
August 10, 2012

Wiped out

There are so many awful things in the story of what happened this week to technology journalist Mat Honan that it's hard to know where to start. The fundamental part - that through not particularly clever social engineering an outsider was able in about 20 minutes to take over and delete his Google account, take over and defame his Twitter account, and then wipe all the data on his iPhone, iPad, and MacBook - would make a fine nightmare, or maybe a movie with some of the surrealistic quality of Martin Scorsese's After Hours (1985). And all, as Honan eventually learned, because the hacker fancied an outing with his three-digit Twitter ID, a threat so unexpected there's no way you'd make it your model.

Honan's first problem was the thing Suw Charman-Anderson put her finger on for an Infosecurity Magazine piece I did earlier this year: gaining access to a single email address to which every other part of your digital life - ecommerce accounts, financial accounts, social media accounts, password resets all over the Web - is locked puts you in for "a world of hurt". If you only have one email account you use for everything, given access to it, an attacker can simply request password resets all over the place - and then he has access to your accounts and you don't. There are separate problems around the fact that the information required for resets is both the kind of stuff people disclose without thinking on social networks and commonly reused. None of this requires a fancy technology fix, just smarter, broader thinking.

There are simple solutions to the email problem: don't use one email account for everything and, in the case of Gmail, use two-factor authentication. If you don't operate your own server (and maybe even if you do) it may be too complicated to create a separate address for every site you use, but it's easy enough to have a public address you use for correspondence, a private one you use for most of your site accounts, and then maybe a separate, even less well-known one for a few selected sites that you want to protect as much as you can.

Honan's second problem, however, is not so simple to fix unless an incident like this commands the attention of the companies concerned: the interaction of two companies' security practices that on their own probably seemed quite reasonable. The hacker needed just two small bits of information: Honan's address (sourced from the Whois record for his Internet domain name), and the last four digits of a credit card number. The hack to get the latter involved adding a credit card to Honan's Amazon.com account over the phone and then using that card number, in a second phone call, to add a new email address to the account. Finally, you do a password reset to the new email address, access the account, and find the last four digits of the cards on file - which Apple then accepted, along with the billing address, as sufficient evidence of identity to issue a temporary password into Honan's iCloud account.

This is where your eyes widen. Who knew Amazon or Apple did any of those things over the phone? I can see the point of being able to add an email address; what if you're permanently locked out of the old one? But I can't see why adding a credit card was ever useful; it's not as if Amazon did telephone ordering. And really, the two successive calls should have raised a flag.

The worst part is that even if you did know, you'd likely have no way to require any additional security to block off that route to impersonators; telephone, cable, and financial companies have been securing telephone accounts with passwords for years, but ecommerce sites do not think (or haven't thought) of themselves as possible vectors for hacks into other services. Since the news broke, both Amazon and Apple have blocked off this phone access. But given the extraordinary number of sites we all depend on, the takeaway from this incident is that we ultimately have no clue how well any of them protect us against impersonation. How many other sites can be gamed in this way?

Ultimately, the most important thing, as Jack Schofield writes in his Guardian advice column, is not to rely on one service for everything. Honan's devastation was as complete as it was because all his devices were synched through iCloud and could be remotely wiped. Yet this is the service model that Apple has and that Microsoft and Google are driving towards. The cloud is seductive in its promises: your data is always available, on all your devices, anywhere in the world. And it's managed by professionals, who will do all the stuff you never get around to, like make backups.

But that's the point: as Honan discovered to his cost, the cloud is not a backup. If all your devices are hooked to it, it is your primary data pool, and, as Apple co-founder Steve Wozniak pointed out this week, it is out of your control. Keep your own backups, kids. Develop multiple personalities. Be careful out there.


Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series.


March 9, 2012

Private parts

In 1995, when the EU Data Protection Directive was passed, Facebook founder and CEO Mark Zuckerberg was 11 years old. Google was three years away from incorporation. Amazon.com was a year old and losing money fast enough to convince many onlookers that it would never be profitable; the first online banner ads were only months old. It was the year eBay and Yahoo! were founded and Netscape went public. This is how long ago it was: CompuServe was a major player in online services, AOL was just setting up its international services, and both of them were still funded by per-minute usage fees.

In other words: even when it was published there were no Internet companies whose business models depended on exploiting user data. During the years it was being drafted only posers and rich people owned mobile phones, selling fax machines was a good business, and women were still wearing leggings the *first* time. It's impressive that the basic principles formulated then have held up well. Practice, however, has been another matter.

The discussions that led to the publication in January of a package of reforms to the data protection rules began in 2008. Discussions among data protection commissioners, Peter Hustinx, the European Data Protection Supervisor, said at Thursday's Westminster eForum on data protection and electronic privacy, produced a consensus that changes were needed, including making controllers more accountable, increasing "privacy by design", and making data protection a top-level issue for corporate governance.

These aren't necessarily the issues that first spring to mind for privacy advocates, particularly in the UK, where many have complained that the Information Commissioner's Office has failed. (It was, for example, out of step with the rest of the world with respect to Google's Street View.) Privacy International has a long history of complaints about the ICO's operation. But even the EU hasn't performed as well as citizens might hope under the present regime: PI also exposed the transfer of SWIFT financial data to the US, while Edward Hasbrouck has consistently and publicly opposed the transfer of passenger name record data from the EU to the US.

Hustinx has published a comprehensive opinion of the reform package. The details of both the package itself and the opinion require study. But some of the main points are efforts to implement a single regime and the right to erasure (aka the right to be forgotten), to require breach notification within 24 hours of discovery, and to strengthen the data protection authorities and make them more accountable.

Of course, everyone has a complaint. The UK's deputy information commissioner, David Smith, complained that the package is too prescriptive of details and focuses on paperwork rather than privacy risk. Lord McNally, Minister of State at the Ministry of Justice, complained that the proposed fines of up to 2 percent of global corporate income are disproportionate and that 24 hours is too little time. Hustinx outlined his main difficulties: that the package has gaps, most notably surrounding the transfer of telephone data to law enforcement; that fines should be discretionary and proportionate rather than compulsory; and that there remain difficulties in dealing with national and EU laws.

We used to talk about the way the Internet enabled the US to export the First Amendment. You could, similarly, see the data protection laws as the EU's effort to export privacy rules; a key element is the prohibition on transferring data to countries without similar regimes - which is why the SWIFT and PNR cases were so problematic. In 1999, for a piece that's now behind Scientific American's paywall, PI's Simon Davies predicted that US companies might find themselves unable to trade in Europe because of data flows. Big questions, therefore, revolve around the business corporate rules, which allow companies to transfer data to third countries without equivalent data protection as long as the data stays within their corporate boundaries.

The arguments over data protection law have a lot in common with the arguments over copyright. In both cases, the goal is to find a balance of power between competing interests that keeps individuals from being squashed. Also like copyright, data protection policy is such a dry and esoteric subject that it's hard to get non-specialists engaged with it. Hard, but not impossible: copyright has never had a George Orwell to make the dangers up close and personal. Copyright law began, Lawrence Lessig argued in (I think it was) Free Culture, as a way to curb the power of publishers (although by now it has ended up greatly empowering them). Similarly, while most of us may think of data protection law as protecting against the abuse of personal data, a voice argued from the floor yesterday that the law was originally drafted to enable free data transfers within the single market.

There is another similarity. Rightsholders and government policymakers often talk as though the population-at-large are consumers, not creators in their own right. Similarly, yesterday, Mydex's David Alexander had this objection to make: "We seem to keep forgetting that humans are not just subjects, but participants in the management of their own personal data...Why can't we be participants?"




November 4, 2011

The identity layer

This week, the UK government announced a scheme - Midata - under which consumers will be able to reclaim their personal information. The same day, the Centre for the Study of Financial Innovation assembled a group of experts to ask what the business model for online identification should be. And: whatever that model is, what the government's role should be. (For background, here's the previous such discussion.)

My eventual thought was that the government's role should be to set standards; it might or might not also be an identity services provider. The government's inclination now is to push this job to the private sector. That leaves the question of how to serve those who are not commercially interesting; at the CSFI meeting the Post Office seemed the obvious contender for both pragmatic and historical reasons.

As Mike Bracken writes in the Government Digital Service blog posting linked above, the notion of private identity providers is not new. But what he seems to assume is that what's needed is federated identity - that is, in Wikipedia's definition, a means for linking a person's electronic identity and attributes across multiple distinct systems. What I meant is a system in which one may have many limited identities that are sufficiently interoperable that you can make a choice which to use at the point of entry to a given system. We already have something like this on many blogs, where commenters may be offered a choice of logging in via Google, OpenID, or simply posting a name and URL.

The government gateway circa Year 2000 offered a choice: getting an identity certificate required payment of £50 to, if I remember correctly, Experian or Equifax, or other companies whose interest in preserving personal privacy is hard to credit. The CSFI meeting also mentioned tScheme - an industry consortium to provide trust services. Outside of relatively small niches it's made little impact. Similarly, fifteen years ago, the government intended, as part of implementing key escrow for strong cryptography, to create a network of trusted third parties that it would license and, by implication, control. The intention was that the TTPs should be folks that everyone trusts - like banks. Hilarious, we said *then*. Moving on.

