net.wars: August 2009 Archives

August 28, 2009

Develop in haste, lose the election at leisure

Well, this is a first: returning to last week's topic because events have already overtaken it.

Last week, the UK government was conducting a consultation on how to reduce illegal file-sharing by 70 percent within a year. We didn't exactly love the proposals, but we did at least respect the absence of what's known as "three strikes" - as in, your ISP gets three complaints about your file-sharing habit and kicks you offline. The government's oh-so-English euphemism for this is "technical measures". Activists opposed to "technical measures" often call them HADOPI, after the similar French law that was passed in May (and whose three strikes portions were struck down in June); HADOPI is the digital rights agency that law created.

This week, the government - or more precisely, the Department for Business, Innovation, and Skills - suddenly changed its collective mind and issued an addendum to the consultation (PDF) that - wha-hey! - brings back three strikes. Its thinking has "developed", BIS says. Is it so cynical to presume that what has "developed" in the last couple of months is pressure from rights holders? Three strikes is a policy the entertainment industry has been shopping around from country to country like an unwanted refugee. Get it passed in one place and use that country as a lever to make all the others harmonize.

What the UK government has done here is entirely inappropriate. At the behest of one business sector, much of it headquartered outside Britain, it has hijacked its own consultation halfway through. It has issued its new-old proposals a few days before the last holiday weekend of the summer. The only justification it's offered: that its "new ideas" (they aren't new; they were considered and rejected earlier this year, in the Digital Britain report (PDF)) couldn't be implemented fast enough to meet its target of reducing illicit file-sharing by 70 percent by 2012 if they aren't included in this consultation. There's plenty of protest about the proposals, but even more about the government's violating its own rules for fair consultations.

Why does time matter? No one believes that the Labour government will survive the next election, due by 2010. The entertainment industries don't want to have to start the dance all over again, fine: but why should the rest of us care?

As for "three strikes" itself, let's try some equivalents.

Someone is caught speeding three times in the effort to get away from crimes they've committed, perhaps a robbery. That person gets points on their license and, if they're going fast enough, might be prohibited from driving for a length of time. That system is administered by on-the-road police but the punishment is determined by the courts. Separately, they are prosecuted for the robberies, and may serve jail time - again, with guilt and punishment determined by the courts.

Someone is caught three times using their home telephone to commit fraud. They would be prosecuted for the fraud, but they would not be banned from using the telephone. Again, the punishment would be determined by the courts after a prosecution requiring the police to produce corroborating evidence.

Someone is caught three times gaming their home electrical meter so that they are able to defraud the electrical company and get free electricity. (It's not so long since in parts of the UK you could achieve this fairly simply just by breaking into the electrical meter and stealing back the coins you fed it with. You would, of course, be caught at the next reading.) I'm not exactly sure what happens in these cases, but if Wikipedia is to be believed, when caught such a customer would be switched to a higher tariff.

It seems unlikely that any court would sentence such a fraudster to live without an electricity supply, especially if they shared their home, as most people do, with other family members. The same goes for the telephone example. And in the first case, such a person might be banned from driving - but not from riding in a car, even the getaway car, while someone else drove it, or from living in a house where a car was present.

Final analogy: millions of people smoke marijuana, which remains illegal. Marijuana has beneficial uses (relieving the nausea from chemotherapy, remediating glaucoma) as well as recreational ones. We prosecute the drug dealers, not the users.

So let's look again at these recycled-reused proposals. Kicking someone offline after three (or however many) complaints from rights holders:

1- Affects everyone in their household. Kids have to go to the library to do homework, spouses/parents can't work at home or socialize online. An entire household is dropped down the wrong side of the Digital Divide. As government functions such as filing taxes, providing information about public services, and accepting responses to consultations all move online, this household is now also effectively disenfranchised.

2- May in fact make both the alleged infringer and their spouse unemployable.

3- Puts this profound control over people's lives, private and public, personal and financial into the hands of ISPs, rights holders, and Ofcom, with no information about how or whether the judicial process would be involved. Not that Britain's court system really has the capacity to try the 10 percent of the population that's estimated to engage in file-sharing. (Licit, illicit, who can tell?)

All of these effects are profoundly anti-democratic. Whose government is it, anyway?

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, follow on Twitter, or send email to netwars@skeptic.demon.co.uk.

