Security

Shopping online does carry some risk, but so does shopping at brick-and-mortar stores. At least online shoppers don't need to worry about fender-benders in the parking lot, pick pockets at the mall, or getting the flu from all those fellow shoppers.

But the nice thing about shopping online is that by following some basic guidelines you can be reasonably sure you'll have a safe experience.

Secure your PC: The first thing you need to do is be sure your computer is secure. Trend Micro's education director David Perry, says that "bad guys these days are operating by planting a keylogger on your system that listens in, surreptitiously waiting for you to use your credit card or your bank password so that they can steal your money." So, even if you're dealing with a legitimate merchant, you're at risk if your computer is infected. Your best protection from these attacks is to keep your operating system and browsers updated and use a good and up-to-date security program. If you're getting or giving a Netbook or other PC for the holidays, make sure that security software is installed right away. Most security companies offer a free-trial version that will tide you over for a month or so, but be sure to subscribe so you get ongoing protection.

Click with care: You're going to be getting a lot of offers via e-mail this holiday season. While they might be legitimate, there is the possibility of some offers coming from criminals trying to trick you into giving your password to a rogue site or visiting a site that can put malicious software on your computer. Your best protection is to not click on any links--even if the message looks legitimate--but to type in the merchant's URL manually.

Know the merchant: : If you're not familiar with the merchant, do a little research like typing its name (and perhaps the word "scam") into a search engine to see if there are any reports of scams. Look for user reviews on sites like Eopinions.com. Look for seller ratings if you locate the merchant through a shopping search engine like Google Shopping . Google doesn't certify the integrity of the sites that come up in its searches, but if you see lots of seller ratings that are mostly positive, that's a pretty good sign. You're generally pretty safe with sellers that are affiliated with shopping aggregators like Amazon.com, Yahoo Shopping, Retrevo or BizRate. Microsoft's new Bing search engine offers a cash-back program with affiliated merchants.

Look for trust seals, but verify they're legitimate

(Credit: BBBOnline)

It's a good idea to look for seals of approval from Truste or Better Business Bureau Online, but remember that a seal is only a graphic. It can be counterfeit. To be sure, visit the certifying agency's site to look up the merchant.

When you're about to enter your credit card, make sure you're on a "secure "site. The URL should have an https at the beginning (s for "security") and there should be a small gold lock in the lower right corner of the browser. This isn't an iron-clad guarantee, but still worth looking for.

If you're still not sure, look for a phone number and call them. Aside from eliminating the chance of a keylogger grabbing your information, you may get a little more assurance talking to a human being.

Pay by credit card: Credit cards offer you an extra level of protection including the right to "charge back" if you feel you're a victim of fraud. The credit company will investigate your claim and permanently remove the charge if fraud can be proven.

Also some credit card companies offer extra protections including extended warranties and protection against loss or theft. Federal law limits your liability for misuse of a credit card to $50 but many credit card companies will waive that limit. Unless you're very sure about the merchant, don't provide them with a checking account number and never disclose your social security number to online merchants.

It's also a good idea to check your online credit card statement frequently. Most credit card companies will display recent charges online within a few days of the actual transaction. While you're on your credit card company's site, check your interest rate. Credit card companies have been known to "adjust" rates (usually upward) for a variety of reasons.

Know the real price: Be sure you understand the actual cost of the item, including shipping, handling, and sales tax. That can have an enormous impact on the final price. Many merchants are offering free shipping during the holidays and some merchants that have both online physical stores will let you pick up the item in the store for free. In most states if you do business with a merchant that has a physical presence in your state, the merchant is required to collect state sales taxes. Although it's tough to enforce, some states expect you to self-report all of your online purchases and pay sales taxes when you file your state income tax return.

Happy returns: Be sure you understand the merchant's return policies including the deadline for returns and what documentation you'll need. In most cases, they won't refund the shipping charges and you'll have to pay to ship it back. Always keep your packing until you're sure you're not going to return it.

Read the privacy policy: The policy, according to the American Bar Association's Safeshopping.org, should disclose "what information the seller is gathering about you, how the seller will use this information; and whether and how you can "opt out" of these practices."

Enjoy the holidays: By paying attention to these tips, the odds of your being victimized by online fraud are pretty low --another good reason to be cheerful during the holiday season.