In between then and now, the government also mooted a completely centralized identity scheme - that is, the late, unlamented ID card. Meanwhile, we've seen the growth of a set of competing American/global businesses who all would like to be *the* consumer identity gateway and who managed to steal first-mover advantage from existing financial institutions. Facebook, Google, and Paypal are the three most obvious. Microsoft had hopes, perhaps too early, when in 1999 it created Passport (now Windows Live ID). More recently, it was the home for Kim Cameron's efforts to reshape online identity via the company's now-cancelled CardSpace, and Brendon Lynch's adoption of U-Prove, based on Stefan Brands' technology. U-Prove is now being piloted in various EU-wide projects. There are probably lots of other organizations that would like to get in on such a scheme, if only because of the data and linkages a federated system would grant them. Credit card companies, for example. Some combination of mobile phone manufacturers, mobile network operators, and telcos. Various medical outfits, perhaps.

An identity layer that gives fair and reasonable access to a variety of players who jointly provide competition and consumer choice seems like a reasonable goal. But it's not clear that this is what either the UK's distastefully spelled "Midata" or the US's NSTIC (which attracted similar concerns when first announced) has in mind. What "federated identity" sounds like is the convenience of "single sign-on", which is great if you're working in a company and need to use dozens of legacy systems. When you're talking about identity verification for every type of transaction you do in your entire life, however, a single gateway is a single point of failure and, as Stephan Engberg, founder of the Danish company Priway, has often said, a single point of control. It's the Facebook cross-all-the-streams approach, embedded everywhere. Engberg points to a discussion paper inspired by two workshops he facilitated for the Danish National IT and Telecom Agency (NITA) in late 2010 that covers many of these issues.

Engberg, who describes himself as a "purist" when it comes to individual sovereignty, says the only valid privacy-protecting approach is to ensure that each time you go online on each device you start a new session that is completely isolated from all previous sessions and then have the choice of sharing whatever information you want in the transaction at hand. The EU's LinkSmart project, which Engberg was part of, created middleware to do precisely that. As sensors and RFID chips spread along with IPv6, which can give each of them its own IP address, linkages across all parts of our lives will become easier and easier, he argues.

We've seen often enough that people will choose convenience over complexity. What we don't know is what kind of technology will emerge to help us in this case. The devil, as so often, will be in the details.


October 7, 2011

In the club

Sometime around noon on October 8, 2011 I will no longer be a car owner. This is no small thing: like many Americans I started dreaming about my own car when I was 13 and got my license at 16. I have owned a car almost continuously since January 1975. What makes this a suitable topic for net.wars is that without the Internet it wouldn't have happened.

Since 1995, online retailing has progressively removed the need to drive to shops. By now, almost everything I buy is either within a few minutes' walk or online. I can no longer remember the last time I was in a physical supermarket in the UK.

The advent in 2005 of London's technology-reliant congestion charge (number plate recognition, Internet payment) meant a load of Londoners found it convenient to take advantage of the free parking in my area. I don't know what goes on in the heads of people who resent looking down their formerly empty street and seeing some strange cars parked for the day, but they promptly demanded controlled parking zones, even on my street, where daytime parking has never been an issue but the restaurants clog it up from 7pm to midnight. The CPZ made that worse. Result: escalating paranoia about taking the car anywhere in case I couldn't park when I got back.

But the biggest factor is a viable alternative. Car clubs and car-sharing were newspaper stories for some years until earlier this year, while walking a different route to the tube station, I spotted a parking space marked "CAR CLUB ONLY". It turns out that within a few minutes' walk of my house are five or six Streetcars (merging with Zipcar). For £60 a year I can rent one of these by the hour, including maintenance, insurance, tax, emergency breakdown service, congestion charge and, most important, its parking space. At £5.25 an hour it will take nearly 100 hours a year to match the base cost of car ownership - insurance, road tax, test, parking, AA membership, before maintenance. (There is no depreciation on a 24-year-old car!)

The viability of car clubs depends on the existence of both the Internet and mobile phone networks. Sharing expensive resources, even cars, is nothing new, but such arrangements would have relied on personal connections. The Internet is enabling sharing among strangers: you book via their Web site or mobile phone up to a few minutes before you want the car, and if necessary extend it by sending an SMS.

And so it was that about a month and a half ago it occurred to me that one day soon I would begin presiding over my well-loved car's slow march to scrap metal. How much should you spend on maintaining a car you hardly ever drive? If I sold it now, some other Nissan Prairie-obsessive could love it to death. A month later it passed its MOT for the cost of a replacement light bulb and promptly went up on eBay.

In journalism, they say one is a story, three is a trend. I am the second person on my street to sell their car and join the club in the last two months. The Liberal Democrat council that created the car club spaces can smirk over this: though some residents have complained in the local paper about the loss of parking for the car-owning public, the upshot will be less congestion overall.

The Internet is not going to kill the car industry, but it is going to reshape the pattern of distribution of car ownership among the population. Until now it's been a binary matter: you owned a car or you didn't. Most likely, the car industry will come out about even or a little ahead: some people who would have bought cars won't, some who wouldn't have bought cars will join a club, the clubs themselves will buy cars. City-dwellers have long been a poor market for car sales - lifelong Manhattanites often never learn how to drive - and today's teens are as likely to derive their feelings of freedom and independence from their mobile phones as from a car. The people who should feel threatened are probably local taxi drivers.

Nonetheless, removing the need to own a car to have quick access to one will remove a lot of excess capacity (as airlines would call it). What just-in-time manufacturing has done for companies like Dell and Wal-Mart, just-in-time ownership can now do for consumers: why have streets full of cars just sitting around all day?

To make it work, of course, consumers will have to defy decades of careful marketing designed to make them self-identify with particular brands and models (the car club cars are not beautiful Nissan Prairies but silly silver lozenges). Also, the club must keep its promise to provide a favorable member:car ratio, and the council must continue to allocate parking spaces.

Still, it's all in how you think about it. Membership in Zipcar in one location gives you access to the cars in all the rest. So instead of owning one car, I now have cars all over the world. Is that cool or what?


April 8, 2011

Brought to book

JK Rowling is seriously considering releasing the Harry Potter novels as ebooks, while Amanda Hocking, who's sold a million or so ebooks, has signed a $2 million contract with St. Martin's Press. In the same week. It's hard not to conclude that ebooks are finally coming of age.

And in many ways this is a good thing. The economy surrounding the Kindle, Barnes and Noble's Nook, and other such devices is allowing more than one writer to find an audience for works that mainstream publishers might have ignored. I do think hard work and talent will usually out, and it's hard to believe that Hocking would not have found herself a good career as a writer via the usual routine of looking for agents and publishers. She would very likely have many fewer books published at this point, and probably wouldn't be in possession of the $2 million it's estimated she's made from ebook sales.

On the other hand, assuming she had made at least a couple of book sales by now, she might be much more famous: her blog posting explaining her decision notes that a key factor is that she gets a steady stream of complaints from would-be readers that they can't buy her books in stores. She expects to lose money on the St. Martin's deal compared to what she'd make from self-publishing the same titles. To fans of disintermediation, of doing away with gatekeepers and middle men and allowing artists to control their own fates and interact directly with their audiences, Hocking is a self-made hero.

And yet...the future of ebooks may not be so simply rosy.

This might be the moment to stop and suggest reading a little background on book publishing from the smartest author I know on the topic, science fiction writer Charlie Stross. In a series of blog postings he's covered common misconceptions about publishing, why the Kindle's 2009 UK launch was bad news for writers, and misconceptions about ebooks. One of Stross's central points: epublishing platforms are not owned by publishers but by consumer electronics companies - Apple, Sony, Amazon.

If there's one thing we know about the Net and electronic media generally it's that when the audience for any particular new medium - Usenet, email, blogs, social networks - gets to be a certain size it attracts abuse. It's for this reason that every so often I argue that the Internet does not scale well.

In a fascinating posting on Patrick and Theresa Nielsen-Hayden's blog Making Light, Jim Macdonald notes the case of Canadian author S K S Perry, who has been blogging on LiveJournal about his travails with a thief. Perry, having had no luck finding a publisher for his novel Darkside, had posted it for free on his Web site, where a thief copied it and issued a Kindle edition. Macdonald links this sorry tale (which seems now to have reached a happy-enough ending) with postings from Laura Hazard Owen and Mike Essex that predict a near future in which we are awash in recycled ebook...spam. As all three of these writers point out, there is no system in place to do the kind of copyright/plagiarism checking that many schools have implemented. The costs are low; the potential for recycling content vast; and the ease of gaming the ratings system extraordinary. And either way, the ebook retailer makes money.

Macdonald's posting primarily considers this future with respect to the challenge for authors to be successful*: how will good books find audiences if they're tiny islands adrift in a sea of similar-sounding knock-offs and crap? A situation like that could send us all scurrying back into the arms of people who publish on paper. That wouldn't bother Amazon-the-bookseller; Apple and others without a stake in paper publishing are likely to care more (and promising authors and readers due care and diligence might help them build a better, differentiated ebook business).