August 21, 2009

This means law

You probably aren't aware of this, but there's a consultation going on right now about what to do about illegal peer-to-peer file-sharing; send in comments by September 15. Tom Watson, the former minister for digital engagement, has made some sensible suggestions for how to respond in print and blog.

This topic has been covered pretty regularly in net.wars, but this is different and urgent: this means law.

Among the helpful background material provided with the consultation document are an impact assessment and a financial summary. The first of these explains that there were two policy options under consideration: 1) Do nothing. 2) (Preferred) legislate to reduce illegal downloading "by making it easier and cheaper for rightsholders to bring civil actions against suspected illegal file-sharers". Implementing that requires ISPs to cooperate by notifying their subscribers. There will be a code of practice (less harsh than this one, we trust) including options such as bandwidth capping and traffic shaping, which Ofcom will supervise, at least for now (there may yet be a digital rights agency).

The document is remarkably open about who it's meant to benefit - and it's not artists.

Government intervention is being proposed to address the rise in unlawful P2P file-sharing which can reduce the incentive for the creative industries to invest in the development, production and distribution of new content. Implementation of the proposed policy will allow right [sic] holders to better appropriate returns on their investment.

The included financial assessment, which in this case is the justification for the entire exercise (p 40), lays out the expected benefits: BERR expects rightsholders to pick up £1,700 million by "recovering displaced sales", at a cost to ISPs and mobile network operators of £250 to £500 million over ten years. Net benefit: £1.2 billion. Wha-hey!

My favorite justification for all this is the note that because there are an estimated 6.5 million file-sharers in the UK there are *too many* of us to take us all to court, rightsholders' preferred deterrence method up until now. Rightsholders have marketing experts working for them; shouldn't they be getting some message from these numbers?

There are some things that are legitimately classed as piracy and that definitely cost sales. Printing and selling counterfeit CDs and DVDs is one such. Another is posting unreleased material online without the artist's or rightsholder's permission; that is pre-empting their product launch, and whether you wind up having done them a favor or not, there's no question that it's simply wrong. The answer to the first of these is to shut down pirate pressing operations; the answer to the second is to get the industry to police its own personnel and raise the penalties for insider leaks. Neither can be solved by harassing file-sharers.

It's highly questionable whether file-sharing costs sales; the experience of most of us who have put our work online for free is that sales increase. However, there is no doubt in my mind that there are industries file-sharing hurts. Two good examples in film are the movie rental business and the pay TV broadcasters, especially the premium TV movie channels.

As against that, however, the consultation notes but dismisses the cost to consumers: it estimates that ISPs' costs, when passed on to consumers, will reduce the demand for broadband by 10,000 to 40,000 subscribers, representing lost revenue to ISPs of between £2 and £9 million a year (p50). The consultation goes on to note that some consumers will cease consuming content altogether and that therefore the policy will exacerbate existing inequality since those on the lowest incomes will likely lose the most.

It is not possible to estimate such welfare loss with current data availability, but estimates for the US show that this welfare loss could be twice as large as the benefit derived from reducing the displacement effect to industry revenues.

Shouldn't this be incorporated into the financial analysis?

We must pause to admire the way the questions are phrased. Sir Bonar would be proud: ask if your proposals are implementing what you want to do in the right way. In other words, ask if three is the right number of warning letters to send infringers before taking stronger action (question 9), or whether it's a good idea to leave exactly how costs are to be shared between rightsholders and ISPs flexible rather than specifying (question 6). The question I'd ask, which has not figured in any of the consultations I've seen would be: is this the best way to help artists navigate the new business models of the digital age?

Like Watson, my answer would be no.

Worse, the figures do not take into account the cost to the public, analyzed last year in the Netherlands.

And the assumptions seem wrong. The consultation document claims that research shows that approximately 70 percent of infringers stop when they receive a warning letter, at least in the short term. But do they actually stop? Or do they move their file-sharing to different technologies? Does it just become invisible to their ISP?

So far, file-sharers have responded to threats by developing new technologies better at obfuscating users' activities. Napster...Gnutella...eDonkey...BitTorrent. Next: encrypted traffic that looks just like a VPN connection.

