Main

May 24, 2013

Forcing functions

At last Saturday's OpenTech, perennial grain-of-sand-in-the-Internet-oyster Bill Thompson, in a session on open data, asked an interesting question. In a nod to NTK's old slogan, "They stole our revolution - now we're stealing it back", he asked: how can we ensure that open data supports values of democracy, openness, transparency, and social justice? The Internet pioneers did their best to embed these things into their designs, and the open architecture, software, and licensing they pioneered can be taken without paying by any oppressive government or large company that cares to, Is this what we want for open data, too?

Thompson writes (and, if I remember correctly, actually said, more or less):

...destruction seems like a real danger, not least because the principles on which the Internet is founded leave us open to exploitation and appropriation by those who see openness as an opportunity to take without paying - the venture capitalists, startups and big tech companies who have built their empires in the commons and argue that their right to build fences and walls is just another aspect of 'openness'.

Constraining the ability to take what's been freely developed and exploit it has certainly been attempted, most famously by Richard Stallman's efforts to use copyright law to create software licenses that would bar companies from taking free software and locking it up into proprietary software. It's part of what Creative Commons is about, too: giving people the ability to easily specify how their work may be used. Barring commercial exploitation without payment is a popular option: most people want a cut when they see others making a profit from their work.

The problem, unfortunately, is that it isn't really possible to create an open system that can *only* be used by the "good guys" in "good" ways. The "free speech, not free beer" analogy Stallman used to explain "free software" applies. You can make licensing terms that bar Microsoft from taking GNU/Linux, adding a new user interface, and claiming copyright in the whole thing. But you can't make licensing terms that bar people using Linux from using it to build wiretapping boxes for governments to install in ISPs to collect everyone's email. If you did, either the terms wouldn't hold up in a court of law or it would no longer be free software but instead proprietary software controlled by a well-meaning elite.

One of the fascinating things about the early days of the Internet is the way everyone viewed it as an unbroken field of snow they could mold into the image they wanted. What makes the Internet special is that any of those models really can apply: it's as reasonable to be the entertainment industry and see it as a platform that just needs some locks and laws to improve its effectiveness as a distribution channel as to be Bill Thompson and view it as a platform for social justice that's in danger of being subverted.

One could view the legal history of The Pirate Bay as a worked example, at least as it's shown in the documentary TPB-AFK: The Pirate Bay - Away From Keyboard, released in February and freely downloadable under a Creative Commons license from a torrent site near you (like The Pirate Bay). The documentary has had the best possible publicity this week when the movie studios issued DMCA takedown notices to a batch of sites.

I'm not sure what leg their DMCA claims could stand on, so the most likely explanation is the one TorrentFreak came up with: that the notices are collateral damage. The only remotely likely thing in the documentary to have set them off - other than simple false positives - is the four movie studio logos that appear in it.

There are many lessons to take away from the movie, most notably how much more nuanced the TPB founders' views are than they came across at the time. My favorite moment is probably when Fredrik Tiamo discusses the opposing counsels' inability to understand how TPB actually worked: "We tried to get organized, but we failed every single time." Instead, no boss, no contracts, no company. "We're just a couple of guys in a chat room." My other favorite is probably the moment when Monique Wadsted, Hollywood's lawyer on the case, explains that the notion that young people are disaffected with copyright law is a myth.

"We prefer AFK to IRL," says one of the founders, "because we think the Internet is real."

Given its impact on their business, I'm sure the entertainment industry thinks the Internet is real, too. They're just one of many groups who would like to close down the Internet so it can't be exploited by the "bad guys": security people, governments, child protection campaigners, and so on. Open data will be no different. So, sadly, my answer to Bill Thompson is no, there probably isn't a way to do what he has in mind. Closed in the name of social justice is still closed. Open systems can be exploited by both good and bad guys (for your value of "good" and "bad"); the group exploiting a closed system is always *someone's* bad guy.


Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted irregularly during the week at the net.wars Pinboard - or follow on Twitter.


November 9, 2012

The billion-dollar spree

"This will be the grossest money election we've seen since Nixon," Lawrence Lessig predicted earlier this year. And the numbers are indeed staggering.

Never mind the 1%. In October, Lessig estimated that 42 percent of the money spent so far in the 2012 election cycle had come from just 47 Americans - the .000015 percent. At this rate, politicians - congressional as well as presidential - are perpetual candidates; fundraising leaves no time to do anything else. By comparison, the total UK expenditure by all candidates in the last general election (PDF) was £31 million - call it $50 million. A mere snip.

Some examples. CNN totals up $506,417,910 spent on advertising in just the eight "battleground" states - since April 10, 2012. Funds raised - again since April 10, 2012 - $1,021,265,691, much of it from states not in the battleground category - like New York, Texas, and California. In October, the National Record predicted that Obama's would be the first billion-dollar campaign.

The immediate source of these particular discontents is the 2010 Supreme Court decision in Citizens United v. Federal Election Commission that held that restricting political expenditure on "electioneering communications" by organizations contravened the First Amendment's provisions on freedom of expression. This is a perfectly valid argument if you accept the idea that organizations - corporations, trade unions, and so on - are people who should not be checked from spending their money to buy themselves airtime in which to speak freely.

An earlier rule retained in Citizens United was that donors to so-called SuperPACs (that is, political action committees that can spend unlimited amounts on political advertising as long as their efforts are independent of those of the campaigns) must be identified. That's not much of a consolation: just like money laundering in other contexts, if you want to buy yourself a piece of a president and don't want to be identified, you donate to a non-profit advocacy group and they'll spend or donate it for you and you can remain anonymous, at least to the wider public outside the SuperPAC..

And they worry about anonymous trolling on the Internet.

CNN cites Public Citizen as the source of the news that 60 percent of PACS spend their funds on promoting a single candidate, and that often these are set up and run by families, close associates, or friends of the politicians they support. US News has a handy list of the top 12 donors willing to be identified. Their interests vary; it's not like they're all ganging up on the rest of us with a clear congruence of policy desires; similarly, SuperPACs cover causes I like as well as causes I don't. And even if they didn't, it's not the kind of straightforward corruption where there is an obvious chain where you can say, money here, policy there.

If securing yourself access to put your views is your game, donating huge sums of money to a single candidate or party traditionally you want to donate to both sides, so that no matter who gets into office they'll listen to you. It's equally not a straightforward equation of more money here, victory there, although it's true: Obama outcompeted Romney on the money front, perhaps because so many Democrats were so afraid he wouldn't be able to keep up. But, as Lessig, has commented, even if the direct corrupt link is not there, the situation breeds distrust, doubt, and alienation in voters' minds.

The Washington Post argues that the big explosion of money this time is at least partly due to the one cause most rich people can agree on: tax policy. Some big decisions - the fiscal cliff - lie ahead in the next few months, as tax cuts implemented during the Bush (II) administration automatically expire. When those cuts were passed, the Republicans must have expected the prospect would push the electorate to vote them back in. Oops.

Some more details. Rootstrikers, the activist group Lessig founded to return the balance of power in American politics to the people, has a series of graphics intended to illustrate the sources of money behind superPACs; the president; and their backers. The Sunlight Foundation has an assessment of donors' return on investment

An even better one comes from the Federal Election Commission via Radio Boston, showing the distribution of contributions. The pattern is perfectly clear: the serious money is coming from the richer, more populated, more urbanized states. The way this can distort policy is also perfectly clear.

One of the big concerns in this election was that measures enacted in the name of combating voter fraud (almost non-existent) would block would-be voters from being able to cast ballots. Instead, it seems that Obama was more successful in getting out the vote.

The conundrum I'd like answered is this. Money is clearly a key factor in US elections - it can't get you elected, but the lack of it can certainly keep you out of office. It's clearly much less so elsewhere. So, if the mechanism by which distorted special-interest policies get adopted in the US is money, then what's the mechanism in other countries? I'd really like to know.

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series.

October 26, 2012

Lie to me

I thought her head was going to explode.

The discussion that kicked off this week's Parliament and Internet conference revolved around cybersecurity and trust online, harmlessly at first. Then Helen Goodman (Labour - Bishop Auckland), the shadow minister for Culture, Media, and Sport, raised a question: what was Nominet doing to get rid of anonymity online? Simon McCalla, Nominet's CTO, had some answers: primarily, they're constantly trying to improve the accuracy and reliability of the Whois database, but it's only a very small criminal element that engage in false domain name registration. Like that.

A few minutes later, Andy Smith, PSTSA Security Manager, Cabinet Office, in answer to a question about why the government was joining the Open Identity Exchange (as part of the Identity Assurance Programme) advised those assembled to protect themselves online by lying. Don't give your real name, date of birth, and other information that can be used to perpetrate identity theft.

Like I say, bang! Goodman was horrified. I was sitting near enough to feel the splat.

It's the way of now that the comment was immediately tweeted, picked up by the BBC reporter in the room, published as a story, retweeted, Slashdotted, tweeted some more, and finally boomeranged back to be recontextualized from the podium. Given a reporter with a cellphone and multiple daily newspaper editions, George Osborne's contretemps in first class would still have reached the public eye the same day 15 years ago. This bit of flashback couldn't have happened even five years ago.

For the record, I think it's clear that Smith gave good security advice, and that the headline - the greater source of concern - ought to be that Goodman, an MP apparently frequently contacted by constituents complaining about anonymous cyberbullying, doesn't quite grasp that this is a nuanced issue with multiple trade-offs. (Or, possibly, how often the cyberbully is actually someone you know.) Dates of birth, mother's maiden names, the names of first pets...these are all things that real-life friends and old schoolmates may well know, and lying about the answers is a perfectly sensible precaution given that there is no often choice about giving the real answers for more sensitive purposes, like interacting with government, medical, and financial services. It is not illegal to fake or refuse to disclose these things, and while Facebook has a real names policy it's enforced with so little rigor that it has a roster of fake accounts the size of Egypt.

Although: the Earl of Erroll might be a bit busy today changing the fake birth date - April 1, 1900 - he cheerfully told us and Radio 4 he uses throughout; one can only hope that he doesn't use his real mother's maiden name, since that, as Tom Scott pointed out later, is in Erroll's Wikipedia entry. Since my real birth date is also in *my* Wikipedia entry and who knows what I've said where, I routinely give false answers to standardized security questions. What's the alternative? Giving potentially thousands of people the answers that will unlock your bank account? On social networking sites it's not enough for you to be taciturn; your birth date may be easily outed by well-meaning friends writing on your wall. None of this is - or should be - illegal.

It turns out that it's still pretty difficult to explain to some people how the Internet works or why . Nominet can work as hard as it likes on verifying its own Whois database, but it is powerless over the many UK citizens and businesses that choose to register under .com, .net, and other gTLDs and country codes. Making a law to enjoin British residents and companies from registering domains outside of .uk...well, how on earth would you enforce that? And then there's the whole problem of trying to check, say, registrations in Chinese characters. Computers can't read Chinese? Well, no, not really, no matter what Google Translate might lead you to believe.

Anonymity on the Net has been under fire for a long, long time. Twenty years ago, the main source of complaints was AOL, whose million-CD marketing program made it easy for anyone to get a throwaway email address for 24 hours or so until the system locked you out for providing an invalid credit card number. Then came Hotmail, and you didn't even need that. Then, as now, there are good and bad reasons for being anonymous. For every nasty troll who uses the cloak to hide there are many whistleblowers and people in private pain who need its protection.

Smith's advice only sounds outrageous if, like Goodman, you think there's a valid comparison between Nominet's registration activity and the function of the Driver and Vehicle Licensing Agency (and if you think the domain name system is the answer to ensuring a traceable online identity). And therein lies the theme of the day: the 200-odd Parliamentarians, consultants, analysts, government, and company representatives assembled repeatedly wanted incompatible things in conflicting ways. The morning speakers wanted better security, stronger online identities, and the resources to fight cybercrime; the afternoon folks were all into education and getting kids to hack and explore so they learn to build things and understand things and maybe have jobs someday, to their own benefit and that of the rest of the country. Paul Bernal has a good summary.


Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series.


June 15, 2012

A license to print money

"It's only a draft," Julian Huppert, the Liberal Democrat MP for Cambridge, said repeatedly yesterday. He was talking about the Draft Communications Data Bill (PDF), which was published on Wednesday. Yesterday, in a room in a Parliamentary turret, Hupper convened a meeting to discuss the draft; in attendance were a variety of Parliamentarians plus experts from civil society groups such as Privacy International, the Open Rights Group, Liberty, and Big Brother Watch. Do we want to be a nation of suspects?

The Home Office characterizes the provisions in the draft bill as vital powers to help catch criminals, save lives, and protect children. Everyone else - the Guardian, ZDNet UK, and dozens more - is calling them the "Snooper's charter".

Huppert's point is important. Like the Defamation Bill before it, publishing a draft means there will be a select committee with 12 members, discussion, comments, evidence taken, a report (by November 30, 2012), and then a rewritten bill. This draft will not be voted on in Parliament. We don't have to convince 650 MPs that the bill is wrong; it's a lot easier to talk to 12 people. This bill, as is, would never pass either House in any case, he suggested.

This is the optimistic view. The cynic might suggest that since it's been clear for something like ten years that the British security services (or perhaps their civil servants) have a recurring wet dream in which their mountain of data is the envy of other governments, they're just trying to see what they can get away with. The comprehensive provisions in the first draft set the bar, softening us up to give away far more than we would have in future versions. Psychologists call this anchoring, and while probably few outside the security services would regard the wholesale surveillance and monitoring of innocent people as normal, the crucial bit is where you set the initial bar for comparison for future drafts of the legislation. However invasive the next proposals are, it will be easy for us to lose the bearings we came in with and feel that we've successfully beaten back at least some of the intrusiveness.

But Huppert is keeping his eye on the ball: maybe we can not only get the worst stuff out of this bill but make things actually better than they are now; it will amend RIPA. The Independent argues that private companies hold much more data on us overall but that article misses that this bill intends to grant government access to all of it, at any time, without notice.

The big disappointment in all this, as William Heath said yesterday, is that it marks a return to the old, bad, government IT ways of the past. We were just getting away from giant, failed public IT projects like the late unlamented NHS platform for IT and the even more unlamented ID card towards agile, cheap public projects run by smart guys who know what they're doing. And now we're going to spend £1.8 billion of public money over ten years (draft bill, p92) building something no one much wants and that probably won't work? The draft bill claims - on what authority is unclear - that the expenditure will bring in £5 to £6 billion in revenues. From what? Are they planning to sell the data?

Or are they imagining the economic growth implied by the activity that will be necessary to build, install, maintain, and update the black boxes that will be needed by every ISP in order to comply with the law. The security consultant Alec Muffet has laid out the parameters for this SpookBox 5000: certified, tested, tamperproof, made by, say, three trusted British companies. Hundreds of them, legally required, with ongoing maintenance contracts. "A license to print money," he calls them. Nice work if you can get it, of course.

So we're talking - again - about spending huge sums of government money on a project that only a handful of people want and whose objectives could be better achieved by less intrusive means. Give police better training in computer forensics, for example, so they can retrieve the evidence they need from the devices they find when executing a search warrant.

Ultimately, the real enemy is the lack of detail in the draft bill. Using the excuse that the communications environment is changing rapidly and continuously, the notes argue that flexibility is absolutely necessary for Clause 1, the one that grants the government all the actual surveillance power, and so it's been drafted to include pretty much everything, like those contracts that claim copyright in perpetuity in all forms of media that exist now or may hereinafter be invented throughout the universe. This is dangerous because in recent years the use of statutory instruments to bypass Parliamentary debate has skyrocketed. No. Make the defenders of this bill prove every contention; make them show the evidence that makes every extra bit of intrusion necessary.


Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series.


April 28, 2012

Interview with Lawrence Lessig

This interview was originally intended for a different publication; I only discovered recently that it hadn't run. Lessig and I spoke in late January, while the fate of the Research Works Act was still unknown (it's since been killed.

"This will be the grossest money election we've seen since Nixon," says the law professor Lawrence Lessig, looking ahead to the US Presidential election in November. "As John McCain said, this kind of spending level is certain to inspire a kind of scandal. What's needed is scandals."

It's not that Lessig wants electoral disaster; it's that scandals are what he thinks it might take to wake Americans up to the co-option of the country's political system. The key is the vast, escalating sums of money politicians need to stay in the game. In his latest book, Republic, Lost, Lessig charts this: in 1982 aggregate campaign spending for all House and Senate candidates was $343 million; in 2008 it was $1.8 billion. Another big bump upward is expected this year: the McCain quote he references was in response to the 2010 Supreme Court decision in Citizens United legalising Super-PACs. These can raise unlimited campaign funds as long as they have no official contact with the candidates. But as Lessig details in Republic, Lost, money-hungry politicians don't need things spelled out.

Anyone campaigning against the seemingly endless stream of anti-open Internet, pro-copyright-tightening policies and legislation in the US, EU, and UK - think the recent protests against the US's Stop Internet Piracy (SOPA) and Protect Intellectual Property (PIPA) Acts and the controversy over the Digital Economy Act and the just-signed Anti-Counterfeiting Trade Agreement (ACTA) treaty - has experienced the blinkered conviction among many politicians that there is only one point of view on these issues. Years of trying to teach them otherwise helped convince Lessig that it was vital to get at the root cause, at least in the US: the constant, relentless need to raise escalating sums of money to fund their election campaigns.

"The anti-open access bill is such a great example of the money story," he says, referring to the Research Works Act (H.R. 3699), which would bar government agencies from mandating that the results of publicly funded research be made accessible to the public. The target is the National Institutes of Health, which adopted such a policy in 2008; the backers are journal publishers.

"It was introduced by a Democrat from New York and a Republican from California and the single most important thing explaining what they're doing is the money. Forty percent of the contributions that Elsevier and its senior executives have made have gone to this one Democrat." There is also, he adds, "a lot to be done to document the way money is blocking community broadband projects".

Lessig, a constitutional scholar, came to public attention in 1998, when he briefly served as a special master in Microsoft's antitrust case. In 2000, he wrote the frequently cited book Code and Other Laws of Cyberspace, following up by founding Creative Commons to provide a simple way to licence work on the Internet. In 2002, he argued Eldred v. Ashcroft against copyright term extension in front of the Supreme Court, a loss that still haunts him. Several books later - The Future of Ideas, Free Culture, and Remix - in 2008, at the Emerging Technology conference, he changed course into his present direction, "coding against corruption". The discovery that he was writing a book about corruption led Harvard to invite him to run the Edmond J. Safra Foundation Center for Ethics, where he fosters RootStrikers, a network of activists.

Of the Harvard centre, he says, "It's a bigger project than just being focused on Congress. It's a pretty general frame for thinking about corruption and trying to think in many different contexts." Given the amount of energy and research, "I hope we will be able to demonstrate something useful for people trying to remedy it." And yet, as he admits, although corruption - and similar copyright policies - can be found everywhere his book and research are resolutely limited to the US: "I don't know enough about different political environments."

Lessig sees his own role as a purveyor of ideas rather than an activist.

"A division of labour is sensible," he says. "Others are better at organising and creating a movement." For similar reasons, despite a brief flirtation with the notion in early 2008, he rules out running for office.

"It's very hard to be a reformer with idealistic ideas about how the system should change while trying to be part of the system," he says. "You have to raise money to be part of the system and engage in the behaviour you're trying to attack."

Getting others - distinguished non-politicians - to run on a platform of campaign finance reform is one of four strategies he proposes for reclaiming the republic for the people.

"I've had a bunch of people contact me about becoming super-candidates, but I don't have the infrastructure to support them. We're talking about how to build that infrastructure." Lessig is about to publish a short book mapping out strategy; later this year he will update incorporating contributions made on a related wiki.

The failure of Obama, a colleague at the University of Illinois at Chicago in the mid-1990s, to fulfil his campaign promises in this area is a significant disappointment.

"I thought he had a chance to correct it and the fact that he seemed not to pay attention to it at all made me despair," he says.

Discussion is also growing around the most radical of the four proposals, a constitutional convention under Article V to force through an amendment; to make it happen 34 state legislatures would have to apply.

"The hard problem is how you motivate a political movement that could actually be strong enough to respond to this corruption," he says. "I'm doing everything I can to try to do that. We'll see if I can succeed. That's the objective."


Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this seriesand one of other interviews.


March 16, 2012

The end of the beginning

The coming months could see significant boosts to freedom of expression in the UK. Last night, the Libel Reform Campaign launched its report on alternatives to libel litigation at an event filled with hope that the Defamation Bill will form part of the Queen's speech in May. A day or two earlier, Consumer Focus hosted an event at the House of Commons to discuss responses to the consultation on copyright following the Hargreaves Review, which are due March 21. Dare we hope that a year or two from now the twin chilling towers of libel law and copyright might be a little shorter?

It's actually a good sign, said the former judge Sir Stephen Sedley last night, that the draft defamation bill doesn't contain everything reform campaigners want: all bills change considerably in the process of Parliamentary scrutiny and passage. There are some other favorable signs: the defamation bill is not locked to any particular party. Instead, there's something of a consensus that libel law needs to be reformed for the 21st century - after all, the multiple publication rule that causes Internet users so much trouble was created by the 1849 court case Duke of Bunswick v Harmer, in which the Duke of Brunswick managed to get the 17-year limit overridden on the basis that his manservant, sent from Paris to London, was able to buy copies of the magazine he believed had defamed him. These new purchases, he argued successfully, constituted a new publication of the libel. Well, you know the Internet: nothing ever really completely dies, and so that law, applied today, means liability in perpetuity. Ain't new technology grand?

The same is, of course, true in spades of copyright law, even though it's been updated much more recently; the Copyright, Designs, and Patents Act only dates to 1988 (and was then a revision of laws as recent as 1956). At the Consumer Focus event, Saskia Walzel argued that it's appropriate to expect to reform copyright law every ten to 15 years, but that the law should be based on principles, not technologies. The clauses that allow consumers to record TV programs on video recorders, for example, did not have to be updated for PVRs.

The two have something else in common: both are being brought into disrepute by the Internet because both were formulated in a time when publishers were relatively few in number and relatively powerful and needed to be kept in check. Libel law was intended to curb their power to damage the reputations of individuals with little ability to fight back. Copyright law kept them from stealing artists' and creators' work - and each other's.

Sedley's comment last night about libel reform could, with a little adaptation, apply equally well to copyright: "The law has to apply to both the wealthy bully and the small individual needing redress from a large media organization." Sedley went on to argue that it is in the procedures that the playing field can be leveled; hence the recommendation for options to speed up dispute resolutions and lower costs.

Of course, publishers are not what they were. Even as recently as 1988 the landscape of rightsholders was much more diverse. Many more independent record labels jostled for market share with somewhat more larger ones; scores of independent book publishers and bookshops were thriving; and photographers, probably the creators being damaged the most in the present situation, still relied for their livelihood on the services of a large ecology of small agencies who understood them and cared about their work. Compare that to now, when cross-media ownership is the order of the day, and we may soon be down to just two giant music companies.

It is for this reason that I have long argued (as Walzel also said on Tuesday) that if you really want to help artists and other creators, they will be better served by improving contract law so they can't be bullied into unfair terms than by tightening and aggressively enforcing copyright law.

Libel law can't be so easily mitigated, but in both cases we can greatly improve matters by allowing exceptions that serve the public interest. In the case of libel law, that means scientific criticism: if someone claims abilities that are contrary to our best understanding of science, critique on that basis should be allowed to proceed. Similarly, there is clearly no economic loss to rightsholders from allowing exceptions for parody, disabled access, and archiving.

It was Lord McNally, the Minister of Justice who called this moment in the work on libel law reform the end of the beginning, reminding those present that now is to use whatever influence campaigners have with Parliamentarians to get through the changes that are needed. He probably wouldn't think of it this way, but his comment reminded me of the 1970s and 1980s tennis champion Chris Evert, who commented that many (lesser) players focused on reaching the finals of tournaments and forgot, once there, that there was a step further to go to win the title.

So enjoy that celebratory drink - and then get back to work!

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series.


March 9, 2012

Private parts

In 1995, when the EU Data Protection Directive was passed, Facebook founder and CEO Mark Zuckerberg was 11 years old. Google was three years away from incorporation. Amazon.com was a year old and losing money fast enough to convince many onlookers that it would never be profitable; the first online banner ads were only months old. It was the year eBay and Yahoo! were founded and Netscape went public. This is how long ago it was: CompuServe was a major player in online services, AOL was just setting up its international services, and both of them were still funded by per-minute usage fees.

In other words: even when it was published there were no Internet companies whose business models depended on exploiting user data. During the years it was being drafted only posers and rich people owned mobile phone, selling fax machines was a good business, and women were still wearing leggings the *first* time. It's impressive that the basic principles formulated then have held up well. Practice, however, has been another matter.

The discussions that led to the publication in January of of a package of reforms to the data protection rules began in 2008. Discussions among data protection commissioners, Peter Hustinx, the European Data Protection Supervisor, said at Thursday's Westminster eForum on data protection and electronic privacy, produced a consensus that changes were needed, including making controllers more accountable, increasing "privacy by design", and making data protection a top-level issue for corporate governance.

These aren't necessarily the issues that first spring to mind for privacy advocates, particularly in the UK, where many have complained that the Information Commissioner's Office has failed. (It was, for example, out of step with the rest of the world with respect to Google's Street View.) Privacy International has a long history of complaints about the ICO's operation. But even the EU hasn't performed as well as citizens might hope under the present regime: PI also exposed the transfer of SWIFT financial data to the US, while Edward Hasbrouck has consistently and publicly opposed the transfer of passenger name record data from the EU to the US.

Hustinx has published a comprehensive opinion of the reform package. The details of both the package itself and the opinion require study. But some of the main points are an effort to implement a single regime and the rights to erasure (aka the right to be forgotten), require breach notification within 24 hours of discovery, strengthen the data protection authorities and make them more accountable.

Of course, everyone has a complaint. The UK's deputy information commissioner, David Smith, complained that the package is too prescriptive of details and focuses on paperwork rather than privacy risk. Lord McNally, Minister of State at the Ministry of Justice, complained that the proposed fines of up to 2 percent of global corporate income are disproportionate and that 24 hours is too little time. Hustinx outlined his main difficulties: that the package has gaps, most notably surrounding the transfer of telephone data to law enforcement; that fines should be discretionary and proportionate rather than compulsory; and that there remain difficulties in dealing with national and EU laws.

We used to talk about the way the Internet enabled the US to export the First Amendment. You could, similarly, see the data protection laws as the EU's effort to export privacy rules; a key element is the prohibition on transferring data to countries without similar regimes - which is why the SWIFT and PNR cases were so problematic. In 1999, for a piece that's now behind Scientific American's paywall, PI's Simon Davies predicted that US companies might find themselves unable to trade in Europe because of data flows. Big questions, therefore, revolve around the business corporate rules, which allow companies to transfer data to third countries without equivalent data protection as long as the data stays within their corporate boundaries.

The arguments over data protection law have a lot in common with the arguments over copyright. In both cases, the goal is to find a balance of power between competing interests that keeps individuals from being squashed. Also like copyright, data protection policy is such a dry and esoteric subject that it's hard to get non-specialists engaged with it. Hard, but not impossible: copyright has never had a George Orwell to make the dangers up close and personal. Copyright law began, Lawrence Lessig argued in (I think it was) Free Culture, as a way to curb the power of publishers (although by now it has ended up greatly empowering them). Similarly while most of us may think of data protection law as protecting the abuse of personal data, a voice argued from the floor yesterday that the law was originally drafted to enable free data transfers within the single market.

There is another similarity. Rightsholders and government policymakers often talk as though the population-at-large are consumers, not creators in their own right. Similarly, yesterday, Mydex's David Alexander had this objection to make: "We seem to keep forgetting that humans are not just subjects, but participants in the management of their own personal data...Why can't we be participants?"


Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series.


February 24, 2012

Copyright U

"You cannot have democracy without a public domain," says Tracy Mitrano. She clarifies: "Where the issues that matter are part of what people think about every day and we express them to our representatives in a representative democracy."

As commentators, campaigners, and observers keep pointing out, copyright policy hasn't been like that. A key part of the street protests over the Anti-Counterfeiting Trade Agreement (ACTA) was the secrecy of the negotiations over its contents. Similarly, even if there had been widespread content with the provisions of the Digital Economy Act, the way it was passed would be disturbing: on the nod, revised at the last minute with no debate, in the wash-up before the election with many MPs already on the road to their constituencies. If these are such good policies, why do they need to be agreed and passed in such anti-democratic ways?

My conversation with Mitrano is partly an accident of geography: when you're in Ithaca, NY, and interested in the Internet and copyright she's the person you visit. Mitrano is the director of IT policy at Cornell University, one of the first academic institutions where the Internet took hold. As such, she has been on the front lines of the copyright battles of the last 15 years, trying to balance academic values and student privacy against the demands of copyright enforcement, much like a testbed for the wider population. She also convenes an annual computer policy and law conference on Internet culture in the academy.

"Higher education was the canary in the coal mine for the enforcement of copyright and intellectual property on the Internet," she says.

We don't generally think of universities as ISPs, but, particularly in the US where so many students live in dorms, that is one of their functions: to provide high-speed, campus-wide access for tens of thousands of users of all types, from students to staff to researchers, plus serving hundreds of thousands of alumni wanting those prestigious-sounding email addresses. In 2004, Cornell was one of the leaders of discussions with the music industry regarding student subscription fees.

"To have picked on us was to pick on an easy target in the sense that we're fish in a barrel given our dependence on federal funding," she says, "and we're an easily caricatured representation of the problem because of the demographic of students, who care about culture, don't have a lot of money, are interested in new technology, and it all seemed to be flowing to them so easily. And the last reason: we were a patsy, because given that we care about education and we're not competing with the content industry for profits or market share, we wanted to help."

The result: "The content industry paid for and got, through lobbying, legislation that places greater demands on higher education ISPs than on commercial ISPs." The relevant legislation is the Higher Education Act 2008. "They wanted filtering devices on all our networks," Mitrano says, "completely antithetical to all our values." Still, the industry got a clause whose language is very like what's being pushed for now in the UK, the EU, and, in fact, everywhere else.

"After they got what they wanted there, they started in Europe on "three strikes"," she says. "Not they've come back with SOPA, ACTA, and PIPA."

Higher education in the US is still paying the price for that early focus.

"Even under the least strict test of the equal protection clause, the rational basis test, there is no rational basis for why higher education as an ISP has to do anything more or less than a commercial ISP in terms of being a virtual agent of enforcement of the content industry. Their numbers prove to be wrong in every field - how much they're losing, how many alleged offenders, what percentage of offenders the students are alleged to be in the whole world in copyright infringement."

Every mid-career lawyer with an interest in Internet policy tells the story of how tiny and arcane a field intellectual property was 20 years ago. Mitrano's version is that of the 15 students in her intellectual property class, most were engineers wishing to learn about patents; two were English students who wanted to know why J.D. Salinger's biography had been pulled before publication. By the time she finished law school in 1995, the Internet had been opened up to commercial traffic, though few still saw the significance.

"Copyright, at that moment, went from backwater area to front and center in US politics, but you couldn't prove that," she says. "The day it became apparent to most people in American society was the day last month when Wikipedia went black."

Unusually for someone in the US, Mitrano thinks loosening the US's grip on Internet governance is a good idea.

"I'm not really willing to give up US control entirely," she admits, "it's in the US's interests to be thinking about Internet governance much more internationally and much more collaboratively than we do today. And there's nothing more representative than issues around copyright and its enforcement globally."


Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series.


January 13, 2012

Pot pourri

You have to think that 2012 so far has been orchestrated by someone with a truly strange sense of humor. To wit:

- EMI Records is suing the Irish government for failing to pass laws to block "pirate sites". The way PC Pro tells it, Ireland ought to have implemented site blocking laws to harmonize with European law and one of its own judges has agreed it failed to do so. I'm not surprised, personally: Ireland has a lot of other things on its mind, like the collapse of the Catholic church that dominated Irish politics, education, and health for so long, and the economic situation post-tech boom.

- The US Congress and Senate are, respectively, about to vote on SOPA (Stop Online Piracy Act) and PIPA (Protect Intellectual Property Act), laws to give the US site blocking, search engine de-listing, and other goodies. (Who names these things? SOPA and PIPA sound like they escaped from Anna Russell's La Cantatrice Squelante.) Senator Ron Wyden (D-OR) and Representative Darrell Issa (R-CA) have proposed an alternative, the OPEN Act (PDF), which aims to treat copyright violations as a trade issue rather than a criminal one.

- Issa and Representative Carolyn Maloney (D-NY) have introduced the Research Works Act to give science journal publishers exclusive rights over the taxpayer-funded research they publish. The primary beneficiary would be Elsevier (which also publishes Infosecurity, which I write for), whose campaign contributions have been funding Maloney.

- Google is mixing Google+ with its search engine results because, see, when you're looking up impetigo, as previously noted, what you really want is to know which of your friends has it.

- Privacy International has accused Facebook of destroying someone's life through its automated targeted advertising, an accusation the company disputes.

- And finally, a British judge has ruled that a Sheffield student Richard O'Dwyer can be extradited to the US to face charges of copyright infringement; he owned the now-removed TVShack.net site, which hosted links to unauthorized copies of US movies and TV shows.

So many net.wars, so little time...

The eek!-Facebook-knows-I'm-gay story seems overblown. I'm sure the situation is utterly horrible for the young man in question, whom PI's now-removed blog posting said was instantly banished from his parents' home, but I still would like to observe that the ads were placed on his page by a robot (one without the Asimov Three Laws programmed into it). On this occasion the robot apparently guessed right but that's not always true. Remember 2002, when several TiVos thought their owners were gay? These are emotive issues and, as Forbes concludes in the article linked above, the more targeting gets good and online behavioral advertising spreads the more you have to think about what someone looking over your shoulder will see. Perhaps that's a new-economy job for 2012: the digital image consultant who knows how to game the system so the ads appearing on your personalized pages will send the "right" messages about you. Except...

It was predicted - I forget by whom - that search generally would need to incorporate social networking to make its search results more "relevant" and "personal". I can see the appeal if I'm looking for a movie to see, a book to read, or a place to travel to: why wouldn't I want to see first the recommendations of my friends, whom I trust and who likely have tastes similar to mine? But if I'm looking to understand what campaigners are saying about American hate radio (PDF), I'm more interested in the National Hispanic Media Coalition's new report than in collectively condemning Rush Limbaugh. Google Plus Search makes sense in terms of competing with Facebook and Twitter, but mix it up with the story above, and you have a bigger mess in sight. By their search results shall ye know their innermost secrets.

Besides proving Larry Lessig's point about the way campaign funding destroys our trust in our elected representatives, the Research Works Act is a terrible violation of principle. It's taken years of campaigning - by the Guardian as well as individuals pushing open standards - to get the UK government to open up its data coffers. And just at the moment when they finally do it, the US, which until now has been the model of taxpayers-paid-for-it-they-own-the-data, is thinking about going all protectionist and proprietary?