There is a mythology that those who - like the Electronic Frontier Foundation or the Open Rights Group - oppose the extension and tightening of copyright are against copyright. This is not the case: very few people want to do away with copyright altogether. What most campaigners in this area want is a fairer deal for all concerned.

This week the issue of term extension for sound recordings in the EU revived when Denmark changed tack and announced it would support the proposals. It's long been my contention that musicians would be better served by changes in the law that would eliminate some of the less fair terms of typical contracts, that would provide for the reversion of rights to musicians when their music goes out of commercial availability, and that would alter the balance of power, even if only slightly, in favor of the musicians.

This dystopian projected future for ebooks is a similar case. It is possible to be for paying artists and even publishers and still be against the imposition of DRM and the demonization of new technologies. This moment, where ebooks are starting to kick into high gear, is the time to find better ways to help authors.

*Successful: an author who makes enough money from writing books to continue writing books.


March 4, 2011

Tax returns

In 1994, when Jeff Bezos was looking for a place to put the online bookseller he intended to grow into the giant, multi-faceted online presence it is today, he began with a set of criteria that included, high up on the list, avoiding liability for sales tax as much as possible. That meant choosing a small state, so that the vast majority of the new site's customers would be elsewhere.

Bezos could make this choice because of the 1992 Supreme Court decision in Quill Corp v. North Dakota, blocking states from compelling distance sellers to collect sales tax from customers unless the seller had a substantial physical operation (a "nexus") in the customer's state. Why, the reasoning went, should a company be required to pay taxes in a state where it receives no benefit in the form of public services? The decision helped fuel the growth of first mail-order sales and then ecommerce.

And so throughout the growth of electronic commerce Americans have gone along taking advantage of the relief from sales tax afforded by online sales. This is true despite the fact that many states have laws requiring their residents to declare and pay the sales tax on purchases over a certain amount. Until the current online tax disputes blew up, few knew about these laws - I only learned of them from a reader email some years ago - and as far as I'm aware they aren't enforced. Doing so would require comprehensive surveillance of ecommerce sites.

But this is the thing when something is new: those setting up businesses can take advantage of loopholes created for very different markets and conditions. A similar situation applies in the UK with respect to DVD and CD sales. Fulfilled by subsidiaries or partners based in the Channel Islands, the DVD and CD sales of major retailers such as Amazon, Tesco, and others take advantage of tax relief rules intended to speed shipments of agricultural products. Basically, any package valued under £18 is exempt from VAT. For consumers, this represents substantial savings; for local shops, it represents a tough challenge.

Even before that, in the early 1990s, CompuServe and AOL, as US-based Internet service providers, were able to avoid charging VAT in the UK based on a rule making services taxable based on their point of origin. That gave those two companies a significant - 17.5 percent - advantage over native ISPs like Demon and Pipex. There were many objections to this situation, and eventually the loophole was closed and both CompuServe and AOL began charging VAT.

You can't really blame companies for taking advantage of the structures that are there. No one wants to pay more tax - or pay for more administration - than is required by law, and anyone running those companies would make the same decisions. But as the recession continues to bite and state, federal, and central governments are all scrambling to replace lost revenues from a tax base that's been , the calls to level the playing field by closing off these tax-advantage workarounds are getting louder.

This type of argument is as old as mail order. But in the beginning there was a general view - implemented also in the US as a moratorium on taxing Internet services that was renewed as recently as 2007 - that exempting the Internet from as many taxes as possible would help the new medium take root and flourish. There was definitely some truth to the idea that this type of encouragement helped; an early FCC proposal to surcharge users for transmitting data was dropped after 10,000 users sent letters of complaint. Nonetheless, the FCC had to continue issuing denials for years as the dropped proposal continued to make the rounds as the "modem tax" hoax spam.

The arguments for requiring out-of-state sellers to collect and remit sales taxes (or VAT) are fairly obvious. Local retailers, especially small independents, are operating at a price disadvantage (even though customers must pay shipping and delivery charges when they buy online). Governments are losing one of their options for raising revenues to pay for public services. In addition, people buy online for many more reasons than saving money. Online shopping is convenient and offers greater choice. It is also true, though infrequently remembered, that the demographics of online shopping skew toward the wealthier members of our society - that is, the people who can best afford to pay the tax.

The arguments against largely boil down to the fact that collecting taxes in many jurisdictions is administratively burdensome. There are some 8,000 different tax rates across the US's 50 states, and although there are many fewer VAT rates across Europe, once your business in a country has reached a certain threshold the rules and regulations governing each one can be byzantine and inconsistent. Creating a single, simple, and consistent tax rule to apply across the board to distance selling would answer these.

No one likes paying taxes (least of all us). But the fact that Amazon would apparently rather jettison the associates program that helped advertise and build its business than allow a state to claim those associates constitute a nexus exposing it to sales tax liability says volumes about how far we've come. And, therefore, how little the Net's biggest businesses now need the help.


November 5, 2010

Suicidal economics

Toxic sludge is GOOD for you, observed John Stauber and Sheldon Rampton in their 1995 book by the same name (or, more completely, Toxic Sludge is Good For You!: Lies, Damn Lies, and the Public Relations Industry). In that brilliantly researched, carefully reasoned, and humorous tome they laid out for inspection the inner workings of the PR industry. After reading it, you never look at the news the same way again.

Including, as we are not the first to say, this week's news that Rupert Murdoch's News International sees extracting subscription money from 105,000 readers of the online versions of the Times and Sunday Times as a success. Nieman Labs' round-up shows how much this particular characterization was greeted by skepticism elsewhere in the media. (My personal favorite is the analogy to Spinal Tap's manager's defense of the band when it's suggested that its popularity is waning: "I just think...their appeal is becoming more selective.") If any of a few million blogs had 105,000 paying readers they'd be in fabulous shape; but given the uncertainty surrounding the numbers, for an organization the size of the Times it seems like pocket change.

I'm not sure that the huge drop in readership online is the worst news. Everyone predicted that, even Murdoch's own people (although it is interesting that the guy who is thought to have launched this scheme has left before the long-term results are in). The really bad news is that the paper's print circulation has declined in line with everyone else's since the paywall went up. It might have turned out, for example, that faced with paying £1 for a day's access a number of people might decide they'd just as soon have the nicely printed version that is, after all, still easier to read. Instead, what seems likely from these (unclear and incomplete) numbers is that online readers don't care nearly as much as offline ones about news sources. And in many cases they're right not to: it hardly matters which news site or RSS feed supplies you with the day's Reuters stories or which journalist dutifully copies down the quotes at the press briefing.

Today's younger generation also has - again, rightfully - a much deeper cynicism about "MSM" (mainstream media) than previous ones, who had less choice. They trust Jon Stewart and Stephen Colbert far more than CNN (or the Onion more than the Times). They don't have to have read Stauber's and Rampton's detailed analysis to have absorbed the message: PR distortion is everywhere. If that's the case, why bother with the middleman? Why not just read the transparently biased source - a company's own spin - rather than the obscurely biased one? Or pick the opinion-former whose take on things is the most fun?

As Michael Wolff (who himself famously burned through many of someone else's millions in the dot-com boom) correctly points out, Murdoch's history online has been a persistent effort to recreate the traditional one-to-many publishing model. He likes satellite television and print newspapers - things where you control what's published and have to deal only with a handful of competitors and a back channel composed only of the great and the good. That desire is I think a fundamental mismatch with the Internet as we currently know it and it's not about free! information but about the two-way, many-to-many nature of the medium.

Not so long ago - 2002 - Murdoch's then COO insisted that you can't make money from content on the Internet; more recently, Times editor James Harding called giving away journalism for free a quite suicidal form of economics. In a similar vein, this week Bruce Eisen, the US's Dish Network vice-president of online content development and strategy, complained that the online streaming service Hulu is killing the TV industry.

Back in 2002, I argued that you can make money from online content but it needs to be some combination of a) low overheads, b) necessary, c) unusual if not unique, d) timely, and e) correctly priced. From what Slate is saying, it appears that Netflix is getting c, d, and e right and that the mix is giving the company enough of an advantage to let it compete successfully with free-as-in-file-sharing. But is the Times getting enough of those things right? And does it need to?

As Emily Bell points out, Murdoch's interest in the newspapers was more for their influence than their profitability, and this influence, and therefore their importance, has largely waned. "Internationally, it has no voice," she writes. But therein lies a key difference between the Times and, say, the Guardian or the BBC: enlarging the international audience for and importance of the Times means competing with his own overseas titles. The Guardian has no such internal conflict of interest, and is therefore free to pursue its mission to become the world's leading liberal voice.

Of course, who knows? In a year's time maybe we'll all be writing the astonishing story of rising paid subscriber numbers and lauding Murdoch's prescience. But if we are, I'll bet that the big winner won't be the Times but Apple.

October 29, 2010

Wanted: less Sir Humphrey, more shark


Seventeen MPs showed up for Thursday's Backbenchers' Committee debate on privacy and the Internet, requested by Robert Halfon (Con-Harlow). They tell me this is a sell-out crowd. The upshot: Google and every other Internet company may come to rue the day that Google sent its Street View cars around Britain. It crossed a line.