Black Friday is almost upon us, and the steep hardware discounts mean new computers for many. To help you during these tough economic times, we've refreshed the Download.com Security Starter Kit for 2010. Although nothing can replace common-sense browsing, this collection of freeware security tools will help you protect new machines and old from pernicious threats, large and small. Longtime readers will notice that in addition to changing up our recommended antivirus program, we've fleshed out the Web browsing safety category, and made other changes as well. If you're looking for more than freeware security programs, check out the CNET Download.com Windows Starter Kit for 2010.

In this year's version, you can expect to see Avast chosen ahead of AntiVir as our most favored antivirus app. Despite its odd interface, Avast scored higher than any other freeware antivirus in a third-party test, and it doesn't skimp on protection, either, with e-mail, network, rootkit, and behavioral guards along with its top-rated virus protections.

We're still recommending Malwarebytes Anti-Malware for spyware removal, but we've also added PC Tools' standalone ThreatFire as an excellent way to strengthen behavioral detections and prevent spyware from infecting you in the first place. Recent improvements to the program have made it incredibly light on resources, and in our days of empirical testing we didn't notice it slowing down our computers at all.

New this year is the expanded in-browser security category. We've recommended five browsing tools that are available as add-ons, and we took care to make sure that they applied to as many of the major browsers as possible. However, Firefox's deep add-on toolbox makes it naturally the browser with the most diverse collection of security tools, so expect to see it heavily, although not exclusively, represented.

PC Tools' ThreatFire.

(Credit: Screenshot by Seth Rosenblatt/CNET)

Firewalls used to be the forefront of security, but now they're just another tool you should have. Microsoft has made the native Windows 7 firewall impressively useful, but we realize that not everybody has Windows 7, and even those who do might want an alternative. This year, Online Armor joins Comodo on the list.

In Encryption, TrueCrypt remains the gold standard. The Thunderbird extension Enigmail joins it as a must-have tool for keeping your private e-mails as you intended them--away from prying eyes. In Parental Control, we've added OnlineFamily.Norton. It's not strictly desktop based, although to use it you must use its desktop hook, called Norton Safety Minder. Symantec has created what looks to be a unique and free approach that includes an emphasis on parental education and attempts to foster parent-child communication about how to use the Internet safely. We're of the opinion that anything that helps parents realize that browsing the Internet is far more than a TV with options is a good thing.

If you disagree with our security and safety choices for the Security Starter Kit, please let us know in the comments below.

As the World Trade Center and Pentagon were ablaze on September 11, 2001, the U.S. Secret Service's presidential protective detail was informed that a "Korean airliner has been hijacked" en route to San Francisco, prompting already-skittish agents to worry about another wave of terrorist attacks.

That morning and afternoon, Secret Service agents assigned to protect the president and his family found their pagers constantly buzzing with alerts both true and false. There was a false alarm about a car bomb in downtown Washington, D.C., a report of "two Arab males detained" after asking for directions to the presidential retreat at Camp David, and reassurances that "Twinkle and Turq"--code names for the Bush daughters--were safe and accounted for.

This unusual glimpse into the events of 9/11 comes from messages sent to alphanumeric pagers that were anonymously published on the Internet on Wednesday, via WikiLeaks.org....

Read the full story of "Egads! Confidential 9/11 Pager Messages Disclosed at CBSNews.com.

Microsoft on Monday said it is investigating a possible vulnerability in Internet Explorer after exploit code that allegedly can be used to take control of computers, if they visit a Web site hosting the code, was posted to a security mailing list.

Microsoft confirmed that the exploit code affects IE 6 and IE 7, but not IE 8, and it said it is "currently unaware of any attacks trying to use the claimed vulnerability or of customer impact," according to a statement.

The exploit code was published to the BugTraq mailing list on Friday with no explanation.

"The exploit targets a vulnerability in the way Internet Explorer uses Cascading Style Sheet (CSS) information. CSS is used in many Web pages to define the presentation of the sites' content," Symantec wrote in a blog post this weekend.

"The exploit currently exhibits signs of poor reliability, but we expect that a fully functional, reliable exploit will be available in the near future," Symantec said. Symantec urges IE users to keep their antivirus software up-to-date, disable JavaScript, and visit only trusted Web sites, until Microsoft issues a patch for the hole.

Anyone believed to have been affected can visit Microsoft's Consumer Security Support Center, report it to the Internet Crime Complaint Center, and contact the FBI or law enforcement in the particular country, Microsoft said. U.S. residents can also call Microsoft's PC Safety Customer Service and Support number at 1-866-727-2338.