The copyright wars were always kind of ridiculous (and, says Cory Doctorow, only an opening skirmish), but there's something that's just wrong - lopsided, disproportionate, arrogant, take your pick - about a company suing a national government over it. Similarly, there's something that seems disproportionate about extraditing a British student for running a Web site on the basis that it was registered in .net, which is controlled by a US-based registry (and has now been removed from same). Granted, I'm no expert on extradition law, and must wait for either Lilian Edwards or David Allen Green to explain the details of the 2003 law. That law was and remains controversial, that much I know.

And this is only the second week. Happy new year, indeed.

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series.


December 30, 2011

Ignorance is no excuse

My father was not a patient man. He could summon up some compassion for those unfortunates who were stupider than himself. What he couldn't stand was ignorance, particularly willful ignorance. The kind of thing where someone boasts about how little they know.

That said, he also couldn't abide computers. "What can you do with a computer that you can't do with a paper and pencil?" he demanded to know when I told him I was buying a friend's TRS-80 Model III in 1981. He was not impressed when I suggested that it would enable me to make changes on page 3 of a 78-page manuscript without retyping the whole thing.

My father had a valid excuse for that particular bit of ignorance or lack of imagination. It was 1981, when most people had no clue about the future of the embryonic technology they were beginning to read about. And he was 75. But I bet if he'd made it past 1984 he'd have put some effort into understanding this technology that would soon begin changing the printing industry he worked in all his life.

While computers were new on the block, and their devotees were a relatively small cult of people who could be relatively easily spotted as "other", you could see the boast "I know nothing about computers" as a replay of high school. In American movies and TV shows that would be jocks and the in-crowd on one side, a small band of miserable, bullied nerds on the other. In the UK, where for reasons I've never understood it's considered more admirable to achieve excellence without ever being seen to work hard for it, the sociology plays out a little differently. I guess here the deterrent is less being "uncool" and more being seen as having done some work to understand these machines.

Here's the problem: the people who by and large populate the ranks of politicians and the civil service are the *other* people. Recent events such as the UK's Government Digital Service launch suggest that this is changing. Perhaps computers have gained respectability at the top level from the presence of MPs who can boast that they misspent their youth playing video games rather than, like the last generation's Ian Taylor, getting their knowledge the hard way, by sweating for it in the industry.

There are several consequences of all this. The most obvious and longstanding one is that too many politicians don't "get" the Net, which is how we get legislation like the DEA, SOPA, PIPA, and so on. The less obvious and bigger one is that we - the technology-minded, the early adopters, the educated users - write them off as too stupid to talk to. We call them "congresscritters" and deride their ignorance and venality in listening to lobbyists and special interest groups.

The problem, as Emily Badger writes for Miller-McCune as part of a review of Clay Johnson's latest book, is that if we don't talk to them how can we expect them to learn anything?

This sentiment is echoed in a lecture given recently at Rutgers by the distinguished computer scientist David Farber on the technical and political evolution of the Internet (MP3) (the slides are here (PDF)). Farber's done his time in Washington, DC, as chief technical advisor to the Federal Communications Commission and as a member of the Presidential Advisory Board on Information Technology. In that talk, Farber makes a number of interesting points about what comes next technically - it's unlikely, he says, that today's Internet Protocols will be able to cope with the terabyte networks on the horizon, and reengineering is going to be a very, very hard problem because of the way humans resist change - but the more relevant stuff for this column has to do with what he learned from his time in DC.

Very few people inside the Beltway understand technology, he says there, citing the Congressman who asked him seriously, "What is the Internet?" (Well, see, it's this series of tubes...) And so we get bad - that is, poorly grounded - decisions on technology issues.

Early in the Net's history, the libertarian fantasy was that we could get on just fine without their input, thank you very much. But as Farber says, politicians are not going to stop trying to govern the Internet. And, as he doesn't quite say, it's not like we can show them that we can run a perfect world without them. Look at the problems techies have invented: spam, the flaky software infrastructure on which critical services are based, and so on. "It's hard to be at the edge in DC," Farber concludes.

So, going back to Badger's review of Johnson: the point is it's up to us. Set aside your contempt and distrust. Whether we like politicians or not, they will always be with us. For 2012, adopt your MP, your Congressman, your Senator, your local councilor. Make it your job to help them understand the bills they're voting on. Show them tshat even if they don't understand the technology there's votes in those who do. It's time to stop thinking of their ignorance as solely *their* fault.


Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series.


September 16, 2011

The world at ten

Like Meetup.org, net.wars-the-column is to some extent a child of 9/11 (the column was preceded by the book. four years of near-weekly news analysis pieces for the Daily Telegraph, and a sequel book, From Anarchy to Power: the Net Comes of Age). On November 2, 2011 the column will be ten years old, its creation sparked by a burst of frustrated anger when then foreign minister Jack Straw wagged a post-9/11 finger at those who had opposed his plans to restrict the use of strong encryption and implement key escrow in the mid 1990s when he was at the Home Office and blamed us.

Ten years on, we can revisit his claim. We now know, for example, that when Osama bin Laden wanted to hide, he didn't use cryptography to cloak his whereabouts. Instead, the reason his safe house stood out from those around it was that it was a technological black spot: "no phones, no broadband. In other words, bin Laden feared the power of technology as much as Straw and his cohorts: both feared it would empower their enemies. That paranoia was justified - but backfired spectacularly.

In our own case, it's clear that "the terrorists" have scored a substantial amount of victory. We - the US, the UK, Europe - would have had some kind of recession anyway, given the rapacious and unregulated behavior of banks and brokers leading up to 2008 - but we would have been much better placed to cope with it if we - the US - hadn't been simultaneously throwing $1.29 trillion at invading Iraq and Afghanistan. If you include medical and disability care for current and future veterans, according to the Eisenhower Research Project at Brown University that number rises to as much as $4 trillion.

But more than that, as Ryan Singel writes US-specifically at Wired, the West has built up a gigantic and expensive inward-turned surveillance infrastructure that is unlikely to be dismantled when or if the threat it was built to control goes away. In the last ten years, countless hundreds of millions of dollars and countless million of hours of lost productivity have been spent on airport security when, as Bruce Schneier frequently writes, the only two changes that have made a significant difference to air travel safety have been reinforcing the cockpit doors and teaching passengers to fight back. The Department of Homeland Security's budget for its 2011 financial year is $56.3 billion (PDF) - which includes $214.7 million for airport scanners and another $218.9 million for people to staff them (so much for automation).

The UK in particular has spent much of the last ten years building the database state, creating dozens of large databases aimed at tracking various portions of society through various parts of their lives. Some of this has been dismantled by the coalition, but not all. The most visible part of the ID card is gone - but the key element was always the database of the nation's residents, and as data-sharing between government departments becomes ever easier, the equivalent may be built in practice rather than by explicit plan. In every Western country CCTV cameras are proliferating, as are surveillance-by-design policies such as data retention, built-in wiretapping, and widespread filtering. Every time a new system is built - the London congestion charge, for example, or the mooted smart road pricing systems - there are choices that would allow privacy to be built in. And so far, each time those choices are not taken.

But if the policies aimed at our ourselves are misguided, as net.wars has frequently argued, the same is true of the policies we have directed at others. As part of the British Science Festival, Paul Rogers, a researcher with the Oxford Group, presented A War Gone Badly Wrong - The War on Terror Ten Years On, looking back at the aftermath of the attacks rather than the attacks themselves; the Brown research shows that in the various post-9/11 military actions 80 people have died for every 9/11 victim. Like millions of others who were ignored, the Oxford Research Group opposed the war at the time.

"The whole approach was a mistake." he told the press last Friday, arguing that the US should instead have called it an act of international criminality and sworn to work with everyone to bring the criminals to justice. "The US would have had worldwide support for that kind of action that it did not have for Afghanistan - or, especially, Iraq." He added, "If they had treated al-Qaeda as a common, bitter, vicious criminal movement, not a brave, religious movement worthy of fighting, that degrades it."

What he hopes his research will lead to now is "a really serious understanding of what wrong, and the risks of early recourse to early military responses." And, he added, "sustainable security" that focuses on conflict prevention. "Why it's important to look at the experience of the war on terror is to discern and learn those lessons."

They say that a conservative is a liberal who's been mugged. By analogy, it seems that a surveillance state is a democracy that's been attacked.

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series.

September 9, 2011

The final countdown

The we-thought-it-was-dead specter of copyright term extension in sound recordings has done a Diabolique maneuver and been voted alive by the European Council. In a few days, the Council of Ministers could make it EU law because, as can happen under the inscrutable government structures of the EU, opposition has melted away.

At stake is the extension of copyright in sound recordings from 50 years to 70, something the Open Rights Group has been fighting since it was born. The push to extend it above 50 years has been with us for at least five years; originally the proposal was to take it to 95 years. An extension from 50 to 70 years is modest by comparison, but given the way these things have been going over the last 50 years, that would buy the recording industry 20 years in which to lobby for the 95 years they originally wanted, and then 25 years to lobby for the line to be moved further. Why now? A great tranche of commercially popular recordings is up for entry into the public domain: Elvis Presley's earliest recordings date to 1956, and The Beatles' first album came out in 1963; their first singles are 50 years old this year. It's not long after that to all the great rock records of the 1970s.

My fellow Open Rights Group advisory council member Paul Sanders, has up a concise little analysis about what's wrong here. Basically, it's never jam today for the artists, but jam yesterday, today, and tomorrow for the recording companies. I have commented frequently on the fact that the more record companies are able to make nearly pure profit on their back catalogues whose sunk costs have long ago been paid, the more new, young artists are required to compete for their attention with an ever-expanding back catalogue. I like Sanders' language on this: "redistributive, from younger artists to older and dead ones".

In recent years, we've heard a lof of the mantra "evidence-based policy" from the UK government. So, in the interests of ensuring this evidence-based policy the UK government is so keen on, here is some. The good news is they commissioned it themselves, so it ought to carry a lot of weight with them. Right? Right.

There have been two major British government reports studying the future of copyright and intellectual property law generally in the last five years: the Gowers Review, published in 2006, and the Hargreaves report was commissioned in November 2010 and released in May 2011.

From Hargreaves:

Economic evidence is clear that the likely deadweight loss to the economy exceeds any additional incentivising effect which might result from the extension of copyright term beyond its present levels.14 This is doubly clear for retrospective extension to copyright term, given the impossibility of incentivising the creation of already existing works, or work from artists already dead.

Despite this, there are frequent proposals to increase term, such as the current proposal to extend protection for sound recordings in Europe from 50 to 70 or even 95 years. The UK Government assessment found it to be economically detrimental. An international study found term extension to have no impact on output.

And further:

Such an extension was opposed by the Gowers Review and by published studies commissioned by the European Commission.

Ah, yes, Gowers and its 54 recommendations, many or most of which have been largely ignored. (Government policy seems to have embraced "strengthening of IP rights, whether through clamping down on piracy" to the exclusion of things like "improving the balance and flexibility of IP rights to allow individuals, businesses, and institutions to use content in ways consistent with the digital age".

To Gowers:

Recommendation 3: The European Commission should retain the length of protection on sound recordings and performers' rights at 50 years.

And:

Recommendation 4: Policy makers should adopt the principle that the term and scope of protection for IP rights should not be altered retrospectively.

I'd use the word "retroactive", myself, but the point is the same. Copyright is a contract with society: you get the right to exploit your intellectual property for some number of years, and in return after that number of years your work belongs to the society whose culture helped produce it. Trying to change an agreed contract retroactively usually requires you to show that the contract was not concluded in good faith, or that someone is in breach. Neither of those situations applies here, and I don't think these large companies with their in-house lawyers, many of whom participated in drafting prior copyright law, can realistically argue that they didn't understand the provisions. Of course, this recommendation cuts both ways: if we can't put Elvis's earliest recordings back into copyright, thereby robbing the public domain, we also can't shorten the copyright protection that applies to recordings created with the promise of 50 years' worth of protection.

This whole mess is a fine example of policy laundering: shopping the thing around until you either wear out the opposition or find sufficient champions. The EU, with its Hampton Court maze of interrelated institutions, could have been deliberately designed to facilitate this. You can write to your MP, or even your MEP - but the sad fact is that the shiny, new EU government is doing all this in old-style backroom deals.

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series.

August 12, 2011

"Phony concerns about human rights"

Why can't you both condemn violent rioting and looting *and* care about civil liberties?

One comment of David Cameron's yesterday in the Commons hit a nerve: that "phony" (or "phoney", if you're British) human rights concerns would not get in the way of publishing CCTV images in the interests of bringing the looters and rioters to justice. Here's why it bothers me: even the most radical pro-privacy campaigner is not suggesting that using these images in this way is wrong. But in saying it, Cameron placed human rights on the side of lawlessness. One can oppose the privacy invasiveness of embedding crowdsourced facial recognition into Facebook and still support the use of the same techniques by law enforcement to identify criminals.

It may seem picky to focus on one phrase in a long speech in a crisis, but this kind of thinking is endemic - and, when it's coupled with bad things happening and a need for politicians to respond quickly and decisively, dangerous. Cameron shortly followed it with the suggestion that it might be appropriate to shut down access to social media sites when they are being used to plan "violence, disorder and criminality".

Consider the logic there: given the size of the population, there are probably people right now planning crimes over pints of beer in pubs, over the phone, and sitting in top-level corporate boardrooms. Fellow ORG advisory council member Kevin Marks blogs a neat comparison by Douglas Adams to cups of tea. But no, let's focus on social media.

Louise Mensch, MP and novelist, was impressove during the phone hacking hearings aside from her big gaffe about Piers Morgan. But she's made another mistake here in suggesting that taking Twitter and/or Facebook down for an hour during an emergency is about like shutting down a road or a railway station.

First of all, shutting down the tube in the affected areas has costs: innocent bystanders were left with no means to escape their violent surroundings. (This is the same thinking that wanted to shut down the tube on New Year's Eve 1999 to keep people out of central London.)

But more important, the comparison is wrong. Shutting down social networks is the modern equivalent of shutting down radio, TV, and telephones, not transport. The comparison suggests that Mensch is someone who uses social media for self-promotion rather than, like many of us, as a real-time news source and connector to friends and family. This is someone for whom social media are a late add-on to an already-structured life; in 1992 an Internet outage was regarded as a non-issue, too. The ability to use social media in an emergency surely takes pressure off the telephone network by helping people reassure friends and family, avoid trouble areas, find ways home, and so on. Are there rumors and misinformation? Sure. That's why journalists check stuff out before publishing it (we hope). But those are vastly overshadowed by the amount of useful and timely updates.

Is barring access is even possible? As Ben Rooney writes in the Wall Street Journal Europe, it's hard enough to ground one teenager these days, let alone a countryful. But let's say they decide to try. What approaches can they take?

One: The 95 percent approach. Shut down access to the biggest social media sites and hope that the crimes aren't being planned on the ones you haven't touched. Like the network that the Guardian finds was really used - Blackberry messaging.

Two: The Minority Report approach. Develop natural language processing and artificial intelligence technology to the point where it can interact on the social networks, spot prospective troublemakers, and turn them in before they commit crimes.

Three: The passive approach. Revive all the net.wars of the past two decades. Reinstate the real-world policing. One of the most important drawbacks to relying on mass surveillance technologies is that they encourage a reactive, almost passive, style of law enforcement. Knowing that the police can catch the crooks later is no comfort when your shop is being smashed up. It's a curious, schizophrenic mindset politicians have: blame social ills on new technology while imagining that other new technology can solve them.

The riots have ended - at least for now, but we will have to live for a long time with the decisions we make about what comes next. Let's not be hasty. Think of the PATRIOT Act, which will be ten years old soon.

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series.

August 5, 2011

Cheaters in paradise

It seems that humans in general are not particularly good at analyzing incentives. How else can you explain the number of decisions we make with adverse, unintended consequences? Three examples.

One: this week US newspapers - such as the LA Times, the New York Times, and Education Week - report that myriad states have discovered a high number of erasures on standardized tests or suspiciously sudden improvement in test scores. (At one Pennsylvania school, for example, eighth graders' reading proficiency jumped from 28.9 percent to 63.8 percent between 2008 and 2009.)

The culprits: teachers and principals. When tests determined only the future of the students taking them, the only cheaters were students. Now that tests determine school rankings and therefore the economic future of teachers, principals, and schools, many more people are motivated to ensure that students score highly.

Don't imagine the kids don't grasp this. In 2002, when I wrote about plagiarism for the Independent, all the kids I interviewed noted that despite their teachers' warnings of dire consequences schools would not punish plagiarists and risk hurting their rankings in the league tables.

A kid in an American school this week might legitimately ask why he should be punished for cheating or plagiarism when his teachers are doing the same thing on a much grander scale for greater and far more immediate profit. A similar situation applies to our second example, this week's decision by the International Tennis Federation to suspend 31-year-old player Robert Kendrick for 12 months after testing positive for the banned stimulant methylhexaneamine.

At his age, a 12-month ban is an end-of-career notice. Everyone grants that he did not intend to cheat and that the amount of the drug was not performance-enhancing. Like a lot of people who travel through many time zones on the way to work, he took a jetlag pill whose ingredients he believed to be innocuous. He admits he screwed up; he and his lawyers have simply asked for what a fairer sentence. Fairer because in January 2010, when fellow player Wayne Odesnik was caught by Australian Customs with eight vials of human growth hormone, he was suspended for two years - double the sentence but far more than double the offense. And Odesnik didn't even stay out that long; his sentence was commuted to time served after seven months.

At the time, the ITF said that he had bought his way out of purgatory by cooperating with its anti-doping program, presumably under the rule that allows such a reversal when the player has turned informant. No follow-up has disclosed who Odesnik might have implicated, and although it's possible that it all forms part of a lengthy, ongoing investigation, the fact remains: his offense was a lot worse than Kendrick's but has cost him a lot less.

It says a lot that the other players are scathing about Odesnik, sympathetic to Kendrick. This is a watershed moment, where the athletes are openly querying the system's fairness despite any suspicions that might be raised by their doing so.

The anti-doping system as it is presently constructed has never made sense to me: it is invasive, unwieldly, and a poor fit for some sports (like tennis, where players are constantly on the move). The The lesson sent by these morality plays is: don't get caught. And there is enough money in professional sports to ensure that there are many actors invested in ensuring exactly that: coaches, agents, managers, corporate sponsors, and the tours themselves. Of course testing and punshing athletes is going to fail to contain the threat.

Kamakshi Tandon's ideas on this are very close to mine: do traditional policing. Instead of relying on test samples, which can be mishandled, misread, or unreliable, use other types of evidence when they're available. Why, for example, did the anti-doping authorities refuse Martina Hingis's request to do a hair strand test when a urine sample tested positive for cocaine at Wimbledon in 2007? Why are the A and B samples tested at the same lab instead of different labs? (What lab wants to say it misread the first sample?) My personal guess is that it's because the anti-doping authorities believe that anyone playing professional sports is probably guilty anyway, so why bother assembling the quality of evidence that would be required for a court case? That might even be true - but in that case anti-doping efforts to date have been a total failure.

Our third example: last week's decision by Fox to allow only verified paying cable customers to watch TV shows on Hulu in the first week after their initial broadcast. (Yet more evidence that Murdoch does not get the Internet.) We are in the 12th year of the wars on file-sharing, and still rights holders make decisions like this that increase the incentives to use unauthorized sources.

In the long scheme of things, as Becky Hogge used to say while she was the executive director of the Open Rights Group the result or poorly considered incentives that make bad law is that they teach people not to respect the law. That will have many worse consequences down the line.


Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series

July 15, 2011

Dirty digging

The late, great Molly Ivins warns (in Molly Ivins Can't Say That, Can She?) about the risk to journalists of becoming "power groupies" who identify more with the people they cover than with their readers. In the culture being exposed by the escalating phone hacking scandals the opposite happened: politicians and police became "publicity groupies" who feared tabloid wrath to such an extent that they identified with the interests of press barons more than those of the constituents they are sworn to protect. I put the apparent inconsistency between politicians' former acquiescence and their current baying for blood down to Stockholm syndrome: this is what happens when you hold people hostage through fear and intimidation for a few decades. When they can break free, oh, do they want revenge.

The consequences are many and varied, and won't be entirely clear for a decade or two. But surely one casualty must have been the balanced view of copyright frequently argued for in this column. Murdoch's media interests are broad-ranging. What kind of copyright regime do you suppose he'd like?

But the desire for revenge is a really bad way to plan the future, as I said (briefly) on Monday at the Westminster Skeptics.

For one thing, it's clearly wrong to focus on News International as if Rupert Murdoch and his hired help were the only contaminating apple. In the 2006 report What price privacy now? the Information Commissioner listed 30 publications caught in the illegal trade in confidential information. News of the World was only fifth; number one, by a considerable way, was the Daily Mail (the Observer was number nine). The ICO wanted jail sentences for those convicted of trading in data illegally, and called on private investigators' professional bodies to revoke or refuse licenses to PIs who breach the rules. Five years later, these are still good proposals.

Changing the culture of the press is another matter.
When I first began visiting Britain in the late 1970s, I found the tabloid press absolutely staggering. I began asking the people I met how the papers could do it.

"That's because *we* have a free press," I was told in multiple locations around the country. "Unlike the US." This was only a few years after The Washington Post backed Bob Woodward and Carl Bernstein's investigation of Watergate, so it was doubly baffling.

Tom Stoppard's 1978 play Night and Day explained a lot. It dropped competing British journalists into an escalating conflict in a fictitious African country. Over the course of the play, Stoppard's characters both attack and defend the tabloid culture.

"Junk journalism is the evidence of a society that has got at least one thing right, that there should be nobody with power to dictate where responsible journalism begins," says the naïve and idealistic new journalist on the block.

"The populace and the popular press. What a grubby symbiosis it is," complains the play's only female character, whose second marriage - "sex, money, and a title, and the parrots didn't harm it, either" - had been tabloid fodder.

The standards of that time now seem almost quaint. In the movie Starsuckers, filmmaker Chris Atkins fed fabricated celebrity stories to a range of tabloids. All were published. That documentary also showed in action illegal methods of obtaining information. In 2009, right around the time The Press Complaints Commission was publishing a report concluding, "there is no evidence that the practice of phone message tapping is ongoing".

Someone on Monday asked why US newspapers are better behaved despite First Amendment protection and less constraint by onerous libel laws. My best guess is fear of lawsuits. Conversely, Time magazine argues that Britain's libel laws have encouraged illegal information gathering: publication requires indisputable evidence. I'm not completely convinced: the libel laws are not new, and economics and new media are forcing change on press culture.

A lot of dangers lurk in the calls for greater press regulation. Phone hacking is illegal. Breaking into other people's computers is illegal. Enforce those laws. Send those responsible to jail. That is likely to be a better deterrent than any regulator could manage.

It is extremely hard to devise press regulations that don't enable cover-ups. For example, on Wednesday's Newsnight, the MP Louise Mensch, head of the DCMS committee conducting the hearings, called for a requirement that politicians disclose all meetings with the press. I get it: expose too-cosy relationships. But whistleblowers depend on confidentiality, and the last thing we want is for politicians to become as difficult to access as tennis stars and have their contact with the press limited to formal press conferences.

Two other lessons can be derived from the last couple of weeks. The first is that you cannot assume that confidential data can be protected simply by access rules. The second is the importance of alternatives to commercial, corporate journalism. Tom Watson has criticized the BBC for not taking the phone hacking allegations seriously. But it's no accident that the trust-owned Guardian was the organization willing to take on the tabloids. There's a lesson there for the US, as the FBI and others prepare to investigate Murdoch and News Corp: keep funding PBS.

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series.

June 3, 2011

A forgotten man and a bowl of Japanese goldfish

"I'm the forgotten man," Godfrey (William Powell) explains in the 1936 film My Man Godfrey.

Godfrey was speaking during the Great Depression, when prosperity was just around the corner ("Yes, it's been there a long time," says one of Godfrey's fellow city dump dwellers) but the reality for many people was unemployment, poverty, and a general sense that they had ceased to exist except, perhaps, as curiosities to be collected by the rich in a scavenger hunt. Today the rich in question would record their visit to the city dump in an increasingly drunken stream of Tweets and Facebook postings, and people in Nepal would be viewing photographs and video clips even if Godfrey didn't use a library computer to create his own Facebook page.

The EU's push for a right to be forgotten is a logical outgrowth of today's data protection principles, which revolve around the idea that you have rights over your data even when someone else has paid to collect it. EU law grants the right to inspect and correct the data held about us and to prevent its use in unwanted marketing. The idea that we should also have the right to delete data we ourselves have posted seems simple and fair, especially given the widely reported difficulty of leaving social networks.

But reality is complicated. Godfrey was fictional; take a real case, from Pennsylvania. A radiology trainee, unsure what to do when she wanted a reality check whether the radiologist she was shadowing was behaving inappropriately, sought advice from her sister, also a health care worker before reporting the incident. The sister told a co-worker about the call, who told others, and someone in that widening ripple posted the story on Facebook, from where it was reported back to the student's program director. Result: the not-on-Facebook trainee was expelled on the grounds that she had discussed a confidential issue on a cell phone. Lawsuit.

So many things had to go wrong for that story to rebound and hit that trainee in the ass. No one - except presumably the radiologist under scrutiny - did anything actually wrong, though the incident illustrates the point that than people think. Preventing this kind of thing is hard. No contract can bar unrelated, third-hand gossipers from posting information that comes their way. There's nothing to invoke libel law. The worst you can say is that the sister was indiscreet and that the program administrator misunderstood and overreacted. But the key point for our purposes here is: which data belongs to whom?

Lilian Edwards has a nice analysis of the conflict between privacy and freedom of expression that is raised by the right to forget. The comments and photographs I post seem to me to belong to me, though they may be about a dozen other people. But on a social network your circle of friends are also stakeholders in what you post; you become part of their library. Howard Rheingold, writing in his 1992 book The Virtual Community, noted the ripped and gaping fabric of conversations on The Well when early member Blair Newman deleted all his messages. Photographs and today's far more pervasive, faster-paced technology make such holes deeper and multi-dimensional. How far do we need to go in granting deletion rights?

The short history of the Net suggests that complete withdrawal is roughly impossible. In the 1980s, Usenet was thought of as an ephemeral medium. People posted in the - they thought - safe assumption that anything they wrote would expire off the world's servers in a couple of weeks. And as long as everyone read live online that was probably true. But along came offline readers and people with large hard disks and Deja News, and Usenet messages written in 1981 with no thought of any future context are a few search terms away.

"It's a mistake to only have this conversation about absolutes," said Google's Alma Whitten at the Big Tent event two weeks ago, arguing that it's impossible to delete every scrap about anyone. Whitten favors a "reasonable effort" approach and a user dashboard to enable that so users can see and control the data that's being held. But we all know the problem with market forces: it is unlikely that any of the large corporations will come up with really effective tools unless forced. For one thing, there is a cultural clash here between the EU and the US, the home of many of these companies. But more important, it's just not in their interests to enable deletion: mining that data is how those companies make a living and in return we get free stuff.

Finding the right balance between freedom of expression (my right to post about my own life) and privacy, including the right to delete, will require a mix of answers as complex as the questions: technology (such as William Heath's Mydex), community standards, and, yes, law, applied carefully. We don't want to replace Britain's chilling libel laws with a DMCA-like deletion law.

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series.

May 20, 2011

The world we thought we lived in

If one thing is more annoying than another, it's the fantasy technology on display in so many TV shows. "Enhance that for me!" barks an investigator. And, obediently, his subordinate geek/squint/nerd pushes a button or few, a line washes over the blurry image on screen, and now he can read the maker's mark on a pill in the hand of the target subject that was captured by a distant CCTV camera. The show 24 ended for me 15 minutes into season one, episode one, when Kiefer Sutherland's Jack Bauer, trying to find his missing daughter, thrust a piece of paper at an underling and shouted, "Get me all the Internet passwords associated with that telephone number!" Um...

But time has moved on, and screenwriters are more likely to have spent their formative years online and playing computer games, and so we have arrived at The Good Wife, which gloriously wrapped up its second season on Tuesday night (in the US; in the UK the season is still winding to a close on Channel 4). The show is a lot of things: a character study of an archetypal humiliated politician's wife (Alicia Florrick, played by Julianna Margulies) who rebuilds her life after her husband's betrayal and corruption scandal; a legal drama full of moral murk and quirky judges ( Carob chip?); a political drama; and, not least, a romantic comedy. The show is full of interesting, layered men and great, great women - some of them mature, powerful, sexy, brilliant women. It is also the smartest show on television when it comes to life in the time of rapid technological change.

When it was good, in its first season, Gossip Girl cleverly combined high school mean girls with the citizen reportage of TMZ to produce a world in which everyone spied on everyone else by sending tips, photos, and rumors to a Web site, which picks the most damaging moment to publish them and blast them to everyone's mobile phones.

The Good Wife goes further to exploit the fact that most of us, especially those old enough to remember life before CCTV, go on about our lives forgetting that everywhere we leave a trail. Some are, of course, old staples of investigative dramas: phone records, voice messages, ballistics, and the results of a good, old-fashioned break-in-and-search. But some are myth-busting.

One case (S2e15, "Silver Bullet") hinges on the difference between the compressed, digitized video copy and the original analog video footage: dropped frames change everything. A much earlier case (S1e06, "Conjugal") hinges on eyewitness testimony; despite a slightly too-pat resolution (I suspect now, with more confidence, it might have been handled differently), the show does a textbook job of demonstrating the flaws in human memory and their application to police line-ups. In a third case (S1e17, "Heart"), a man faces the loss of his medical insurance because of a single photograph posted to Facebook showing him smoking a cigarette. And the disgraced husband's (Peter Florrick, played by Chris Noth) attempt to clear his own name comes down to a fancy bit of investigative work capped by camera footage from an ATM in the Cayman Islands that the litigator is barely technically able to display in court. As entertaining demonstrations and dramatizations of the stuff net.wars talks about every week and the way technology can be both good and bad - Alicia finds romance in a phone tap! - these could hardly be better. The stuffed lion speaker phone (S2e19, "Wrongful Termination") is just a very satisfying cherry topping of technically clever hilarity.

But there's yet another layer, surrounding the season two campaign mounted to get Florrick elected back into office as State's Attorney: the ways that technology undermines as well as assists today's candidates.

"Do you know what a tracker is?" Peter's campaign manager (Eli Gold, played by Alan Cumming) asks Alicia (S2e01, "Taking Control"). Answer: in this time of cellphones and YouTube, unpaid political operatives follow opposing candidates' family and friends to provoke and then publish anything that might hurt or embarrass the opponent. So now: Peter's daughter (Makenzie Vega) is captured praising his opponent and ham-fistedly trying to defend her father's transgressions ("One prostitute!"). His professor brother-in-law's (Dallas Roberts) in-class joke that the candidate hates gays is live-streamed over the Internet. Peter's son (Graham Phillips) and a manipulative girlfriend (Dreama Walker), unknown to Eli, create embarrassing, fake Facebook pages in the name of the opponent's son. Peter's biggest fan decides to (he thinks) help by posting lame YouTube videos apparently designed to alienate the very voters Eli's polls tell him to attract. (He's going to post one a week; isn't Eli lucky?) Polling is old hat, as are rumors leaked to newspaper reporters; but today's news cycle is 20 minutes and can we have a quote from the candidate? No wonder Eli spends so much time choking and throwing stuff.

All of this fits together because the underlying theme of all parts of the show is control: control of the campaign, the message, the case, the technology, the image, your life. At the beginning of season one, Alicia has lost all control over the life she had; by the end of season two, she's in charge of her new one. Was a camera watching in that elevator? I guess we'll find out next year.


Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series.

May 6, 2011

Double exposure

So finally we know. Ever since Wikileaks began releasing diplomatic cables copyright activists have been waiting to see if the trove would expose undue influence on national laws. And this week there it was: a 2005 cable from the US Embassy in New Zealand requesting $386,158 to fund start-up costs and the first year of an industry-backed intellectual property enforcement unit and a 2009 cable offering "help" when New Zealand was considering a "three-strikes" law. Much, much more on this story has been presented and analyzed by the excellent Michael Geist, who also notes similar US lobbying pressure on Canada to "improve" its "lax" copyright laws.

My favorite is this bit, excerpted from the cable recounting an April 2007 meeting between Embassy officials and Geist himself:

His acknowledgement that Canada is a net importer of copyrighted materials helps explain the advantage he would like to hold on to with a weaker Canadian UPR protection regime. His unvoiced bias against the (primarily U.S. based) entertainment industry also reflects deeply ingrained Canadian preferences to protect and nurture homegrown artists.

In other words, Geist's disagreement with US copyright laws is due to nationalist bias, rather than deeply held principles. I wonder how they explain to themselves the very similar views of such diverse Americans as Macarthur award winner Pamela Samuelson, John Perry Barlow, Lawrence Lessig. The latter in fact got so angry over the US's legislative expansion of copyright that he founded a movement for Congressional reform, expanding to a Harvard Law School center to research broader questions of ethics.

It's often said that a significant flaw in the US Constitution is that it didn't - couldn't, because they didn't exist yet - take account of the development of multinational corporations. They have, of course, to answer to financial regulations, legal obligations covering health and safety, and public opinion, but in many areas concerning the practice of democracy there is very little to rein those in. They can limit their employees' freedom of speech, for example, without ever falling afoul of the First Amendment, which, contrary to often-expressed popular belief, limits only the power of Congress in this area.

There is also, as Lessig pointed out in his first book, Code: and Other Laws of Cyberspace, no way to stop private companies from making and implementing technological decisions that may have anti-democratic effects. Lessig's example at the time was AOL, which hard-coded a limit of 23 participants per chat channel; try staging a mass protest under those limits. Today's better example might be Facebook, which last week was accused of unfairly deleting the profiles of 51 anti-cuts groups and activists. (My personal guess is that Facebook's claim to have simply followed its own rules is legitimate; the better question might be who supplied Facebook with the list of profiles and why.) Whether or not Facebook is blameless on this occasion, there remains a legitimate question: at what point does a social network become so vital a part of public life that the rules it implements and the technological decisions it makes become matters of public policy rather than questions for it to consider on its own? Facebook, like almost all of the biggest Internet companies, is a US corporation, with its mores and internal culture largely shaped by its home country.

We have often accused large corporate rights holders of being the reason why we see the same proposals for tightening and extending copyright popping up all over the world in countries whose values differ greatly and whose own national interests are not necessarily best served by passing such laws. More recently written constitutions could consider such influences. To the best of my knowledge they haven't, although arguably this is less of an issue in places that aren't headquarters to so many of them and where they are therefore less likely to spend large amounts backing governments likely to be sympathetic to their interests.