That line is this: "Either your home is your castle or it's not." Halfon, talking about StreetView and email he had from a vastly upset woman in Cornwall whose home had been captured and posted on the Web. It's easy for Americans to forget how deep the "An Englishman's home is his castle" thing goes.

Halfon's central question: are we sleepwalking into a privatized surveillance society, and can we stop it? "If no one has any right to privacy, we will live in a Big Brother society run by private companies." StreetView, he said, "is brilliant - but they did it without permission." Of equal importance to Halfon is the curious incident of the silent Information Commissioner (unlike apparently his equivalent everywhere else in the world) and Google's sniffed wi-fi data. The recent announcement that the sniffed data includes contents of email messages, secure Web pages, and passwords has prompted the ICO to take another look.

The response of the ICO, Halfon said, "has been more like Sir Humphrey than a shark with teeth, which is what it should be."

Google is only one offender; Julian Huppert (LibDem-Cambridge) listed some of the other troubles, including this week's release of Firesheep, a Firefox add-on designed to demonstrate Facebook's security failings. Several speakers raised the issue of the secret BT/Phorm trials. A key issue: while half the UK's population choose to be Facebook users (!), and many more voluntarily use Google daily, no one chose to be included in StreetView; we did not ask to be its customers.

So Halfon wants two things. He wants an independent commission of inquiry convened that would include MPs with "expertise in civil liberties, the Internet, and commerce" to suggest a new legal framework that would provide a means of redress, perhaps through an Internet bill of rights. What he envisions is something that polices the behavior of Internet companies the way the British Medical Association or the Law Society provides voluntary self-regulation for their fields. In cases of infringement, fines, perhaps.

In the ensuing discussion many other issues were raised. Huppert mentioned "chilling" (Labour) government surveillance, and hoped that portions of the Digital Economy Act might be repealed. Huppert has also been asking Parliamentary Questions about the is-it-still-dead? Interception Modernization Programme; he is still checking on the careful language of the replies. (Asked about it this week, the Home Office told me they can't speculate in advance about the details that will be provided "in due course"; that what is envisioned is a "program of work on our communications abilities"; that it will be communications service providers, probably as defined in RIPA Section 2(1), storing data, not a government database; that the legislation to safeguard against misuse will probably, but not certainly, be a statutory instrument.)

David Davis (Con-Haltemprice and Howden) wasn't too happy even with the notion of decentralized data held by CSPs, saying these would become a "target for fraudsters, hackers and terrorists". Damian Hinds (Con-East Hampshire) dissected Google's business model (including £5.5 million of taxpayers' money the UK government spent on pay-per-click advertising in 2009).

Perhaps the most significant thing about this debate is the huge rise in the level of knowledge. Many took pains to say how much they value the Internet and love Google's services. This group know - and care - about the Internet because they use it, unlike 1995, when an MP was about as likely to read his own email as he was to shoot his own dog.

Not that I agreed with all of them. Don Foster (LibDem-Bath) and Mike Weatherley (Con-Hove) were exercised about illegal file-sharing (Foster and Huppert agreed to disagree about the DEA, and Damian Collins (Con-Folkestone and Hythe) complained that Google makes money from free access to unauthorized copies). Nadine Dorries (Con-Mid Bedfordshire) wanted regulation to protect young people against suicide sites.

But still. Until recently, Parliament's definition of privacy was celebrities' need for protection from intrusive journalists. This discussion of the privacy of individuals is an extraordinary change. Pressure groups like PI, Open Rights Group, and No2ID helped, but there's also a groundswell of constituents' complaints. Mark Lancaster (Con-Milton Keynes North) noted that a women's refuge at a secret location could not get Google to respond to its request for removal and that the town of Broughton formed a human chain to block the StreetView car. Even the attending opposition MP, Ian Lucas (Lab-Wrexham), favored the commission idea, though he still had hopes for self-regulation.

As for next steps, Ed Vaizey (Con-Wantage and Didcot), the Minister for Communication, Culture, and the Creative Industries, said he planned to convene a meeting with Google and other Internet companies. People should have a means of redress and somewhere to turn for mediation. For Halfon that's still not enough. People should have a choice in the first place.

To be continued...

October 23, 2010

An affair to remember

Politicians change; policies remain the same. Or, if they don't, they return like the monsters in horror movies that end with the epigraph, "It's still out there..."

Cut to 1994, my first outing to the Computers, Freedom, and Privacy conference. I saw: passionate discussions about the right to strong cryptography. The counterargument from government and law enforcement and security service types was that yes, strong cryptography was a fine and excellent thing at protecting communications from prying eyes and for that very reason we needed key escrow to ensure that bad people couldn't say evil things to each other in perfect secrecy. The listing of organized crime, terrorists, drug dealers, and pedophiles as the reasons why it was vital to ensure access to cleartext became so routine that physicist Timothy May dubbed them "The Four Horsemen of the Infocalypse". Cypherpunks opposed restrictions on the use and distribution of strong crypto; government types wanted at the very least a requirement that copies of secret cryptographic keys be provided and held in escrow against the need to decrypt in case of an investigation. The US government went so far as to propose a technology of its own, complete with back door, called the Clipper chip.

Eventually, the Clipper chip was cracked by Matt Blaze, and the needs of electronic commerce won out over the paranoia of the military, and restrictions on the use and export of strong crypto were removed.

Cut to 2000 and the run-up to the passage of the UK's Regulation of Investigatory Powers Act. Same Four Horsemen, same arguments. Eventually RIPA passed with the requirement that individuals disclose their cryptographic keys - but without key escrow. Note that it's just in the last couple of months that someone - a teenager - has gone to jail in the UK for the first time for refusing to disclose their key.

It is not just hype by security services seeking to evade government budget cuts to say that we now have organized cybercrime. Stuxnet rightly has scared a lot of people into recognizing the vulnerabilities of our infrastructure. And clearly we've had terrorist attacks. What we haven't had is a clear demonstration by law enforcement that encrypted communications have impeded the investigation.

A second and related strand of argument holds that communications data - that is traffic data such as email headers and Web addresses - must be retained and stored for some lengthy period of time, again to assist law enforcement in case an investigation is needed. As the Foundation for Information Policy Research and Privacy International have consistently argued for more than ten years, such traffic data is extremely revealing. Yes, that's why law enforcement wants it; but it's also why the American Library Association has consistently opposed handing over library records. Traffic data doesn't just reveal who we talk to and care about; it also reveals what we think about. And because such information is of necessity stored without context, it can also be misleading. If you already think I'm a suspicious person, the fact that I've been reading proof-of-concept papers about future malware attacks sounds like I might be a danger to cybersociety. If you know I'm a journalist specializing in technology matters, that doesn't sound like so much of a threat.

And so to this week. The former head of the Department of Homeland Security, Michael Chertoff, at the RSA Security Conference compared today's threat of cyberattack to nuclear proliferation. The US's Secure Flight program is coming into effect, requiring airline passengers to provide personal data for the US to check 72 hours in advance (where possible). Both the US and UK security services are proposing the installation of deep packet inspection equipment at ISPs. And language in the UK government's Strategic Defence and Security Review (PDF) has led many to believe that what's planned is the revival of the we-thought-it-was-dead Interception Modernisation Programme.

Over at Light Blue Touchpaper, Ross Anderson links many of these trends and asks if we will see a resumption of the crypto wars of the mid-1990s. I hope not; I've listened to enough quivering passion over mathematics to last an Internet lifetime.

But as he says, it's hard to see one without the other. On the face of it, because the data "they" want to retain is traffic data and not content, encryption might seem irrelevant. But a number of trends are pushing people toward greater use of encryption. First and foremost is the risk of interception; many people prefer (rightly) to use secured https, SSH, or VPN connections when they're working over public wi-fi networks. Others secure their connections precisely to keep their ISP from being able to analyze their traffic. If data retention and deep packet inspection become commonplace, so will encrypted connections.

And at that point, as Anderson points out, the focus will return to long-defeated ideas like key escrow and restrictions on the use of encryption. The thought of such a revival is depressing; implementing any of them would be such a regressive step. If we're going to spend billions of pounds on the Internet infrastructure - in the UK, in the US, anywhere else - it should be spent on enhancing robustness, reliability, security, and speed, not building the technological infrastructure to enable secret, warrantless wiretapping.


May 2, 2008

Bet and sue

Most net.wars are not new. Today's debates about free speech and censorship, copyright and control, nationality and disappearing borders were all presaged by the same discussions in the 1980s even as the Internet protocols were being invented. The rare exception: online gambling. Certainly, there were debates about whether states should regulate gambling, but a quick Usenet search does not seem to throw up any discussions about the impact the Internet was going to have on this particular pastime. Just sex, drugs, and rock 'n' roll.