In July, critical holes in IE prompted Microsoft to issue a rare out-of-cycle (in other words, pre-Patch Tuesday) fix.

With most computers threatened by attacks coming through Web applications, it's no surprise that security would be a key piece of Chrome OS, Google's browser-based operating system that stores data in the cloud.

In this video, Google security engineer Will Drewry explains how Chrome OS separates user data from root or system data, which makes the system more secure and easier to re-install the operating system.

(Credit: Google)

Google showed off its new lightweight operating system designed for Netbooks and cloud computing on Thursday. As anticipated, it will rely on many of the same security features and concepts used by the Chrome browser.

"The browser is the operating system. We've expanded the browser to add operating system functionality," Caesar Sengupta, a group product manager at Google, said in an interview.

Chrome OS uses a combination of operating system-level protections and exploit mitigation techniques to limit the attack surface, or amount of code that can be targeted in an attack, and to reduce the likelihood of an attack being successful. "The biggest security impact is that all applications run within the browser," Sengupta said.

Chrome relies heavily on sandboxing, keeping different processes and applications in separate partitions. This limits the interaction between applications and the OS kernel.

For example, with conventional operating systems, if an application crashes, it can crash or otherwise affect other programs that are running, Sengupta said. "But if everything is sandboxed, that becomes more difficult to do," he added.

Many systems are compromised by deceptive attacks, such as when a user opens an innocent-looking PowerPoint file which unleashes a virus or other malware that can get access to everything on the computer.

With Chrome, "applications can't just download any binary and run it," Sengupta said.

Chrome has a verified boot process that uses cryptography to ensure that the Linux kernel, the nonvolatile system memory, and the partition table are not tampered with when the system starts up, according to a security overview of Chrome. (Google security engineer Will Drewry explains the security concepts of Chrome OS in a video on YouTube.)

"Right now, on your conventional operating system, any kind of process can run, which makes it difficult to predict what any process will do," Sengupta said. "On Chrome, because the whole operating system is essentially signed by Google, there is a lot we can do to make it secure."

If an application manages somehow to break out of the browser sandbox, to get through the kernel hardening and processing infrastructure, and manages to change something on the operating system, the changes will be detected the next time the user boots up the machine. "As soon as it detects something is different and not signed by Google, it will warn the user and try to clean itself again," Sengupta said.

Cleaning up is easier than with a standard operating system, too, because the system data is separated from the user data, which includes user preferences, system settings, and a local cache of data stored on the Google servers in the cloud, he said.

All user data stored by the operating system, browser, and any plug-ins are encrypted and users cannot access each others' data on a shared device, according to the Chrome OS security page.

Meanwhile, Chrome will automatically update to get the most recent software and patches for the operating system, just like the Chrome browser updates in the background while users are online, Sengupta said. Users will not run the risk of having their system get infected or compromised before they can install updates, as happens with Windows and other software.

In addition, the antiphishing technology found in the Chrome browser will protect Chrome OS users from inadvertently visiting malicious Web sites, he said.

Google is publishing detailed design documents on Chrome OS, which will allow security experts to scour the code for weaknesses over the next year before the operating system is released to the public, according to Sengupta.

There are some security and networking technologies that are supported in other operating systems that Google is passing on, at least for now.

Google will keep an eye on biometric authentication technologies, but believes that the cost/reliability trade-off is not where it needs to be just yet, according to the security overview for Chrome OS. Smart cards and USB crypto tokens are "interesting technology, but we don't want our users to have to keep track of a physically distinct item just to use their devices," the overview concludes.

Google is likewise not interested in Bluetooth, a wireless protocol widely used in laptops and handheld devices, for authentication. "Bluetooth adds a whole new software stack to our login/screenlocker code that could potentially be buggy, and the security of the pairing protocol has been criticized in the past," the security overview says.

Updated November 24to clarify that Bluetooth is not being considered for authentication.

First, the good news for consumers: the U.S. government's investigation into how dozens of well-known online stores worked with controversial marketers to "deceive" customers out of $1.4 billion has prompted some retailers, including Continental Airlines, to sever ties with the marketers.

Mark Goldston, chairman and CEO of United Online, parent company of Classmates.com, which banked $70 million from marketing practices now under investigation by the Senate Commerce committee.