I remain convinced that if the industry really wants to deter file-sharing it should spend its time and effort on creating legal, reliable alternatives. Nothing less will save it. Oh, yeah, and it would be a really good idea for them to be nice to artists, too. Without artists, rightsholders are nothing.

August 14, 2009

We love the NHS

All wars have unexpected casualties; in the US, the rhetorical war on anything that smacks of nationalized health insurance briefly took out Stephen Hawking's citizenship. It is, as Bugs Bunny said, to laugh:

People such as scientist Stephen Hawking wouldn't have a chance in the U.K. where the National Health Service would say the quality of life of this brilliant man, because of his physical handicaps, is essentially worthless.

Language Log's Geoffrey K. Pullum surmised that the problem is that Hawking's speech synthesizer doesn't sound British. (Pullum may not be aware that American film critic Roger Ebert's voice synthesizer does have a British accent, one so fluidly and emolliently English that Ebert and his wife refer to the synthesizer as "Sir Larry". Maybe Ebert and Hawking should swap.)

IBD has admitted the error, and slightly recast its original point, claiming now that Hawking's fame means the NHS treats him differently, and look, see, his own Web site says he has 24-hour care paid for by foundations. We were right all along: the NHS is bad! Three points. First: Hawking was diagnosed with ALS when he was 21, and had many years of care before he became famous. Second: rich, famous people get the best of every health system ever invented. See also the Royal Family. Third: what does IBD imagine Hawking's situation would be were he American?

Hawking was a bystander. The real ire, astoundingly, has been saved for, of all things, the British National Health Service, surely the least likely organization to be tasked with providing health care for Americans. Why is an economic model for providing health care being evaluated as if it were about issuing axes to doctors with orders to use them on anyone over 80?

The rhetoric - one hesitates to call it a debate - over Obama's health care plan reminds me of the 1985 campaign against legalizing divorce in the Republic of Ireland ("Divorce hurts women and children. Vote NO.")

So some US opponents of national health insurance claim Obama wants to bring in death panels, and that the quality of health care will plummet. Whereas the reality is that even if you dispute the 47 million figure, increasing millions of Americans have no health insurance, that the majority of American bankruptcies are due to medical bills, and that more than half of those had health insurance. The reality is also that the ongoing replacement of full-time jobs with benefits with part-time jobs and "permatemps" means that increasing numbers of what used to be the middle class will not be covered at all. Improve the detail of Obama's plan, by all means. But does anyone seriously think the problem has not grown since Hillary Rodham Clinton's plan failed? Does anyone think that fighting over things that aren't in the plan will help matters?

For people to react this viscerally to insurance proposals says there's more going on than rational opposition (and even more rational lobbying by insurance and pharmaceutical companies spouting the evils of "socialism"). This reaction is, I believe, American Dream interruptus. It is the worst side of the pioneer spirit: the US is the land of opportunity; anyone can have access to superb treatment if they work hard enough. You make your own life, you "take care of yourself", government interference will only steal from you. You can see echoes of this in Esther Dyson's "Health 2.0" piece for the FT this week, in which she seems to suggest that better information will revolutionize health care. net.wars covered the self-quantifying movement in October 2008, and better monitoring may well help many people, but it will not solve the question of how to pay for MRIs, cancer drugs, or Alzheimer's care.

Americans who genuinely believe the NHS is a bad thing are, I think, making the same mistake I made in the 1970s: they read the complaints about waiting lists, geographically uneven care, and rationed treatments, and think it must be bad. Whereas the reality is that British people complain about the post yet expect letters to arrive within 24 hours, the public transport yet juggle multiple routes across London in their heads, and the weather, which by any reasonable standard is mild, even friendly.

I have learned better.

Among all the thousands of people I have met in the UK, not one has ever said they would scrap the NHS. None has ever suggested the UK would be better off with a US-style health insurance market. To be sure, some have supplemental private insurance. But everyone agrees: for catastrophic health care you can't beat the NHS. Friends of sick US friends raise funds so they don't have to choose between drugs and food; sick UK friends do not spend their limited energy fighting through insurance company paperwork and begging insurance companies for treatment. People do not go bankrupt in the UK because of medical bills. Many of my American friends now envy me my access to the NHS - for which I pay in taxes.

The NHS may be the most democratic institution ever created: it is a rational way to share an expensive resource as well as a social compact. Because sooner or later, no matter how hard you work and how pure a lifestyle you lead, health problems will come for you, too.