The story started in March, when the French Tennis Federation (FFT - Fédération Française de Tennis) filed suit in Belgium against Betfair, Bwin, and Ladbrokes to prevent them from accepting bets on matches played at the upcoming French Open tennis championships, which start on May 25. The FFT's arguments are rather peculiar: that online betting stains the French Open's reputation; that only the FFT has the right to exploit the French Open; that the online betting companies are parasites using the French Open to make money; and that online betting corrupts the sport. Bwin countersued for slander.

On Tuesday of this week, the Liège court ruled comprehensively against the FFT and awarded the betting companies costs.

The FFT will still, of course, control the things it can: fans will be banned from using laptops and mobile phones in the stands. The convergence of wireless telephony, smart phones, and online sites means that in the second or two between the end of a point and the electronic scoreboard updating, there's a tiny window in which people could bet on a sure thing. Why this slightly improbable scenario concerns the FFT isn't clear; that's a problem for the betting companies. What should concern the FFT is ensuring a lack of corruption within the sport. That means the players and their entourages.

The latter issue has been a touchy subject in the tennis world ever since last August, when Russian player Nikolay Davydenko, currently fourth in the world rankings, retired in the third and final set of a match in Poland against 87th ranked Martin Vassallo Arguello, citing a foot injury. Davydenko was accused of match-fixing; the investigation still drags on. In the resulting publicity, several other players admitted being approached to fix matches. As part of subsequent rule-tightening by the Association of Tennis Professionals, the governing body of men's professional tennis, three Italian players were suspended briefly late last year for betting on other players' matches.

Probably the most surprising thing is that tennis, along with soccer and horse racing, is actually among the most popular sports for betting. A minority sport like tennis? Yet according to USA Today, the 2007 Paris Masters event saw $750 million to $1.5 billion in bets. I can only assume that the inverted pyramid of matches every week involving individual players fits well with what bettors like to do.

Fixing matches seems even more unlikely. The best payouts come from correctly picking upsets, the bigger the better. But top players are highly unlikely to throw matches to order. Most of them play a relatively modest number of events (Davydenko is admittedly the exception) and need all the match wins and points from those events to sustain their rankings. Plus, they're just too damn rich.

In 2007, Roger Federer, the ultra-dominant number one player since the end of 2003, earned upwards of $10 million in prize money alone; Davydenko picked up over $2 million (and has already won another $1 million in 2008). All of the top 12 earned over $1 million. Add in endorsements, and even after you subtract agents' fees, tax, and travel costs for self and entourage, you're still looking at wealthy guys. They might tank matches at events where they're being paid appearance fees (which are legal on the men's tour at all but the top 14 events), but proving they've done so is exceptionally difficult. Fixing matches, which could cost them in lost endorsements on top of the tour's own sanctions, surely can't be worth it.

There are several ironies about the FFT's action. First of all (something most of the journalists covering this story don't mention, probably because they don't spend a lot of time watching tennis on TV), Bwin has been an important advertiser sponsoring tennis on Eurosport. It's absolutely typical of the counter-productive and intricately incestuous politics that characterize the tennis world that one part of the sport would sue someone who pays money into another part of the sport.

Second of all, as Betfair and Bwin pointed out, all three of these companies are highly regulated European licensed operations. Ruling them out of action would mean shifting online betting to less well regulated offshore companies. They also pointed out the absurdity of the parasites claim: how could they accept bets on an event without using its name? Betfair in particular documented its careful agreements with tennis's many governing bodies.

Third of all, the only reason match-fixing is an issue in the tennis world right now is that Betfair spotted some unusual betting patterns during that Polish Davydenko match, cancelled all the bets, and went public with the news. Without that, Davydenko would have avoided the fight over his family's phone records. Come to think of it, making the issue public probably explains the FFT's behavior: it's revenge.


Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

February 29, 2008

Phormal ware

In the last ten days or so a stormlet has broken out about the announcement that BT, Carphone Warehouse, and TalkTalk, who jointly cover about 70 percent of British Internet subscribers, have signed up for a new advertising service. The supplier, Phorm (previously, 121Media), has developed Open Internet Exchange (OIX), a platform to serve up "relevant" ads to ISPs' customers. Ad agencies and Web sites also sign up to the service which, according to Phorm's FAQ, can serve up ads to any Web site "in the regular places the website shows ads". Partners include most British national newspapers, iVillage, and MGM OMD.

A brief chat with BT revealed that the service, known to consumers as Webwise, will apply only to BT's retail customers, not its wholesale division. Consumers will be able to opt out, and BT is planning an educational exercise to explain the service.

Obviously all concerned hope Webwise will be acceptable to consumers, but to make it a little more palatable, not signing out of it gets you warnings if you land on suspected phishing sites. I don't think improved security should, ethically, be tied to a person's ad-friendliness, but this is the world we live in.

"We've done extensive research with our customer base," says BT's spokesman, "and it's very clear that when customers know what is happening they're overwhelmingly in favor of it, particularly in terms of added security."

But the Net folk are suspicious folk, and words like "spyware" and "adware" are circling, partly because Phorm's precursor, 121Media, was blocked by Symantec and F-Secure as spyware. Plus, The Register discovered that BT had been sharing data with Phorm as long ago as last summer, and, apparently, lying about it.

Phorm's PR did not reply to a request for an interview, but a spokeswoman contacted briefly last week defended the company. "We are absolutely not and in no way an adware product at all."

The overlooked aspect: Phorm called in Privacy International's new commercial arm, 80/20, to examine its system.

PI's executive director, Simon Davies, one of the examiners, says, "Phorm has done its very best to eliminate and minimise the use of personal information and build privacy into the core of the technology. In that sense, it's a privacy-friendly technology, but that does not get us away from the intrusion aspect." In general, the principle is that ads shouldn't be served on an opt-out basis; users should have to opt in to receive them.

Tailoring advertising to the clickstream of user interests is of course endemic online now; it's how Google does AdSense, and it's why that company bought DoubleClick, which more or less invented the business of building up user profiles to create personalized ads. Phorm's service, however, does not build user profiles.

A cookie with a unique ID is stored on the user's system - but does not associate that ID with an individual or the computer it's stored on. Say you're browsing car sites like Ford and Nissan. The ISP does not give Phorm personally identifiable information like IP addresses, but does share the information that the computer this cookie is on is looking at car sites right now. OIX serves up car ads. The service ignores niche sites, secure sites (HTTPS), and low-traffic sites. Firewalling between Phorm and the ISP means that the ISP doesn't know and can't deduce the information that the OIX platform knows about what ads are being served. Nothing is stored to create a profile. What Phorm offers advertisers instead is the knowledge that they are serving ads that reflect users' interests in real time.

The difference to Davies is that Google, which came last in Privacy International's privacy rankings, stores search histories and browsing data and ties them to personal identifiers, primarily login IDs and IP addresses. (Next month, the Article 29 Group will report its opinion as to whether IP addresses are personal information, so we will know better then which way the cookie crumbles.)

"The potential to develop a profile covertly is extremely limited, if not eliminated," says Davies.

Phorm itself says, "We really think what our stuff does dispels the myth that in order to provide relevance you have to store data."

I hate advertising as much as the next six people. But most ISPs are operating on razor-thin margins if they make money at all, and they're looking at continuously increasing demand for bandwidth. That demand can only get worse as consumers flock to the iPlayer and other sources of streaming video. The pressure on pricing is steadily downward with people like TalkTalk and O2 offering free or extremely cheap broadband as an add-on to mobile phone accounts. Meanwhile, the advertising revenues go to everyone but them. Is it surprising that they'd leap at this? Analysts estimate that BT will pick up £85 million in the first year. Nice if you can get it.

We all want low-cost broadband and free content. None of us wants ads. How exactly do we propose all this free stuff is going to be paid for?

As for Phorm, it's going to take a lot to make some users trust them. I'd say, though, that the jury is still out. Sometimes people do learn from past mistakes.

February 15, 2008

Greedbay?

If you log onto ebay.com (not .co.uk or eBay's other international sites) next week you may find gaping holes: a number of sellers have pledged to boycott from February 18 to 25 to protest changes eBay is making in listing fees, commissions, some payment requirements, and, probably most contentious, the feedback system. The short version: sellers will no longer be able to leave feedback for buyers, and eBay will require sellers who are new or have low feedback ratings to use Paypal as a payment option and also give their listings less exposure in searches. There will also be penalties for overcharging for postage and handling (a sneaky way of making up for low prices).

Whether these changes are good changes or bad, eBay's feedback system has been broken for a long time, as Jim Griffith comments. The essence of a reputation-based system is holding buyers and sellers accountable for bad behavior. But no one dares leave negative feedback any more for fear of retaliation.

Sellers have reacted angrily to the announced change and some are threatening a strike in which they pull all their items from sale from February 18 to 25. Logically, however, what good do buyer ratings do? The system is inherently unbalanced: buyers choose their sellers but sellers can't discriminate among buyers.

Sellers can't, for example, use the buyer ratings to ring-fence sales. If a buyer fails to pay or rips off a seller by instigating a chargeback after the item has been delivered, the seller's only recourse is through eBay's trust and fraud department. eBay's argument that the change should result in a more accurate reputation system is probably justified.