What Wikileaks has exposed instead is the unpleasant specter of the US, which likes to think of itself as spreading democracy around the world, behaving internationally in a profoundly anti-democratic way. I suppose we can only be grateful they haven't sent Geist and other non-US copyright reform campaigners exploding cigars. Change Congress, indeed: what about changing the State Department?

It's my personal belief that the US is being short-sighted in pursuing these copyright policies. Yes, the US is currently the world's biggest exporter of intellectual property, especially in, but not limited to, the area of entertainment. But that doesn't mean it always will be. It is foolish to think that down the echoing corridors of time (to borrow a phrase from Jean Kerr) the US will never become a net importer of intellectual property. It is sheer fantasy - even racism - to imagine that other countries cannot write innovative software that Americans want to use or produce entertainment that Americans want to enjoy. Even if you dispute the arguments made by campaigning organizations such as the Electronic Frontier Foundation and the Open Rights Group that laws like "three strikes" unfairly damage the general public, it seems profoundly stupid to assume that the US will always enjoy the intellectual property hegemony it has now.

One of these days, the US policies exposed in these cables are going to bite it in the ass.


Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series.

April 1, 2011

Equal access

It is very, very difficult to understand the reasoning behind the not-so-secret plan to institute Web blocking. In a http://www.openrightsgroup.org/blog/2011/minister-confirms-voluntary-site-blocking-discussionsletter to the Open Rights Group, Ed Vaizey, the minister for culture, communications, and creative industries, confirmed that such a proposal emerged from a workshop to discuss "developing new ways for people to access content online". (Orwell would be so proud.)

We fire up Yes, Minister once again to remind everyone the four characteristics of proposals ministers like: quick, simple, popular, cheap. Providing the underpinnings of Web site blocking is not likely to be very quick, and it's debatable whether it will be cheap. But it certainly sounds simple, and although it's almost certainly not going to be popular among the 7 million people the government claims engage in illegal file-sharing - a number PC Pro has done a nice job of dissecting - it's likely to be popular with the people Vaizey seems to care most about, rights holders.

The four opposing kiss-of-death words are: lengthy, complicated, expensive, and either courageous or controversial, depending how soon the election is. How to convince Vaizey that it's these four words that apply and not the other four?

Well, for one thing, it's not going to be simple, it's going to be complicated. Web site blocking is essentially a security measure. You have decided that you don't want people to have access to a particular source of data, and so you block their access. Security is, as we know, not easy to implement and not easy to maintain. Security, as Bruce Schneier keeps saying, is a process, not a product. It takes a whole organization to implement the much more narrowly defined IWF system. What kind of infrastructure will be required to support the maintenance and implementation of a block list to cover copyright infringement? Self-regulatory, you say? Where will the block list, currently thought to be about 100 sites come from? Who will maintain it? Who will oversee it to ensure that it doesn't include "innocent" sites? ISPs have other things to do, and other than limiting or charging for the bandwidth consumption of their heaviest users (who are not all file sharers by any stretch) they don't have a dog in this race. Who bears the legal liability for mistakes?

The list is most likely to originate with rights holders, who, because they have shown over most of the last 20 years that they care relatively little if they scoop innocent users and sites into the net alongside infringing ones, no one trusts to be accurate. Don't the courts have better things to do than adjudicate what percentage of a given site's traffic is copyright-infringing and whether it should be on a block list? Is this what we should be spending money on in a time of austerity? Mightn't it be...expensive?

Making the whole thing even more complicated is the obvious (to anyone who knows the Internet) fact that such a block list will - according to Torrentfreak already has - start a new arms race.

And yet another wrinkle: among blocking targets are cyberlockers. And yet this is a service that, like search, is going mainstream: Amazon.com has just launched such a service, which it calls Cloud Drive and for which it retains the right to police rather thoroughly. Encrypted files, here we come.

At least one ISP has already called the whole idea expensive, ineffective, and rife with unintended consequences.

There are other obvious arguments, of course. It opens the way to censorship. It penalizes innocent uses of technology as well as infringing ones; torrent search sites typically have a mass of varied material and there are legitimate reasons to use torrenting technology to distribute large files. It will tend to add to calls to spy on Internet users in more intrusive ways (as Web blocking fails to stop the next generation of file-sharing technologies). It will tend to favor large (often American) services and companies over smaller ones. Google, as IsoHunt told the US Court of Appeals two weeks ago, is the largest torrent search engine. (And, of course, Google has other copyright troubles of its own; last week the court rejected the Google Books settlement.)

But the sad fact is that although these arguments are important they're not a good fit if the main push behind Web blocking is an entrenched belief that only way to secure economic growth is to extend and tighten copyright while restricting access to technologies and sites that might be used for infringement. Instead, we need to show that this entrenched belief is wrong.

We do not block the roads leading to car boot sales just because sometimes people sell things at them whose provenance is cloudy (at best). We do not place levies on the purchase of musical instruments because someone might play copyrighted music on them. We should not remake the Internet - a medium to benefit all of society - to serve the interests of one industrial group. It would make more sense to put the same energy and financial resources into supporting the games industry which, as Tom Watson (Lab - Bromwich) has pointed out has great potential to lift the British economy.

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series.

March 25, 2011

Return to the red page district

This week's agreement to create a .xxx generic top-level domain (generic in the sense of not being identified with a particular country) seems like a quaint throwback. Ten or 15 years ago it might have made mattered. Now, for all the stories rehashing the old controversies, it seems to be largely irrelevant to anyone except those who think they can make some money out of it. How can it be a vector for censorship if there is no prohibition on registering pornography sites elsewhere? How can it "validate" the porn industry any more than printers and film producers did? Honestly, if it didn't have sex in the title, who would care?

I think it was about 1995 when a geekish friend said, probably at the Computers, Freedom, and Privacy conference, "I think I have the solution. Just create a top-level domain just for porn."

It sounded like a good idea at the time. Many of the best ideas are simple - with a kind of simplicity mathematicians like to praise with the term "elegant". Unfortunately, many of the worst ideas are also simple - with a kind of simplicity we all like to diss with the term "simplistic". Which this is depends to some extent on when you're making the judgement..

In 1995, the sense was that creating a separate pornography domain would provide an effective alternative to broad-brush filtering. It was the era of Time magazine's Cyberporn cover story, which Netheads thoroughly debunked and leading up to the passage of the Communications Decency Act in 1996. The idea that children would innocently stumble upon pornography was entrenched and not wholly wrong. At that time, as PC Magazine points out while outlining the adult entertainment industry's objections to the new domain, a lot of Web surfing was done by guesswork, which is how the domain whitehouse.com became famous.

A year or two later, I heard that one of the problems was that no one wanted to police domain registrations. Sure. Who could afford the legal liability? Besides, limiting who could register what in which domain was not going well: .com, which was intended to be for international commercial organizations, had become the home for all sorts of things that didn't fit under that description, while the .us country code domain had fallen into disuse. Even today, with organizations controlling every top-level domain, the rules keep having to adapt to user behavior. Basically, the fewer people interested in registering under your domain the more likely it is that your rules will continue to work.

No one has ever managed to settle - again - the question of what the domain name system is for, a debate that's as old as the system itself: its inventor, Paul Mockapetris, still carries the scars of the battles over whether to create .com. (If I remember correctly, he was against it, but finally gave on in that basis that: "What harm can it do?") Is the domain name system a directory, a set of mnemonics, a set of brands/labels, a zoning mechanism, or a free-for-all? ICANN began its life, in part, to manage the answers to this particular controversy; many long-time watchers don't understand why it's taken so long to expand the list of generic top-level domains. Fifteen years ago, finding a consensus and expanding the list would have made a difference to the development of the Net. Now it simply does not matter.

I've written before now that the domain name system has faded somewhat in importance as newer technologies - instant messaging, social networks, iPhone/iPad apps - bypass it altogether. And that is true. When the DNS was young, it was a perfect fit for the Internet applications of the day for which it was devised: Usenet, Web, email, FTP, and so on. But the domain name system enables email and the Web, which are typically the gateways through which people make first contact with those services (you download the client via the Web, email your friend for his ID, use email to verify your account).

The rise of search engines - first Altavista, then primarily Google - did away with much of consumers' need for a directory. Also a factor was branding: businesses wanted memorable domain names they could advertise to their customers. By now, though probably most people don't bother to remember more than a tiny handful of domain names now - Google, Facebook, perhaps one or two more. Anything else they either put into a search engine or get from either a bookmark or, more likely, their browser history.

Then came sites like Facebook, which take an approach akin to CompuServe in the old days or mobile networks now: they want to be your gateway to everything online (Facebook is going to stream movies now, in competition with NetFlix!) If they succeed, would it matter if you had - once - to teach your browser a user-unfriendly long, numbered address?

It is in this sense that the domain name system competes with Google and Facebook as the gateway to the Net. Of all the potential gateways, it is the only one that is intended as a public resource rather than a commercial company. That has to matter, and we should take seriously the threat that all the Net's entrances could become owned by giant commercial interests. But .xxx missed its moment to make history.

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series.

March 18, 2011

Block party

When last seen in net.wars, the Internet Watch Foundation was going through the most embarrassing moment of its relatively short life: the time it blocked a Wikipedia page. It survived, of course, and on Tuesday this week it handed out copies of its latest annual report (PDF) and its strategic plan for the years 2011 to 2014 (PDF) in the Strangers Dining Room at the House of Commons.

The event was, more or less, the IWF's birthday party: in August it will be 15 years since the suspicious, even hostile first presentation, in 1996, of the first outline of the IWF. It was an uneasy compromise between an industry accused of facilitating child abuse, law enforcement threatening technically inept action, and politicians anxious to be seen to be doing something, all heightened by some of the worst mainstream media reporting I've ever seen.

Suspicious or not, the IWF has achieved traction. It has kept government out of the direct censorship business and politicians and law enforcement reasonably satisfied. Without - as was pointed out - cost to the taxpayer, since the IWF is funded from a mix of grants, donations, and ISPs' subscription fees.

And to be fair, it has been arguably successful at doing what it set out to do, which is to disrupt the online distribution of illegal pornographic images of children within the UK. The IWF has reported for some years now that the percentage of such images hosted within the UK is near zero. On Tuesday, it said the time it takes to get foreign-hosted content taken down has halved. Its forward plan includes more of the same, plus pushing more into international work by promoting the use its URL list abroad and developing partnerships.

Over at The Register Jane Fae Ozniek has done a good job of tallying up the numbers the IWF reported, and also of following up on remarks made by Culture Minister Ed Vaizey and Home Office Minister James Brokenshire that suggested the IWF or its methods might be expanded to cover other categories of material. So I won't rehash either topic here.

Instead, what struck me is the IWF's report that a significant percentage of its work now concerns sexual abuse images and videos that are commercially distributed. This news offered a brief glance into a shadowy world that is illegal for any of us to study since under UK law (and the laws of many other countries) it's illegal to access such material. If this is a correct assessment, it certainly follows the same pattern as the world of malware writing, which has progressed from the giggling, maladjusted teenager writing a bit of disruptive code in his bedroom to a highly organized, criminal, upside-down image of the commercial software world (complete, I'm told by experts from companies like Symantec and Sophos, with product trials, customer support, and update patches). Similarly, our, or at least my, image was always of like-minded amateurs exchanging copies of the things they managed to pick up rather like twisted stamp collectors.

The IWF report says it has identified 715 such commercial sources, 321 of which were active in 2010. At least 47.7 percent of the commercially branded material is produced by the top ten, and the most prolific of these brands used 862 URLs. The IWF has attempted to analyze these brands, and believes that they are operated in clusters by criminals. To quote the report:

Each of the webpages or websites is a gateway to hundreds or even thousands of individual images or videos of children being sexually abused, supported by layers of payment mechanisms, content sores, membership systems, and advertising frames. Payment systems may include pre-pay cards, credit cards, "virtual money" or e-payment systems, and may be carried out across secure webpages, text, or email.

This is not what people predicted when they warned at the original meeting that blocking access to content would drive it underground into locations that were harder to police. I don't recall anyone saying: it will be like Prohibition and create a new Mafia. How big a problem this is and how it relates to events like yesterday's shutdown of boylovers.net remains to be seen. But there's logic to it: anything that's scarce attracts a high price and anything high-priced and illegal attracts dedicated criminals. So we have to ask: would our children be safer if the IWF were less successful?

The IWF will, I think always be a compromise. Civil libertarians will always be rightly suspicious of any organization that has the authority and power to shut down access to content, online or off. Still, the IWF's ten-person board now includes, alongside the representatives of ISPs, top content sites, and academics, a consumer representative, and seems to be less dominated by repressive law enforcement interests. There's an independent audit in the offing, and while the IWF publishes no details of its block list for researchers to examine, it advocates transparency in the form of a splash screen that tells users a site that is blocked and why. They learned, the IWF's departing head, Peter Robbins, said in conversation, a lot from the Wikipedia incident.

My summary: the organization will know it has its balance exactly right when everyone on all sides has something to complain about.

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series.

March 11, 2011

The ten-year count

My census form arrived the other day - 32 lavender and white pages of questions about who will have been staying overnight in my house on March 27, their religions, and whether they will be cosseted with central heating and their own bedroom.

I seem to be out of step on this one, but I've always rather liked the census. It's a little like finding your name in an old phone book: I was here. Reportedly, this, Britain's 21st national census, may be the last. Cabinet Office minister Francis Maude has complained that it is inaccurate and out of date by the time it's finished, and £482 million is expensive.

Until I read the Guardian article cited above, I had never connected the census to Thomas Malthus' 1798 prediction that the planet would run out of the resources necessary to support an ever-increasing human population. I blame the practice of separating science, history, and politics: Malthus is taught in science class, so you don't realize he was contemporaneous with the inclusion of the census in the US Constitution, which you learn about in civics class.

The census seems to be the one moment when attention really gets focused on the amount and types of data the government collects about all of us. There are complaints from all political sides that it's intrusive and that the government already has plenty of other sources.

I have - both here and elsewhere - written a great deal about privacy and the dangers of thoughtlessly surrendering information but I'm inclined to defend the census. And here's why: it's transparent. Of all the data-gathering exercises to which our lives are subject it's the only one that is. When you fill out the form you know exactly what information you are divulging, when, and to whom. Although the form threatens you with legal sanctions for not replying, it's not enforced.

And I can understand the purpose of the questions: asking the size and disposition of homes, the amount of time spent working and at what, racial and ethnic background, religious affiliation, what passports people hold and what languages they speak. These all make sense to me in the interests of creating a snapshot of modern Britain that is accurate enough for the decisions the government must make. How many teachers and doctors do we need in which areas who speak which languages? How many people still have coal fires? These are valid questions for a government to consider.

But most important, anyone can look up census data and develop some understanding of the demographics government decisions are based on.

What are the alternatives? There are certainly many collections of data for various purposes. There are the electoral rolls, which collect the names and nationalities of everyone at each address in every district. There are the council tax registers, which collect the householder's name and the number of residents at each address. Other public sector sources include the DVLA's vehicle and driver licensing data, school records, and the NHS's patient data. And of course there are many private sector sources, too: phone records, credit card records, and so on.

Here's the catch: every one of those is incomplete. Everyone does not have a phone or credit card; some people are so healthy they get dropped from their doctors' registers because they haven't visisted in many years; some people don't have an address; some people have five phones, some none. Most of those people are caught by the census, since it relies on counting everyone wherever they're staying on a single particular night.

Here's another catch: the generation of national statistics to determine the allocation of national resources is not among the stated purposes for which those data are gathered. That is of course fixable. But doing so might logically lead government to mandate that these agencies collect more data from us than they do now - and with more immediate penalties for not complying. Would you feel better about telling the DVLA or your local council your profession and how many hours you work? No one is punished for leaving a question blank on the census, but suppose leaving your religious affiliation blank on your passport application means not getting a passport until you've answered it?

Which leads to the final, biggest catch. Most of the data that is collected from us is in private hands or is confidential for one reason or another. Councils are pathological about disliking sharing data with the public; commercial organizations argue that their records are commercially sensitive; doctors are rightly concerned about protecting patient data. Despite the data protection laws we often do not know what data has been collected, how it's being used, or where it's being held. And although we have the right to examine and correct our own records we won't find it easy to determine the basis for government decisions: open season for lobbyists.

The census, by contrast, is transparent and accountable. We know what information we have divulged, we know who is responsible for it, and we can even examine the decisions it is used to support. Debate ways to make it less intrusive by all means, but do you really want to replace it with a black box?

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series.

January 7, 2011

Scanning the TSA

There are, Bruce Schneier said yesterday at the Electronic Privacy Information Center mini-conference on the TSA (video should be up soon), four reasons why airport security deserves special attention, even though it directly affects a minority of the population. First: planes are a favorite terrorist target. Second: they have unique failure characteristics - that is, the plane crashes and everybody dies. Third: airlines are national symbols. Fourth: planes fly to countries where terrorists are.

There's a fifth he didn't mention but that Georgetown lawyer Pablo Molina and We Won't Fly founder James Babb did: TSAism is spreading. Random bag searches on the DC Metro and the New York subways. The TSA talking about expanding its reach to shopping malls and hotels. And something I found truly offensive, giant LED signs posted along the Maryland highways announcing that if you see anything suspicious you should call the (toll-free) number below. Do I feel safer now? No, and not just because at least one of the incendiary devices sent to Maryland state offices yesterday apparently contained a note complaining about those very signs.

Without the sign, if you saw someone heaving stones at the cars you'd call the police. With it, you peer nervously at the truck in front of you. Does that driver look trustworthy? This is, Schneier said, counter-productive because what people report under that sort of instruction is "different, not suspicious".

But the bigger flaw is cover-your-ass backward thinking. If someone tries to bomb a plane with explosives in a printer cartridge, missing a later attempt using the exact same method will get you roasted for your stupidity. And so we have a ban on flying with printer cartridges over 500g and, during December, restrictions on postal mail, something probably few people in the US even knew about.

Jim Harper, a policy scholar with the Cato Institute and a member of the Department of Homeland Security's Data Privacy and Integrity Advisory Committee, outlined even more TSA expansion. There are efforts to create mobile lie detectors that measure physiological factors like eye movements and blood pressure.

Technology, Lillie Coney observed, has become "like butter - few things are not improved if you add it."

If you're someone charged with blocking terrorist attacks you can see the appeal: no one wants to be the failure who lets a bomb onto a plane. Far, far better if it's the technology that fails. And so expensive scanners roll through the nation's airports despite the expert assessment - on this occasion, from Schneier and Ed Luttwak, a senior associate with the Center for Strategic and International Studies - that the scanners are ineffective, invasive, and dangerous. As Luttwak said, the machines pull people's attention, eyes, and brains away from the most essential part of security: watching and understanding the passengers' behavior.

"[The machine] occupies center stage, inevitably," he said, "and becomes the focus of an activity - not aviation security, but the operation of a scanner."

Equally offensive in a democracy, many speakers argued, is the TSA's secrecy and lack of accountability. Even Meera Shankar, the Indian ambassador, could not get much of a response to her complaint from the TSA, Luttwak said. "God even answered Job." The agency sent no representative to this meeting, which included Congressmen, security experts, policy scholars, lawyers, and activists.

"It's the violation of the entire basis of human rights," said the Stanford and Oxford lawyer Chip Pitts around the time that the 112th Congress was opening up with a bipartisan reading of the US Constitution. "If you are treated like cattle, you lose the ability to be an autonomous agent."

As Libertarian National Committee executive director Wes Benedict said, "When libertarians and Ralph Nader agree that a program is bad, it's time for our government to listen up."

So then, what are the alternatives to spending - so far, in the history of the Department of Homeland Security, since 2001 - $360 billion, not including the lost productivity and opportunity costs to the US's 100 million flyers?

Well, first of all, stop being weenies. The number of speakers who reminded us that the US was founded by risk-takers was remarkable. More people, Schneier noted, are killed in cars every month than died on 9/11. Nothing, Ralph Nader said, is spent on the 58,000 Americans who die in workplace accidents every year or the many thousands more who are killed by pollution or medical malpractice.

"We need a comprehensive valuation of how to deploy resources in a rational manner that will be effective, minimally invasive, efficient, and obey the Constitution and federal law," Nader said

So: dogs are better at detecting explosives than scanners. Intelligent profiling can whittle down the mass of suspects to a more manageable group than "everyone" in a giant game of airport werewolf. Instead, at the moment we have magical thinking, always protecting ourselves from the last attack.

"We're constantly preparing for the rematch," said Lillie Coney. "There is no rematch, only tomorrow and the next day." She was talking as much about Katrina and New Orleans as 9/11: there will always, she said, be some disaster, and the best help in those situations is going to come from individuals and the people around them. Be prepared: life is risky.

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series.

December 31, 2010

Good, bad, ugly...the 2010 that was

Every year deserves its look back, and 2010 is no exception. On the good side, the younger generation beginning to enter politics is bringing with it a little more technical sense than we've had in government before. On the bad side, the year's many privacy scandals reminded us all how big a risk we take in posting as much information online as we do. The ugly...we'd have to say the scary new trends in malware. Happy New Year.

By the numbers:

$5.3 billion: the Google purchase offer that Groupon turned down. Smart? Stupid? Shopping and social networks ought to mix combustibly (and could hit local newspapers and their deal flyers), but it's a labor-intensive business. The publicity didn't hurt: Groupon has now managed to raise half a billion dollars on its own. They aren't selling anything we want to buy, but that doesn't seem to hurt Wal-Mart or McDonalds.

$497 million: the amount Harvard scientists Tyler Moore and Benjamin Edelman estimate that Google is earning from "typosquatting". Pocket change, really: Google's 2009 revenues were $23 billion. But still.

15 million (estimated): number of iPads sold since its launch in May. It took three decades of commercial failures for someone to finally launch a successful tablet computer. In its short life the iPad has been hailed and failed as the savior of print publications, and halved Best Buy's laptop sales. We still don't want one - but we're keyboard addicts, hardly its target market.

250,000: diplomatic cables channeled to Wikileaks. We mention this solely to enter The Economist's take on Bruce Sterling's take into the discussion. Wikileaks isn't at all the crypto-anarchy that physicist Timothy C. May wrote about in 1992. May's essay imagined the dark uses of encrypted secrecy; Wikileaks is, if anything, the opposite of it.

500: airport scanners deployed so far in the US, at an estimated cost of $80 million. For 2011, Obama has asked for another $88 million for the next round of installations. We'd like fewer scanners and the money instead spent on...well, almost anything else, really. Intelligence, perhaps?

65: Percentage of Americans that Pew Internet says have paid for Internet content. Yeah, yeah, including porn. We think it's at least partly good news.

58: Number of investigations (countries and US states) launched into Google's having sniffed approximately 600Gb of data from open WiFi connections, which the company admitted in May. The progress of each investigation is helpfully tallied by SearchEngineLand. Note that the UK's ICO's reaction was sufficiently weak that MPs are complaining.

24: Hours of Skype outage. Why are people writing about this as though it were the end of Skype? It was a lot more shocking when it happened to AT&T in 1990 - in those days, people only had one phone number!

5: number of years I've wished Google would eliminate useless shopping aggregator sites from its search results listings. Or at least label them and kick them to the curb.

2: Facebook privacy scandals that seem to have ebbed leaving less behavorial change than we'd like in their wake. In January, Facebook founder and CEO Mark Zuckerberg opined that privacy is no longer a social norm; in May the revamped its privacy settings to find an uproar in response (and not for the first time). Still, the service had 400 million users at the beginning of 2010 and has more than 500 million now. Resistance requires considerable anti-social effort, though the cool people have, of course, long fled.

1: Stuxnet worm. The first serious infrastructure virus. You knew it had to happen.

In memoriam:

- Kodachrome. The Atlantic reports that December 30, 2010 saw the last-ever delivery of Kodak's famous photographic film. As they note, the specific hues and light-handling of Kodachrome defined the look of many decades of the 20th century. Pause to admire The Atlantic's selection of the 75 best pictures they could find: digital has many wonderful qualities, but these seem to have a three-dimensional roundness you don't see much any more. Or maybe we just forget to look.

- The 3.5in floppy disk. In April, Sony announced it would stop making the 1.4Mb floppy disk that defined the childhoods of today's 20-somethings. The first video clip I ever downloaded, of the exploding whale in Oregon (famed of Web site and Dave Barry column), required 11 floppy disks to hold it. You can see why it's gone.

- Altavista: A leaked internal memo puts Altavista on Yahoo!'s list of services due for closure. Before Google, Altavista was the best search engine by a long way, and if it had focused on continuing to improve its search algorithms instead of cluttering up its front page in line with the 1995 fad for portals it might be still. Google's overwhelming success had as much to do with its clean, fast-loading design as it did with its superior ability to find stuff. Altavista also pioneered online translation with its Babelfish (and don't you have to love a search engine that quotes Douglas Adams?).

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series.

December 10, 2010

Payback

A new word came my way while I was reviewing the many complaints about the Transportation Security Administration and its new scanner toys and pat-down procedures: "Chertoffed". It's how "security theater" (Bruce Schneier's term) has transformed the US since 2001.

The description isn't entirely fair to Chertoff, who was only the *second* head of the Bush II-created Department of Homeland Security and has now been replaced: he served from 2005-2009. But since he's the guy who began the scanner push and also numbers scanner manufacturers among the clients of his consultancy company, The Chertoff Group - it's not really unfair either.

What do you do after defining the travel experience of a generation? A little over a month ago, Chertoff showed up at London's RSA Data Security conference to talk about what he thought needed to happen in order to secure cyberspace. We need, he said, a doctrine to lay out the rules of the road for dealing with cyber attacks and espionage - the sort of thing that only governments can negotiate. The analogy he chose was to the doctrine that governed nuclear armament, which he said (at the press Q&A) "gave us a very stable, secure environment over the next several decades."

In cyberspace, he argued, such a thing would be valuable because it makes clear to a prospective attacker what the consequences will be. "The greatest stress on security is when you have uncertainty - the attacker doesn't know what the consequences will be and misjudges the risk." The kinds of things he wants a doctrine to include are therefore things like defining what is a proportionate response: if your country is on the receiving end of an attack from another country that's taking out the electrical power to hospitals and air traffic control systems with lives at risk, do you have the right to launch a response to take out the platform they're operating from? Is there a right of self-defence of networks?

"I generally take the view that there ought to be a strong obligation on countries, subject to limitations of practicality and legal restrictions, to police the platforms in their own domains," he said.

Now, there are all sorts of reasons many techies are against government involvement - or interference - in the Internet. First and foremost is time: the World Summit on the Information Society and its successor, the Internet Governance Forum, have taken years to do...no one's quite sure what, while the Internet's technology has gone on racing ahead creating new challenges. But second is a general distrust, especially among activists and civil libertarians. Chertoff even admitted that.

"There's a capability issue," he said, "and a question about whether governments put in that position will move from protecting us from worms and viruses to protecting us from dangerous ideas."

This was, of course, somewhat before everyone suddenly had an opinion about Wikileaks. But what has occurred since makes that distrust entirely reasonable: give powerful people a way to control the Net and they will attempt to use it. And the Net, as in John Gilmore's famous aphorism, "perceives censorship as damage and routes around it". Or, more correctly, the people do.

What is incredibly depressing about all this is watching the situation escalate into the kind of behavior that governments have quite reasonably wanted to outlaw and that will give ammunition to those who oppose allowing the Net to remain an open medium in which anyone can publish. The more Wikileaks defenders organize efforts like this week's distributed denial-of-service attacks, the more Wikileaks and its aftermath will become the justification for passing all kinds of restrictive laws that groups like the Electronic Frontier Foundation and the Open Rights Group have been fighting against all along.

Wikileaks itself is staying neutral on the subject, according to the statement on its (Swiss) Web site: Wikileaks spokesman Kristinn Hrafnsson said: "We neither condemn nor applaud these attacks. We believe they are a reflection of public opinion on the actions of the targets."

Well, that's true up to a point. It would be more correct to say that public opinion is highly polarized, and that the attacks are a reflection of the opinion of a relatively small section of the public: people who are at the angriest end of the spectrum and have enough technical expertise to download and install software to make their machines part of a botnet - and not enough sense to realize that this is a risky, even dangerous, thing to do. Boycotting Amazon.com during its busiest time of year to express your disapproval of its having booted Wikileaks off its servers would be an entirely reasonable protest. Vandalism is not. (In fact the announced attack on Amazon's servers seems not to have succeeded, though others have.

I have written about the Net and what I like to call the border wars between cyberspace and real life for nearly 20 years. Partly because it's fascinating, partly because when something is new you have a real chance to influence its development, and partly because I love the Net and want it to fulfill its promise as a democratic medium. I do not want to have to look back in another 20 years and say it's been "Chertoffed". Governments are already mad about the utterly defensible publication of the cables; do we have to give them the bullets to shoot us with, too?

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series.

December 3, 2010

Open diplomacy

Probably most people have by now lived through the embarrassment of having a (it was intended to be) private communication made public. The email your fingers oopsishly sent to the entire office instead of your inamorata; the drunken Usenet postings scooped into Google's archive; the direct Tweet that wound up in the public timeline; the close friend your cellphone pocket-dialed while you were trashing them.

Most of these embarrassments are relatively short-lived. The personal relationships that weren't already too badly damaged recover, if slowly. Most of the people who get the misdirected email are kind enough to delete it and never mention it again. Even the stock market learns to forgive those drunken Usenet postings; you may be a CEO now but you were only a frat boy back then.

But the art of government-level diplomacy is creating understanding, tolerance, and some degree of cooperation among people who fundamentally distrust each other and whose countries may have substantial, centuries-old reasons why that is utterly rational. (Sometimes these internecine feuds are carried to extremes: would you buy from a store that filed Greek and Turkish DVDs in the same bin?) It's hardly surprising if diplomats' private conversations resemble those of Hollywood agents, telling each person what they want to hear about the others and maneuvering them carefully to get the desired result. And a large part of that desired result is avoiding mass destruction through warfare.

For that reason, it's hard to simply judge Wikileaks' behavior by the standard of our often-expressed goal of open data, transparency, accountability, and net.freedoms. Is there a line? And where do you draw it?

In the past, it was well-established news organizations who had to make this kind of decision - the New York Times and the Washington Post regarding the Pentagon Papers, for example. Those organizations, rooted in a known city in a single country, knew that mistakes would see them in court; they had reputations, businesses, and personal liberty to lose. As Jay Rosen: the world's first stateless news organization. (culture, laws, norms) - contract with those who have information that can submit - will encrypt to disguise source from us as well as others - and publish - can't subpoena because stateless. Failure of the watchdog press under George Bush and anxiety on part of press derived from denial of their own death.

Wikileaks wasn't *exactly* predicted by Internet pioneers, but it does have its antecedents and precursors. Before collaborative efforts - wikis - became commonplace on the Web there was already the notion of bypassing the nation-state to create stores of data that could not be subjected to subpoenas and other government demands. There was the Sealand data bunker. There was physicist Timothy May's Crypto Anarchist Manifesto, which posited that, "Crypto anarchy will allow national secrets to be trade freely and will allow illicit and stolen materials to be traded."

Note, however, that a key element of these ideas was anonymity. Julian Assange has told Guardian readers that in fact he originally envisioned Wikileaks as an anonymous service, but eventually concluded that someone must be responsible to the public.

Curiously, the strand of Internet history that is the closest to the current Wikileaks situation is the 1993-1997 wrangle between the Net and Scientology, which I wrote about for Wired in 1995. This particular net.war did a lot to establish the legal practices still in force with respect to user-generated content: notice and takedown, in particular. Like Wikileaks today, those posting the most closely guarded secrets of Scientology found their servers under attack and their material being taken down and, in response, replicated internationally on mirror sites to keep it available. Eventually, sophisticated systems were developed for locating the secret documents wherever they were hosted on a given day as they bounced from server to server (and they had to do all that without the help of Twitter. Today, much of the gist is on Wikipedia. At the time, however, calling it a "flame war with real bullets" wasn't far wrong: some of Scientology's fiercest online critics had their servers and/or homes raided. When Amazon removed Wikileaks from its servers because of "copyright", it operated according to practices defined in response to those Scientology actions.

The arguments over Wikileaks push at many other boundaries that have been hotly disputed over the last 20 years. Are they journalists, hackers, criminals, or heroes? Is Wikileaks important because, as NYU professor Jay Rosen points out, journalism has surrendered its watchdog role? Or because it is posing, as Techdirt says, the kind of challenge to governments that the music and film industries have already been facing? On a technical level, Wikileaks is showing us the extent to which the Internet can still resist centralised control.

A couple of years ago, Stefan Magdalinski noted the "horse-trading in a fairly raw form" his group of civic hackers discovered when they set out to open up the United Nations proceedings - another example of how people behave when they think no one is watching. Utimately governments will learn to function in a world in which they cannot trust that anything is secret, just as they had to learn to cope with CNN (PDF)

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series.

October 29, 2010

Wanted: less Sir Humphrey, more shark


Seventeen MPs showed up for Thursday's Backbenchers' Committee debate on privacy and the Internet, requested by Robert Halfon (Con-Harlow). They tell me this is a sell-out crowd. The upshot: Google and every other Internet company may come to rue the day that Google sent its Street View cars around Britain. It crossed a line.

That line is this: "Either your home is your castle or it's not." Halfon, talking about StreetView and email he had from a vastly upset woman in Cornwall whose home had been captured and posted on the Web. It's easy for Americans to forget how deep the "An Englishman's home is his castle" thing goes.

Halfon's central question: are we sleepwalking into a privatized surveillance society, and can we stop it? "If no one has any right to privacy, we will live in a Big Brother society run by private companies." StreetView, he said, "is brilliant - but they did it without permission." Of equal importance to Halfon is the curious incident of the silent Information Commissioner (unlike apparently his equivalent everywhere else in the world) and Google's sniffed wi-fi data. The recent announcement that the sniffed data includes contents of email messages, secure Web pages, and passwords has prompted the ICO to take another look.

The response of the ICO, Halfon said, "has been more like Sir Humphrey than a shark with teeth, which is what it should be."

Google is only one offender; Julian Huppert (LibDem-Cambridge) listed some of the other troubles, including this week's release of Firesheep, a Firefox add-on designed to demonstrate Facebook's security failings. Several speakers raised the issue of the secret BT/Phorm trials. A key issue: while half the UK's population choose to be Facebook users (!), and many more voluntarily use Google daily, no one chose to be included in StreetView; we did not ask to be its customers.

So Halfon wants two things. He wants an independent commission of inquiry convened that would include MPs with "expertise in civil liberties, the Internet, and commerce" to suggest a new legal framework that would provide a means of redress, perhaps through an Internet bill of rights. What he envisions is something that polices the behavior of Internet companies the way the British Medical Association or the Law Society provides voluntary self-regulation for their fields. In cases of infringement, fines, perhaps.

