choices – and security professionals. Scientists and economists began writing papers together and sharing research costs. With last week's MIT meeting, the computer folks cast a much wider net in their search for answers.

    Security, Schneier told the gathering, is "both a feeling and a reality," and both are important. Local police, for example, fight both crime and the perception of crime. Failure in either area can have serious consequences. Regardless of actual crime data, crime fighting is useless if residents of a town don't feel safe.

    Pedophilia and the "License to Hug"
    To that end, researcher Jean Camp of Indiana University points out that people can easily assess risk when there are physical clues. People have a natural aversion to dark, empty parking lots, for example, but there is no equivalent to these kinds of physical clues online. That tends to keep older users from feeling safe while surfing. Camp studies this trust problem with residents at a nearby nursing home. She has created a large glowing box which sits next to a computer screen and turns green when fellow residents recommend a site as safe, and red when it's risky. Seniors find the large, obvious signal reassuring, she said, and they are more likely to take advantage of the Internet to stay in touch with family.

    But the battle to make people feel secure can sometimes feel like a losing cause. Frank Furedi, a noted British author on the subject of risk and fear, described what he calls a growing "hysteria" on the subject of pedophilia in the U.K. By next year, he said, one-third of all British citizens will have been subject to police checks. As a result, some parents won't let their children play with kids of parents who haven't been checked. He describes the problem in a new pamphlet, "License to Hug."

    "Now we're not worried about pedophiles, we're worried about people who haven't been police checked," he said. "In response to an insecurity, we've created more sources of insecurity."

    Often, Furedi noted, it's much easier for governments to create the appearance of security than the reality of security.

    Among the fresh ideas discussed at MIT: computers might be too friendly. Our natural risk sensors do a good job of telling us when something physically dangerous is nearby (like a hungry bear), but do a terrible job of warning us about cyber-danger. Meanwhile, software makers have gone to great pains to make computers user-friendly. Perhaps that's a mistake, said Nicholas Humphrey of the London School of Economics. Occasionally, some healthy fear might help online, Humphrey said. Forget small padlocks on e-commerce sites – how about a large shark abruptly appearing on the screen to stoke primal fears?

    Security fire drills called for
    Privacy expert Alessandro Acquisti of Carnegie Mellon University brought a similar concept from the area of learning science -- the idea of the "teachable moment." Employees rarely read and digest memos about security with great zest and eagerness, he notes. But giving them the equivalent of a security fire drill can immediately change behavior.

    Imagine, for example, if once each month or so your company's IT department sends a legitimate-looking e-mail with a faux virus attached. Employees who "fall" for the e-mail would get a slightly embarrassing reminder not to click on unexpected e-mail attachments. In some more critical circumstances, failure in such random tests could impact an employee's annual review or raise. In a controlled test, Acquisti said, computer users were far more likely to learn safe computing behavior from this kind of random testing than from traditional memos and warnings.

    Not so easy to 'Fix the World'
    After two days with 35 intense presentations, each followed by raucous question and answer sessions, things got strikingly quiet during the last panel, called "How Do We Fix the World." The topic of security ranges from keeping the family digital photos safe to keeping terrorists off airplanes. It also has no end-point. Terrorism researchers are plagued by the troubling question: "When will we know we've won the war on terror?" Security researchers face the same rhetorical problem.

    But Acquisti said he is hopeful this first-ever meeting will spur more interdisciplinary discussions. There was even talk of a "dating service" for researchers from different areas to help them find each other ("I'm an economist studying the cost of antivirus software looking for a psychologist who is an expert in primal fear of predators.") Acquisti was even hopeful a new field of study might be born. He struggled a bit to name it, however.

    "Hmm…Perhaps the behavioral psychology of privacy and security," he said.

    Or perhaps, they could just call it magic.

  • 22
    Apr
    2008
    6:30pm, EDT

    Was your LendingTree file hacked?

    LendingTree has told its customers that former employees helped unauthorized mortgage lenders hack into its systems and steal customer information from 2006 to 2008.

    The incident reveals just how aggressive the mortgage loan business was during the height of the housing boom, and also raises fears for consumers who share their information with companies that help them shop around for the best deal. And it highlights what experts say is an often overlooked source of data theft -- the inside job.

    According to a letter sent to customers recently, former LendingTree LLC employees shared "confidential passwords" with lenders, who in turn used the login information to "access LendingTree's customer loan request forms."


    The forms contained critical personal data, including names, addresses, Social Security numbers, income and employment information. The company said the lenders did not use the information to commit identity theft or fraud, but simply to "market their own mortgage loans to ... customers."

    In connection with the incident, LendingTree, based in Charlotte, N.C., has filed lawsuits against three small California-based home loan companies.

    A LendingTree spokeswoman said the company was not granting interviews to discuss the data theft. She would not say how many customers were affected nor how much data was stolen, but instead supplied a copy of the customer letter sent by the firm.

    While LendingTree says in the letter it has no reason to suspect its consumers are at heightened risk for identity theft, it did suggest consumers obtain a free credit report and file a fraud alert with the nation's credit bureaus.

    Upon learning of the security breach, LendingTree says, it "promptly enhanced the security of our system."

    Given that data was accessed from 2006 to early 2008, it can be inferred that passwords used by former employees remained operational for months or even years after their employment was terminated, generally considered poor security practice, said identity theft expert Rob Douglas, editor of InsideIDTheft.info.
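The failure Douglas describes is an offboarding gap: credentials that outlive the employment they were issued for. The detection below is an added example, not LendingTree's code or anything described in the letter; the roster, usernames, IP addresses and log lines are all constructed for illustration. It cross-checks an authentication log against an HR termination roster, flagging any login that happens after the owner's last day, and separately lists accounts that are still enabled but belong to former staff, which is the control that would have closed the gap in the first place.

```python
"""
Flag logins on accounts whose owner has already left the company, and list
former-employee accounts that are still enabled.

Added illustration only; the roster, usernames, IPs and log lines are
constructed sample data, not anything from the LendingTree incident.
"""
from datetime import date, datetime, timedelta

# Constructed HR roster: username -> last day of employment (None = current staff)
TERMINATED = {
    "jdoe": date(2006, 3, 15),
    "asmith": date(2007, 9, 1),
    "mlee": None,
}

# Constructed authentication log: "<ISO timestamp> <event> <user> from <ip>"
# (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, not real hosts)
SAMPLE_LOG = """\
2006-03-10T09:12:44 LOGIN jdoe from 10.0.0.5
2006-08-02T22:41:03 LOGIN jdoe from 203.0.113.9
2007-11-19T03:17:55 LOGIN asmith from 198.51.100.4
2008-01-07T14:02:10 LOGIN mlee from 10.0.0.7
2008-01-08T14:02:10 LOGOUT mlee from 10.0.0.7
"""


def parse_login(line):
    """Return (timestamp, user, ip) for a LOGIN record, else None."""
    parts = line.split()
    if len(parts) != 5 or parts[1] != "LOGIN" or parts[3] != "from":
        return None
    return datetime.fromisoformat(parts[0]), parts[2], parts[4]


def logins_after_termination(log_text, terminated, grace_days=0):
    """
    Every successful login by a user whose last day (per HR) is already past.
    grace_days allows a short hand-over window before a login is flagged.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_login(line)
        if rec is None:
            continue
        ts, user, ip = rec
        last_day = terminated.get(user)
        if last_day is None:
            continue  # current employee or not in roster: not an offboarding issue
        if ts.date() > last_day + timedelta(days=grace_days):
            findings.append({
                "user": user,
                "when": ts.isoformat(),
                "ip": ip,
                "days_after_termination": (ts.date() - last_day).days,
            })
    return findings


def stale_accounts(enabled_accounts, terminated, today):
    """Enabled accounts whose owner has left: the credentials that should be revoked."""
    return sorted(
        u for u in enabled_accounts
        if terminated.get(u) is not None and terminated[u] <= today
    )


if __name__ == "__main__":
    for f in logins_after_termination(SAMPLE_LOG, TERMINATED):
        print("post-termination login:", f)
    print("accounts to disable:",
          stale_accounts({"jdoe", "asmith", "mlee", "svc_batch"}, TERMINATED, date(2008, 1, 1)))
```

In practice the roster would come from the HR system of record and the log from the authentication service, and the stale-account check would run as part of offboarding rather than as an after-the-fact audit; the login check is the detective control that catches the cases offboarding missed.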

    "This plays into everybody's fear that this happens all the time," Douglas said. "When consumers share their information with companies, they assume it ends up in other companies' hands."

    One victim who received the LendingTree letter -- but who requested anonymity -- was annoyed that LendingTree offered no compensation for the trouble.

    "Rather than offer a free credit report they suggest that I use my annual free credit report," the consumer said, referring to the once-per-year free peek that consumers get at their report by visiting AnnualCreditReport.com.

    In its letter, LendingTree includes a pamphlet called "Guide to Protecting Your Credit and Identity." Consumers who obtain their credit report and see anything suspicious are told to "contact the credit bureau."

    Consumers who visit LendingTree expect their personal information to be shared with other companies. They are hoping LendingTree will help them find a mortgage firm with the best rate, and expect several companies to "bid" for the right to supply their home loan.

    But in this incident, loan applications were viewed by unauthorized lenders, who used the information to market their own loan products, LendingTree said.

    "We suggest that you remain vigilant by reviewing account statements and monitoring your credit reports for the next 24 months," the letter says.

  • 17
    Mar
    2008
    7:34pm, EDT

    How refreshing: Retailer admits data theft

    It was good to see the Hannaford Bros. grocery chain step forward Monday and admit it was the retailer that had suffered a credit card and debit card hacker attack. Criminals had access to account numbers from Dec. 7 to March 10, and stole a whopping 4.2 million credit and debit card numbers while they were transmitted for authorization, the company said.

    The company's announcement came only hours after the Massachusetts Bankers Association issued a statement indicating that it had been warned about a leak at a "major retailer" by Visa and MasterCard, while complaining that the credit card associations wouldn't reveal the name of the store chain. An initial version of this column offered the same lament.

    The card associations routinely keep such information a secret, and banks are getting tired of that. You should be, too.


    "Releasing the name of the retailer would make all of our lives easier and safer," Daniel J. Forte, the association's CEO, said before Hannaford was identified as the target of the data theft. "Customers who didn't shop there would be put at ease, and banks could do more efficient investigations to better protect

    Credit card users are often the last to know when a criminal has access to their data. That's because it usually falls to the affected banks to decide which consumers – if any -- to tell.

    Even when the name of the retailer is made public, disclosure takes place in fits and starts. The infamous TJ Maxx data leak, which ultimately was determined to have affected nearly 50 million account numbers, occurred in December 2006. The company announced the leak one month later, but only recently did it begin notifying individual consumers.

    In other data leaks, disclosure of the impacted retailer can take months. Sometimes, the name is never revealed.

    "Consumers always want to know where the breach took place. That's one of the first things affected consumers ask their banks, right after 'will I get my money back?'" said Avivah Litan, a bank security analyst at consulting firm Gartner. "They ... have a right to know. After all it's their money and their time that is involved, and it may influence their future purchasing decisions."

    One reason that credit card associations maintain a policy of not naming retailers involved in data leaks is that the fault might lie with the store's credit card processing firm or somewhere else along the data chain.

    Chris Monteiro, a spokesman for MasterCard, said that the credit card association also cannot release the information because it is "the subject of an ongoing law enforcement investigation."

    Banks, on the other hand, are increasingly calling for early disclosure of data leakers, says Litan.

    "The banks obviously want to be able to inform their cardholders where the breach took place, so that consumers don't blame their bank for the theft," she said.

    Credit card associations like Visa and MasterCard are often the first to notice when a large block of account numbers is stolen, because they see the fraud pattern before the merchant. Consumers could benefit from early warning -- particularly debit card holders, who may find their checking accounts drained by thieves.

    In either case, consumers are entitled to prompt refunds of money taken by account number thieves, and have zero liability for fraudulent charges made by credit card crooks.

    RED TAPE WRESTLING TIPS
    Sometimes when data is stolen or missing, it's not clear whether ID thieves actually have control of it. Not so in this case; Hannaford told the Associated Press it's aware of 1,800 cases of fraud related to the data theft.

    Consumers simply have to challenge fraudulent charges with their credit card companies. Those who lose money in their checking accounts to fraudulent debit card transactions must get refunds from their banks within 10 days, according to federal banking regulations.

    Meanwhile, it's always a good idea to use online banking services to check account balances every few days and make sure nothing is out of whack. If something is, the sooner you report the problem the better.

Bob Sullivan, Columnist, NBC News

I'm a reporter for msnbc.com and I try to write stories that make the world a little bit more fair. My blog, The Red Tape Chronicles, is among the most popular consumer affairs columns on the Web. My recent book, Gotcha Capitalism, was a New York Times best seller. Since 1995, I've written about the troubles created for consumers by both technology, covering topics like privacy, identity theft, computer viruses and hackers.
© 2013 NBCNews.com