If it doesn't feel fairly balanced, that's emotion, not logic, based on nostalgia for the early days, when eBay was a democratic site where all users were amateurs who both bought and sold. eBay now is full of businesses and professional sellers, and what the feedback changes make explicit is that over time eBay has become a class system.

Professional sellers (everyone from substantial businesses who also run their own ecommerce sites and probably list on Amazon Marketplace and Google Checkout as well) are in a different league from the casual seller who maybe wants to get rid of that old DVD player and doesn't see why it shouldn't be for a bit of cash. If online discussion forums are 90 percent lurkers and 10 percent posters, it wouldn't be surprising if eBay's user community was 90 percent buyers and 10 percent sellers. I'm a good example: I've sold two items on eBay, but bought dozens, some of them repeat business with the same crafts people and some one-off purchases. For casual sellers, I do look at sellers' feedback - largely to eliminate obvious frauds. (I had to stop buying DVDs on eBay at all - the site is overrun with Asian counterfeits). For the professional sellers, however, the more important reputation information lies in recommendations outside of eBay from people interested in the same sorts of things I am.

There are people the changes will hurt, but the big sellers probably won't be among them; do enough volume successfully and a few negative reviews won't hurt you that much. Individuals won't be able to benefit from an established reputation as a reliable buyer when they sell items. Small sellers will have no way of defending themselves publicly if an unreasonable buyer chooses to trash them. (If the buyer doesn't pay at all, of course, sellers can still work to get the user barred from the service.)

Do eBay sellers have, as some are insisting, a real choice? Some, yes, even though the received wisdom for a long time has been that in online auctions the size of the user base is everything. Some craftspeople have been migrating to Etsy, which is becoming an interesting place to browse. The big sellers generally already sell through multiple channels. People selling off used DVDs, books, and other media would probably do better listing on Amazon Marketplace, where their items will show up, presumably favorably priced, in the same listing with new copies. It's the flea market crowd - the people selling off old tires, strange collectibles, and odd bits of clothing - for whom the size of eBay's audience is indispensable. That is very much eBay's roots, but who wants to move back in with their parents?

Online communities - including commercial ones, like eBay - all tend to exhibit the same social characteristics. One such is the rule that users hate change. Especially, they hate specific changes that threaten to remove one or more freedoms they're used to. eBay's new CEO is right to say it would be more surprising if people didn't protest, given the community's passionate nature. But plenty of online communities have had userbases just as passionate - and did not survive their own arrogance once technology changes created other options. In this battle, eBay's true opponent is Google.

It is Google, now, whose product search puts eBay listings alongside many others, and where people are increasingly likely to start looking for unfamiliar items. And it will be Google that wins if sellers leave eBay en masse, because that's how we will find them in their new homes.

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

February 1, 2008

Microhoo!

Large numbers are always fun, and $44.6 billion is a particularly large number. That's how much Microsoft has offered to pay, half cash, half stock, for Yahoo!

Before we get too impressed, we should remember two things: first, half of it is stock, which isn't an immediate drain on Microsoft's resources. Second, of course, is that money doesn't mean the same thing to Microsoft as it does to everyone else. As of last night, Microsoft had $19.09 billion in a nice cash heap, with more coming in all the time. (We digress to fantasise that somewhere inside Microsoft there's a heavily guarded room where the cash is kept, and where Microsoft employees who've done something particularly clever are allowed to roll naked as a reward.)

Even so, the bid is, shall we say, generous. As of last night, Yahoo!'s market cap was $25.63 billion. Yahoo!'s stock has dropped more than 32 percent in the last year, way outpacing the drop of the broader market. When issued, Microsoft's bid of $31 a share represented a 62 percent premium. That generosity tells us two things. First, since the bid was, in the polite market term, "unsolicited", that Microsoft thought it needed to pay that much to get Yahoo!'s board and biggest shareholders to agree. Second, that Microsoft is serious: it really wants Yahoo! and it doesn't want to have to fight off other contenders.

In some cases – most notably Google's acquisition of YouTube – you get the sense that the acquisition is as much about keeping the acquired company out of the hands of competitors as it is about actually wanting to own that company. If Google wanted a slice of whatever advertising market eventually develops around online video clips, it had to have YouTube. Google Video was too little, too late, and if anyone else had bought YouTube Google would never have been able to catch up.

There's an element of that here, in that MSN seems to have no immediate prospect of catching up with Google in the online advertising market. Last May, when a Microsoft-Yahoo! merger was first mooted, CNN noted that even combined MSN and Yahoo! would trail Google in the search market by a noticeable margin. Google has more than 55 percent of the search market; Yahoo! trails distantly with 17 percent and MSN is even further behind with 13 percent. Better, you can hear Microsoft thinking, to trail with 30 percent of the market than 13 percent; unlike most proposals to merge the numbers two and three players in a market, this merger would create a real competitor to the number one player.

In addition, despite the fact that Yahoo!'s profits dropped by 4.6 percent in the last quarter (year on year), its revenues grew in the same period by 11.8 percent. If Microsoft thought about it like a retail investor (or Warren Buffett), it would note two things: the drop in Yahoo!'s share price makes it a much more attractive buy than it was last May; and Yahoo!'s steady stream of revenues makes a nice return on Microsoft's investment all by itself. One analyst on CNBC estimated that return at 5 percent annually – not bad given today's interest rates.

Back in 2000, at the height of the bubble, when AOL merged with Time-Warner (a marriage both have lived to regret), I did a bit of fantasy matchmaking that regrettably has vanished off the Telegraph's site, pairing dot-coms and old-world companies for mergers. In that round, Amazon.com got Wal-Mart (or, more realistically, K-Mart), E*Trade passed up Dow-Jones, publisher of the Wall Street Journal (and may I just say how preferable that would have been to Rupert Murdoch's having bought it) in favor of greater irony with the lottery operator G-Tech, Microsoft got Disney (to split up the ducks), and Yahoo! was sent off to buy Rupert Murdoch's News International.

Google wasn't in the list; at the time, it was still a privately held geeks' favorite, out of the mainstream. (And, of course, some companies that were in the list – notably eToys and QXL – don't exist any more.) The piece shows off rather clearly, however, the idea of the time, which was that online companies could use their ridiculously inflated stock valuations to score themselves real businesses and real revenues. That was before Google showed the way to crack online advertising and turn visitor numbers into revenues.

It's often said that the hardest thing for a new technology company is to develop a second product. Microsoft is one of the few who succeeded in that. But the history of personal computing is still extremely short, and history may come to look at DOS, Windows, and Office as all one product: commercial software. Microsoft has seen off its commercial competitors, but open-source is a genuine threat to drive the price of commodity software to zero, much like the revenues from long distance telephone calls. Looked at that way, there is no doubt that Microsoft's long-term survival as a major player depends on finding a new approach. It has kept pitching for the right online approach: information service, portal, player/DRM, now search/advertising. And now we get to find out whether Google, like very few companies before it, really can compete with Microsoft. Game on.



January 18, 2008

Harmony, where is thy sting?

On the Net, John Perry Barlow observed long ago, everything is local and everything is global, but nothing is national. It's one of those pat summations that sometimes is actually right. The EU, in the interests of competing successfully with the very large market that is the US, wants to harmonize the national laws that apply to content online.

They have a point. Today's market practices were created while the intangible products of human ingenuity still had to be fixed in a physical medium. It was logical for the publishers and distributors of said media to carve up the world into national territories. But today anyone trying to, say, put a song in an online store, or create a legal TV download service has to deal with a thicket of national collection societies and licensing authorities.

Where there's a problem there's a consultation document, and so there is in this case: the EU is giving us until February 29 (leap year!) to tell them what we think (PDF).

The biggest flaw in the consultation document is that the authors (who needed a good copy editor) seem to have bought wholesale the 2005 thinking of rightsholders (whom they call "right holders"). Fully a third of the consultation is on digital rights management: should it be interoperable, should there be a dispute resolution process, should SMEs have non-discriminatory access to these systems, should EULAs be easier to read?

Well, sure. But the consultation seems to assume that DRM is a) desirable and b) an endemic practice. We have long argued that it's not desirable; DRM is profoundly anti-consumer. Meanwhile, the industry is clearly fulfilling Naxos founder Klaus Heymann's April 2007 prophecy that DRM would be gone from online music within two years. DRM is far less of an issue now than it was in 2006, when the original consultation was launched. In fact, though, these questions seem to have been written less to aid consumers than to limit the monopoly power of iTunes.

That said, DRM will continue to be embedded in some hardware devices, most especially in the form of HDCP, a form of copy protection being built, invisibly to consumers until it gets in their way, into TV sets and other home video equipment. Unfortunately, because the consultation is focused on "Creative Content Online", such broader uses of DRM aren't included.