In the ensuing discussion many other issues were raised. Huppert mentioned "chilling" (Labour) government surveillance, and hoped that portions of the Digital Economy Act might be repealed. Huppert has also been asking Parliamentary Questions about the is-it-still-dead? Interception Modernization Programme; he is still checking on the careful language of the replies. (Asked about it this week, the Home Office told me they can't speculate in advance about the details will that be provided "in due course"; that what is envisioned is a "program of work on our communications abilities"; that it will be communications service providers, probably as defined in RIPA Section 2(1), storing data, not a government database; that the legislation to safeguard against misuse will probably but not certainly, be a statutory instrument.)

David Davis (Con-Haltemprice and Howden) wasn't too happy even with the notion of decentralized data held by CSPs, saying these would become a "target for fraudsters, hackers and terrorists". Damien Hinds (Con-East Hampshire) dissected Google's business model (including £5.5 million of taxpayers' money the UK government spent on pay-per-click advertising in 2009).

Perhaps the most significant thing about this debate is the huge rise in the level of knowledge. Many took pains to say how much they value the Internet and love Google's services. This group know - and care - about the Internet because they use it, unlike 1995, when an MP was about as likely to read his own email as he was to shoot his own dog.

Not that I agreed with all of them. Don Foster (LibDem-Bath) and Mike Weatherley (Con-Hove) were exercised about illegal file-sharing (Foster and Huppert agreed to disagree about the DEA, and Damian Collins (Con-Folkestone and Hythe complained that Google makes money from free access to unauthorized copies). Nadine Dorries (Con-Mid Bedfordshire) wanted regulation to young people against suicide sites.

But still. Until recently, Parliament's definition of privacy was celebrities' need for protection from intrusive journalists. This discussion of the privacy of individuals is an extraordinary change. Pressure groups like PI, , Open Rights Group, and No2ID helped, but there's also a groundswell of constituents' complaints. Mark Lancaster (Con-Milton Keynes North) noted that a women's refuge at a secret location could not get Google to respond to its request for removal and that the town of Broughton formed a human chain to block the StreetView car. Even the attending opposition MP, Ian Lucas (Lab-Wrexham), favored the commission idea, though he still had hopes for self-regulation.

As for next steps, Ed Vaizey (Con-Wantage and Didcot), the Minister for Communication, Culture, and the Creative Industries, said he planned to convene a meeting with Google and other Internet companies. People should have a means of redress and somewhere to turn for mediation. For Halfon that's still not enough. People should have a choice in the first place.

To be continued...

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series.

October 23, 2010

An affair to remember

Politicians change; policies remain the same. Or if, they don't, they return like the monsters in horror movies that end with the epigraph, "It's still out there..."

Cut to 1994, my first outing to the Computers, Freedom, and Privacy conference. I saw: passionate discussions about the right to strong cryptography. The counterargument from government and law enforcement and security service types was that yes, strong cryptography was a fine and excellent thing at protecting communications from prying eyes and for that very reason we needed key escrow to ensure that bad people couldn't say evil things to each other in perfect secrecy. The listing of organized crime, terrorists, drug dealers, and pedophiles as the reasons why it was vital to ensure access to cleartext became so routine that physicist Timothy May dubbed them "The Four Horsemen of the Infocalypse". Cypherpunks opposed restrictions on the use and distribution of strong crypto; government types wanted at the very least a requirement that copies of secret cryptographic keys be provided and held in escrow against the need to decrypt in case of an investigation. The US government went so far as to propose a technology of its own, complete with back door, called the Clipper chip.

Eventually, the Clipper chip was cracked by Matt Blaze, and the needs of electronic commerce won out over the paranoia of the military and restrictions on the use and export of strong crypto were removed.

Cut to 2000 and the run-up to the passage of the UK's Regulation of Investigatory Powers Act. Same Four Horsemen, same arguments. Eventually RIPA passed with the requirement that individuals disclose their cryptographic keys - but without key escrow. Note that it's just in the last couple of months that someone - a teenager - has gone to jail in the UK for the first time for refusing to disclose their key.

It is not just hype by security services seeking to evade government budget cuts to say that we now have organized cybercrime. Stuxnet rightly has scared a lot of people into recognizing the vulnerabilities of our infrastructure. And clearly we've had terrorist attacks. What we haven't had is a clear demonstration by law enforcement that encrypted communications have impeded the investigation.

A second and related strand of argument holds that communications data - that is traffic data such as email headers and Web addresses - must be retained and stored for some lengthy period of time, again to assist law enforcement in case an investigation is needed. As the Foundation for Information Policy Research and Privacy International have consistently argued for more than ten years, such traffic data is extremely revealing. Yes, that's why law enforcement wants it; but it's also why the American Library Association has consistently opposed handing over library records. Traffic data doesn't just reveal who we talk to and care about; it also reveals what we think about. And because such information is of necessity stored without context, it can also be misleading. If you already think I'm a suspicious person, the fact that I've been reading proof-of-concept papers about future malware attacks sounds like I might be a danger to cybersociety. If you know I'm a journalist specializing in technology matters, that doesn't sound like so much of a threat.

And so to this week. The former head of the Department of Homeland Security, Michael Chertoff, at the RSA Security Conference compared today's threat of cyberattack to nuclear proliferation. The US's Secure Flight program is coming into effect, requiring airline passengers to provide personal data for the US to check 72 hours in advance (where possible). Both the US and UK security services are proposing the installation of deep packet inspection equipment at ISPs. And language in the UK government's Strategic Defence and Security Review (PDF) review has led many to believe that what's planned is the revival of the we-thought-it-was-dead Interception Modernisation Programme.

Over at Light Blue Touchpaper, Ross Anderson links many of these trends and asks if we will see a resumption of the crypto wars of the mid-1990s. I hope not; I've listened to enough quivering passion over mathematics to last an Internet lifetime.

But as he says it's hard to see one without the other. On the face of it, because the data "they" want to retain is traffic data and note content, encryption might seem irrelevant. But a number of trends are pushing people toward greater use of encryption. First and foremost is the risk of interception; many people prefer (rightly) to use secured https, SSH, or VPN connections when they're working over public wi-fi networks. Others secure their connections precisely to keep their ISP from being able to analyze their traffic. If data retention and deep packet inspection become commonplace, so will encrypted connections.

And at that point, as Anderson points out, the focus will return to long-defeated ideas like key escrow and restrictions on the use of encryption. The thought of such a revival is depressing; implementing any of them would be such a regressive step. If we're going to spend billions of pounds on the Internet infrastructure - in the UK, in the US, anywhere else - it should be spent on enhancing robustness, reliability, security, and speed, not building the technological infrastructure to enable secret, warrantless wiretapping.


Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series.

October 15, 2010

The elected dictatorship

I wish I had a nickel for every time I had the following conversation with some British interlocutor in the 1970s and 1980s:

BI: You should never have gotten rid of Nixon.

wg: He was a crook.

BI: They're all crooks. He was the best foreign policy president you ever had.

As if it were somehow touchingly naïve to expect that politicians should be held to standards of behaviour in office. (Look, I don't care if they have extramarital affairs; I care if they break the law.)

It is, however, arguable that the key element of my BIs' disapproval was that Americans had the poor judgment and bad taste to broadcast the Watergate hearings live on television. (Kids, this was 1972. There was no C-Span then.) If Watergate had happened in the UK, it's highly likely no one would ever have heard about it until 50 or however many years later the Public Records Office opened the archives.

Around the time I founded The Skeptic, I became aware of the significant cultural difference in how people behave in the UK versus the US when they are unhappy about something. Britons write to their MP. Americans...make trouble. They may write letters, but they are equally likely to found an organization and create a campaign. This do-it-yourself ethic is completely logical in a relatively young country where democracy is still taking shape.

Britain, as an older - let's be polite and call it mature - country, operates instead on a sort of "gentlemen's agreement" ethos (vestiges of which survive in the US Constitution, to be sure). You can get a surprising amount done - if you know the right people. That system works perfectly for the in-group, and so to effect change you either have to become one of them (which dissipates your original desire for change) or gate-crash the party. Sometimes, it takes an American...

This was Heather Brooke's introduction to English society. The daughter of British parents and the wife of a British citizen, burned out from years of investigative reporting on murders and other types of mayhem in the American South, she took up residence in Bethnal Green with her husband. And became bewildered when repeated complaints to the council and police about local crime produced no response. Stonewalled, she turned to writing her book Your Right to Know, which led her to make her first inquiries about viewing MPs' expenses. The rest is much-aired scandal.

In her latest book, The Silent State, Brooke examines the many ways that British institutions are structured to lock out the public. The most startling revelation: things are getting worse, particularly in the courts, where the newer buildings squeeze public and press into cramped, uncomfortable spaces but the older buildings. Certainly, the airport-style security that's now required for entry into Parliament buildings sends the message that the public are both unwelcome and not to be trusted (getting into Thursday's apComms meeting required standing outside in the chill and damp for 15 minutes while staff inspected and photographed one person at a time).

Brooke scrutinizes government, judiciary, police, and data-producing agencies such as the Ordnance Survey, and each time finds the same pattern: responsibility for actions cloaked by anonymity; limited access to information (either because the information isn't available or because it's too expensive to obtain); arrogant disregard for citizens' rights. And all aided by feel-good, ass-covering PR and the loss of independent local press to challenge it. In a democracy, she argues, it should be taken for granted that citizens should have a right to get an answer when they ask the how many violent attacks are taking place on their local streets, take notes during court proceedings or Parliamentary sessions, or access and use data whose collection they paid for. That many MPs seem to think of themselves as members of a private club rather than public servants was clearly shown by the five years of stonewalling Brooke negotiated in trying to get a look at their expenses.

In reading the book, I had a sudden sense of why electronic voting appeals to these people. It is yet another mechanism for turning what was an open system that anyone could view and audit - it doesn't take an advanced degree to be able to count pieces of paper - into one whose inner workings can effectively be kept secret. That its inner workings are also not understandable to MPs =themselves apparently is a price they're willing to pay in return for removing much of the public's ability to challenge counts and demand answers. Secrecy is a habit of mind that spreads like fungus.

We talk a lot about rolling back newer initiatives like the many databases of Blair's and Brown's government, data retention, or the proliferation of CCTV cameras. But while we're trying to keep citizens from being run down by the surveillance state we should also be examining the way government organizes its operations and block the build-out of further secrecy. This is a harder and more subtle thing to do, but it could make the lives of the next generation of campaigners easier.

At least one thing has changed in the last 30 years, though: people's attitudes. In 2009, when the scandal over MPs' expenses broke, you didn't hear much about how other qualities meant we should forgive MPs. Britain wanted *blood*.

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series.

September 17, 2010

Science is vital

"Should I burn the check or eat it?" a broke friend with with bank account difficulties asked once.

Deciding what you can do without in a financial crisis is always tough, whether you're an individual or a government. Do you cut cold weather payments to the elderly? Dump pre-school programs? Sell off nationalized industries, pocket the debt, and use the cash as if it were income instead of irreplaceable capital? Slash arts funding knowing that you will be attacked by every high-profile actor and creator as a philistine? Flood prevention. Investment in new technologies to combat climate change. Police. Every group has its own set of arguments about why it shouldn't bear the brunt of government cuts. Everyone is special.

That may in fact be why the coalition government warned at the outset that slashing budgets would be across the board and that everyone would feel the chill. The UK Film Council, Becta, public sector...

And science research, spending on which is due to be reviewed next month. Even Harris, the former LibDem MP for Oxford West and Abingdon, has argued that science research is the foundation of future economic growth; Professor Brian Cox has compared the possibility of mothballing the expensive particle accelerator projects Diamond and Isis to "building the Olympic stadium and then not using it". (Not building the Olympic stadium - not winning the Olympics - not *bidding* on the Olympics would all have been fine with me, but this is the problem with trying to balance interest groups.)

At first glance, it's easy to see why business secretary Vince Cable would think it's a good idea for scientists to become more commercial: get industry to provide more funding and discontinue work that is "neither commercially useful nor theoretically outstanding", as the Guardian has him saying. While we've all heard the jokes about Drunken Goldfish and Other Irrelevant Scientific Research, the thing is that science - especially basic research - isn't so neatly categorized. When it is - when commercial interests take over too strongly - the underlying fundamental advances are lost, taking with them the next generation of new ideas.

Twenty years ago, when I first started doing technology journalism, I was told there were three great corporate research labs in the US: Xerox PARC, IBM Watson, and Bell Labs. Bell Labs was broken up along with its parent company, AT&T; PARC is not the force it was. Only IBM is still making news with its research. A lot of talent is now congregating at Google. In any event, over the last two decades most corporate research has in general become much more tightly focused on producing results the funding companies can use right away. That was a major reason why MIT's Media Lab was so successful at attracting funding from so many companies: it offered them a way to back less specifically focused research for relatively modest sums.

But basic research is the real blue-sky stuff, where you don't know what you have until some time later. In its heyday, IBM did both: it invented dye lasers, which had relatively little impact within the company but much more outside it, as well as DRAM and disk drives, which more obviously benefited the company itself. James McGroddy, then director of IBM research, told me in 1991 (for Personal Computer World) that even apparently irrelevant scientific research did have benefits for IBM even if they couldn't be easily quantified. For example, the company can more easily take advantage of advances if the people who made them are in its employ. Plus, expertise can cross disciplines: he cited the example of IBM mathematicians who find hard problems to work on within IBM customer needs (such as how to optimize airline schedules). More subtly, the production of Nobel prize-winning work made IBM the kind of place that the best people wanted to be.

All these points are relevant to national research programs, too, and lead directly to points Harris and others have made: that if you remove the facilities that allow scientists to work they will perforce go elsewhere. It is unfortunate but true that highly educated, very talented, creative people - and that is what scientists are - have choices about these things. And once you start to lose this generation of scientists, the next generation will follow of necessity because the way you become a great scientist is to be trained by and work with great scientists during your developmental years. The decisions made in this area today will make the difference between the UK's continuing to be a country that punches well above its weight in terms of size, population, and natural resources and the UK's becoming the third world country the Pope's aide already thinks it is (although hasn't anyone who's had to take one of those buses from plane to jetway thought the same thing?).

There must be some way of balancing the finances such that we do not throw away the future to pay for the present. Julian Huppert has tabled an Early Day Motion in Parliament, and there are demonstrations brewing. Imagine: Sheldon is marching.

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series.

August 27, 2010

Trust the data, not the database

"We're advising people to opt out," said the GP, speaking of the Summary Care Records that are beginning to be uploaded to what is supposed to be eventually a nationwide database used by the NHS. Her reasoning goes this way. If you don't upload your data now you can always upload it later. If you do upload it now - or sit passively by while the National Health Service gets going on your particular area - and live to regret it you won't be able to get the data back out again.

You can find the form here, along with a veiled hint that you'll be missing out on something if you do opt out - like all those great offers of products and services companies always tell you you'll get if you sign up for their advertising, The Big Opt-Out Web site has other ideas.

The newish UK government's abrupt dismissal of the darling databases of last year has not dented the NHS's slightly confusing plans to put summary care records on a national system that will move control over patient data from your GP, who you probably trust to some degree, to...well, there's the big question.

In briefings for Parliamentarians conducted by the Open Rights Group in 2009, Emma Byrne, a researcher at University College, London who has studied various aspects of healthcare technology policy, commented that the SCR was not designed with any particular use case in mind. Basic questions that an ordinary person asks before every technology purchase - who needs it? for what? under what circumstances? to solve what problem? - do not have clear answers.

"Any clinician understands the benefits of being able to search a database rather than piles of paper records, but we have to do it in the right way," Fleur Fisher, the former head of ethics, science, and information for the British Medical Association said at those same briefings. Columbia University researcher Steve Bellovin, among others, has been trying to figure out what that right way might look like.

As comforting as it sounds to say that the emergency care team looking after you will be able to look up your SCR and find out that, for example, you are allergic to penicillin and peanuts, in practice that's not how stuff happens - and isn't even how stuff *should* happen. Emergency care staff look at the patient. If you're in a coma, you want the staff to run the complete set of tests, not look up in a database, see you're a diabetic and assume it's a blood sugar problem. In an emergency, you want people to do what the data tells them, not what the database tells them.

Databases have errors, we know this. (Just last week, a database helpfully moved the town I live in from Surrey to Middlesex, for reasons best known to itself. To fix it, I must write them a letter and provide documentation.) Typing and cross-matching blood drawn by you from the patient in front of you is much more likely to have you transfusing the right type of blood into the right patient.

But if the SCR isn't likely to be so much used by the emergency staff we're all told would? might? find it helpful, it still opens up much broader possibilities of abuse. It's this part of the system that the GP above was complaining about: you cannot tell who will have access or under what circumstances.

GPs do, in a sense, have a horse in this race, in that if patient data moves out of their control they have lost an important element of their function as gatekeepers. But given everything we know about how and why large government IT projects fail, surely the best approach is small, local projects that can be scaled up once they're shown to be functional and valuable. And GPs are the people at the front lines who will be the first to feel the effects of a loss of patient trust.

A similar concern has kept me from joining at study whose goals I support, intended to determine if there is a link between mobile phone use and brain cancer. The study is conducted by an ultra-respectable London university; they got my name and address from my mobile network operator. But their letter notes that participation means giving them unlimited access to my medical records for the next 25 years. I'm 56, about the age of the earliest databases, and I don't know who I'll be in 25 years. Technology is changing faster than I am. What does this decision mean?

There's no telling. Had they said I was giving them permission for five years and then would be asked to renew, I'd feel differently about it. Similarly, I'd be more likely to agree had they said that under certain conditions (being diagnosed with cancer, dying, developing brain disease) my GP would seek permission to release my records to them. But I don't like writing people blank checks, especially with so many unknowns over such a long period of time. The SCR is a blank check.

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series

August 13, 2010

Pirate flags

Wednesday's Future Human - The Piracy Panacea event missed out on a few topics, among them network neutrality, an issue I think underlies many net.wars debates: content control, privacy, security. The Google-Verizon proposals sparked much online discussion this week. I can only reiterate my belief that net neutrality should be seen as an anti-trust issue. A basic principle of anti-trust law (Standard Oil, the movie studios) is that content owners should not be allowed to own the means of distribution, and I think this readily applies to cable companies that own TV stations and telephone companies that are carriers for other people's voice services.

But the Future Human event was extraordinary enough without that. Imagine: more than 150 people squished into a hot, noisy pub, all passionately interested in...copyright! It's only a few years ago that entire intellectual property law school classes would fit inside a broom cupboard. The event's key question: does today's "piracy" point the way to future innovation?

The basis of that notion seemed to be that historically pirates have forced large imperial powers to change and weren't just criminals. The event's light-speed introduction whizzed through functionally democratic pirate communities and pirate radio, and a potted history of authorship from Shakespeare and Newton to Lady Gaga. There followed mock trials of a series of escalating copyright infringements in which it became clear that the audience was polarized and more or less evenly divided.

There followed our panel: me, theoretically representing the Open Rights Group; Graham Linehan, creator of Father Ted and The IT Crowd; Jamie King, writer and director of Steal This Film; and economist Thierry Rayna. Challenged, of course, by arguers from the audience, one of whom declined to give her affiliation on the grounds that she'd get lynched (I doubt this). Partway through the panel someone complained on Twitter that we weren't answering the question the event had promised to tackle: how can the creative industries build on file-sharing and social networks to create the business models of the future?

It seems worth trying to answer that now.

First, though, I think it's important to point out that I don't think there's much that's innovative about downloading a TV show or MP3. The people engaged in downloading unauthorized copies of mainstream video/audio, I think, are not doing anything particularly brave. The people on the front lines are the ones running search engines and services. These people are indeed innovators, and some of them are doing it at substantial personal risk. And they cannot, in general, get legal licenses from rights holders, a situation that could be easily changed by the rights holders. Napster, which kicked the copyright wars into high gear and made digital downloads a mainstream distribution method, is now ten years ago. Yet rights holders are still trying to implement artificial scarcity (to replace real scarcity) and artificial geography (to replace real geography). The death of distance, as Economist writer Frances Cairncross called it in 1997, changes everything, and trying to pretend it doesn't is absurd. The download market has been created by everyone *but* the record companies, who should have benefited most.

Social networks - including the much-demonized P2P networks - provide the greatest mechanism for word of mouth in the history of human culture. And, as we all know, word of mouth is the most successful marketing available, at least for entertainment.

It also seems obvious that P2P and social networks are a way for companies to gauge the audience better before investing huge sums. It was obvious from day one, for example, that despite early low official ratings and mixed reviews, Gossip Girl was a hit. Why? Because tens of thousands of people were downloading it the instant it came online after broadcast. Shouldn't production company accountants be all over this? Use these things as a testbed instead of having the fall pilots guessed on by a handful of the geniuses who commissioned Cavemen and the US version of Coupling and cancelled Better Off Ted. They could have a lot clearer picture of what kind of audience a show might find and how quickly.

Trying to kill P2P and other technologies just makes them respawn like the Hydra. The death of Napster (central server) begat Gnutella and eDonkey (central indexes), lawsuits against whose software developers begat the even more decentralized BitTorrent. When millions and tens of millions of people are flocking to a new technology rights holders should be there, too.

The real threat is always going to be artists taking their business into their own hands. For every Lady Gaga there are thousands of artists who, given some basic help can turn their work into the kind of living wage that allows them to pursue their art full-time and professionally. I would think there is a real business in providing these artists with services - folksingers, who've never had this kind of help, have produced their own recordings for decades, and having done it myself I can tell you it's not easy. This was the impulse behind the foundation of CDBaby, and now of Jamie King's VoDo. In the long run, things like this are the real game-changers.

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series.

August 6, 2010

Bride of Clipper

"It's the Clipper chip," said Ross Anderson, or more or less, "risen out of its grave trailing clanking chains and covered in slime." Anderson was talking about the National Strategy for Trusted Identities in Cyberspace, a plan hatched in the US and announced by cybersecurity czar Howard Schmidt in June.

The Clipper chip was the net.war in progress when I went to my first Computers, Freedom, and Privacy conference, the 1994 edition, held in Chicago. The idea behind Clipper was kind of cute: the government, in the form of the NSA, had devised a cryptographic chip that could be installed in any telecommunications device to encrypt and decrypt any communications it transmitted or received. The catch: the government would retain a master key to allow it to decrypt anything it wanted whenever it felt the need. Privacy advocates and civil libertarians and security experts joined to fight a battle royal against its adoption as a government standard. We'll never know how that would have come out because while passions were still rising a funny thing happened: cryptographer Matt Blaze discovered he could bypass the government's back door (PDF) and use the thing to send really encrypted communications. End of Clipper chip.

At least, as such.

The most important element of the Clipper chip, however - key escrow - stayed with us a while longer. It means what it sounds like: depositing a copy of your cryptographic key, which is supposed to be kept secret, with an authority. During the 1990s run of fights over key escrow (the US and UK governments wanted it; technical experts, civil libertarians, and privacy advocates all thought it was a terrible idea) such authorities were referred to as "trusted third parties" (TTPs). At one event Privacy International organised to discuss the subject, government representatives made it clear their idea of TTPs were banks. They seemed astonished to discover that in fact people don't trust their banks that much. By the time the UK's Regulation of Investigatory Powers Act was passed in 2000, key escrow had been eliminated.

But it is this very element - TTPs and key escrow - that is clanking along to drip slime on the NSTIC. The proposals are, of course, still quite vague, as the Electronic Frontier Foundation has pointed out. But the proposals do talk of "trusted digital identities" and "identity providers" who may be from the public or private sectors. They talk less, as the Center for Democracy and Technology has pointed out, about the kind of careful user-centric, role-specific, transactional authentication that experts like Jan Camenisch and Stefan Brands have long advocated. (Since I did that 2007 interview with him, Brands' company, Credentica, has been bought by Microsoft and transformed into its new authentication technology, U-Prove.) Have an identity ecosystem, by all means, but the key to winning public trust - the most essential element of any such system - will be ensuring that identity providers are not devised as Medium-sized Brothers-by-proxy.

Blaze said at the time that the Feds were pretty grown-up about the whole thing. Still, I suppose it was predictable that it would reappear. Shortly after the 9/11 attacks Jack Straw, then foreign minister, called those of us who opposed key escrow in the 1990s "very naïve". The rage over that kicked off the first net.wars column.

The fact remains that if you're a government and you want access to people's communications and those people encrypt those communications there are only two approaches available to you. One: ban the technology. Two: install systems that let you intercept and decode the communications at will. Both approaches are suddenly vigorously on display with respect to Blackberry devices, which offer the most secure mobile email communications we have (which is why businesses and governments love them so much for their own use).

India wants to take the second approach, but will settle for the first if Research in Motion doesn't install a server in India, where it can be "safely" monitored. The UAE, as everyone heard this week, wants to ban it starting on October 11. (I was on Newsnight Tuesday to talk about this with Kirsty Wark and Alan West.)

No one, not CDT, PI, or EFF, not even me, disputes that there are cases where intercepting and reading communications - wiretapping - is necessary in the interest of protecting innocent lives. But what key escrow and its latter variants enables, as Susan Landau, a security researcher and co-author of Privacy on the Line: The Politics of Wiretapping and Encryption, has noted, is covert wiretapping. Or, choose your own favorite adjective: covert, warrantless, secret, unauthorized, illegal... It would be wonderful to be able to think that all law enforcement heroes are noble, honorable, and incapable of abusing the power we give them. But history says otherwise: where there is no oversight, abuse follows. Judicial oversight of wiretapping requests is our bulwark against mass surveillance.

CDT, EFF, and others are collecting ideas for improving NSTIC, starting with extending the period for public comments, which was distressingly short (are we seeing a pattern develop here?). Go throw some words at the problem.

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series.

July 30, 2010

Three-legged race

"If you are going to do this damn silly thing, don't do it in this damn silly way," Sir Humphrey Appleby tells Jim Hacker in a fit of unaccustomed straight talking.

We think of this often these days, largely because it seems as though lawmakers, having been belittled by impatient and malcontent geeks throughout the 1990s for being too slow to keep up with Internet time, are trying to speed through the process of creating legislation by eliminating thought, deliberation, and careful drafting. You can see why they'd want to get rid of so many civil servants, who might slow this process down.

In that particular episode of Yes, Minister, "The Writing on the Wall" (S1e05), Appleby and Hacker butt heads over who will get the final say over the wording of a draft proposal on phased Civil Service reductions (today's civil servants and ministers might want to watch episode S1e03, "The Economy Drive", for what their lives will soon be like). Hacker wins that part of the battle only to discover that his version, if implemented, will shut down his own department. Oops.

Much of the Digital Economy Act (2010) was like this: redrafted at the last minute in all sorts of unhelpful ways. But the devil is always in the details, and it was not unreasonable to hope that Ofcom, charging with defining and consulting on those details, would operate in a more measured fashion. But apparently not, and so we have a draft code of practice that's so incomplete that it could be a teenager's homework.

Both Consumer Focus and the Open Rights Group have analyses of the code's non-compliance with the act and a helpful <"a href=http://e-activist.com/ea-campaign/clientcampaign.do?ea.client.id=1422&ea.campaign.id=7268">online form should you wish to submit your opinions. The consultation closes today, so run, do not walk, to add your comments.

What's more notable is when it opened: May 28, only three days after the State Opening of the post-election parliamentary session, three weeks after the election, and six weeks after the day that Gordon Brown called the election. Granted, civil servants do not down pencils while the election is proceeding. But given that the act went through last-second changes and then was nodded through the House of Commons in the frantic dash to get home to start campaigning, the most time Ofcom can have had to draft this mish-mash was about six weeks. Which may explain the holes and inadequacies, but then you have to ask: why didn't they take their time and do it properly?

The Freedom bill, which is to repeal so many of the items on our wish list, is mute on the subject of the Digital Economy Act, despite a number of appearances on the Freedom bill's ideas site. (Big Brother Watch has some additional wish list items.)

The big difficulty for anyone who hates the copyright protectionist provisions in the act - the threat to open wi-fi, the disconnection or speed-limitation of Internet access ("technical measures") to be applied to anyone who is accused of copyright infringement three times ("three-strikes", or HADOPI, after the failed French law attempting to do the same) - is that what you really want is for the act to go away. Preferably back where it came from, some copyright industry lobbyist's brain. A carefully drafted code of practice that pays attention to ensuring that the evidentiary burden on copyright holders is strong enough to deter the kind of abuse seen in the US since the passage of the Digital Millennium Copyright Act (1998) is still not a good scenario, merely a least-worst one.

Still, ORG and Consumer Focus are not alone in their unhappiness. BT and TalkTalk have expressed their opposition, though for different reasons. TalkTalk is largely opposed to the whole letter-writing and copyright infringement elements; but both ISPs are unhappy about Ofcom's decision to limit the code to fixed-line ISPs with more than 400,000 customers. In the entire UK, there are only seven: TalkTalk, BT, Post Office, Virgin, Sky, Orange, and O2. Yet it makes sense to exclude mobile ISPs for now: at today's prices it's safe to guess that no one spends a lot of time downloading music over them. For the rest...these ISPs can only benefit if unauthorised downloading on their services decreases, don't all ISPs want the heaviest downloaders to leech off someone else's service?

LINX, the largest membership organisation for UK Internet service providers has also objected (PDF) to the Act's apportionment of costs: ISPs, LINX's Malcolm Hutty argues, are innocent third parties, so rather than sharing the costs of writing letters and retaining the data necessary to create copyright infringement reports ISPs should be reimbursed for not only the entire cost of implementing the necessary systems but also opportunity costs. It's unclear, LINX points out, how much change Ofcom has time to make to the draft code and still meet its statutory timetable.

So this is law on Internet time: drafted for, if not by, special interests, undemocratically rushed through Parliament, hastily written, poorly thought-out, unfairly and inequitably implemented in direct opposition to the country's longstanding commitment to digital inclusion. Surely we can do better.


Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series.

July 16, 2010

Music tax

According to various press write-ups Music Education in the 21st Century in the United Kingdom, published yesterday, worries that older forms of music like brass bands, classical, and folk music could become extinct. Despite the fact that you can put any kind of music you want on an iPod, kids just aren't hearing anything but pop, rock, hip-hop, and rap.

This is in the same week that the Performing Rights Society for Music released a paper proposing to levy fees on ISPs in proportion to the amount of copyrighted material being illegally downloaded via their networks.

These are connected issues.

There are so many problems with the "music tax" proposal that you barely know where to start. The paper describes ISPs as "next-generation broadcasters" and unlicensed media consumption as providing value to ISPs; and proposes using Detica's deep packet inspection to analyze traffic and track "plausibly illicit file sharing".

ISPs are infrastructure providers. A few, mostly cable companies, are broadcasters - Virgin in the UK and Comcast in the US - whose core business is providing TV. But most are phone companies, landline or mobile - BT, Verizon, Vodafone, T-Mobile. To ISPs serving the mass market heavy downloaders who soak up their bandwidth are pariahs who don't pay proportionately for their usage. Finally, the belief that it's easy to tell identify illicit data streams is laughable.

And that's without considering the civil liberties implications of having a private company snoop on everyone's downloads at the behest of a single industry sector.

But we've been through what's wrong with this type of proposal before. What may not be obvious is the connection between the decay we began with of older musical forms and the enactment of policies that make the recording industry happy. Brass band music varies considerably in its provenance, but if there's one thing almost all classical music and traditional folk music have in common besides holding an important place in British cultural heritage it's this: they're out of copyright. Policies enacted at the behest of the copyright industries - for example the Digital Economy Act (which BT and TalkTalk| want to challenge, by the way) - do nothing for these types of music and their performers.

The 2003 Licensing Act brought in a requirement for pubs and other locations that have long hosted small music events to get entertainment licenses. The upshot: it's easier and cheaper for pubs to have a television or recorded music playing than it is to allow live musicians to sit in a corner and play folk music, even though acoustic music is typically less likely to annoy the neighbors with noise overspill. There have been consultationsa bout changing this and there is currently a bill in the House of Lords, but in the meantime dozens of small folk clubs and acoustic sessions have ended for lack of a welcoming venue. Most of those could have been saved by the exemptions proposed in the bill: audiences of under 200, acoustic music only, ending before midnight, and so on. These issues have been much discussed on the Usenet newsgroup uk.music.folk, and the Live Music Forum delivered a petition with 17,000 signatures to number 10 Downing Street on July 8.

It's particularly ironic that this has happened at a time when the folk scene has had the best influx of energizing young performers for several decades: John Spiers and Jon Boden, Bellowhead, Faustus, the Emily and Hazel Askew, and many others (as a general rule, anything involving Tim Van Eyken is good). These are fresh, high-energy reinterpretations of English folk music created by superb, passionate musicians, not at all the dying, airless flatness of academia some might imagine. The fact that most folk performers consider a turnout of 200 a great night doesn't mean they're - it is to laugh! - less competent than Lady Gaga.

But a lot of the point of folk music - like the open-source software movement - is that it's participatory (If you can sing, then you can write a song, sings my friend Bill Steele, writer of "Garbage!", the song made famous by Pete Seeger). Music, like sports, software coding, and scientific exploration, is something that people need to believe they can do themselves - and of all the genres folk is probably the most accessible in that regard. It would certainly suit the recording business for music to become a black box like a mobile phone or a game console, something people pay to use without looking inside it. But society as a whole would be poorer for it. Government and education should be encouraging kids to play, learn, and experiment, to be fellow creators, not consumers.

So, Messrs Cameron and Clegg: if you want to do something for music and musicians, amend the Licensing Act to encourage live performance by live musicians in small venues. Amend contract law so that musicians aren't forced into giving away all rights in perpetuity with no reversion. Require the new owners of failed record labels to pay royalties on the back catalogues they've acquired instead of allowing them to take the assets and dump the liabilities. Music is bigger than just those four big labels, y'know.


Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of the earlier columns in this series.

June 11, 2010

Bonfire of the last government's vanities

"We have no hesitation in making the national identity card scheme an unfortunate footnote in history. There it should remain - a reminder of a less happy time when the Government allowed hubris to trump civil liberties," the Home Secretary, Theresa May, told the House of Commons at the second reading of the Identity Documents Bill 2010, which will erase the 2006 act introducing ID cards and the National Identity Register. "This will not be a literal bonfire of the last Government's vanities, but it will none the less be deeply satisfying." Estimated saving: £86 million over the next four years.

But not so fast...

An "unfortunate footnote" sounds like the perfect scrapheap on which to drop the National Identity Register and its physical manifestation, ID cards, but if there's one thing we know about ID cards it's that, like the monster in horror movies, they're always "still out there".

In 2005, Lilian Edwards, then at the Centre for Research in Intellectual Property and Law at the University of Edinburgh, invited me to give a talkIdentifying Risks, on the history of ID cards, an idea inspired by a comment from Ross Anderson. The gist: after the ID card was scrapped in 1952 at the end of World War II, attempts to bring it back an ID card were made, on average, about every two or three years. (Former cabinet minister Peter Lilley, speaking at Privacy International's 2002 conference, noted that every new IT minister put the same set of ID card proposals before the Cabinet.)