(Credit: United Online)

Now, the bad news: the marketers--Affinion, Vertrue, and Webloyalty--are still in business and judging from the responses of many of the retailers involved, such as Priceline, Classmates.com, FTD, Shutterfly, and Orbitz, it will be business as usual. They see nothing wrong with the marketing practices that millions of angry online shoppers and members of the U.S. Senate have called a "scam," "robbery" and "theft."

While the U.S. Senate Commerce committee produced a staggering amount of documentation during a hearing last week that appears to show consumers are misled into signing up for so-called loyalty programs, the retailers continue to suggest it's their customers who are at fault.

The controversy began last May, when the Commerce committee launched an investigation into the practices employed by Vertrue, Affinion, and Webloyalty. The committee's investigators found thousands of complaints going back years from people who said they discovered "mysterious charges" on their credit cards and struggled to discover how they got there.

The Senate's investigators said they learned that the retailers had made an unholy alliance with the marketers. Under most of the agreements between the marketing firms and retailers, an advertising page is presented to a shopper while they complete a transaction at the retailer's online store. Many shoppers say they entered their e-mail address and pushed a large "Yes" button on the ad because it appears to be a $10 cash-back offer or coupon. Many of those that complain say they thought they were being rewarded by the retailer for making a purchase.

Written in much smaller print within the ad are the full terms of the deal. A customer is notified there that by providing their e-mail address they are joining a membership program and agreeing to pay one of the marketing firms a monthly fee, typically between $10 and $20.

Despite being blasted last week by members of the Commerce committee, most of the retailers involved haven't done much repenting.

Orbitz "does not pass on any personally identifiable customer information to third party vendors without their permission," the travel site said in a statement.

United Online, parent company of FTD and Classmates.com, a company that the government said banked $70 million via the three marketers said: "We believe that our marketing practices provide clear disclosure. We do not transfer our customer's credit or debit card information to third parties without our customer's consent."

Priceline said the terms of the deal have "been clearly and fully explained."

It's all your fault
The inference is clear: The people complaining about this are the ones who screwed up. The terms of the deal were all in the ad so that means anyone who was charged the monthly fee either wanted it at the time or was negligent.

I can start by listing all the information that the government has found that shows that as many as 30 million consumers were unaware that they were signing up for the loyalty programs. But first, let's look at the obvious.

Webloyalty, Affinion and Vertrue all say they do their best to make it clear to consumers what they're signing up for. That's nonsense of course. If their claim was true, they would simply insert the following graph or something like it high up into their ads:

BY ENTERING YOUR CREDIT CARD NUMBER YOU ARE REGISTERING FOR MEMBERSHIP PROGRAM AND YOUR CREDIT CARD WILL BE CHARGED $12 PER MONTH FOR THIS SERVICE UNTIL YOU CANCEL YOUR MEMBERSHIP. ENTER CARD NUMBER HERE:________. EXPIRATION DATE HERE:________.

Voila. End of confusion.

This simple fact was presented in a Jan. 8, 2007, court filing that was part a class-action lawsuit filed against Webloyalty, one of several suits filed against the three marketing companies over the years. In this case, the attorneys representing plaintiff Joe Kuefler sized up why they believed Webloyalty doesn't display its terms in this clear way or ask consumers to input their credit card information themselves.

"The answer is nefarious," the lawyers wrote. "If customers had to retype their credit card numbers, they would know that they were registering for a monthly fee-based service and defendants would not be able to get rich by fooling people into signing up."

Confusion breeds deception
Here's the next obvious fact that readers should know: burying important contractual information deep inside big blocks of text isn't new. Creating confusion around a purchasing experience and then obtaining a consumer's credit card information from someone other than the owner to make charges isn't novel. These ideas have been around in some form or another for decades and are outlawed in many parts of the brick-and-mortar world. These tactics won't fool everyone, but they will mislead enough consumers for the companies to profit.

In the court filing against Webloyalty, Kuefler's lawyers said that if they could get their hands on the company's internal documents they could prove Webloyalty knew that most "members" were duped into signing up. Well, the government did obtain documents.

According to the Senate Commerce committee's report a Vertrue employee once wrote that "cancellation calls represent approximately 98 percent of call volume" to the company's customer service operations. One Webloyalty employee said in an e-mail that "90 percent of our members don't know anything about the membership."

Documents obtained by the government show Affinion estimated that the chances of obtaining money from a consumer would be four times higher if a retailer handed over a customer's credit-card information to the marketing firm than if the firm had to get it from the actual cardholder.