However, because of this and because some live streaming services similarly use DRM to prevent consumers from keeping copies of their broadcasts (and probably more will in future as Internet broadcasting becomes more widespread), public interest limitations on how DRM can be used seem like a wise idea. The problem with both DRM and EULAs is that the user has no ability to negotiate terms. The consultation leaves out an important consumer consideration: what should happen to content a consumer pays for and downloads that's protected with DRM if the service that sold it closes down? So far, subscribers lose it all; this is clea

The questions regarding multi-territory licensing are far more complicated, and I suspect answers to those depend largely on whether you're someone trying to clear rights for reuse, someone trying to protect your control over your latest blockbuster's markets, or someone trying to make a living as a creative person. The first of those clearly wants to buy one license rather than dozens. The second wants to sell dozens of licenses rather than one (unless it's for a really BIG sum of money). The third, who is probably part of the "Long Tail" mentioned in the question, may be very suspicious of any regime that turns everything he created before 2005 into "back catalogue works" that are subject to a single multi-territory license. Science fiction authors, for example, have long made significant parts of their income by selling their out-of-print back titles for reprint. An old shot in a photographer's long tail may be of no value for 30 years – until suddenly the subject emerges as a Presidential candidate. Any regime that is adopted must be flexible enough to recognize that copyrighted works have values that fluctuate unpredictably over time.

The final set of questions has to do with the law and piracy. Should we all follow France's lead and require ISPs to throw users offline if they're caught file-sharing more than three times? We have said all along that the best antidote to unauthorized copying is to make it easy for people to engage in authorized copying. If you knew, for example, that you could reliably watch the latest episode of The Big Bang Theory (if there ever is one) 24 hours after the US broadcast, would you bother chasing around torrent sites looking for a download that might or might not be complete? Technically, it's nonsense to think that ISPs can reliably distinguish an unauthorized download of copyrighted material from an authorized one; filtering cannot be the answer, no matter how much AT&T wants to kill itself trying. We would also remind the EU of the famed comment of another Old Netizen, John Gilmore: "The Internet perceives censorship as damage, and routes around it."

But of course no consultation can address the real problem, which isn't how to protect copyright online: it's how to encourage creators.


October 19, 2007

Money talks

One of the fun things about making predictions is that, as every year-end psychic knows, you can generally count on people to remember only the successful ones. For them to remember the unsuccessful ones the prediction has to be really outrageous. And even then it may not matter – people do remember Ed Yardeni's prediction that the Year 2000 would bring global doom and chaos, but he is, astonishingly, still working.

Most predictions don't involve putting your money where your mouth is. But buying companies does. This week, eBay announced it was taking a $1.43 billion one-off charge on Skype, which it acquired just a little over two years ago for $2.6 billion, half cash and half stock. I think it's pretty meaningless to talk about how much a deal is worth when it's a straight stock swap: stock costs the acquiring company comparatively little, for one thing, and for another, stock deals are always inflated to ensure that the company being bought up doesn't get shafted if the stock goes down. You can buy a lot more stuff in boom times – say, 1999 – than after sane valuations return. Just ask Time-Warner.

In this case, though, eBay paid half cash (and of course its stock has gone up a good bit since then) and the writedown it took this week is known as a goodwill impairment charge. Goodwill is the set of intangible assets – branding, intellectual property, good customer and employee relations – that a company brings with it when it's acquired. It's hard to value directly; in practice it's the difference between the acquired company's tangible assets (physical plant, inventory, receivables) and the price the buyer paid. The inflated valuations of the dot-com boom have left behind an SEC requirement that goodwill must be assessed annually and charged off if its fair value differs too much from the value the company is carrying for it. eBay's charge, therefore, is an admission that the company overpaid for Skype.

The charge turns eBay's profitable quarter into an overall loss. Bear in mind that of all the Internet businesses eBay is the only one I'm aware of that has been profitable throughout: as a weird, new business in 1995, as an established Internet name taking off during the boom, and as a mainstream phenomenon ever since. It's not like Amazon.com, which lost money for years before finally turning black, or AOL, which was always going to struggle once the conditions that sent it skywards changed, or Yahoo!, whose volatility reflects that of advertising spend. eBay has always had a solid business model, for a simple reason: the more you buy on eBay the more you buy on eBay.

In an economic downturn, people turn to eBay to get stuff cheaper or turn the unwanted items in their attics into money. In an upturn, people turn to eBay to flesh out their collections of antique Tasmanian Zorks. Of course, over time the stock has gone down as well as up, but the business has remained solid. As it does, even now. So does Skype's: according to eBay's SEC filing, Skype has continued to grow in all geographical areas, and its net revenues nearly doubled in the past year on an increase in accounts of 81 percent.

Two years after the acquisition, Skype's usefulness to eBay is less clear. Of course, there's the diversification argument: I am frequently told that the hardest thing for a technology company is coming up with its second product. Google, for all the embellishments it's added to its search engine, basically has one core product that produces revenues: text-based, contextual advertising. But if diversification is why eBay bought Skype, it might as well have bought the perfectly profitable kind of thing Warren Buffett is famous for buying: brick, carpeting, and paint. ("Try to contain your excitement," he wrote dryly to his shareholders in 2001.)

At the time, I thought owning Skype would enable eBay to increase the interconnectedness of its user community. This was much what the companies themselves said: eBay would be able to offer, essentially, premium call services, and Skype would help buyers and sellers communicate.

In fact, that hasn't happened: people do not have Skype options to enable on their eBay accounts that would allow other users to make direct contact with questions, and you do not see Skype buttons, whether talk or chat, under buyers' or sellers' names, next to "email the seller". The number one way that buyers and sellers communicate is email, both inside eBay's secured Web platform and outside it once communication has been established. And this despite the fact that systems allowing live telephone callbacks from or real-time chats with a live customer service representative have been well established for a long time, and are built into many of the bigger ecommerce sites. PayPal, which eBay acquired in 2002 for $1.5 billion, has been much more successfully integrated into eBay's core business.

The good news in all this is that financial analysts covering the Internet seem to have matured. No one is writing that eBay is doomed, or that VoIP is all hype, though some are arguing that Skype may still become roadkill. It seems unlikely: Skype's revenues are robustly increasing and after all, it does have pretty smart owners.



April 27, 2007

My so-called second life

It's a passing fad. It's all hype. They've got good PR. Only sad, pathetic people with no real lives would be interested.
All things that were said about the Internet 12 years ago. All things being said now about Second Life. Wrong about the Internet. Wrong, too, about Second Life.

Hanging around a virtual world dressed as a cartoon character isn't normally my idea of a good time, but last weekend Wired News asked me to attend the virtual technology exposition going on inworld, and so I finally fired up Gwyndred Wuyts, who I'd created some weeks back.

Second Life is of course a logical continuation of the virtual worlds that went before it. The vending machines, avatars, attachments (props such as fancy items of clothing, laptops, or, I am given to understand, quite detailed, anatomically correct genitals), and money all have direct ancestors in previous virtual worlds such as Worlds Away (Fujitsu), The Palace, and Habitat (Lucasfilm). In fact, though, the prior art Second Life echoed most at first was CompuServe, which in 1990 had no graphics except ASCII art and little sense of humor – but was home to technology companies of all sizes, who spoke glowingly of the wonders of having direct contact with their customers. In 1990 every techie had a CompuServe ID.

Along came the Web, and those same companies gratefully retreated to the Web, where they could publish their view of the world and their support documents and edit out the abuse and backtalk. Now, in Second Life, the pendulum is swinging back: it's flattened hierarchies all over again.

"You have to treat everyone equally because you can't tell who anyone is. They could be the CEO of a big company," Odin Liam Wright (SL: Liam Kanno) told me this week. In SL, he says, what you see is "more the psyche than the economic class or vocation or stature."

Having to take people as they present themselves without the advantage of familiar cues and networked references was a theme frequently exploited by Agatha Christie. Britain was then newly mobile, and someone moving to a village no longer came endorsed by letters from mutual friends. People could be anybody, her characters frequently complain.

Americans are raised to love this kind of social mobility. But its downside was on display yesterday in a panel on professionalism at the Information Security conference, where several speakers complained that the informal networks they used to use to check out their prospective security hires no longer exist. International mobility has made it worse: how do you assess a CV when both the credentials and the organizations issuing them are unknown to you?

Well, great: if the information security professionals don't know whom to trust, what hope is there for the rest of us?

Nonetheless, the speaker was wrong. The informal networks exist, just not where he's looking for them. When informal networks get overrun by the mainstream, they move elsewhere. In the late 1980s, Usenet was such a haven; by 1994, when September stopped ending and AOL moved in, everyone had retreated to gated communities (private forums, mailing lists, and so on). Right now, some of those informal networks are on Second Life, and the window is closing as the mainstream becomes more aware of the potential of the virtual world as a platform.

Previous worlds were popular and still died. But Second Life is different, first and foremost because of timing. People have broadband. They have computers powerful enough to handle the graphics and multiple applications. Their movement around the virtual world is limited only by their manual dexterity and the capacity of the servers to handle so many interacting simulations at once.

Second: experimentation. At this week's show, I picked up a (beta) headset that plugs Skype into Second Life (Second Talk). People (Cattle Puppy Productions) are providing inworld TV displays (and extracted video clips for the rest of us). Reallusion, one of the show's main sponsors, does facial animation it hopes will transform Second Life from a world of text-typing avatars into one of talking characters. You can pick up a portable office including virtual laptop, unpack it in a park, and write and post real blog entries. Why would you do this when you already have blogging software on your desktop? Because Second Life has the potential to roll everything – all the different forms of communication open on your desktop today – into a single platform. And if you grew up with computer games, it's a more familiar platform than the desktop metaphor generations of office workers required.