The most interesting thing about that history is that the justification for bringing in ID cards varied so much; typically, it drew on the latest horrifying public event. So, in 1974 it was the IRA bombings in Guildford and Birmingham. In 1988, football hooliganism and crime. In 1989, social security fraud. In 1993, illegal immigration, fraud, and terrorism.

Within the run of just the 2006 card, the point varied. The stated goals began with blocking benefit fraud, then moved on to include preventing terrorism and serious crime, stopping illegal immigration, and needing to comply with international standards that require biometric features in passports. It is this chameleon-like adaptation to the troubles of the day that makes ID cards so suspect as the solution to anything.

Immediately after the 9/11 attacks, Tony Blair rejected the idea of ID cards (which he had actively opposed in 1995, when John Major's government issued a green paper). But by mid-2002 a consultation paper had been published and by 2004 Blair was claiming that the civil liberties objections had vanished.

Once the 2006 ID card was introduced as a serious set of proposals in 2002, events unfolded much as Simon Davies predicted they would at that 2002 meeting. The government first clothed the ID card in user-friendly obfuscation: an entitlement card. The card's popularity in the polls, at first favourable (except, said David Blunkett for a highly organised minority), slid inexorably as the gory details of its implementation and costs became public. Yet the (dear, departed) Labour government clung to the proposals despite admitting, from time to time, their utter irrelevance for preventing terrorism.

Part of the card's sliding popularity has been due to people's increased understanding of the costs and annoyance it would impose. Their apparent support for the card was for the goals of the card, not the card itself. Plus, since 2002 the climate has changed: the Iraq war is even less popular and even the 2005 "7/7" London attacks did not keep acceptance of the "we are at war" justification for increased surveillance from declining. And the economic climate since 2008 makes large expenditure on bureaucracy untenable.

Given the frequency with which the ID card has resurfaced in the past, it seems safe to say that the idea will reappear at some point, though likely not during this coalition government. The LibDems always opposed it; the Conservatives have been more inconsistent, but currently oppose large-scale public IT projects.

Depending how you look at it, ID cards either took 54 years to resurface (from their withdrawal in1952 to the 2006 Identity Cards Act), or the much shorter time to the first proposals to reinstate them. Australia might be a better guide. In 1985, Bob Hawke made the "Australia card" a central plank of his government. He admitted defeat in 1987, after widespread opposition fueled by civil liberties groups. ID card proposals resurfaced in Australia in 2006, to be withdrawn again at the end of 2007. That's about 21 years - or a generation.

In 2010 Britain, it's as important that much of the rest of the Labour government's IT edifice, such as the ContactPoint database, intended to track children throughout their school years, is being scrapped. Left in place, it might have taught today's generation of children to perceive state tracking as normal. The other good news is that many of today's tireless campaigners against the 2006 ID card will continue to fight the encroachment of the database state. In 20 years - or sooner, if (God forbid) some catastrophe makes it politically acceptable - when or if an ID card comes back, they will still be young enough to fight it. And they will remember how.


Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of the earlier columns in this series.

June 4, 2010

Return to the hacker crackdown

Probably many people had forgotten about the Gary McKinnon case until the new government reversed their decision to intervene in his extradition. Legal analysis is beyond our expertise, but we can outline some of the historical factors at work.

By 2001, when McKinnon did his breaking and entering into US military computers, hacking had been illegal in the UK for just over ten years - the Computer Misuse Act was passed in 1990 after the overturned conviction of Robert Schifreen and Steve Gold for accessing Prince Philip's Prestel mailbox.

Early 1990s hacking (earlier, the word meant technological cleverness) was far more benign than today's flat-out crimes of identity fraud, money laundering, and raiding bank accounts. The hackers of the era - most famously Kevin Mitnick were more the cyberspace equivalent of teenaged joyriders: they wandered around the Net rattling doorknobs and playing tricks to get passwords, and occasionally copied some bit of trophy software for bragging rights. Mitnick, despite spending four and a half years in jail awaiting trial, was not known to profit from his forays.

McKinnon's claim that he was looking for evidence that the US government was covering up information about alternative energy and alien visitations seems to me wholly credible. There was and is a definite streak of conspiracy theorists - particularly about UFOs - among the hacker community.

People seemed more alarmed by those early-stage hackers than they are by today's cybercriminals: the fear of new technology was projected onto those who seemed to be its masters. The series of 1990 "Operation Sundown" raids in the US, documented in Bruce Sterling's book , inspired the creation of the Electronic Frontier Foundation. Among other egregious confusions, law enforcement seized game manuals from Steven Jackson Games in Austin, Texas, calling them hacking instruction books.

The raids came alongside a controversial push to make hacking illegal around the world. It didn't help when police burst in at the crack of dawn to arrest bright teenagers and hold them and their families (including younger children) at gunpoint while their computers and notebooks were seized and their homes ransacked for evidence.

"I think that in the years to come this will be recognized as the time of a witch hunt approximately equivalent to McCarthyism - that some of our best and brightest were made to suffer this kind of persecution for the fact that they dared to be creative in a way that society didn't understand," 21-year-old convicted hacker Mark Abene ("Phiber Optik") told filmmaker Annaliza Savage for her 1994 documentary, Unauthorized Access (YouTube).

Phiber Optik was an early 1990s cause célèbre. A member of the hacker groups Legion of Doom and Masters of Deception, he had an exceptionally high media profile. In January 1990, he and other MoD members were raided on suspicion of having caused the AT&T crash of January 15, 1990, when more than half of the telephone network ceased functioning for nine hours. Abene and others were eventually charged in 1991, with law enforcement demanding $2.5 million in fines and 59 years in jail. Plea agreements reduced that a year in prison and 600 hours of community service. The company eventually admitted the crash was due to its own flawed software upgrade.

There are many parallels between these early days of hacking and today's copyright wars. Entrenched large businesses (then AT&T; now RIAA, MPAA, BPI, et al) perceive mostly young, smart Net users as dangerous enemies and pursue them with the full force of the law claiming exaggeratedly large-figure sums in damages. Isolated, often young, targets were threatened with jail and/or huge sums in damages to make examples of them to deter others. The upshot in the 1990s was an entrenched distrust of and contempt for law enforcement on the part of the hacker community, exacerbated by the fact that back then so few law enforcement officers understood anything about the technology they were dealing with. The equivalent now may be a permanent contempt for copyright law.

In his 1990 essay Crime and Puzzlement examining the issues raised by hacking, EFF co-founder John Perry Barlow wrote of Phiber Optik, whom he met on the WELL: "His cracking impulses seemed purely exploratory, and I've begun to wonder if we wouldn't also regard spelunkers as desperate criminals if AT&T owned all the caves."

When McKinnon was first arrested in March 2002 and then indicted in a Virginia court in October 2002 for cracking into various US military computers - with damage estimated at $800,000 - all this history will still fresh. Meanwhile, the sympathy and good will toward the US engendered by the 9/11 attacks had been dissipated by the Bush administration's reaction: the PATRIOT Act (passed October 2001) expanded US government powers to detain and deport foreign citizens, and the first prisoners arrived at Guantanamo in January 2002. Since then, the US has begun fingerprinting all foreign visitors and has seen many erosions to civil liberties. The 2005 changes to British law that made hacking into an extraditable offense were controversial for precisely these reasons.

As McKinnon's case has dragged on through extradition appeals this emotional background has not changed. McKinnon's diagnosis with Asperger's Syndrome in 2008 made him into a more fragile and sympathetic figure. Meanwhile, the really dangerous cybercriminals continue committing fraud, theft, and real damage, apparently safe from prosecution.


Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series.

May 7, 2010

Wish list

It's 2am on election night, so of course no one can think about anything except the returns. Reported so far: 57 of 650 seats. Swing from Labour to Conservative: 4 percent.

The worst news of the night so far is that people have been turned away from polling stations because the queues couldn't be processed fast enough to get everyone through before the official closing time of 10pm. Creative poll workers locked the unvoted inside the station and let them vote. Uncreative ones sent them home, or tried to - I'm glad to see there were angry protests and, in some cases, sit-ins. Incredibly, some people couldn't vote because their stations ran out of ballot papers. In one area, hundreds of postal ballots are missing. It's an incredible shambles considering Britain's centuries of experience of running elections. Do not seize on this mess as an excuse to bring in electronic voting, something almost every IT security expert warns is a very bad idea. Print some more ballot papers, designate more polling stations, move election day to Saturday.

Reported: 69 Swing: 3.8 percent: Both Conservatives and LibDems have said they will scrap the ID card. Whether they'll follow through remains to be seen. My sense from interviews with Conservative spokespeople for articles in the last year is that they want to scrap large IT projects in favor of smaller, more manageable ones undertaken in partnership with private companies. That should spell death for the gigantic National Identity Register database and profound change for the future of NHS IT; hopefully smaller systems should give individuals more control. It does raise the question of handing over data to private companies in, most likely, other countries. The way LibDem peers suddenly switched sides on the Digital Economy Act last month dinged our image of the LibDems as the most sensible on net.wars issues of all the parties. Whoever gets in, yes, please, scrap the National Identity Register and stick to small, locally grown IT projects that serve their users. That means us, not the Whitehall civil service.

Reported: 82. Swing: 3.6 percent: Repeal the Digital Economy Act and take time out for a rethink and public debate. The copyright industries are not going to collapse without three-strikes and disconnection notices. Does the UK really want laws that France has rejected?

Reported: 104. Swing: 4.1 percent: Coincidentally, today I received today a letter "inviting" me to join a study on mobile phones and brain cancer; I would be required to answer periodic surveys about my phone use. The explanatory leaflet notes: "Imperial College will review your health directly through routine medical and other health-related records" using my NHS number, name, address, and date of birth - for the next 20 to 30 years. Excuse me? Why not ask me to report relevant health issues, and request more detailed access only if I report something relevant? This Labour government has fostered this attitude of We Will Have It All. I'd participate in the study if I could choose what health information I give; I'm not handing over untrammeled right of access. New government: please cease to regard our health data as yours to hand over "for research purposes" to whomever you feel like. Do not insult our intelligence and knowledge by claiming that anonymizing data protects our privacy; such data can often be very easily reidentified.

Reported: 120. Swing: 3.9 percent: Reform libel law. Create a public interest defense for scientific criticism, streamline the process, and lower costs for defendants. Re-allocate the burden of proof to the plaintiff. Stop hearing cases with little or no connection to the UK.

Reported: 149. Swing: 4.3 percent: While you're reforming legal matters, require small claims court to hear cases in which photographers (and other freelances) pursue publishers who have infringed their copyright. Photographers say these courts typically kick such "specialist" cases up to higher levels, making it impracticably expensive to get paid.

Reported: 231. Swing: 4.8 percent: Any government that's been in power as long as Labour currently has is going to seem tired and in need of new ideas. But none of the complaints above - the massive growth in surveillance, the lack of regard for personal privacy, the sheer cluelessness about IT - knocked Labour down. Even lying about the war didn't do it. It was, as Clinton's campaign posted on its office walls, the economy. Stupid.

Reported: 327. Swing: 5 percent: Scrap ContactPoint, the (expensive, complicated) giant database intended to track children through their school days to adulthood - and, by the time they get there, most likely beyond. Expert reports the government commissioned and paid for advised against taking the risk of data breaches. Along with it modernize data protection instead of data retention.

Reported: 626. Swing: 5.3 percent:
A hung Parliament (as opposed to hanging chad). Good. For the last 36 years Britain has been ruled by an uninterrupted elected dictatorship. It is about time the parties were forced to work together again. Is anyone seriously in doubt that the problems the country has are bigger than any one party's interests? Bring on proportional representation. Like they have in Scotland.

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series.

April 2, 2010

Not bogus!


"If I lose £1 million it's worth it for libel law reform," the science writer Simon Singh was widely reported as saying this week. That was even before yesterday's ruling in the libel case brought against him by the British Chiropractic Association.

Going through litigation, I was told once, is like having cancer. It is a grim, grueling, rollercoaster process that takes over your life and may leave you permanently damaged. In the first gleeful WE-WON! moments following yesterday's ruling it's easy to forget that. It's also easy to forget that this is only one stage in a complex series.

Yesterday's judgment was the ruling in Singh's appeal (heard on February 22) against the ruling of Justice David Eady last May, which itself was only a preliminary ruling on the meaning of the passage in dispute, with the dispute itself to be resolved in a later trial. In October Singh won leave to appeal Eady's ruling; February's hearing and today's judgment constituted that appeal and its results. It is now two years since the original article appeared, and the real case is yet to be tried. Are we at the beginning of Jarndyce and Jarndyce or SCO versus Everyone?

The time and costs of all this are why we need libel law reform. English libel cases, as Singh frequently reminds us, cost 144 times as much as similar cases in the rest of the EU.

But the most likely scenario is that Singh will lose more than that million pounds. It's not just that he will have to pay the costs of both sides if he loses whatever the final round of this case eventually turns out to be (even if he wins the costs awarded will not cover all his expenses). We must also count what businesses call "opportunity costs".

A couple of weeks ago, Singh resigned from his Guardian column because the libel case is consuming all his time. And, he says, he should have started writing his next book a year ago but can't develop a proposal and make commitments to publishers because of the uncertainty. These withdrawals are not just his loss; we all lose by not getting to read what he'd write next. At a time when politicians can be confused enough to worry that an island can tip over and capsize, we need our best popular science educators to be working. Today's adults can wait, perhaps; but I did some of my best science reading as a teenager: The Microbe Hunters; The Double Helix (despite its treatment of Rosalind Franklin); Isaac Asimov's The Human Body: Its Structure and Operation; and the pre-House true medical detection stories of Berton Roueché. If Singh v BCA takes five years that's an entire generation of teenagers.

Still, yesterday's ruling, in which three of the most powerful judicial figures in the land agreed - eloquently! - with what we all thought from the beginning deserves to be celebrated, not least for its respect for scientific evidence,

Some favorite quotes from the judgment, which makes fine reading:

Accordingly this litigation has almost certainly had a chilling effect on public debate which might otherwise have assisted potential patients to make informed choices about the possible use of chiropractic.

A similar situation, of course, applies to two other recent cases that pitted libel law against the public interest in scientific criticism. First, Swedish academic Francisco Lacerda, who criticized the voice risk analysis principles embedded in lie detector systems (including one bought by the Department of Work and Pensions at a cost of £2.4 million). Second, British cardiologist Peter Wilmshurst is defending charges of libel and slander over comments he made regarding a clinical trial in which he served as a principal investigator. In all three cases, the public interest is suffering. Ensuring that there is a public interest defense is accordingly a key element of the libel law reform campaign's platform.

The opinion may be mistaken, but to allow the party which has been denounced on the basis of it to compel its author to prove in court what he has asserted by way of argument is to invite the court to become an Orwellian ministry of truth.

This was in fact the gist of Eady's ruling: he categorized Singh's words as fact rather than comment and would have required Singh to defend a meaning his article went on to say explicitly was not what he was saying. We must leave it for someone more English than I am to say whether that is a judicial rebuke.

We would respectfully adopt what Judge Easterbrook, now Chief Judge of the US Seventh Circuit Court of Appeals, said in a libel a2ction over a scientific controversy, Underwager v Salter: "[Plaintiffs] cannot, by simply filing suit and crying 'character assassination!', silence those who hold divergent views, no matter how adverse those views may be to plaintiffs' interests. Scientific controversies must be settled by the methods of science rather than by the methods of litigation.

What they said.

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series.

March 19, 2010

Digital exclusion: the bill

The workings of British politics are nearly as clear to foreigners as cricket; and unlike the US there's no user manual. (Although we can recommend Anthony Trollope's Palliser novels and the TV series Yes, Minister as good sources of enlightenment on the subject.) But what it all boils down to in the case of the Digital Economy Bill is that the rights of an entire nation of Internet users are about to get squeezed between a rock and an election unless something dramatic happens.

The deal is this: the bill has completed all the stages in the House of Lords, and is awaiting its second reading in the House of Commons. Best guesses are that this will happen on or about March 29 or 30. Everyone expects the election to be called around April 8, at which point Parliament disbands and everyone goes home to spend three weeks intensively disrupting the lives of their constituency's voters when they're just sitting down to dinner. Just before Parliament dissolves there's a mad dash to wind up whatever unfinished business there is, universally known as the "wash-up". The Digital Economy Bill is one of those pieces of unfinished business. The fun part: anyone who's actually standing for election is of course in a hurry to get home and start canvassing. So the people actually in the chamber during the wash-up while the front benches are hastily agreeing to pass stuff thought on the nod are likely to be retiring MPs and others who don't have urgent election business.

"What we need," I was told last night, "is a huge, angry crowd." The Open Rights Group is trying to organize exactly that for this Wednesday, March 24.

The bill would enshrine three strikes and disconnection into law. Since the Lords' involvement, it provides Web censorship. It arguably up-ends at least 15 years of government policy promoting the Internet as an engine of economic growth to benefit one single economic sector. How would the disconnected vote, pay taxes, or engage in community politics? What happened to digital inclusion? More haste, less sense.

Last night's occasion was the 20th anniversary of Privacy International (Twitter: @privacyint), where most people were polite to speakers David Blunkett and Nick Clegg. Blunkett, who was such a front-runner for a second Lifetime Menace Big Brother Award that PI renamed the award after him, was an awfully good sport when razzed; you could tell that having his personal life hauled through the tabloid press in some detail has changed many of his views about privacy. Though the conversion is not quite complete: he's willing to dump the ID card, but only because it makes so much more sense just to make passports mandatory for everyone over 16.

But Blunkett's nearly deranged passion for the ID card was at least his own. The Digital Economy Bill, on the other hand, seems to be the result of expert lobbying by the entertainment industry, most especially the British Phonographic Industry. There's a new bit of it out this week in the form of the Building a Digital Economy report, which threatens the loss of 250,000 jobs in the UK alone (1.2 million in the EU, enough to scare any politician right before an election). Techdirt has a nice debunking summary.

A perennial problem, of course, is that bills are notoriously difficult to read. Anyone who's tried knows these days they're largely made up of amendments to previous bills, and therefore cannot be read on their own; and while they can be marked up in hypertext for intelligent Internet perusal this is not a service Parliament provides. You would almost think they don't really want us to read these things.

Speaking at the PI event, Clegg deplored the database state that has been built up over the last ten to 15 years, the resulting change in the relationship between citizen and state, and especially the omission that, "No one ever asked people to vote on giant databases." Such a profound infrastructure change, he argued, should have been a matter for public debate and consideration - and wasn't. Even Blunkett, who attributed some of his change in views to his involvement in the movie Erasing David (opening on UK cinema screens April 29), while still mostly defending the DNA database, said that "We have to operate in a democratic framework and not believe we can do whatever we want."

And here we are again with the Digital Economy Bill. There is plenty of back and forth among industry representatives. ISPs estimate the cost of the DEB's Web censorship provisions at up to £500 million. The BPI disagrees. But where is the public discussion?

But the kind of thoughtful debate that's needed cannot take place in the present circumstances with everyone gunning their car engines hoping for a quick getaway. So if you think the DEB is just about Internet freedoms, think again; the way it's been handled is an abrogation of much older, much broader freedoms. Are you angry yet?


Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series.

February 12, 2010

Light year

This year is going to be the first British general election in which blogging is going to be a factor, someone said on Monday night at the event organized by the Westminster Skeptics on the subject of political blogging: does it make any difference? I had to stop and think: really? Things like the Daily Kos have been part of the American political scene for so long now - Kos was founded in 2002 - that they've been through two national elections already.

But there it was: "2005 was my big break," said Paul Staines, who blogs as Guido Fawkes. "I was the only one covering it. 2010 is going to be much tougher." To stand out, he went on to say, you're going to need a good story. That's what they used to tell journalists.

Due to the wonders of the Net, you can experience the debate for yourself. The other participants were Sunny Hundal (Liberal Conspiracy), Mick Fealty (Slugger O'Toole), Jonathan Isaby (Conservative Home), and the Observer journalist Nick Cohen, there to act as the token nay-sayer. (I won't use skeptic, because although the popular press like to see a "skeptic" as someone who's just there to throw brickbats, I use the term rather differently: skepticism is inquiry and skeptics ask questions and examine evidence.)

All four of political bloggers have a precise idea of what they're trying to do and who they're writing for. Jonathan Isaby, who claims he's the first British journalist to leave a full-time newspaper job (at the Telegraph) for new media, said he's read almost universally among Conservative candidates. Paul Staines aims Guido Fawkes at "the Westminster bubble". Mick Fealty uses Slugger O'Toole to address a "differentiated audience" that is too small for TV, radio, and newspapers. Finally, Sunny Hundal uses Liberal Conspiracy to try to "get the left wing to become a more coherent force".

Despite their various successes, Cohen's basic platform defended newspapers. Blogging, he said, is not replacing the essential core of journalism: investigation and reporting. He's right up to a point. But some do exactly that. Westminster Skeptics convenor David Allen Green, then standing approximately eight inches away, is one example. But it's probably true that for every blogger with sufficient curiosity and commitment to pick up a phone or bang on someone's door there are a couple of hundred more who write blog postings by draping a couple of hundred words of opinion around a link to a story that appeared in the mainstream media.

Of course, as Cohen didn't say, plenty of journalists\, through lack of funding, lack of time, or lack of training, find themselves writing news stories by draping a couple of hundred words of rewritten press release around the PR-provided quotes - and soul-destroying work it is, too. My answer to Cohen, therefore, is to say that commercial publishers have contributed to their own problems, and that one reason blogs have become such an entrenched medium is that they cover things that no newspaper will allow you to write about in any detail. And it's hard to argue with Cohen's claim that almost any blogger finding a really big story will do the sensible thing and sell it to a newspaper.

If you can. Arguably the biggest political story of 2009 was MPs' expenses. That material was released because of the relentless efforts of Heather Brooke, who took up the 2005 arrival into force of the UK's Freedom of Information Act as a golden opportunity. It took her nearly five years to force the disclosure of MPs' expenses - and when she finally succeeded the Telegraph wrote its own stories after poring over the details that were disclosed.

The fact is that political blogging has been with us for far longer than one five-year general election cycle. It's just that most of it does not take the same form as the "inside politics" blogs of the US or the traditional Parliamentary sketches in the British newspapers. The push for Libel reform began with Jack of Kent (David Allen Green); the push to get the public more engaged with their MPs began with MySociety's Fax Your MP. It was clear as long ago as 2006 that MPs were expert users of They Work For You: it's how they keep tabs on each other. MySociety's sites are not blogs - but they are the source material without which political blogging would be much harder work.

I don't find it encouraging to hear Isaby predict that in the upcoming election (expected in May) blogging "will keep candidates on their toes" because "gaffes will be more quickly reported". Isn't this the problem with US elections? That everyone gets hung up on calumnies such as that Al Gore claimed to have invented the Internet. Serious issues fall by the wayside, and good candidates can be severely damaged by biased reporting that happens to feed an eminently quotable sarcastic joke. Still: anything for a little light into the smoke-filled back rooms where British politics is still made. Even with smoking now banned, it's murky back there.

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series.

January 22, 2010

Music night

Most corporate annual reports seek to paint a glowing picture of the business's doings for the previous year. By law they have to disclose anything really unfortunate - financial losses, management malfeasance, a change in the regulatory landscape. The International Federation of the Phonographic Industry was caught in a bind writing its Digital Music Report 2010 (PDF) (or see the press release). Paint too glowing a picture of the music business, and politicians might conclude no further legislation is needed to bolster the sector. Paint too gloomy a picture, and ministers might conclude theirs is a lost cause, and better to let dying business models die.

So IFPI's annual report veers between complaining about "competing in a rigged market" (by which they mean a market in which file-sharing exists) and stressing the popularity of music and the burgeoning success of legally sanctioned services. Yay, Spotify! Yay, Sky Songs! Yay, iTunes! You would have to be the most curmudgeonly of commentators to point out that none of these are services begun by music companies; they are services begun by others that music companies have been grudgingly persuaded to make deals with. (I say grudgingly; naturally, I was not present at contract negotiations. Perhaps the music companies were hopping up and down like Easter bunnies in their eagerness to have their product included. If they were, I'd argue that the existence of free file-sharing drove them to it. Without file-sharing there would very likely be no paid subscription services now; the music industry would still be selling everyone CDs and insisting that this was the consumer's choice.)

The basic numbers showed that song downloads increased by 10 percent - but total revenue including CDs fell by 12 percent in the first half of 2009. The top song download: Lady Gaga's "Poker Face".

All this is fair enough - an industry's gotta eat! - and it's just possible to read it without becoming unreasonable. And then you hit this gem:

Illegal file-sharing has also had a very significant, and sometimes disastrous, impact on investment in artists and local repertoire. With their revenues eroded by piracy, music companies have far less to plough back into local artist development. Much has been made of the idea that growing live music revenues can compensate for the fall-off in recorded music sales, but this is, in reality, a myth. Live performance earnings are generally more to the benefit of veteran, established acts, while it is the younger developing acts, without lucrative careers, who do not have the chance to develop their reputation through recorded music sales.
So: digital music is ramping up (mostly through the efforts of non-music industry companies and investors). Investment in local acts and new musicians is down. And overall sales are down. And we're blaming file-sharing? How about blaming at least the last year or so of declining revenues on the recession? How about blaming bean counters at record companies who see a higher profit margin in selling yet more copies of back catalogue tried-and-tested, pure-profit standards like Frank Sinatra and Elvis Presley than in taking risks on new music? At some point, won't everyone have all the copies of the Beatles albums they can possibly use? Er, excuse me, "consume". (The report has a disturbing tendency to talk about "consuming" music; I don't think people have the same relationship with music that they do with food. I'd also question IFPI's whine about live music revenues: all young artists start by playing live gigs, that's how they learn; *radio play* gets audiences in; live gigs *and radio play* sell albums, which help sell live gigs in a virtuous circle, but that's a topic for another day.)

It is a truth rarely acknowledged that all new artists - and all old artists producing new work - are competing with the accumulated back catalogue of the past decades and centuries.

IFPI of course also warns that TV, book publishing, and all other media are about to suffer the same fate as music. The not-so-subtle underlying message: this is why we must implement ferocious anti-file-sharing measures in the Digital Economy Bill, amendments to which, I'm sure coincidentally, were discussed in committee this week, with more to come next Tuesday, January 26.

But this isn't true, or not exactly. As a Dutch report on file-sharing (original in Dutch) pointed out last year, file-sharing, which it noted goes hand-in-hand with buying, does not have the same impact on all sectors. People listen to music over and over again; they watch TV shows fewer but still multiple times; if they don't reread books they do at least often refer back to them; they see most movies only once. If you want to say that file-sharing displaces sales, which is debatable, then clearly music is the least under threat. If you want to say that file-sharing displaces traditional radio listening, well, I'm with you there. But IFPI does not make that argument.

Still, some progress has been made. Look what IFPI says here, on page 4 in the executive summary right up front: "Recent innovations in the à-la-carte sector include...the rollout of DRM-free downloads internationally." Wha-hey! That's what we told them people wanted five years ago. Maybe five years from now they'll be writing how file-sharing helps promote artists who, otherwise, would never find an audience because no one would ever hear their work.


Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, follow on Twitter, or send email to netwars@skeptic.demon.co.uk.

November 27, 2009

Women and children first

The Irish author Tim Pat Coogan has commented that Ireland was colonized twice: once by the British, and once by the Catholic church. I was reminded of that yesterday when reading that the leader of the Irish Catholic church, Cardinal Sean Brady, the Irish government, and the commissioner of the Irish police have all apologized for decades of systematically covering up child abuse by Catholic priests, uncovered in the damning report of a three-year inquiry into the Archdiocese of Dublin from 1975 to 2004. It seems that the cover-up went, like Watergate, all the way to the top.

When I was living in Ireland in the late 1980s few people talked about abuse by priests. One who did was Frank Crummey, whom I interviewed for one of my first-ever published pieces, for the Guardian's women's page about the prosecution of the Irish Family Planning Association for giving away condoms at Virgin's Dublin Megastore. (Richard Branson funded the IFPA's defense, and flew in for the court hearing.) The chain of contacts led to Margaret Gaj, a veteran of contraceptive campaigns, and she sent me to Crummey.

He told me that his interest in contraception began as a campaign to redress the imbalance in subsidies between the Gaeltacht - Irish-language - and English-speaking agricultural areas. Working on that got him into the schools, where he saw that children were being abused - he mentioned in particular the Christian Brothers. But trying to engage their mothers on the issue failed: they were too poor and too dependent on their priests for help and charity to risk confrontation. Often, he told me, the priests would divulge even to abusive husbands what their wives said in the supposedly safe confessional. As the Irish writer Seán Mac Mathúna asked in one of his short stories, "Who'd be a woman in Ireland?" The situation with respect to child abuse seems not to have been much different: clergy and police cooperated to protect the guilty.

Unable to interest the authorities in the problems he was finding in the schools - a problem he encountered again, reportedly, in Ireland's industrial schools - Crummey concluded that the underlying problem was that too many children consigned them to poverty and powerlessness. That's when he began smuggling contraceptives into Ireland and, with his family's help, distributing them by post. The letters he got from desperate women telling their stories to beg for help, he said, were heart-rending.

It is hard to convey to anyone who didn't live in Ireland in or before the 1980s how deeply embedded the Church was. It owned 90 percent of the primary schools and most of the hospitals. The Irish Constitution, although it includes a US-like clause guaranteeing the separation of church and state clearly intended "freedom of religion" to mean "freedom to be Catholic". The late Leslie Shepard, editor of The Encyclopedia of Occultism and Parapsychology and an early supporter of The Skeptic frequently talked about the unique position of priests in rural villages in earlier times. Often, he noted, they were the only people who could read and write.

In fact, the village priest figured heavily in one of the topics covered in the early issues of The Skeptic (and revisited in the soon-to-be forthcoming Why Statues Weep: the Best of The Skeptic from Philosophy Press). The Trinity College Dublin professor David Berman had discovered new documents showing that the local priest was behind the Knock Apparitions. (Shepard always vehemently disputed that any village priest could be so deceptive.) I'm not sure a similar strategy will work now.

Noticeable change had begun while I was living there, often attributed to economic improvement that meant that many of Ireland's emigrants could afford to return, bringing with them experiences of life in other countries. A few of these founded the Campaign to Separate Church and State; others banded together to build non-denominational charter schools for their kids. In the 1990s, of course, then along came the technology boom which, at least for a time, charged the economy.

The Church was already in trouble before the scandals broke. Writing in Disillusioned Decades: Ireland 1966-1987 (Gill and Macmillan, 1987), Coogan noted that, "...though the presence of the church is all-pervasive there has been a diminution of the grip which it is able to maintain on an increasingly well-educated society. Increasing affluence (of a sort) and mobility mean that people can move in and out of the purview of the church without permitting it to have any great influence on their conduct (unless, of course, they want an abortion or a divorce)." From 1970 to 1985, the numbers entering the priesthood dropped by a quarter.

Now, according to the Independent, the abuse scandals have not only dramatically accelerated the already notable decline in numbers applying to enter the priesthood but is emptying the churches. For a country that only a little over 20 years ago could be persuaded through the power of the pulpit to vote down a constitutional amendment allowing divorce, it's staggering. The change may be less of a hard road for Ireland than it appears: one of the key messages the CSCS tried to impart in the late 1980s and early 1990s was that the church paid for less than people thought, since the religious-owned schools and hospitals had and have considerable State funding.


Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, follow on Twitter, or send email to netwars@skeptic.demon.co.uk.

November 20, 2009

Thou shalt not steal

As we're so fond of saying, technology moves fast, and law moves slowly. What we say far less often is that law should move slowly. It is not a sign of weakness to deliberate carefully about laws that affect millions of people's lives and will stay on the books for a long, long time. It's always seemed to me that the Founding Fathers very deliberately devised the US system to slow things down - and to ensure that the further-reaching the change the more difficult it is to enact.

Cut to today's Britain. The Internet may perceive censorship as damage and route around it, but politicians seem increasingly to view due and accountable legal process as an unnecessary waste of time and try to avoid it. Preventing this is, of course, what we have constitutions for; democracy is a relatively mature technology.

Today's Digital Economy bill is loaded with provisions for enough statutory instruments to satisfy the most frustrated politician's desire to avoid all that fuss and bother of public debate and research. Where legislation requires draft bills, public consultations, and committee work, a statutory instrument can pass both houses of Parliament on the nod. For minor regulatory changes - such as, for example, the way money is paid to pensioners (1987) - limiting the process to expert discussion and a quick vote makes sense. But when it comes to allowing the Secretary of State to change something as profound and far-reaching in impact as copyright law with a minimum of public scrutiny, it's an outrageous hijack of the democratic process.

Here is the relevant quote from the bill, talking about the Copyright, Designs, and Patents Act 1988:

The Secretary of State may by order amend Part 1 or this Part for the purpose of preventing or reducing the infringement of copyright by means of the internet, if it appears to the Secretary of State appropriate to do so having regard to technological developments that have occurred or are likely to occur.

Lower down, the bill does add that:

Before making any order under this section the Secretary of State must consult such persons who the Secretary of State thinks likely to be affected by the order, or who represent any of those persons, as the Secretary of State thinks fit.

Does that say he (usually) has to consult the public? I don't think so; until very recently it was widely held that the only people affected by copyright law were creators and rights holders - these days rarely the same people even though rights holders like, for public consumption, to pretend otherwise (come contract time, it's a whole different story). We would say that everyone now has a stake in copyright law, given the enormously expanded access to the means to create and distribute all sorts of media, but it isn't at all clear that the Secretary of State would agree or what means would be available to force him to do so. What we do know is that the copyright policies being pushed in this bill come directly from the rights holders.

Stephen Timms, talking to the Guardian, attempted to defend this provision this way:

The way that this clause is formed there would be a clear requirement for full public consultation [before any change] followed by a vote in favour by both houses of Parliament."

This is, put politely, disingenuous: this government has, especially lately - see also ID cards - a terrible record of flatly ignoring what public consultations are telling them, even when the testimony submitted in response to such consultations comes from internationally recognized experts.

Timms' comments are a very bad joke to anyone who's followed the consultations on this particular bill's provisions on file-sharing and copyright, given that everyone from Gowers to Dutch economists are finding that loosening copyright restrictions has society-wide benefits, while Finland has made 1Mb broadband access a legal right and even France's courts see Internet access as a fundamental human right (especially ironic given that France was the first place three strikes actually made it into law).

In creating the Digital Economy bill, not only did this government ignore consultation testimony from everyone but rights holders, it even changed its own consultation mid-stream, bringing back such pernicious provisions as three-strikes-and-you're-disconnected even after agreeing they were gone. This government is, in fact, a perfect advertisement for the principle that laws that are enacted should be reviewed with an eye toward what their effect will be should a government hostile to its citizenry come to power.