Prentiss Cox, a former assistant attorney general and now a Minnesota law professor, says that in his decade-long experience studying the marketing practices employed by Affinion, Vertrue and Webloyalty, it's clear to him that those who voluntarily sign up for the loyalty memberships run by those companies is less than 5 percent.

Since I began writing about this in July, I've seen a lot of reader feedback from people who don't believe they could ever be misled into signing up for the membership programs. But I've also read thousands of complaints, which can be found here, here, and here. Among those that have claimed to have been duped are lawyers, computer programmers, vice presidents, U.S. Army veterans, and journalists.

The government wrote that more than 35 million people have been enrolled in Affinion, Vertrue, and Webloyalty's clubs.

Cox says the marketing techniques used by Affinion, Webloyalty, and Vertue work because shoppers have been conditioned to believe that on the Web they can't be charged without entering their credit card information. He notes the ads that Affinion, Vertrue and Webloyalty stick in the faces of consumers come late in the transaction process, when a consumer might think they need to click the "yes" button and enter their e-mail address to verify their identities. In addition, the ads "are sold as free offers," Cox said. This lowers a shopper's guard.

Another effective technique employed by the marketing companies is that they know many people will be embarrassed. Many consumers will hear that they entered their e-mail address and will assume they erred. Some won't make a stink because they don't want to admit that they don't check their bank statements well enough.

By saying, "we never release credit card information without the consumers authorization," the marketing companies and their retail partners imply that the money their customers lost was caused by their own negligence.

Affinion, Vertrue, Webloyalty, and their retail partners are all profiting from their customers' shame, when it is they who should be ashamed.

Webloyalty illustrated for potential clients how much easier it is to generate "high revenue" from a consumer when the firm can get their credit card information from a retailer ('card on file') instead of the card owner. Members of a Senate committee have called such practices a 'scam.'

(Credit: U.S. Senate Commerce committee)

Click here for a related podcast.

Retailers aren't the only ones gearing up for the holiday season. Criminals are also out in force.

To highlight the increased crime during the holidays, security company McAfee has come up with the "12 Scams of Christmas" ranging from bogus electronic greeting cards that deliver malware instead of cheer to fake charities that steal your money and your identity.

It's especially important to be extra careful this time of year, says McAfee's David Marcus. "The bad guys know people are spending more time online, they're paying more bills online so [the criminals] stand a chance of being a bit more successful this time of year.

In a podcast interview (scroll down to listen), Marcus counted down the 12 scams of Christmas starting with:

1. Charitable phishing scams: Marcus warns consumers to be wary of e-mails that appear to be from legitimate charities. Not only will they take your money and deprive charities of needed funds, but they will also steal your credit card information and identity.


2. Fake invoices from delivery services: During this period, scammers will send out fake invoices and delivery notifications appearing to come from Federal Express, UPS, the U.S. Postal Service or even the U.S. Customs Service saying that they were unable to deliver a package to your address. They ask you to confirm your address and give them credit card information to pay for delivery.


3. Social networking friend requests: Bad guys take advantage of this social time of year by sending out authentic looking friend requests via e-mail. Marcus recommends that you not click on those links but sign into Facebook and other services and look for friend requests from the site itself. Clicking on a link could install malware on your computer or trick you into revealing your password.


4. Holiday e-cards: Be careful before clicking on a holiday e-card, especially if it's from a site you haven't heard of. This is a way to deliver malware, pop-ups, and other forms of unwanted advertising. Some fake e-cards will look like they come from Hallmark or other legitimate companies, so pay close attention and make sure it's from someone you know. If you're going to send an e-card, be sure you're dealing with a reputable service lest you risk infecting yourself and your friends.


5. Fake "luxury" jewelry: If you see an offer for luxury gifts from companies like Cartier, Gucci, and Tag Heuer at a price that's too good to be true, it probably isn't true. These links could lead you to malware and take your money or merchandise that will probably never arrive (or be fake if it does). Some of these sites, according to McAfee, even display the logos of the Better Business Bureau.


6. Practice safe holiday shopping. Make sure your wireless network is secure and be sure you're shopping on sites that are secure. Though it isn't an iron clad guarantee, you should look for the lock icon in the lower right corner of your browser and make sure the Web page starts with https. The "s" stands for "secure."