Yes, we love the NHS. Millions of us.

August 7, 2009

The five percent solution

So much has been said about Australia's Internet filtering this year that nearby New Zealand's project has mostly escaped notice. The plan is to implement filtering sometime in the next couple of months. Unlike the UK, where the blocklist is maintained by the Internet Watch Foundation under a voluntary arrangement, in New Zealand the list is being administered by the Department of Internal Affairs.

It turns out that the technology New Zealand is putting in place is coming into use in the UK, courtesy of Watchdog International, which recently signed a deal to supply it to Talk Internet.

Watchdog's managing director, Peter Mancer, says the idea for the technical implementation comes from Sweden.

"I was impressed at the cooperation of police and NGOs," he said of the work he observed there, "but I don't like DNS poisoning. It's not effective enough and it's too broad a brush, and my ten-year-old can bypass it by putting someone else's DNS servers in the browser settings. But it's easy to employ from the ISP's point of view." DNS poisoning - or rather, blocking selected domains - is, of course, what is implemented in the UK through BT's Cleanfeed.

The system Mancer was shown by the Swedish royal technical college and now supplies via his company relies instead on Border Gateway Protocol, or BGP, the core routing protocol of the Internet. Users don't interact with it directly; it's used among ISPs to route traffic correctly. In New Zealand's case, the necessary servers are all managed and hosted by the government. Mancer's explanation: "All ISPs connect to those servers via Internet tunnels using BGP, so the URL list is managed independently of the ISPs, and there is very little cost to the ISP - a few configurations and they're connected to it."

The point for the UK: Cleanfeed requires implementation effort from the ISP. If you're Virgin or another huge ISP, you have sufficient resources and in-house expertise to do it. But the difficulty and expense is, says Mancer, one of the reasons why smaller ISPs haven't adopted it - and why the percentage of British consumer broadband users covered by the IWF blocklist has remained stuck at 90 to 95 percent for years.

Smaller ISPs, says Mancer, "find it quite a challenge. Cleanfeed is not suitable for a lot of ISPs, and there's no commercially available system." So, he says, to the "remaining 5 percent tail which the Home Office and the government keep jumping up and down about, a commercially available solution is more attractive." Watchdog's system starts at €2,000 per year, or about £200 per month, and the cost per user goes down as the number of users goes up. Despite the horrid economics of running a small ISP, 5p per customer per month ought in theory to be affordable.

All of this leads back to the question we posed in a panel at this year's Computers, Freedom, and Privacy conference: can the Internet still route around censorship? Images of child abuse (the IWF's preferred term) are illegal in most countries.

Even the US is beginning to show signs of moving in the hotline-voluntary blocklist direction. Last year, for example, Qwest began blocking access to a list of sites that the National Center for Missing and Exploited Children has identified as containing child pornography. (This is not, by the way, a violation of the First Amendment right to free speech as far as I can make out. The First Amendment says, "Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances." It does not prohibit private companies like Qwest from making their own rules, a reality that seems to be widely misunderstood.)

Mancer himself is passionate on the topic: "I sat on a Swedish hotline and took some of the reports and looked at sites. It really does impact you, and it's worth fighting against." He adds, "We're a bit frustrated. We believe we have a good solution that's affordable, but a lot of ISPs are sitting on the fence." There isn't, he concludes, enough pressure.

Given some odds and ends of possible failures - the link to Watchdog's servers has to stay up, the ISP has to configure its systems correctly - Watchdog's system seems likely to be hard for Web users to bypass, although Richard Clayton, the expert in these matters, queries whether the technology will be able to track changes fast enough to deal with the fast-flux technology in use on botnets.

But Clayton also suggests that blocking Web sites is becoming quaintly old-fashioned.

"The IWF list is down to c. 400 sites (from 1500+, of which about 1/3 are 'free' sites - ie: a single phone call would remove the material)," he said by email. In other words, the Web may not be able to bypass the technology - but things like TOR, Freenet, closed peer-to-peer networks, and that wacky darknet-in-a-browser project showed off at Black Hat last week probably can because they were deliberately created to bypass the domain name system entirely. The Web is not the Internet. The Web may no longer be able to route around censorship, but the Internet still can in the time-honored way: by changing technologies. Originally, John Gilmore's aphorism referred to...Usenet.