Here is some relevant outrage from an appropriately native British lawyer specializing in Net issues, Lilian Edwards:

So clearly every time things happen fast and the law might struggle to keep up with them, in future, well we should just junk ordinary democratic safeguards before anyone notices, and bow instead to the partisan interests who pay lobbyists the most to shout the loudest?

Tell me to "go home if you don't like it here" because I wasn't born in the UK if you want to, but she's a native. And it's the natives who feel betrayed that you've got to watch out for.

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of the earlier columns in this series. Readers are welcome to post here, follow on , or send email to netwars@skeptic.demon.co.uk.

October 30, 2009

Kill switch

There's an old sort-of joke that goes, "What's the best way to kill the Internet?" The number seven answer, according to Simson Garfinkel, writing for HotWired in 1997: "Buy ten backhoes." Ba-boom.

The US Senate, never folks to avoid improving a joke, came up with a new suggestion: install a kill switch. They published this little gem (as S.773) on April 1. It got a flurry of attention and then forgotten until the last week or two. (It's interesting to look back at Garfinkel's list of 50 ways to kill the Net and notice that only two are government actions, and neither is installing a "kill switch").

To be fair, "kill switch" is an emotive phrase for what they have in mind, which is that the president:

may declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal Government or United States critical infrastructure information system or network
.

Now, there's a lot of wiggle room in a vague definition like "critical infrastructure system". That could be the Federal government's own servers. Or the electrical grid, the telephone network, the banking system, the water supply, or even, arguably, Google. (It has 64+ percent of US search queries, and if you can't find things the Internet might as well be dead.) But what this particular desire of the Senate's sounds most like is those confused users who think they can catch a biological virus from their computers.

Still, for the media, calling the Senate's idea a "kill switch" is attention-getting political genius. We don't call the president's power to order the planes out of the sky, as happened on 9/11 a "crash switch", but imagine the outcry against it if we did.

Technically, the idea that there's a single off switch waiting to be implemented somewhere, is of course ridiculous.

The idea is also administrative silliness: Obama, we hope, is kind of busy. The key to retaining sanity when you're busy is to get other people to do all the things they can without your input. We would hope that the people running the various systems powering the federal government's critical infrastructure could make their own, informed decisions - faster than Obama can - about when they need to take down a compromised server.

Despite wishful thinking, John Gilmore's famous aphorism, "The Net perceives censorship as damage and routes around", doesn't really apply here. For one thing, even a senator knows - probably - that you can't literally shut down the entire Internet from a single switch sitting in the President's briefcase (presumably next to the nuclear attack button). Much of the Internet is, after all, outside the US; much of it is in private ownership. (Perhaps the Third Amendment could be invoked here?)

For another, Gilmore's comment really didn't apply to individual Internet-linked computer networks; Google's various bits of outages this year ought to prove that it's entirely possible for those to be down without affecting the network at large. No, the point was that if you try to censor the Net its people will stop you by putting up mirror servers and passing the censored information around until everyone has a copy. The British Chiropractic Association (quacklash!) and Trafigura are the latest organizations to find out what Gilmore knew in 1993. He also meant, I suppose, that the Internet protocols were designed for resilience and to keep trying by whatever alternate routes are available if data packets don't get through.

Earlier this week another old Net hand, Web inventor Tim Berners-Lee, gave some rather sage advice to the Web 2.0 conference. One key point: do not build your local laws into the global network. That principle would not, unfortunately, stop the US government from shutting off its own servers (to spite its face?), but it does nix the idea of, say, building the network infrastructure to the specification of any one particular group - the MPAA or the UK government, in defiance of the increasingly annoyed EU. In the same talk, Berners-Lee also noted (according to CNET): "I'm worried about anything large coming in to take control, whether it's large companies or government."

Threats like these were what he set up W3C to protect against. People talk with reverence of Berners-Lee's role as inventor, but many fewer understand that the really big effort is the 30 years since the aha! moment of creation, during which Berners-Lee has spent his time and energy nurturing the Web and guiding its development. Without that, it could easily have been strangled by competing interests, both corporate and government. As, of course, it still could be, depending on the outcome of the debates over network neutrality rules.

Dozens of decisions like Berners-Lee's were made in creating the Internet. They have not made it impossible to kill - I'm not sure how many backhoes you'd need now, but I bet it's still a surprisingly finite number - but they have made it a resilient and robust network. A largely democratic medium, in fact, unlike TV and radio, at least so far. The Net was born free; the battles continue over whether it should be in chains.


Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, follow on Twitter, or by email to netwars@skeptic.demon.co.uk.

October 23, 2009

The power of Twitter

It was the best of mobs, it was the worst of mobs.

The last couple of weeks have really seen the British side of Twitter flex its 140-character muscles. First, there was the next chapter of the British Chiropractic Association's ongoing legal action against science writer Simon Singh. Then there was the case of Jan Moir, who wrote a more than ordinarily Daily Mailish piece for the Daily Mail about the death of Boyzone's Stephen Gately. And finally, the shocking court injunction that briefly prevented the Guardian from reporting on a Parliamentary question for the first time in British history.

I am on record as supporting Singh, and I, too, cheered when, ten days ago, Singh was granted leave to appeal Justice Eady's ruling on the meaning of Singh's use of the word "bogus". Like everyone, I was agog when the BCA's press release called Singh "malicious". I can see the point in filing complaints with the Advertising Standards Authority over chiropractors' persistent claims, unsupported by the evidence, to be able to treat childhood illnesses like colic and ear infections.

What seemed to edge closer to a witch hunt was the gleeful take-up of George Monbiot's piece attacking the "hanging judge", Justice Eady. Disagree with Eady's ruling all you want, but it isn't hard to find libel lawyers who think his ruling was correct under the law. If you don't like his ruling, your correct target is the law. Attacking the judge won't help Singh.

The same is not true of Twitter's take-up of the available clues in the Guardian's original story about the gag to identify the Parliamentary Question concerned and unmask Carter-Ruck, the lawyers who served it and their client, Trafigura. Fueled by righteous and legitimate anger at the abrogation of a thousand years of democracy, Twitterers had the PQ found and published thousands of times in practically seconds. Yeah!

Of course, this phenomenon (as I'm so fond of saying) is not new. Every online social medium, going all the way back to early text-based conferencing systems like CIX, the WELL, and, of course, Usenet, when it was the Internet's town square (the function in fact that Twitter now occupies) has been able to mount this kind of challenge. Scientology versus the Net was probably the best and earliest example; for me it was the original net.war. The story was at heart pretty simple (and the skirmishes continue, in various translations into newer media, to this day). Scientology has a bunch of super-secrets that only the initiate, who have spent many hours in expensive Scientology training, are allowed to see. Scientology's attempts to keep those secrets off the Net resulted in their being published everywhere. The dust has never completely settled.

Three people can keep a secret if two of them are dead, said Mark Twain. That was before the Internet. Scientology was the first to learn - nearly 15 years ago - that the best way to ensure the maximum publicity for something is to try to suppress it. It should not have been any surprise to the BCA, Trafigura, or Trafigura's lawyers. Had the BCA ignored Singh's article, far fewer people would know now about science's dim view of chiropractic. Trafigura might have hoped that a written PQ would get lost in the vastness that is Hansard; but they probably wouldn't have succeeded in any case.

The Jan Moir case, and the demonstration outside Carter-Ruck's offices are, however rather different. These are simply not the right targets. As David Allen Green (Jack of Kent) explains, there's no point in blaming the lawyers; show your anger to the client (Trafigura) or to Parliament.

The enraged tweets and Facebook postings about Moir's article helped send a record number of over 25,000 complaints to the Press Complaints Commission, whose Web site melted down under the strain. Yes, the piece was badly reasoned and loathsome, but isn't that what the Daily Mail lives for? Tweets and links create hits and discussion. The paper can only benefit. In fact, it's reasonable to suppose that in the Trafigura and Moir cases both the Guardian and the Daily Mail manipulated the Net perfectly to get what they wanted.

But the stupid part about let's-get-Moir is that she does not *matter*. Leave aside emotional reactions, and what you're left with is someone's opinion, however distasteful.

This concerted force would be more usefully turned to opposing the truly dangerous. See for example, the AIDS denialism on parade by Fraser Nelson at The Spectator. The "come-get-us" tone e suggests that they saw attention New Humanist got for Caspar Melville's mistaken - and quickly corrected - endorsement of the film House of Numbers and said, "Let's get us some of that." There is no more scientific dispute about whether HIV causes AIDS than there is about climate change or evolutionary theory.

If we're going to behave like a mob, let's stick to targets that matter. Jan Moir's column isn't going to kill anybody. AIDS denialism will. So: we'll call Trafigura a win, chiropractic a half-win, and Moir a loser.

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, follow on Twitter, or send email to netwars@skeptic.demon.co.uk.

August 28, 2009

Develop in haste, lose the election at leisure

Well, this is a first: returning to last week's topic because events have already overtaken it.

Last week, the UK government was conducting a consultation on how to reduce illegal file-sharing by 70 percent within a year. We didn't exactly love the proposals, but we did at least respect the absence of what's known as "three strikes" - as in, your ISP gets three complaints about your file-sharing habit and kicks you offline. The government's oh-so-English euphemism for this is "technical measures". Activists opposed to "technical measures" often call them HADOPI, after the similar French law that was passed in May (and whose three strikes portions were struck down in June); HADOPI is the digital rights agency that law created.

This week, the government - or more precisely, the Department for Business, Innovation, and Skills - suddenly changed its collective mind and issued an addendum to the consultation (PDF) that - wha-hey! - brings back three strikes. Its thinking has "developed", BIS says. Is it so cynical to presume that what has "developed" in the last couple of months is pressure from rights holders? Three strikes is a policy the entertainment industry has been shopping around from country to country like an unwanted refugee. Get it passed in one place and use that country a lever to make all the others harmonize.

What the UK government has done here is entirely inappropriate. At the behest of one business sector, much of it headquartered outside Britain, it has hijacked its own consultation halfway through. It has issued its new-old proposals a few days before the last holiday weekend of the summer. The only justification it's offered: that its "new ideas" (they aren't new; they were considered and rejected earlier this year, in the Digital Britain report (PDF)) couldn't be implemented fast enough to meet its target of reducing illicit file-sharing by 70 percent by 2012 if they aren't included in this consultation. There's plenty of protest about the proposals, but even more about the government's violating its own rules for fair consultations.

Why does time matter? No one believes that the Labour government will survive the next election, due by 2010. The entertainment industries don't want to have to start the dance all over again, fine: but why should the rest of us care?

As for "three strikes" itself, let's try some equivalents.

Someone is caught speeding three times in the effort to get away from crimes they've committed, perhaps a robbery. That person gets points on their license and, if they're going fast enough, might be prohibited from driving for a length of time. That system is administered by on-the-road police but the punishment is determined by the courts. Separately, they are prosecuted for the robberies, and may serve jail time - again, with guilt and punishment determined by the courts.

Someone is caught three times using their home telephone to commit fraud. They would be prosecuted for the fraud, but they would not be banned from using the telephone. Again, the punishment would be determined by the courts after a prosecution requiring the police to produce corroborating evidence.

Someone is caught three times gaming their home electrical meter so that they are able to defraud the electrical company and get free electricity. (It's not so long since in parts of the UK you could achieve this fairly simply just by breaking into the electrical meter and stealing back the coins you fed it with. You would, of course, be caught at the next reading.) I'm not exactly sure what happens in these cases, but if Wikipedia is to be believed, when caught such a customer would be switched to a higher tariff.

It seems unlikely that any court would sentence such a fraudster to live without an electricity supply, especially if they shared their home, as most people do, with other family members. The same goes for the telephone example. And in the first case, such a person might be banned from driving - but not from riding in a car, even the getaway car, while someone else drove it, or from living in a house where a car was present.

Final analogy: millions of people smoke marijuana, which remains illegal. Marijuana has beneficial uses (relieving the nausea from chemotherapy, remediating glaucoma) as well as recreational ones. We prosecute the drug dealers, not the users.

So let's look again at these recycled-reused proposals. Kicking someone offline after three (or however many) complaints from rights holders:

1- Affects everyone in their household. Kids have to go to the library to do homework, spouses/'parents can't work at home or socialize online. An entire household is dropped down the wrong side of the Digital Divide. As government functions such as filing taxes, providing information about public services, and accepting responses to consultations all move online, this household is now also effectively disenfranchised.

2- May in fact make both the alleged infringer and their spouse unemployable.

3- Puts this profound control over people's lives, private and public, personal and financial into the hands of ISPs, rights holders, and Ofcom, with no information about how or whether the judicial process would be involved. Not that Britain's court system really has the capacity to try the 10 percent of the population that's estimated to engage in file-sharing. (Licit, illicit, who can tell?)

All of these effects are profoundly anti-democratic. Whose government is it, anyway?


Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, follow on Twitter, or send email to netwars@skeptic.demon.co.uk.

August 21, 2009

This means law

You probably aren't aware of this, but there's a consultation going on right now about what to do about illegal peer-to-peer file-sharing; send in comments by September 15. Tom Watson, the former minister for digital engagement, has made some sensible suggestions for how to respond in print and blog.

This topic has been covered pretty regularly in net.wars, but this is different and urgent: this means law.

Among the helpful background material provided with the consultation document are an impact assessment and a financial summary. The first of these explains that there were two policy options under consideration: 1) Do nothing. 2) (Preferred) legislate to reduce illegal downloading "by making it easier and cheaper for rightsholders to bring civil actions against suspected illegal file-sharers". Implementing that requires ISPs to cooperate by notifying their subscribers. There will be a code of practice (less harsh than this one, we trust) including options such as bandwidth capping and traffic shaping, which Ofcom will supervise, at least for now (there may yet be a digital rights agency).

The document is remarkably open about who it's meant to benefit - and it's not artists.

Government intervention is being proposed to address the rise in unlawful P2P file-sharing which can reduce the incentive for the creative industries to invest in the development, production and distribution of new content. Implementation of the proposed policy will allow right [sic] holders to better appropriate returns on their investment.

The included financial assessment, which in this case is the justification for the entire exercise (p 40), lays out the expected benefits: BERR expects rightsholders to pick up £1,700 million by "recovering displaced sales", at a cost to ISPs and mobile network operators of £250 to £500 million over ten years. Net benefit: £1.2 billion. Wha-hey!

My favorite justification for all this is the note that because that are an estimated 6.5 million file-sharers in the UK there are *too many* of us to take us all to court, rightsholders' preferred deterrence method up until now. Rightsholders have marketing experts working for them; shouldn't they be getting some message from these numbers?

There are some things that are legitimately classed as piracy and that definitely cost sales. Printing and selling counterfeit CDs and DVDs is one such. Another is posting unreleased material online without the artist's or rightsholder's permission; that is pre-empting their product launch, and whether you wind up having done them a favor or not, there's no question that it's simply wrong. The answer to the first of these is to shut down pirate pressing operations; the answer to the second is to get the industry to police its own personnel and raise the penalties for insider leaks. Neither can be solved by harassing file-sharers.

It's highly questionable whether file-sharing costs sales; the experience of most of us who have put our work online for free is that sales increase. However, there is no doubt in my mind that there are industries file-sharing hurts. Two good examples in film are the movie rental business and the pay TV broadcasters, especially the premium TV movie channels.

As against that, however, the consultation notes but dismisses the cost to consumers: it estimates that ISPs' costs, when passed on to consumers, will reduce the demand for broadband by 10,000 to 40,000 subscribers, representing lost revenue to ISPs of between £2 and £9 million a year (p50). The consultatation goes on to note that some consumers will cease consuming content altogether and that therefore the policy will exacerbate existing inequality since those on the lowest incomes will likely lose the most.

It is not possible to estimate such welfare loss with current data availability, but estimates for the US show that this welfare loss could be twice as large as the benefit derived from reducing the displacement effect to industry revenues.

Shouldn't this be incorporated into the financial analysis?

We must pause to admire the way the questions are phrased. Sir Bonar would be proud: ask if your proposals are implementing what you want to do in the right way. In other words, ask if three is the right number of warning letters to send infringers before taking stronger action (question 9), or whether it's a good idea to leave exactly how costs are to be shared between rightsholders and ISPs flexible rather than specifying (question 6). The question I'd ask, which has not figured in any of the consultations I've seen would be: is this the best way to help artists navigate the new business models of the digital age?

Like Watson, my answer would be no.

Worse, the figures do not take into account the cost to the public, analyzed last year in the Netherlands.

And the assumptions seem wrong. The consultation document claims that research shows that approximately 70 percent of infringers stop when they receive a warning letter, at least in the short term. But do they actually stop? Or do they move their file-sharing to different technologies? Does it just become invisible to their ISP?

So far, file-sharers have responded to threats by developing new technologies better at obfuscating users' activities. Napster...Gnutella...eDonkey...BitTorrent. Next: encrypted traffic that looks just like a VPN connection.

I remain convinced that if the industry really wants to deter file-sharing it should spend its time and effort on creating legal, reliable alternatives. Nothing less will save it. Oh, yeah, and it would be a really good idea for them to be nice to artists, too. Without artists, rightsholders are nothing.

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, follow on , or send email to netwars@skeptic.demon.co.uk.

August 14, 2009

We love the NHS

All wars have unexpected casualties; in the US, the rhetorical war on anything that smacks of nationalized health insurance briefly took out Stephen Hawking's citizenship. It is, as Bugs Bunny said, to laugh:

People such as scientist Stephen Hawking wouldn't have a chance in the U.K. where the National Health Service would say the quality of life of this brilliant man, because of his physical handicaps, is essentially worthless.

Language Log's Geoffrey K. Pullum surmised that the problem is that Hawking's speech synthesizer doesn't sound British. (Pullum may not be aware that American film critic Roger Ebert's voice synthesizer does have a British accent, one so fluidly and emolliently English that Ebert and his wife refer to the synthesizer as "Sir Larry". Maybe Ebert and Hawking should swap.)

IBD has admitted the error, and slightly recast its original point, claiming now that Hawking's fame means the NHS treats him differently, and look, see, his own Web site says he has 24-hour care paid for by foundations. We were right all along: the NHS is bad! Three points. First: Hawking was diagnosed with ALS when he was 21, and had many years of care before he became famous. Two: rich, famous people get the best of every health system ever invented. See also the Royal Family. Third: what does IBD imagine Hawking's situation would be were he American?

Hawking was a bystander. The real ire, astoundingly, has been saved for, of all things, the British National Health Service, surely the least likely organization to be tasked with providing health care for Americans. Why is an economic model for providing health care being evaluated as if it were about issuing axes to doctors with orders to use them on anyone over 80?

The rhetoric - one hesitates to call it a debate - over Obama's health care plan - reminds me of the 1985 campaign against legalizing divorce in the Republic of Ireland ("Divorce hurts women and children. Vote NO.")

So some US opponents of national health insurance claim Obama wants to bring in death panels, and that the quality of health care will plummet. Whereas, the reality is that even if you dispute the 47 million figure, increasing millions of Americans have no health insurance, that the majority of American bankruptcies are due to medical bills, and that more than half of those had health insurance. The reality is also that the ongoing replacement of full-time jobs with benefits with part-time jobs and "permatemps" mean that increasing numbers of what used to be the middle class will not be covered at all. Improve the detail of Obama's plan, by all means. But does anyone seriously think the problem has not grown since Hilary Rodham Clinton's plan failed? Does anyone think that fighting over things that aren't in the plan will help matters?

For people to react this viscerally to insurance proposals says there's more going on than rational opposition (and even more rational lobbying by insurance and pharmaceutical companies spouting the evils of "socialism"). This reaction is, I believe, American Dream interruptus. It is the worst side of the pioneer spirit: the US is the land of opportunity; anyone can have access to superb treatment if they work hard enough. You make your own life, you "take care of yourself", government interference will only steal from you. You can see echoes of this in Esther Dyson's "Health 2.0" piece for the FT this week, in which she seems to suggest that better information will revolutionize health care. net.wars covered the self-quantifying movement in October 2008, and better monitoring may well help many people, but it will not solve the question of how to pay for MRIs, cancer drugs, or Alzheimers care..

Americans who genuinely believe the NHS is a bad thing are, I think, making the same mistake I made in the 1970s: they read the complaints about waiting lists, geographically uneven care, and rationed treatments, and think it must be bad. Whereas the reality is that British people complain about the post yet expect letters to arrive within 24 hours, the public transport yet juggle multiple routes across London in their heads, and the weather, which by any reasonable standard is mild, even friendly.

I have learned better.

Among all the thousands of people I have met in the UK, not one has ever said they would scrap the NHS. None has ever suggested the UK would be better off with a US-style health insurance market. To be sure, some have supplemental private insurance. But everyone agrees: for catastrophic health care you can't beat the NHS. Friends of sick US friends raise funds so they don't have to choose between drugs and food; sick UK friends do not spend their limited energy fighting through insurance company paperwork and begging insurance companies for treatment. People do not go bankrupt in the UK because of medical bills. Many of my American friends now envy me my access to the NHS - for which I pay in taxes.

The NHS may be the most democratic institution ever created: it is a rational way to share an expensive resource as well as a social compact. Because sooner or later, no matter how hard you work and how pure a lifestyle you lead, health problems will come for you, too.

Yes, we love the NHS. Millions of us.

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, follow on , or send email to netwars@skeptic.demon.co.uk.

July 24, 2009

Security for the rest of us


Many governments, faced with the question of how to improve national security, would do the obvious thing: round up the usual suspects. These would be, of course, the experts - that is, the security services and law enforcement. This exercise would be a lot like asking the record companies and film studios to advise on how to improve copyright: what you'd get is more of the same.

This is why it was so interesting to discover that the US National Academies of Science was convening a workshop to consult on what research topics to consider funding, and began by appointing a committee that included privacy advocates and usability experts, folks like Microsoft researcher Butler Lampson, Susan Landau, co-author of books on privacy and wiretapping, and Donald Norman, author of the classic book The Design of Everyday Things. Choosing these people suggests that we might be approaching a watershed like that of the late 1990s, when the UK and the US governments were both forced to understand that encryption was not just for the military any more. The peace-time uses of cryptography to secure Internet transactions and protect mobile phone calls from casual eavesdropping are much broader than crypto's war-time use to secure military communications.

Similarly, security is now everyone's problem, both individually and collectively. The vulnerability of each individual computer is a negative network externality, as NYU economist Nicholas Economides pointed out. But, as many asked, how do you get people to understand remote risks? How do you make the case for added inconvenience? Each company we deal with makes the assumption that we can afford the time to "just click to unsubscribe" or remember one password, without really understanding the growing aggregate burden on us. Norman commented that door locks are a trade-off, too: we accept a little bit of inconvenience in return for improved security. But locks don't scale; they're acceptable as long as we only have to manage a small number of them.

In his 2006 book, Revolutionary Wealth, Alvin Toffler comments that most of us, without realizing it, have a hidden third, increasingly onerous job, "prosumer". Companies, he explained, are increasingly saving money by having us do their work for them. We retrieve and print out our own bills, burn our own CDs, provide unpaid technical support for ourselves and our families. One of Lorrie Cranor's students did the math to calculate the cost in lost time and opportunities if everyone in the US read annually the privacy policy of each Web site they visited once a month. Most of these things require college-level reading skills; figure 244 hours per year per person, $3,544 each...$781 billion nationally. Weren't computers supposed to free us of that kind of drudgery? As everything moves online, aren't we looking at a full-time job just managing our personal security?

That, in fact, is one characteristic that many implementations of security share with welfare offices - and that is becoming pervasive: an utter lack of respect for the least renewable resource, people's time. There's a simple reason for that: the users of most security systems are deemed to be the people who impose it, not the people - us - who have to run the gamut.

There might be a useful comparison to information overload, a topic we used to see a lot about ten years back. When I wrote about that for ComputerActive in 1999, I discovered that everyone I knew had a particular strategy for coping with "technostress" (the editor's term). One dealt with it by never seeking out information and never phoning anyone. His sister refused to have an answering machine. One simply went to bed every day at 9pm to escape. Some refused to use mobile phones, others to have computers at home..

But back then, you could make that choice. How much longer will we be able to draw boundaries around ourselves by, for example, refusing to use online banking, file tax returns online, or participate in social networks? How much security will we be able to opt out of in future? How much do security issues add to technostress?

We've been wandering in this particular wilderness a long time. Angela Sasse, whose 1999 paper Users Are Not the Enemy talked about the problems with passwords at British Telecom, said frankly, "I'm very frustrated, because I feel nothing has changed. Users still feel security is just an obstacle there to annoy them."

In practice, the workshop was like the TV game Jeopardy: the point was to generate research questions that will go into a report, which will be reviewed and redrafted before its eventual release. Hopefully, eventually, it will all lead to a series of requests for proposals and some really good research. It is a glimmer of hope.

Unless, that is, the gloominess of the beginning presentations wins out. If you listened to Lampson, Cranor, and to Economides, you got the distinct impression that the best thing that could happen for security is that we rip out the Internet (built to be open, not secure), trash all the computers (all of whose operating systems were designed in the pre-Internet era), and start over from scratch. Or, like the old joke about the driver who's lost and asking for directions, "Well, I wouldn't start from here".

So, here's my question: how can we make security scale so that the burden stays manageable?

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, follow on Twitter, or send email to netwars@skeptic.demon.co.uk.

July 10, 2009

The public interest

It's not new for journalists to behave badly. Go back to 1930s plays-turned-movies like The Front Page (1931) or Mr Smith Goes to Washington (1939), and you'll find behavior (thankfully, fictional) as bad as this week's Guardian story that the News of the World paid out £1 million to settle legal cases that would have revealed that its staff journalists were in the habit of hiring private investigators to hack into people's phone records and voice mailboxes.

The story's roots go back to 2006, when the paper's Royal editor, Clive Goodman, was jailed for illegally intercepting phone calls. The paper's then editor, Andy Coulson, resigned and the Press Complaints Commission concluded the paper's executives did not know what Goodman was doing. Five months later, Coulson became the chief of communications for the Tory party.

There are so many cultural failures here that you almost don't know where to start counting. The first and most obvious is the failure of a newsroom to obey the dictates of common sense, decency, and the law. That particular failure is the one garnering the most criticism, and yet it seems to me the least surprising, especially for one of Britain's most notorious tabloids. Journalists have competed for stories big enough to sell papers since the newspaper business was founded; the biggest rewards generally go to the ones who expose the stories their subjects least wanted exposed. It's pretty sad if any newspaper's journalists think the public interest argument is as strong for listening to Gwyneth Paltrow's voice mail as it was to exposing MPs' expenses, but that leads to the second failure: celebrity culture.

This one is more general: none of this would happen if people didn't flock to buy stories about intimate celebrity details. And newspapers are desperate for sales.

The third failure is specific to politicians: under the rubric of "giving people a second chance" Tory leader David Cameron continues to defend Coulson, who continues to claim he didn't know what was going on. Either Coulson did know, in which case he was condoning it, or he didn't, in which case he had only the shakiest grasp of his newsroom. The latter is the same kind of failure that at other papers and magazines has bred journalistic fraud: surely any editor now ought to be paying attention to sourcing. Either way, Coulson does not come off well and neither does Cameron. It would be more tolerable if Cameron would simply say outright that he doesn't care whether Coulson is honorable or not because he's effective at the job Cameron is paying him for.

The fourth failure is of course the police, the Press Complaints Commission, and the Information Commissioner, all of whom seem to have given up rather easily in 2007.

The final failure is also general: the problem that more and more intimate information about each of us is held in databases whose owners may have incentives (legal, regulatory, commercial) for keeping them secured but which are of necessity accessible by minions whose risks and rewards are different. The weakest link in security is always the human factor, and the problem of insiders who can be bribed or conned into giving up confidential information they shouldn't is as old as the hills, whether it's a telephone company employee, a hotel chambermaid, or a former Royal nanny. Seemingly we have learned little or nothing since Kevin Mitnick pioneered the term "social engineering" some 20 years ago or since Squidgygate, when various Royals' private phone conversations were published. At least some ire should be directed at the phone companies involved, whose staff apparently find it easy to refuse to help legitimate account holders by citing the Data Protection Act but difficult to resist illegitimate blandishments.

This problem is exacerbated by what University College of London security researcher Angela Sasse calls "security fatigue". Gaining access to targets' voice mail was probably easier than you think if you figure that many people never change the default PIN on their phones. Either your private investigator turned phone hacker tries the default PIN or, as Sophos senior fellow Graham Cluley suggests, convinces the phone company to reset the PIN to the default. Yes, it's stupid not to change the default password on your phone. But with so many passwords and PINs to manage and only so much tolerance for dealing with security, it's an easy oversight. Sasse's paper (PDF) fleshing out this idea proposes that companies should think in terms of a "compliance budget" for employees. But this will be difficult to apply to consumers, since no one company we interact with will know the size of the compliance burden each of us is carrying.

Get the Press Complaints Commission to do its job properly by all means. And stop defending the guy who was in charge of the newsroom while all this snooping was going on. Change a culture that thinks that "the public interest" somehow expands to include illegal snooping just because someone is famous.

But bear in mind that, as Privacy International has warned all along, this kind of thing is going to become endemic as Britain's surveillance state continues to develop. The more our personal information is concentrated into large targets guarded by low-paid staff, the more openings there will be for those trying to perpetrate identity fraud or blackmail, snoop on commercial competitors, sell stories about celebrities and politicians, and pry into the lives of political activists.

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, follow on Twitter, or email netwars@skeptic.demon.co.uk.

July 3, 2009

What's in an assigned name?

There's a lot I didn't know at the time about the founding of the Internet Corporation for Assigned Names and Numbers, but I do remember the spat that preceded it. Until 1998, the systems for assigning domain names (DNS) and assigning Internet numbers (IANA) were both managed by one guy, Jon Postel, who by all accounts and records was a thoughtful and careful steward and an important contributor to much of the engineering that underpins the Internet even now. Even before he died in October 1998, however, plans were underway to create a successor organization to take over the names and numbers functions.

The first proposal was to turn these bits of management over to the International Telecommunications Union, and a memorandum of understanding was drawn up that many, especially within the ITU, assumed would pass unquestioned. Instead, there was much resentment and many complaints that important stakeholders (consumers, most notably) had been excluded. Eventually, ICANN was created under the auspices of the US Department of Commerce intended to become independent once it had fulfilled certain criteria. We're still waiting.

As you might expect, the US under Bush II wasn't all that interested in handing off control. The US government had some support in this, in part because many in the US seem to have difficulty accepting that the Internet was not actually built by the US alone. So alongside the US government's normal resistance to relinquishing control was an endemic sense that it would be "giving away" something the US had created.

All that aside, the biggest point of contention was not ICANN's connection to the US government, as desirable as that might be to those outside the US. Nor was it the assignment of numbers, which, since numbers are the way the computers find each other, is actually arguably the most important bit of the whole thing. It wasn't even, or at least not completely, the money (PDF), as staggering as it is that ICANN expects to rake in $61 million in revenue this year as its cut of domain name registrations. No, of course it was the names that are meaningful to people: who should be allowed to have what?

All this background is important because on September 30 the joint project agreement with DoC under which ICANN operates expires, and all these debates are being revisited. Surprisingly little has changed in the arguments about ICANN since 1998. Michael Froomkin argued in 2000 (PDF) that ICANN bypassed democratic control and accountability. Many critics have argued in the intervening years that ICANN needs to be reined in: its mission kept to a narrow focus on the DNS, and its structure designed to be transparent and accountable, and kept free of not only US government inteference but that of other governments as well.

Last month, the Center for Democracy and Technology published its comments to that effect. Last year, and in 2006, former elected ICANN board member Karl Auerbach">argued similarly, with much more discussion of ICANN's finances, which he regards as a "tax". Perhaps even more than might have been obvious then: ICANN's new public dashboard has revealed that the company lost $4.6 million on the stock market last year, an amount reporter John Levine equates to the 20-cent fee from 23 million domain name registrations. As Levine asks, if they could afford to lose that amount then they didn't need the money - so why did they collect it from us? There seems to be no doubt that ICANN can keep growing in size and revenues by creating more top-level domains, especially as it expands into long-mooted non-ASCII names (iDNs).

Arguing about money aside, the fact is that we have not progressed much, if at all, since 1998. We are asking the same questions and having the same arguments. What is the DNS for? Should it be a directory, a handy set of mnemonics, a set of labels, a zoning mechanism, or a free-for-all? Do languages matter? Early discussions included the notion that there would be thousands, even tens of thousands of global top-level domains. Why shouldn't Microsoft, Google, or the Electronic Frontier Foundation operate their own registries? Is managing the core of the Internet an engineering, legal, or regulatory problem? And, latterly, given the success and central role of search engines, do we need DNS at all? Personally, I lean toward the view that the DNS has become less important than it was, as many services (Twitter, instant messaging, VOIP) do not require it. Even the Web needs it less than it did. But if what really matters about the DNS is giving people names they can remember, then from the user point of view it matters little how many top-level domains there are. The domain info.microsoft is no less memorable than microsoft.info or microsoft.com.

What matters is that the Internet continues to function and that anyone can reach any part of it. The unfortunate thing is that none of these discussions have solved the problems we really have. Four years after the secured version of DNS (DNSsec) was developed to counteract security threats such as DNS cache poisoning that had been mooted for many more years than that, it's still barely deployed.

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, follow on , or send email to netwars@skeptic.demon.co.uk.

March 13, 2009

Threat model

It's not about Phorm, it's about snooping. At Wednesday morning's Parliamentary roundtable, "The Internet Threat", the four unhappy representatives I counted from Phorm had a hard time with this. Weren't we there to trash them and not let them reply? What do you mean the conversation isn't all about them?

We were in a committee room many medieval steps up unside the House of Lords. The gathering, was convened by Baroness Miller of Chilthorne Domer with the idea of helping Parliamentarians understand the issues raised not only by Phorm but also by the Interception Modernisation Programme, Google, Microsoft, and in fact any outfit that wants to collect huge amounts of our data for purposes that won't be entirely clear until later.

Most of the coverage of this event has focused on the comments of Sir Tim Berners-Lee, the indefatigable creator of the 20-year-old Web (not the Internet, folks!), who said categorically, "I came here to defend the integrity of the Internet as a medium." Using the Internet, he said, "is a fundamental human act, like the act of writing. You have to be able to do it without interference and/or snooping." People use the Internet when they're in crisis; even just a list of URLs you've visited is very revealing of sensitive information.

Other distinguished speakers included Professor Wendy Hall, Nicholas Bohm representing the Foundation for Information Policy Research, the Cambridge security research group's Richard Clayton, the Open Rights Group's new executive director, Jim Killock, and the vastly experienced networking and protocol consultant Robb Topolski.