7. Christmas carol lyrics can be dangerous: Bad guys know that people are searching for holiday related sites for music, holiday graphics, and other festive media. During this time, they create fraudulent holiday related sites.


8. Job search related scams: With the unemployment rate at 10.2 percent, there are plenty of job seekers looking for work. Beware of online offers for high paying jobs or at-home money making schemes. Some of these sites ask for money up front, which is a good way for criminals not only to steal your "set up fee" but misuse your credit card too. Marcus said that some "get rich quick" sites are all about money laundering, asking you to accept an inbound financial transfer and pay them.


9. Auction site fraud: McAfee has observed a rise in fake auction sites during the holidays. Make sure you're actually going to eBay or whatever site you plan to deal with.


10. Password stealing scams: Criminals use low-cost tools to uncover passwords, in some cases planting key logger software to record keystrokes. Once they get your passwords, they gain access to bank accounts and credit card accounts and send spam from your e-mail accounts.


11. E-mail banking scams: A common type of phishing scam is sending out official looking e-mails that appear to come from your bank. Don't click on any links but type in your bank's Web address manually if you need to access your account.


12. Files for ransom: Hackers use malware to gain control of your computer and lock your data files. To access your own data you have to pay them ransom.

Listen to Larry's interview with McAfee's David Marcus

Listen now: Download today's podcast

Cisco is offering a free iPhone app that will allow people to get customized alerts on new security threats and other information for safe Web browsing.

The app, which will be available on Friday in the Apple iTunes store, provides information about new malware signatures, bulletins for how to mitigate against threats, ways to see if particular Web sites are compromised, as well as links to podcasts and videos.

The Cisco SIO To Go iPhone app gets its information from the company's Security Intelligence Operations (SIO) system which gathers information in real time from 700,000 sensors located at customer sites, ISPs, and other sites around the world. The data from the disparate sources allows Cisco engineers to do threat correlation to detect Internet attacks and spam campaigns.

The app is designed for professionals and security geeks, not the average consumer, said Michael Weir, Cisco security marketing director.

"I can make it applicable to my needs and the security needs of my [enterprise] network," he said.

The Cisco SIO To Go iPhone app offers information about the safety of particular Web sites.

(Credit: Cisco)

Tiburon, Calif., is a twee little place. If you aren't familiar with the old-country colloquialism "twee," it means, well, something like "precious." Like one of those dogs Paris Hilton used to carry in her purse.

When one wanders through its little streets, just north of San Francisco, one gets the sense that a few of the residents, on seeing someone who appears not to be from around those parts, reach for their handkerchief and hand sanitizer.

How can one, therefore, be surprised that a meeting of the Tiburon Town Council voted on Wednesday by 4 to 0 to install cameras to photograph every single car that enters or leaves this little Disneyland?

The San Francisco Chronicle reported that this may be the first community in the country to have defended itself with cameras in such a way. The idea is to photograph the license plates of every car that treads Tiburon's hallowed roads and compare the information with the police's list of the stolen and nefarious.

Tiburon. Such a tranquil place.

(Credit: CC Stewart/Flickr)

The Tiburon police chief, Michael Cronin, told the Chronicle: "I think it makes the community safer."

There are certainly even more definitions of the word "safety" than of the word "twee." However, it is heartwarming that the Tiburon police--inspired, perhaps, by Google--promise that the information will be kept for only 30 days.

The strange thing is that Tiburon, a northern suburb of San Francisco, isn't exactly Oakland. It doesn't enjoy high crime figures. Indeed, some might say that the most criminal elements in the place are to be seen on the racks of its clothes stores.

The town is fortunate, however, in that it is on a peninsula, from which there are only two roads. So the total cost of putting up six cameras is estimated to be no more than $200,000, which works out at something near $20 per resident. (Tiburon residents enjoy, by the way, a median income somewhere above $125,000.)

I know there will be some who believe you can never have enough security cameras in this heinous and half-witted world. But perhaps some will worry that the police might make rather instinctive judgments about the provenance of certain cars and their intentions.

Others will wonder whether this decision might affect businesses in Tiburon. Still others will ponder whether the police might be willing to offer a Web site showing the movements of all its officers.

I merely wonder how many people, knowing they might have to go to Tiburon for a meal of organic Kobe beef, rosemary ice cream, and plenty of Stags Leap cabernet, will choose to remove their front license plates. You know, just to be on the safe side.