Third: advertising. The virtual show looked empty compared to a real-world show; it had 6,000-plus visitors over three days. The emptiness was by design to allow more visitors while minimizing lag. Nonetheless, Dell was there with a virtual configurator on which you could specify your new laptop. Elsewhere inworld, you can drive your new Toyota or Pontiac and read your Reuters news. Moving into Second Life is a way for old, apparently stuffy companies to reinvent their image for the notoriously hard-to-reach younger crowd who are media-savvy and ad-cynical. There is real gold in them thar virtual hills.

Finally, a real reason to upgrade my desktop.


September 8, 2006

Crossing the streams

OK, this is weird. I'm sitting at my desk in London watching a match from the U.S. Open (a modestly sized tennis tournament finishing up this week in New York City). I'm watching it on the laptop. Not so strange; lots of people watch TV on their computers these days. Only in this case I'm watching the match as broadcast on USA Network, a satellite channel people get by cable. In the US.

Some months back in the online tennis forum I hang out in, you started seeing mention of "streams" of live tennis, all coming from Asia somewhere, somehow. And damn if it wasn't true. Forget all those P2P networks that make you wait a day or two while someone seeds their digital copy of last night's broadcast – if anyone else is even interested enough in that quarter-final Jankovic-Dementieva match to upload it. Pick a player, and although the picture is small, you can have it live. Complete with commercials. At last I can see the ads repeating 12 times an hour that everyone else is complaining about. Whee!

It's weird the frisson of excitement with which you can welcome ads when they're part of something exotic and slightly forbidden. Believe me, if I were sitting in my friends' living room in Pennsylvania, I'd be complaining away with the best of them about *how many times* do we have to see that Sharapova-as-Leona Helmsley commercial (what's she supposed to be selling, anyway? Noblesse oblige?). But viewed this way it's suddenly so cool, like huddling around the short wave radio and tuning in South Africa.

The closer analogy is the early days of satellite television, when satellite nuts (this was before we learned the politically correct phrase "early adopters") had big dishes in their backyards, and found all sorts of interesting things in the sky, like free HBO (in those days, still known as Home Box Office). When dish owners numbered 1.7 million, the pay-TV services got bothered and began encrypting their services to force dish owners to pay cable rates. The upshot: one of the great moments of satellite television, when "Captain Midnight" hijacked HBO's output for four and a half minutes in protest. Captain Midnight was later identified as John MacDougall, a satellite TV salesman, and he was eventually fined $5,000.

Things are likely to be less kindly in the Internet era. For one thing, the companies that own the biggest broadcast networks are bigger, meaner, and have more laws. The first Internet TV casualty was probably the Canadian-targeted iCraveTV, which for a few months in 2000 had 17 American and Canadian channels online. The service got squashed like a bug, despite offering to pay broadcasters. Bear in mind that the first cable companies operated much the way iCraveTV did: they put up a repeating and ran a bunch of wires.

Well, we know how the Internet works. Take out one guy and in return you get a lot more guys that are harder to deal with. I've lost count now of the players and sites: TVUPlayer, TVAnts, PPLive, Sopcast. All are Asian, all stream live TV, and all use peer-to-peer networking technologies to spread the load. Which means, in turn, that the single biggest expense in streaming – bandwidth – is shared among the users. Most of whom, as far as I can tell, are sports nuts, which is only logical. The picture you get from these players is, while good enough to watch, still relatively small and low-resolution. For scripted television, you can get a better experience by waiting the day and downloading a torrent or a legal copy from the pay services that are beginning to open up.

But the whole experience of sports is the fact that it is live, and no one really knows how it's going to come out. Within some limits, a bad, live picture is often preferable to a perfect, delayed one. Even if you can't really see what Federer is doing when he hits the ball, you want the emotional rush of being there with him. You can always watch the full-size version later for artistic appreciation.

Theoretically, the fact that the pictures are small ought to give broadcasters the same kind of confidence that publishers have when it comes to file-sharing. People will pay for big-screen viewing just as they'll pay for books. Nonetheless, we're standing on the brink of the WIPO broadcast treaty that net.wars wrote about in February, 2005.

James Love has a lengthy critique of the current proposals (PDF). But one thing he leaves out is that as far as I can make out, today's streaming players "rebroadcast" their signals by pointing at an IP address where the broadcaster itself is streaming its own output. Are we talking about making it illegal to access or publish IP addresses based on the content that's available at them? TEOTIAWKI. (The End of the Internet as we know it.)

I can't believe these streams are really legal, despite this argument regarding law enforcement actions in Italy. Even if they include ads, someone in London is not in the target demographic for the USTA. Presumably, eventually everybody will encrypt their streams and we'll all have to have protected players and subscriptions in order to view them. In the meantime, enjoy your giant satellite dish.


April 7, 2006

Becoming virtual

There are three reasons to visit a physical-world store over an online one: convenience; a chance to sample in person a wide range of goods; good customer service. All right, there's a fourth: it's fun. At least, number four on that list is the reasoning behind such phenomena as Niketown or those airport hangar-sized Levi's stores that try to look like night clubs (at least, I guess that's what they're trying for).

Dixons, which this week threw in the towel as a British High Street retailer in favor of turning itself into an Internet-only retailer, has been scoring pretty low on all of those for some time now. Convenient locations – if you work in town – it had. However, notorious for being staffed by young, ill-trained (particularly with respect to computer equipment) kids detailed to sell extended warranties, it was never going to win awards for customer service. The stores were too small to carry a really wide range of merchandise. They couldn't compete on price with the big, out-of-town stores (including the chain's own PC World or its electrical retailer, Currys, which is to be renamed the so-1999 "currys.digital"). And visiting one of those stores was certainly never fun. I can't think of a direct US equivalent, in part because it's so long since most parts of the US have had comparable city centers. In Britain, where public transportation has kept city centers (mostly) alive by keeping foot traffic going past stores, the "High Street" – the generic (and often specific) term for the main shopping drag in any given city, like Main Street in the US – has continued in its traditional role. Britain has some out-of-town malls and category killer stores, and it has many, many chains, but you can still find a local butcher or hardware store.

Pretty much all the headlines blamed the growth of ecommerce. Yet Dixons is being squeezed by all the factors above, not just the Web. And in fact, if it attempts to compete on the Web with its current high prices, it's hard to believe that its own brand name is going to be sufficient to make it a long-term success online. The same increasing competition that's squeezing the bricks-and-plastic Dixons – supermarkets like Tesco, which has expanded into electrical goods – is already firmly entrenched online. Sure, you can buy an MP3 player from Dixons. But without the real-world stores to advertise its existence like a painted van touring the streets, Dixons as an online brand name can't compete with Amazon, eBay, or Google's or Yahoo!'s shopping engines. And those are its main competition. Despite its ecommerce operation having grown by 50 percent year-on-year since 2002, does Dixons itself command the kind of loyalty that will get its less Net-savvy shoppers to follow it online? It seems hard to believe.

Among the non-Neterate of my acquaintance, I note that when they want to buy something confusing, like a computer, they do want to buy from a company they've heard of – but they typically want that company to be in the physical world, where they can go see what they're buying. The Web's habit of reducing such purchases to a list of features and specifications works well only if you are experienced and knowledgeable. Of course, we know there's nothing to see when you look at a computer that tells you anything valuable other than whether you like the keyboard, but the presence of a human to explain things and promise to fix them if anything goes wrong is infinitely reassuring. Even if that human is completely ignorant, barely out of school, and gives the wrong advice. I may react in horror when one of these folks goes to PC World instead of the much nearer and more helpful local computer shop, but they do it because they've heard of it and they think that fact offers some security in unfamiliar blocked drains.

It's mildly amusing to look back about eight years and remember that at the time everyone was predicting that the big offline retailers would come online and stomp all over the cyberupstarts. And then again to about five years ago, when everyone was saying that "clicks and mortar" was the way to success. Instead, what seems to be happening is that retail, like so many other things in life and business, is becoming increasingly polarized between the huge names and the niche players. You're the local café or you're Starbucks. You're Cybercandy or you're Tesco. Increasingly, the middle is squeezed out.

Meanwhile, branding is supposed to be the answer for everything. Sometimes – for example, Interfauna – it is the shop's brand that matters. But more often these days, especially in consumer electrical goods, it's the brand of the goods you are buying. No one buys anything from Wal-Mart because the name "Wal-Mart" conveys quality; the one quality that name conveys is "cheap". You choose Wal-Mart as the retailer because of the price, and you choose the brand of the merchandise for its design, functionality, quality, style, or perceived value. Retailer branding is comparatively fragile, even something as apparently unassailable as Amazon.com.

The most likely outcome is that Dixons is a dying brand, and its Web operation will eventually be folded into a single operation that encompasses currys.digital and PC World. And then Tesco or Wal-Mart will buy it.

Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. She has an intermittent blog. Readers are welcome to post there, at the official net.wars blog, or to send email, but please turn off HTML.