The key moment, for me, was when one of the MPs the event was intended to educate asked this: "Why now?" Why, in other words, is deep packet inspection suddenly a problem?

The quick answer, as Topolski and Clayton explained, is "Moore's Law." It was not, until a couple-three years ago, possible to make a computer fast enough to sit in the middle of an Internet connection and not only sniff the packets but examine their contents before passing them on. Now it is. Plus, said Clayton, "Storage."

But for Kent Ertegrul, Phorm's managing director, it was all about Phorm. The company had tried to get on the panel and been rejected. His company's technology was being misrepresented. Its system makes it impossible for browsing habits to be tracked back to people. Tim Berners-Lee, of all people, if he understood their system, would appreciate the elegance of what they've actually done.

Berners-Lee was calm, but firm. "I have not at all criticized behavioral advertising," he pointed out. "What I'm saying is a mistake is snooping on the Internet."

Right on.

The Internet, Berners-Lee and Topolski explained, was built according to the single concept that all the processing happens at the ends, and that the middle is just a carrier medium. That design decision has had a number of consequences, most of them good. For example, it's why someone can create the new application of the week and deploy it without getting permission. It's why VOIP traffic flows across the lines of the telephone companies whose revenues it's eating. It is what network neutrality is all about.

Susan Kramer, saying she was "the most untechie person" (and who happens to be my MP), asked if anyone could provide some idea of what lawmakers can actually do. The public, she said, is "frightened about the ability to lose privacy through these mechanisms they don't understand".

Bohm offered the analogy of water fluoridation: it's controversial because we don't expect water flowing into our house to have been tampered with. In any event, he suggested that if the law needs to be made clearer it is in the area of laying down the purposes for which filtering, management, and interference can be done. It should, he said, be "strictly limited to what amounts to matters of the electronic equivalent of public health, and nothing else."

Fluoridation of water is a good analogy for another reason: authorities are transparent about it. You can, if you take the trouble, find out what is in your local water supply. But one of the difficulties about a black-box-in-the-middle is that while we may think we know what it does today - because even if you trust, say, Richard Clayton's report on how Phorm works (PDF) there's no guarantee of how the system will change in the future. Just as, although today's government may have only good intentions in installing a black box in every ISP that collects all traffic data, the government of ten years hence may use the system in entirely different ways for which today's trusting administration never planned. Which is why it's not about Phorm and isn't even about behavioural advertising; Phorm was only a single messenger in a bigger problem.

So the point is this: do we want black boxes whose settings we don't know and whose workings we don't understand sitting at the heart of our ISPs' networks examining our traffic? This was the threat Baroness Miller had in mind - a threat *to* the Internet, not the threat *of* the Internet beloved of the more scaremongering members of the press. Answers on a postcard...


Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML)

February 6, 2009

Forty-five years

This week the EU's legal affairs committee, JURI, may vote - again - on term extension in sound recordings. As of today, copyright is still listed on the agenda.

Opposing term extension was a lot simpler at the national level in the UK; the path from proposal to legislation is well-known, well trodden, and well-watched by the national media. At the EU level, JURI is only one of four committees involved in proposing and amending term extension on behalf of the European Parliament - and then even after the Parliament votes it's the Commission who makes the final decision. The whole thing drags on for something close to forever, which pretty much guarantees that only the most obsessed stay in touch through the whole process. If you had designed a system to ensure apathy except among lobbyists who like good food, you'd have done exactly this.

There are many reasons to oppose term extension, most of which we've covered before. Unfortunately, these seem invisible to some politicians. As William Patry blogs, the harm done by term extension is diffuse and hard to quantify while easily calculable benefits accrue to a small but wealthy and vocal set of players.

What's noticeable is how many independent economic reviews agree with what NGOs like the Electronic Frontier Foundation and the Open Rights Group have said all along.

According to a joint report from several European intellectual property law centers (PDF), the Commission itself estimates that 45 extra years of copyright protection will hand the European music industry between €44 million and €843 million - uncertain by a factor of 20! The same report also notes that term extension will not net performers additional broadcast revenue; rather, the same pot will be spread among a larger pool of musicians, benefiting older musicians at the expense of young incomers. The report also notes that performers don't lose control over their music when the term of copyright ends; they lose it when they sign recording contracts (so true).

Other reports are even less favorable. In 2005, for example, the Dutch Institute for Information Law concluded that copyright in sound recordings has more in common with design rights and patents than with other areas of copyright, and it would be more consistent to reduce the term rather than extend it. More recently, an open letter from Bournemouth University's Centre for Intellectual Property Policy Management questioned exactly where those estimated revenues were going to come from, and pointed out the absurdity of the claim that extension would help performers.

And therein is the nub. Estimates are that the average session musician will benefit from term extension in the amount of €4 to €58 (there's that guess-the-number-within-a-factor-of-20 trick again). JURI's draft opinion puts the number of affected musicians at 7,000 per large EU member state, less in the rest. Call it 7,000 in all 27 and give each musician €20; that's €3.78 million, hardly enough for a banker's bonus. We could easily hand that out in cash, if handouts to aging performers are the purpose of the exercise.

Benefiting performers is a lobbyists' red herring that cynically plays on our affection for our favorite music and musicians; what term extension will do, as the Bournemouth letter points out, is benefit recording companies. Of that wackily wide range of estimated revenues in the last paragraph, 90 percent, or between €39 million and €758 million will go to record producers, even according to the EU's own impact assessment (PDF), based on a study carried out by PriceWaterhouseCooper.

If you want to help musicians, the first and most important thing you should do is improve the industry's standard contracts and employment practices. We protect workers in other industries from exploitation; why should we make an exception for musicians? No one is saying - not even Courtney Love - that musicians deserve charity. But we could reform UK bankruptcy law so that companies acquiring defunct labels are required to shoulder ongoing royalty payment obligations as well as the exploitable assets of the back catalogue. We could put limits on what kind of clauses a recording company is allowed to impose on first-time recording artists. We could set minimums for what is owed to session musicians. And we could require the return of rights to the performers in the event of a recording's going out of print. Any or all of those things would make far more difference to the average musician's lifetime income than an extra 45 years of copyright.

Current proposals seem to focus on this last idea as a "use it or lose it" clause that somehow makes the rest of term extension all right. Don Foster, the conservative MP who is shadow minister for the Department of Culture, Media, and Sport, for example, has argued for it repeatedly. But by itself it's not enough of a concession to balance the effect of term extension and the freezing of the public domain.

If you want to try to stop term extension, this is a key moment. Lobby your MEP and the members of the relevant committees. Remind them of the evidence. And remind them that it's not just the record companies and the world's musicians who have an interest in copyright; it's the rest of us, too.

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

January 2, 2009

No rest for 2009

It's been a quiet week, as you'd expect. But 2009 is likely to be a big year in terms of digital rights.

Both the US and the UK are looking to track non-citizens more closely. The UK has begun issuing foreigners with biometric ID cards. The US, which began collecting fingerprints from visiting tourists two years ago says it wants to do the same with green card holders. In other words, you can live in the US for decades, you can pay taxes, you can contribute to the US economy - but you're still not really one of us when you come home.

The ACLU's Barry Steinhardt has pointed out, however, that the original US-VISIT system actually isn't finished: there's supposed to be an exit portion that has yet to be built. The biometric system is therefore like a Roach Motel: people check in but they never leave.

That segues perfectly into the expansion of No2ID's "database state". The UK is proceeding with its plan for a giant shed to store all UK telecommunications traffic data. Building the data shed is a lot like saying we're having trouble finding a few needles in a bunch of haystacks so the answer is to build a lot bigger haystack.

Children in the UK can also look forward to ContactPoint (budget £22.4 million) going live at the end of January, only the first of several. The conservativers apparently have pledged to scrap ContactPoint in favor of a less expensive system that would track only children deemed to be at risk. If the conservatives don't get their chance to scrap it - probably even if they do - the current generation may be the last that doesn't get to grow up taking for granted that their every move is being tracked. Get 'em young, as the Catholic church used to say, and they're yours for life.

The other half of that is, of course, the National Identity Register. Little has been heard of the ID card in recent months; although the Home Office says 1,000 people have actually requested one. Since these have begun rolling out to foreigners, it's probably best to keep an eye on them.

On January 19, look for the EU to vote on copyright term extension in sound recordings. They have now: 50 years. They want: 95 years. The problem: all the independent reviewers agree it's a bad idea economically. Why does this proposal keep dogging us? Especially given that even the UK government accepts that recording contracts mean that little of the royalties will go to the musicians the law is supposedly trying to help, why is the European Parliament even considering it? Write your MEP. Meanwhile, the economic downturn reaches Cliff Richards; his earliest recordings begin entering the public domain...oh, look - yesterday, January 1, 2009.

Those interested in defending file-sharing technology, the public domain, or any other public interest in intellectual property will find themselves on the receiving end of a pack of new laws and initiatives out to get them.

The RIAA recently announced it would cease suing its customers in the US. It plans to "work with ISPs". Anyone who's been around the UK and France in recent months should smell the three-strikes policy that the Open Rights Group has been fighting against. ORG's going to find it a tougher battle, now that the govermment is considering a stick and carrot approach: make ISPs liable for their users' copyright infringement, but give them a slice of the action for legal downloads. One has to hope that even the most cash-strapped ISPs have more sense.

Last year's scare over the US's bald statement that customs authorities have the right to search and impound computers and other electronic equipment carried by travellers across the national borders will probably be followed up with lengthy protest over new rules known as the Anti-Counterfeiting Trade Agreement and being negotiated by the US, EU, Japan, and other countries. We don't know as much as we'd like about what the proposals actually are, though some information escaped last June. Negotiations are expected to continue in 2009.

The EU has said that it has no plans to search individual travellers, which is a relief; in fact, in most cases it would be impossible for a border guard to tell whether files on a computer were copyright violations. Nonetheless, it seems likely that this and other laws will make criminals of most of us; almost everyone who owns an MP3 player has music on it that technically infringes the copyright laws (particularly in the UK, where there is as yet no exemption for personal copying).

Meanwhile, Australia's new $44 million "great firewall" is going ahead despiteknown flaws in the technology. Nearer home, British Culture Secretary Andy Burnham would like to rate the Web, lest it frighten the children.

It's going to be a long year. But on the bright side, if you want to make some suggestions for the incoming Obama administration, head over to Change.org and add your voice to those assembling under "technology policy".

Happy new year!

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

December 5, 2008

Saving seeds

The 17 judges of the European Court of Human Rights ruled unanimously yesterday that the UK's DNA database, which contains more than 3 million DNA samples, violates Article 8 of the European Convention on Human Rights. The key factor: retaining, indefinitely, the DNA samples of people who have committed no crime.

It's not a complete win for objectors to the database, since the ruling doesn't say the database shouldn't exist, merely that DNA samples should be removed once their owners have been acquitted in court or the charges have been dropped. England, the court said, should copy Scotland, which operates such a policy.

The UK comes in for particular censure, in the form of the note that "any State claiming a pioneer role in the development of new technologies bears special responsibility for striking the right balance..." In other words, before you decide to be the first on your block to use a new technology and show the rest of the world how it's done, you should think about the consequences.

Because it's true: this is the kind of technology that makes surveillance and control-happy governments the envy of other governments. For example: lacking clues to lead them to a serial killer, the Los Angeles Police Department wants to copy Britain and use California's DNA database to search for genetic profiles similar enough to belong to a close relative .The French DNA database, FNAEG, was proposed in 1996, created in 1998 for sex offenders, implemented in 2001, and broadened to other criminal offenses after 9/11 and again in 2003: a perfect example of function creep. But the French DNA database is a fiftieth the size of the UK's, and Austria's, the next on the list, is even smaller.

There are some wonderful statistics about the UK database. DNA samples from more than 4 million people are included on it. Probably 850,000 of them are innocent of any crime. Some 40,000 are children between the ages of 10 and 17. The government (according to the Telegraph) has spent £182 million on it between April 1995 and March 2004. And there have been suggestions that it's too small. When privacy and human rights campaigners pointed out that people of color are disproportionately represented in the database, one of England's most experienced appeals court judges, Lord Justice Sedley, argued that every UK resident and visitor should be included on it. Yes, that's definitely the way to bring the tourists in: demand a DNA sample. Just look how they're flocking to the US to give fingerprints, and how many more flooded in when they upped the number to ten earlier this year. (And how little we're getting for it: in the first two years of the program, fingerprinting 44 million visitors netted 1,000 people with criminal or immigration violations.)

At last week's A Fine Balance conference on privacy-enhancing technologies, there was a lot of discussion of the key technique of data minimization. That is the principle that you should not collect or share more data than is actually needed to do the job. Someone checking whether you have the right to drive, for example, doesn't need to know who you are or where you live; someone checking you have the right to borrow books from the local library needs to know where you live and who you are but not your age or your health records; someone checking you're the right age to enter a bar doesn't need to care if your driver's license has expired.

This is an idea that's been around a long time - I think I heard my first presentation on it in about 1994 - but whose progress towards a usable product has been agonizingly slow. IBM's PRIME project, which Jan Camenisch presented, and Microsoft's purchase of Credentica (which wasn't shown at the conference) suggest that the mainstream technology products may finally be getting there. If only we can convince politicians that these principles are a necessary adjunct to storing all the data they're collecting.

What makes the DNA database more than just a high-tech fingerprint database is that over time the DNA stored in it will become increasingly revealing of intimate secrets. As Ray Kurzweil kept saying at the Singularity Summit, Moore's Law is hitting DNA sequencing right now; the cost is accordingly plummeting by factors of ten. When the database was set up, it was fair to characterize DNA as a high-tech version of fingerprints or iris scans. Five - or 15, or 25, we can't be sure - years from now, we will have learned far more about interpreting genetic sequences. The coded, unreadable messages we're storing now will be cleartext one day, and anyone allowed to consult the database will be privy to far more intimate information about our bodies, ourselves than we think we're giving them now.

Unfortunately, the people in charge of these things typically think it's not going to affect them. If the "little people" have no privacy, well, so what? It's only when the powers they've granted are turned on them that they begin to get it. If a conservative is a liberal who's been mugged, and a liberal is a conservative whose daughter has needed an abortion, and a civil liberties advocate is a politician who's been arrested...maybe we need to arrest more of them.

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

June 27, 2008

Mistakes were made

This week we got the detail on what went wrong at Her Majesty's Revenue and Customs that led to the loss of those two CDs full of the personal details of 25 million British households last year with the release of the Poynter Review (PDF). We also got a hint of how and whether the future might be different with the publication yesterday of Data Handling: Proecures in Government (PDF), written by Sir Gus O'Donnell and commissioned by the Prime Minister after the HMRC loss. The most obvious message of both reports: government needs to secure data better.

The nicest thing the Poynter review said was that HMRC has already made changes in response to its criticisms. Otherwise, it was pretty much a surgical demonstration of "institutional deficiencies".

The chief points:


- Security was not HMRC's top priority.

- HMRC in fact had the technical ability to send only the selection of data that NAO actually needed, but the staff involved didn't know it.

- There was no designated single point of contact between HMRC and NAO.

- HMRC used insecure methods for data storage and transfer.

- The decision to send the CDs to the NAO was taken by junior staff without consulting senior managers - which under HMRC's own rules they should have done.

- The reason HMRC's junior staff did not consult managers was that they believed (wrongly) that NAO had absolute authority to access any and all information HMRC had.

- The HMRC staffer who dispatched the discs incorrectly believed the TNT Post service was secure and traceable, as required by HMRC policy. A different TNT service that met those requirements was in fact available.

- HMRC policies regarding information security and the release of data were not communicated sufficiently through the organization and were not sufficiently detailed.

- HMRC failed on accountability, governance, information security...you name it.

The real problem, though, isn't any single one of these things. If junior staff had consulted senior staff, it might not have mattered that they didn't know what the policies were. If HMRC used proper information security and secure methods for data storage (that is, encryption rather than simple password protection), they wouldn't have had access to send the discs. If they'd understood TNT's services correctly, the discs wouldn't have gotten lost - or at least been traceable if they had.

The real problem was the interlocking effect of all these factors. That, as Nassim Nicholas Taleb might say, was the black swan.

For those who haven't read Taleb's The Black Swan: The Impact of the Highly Improbable, the black swan stands for the event that is completely unpredictable - because, like black swans until one was spotted in Australia, no such thing has ever been seen - until it happens. Of course, data loss is pretty much a white swan; we've seen lots of data breaches. The black swan, really, is the perfectly secure system that is still sufficiently open for the people who need to use it.

That challenge is what O'Donnell's report on data handling is about and, as he notes, it's going to get harder rather than easier. He recommends a complete rearrangement of how departments manage information as well as improving the systems within individual departments. He also recommends greater openness about how the government secures data.

"No organisation can guarantee it will never lose data," he writes, "and the Government is no exception." O'Donnell goes on to consider how data should be protected and managed, not whether it should be collected or shared in the first place. That job is being left for yet another report in progress, due soon.

It's good to read that some good is coming out of the HMRC data loss: all departments are, according to the O'Donnell report, reviewing their data practices and beginning the process of cultural change. That can only be a good thing.

But the underlying problem is outside the scope of these reports, and it's this government's fondness for creating giant databases: the National Identity Register, ContactPoint, the DNA database, and so on. If the government really accepted the principle that it is impossible to guarantee complete data security, what would they do? Logically, they ought to start by cancelling the data behemoths on the understanding that it's a bad idea to base public policy on the idea that you can will a black swan into existence.

It would make more sense to create a design for government use of data that assumes there will be data breaches and attempts to limit the adverse consequences for the individuals whose data is lost. If my privacy is compromised alongside 50 million other people's and I am the victim of identity theft does it help me that the government department that lost the data knows which staff member to blame?

As Agatha Christie said long ago in one of her 80-plus books, "I know to err is human, but human error is nothing compared to what a computer can do if it tries." The man-machine combination is even worse. We should stop trying to breed black swans and instead devise systems that don't create so many white ones.

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

May 30, 2008

Ten

It's easy to found an organization; it's hard to keep one alive even for as long as ten years. This week, the Foundation for Information Policy Research celebrated its tenth birthday. Ten years is a long time in Internet terms, and even longer when you're trying to get government to pay attention to expertise in a subject as difficult as technology policy.

My notes from the launch contain this quote from FIPR's first director, Caspar Bowden, which shows you just how difficult FIPR's role was going to be: "An educational charity has a responsibility to speak the truth, whether it's pleasant or unpleasant." FIPR was intended to avoid the narrow product focus of corporate laboratory research and retain the traditional freedoms of an academic lab.

My notes also show the following list of topics FIPR intended to research: the regulation of electronic commerce; consumer protection; data protection and privacy; copyright; law enforcement; evidence and archiving; electronic interaction between government, businesses, and individuals; the risks of computer and communications systems; and the extent to which information technologies discriminate against the less advantaged in society. Its first concern was intended to be researching the underpinnings of electronic commerce, including the then recent directive launched for public consultation by the European Commission.

In fact, the biggest issue of FIPR's early years was the crypto wars leading up to and culminating in the passage of the Regulation of Investigatory Powers Act (2000). It's safe to say that RIPA would have been a lot worse without the time and energy Bowden spent listening to Parliamentary debates, decoding consultation papers, and explaining what it all meant to journalists, politicians, civil servants, and anyone else who would listen.

Not that RIPA is a fountain of democratic behavior even as things are. In the last couple of weeks we've seen the perfect example of the kind of creeping functionalism that FIPR and Privacy International warned about at the time: the Poole council using the access rules in RIPA to spy on families to determine whether or not they really lived in the right catchment area for the schools their children attend.

That use of the RIPA rules, Bowden said at at FIPR's half-day anniversary conference last Wednesday, sets a precedent for accessing traffic data for much lower level purposes than the government originally claimed it was collecting the data for. He went on to call the recent suggestion that the government may be considering a giant database, updated in real time, of the nation's communications data "a truly Orwellian nightmare of data mining, all in one place."

Ross Anderson, FIPR's founding and current chair and a well-known security engineer at Cambridge, noted that the same risks adhere to the NHS database. A clinic that owns its own data will tell police asking for the names of all its patients under 16 to go away. "If," said Anderson, "it had all been in the NHS database and they'd gone in to see the manager of BT, would he have been told to go and jump in the river? The mistake engineers make too much is to think only technology matters."

That point was part of a larger one that Anderson made: that hopes that the giant databases under construction will collapse under their own weight are forlorn. Think of developing Hulk-Hogan databases and the algorithms for mining them as an arms race, just like spam and anti-spam. The same principle that holds that today's cryptography, no matter how strong, will eventually be routinely crackable means that today's overload of data will eventually, long after we can remember anything we actually said or did ourselves, be manageable.

The most interesting question is: what of the next ten years? Nigel Hickson, now with the Department of Business, Enterprise, and Regulatory Reform, gave some hints. On the European and international agenda, he listed the returning dominance of the large telephone companies on the excuse that they need to invest in fiber. We will be hearing about quality of service and network neutrality. Watch Brussels on spectrum rights. Watch for large debates on the liability of ISPs. Digital signatures, another battle of the late 1990s, are also back on the agenda, with draft EU proposals to mandate them for the public sector and other services. RFID, the "Internet for things" and the ubiquitous Internet will spark a new round of privacy arguments.

Most fundamentally, said Anderson, we need to think about what it means to live in a world that is ever more connected through evolving socio-technological systems. Government can help when markets fail; though governments themselves seem to fail most notoriously with large projects.

FIPR started by getting engineers, later engineers and economists, to talk through problems. "The next growth point may be engineers and psychologists," he said. "We have to progressively involve more and more people from more and more backgrounds and discussions."

Probably few people feel that their single vote in any given election really makes a difference. Groups like FIPR, PI, No2ID, and ARCH remind us that even a small number of people can have a significant effect. Happy birthday.


Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).


May 23, 2008

The haystack conundrum

Early this week the news broke that the Home Office wants to create a giant database in which will be stored details of all communications sent in Britain. In other words, instead of data retention, in which ISPs, telephone companies, and other service providers would hang onto communications data for a year or seven in case the Home Office wanted it, everything would stream to a Home Office data center in real time. We'll call it data swallowing.

Those with long memories - who seem few and far between in the national media covering this sort of subject - will remember that in about 1999 or 2000 there was a similar rumor. In the resulting outraged media coverage it was more or less thoroughly denied and nothing had been heard of it since, though privacy advocates continued to suspect that somewhere in the back of a drawer the scheme lurked, dormant, like one of those just-add-water Martians you find in the old Bugs Bunny cartoons. And now here it is again in another leak that the suspicious veteran watcher of Yes, Minister might think was an attempt to test public opinion. The fact that it's been mooted before makes it seem so much more likely that they're actually serious.

This proposal is not only expensive, complicated, slow, and controversial/courageous (Yes, Minister's Fab Four deterrents), but risk-laden, badly conceived, disproportionate, and foolish. Such a database will not catch terrorists, because given the volume of data involved trying to use it to spot any one would-be evil-doer will be the rough equivalent of searching for an iron filing in a haystack the size of a planet. It will, however, make it possible for anyone trawling the database to make any given individual's life thoroughly miserable. That's so disproportionate it's a divide-by-zero error.

The risks ought to be obvious: this is a government that can't keep track of the personal details of 25 million households, which fit on a couple of CDs. Devise all the rules and processes you want, the bigger the database the harder it will be to secure. Besides personal information, the giant communications database would include businesses' communication information, much of likely to be commercially sensitive. It's pretty good going to come up with a proposal that equally offends civil liberties activists and businesses.

In a short summary of the proposed legislation, we find this justification: "Unless the legislation is updated to reflect these changes, the ability of public authorities to carry out their crime prevention and public safety duties and to counter these threats will be undermined."

Sound familiar? It should. It's the exact same justification we heard in the late 1990s for requiring key escrow as part of the nascent Regulation of Investigatory Powers Act. The idea there was that if the use of strong cryptography to protect communications became widespread law enforcement and security services would be unable to read the content of the messages and phone calls they intercepted. This argument was fiercely rejected at the time, and key escrow was eventually dropped in favor of requiring the subjects of investigation to hand over their keys under specified circumstances.

There is much, much less logic to claiming that police can't do their jobs without real-time copies of all communications. Here we have real analogies: postal mail, which has been with us since 1660. Do we require copies of all letters that pass through the post office to be deposited with the security services? Do we require the Royal Mail's automated sorting equipment to log all address data?

Sanity has never intervened in this government's plans to create more and more tools for surveillance. Take CCTV. Recent studies show that despite the millions of pounds spent on deploying thousands of cameras all over the UK, they don't cut crime, and, more important, the images help solve crime in only 3 percent of cases. But you know the response to this news will not be to remove the cameras or stop adding to their number. No, the thinking will be like the scheme I once heard for selling harmless but ineffective alternative medical treatments, in which the answer to all outcomes is more treatment. (Patient gets better - treatment did it. Patient stays the same - treatment has halted the downward course of the disease. Patient gets worse - treatment came too late.)

This week at Computers, Freedom, and Privacy, I heard about the Electronic Privacy Information Center's work on fusion centers, relatively new US government efforts to mine many commercial and public sources of data. EPIC is trying to establish the role of federal agencies in funding and controlling these centers, but it's hard going.

What do these governments imagine they're going to be able to do with all this data? Is the fantasy that agents will be able to sit in a control room somewhere and survey it all on some kind of giant map on which criminals will pop up in red, ready to be caught? They had data before 9/11 and failed to collate and interpret it.

Iron filing; haystack; lack of a really good magnet.

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

April 18, 2008

Like a Virgin

Back in November 2005 the CEO of AT&T, Ed Whitacre, told Business Week that he was tired of big Internet sites like Google and Yahoo! using "my pipes" "for free". With those words he launched the issue of network neutrality onto the front pages and into the public consciousness. At the time, it seemed like what one of my editors used to grandly dismiss as an "American issue". (One such issue, it's entertaining to remember now, was spam. That was in 1997.) The only company dominant enough and possessed of sufficient infrastructure to impose carriage charges on content providers in the UK was BT - and if BT had tried anything like that Ofcom would - probably - have stomped all over it.

But what starts in America usually winds up here a few years later, and this week, the CEO of Virgin Media, Neil Berkett, threatened that video providers who don't pay for faster service may find their traffic being delivered in slow "bus lanes". Network neutrality, he said, was "a load of bollocks".

His PR people recanted - er, clarified a day or two later. We find it hard to see how a comment as direct as "a load of bollocks" could be taken out of context. However. Let's say he was briefly possessed by the spirt of Whitacre, who most certainly meant what he said.

The recharacterization of Berkett's comments: the company isn't really going to deliberately slow down YouTube and the BBC's iPlayer. Instead, it "could offer content providers deals to upgrade their provisioning." I thought this sounded like the wheeze where you're not charged more for using a credit card, you're given a discount for paying cash. But no: what they say they have in mind is direct peering, in which no money changes hands, which they admit could be viewed as a "non-neutral" solution.

But, says Keith Mitchell, a fellow member of the Open Rights Group advisory board, "They are in for a swift education in the way the global transit/peering market works if they try this." Virgin seems huge in the context of the UK, where its ownership of the former ntl/Telewest combine gives it a lock on the consumer cable market - but in the overall scheme of things it's "a very small fish in the pond compared to the Tier 1 transit providers, and the idea that they can buck this model single-handedly is laughable."

Worse, he says, "If Virgin attempts to cost recover for interconnects off content providers on anything other than a sender-keeps-all/non-settlement basis, they'll quickly find themselves in competition with the transit providers, whose significantly larger economies of scale put them in a position to provide a rather cheaper path from the content providers."

What fun. In other words, if you're, say, the BBC, and you're faced with paying extra in some form to get your content out to the Net you'd choose to pay the big trucking company with access to all the best and fastest roads and the international infrastructure rather than the man-with-a-van who roams your local neighborhood.

ISPs versus the iPlayer seems likely to run and run. It's clear, for example, that streaming is growing at a hefty clip. Obviously, within the UK the iPlayer is the biggest single contributor to this; viewers are watching a million programs a week online, sopping up 3 to 5 percent of all Internet traffic in Britain.

We've seen exactly this sort of argument before: file-sharing (music, not video!), online gaming, binary Usenet newsgroups. Why (ancient creaking voice) I remember when the big threat was the advent of the graphical Web, which nearly did kill the Net (/ancient creaking voice). The difference this time is that there is a single organization with nice, deep, taxpayer-funded pockets to dig into. Unlike the voracious spider that was Usenet, the centipede that is file-sharing, or the millipedes who were putting up Web sites, YouTube and the BBC make up an easily manageable number of easily distinguished targets for a protection racket. At the same time, the consolidation of the consumer broadband market from hundreds of dial-up providers into a few very large broadband providers means competition is increasingly mythical.

But the iPlayer is only one small piece of the puzzle. Over the next few years we're going to see many more organizations offering streaming video across the Net. For example, a few weeks ago I signed up for an annual pass for the streaming TV service for the nine biggest men's tennis tournaments of the year. The economics make sense: $70 a year versus £20 a month for Sky Sports - and I have no interest in any of Sky's other offerings - or pay nothing and "watch" really terrible low-resolution video over a free Chinese player offering rebroadcasts of uncertain legality.

The real problem, as several industry insiders have said to me lately, is pricing. "You have a product," said one incredulously, "that people want more and more of, and you can't make any money selling it?" When companies like O2 are offering broadband for £7.50 a month as a loss-leading add-on to mobile phone connections, consumers don't see why they should pay any more than that. Jerky streaming might be just the motivator to fix that.

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

April 11, 2008

My IP address, my self

Some years back when I was writing about the data protection directive, Simon Davies, director of Privacy International, predicted a trade war between the US and Europe over privacy laws. It didn't happen, or at least it hasn't happened yet.

The key element to this prediction was the rule in the EU's data protection laws that prohibited sending data on for processing to countries whose legal regimes aren't as protective as those of the EU. Of course, since then we've seen the EU sell out on supplying airline passenger data to the US. Even so, this week the Article 29 Data Protection Working Party made recommendations about how search engines save and process personal data that could drive another wedge between the US and Europe.

The Article 29 group is one of those arcane EU phenomena that you probably don't know much about unless you're a privacy advocate or paid to find out. The short version: it's a sort of think tank of data protection commissioners from all over Europe. The UK's Information Commissioner, Richard Thomas, is a member, as are his equivalents in countries from France to Lithuania.

The Working Party (as it calls itself) advises and recommends policies based on the data protection principles enshrined in the EU Data Protection Directive. It cannot make law, but both its advice to the European Commission and the Commission's action (or lack thereof) are publicly reported. It's arguable that in a country like the UK, where the Information Commissioner operates with few legal teeth to bite with, the existence of such a group may help strengthen the Commissioner's hand.

(Few legal teeth, at least in respect of government activities: the Information Commissioner has issued an opinion about Phorm indicating that the service must be opt-in only. As Phorm and the ISPs involved are private companies, if they persisted with a service that contravened data protection law, the Information Commissioner could issue legal sanctions. But while the Information Commissioner can, for example, rule that for an ISP to retain users' traffic data for seven years is disproportionate, if the government passes a law saying the ISP must do so then within the UK's legal system the Information Commissioner can do nothing about it. Similarly, the Information Commissioner can say, as he has, that he is "concerned" about the extent of the information the government proposes to collect and keep on every British resident, but he can't actually stop the system from being built.)

The group's key recommendation: search engines should not keep personally identifiable search histories for longer than six months, and it specifically includes search engines whose headquarters are based outside the EU. The group does not say which search engines it studied, but it was reported to be studying Google as long ago as last May. The report doesn't look at requirements to keep traffic data under the Data Retention Directive, as it does not apply to search engines.

Google's shortening the life of its cookies and anonymizing its search history logs after 18 months turns out to have a significance I didn't appreciate when, at the time, I dismissed it as insultingly trivial (which it was): it showed the Article 29 working group that the company doesn't really need to keep all that data for so long. In

One of the key items the Article 29 group had to decide in writing its report on data protection issues related to search engines (PDF) is this: are IP addresses personal information? It sounds like one of those bits of medieval sophistry, like asking how many angels can dance on the head of a pin. In the dial-up days, it might not have mattered, at least in Britain, where local phone charges forced limited usage, so users were assigned a different IP address every time they logged in. But in the world of broadband, where even the supposedly dynamic IP addresses issued by cable suppliers may remain with a single subscriber for years on end. Being able to track your IP address's activities is increasingly like being able to track your library card, your credit card, and your mobile phone all at the same time. Fortunately, the average ISP doesn't have the time to be that interested in most of its users.

The fact is that any single piece of information that identifies your activities over a long period and can be mapped to your real-life identity has to be considered personal information or the data protection laws make no sense. The libertarian view, of course, would be that there are other search engines. You do not actually have to use Google, Gmail, or even YouTube. But if all search engines adopted Google's habits the choice would be more apparent than real. Time was when the US was the world's policeman. With respect to data, it seems that the EU has taken on this role. It will be interesting to see whether this decision has any impact on Google's business model and practices. If it does, that trade war could finally be upon us. If not, then Google was building up a vast data store just because we can.

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

March 7, 2008

Techitics

This year, 2008, may go down in history as the year geeks got politics. At etech this week I caught a few disparaging references to hippies' efforts to change politics. Which, you know, seemed kind of unfair, for two reasons. First: the 1960s generation did change an awful lot of things, though not nearly as many as they hoped. Second: a lot of those hippies are geeks now.

But still. Give a geek something that's broken and he'll itch to fix it. And one thing leads to another. Which is why on Wednesday night Lawrence Lessig explained in an hour-long keynote that got a standing ovation how he plans to fix what's wrong with Congress.

No, he's not going to run. Some 4,500 people on Facebook were trying to push him into it, and he thought about it, but preliminary research showed that his chances of beating popular Silicon Valley favorite, Jackie Speier, were approximately zero.

"I wasn't afraid of losing," he said, noting ruefully that in ten years of copyfighting he's gotten good at it. Instead, the problem was that Silicon Valley insiders would have known that no one was going to beat Jackie Speier. But outsiders would have pointed, laughed, and said, "See? The idea of Congressional reform has no legs." And on to business as usual. So, he said, counterproductive to run.

Instead, he's launching Change Congress. "Obama has taught us that it's possible to imagine many people contributing to real change."

The point, he said, will be to provide a "signalling function". Like Creative Commongs, Change Congress will give candidates an easy way to show what level of reform they're willing to commit tto. The system will start with three options: 1) refusing money from lobbyists and political action committees (private funding groups); 2) ban earmarks (money allocated to special projects in politicians' home states); 3) commit to public financing for campaigns. Candidates can then display the badge generated from those choices on their campaign materials.

From there, said Lessig, layer something like Emily's List on top, to help people identify candidates they're willing to suppot with monthly donations, thereby subsidizing reform.