August 1, 2009


Let's face it: Las Vegas ought not to exist. A city in the middle of the desert that shows off extravagant water fountains. (No matter how efficient these are, they must lose plenty of water to the 110F dry desert air.) Where in a time of energy crisis few can live without cars or air-conditioning and many shops and hotels air-condition to a climate approximating that of Britain in winter. A city that specializes in gigantic, all-night light displays. And, a city with so little respect for its own history that it tears itself down and rebuilds every five years, on average. (It even tore down the hotel that Elvis made famous and replaced it.)

In fact, of course, the Strip is all façade. Go a block east or west and look at the backs of the hotels and what you see is the rear side of a movie set.

There is of course a real Las Vegas away from the Strip that's cooler and much prettier, but much of the above still applies: it is a perfect advertisement for unsustainability. Which is why it seemed particularly apt this year as the location for the annual Black Hat and Defcon security/hacker conferences. Just as Las Vegas itself is an exemplar of the worst abuse of a fragile ecosystem, so increasingly do the technologies we use and trust daily.

If you're not familiar with these twin conferences, they're held on successive days in Las Vegas in late July. At Black Hat during the week, a load of (mostly) guys in (mostly) suits present their latest research into new security problems and their suggested fixes. On Thursday night, (mostly) the same crowd trade in their (mostly) respectable clothes for (mostly) cargo shorts and T-shirts and head for Defcon for the weekend to present (many of) the same talks over again to a (mostly) younger, wilder crowd. Black Hat has executive stationery for sale and sit-down catered lunches; Defcon has programmable badges, pizza in the hotel's food court, and is much, much cheaper.

It's noticeable that, after years when people have been arrested for or sued to prevent their disclosures, a remarkable number of this year's speakers took pains to emphasize the responsible efforts they'd made to contact manufacturers and industry associations and warn them about what they'd found. Some of the presentations even ended with, "And they've fixed it in the latest release." What fun is that?

The other noticeable trend this year was away from ordinary computer issues and into other devices. This was only to be (eventually) expected: as computers infiltrate all parts of our lives they're bringing insecurity along with them into areas where it pretty much didn't exist before. Electric meters: once mechanical devices that went round and round; now smart gizmos that could be remotely reprogrammed. Flaws in the implementation of SMS mean that phishing messages and other scams most likely lie in the future of our mobile phones.

Even such apparently stolid mechanisms as parking meters can be gamed. Know what's inside those things? Z80 chips! Yes, the heart of those primitive 1980s computers lives on in that parking meter that just clicked over to VIOLATION.

Las Vegas seems to go on as if the planet were not in danger. Similarly, we know - because we write and read it daily - that the Internet was built as a sort of experiment on underpinnings that are ludicrously, laughably wrongly designed for the weight we're putting on them. And yet every day we go on buying things with credit cards, banking, watching our governments shift everything online, all I suppose with the shared hope that it will all come right somehow.

You do wonder, though, after two days of presentations that find the same fundamental errors we've known about for decades: passwords submitted in plain text, confusion between making things easy for users and depriving them of valuable information to help them spot frauds. The failure, as someone said in the blur of the last few days, to teach beginning programmers about the techniques of secure coding. Plus, of course, the business urgency of let's get this thing working and worry about security later.

On the other hand, it was just as alarming to hear Robert Lentz, deputy assistant secretary of Defense, say it was urgent to "get the anonymity out of the network" and ensure that real-world and cyber identities converge with multifactor biometric identification in both logical and physical worlds. My laptop computer was perfectly secure against all the inquisitors at Black Hat because it never left my immediate possession and I couldn't connect to the wireless; but that's not how I want to live.

The hardest thing about security seems to be understanding when we really need it and how. But the thing about Vegas - as IBM's Jeff Jonas so eloquently explained at etech in 2008 - is that behind the Strip (which I always like to say is what you'd get if you gave a band of giant children an unlimited supply of melted plastic and bad taste) and its city block-sized casinos lies a security system so sophisticated that it doesn't interfere with customers' having a good time. Vegas, so fake in other ways, is the opposite of security theater. Whereas, so much of our security - which is often intrusive enough to feel real - might as well be the giant plastic Sphinx in front of the Luxor.