Money, he admitted, isn't the entire problem. But, like drinking for an alcoholic, it's the first problem you must solve to be able to tackle any of the others with any hope of success.

In a related but not entirely similar vein, the guys who brought us They Work For You nearly four years ago are back with UN democracy, an attempt to provide a signalling function to the United Nations> by making it easy to find out how your national representatives are voting in UN meetings. The driving force behind UNdemocracy.com is Liverpool's Julian Todd, who took the UN's URL obscurantism as a personal challenge. Since he doesn't fly, presenting the new service were Tom Loosemore, Stefan Mogdalinski, and Danny O'Brien, who pointed out that when you start looking at the decisions and debates you start to see strange patterns: what do the US and Israel have in common with Palau and Micronesia?

The US Congress and the British Parliament are all, they said, now well accustomed to being televised, and their behaviour has adapted to the cameras. At the UN, "They don't think they're being watched at all, so you see horse trading in a fairly raw form."

The meta-version they believe can be usefully and widely applied: 1) identify broken civic institution; 2) liberate data from said institution. There were three more ingredients, but they vanished the slide too quickly. But Mogdalinski noted that where in the past they have said "Ask forgiveness, not permission", alluding to the fact that most institutions if approached will behave as though they own the data. He's less inclined to apologise now. After all, isn't it *our* data that's being released in the public interest?

Data isn't everything. But the Net community has come a long way since the early days, when the prevailing attitude was that technological superiority would wash away politics-as-usual by simply making an end run around any laws governments tried to pass. Yes, technology can change the equation a whole lot. For example, once PGP escaped laws limiting the availability of strong encryption were pretty much doomed to fail (though not without a lot of back-and-forth before it became official). Similarly, in the copyright wars it's clear that copyrighted material will continue to leak out no matter how hard they try to protect it.

But those are pretty limited bits of politics. Technology can't make such an easy end run around laws that keep shrinking the public domain. Nor can it by itself solve policies that deny the reality of global climate change or that, in one of Lessig's examples, back government recommendations off from a daily caloric intake of 10 percent sugar to one of 25 percent. Or that, in another of his examples, kept then Vice-President Al Gore from succeeding with a seventh part to the 1996 Communications Act deregulating ADSL and cable because without anything to regulate what would Congressmen do without the funds those lobbyists were sending their way? Hence, the new approach.

"Technology," Lessig said, "doesn't solve any problems. But it is the only tool we have to leverage power to effect change."

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series.

February 22, 2008

Strikeout

There is a certain kind of mentality that is actually proud of not understanding computers, as if there were something honorable about saying grandly, "Oh, I leave all that to my children."

Outside of computing, only television gets so many people boasting of their ignorance. Do we boast how few books we read? Do we trumpet our ignorance of other practical skills, like balancing a cheque book, cooking, or choosing wine? When someone suggests we get dressed in the morning do we say proudly, "I don't know how"?

There is so much insanity coming out of the British government on the Internet/computing front at the moment that the only possible conclusion is that the government is made up entirely of people who are engaged in a sort of reverse pissing contest with each other: I can compute less than you can, and see? here's a really dumb proposal to prove it.

How else can we explain yesterday's news that the government is determined to proceed with Contactpoint even though the report it commissioned and paid for from Deloitte warns that the risk of storing the personal details of every British child under 16 can only be managed, not eliminated? Lately, it seems that there's news of a major data breach every week. But the present government is like a batch of 20-year-olds who think that mortality can't happen to them.

Or today's news that the Department of Culture, Media, and Sport has launched its proposals for "Creative Britain", and among them is a very clear diktat to ISPs: deal with file-sharing voluntarily or we'll make you do it. By April 2009. This bit of extortion nestles in the middle of a bunch of other stuff about educating schoolchildren about the value of intellectual property. Dare we say: if there were one thing you could possibly do to ensure that kids sneer at IP, it would be to teach them about it in school.

The proposals are vague in the extreme about what kind of regulation the DCMS would accept as sufficient. Despite the leaks of last week, culture secretary Andy Burnham has told the Financial Times that the "three strikes" idea was never in the paper. As outlined by Open Rights Group executive director Becky Hogge in New Statesman, "three strikes" would mean that all Internet users would be tracked by IP address and warned by letter if they are caught uploading copyrighted content. After three letters, they would be disconnected. As Hogge says (disclosure: I am on the ORG advisory board), the punishment will fall equally on innocent bystanders who happen to share the same house. Worse, it turns ISPs into a squad of private police for a historically rapacious industry.

Charles Arthur, writing in yesterday's Guardian, presented the British Phonographic Institute's case about why the three strikes idea isn't necessarily completely awful: it's better than being sued. (These are our choices?) ISPs, of course, hate the idea: this is an industry with nanoscale margins. Who bears the liability if someone is disconnected and starts to complain? What if they sue?

We'll say it again: if the entertainment industries really want to stop file-sharing, they need to negotiate changed business models and create a legitimate market. Many people would be willing to pay a reasonable price to download TV shows and music if they could get in return reliable, fast, advertising-free, DRM-free downloads at or soon after the time of the initial release. The longer the present situation continues the more entrenched the habit of unauthorized file-sharing will become and the harder it will be to divert people to the legitimate market that eventually must be established.

But the key damning bit in Arthur's article (disclosure: he is my editor at the paper) is the BPI's admission that they cannot actually say that ending file-sharing would make sales grow. The best the BPI spokesman could come up with is, "It would send out the message that copyright is to be respected, that creative industries are to be respected and paid for."

Actually, what would really do that is a more balanced copyright law. Right now, the law is so far from what most people expect it to be - or rationally think it should be - that it is breeding contempt for itself. And it is about to get worse: term extension is back on the agenda. The 2006 Gowers Review recommended against it, but on February 14, Irish EU Commissioner Charlie McCreevy (previously: champion of software patents) has announced his intention to propose extending performers' copyright in sound recordings from the current 50-year term to 95 years. The plan seems to go something like this: whisk it past the Commission in the next two months. Then the French presidency starts and whee! new law! The UK can then say its hands are tied.

That change makes no difference to British ISPs, however, who are now under the gun to come up with some scheme to keep the government from clomping all over them. Or to the kids who are going to be tracked from cradle to alcopop by unique identity number. Maybe the first target of the government computing literacy programs should be...the government.


Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

February 8, 2008

If you have ID cards, drink alcohol


One of the key identifiers of an addiction is that indulgence in it persists long after all the reasons for doing it have turned from good to bad.

A sobered-up Scottish alcoholic once told me the following examplar of alcoholic thinking. A professor is lecturing to a class of alcoholics on the evils of drinking. To make his point, he takes two glasses, one filled with water, the other with alcohol. Into each glass he drops a live worm. The worm in the glass of water lives; the worm in the glass of alcohol dies.

"What," the professor asks, "can we learn from this?"

One of the alcoholics raises his hand. "If you have worms, drink alcohol."

In alcoholic thinking, of course, there is no circumstance in which the answer isn't "Drink alcohol."

So, too, with the ID card. The purpose as mooted between 2001 and 2004 was preventing benefit fraud and making life more convenient for UK citizens and residents. The plan promised perfect identification via the combination of a clean database (the National Identity Register) and biometrics (fingerprints and iris scans). The consultation document made a show of suggesting the cheaper alternative of a paper card with minimal data collection, but it was clear what they really wanted: the big, fancy stuff that would make them the envy of other major governments.

Opponents warned of the UK's poor track record with large IT projects, the privacy-invasiveness, and the huge amount such a system was likely to cost. Government estimates, now at £5.4 billion, have been slowly rising to meet Privacy International's original estimate of £6 billion.

By 2006, when the necessary legislation was passed, the government had abandoned the friendly "entitlement card" language and was calling it a national ID card. By then, also, the case had changed: less entitlement, more crime prevention.

It's 2008, and the wheels seem to be coming off. The government's original contention that the population really wanted ID cards has been shredded by the leaked documents of the last few weeks. In these, it's clear that the government knows the only way it will get people to adopt the ID card is by coercion, starting with the groups who are least able to protest by refusal: young people and foreigners.

Almost every element deemed important in the original proposal is now gone - the clean database populated through interviews and careful documentation (now the repurposed Department of Work and Pensions database); the iris scans (discarded); probably the fingerprints (too expensive except for foreigners). The one element that for sure remains is the one the government denied from the start: compulsion.

The government was always open about its intention for non-registration to become increasingly uncomfortable and eventually to make registration compulsory. But if the card is coming at least two years later than they intended, compulsion is ahead of schedule.

Of course, we've always maintained that the key to the project is the database, not the card. It's an indicator of just how much of a mess the project is that the Register, the heart of the system, was first to be scaled back because of its infeasibility. (I mean, really, guys. Interview and background-check the documentation of every one of 60 million people in any sort of reasonable time scale?)

The project is even fading in popularity with the very vendors who want to make money supplying the IT for it. How can you specify a system whose stated goals keep changing?

The late humorist and playwright Jean Kerr (probably now best known for her collection of pieces about raising five boys with her drama critic husband in a wacky old house in Larchmont, NY, Please Don't Eat the Daisies) once wrote a piece about the trials and tribulations of slogging through the out-of-town openings of one of her plays. In these pre-Broadway trial runs, lines get cut and revised; performances get reshaped and tightened. If the play is in trouble, the playwright gets no sleep for weeks. And then, she wrote, one day you look up at the stage, and, yes, the play is much better, and the performances are much better, and the audience seems to be having a good time. And yet - the play you're seeing on the stage isn't the play you had in mind at all.

It's one thing to reach that point in a project and retain enough perspective to be honest about it. It may be bad - but it isn't insane - to say, "Well, this play isn't what I had in mind, but you know, the audience is having a good time, and it will pay me enough to go away and try again."

But if you reach the point where the project you're pushing ahead clearly isn't any more the project you had in mind and sold hard, and yet you continue to pretend to yourself and everyone else that it is - then you have the kind of insanity problem where you're eating worms in order to prove you're not an alcoholic.

The honorable thing for the British government to do now is say, "Well, folks, we were wrong. Our opponents were right: the system we had in mind is too complicated, too expensive, and too unpopular because of its privacy-invasiveness. We will think again." Apparently they're so far gone that eating worms looks more sensible.

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

November 23, 2007

Road block

There are many ways for a computer system to fail. This week's disclosure that Her Majesty's Revenue and Customs has played lost-in-the-post with two CDs holding the nation's Child Benefit data is one of the stranger ones. The Child Benefit database includes names, addresses, identifying numbers, and often bank details, on all the UK's 25 million families with a child under 16. The National Audit Office requested a subset for its routine audit; the HMRC sent the entire database off by TNT post.

There are so many things wrong with this picture that it would take a village of late-night talk show hosts to make fun of them all. But the bottom line is this: when the system was developed no one included privacy or security in the specification or thought about the fundamental change in the nature of information when paper-based records are transmogrified into electronic data. The access limitations inherent in physical storage media must be painstakingly recreated in computer systems or they do not exist. The problem with security is it tends to be inconvenient.

With paper records, the more data you provide the more expensive and time-consuming it is. With computer records, the more data you provide the cheaper and quicker it is. The NAO's file of email relating to the incident (PDF) makes this clear. What the NAO wanted (so it could check that the right people got the right benefit payments): national insurance numbers, names, and benefit numbers. What it got: everything. If the discs hadn't gotten lost, we would never have known.

Ironically enough, this week in London also saw at least three conferences on various aspects of managing digital identity: Digital Identity Forum, A Fine Balance, and Identity Matters. All these events featured the kinds of experts the UK government has been ignoring in its mad rush to create and collect more and more data. The workshop on road pricing and transport systems at the second of them, however, was particularly instructive. Led by science advisor Brian Collins, the most notable thing about this workshop is that the 15 or 20 participants couldn't agree on a single aspect of such a system.

Would it run on GPS or GSM/GPRS? Who or what is charged, the car or the driver? Do all roads cost the same or do we use differential pricing to push traffic onto less crowded routes? Most important, is the goal to raise revenue, reduce congestion, protect the environment, or rebalance the cost of motoring so the people who drive the most pay the most? The more purposes the system is intended to serve, the more complicated and expensive it will become, and the less likely it is to answer any of those goals successfully. This point has of course also been made about the National ID card by the same sort of people who have warned about the security issues inherent in large databases such as the Child Benefit database. But it's clearer when you start talking about something as limited as road charging.

For example: if you want to tag the car you would probably choose a dashboard-top box that uses GPS data to track the car's location. It will have to store and communicate location data to some kind of central server, which will use it to create a bill. The data will have to be stored for at least a few billing cycles in case of disputes. Security services and insurers alike would love to have copies. On the other hand, if you want to tag the driver it might be simpler just to tie the whole thing to a mobile phone. The phone networks are already set up to do hand-off between nodes, and tracking the driver might also let you charge passengers, or might let you give full cars a discount.

The problem is that the discussion is coming from the wrong angle. We should not be saying, "Here is a clever technological idea. Oh, look, it makes data! What shall we do with it?" We should be defining the problem and considering alternative solutions. The people who drive most already pay most via the fuel pump. If we want people to drive less, maybe we should improve public transport instead. If we're trying to reduce congestion, getting employers to be more flexible about working hours and telecommuting would be cheaper, provide greater returns, and, crucially for this discussion, not create a large database system that can be used to track the population's movements.

(Besides, said one of the workshop's participants: "We live with the congestion and are hugely productive. So why tamper with it?")

It is characteristic of our age that the favored solution is the one that creates the most data and the biggest privacy risk. No one in the cluster of organisations opposing the ID card - No2ID, Privacy International, Foundation for Information Policy Research, or Open Rights Group - wanted an incident like this week's to happen. But it is exactly what they have been warning about: large data stores carry large risks that are poorly understood, and it is not enough for politicians to wave their hands and say we can trust them. Information may want to be free, but data want to leak.

Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

November 9, 2007

Watching you watching me

A few months ago, a neighbour phoned me and asked if I'd be willing to position a camera on my windowsill. I live at the end of a small dead-end street (or cul-de-sac), that ends in a wall about shoulder height. The railway runs along the far side of the wall, and parallel to it and further away is a long street with a row of houses facing the railway. The owners of those houses get upset because graffiti keeps appearing alongside the railway where they can see it and covers flat surfaces such as the side wall of my house. The theory is that kids jump over the wall at the end of my street, just below my office window, either to access the railway and spray paint or to escape after having done so. Therefore, the camera: point it at the wall and watch to see what happens.

The often-quoted number of times the average Londoner is caught on camera per day is scary: 200. (And that was a few years ago; it's probably gone up.) My street is actually one of those few that doesn't have cameras on it. I don't really care about the graffiti; I do, however, prefer to be on good terms with neighbours, even if they're all the way across the tracks. I also do see that it makes sense at least to try to establish whether the wall downstairs is being used as a hurdle in the getaway process. What is the right, privacy-conscious response to make?

I was reminded of this a few days ago when I was handed a copy of Privacy in Camera Networks: A Technical Perspective, a paper published at the end of July. (We at net.wars are nothing if not up-to-date.)

Given the amount of money being spent on CCTV systems, it's absurd how little research there is covering their efficacy, their social impact, or the privacy issues they raise. In this paper, the quartet of authors – Marci Lenore Meingast (UC Berkeley), Sameer Pai (Cornell), Stephen Wicker (Cornell), and Shankar Sastry (UC Berkeley) – are primarily concerned with privacy. They ask a question every democratic government deploying these things should have asked in the first place: how can the camera networks be designed to preserve privacy? For the purposes of preventing crime or terrorism, you don't need to know the identity of the person in the picture. All you want to know is whether that person is pulling out a gun or planting a bomb. For solving crimes after the fact, of course, you want to be able to identify people – but most people would vastly prefer that crimes were prevented, not solved.

The paper cites model legislation (PDF) drawn up by the Constitution Project. Reading it is depressing: so many of the principles in it are such logical, even obvious, derivatives of the principles that democratic governments are supposed to espouse. And yet I can't remember any public discussion of the idea that, for example, all CCTV systems should be accompanied by identification of and contact information for the owner. "These premises are protected by CCTV" signs are everywhere; but they are all anonymous.

Even more depressing is the suggestion that the proposals for all public video surveillance systems should specify what legitimate law enforcement purpose they are intended to achieve and provide a privacy impact assessment. I can't ever remember seeing any of those either. In my own local area, installing CCTV is something politicians boast about when they're seeking (re)election. Look! More cameras! The assumption is that more cameras equals more safety, but evidence to support this presumption is never provided and no one, neither opposing politicians nor local journalists, ever mounts a challenge. I guess we're supposed to think that they care about us because they're spending the money.
The main intention of Meingast, Pai, et al, however, is to look at the technical ways such networks can be built to preserve privacy. They suggest, for example, collecting public input via the Internet (using codes to identify the respondents on whom the cameras will have the greatest impact). They propose an auditing system whereby these systems and their usage is reviewed. As the video streams become digital, they suggest using layers of abstraction of the resulting data to limit what can be identified in a given image. "Information not pertinent to the task in hand," they write hopefully, "can be abstracted out leaving only the necessary information in the image." They go on into more detail about this, along with a lengthy discussion of facial recognition.

The most depressing thing of all: none of this will ever happen, and for two reasons. First, no government seems to have the slightest qualm of conscience about installing surveillance systems. Second, the mass populace don't seem to care enough to demand these sorts of protections. If these protections are to be put in place at all, it must be done by technologists. They must design these systems so that it's easier to use them in privacy-protecting ways than to use them in privacy-invasive ways. What are the odds?

As for the camera on my windowsill, I told my neighbour after some thought that they could have it there for a maximum of a couple of weeks to establish whether the end of my street was actually being used as an escape route. She said something about getting back to me when something or other happened. Never heard any more about it. As far as I am aware, my street is still unsurveilled.

Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

October 12, 2007

The permission-based society

It was Edward Hasbrouck who drew my attention to a bit of rulemaking being proposed by the Transportation Security Agency. Under current rules, if you want to travel on a plane out of, around, into, or over the US you buy a ticket and show up at the airport, where the airline compares your name and other corroborative details to the no-fly list the TSA maintains. Assuming you're allowed onto the flight, unbeknownst to you, all this information has to be sent to the TSA within 15 minutes of takeoff (before, if it's a US flight, after if it's an international flight heading for the US).

Under the new rules, the information will have to arrive at the TSA 72 hours before the flight takes off – after all, most people have finalised their travel plans by that time, and only 7 to 10 percent of itineraries change after that – and the TSA has to send back an OK to the airline before you can be issued a boarding pass.

There's a whole lot more detail in the Notice of Proposed Rulemaking, but that's the gist. (They'll be accepting comments until October 22, if you would like to say anything about these proposals before they're finalised.)

There are lots of negative things to say about these proposals – the logistical difficulties for the travel industry, the inadequacy of the mathematical model behind this (which at the public hearing the ACLU's Barry Steinhardt compared to trying to find a needle in a haystack by pouring more hay on the stack), and the privacy invasiveness inherent in having the airlines collect the many pieces of data the government wants and, not unnaturally, retaining copies while forwarding it on to the TSA. But let's concentrate on one: the profound alteration such a scheme will make to American society at large. The default answer to the question of whether you had the right to travel anywhere, certainly within the confines of the US, has always been "Yes". These rules will change it to "No".

(The right to travel overseas has, at times, been more fraught. The folk scene, for example, can cite several examples of musicians who were denied passports by the US State Department in the 1950s and early 1960s because of their left-wing political beliefs. It's not really clear to me why the US wanted to keep people whose views it disapproved of within its borders but some rather hasty marriages took place in order to solve some of these immigration problems, though everyone's friends again now and it's fresh passports all round.)

Hasbrouck, Steinhardt, and EFF founder John Gilmore, who sued the government over the right to travel anonymously within the US, have all argued that the key issue here is the right to assemble guaranteed in the First Amendment. If you can't travel, you can't assemble. And if you have to ask permission to travel, your right of assembly is subject to disruption at any time. The secrecy with which the TSA surrounds its decision-making doesn't help.

Nor does the amount of personal data the TSA is collecting from airline passenger name records. The Identity Project's recent report on the subject highlights that these records may include considerable detail: what books the passenger is carrying, what answer you give when asked where you've been or are going, names and phone numbers given as emergency contacts, and so on. Despite the data protection laws, it isn't always easy to find out what information is being stored; when I made such a request of US Airways last year, the company refused to show me my PNR from a recent flight and gave as the reason: "Security." Civilisation as we know it is at risk if I find out what they think they know about me? We really are in trouble.

In Britain, the chief objections to the ID card and, more important, the underlying database, have of course been legion, but they have generally focused on the logistical problems of implementing it (huge cost, complex IT project, bound to fail) and its general privacy-invasiveness. But another thing the ID card – especially the high-tech, biometric, all-singing, all-dancing kind – will do is create a framework that could support a permission-based society in which the ID card's interaction with systems is what determines what you're allowed to do, where you're allowed to go, and what purchases you're allowed to make. There was a novel that depicted a society like this: Ira Levin's This Perfect Day, in which these functions were all controlled by scanner bracelets and scanners everywhere that lit up green to allow or red to deny permission. The inhabitants of that society were kept drugged, so they wouldn't protest the ubiquitous controls. We seem to be accepting the beginnings of this kind of life stone, cold sober.

American children play a schoolyard game called "Mother, May I?" It's one of those games suitable for any number of kids, and it involves a ritual of asking permission before executing a command. It's a fine game, but surely it isn't how we want to live.


Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

September 28, 2007

Anything worth having is worth cheating for

How can you tell if someone is lying? The American civil rights lawyer Alan Dershowitz said during the OJ Simpson trial that even though we all want to believe we can, most people can't. That, he said, is why we must always look at the evidence.

I was thinking about this last week, when the cyclist Floyd Landis was stripped of his 2006 Tour de France title after an arbitration panel ruled two to one to uphold a two-year suspension after testing positive for synthetic testosterone. In his book, Positively False, Landis does a better job than you might expect of casting doubt on the test's validity. But the ritual public shaming will proceed unabated.

These morality plays cover no one with glory, least of all Dick Pound, the self-righteous, moralizing head of the World Anti-Doping Agency who sees all things in black and white.

Take, for example, his comment in the case of tennis player Mariano Puerta, the 2005 French Open finalist: ""You're dealing with somebody who's tested positive twice in less than two years and clearly doesn't think the rules apply to him."

Puerta's second positive test, which got him a two-year suspension and forfeiture of the money and ranking points he won at that French Open, was for traces of etilefrine so slight that the tribunal hearing the case agreed there was no performance-enhancing benefit he could have derived from it. The tribunal was slightly skeptical of Puerta's story, which was that etilefrine is a component of a medication his wife takes for low blood pressure and they must have switched glasses. But there was enough doubt to reduce his suspension from eight years to two.

Puerta's first positive test was for clenbuterol, administered for an asthma attack. The tribunal agreed that the only performance-enhancing benefit he derived from it was not being dead. Under the rules they had no choice but to suspend him. They made it as short and painless as possible, given the circumstances. Pound's attitude does nothing to win hearts and minds.

There's no question that a lot of lethal stuff is going on: this week the Drug Enforcement Administration mounted a comprehensive steroids raid that shut down 26 underground labs, made more than 50 arrests, and identified major suppliers in China. Surely high-profile top athletes with million-dollar endorsements are not buying their steroids online via hot tips from strangers on MySpace. The military and police that Pound, in his book Inside Dope pegs as heavy users also surely have better sources. It's worse: these steroids are (or were) being sold over the Internet to amateur bodybuilders and high school kids.

But it is arguable that this underground distribution network is a logical by-product of the anti-doping empire that has been built up since Ben Johnson's 1988 disqualification from the Seoul Olympics, just as Prohibition created the Mafia in the form of friendly bootleggers. The steroid message boards now are filled with warnings not to buy anything for a while.

Landis has, I think legitimately, pointed out flaws in the anti-doping system as it's presently constituted. For one thing, its courts are not governed by the due process and civil liberties that normally apply. The testing regime is privacy-invasive: urine or blood samples may be demanded at any time, without notice, and a missed test is treated as a positive test. In the case of a positive test, athletes can only call on assistance from experts who are not part of the WADA system – which means almost all the experts on the subject. Finally, the system is set up to presume guilt.

Based on experience, that may seem reasonable. There's no doubt cycling has a serious drug problem: Reading the former soigneur Willy Voet's 2000 Breaking the Chain is sufficient to show that. If you need more, read David Walsh's From Lance to Landis, Paul Kimmage's Rough Ride, or Werner Reiterer's Positive. Baseball player Jose Canseco's Juiced makes it clear that underneath many sports welcome the results. In baseball, club owners have shrunk the size of parks to increase the rate of home runs – more excitement, more paying fans. Steroids do this, too, by as much as 50 to 100 percent, according to this calculation.

Professionalism in sports has brought with it early entry, better training methods, and better nutrition, plus the freedom from other work that allows full-time effort. But American team sports like football, baseball, and hockey have been professional for a long time, and yet the change in body shapes in the last decade or two is striking.

Even so: in other areas of law enforcement it isn't enough to *know* someone is guilty, and the technicalities of how the law is applied do matter. Every year WADA expands its reach, into new sports, into new tests, into new areas of sport, including amateur competitions. We are creating the framework for an international legal system in which any legal issues to do with an ever-changing list of drugs and doping techniques are controlled by a single non-democratic organisation with multinational government funding that makes and administers its own laws. Is this what people mean by "clean sport"?

Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

September 21, 2007

The summer of lost hats

I seem to have spent the summer dodging in and out of science fiction novels featuring four general topics: energy, security, virtual worlds, and what someone at the last conference called "GRAIN" technologies (genetic engineering, robotics, AI, and nanotechnology). So the summer started with doom and gloom and got progressively more optimistic. Along the way, I have mysteriously lost a lot of hats. The phenomena may not be related.

I lost the first hat in June, a Toyota Motor Racing hat (someone else's joke; don't ask) while I was reading the first of many very gloomy books about the end of the world as we know it. Of course, TEOTWAWKI has been oft-predicted, and there is, as Damian Thompson, the Telegraph's former religious correspondent, commented when I was writing about Y2K – a "wonderful and gleeful attention to detail" in these grand warnings. Y2K was a perfect example: a timetable posted to comp.software.year-2000 had the financial system collapsing around April 1999 and the cities starting to burn in October…

Energy books can be logically divided into three categories. One, apocalyptics: fossil fuels are going to run out (and sooner than you think), the world will continue to heat up, billions will die, and the few of us who survive will return to hunting, gathering, and dying young. Two, deniers: fossil fuels aren't going to run out, don't be silly, and we can tackle global warming by cleaning them up a bit. Here. Have some clean coal. Three, optimists: fossil fuels are running out, but technology will help us solve both that and global warming. Have some clean coal and a side order of photovoltaic panels.

I tend, when not wracked with guilt for having read 15 books and written 30,000 words on the energy/climate crisis and then spent the rest of the summer flying approximately 33,000 miles, toward optimism. People can change – and faster than you think. Ten years ago, you'd have been laughed off the British isles for suggesting that in 2007 everyone would be drinking bottled water. Given the will, ten years from now everyone could have a solar collector on their roof.

The difficulty is that at least two of those takes on the future of energy encourage greater consumption. If we're all going to die anyway and the planet is going inevitably to revert to the Stone Age, why not enjoy it while we still can? All kinds of travel will become hideously expensive and difficult; go now! If, on the other hand, you believe that there isn't a problem, well, why change anything? The one group who might be inclined toward caution and saving energy is the optimists – technology may be able to save us, but we need time to create create and deploy it. The more careful we are now, the longer we'll have to do that.

Unfortunately, that's cautious optimism. While technology companies, who have to foot the huge bills for their energy consumption, are frantically trying to go green for the soundest of business reasons, individual technologists don't seem to me to have the same outlook. At Black Hat and Defcon, for example (lost hats number two and three: a red Canada hat and a black Black Hat hat), among all the many security risks that were presented, no one talked about energy as a problem. I mean, yes, we have all those off-site backups. But you can take out a border control system as easily with an electrical power outage as you can by swiping an infected RFID passport across a reader to corrupt the database. What happens if all the lights go out, we can't get them back on again, and everything was online?

Reading all those energy books changes the lens through which you view technical developments somewhat. Singapore's virtual worlds are a case in point (lost hat: a navy-and-tan Las Vegas job): everyone is talking about what kinds of laws should apply to selling magic swords or buying virtual property, and all the time in the back of your mind is the blog posting that calculated that the average Second Life avatar consumes as much energy as the average Brazilian. And emits as much carbon as driving an SUV for 2,000 miles. Bear in mind that most SL avatars aren't figured up that often, and the suggestion that we could curb energy consumption by having virtual conferences instead of physical ones seems less realistic. (Though we could, at least, avoid airport security.) In this, as in so much else, the science fiction writer Vernor Vinge seems to have gotten there first: his book Marooned in Real Time looks at the plight of a bunch of post-Singularity augmented humans knowing their technology is going to run out.

It was left to the most science fictional of the conferences, last week's Center for Responsible Nanotechnology conference (my overview is here) to talk about energy. In wildly optimistic terms: technology will not only save us but make us all rich as well.

This was the one time all summer I didn't lose any hats (red Swiss everyone thought was Red Cross, and a turquoise Arizona I bought just in case). If you can keep your hat while all around you everyone is losing theirs…

Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

August 31, 2007

Snouting for bandwidth

Our old non-friend Comcast has been under fire again, this time for turning off Internet access to users it deems to have used too much bandwidth. The kicker? Comcast won't tell those users how much is too much.

Of course, neither bandwidth caps nor secrecy over what constitutes heavy usage is anything new, at least in Britain. ntl brought in a 1Gb per day bandwidth cap as long ago as 2003. BT began capping users in 2004. And Virgin Media, which now owns ntl and apparently every other cable company in the UK, is doing it, too.

As for the secrecy, a few years ago when "unlimited" music download services were the big thing, it wasn't uncommon to hear heavy users complain that they'd been blocked for downloading so much that the service owner concluded they were sharing the account. (Or, maybe hoarding music to play later, I don't know.) That was frustrating enough, but the bigger complaint was that they could never find out how much was too much. They would, they said, play by the rules – if only someone would tell them what those rules were.

This is the game Comcast is now playing. It is actually disconnecting exceptionally heavy users – and then refusing to tell them what usage is safe. Internet service, as provided by Franz Kafka. The problem is that in a fair number of areas of the US consumers have no alternative if they want broadband. Comcast owns the cable market, and DSL provision is patchy. The UK is slightly better off: Virgin Media now owns the cable market, but DSL is widespread, and it's not only sold by BT directly but also by smaller third parties under a variety of arrangements with BT's wholesale department.

I am surprised to find I have some – not a lot, but some – sympathy with Comcast here. I do see that publishing the cap might lead to the entire industry competing on how much you can download a month – which might in turn lead to everyone posting the "unlimited" tag again and having to stick with it. On the other hand, as this Slashdot comment says, subscribers don't have any reliable way of seeing how much they actually are downloading. There is no way to compare your records with the company's equivalent to balancing your check book. But at least you can change banks if the bank keeps making mistakes or your account is being hacked. As already noted, this isn't so much of an option for Comcast subscribers.

This type of issue is resurfacing in the UK as a network neutrality dispute with the advent of the BBC's iPlayer. Several large ISPs want the BBC to pay for bandwidth costs, perhaps especially because its design makes it prospectively a bandwidth hog. It's an outrageous claim when you consider that both consumers and the BBC already pay for their bandwidth.

Except…we don't, quite. The fact is that the economics of ISPs have barely changed since they were all losing money a decade ago. In the early days of the UK online industry, when the men were men, the women were (mostly) men, and Demon was the top-dog ISP, ISPs could afford to offer unlimited use of their dial-up connections for one very simple reason. They knew that the phone bills would throw users offline: British users paid by the minute for local calls in those days. ISPs could, therefore, budget their modem racks and leased lines based on the realistic assessment that most of their users would be offline at any given time.

Cut to today. Sure, users are online all the time with broadband. But most of them go out to work (or, if they're businesses, go home at night), and heavy round-the-clock usage is rare. ISPs know this, and budget accordingly. Pipes from BT are expensive, and their size is, logically, enough, specified based on average use. There isn't a single ISP whose service wouldn't fall over if all its users saturated all their bandwidth 24/7. And at today's market rates, there isn't a single ISP who could afford to provide a service that wouldn't fall over under that level of usage. If an entire nation switches even a sizable minority of its viewing habits to the iPlayer ISPs could legitimately have a problem. Today's bandwidth hogs are a tiny percentage of Internet users, easily controlled. Tomorrow's could be all of us. Well, all of us and the FBI.

Still, there really has to be a middle ground. The best seems to be the ideas in the Slashdot posting linked about: subscribers should be able to monitor the usage on their accounts. Certainly, there are advantages to both sides in having flexible rules rather than rigid ones. But the ultimate sanction really can't be to cut subscribers off for a year, especially if they have no choice of supplier. If that's how Comcast wants to behave, it could at least support plans for municipal wireless. Let the burden of the most prolific users of the Internet, like those of health care, fall on the public purse. Why not?


Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

July 27, 2007

There ain't no such thing as a free Benidorm

This has been the week for reminders that the border between real life and cyberspace is a permeable blood-brain barrier.

On Wednesday, Linden Labs announced that it was banning gambling in Second Life. The resentment expressed by some of SL residents is understandable but naive. We're not at the beginning of the online world any more; Second Life is going through the same reformation to take account of national laws as Usenet and the Web did before it.

Second, this week MySpace deleted the profiles of 29,000 American users identified as sex offenders. That sounds like a lot, but it's a tiny percentage of MySpace's 180 million profiles. None of them, be it noted, are Canadian.

There's no question that gambling in Second Life spills over into the real world. Linden dollars, the currency used in-world, have active exchange rates, like any other currency, currently running about L$270 to the US dollar. (When I was writing about a virtual technology show, one of my interviewees was horrified that my avatar didn't have any distinctive clothing; she was and is dressed in the free outfit you are issued when you join. He insisted on giving me L$1,000 to take her shopping. I solemnly reported the incident to my commissioning editor, who felt this wasn't sufficiently corrupt to worry about: US$3.75! In-world, however, that could buy her several cars.) Therefore: the fact that the wagering takes place online in a simulated casino with pretty animated decorations changes nothing. There is no meaningful difference between craps on an island in Second Life and poker on an official Web-based betting site. If both sites offer betting on real-life sporting events, there's even less difference.

But the Web site will, these days, have gone through considerable time and money to set up its business. Gaming, even outside the US, is quite difficult to get into: licenses are hard to get, and without one banks won't touch you. Compared to that, the $3,800 and 12 to 14 hours a day Brighton's Anthony Smith told Information Week he'd invested in building his SL Casino World is risibly small. You have to conclude that there are only two possibilities. Either Smith knew nothing about the gaming business - if he did, he know that the US has repeatedly cracked down on online gambling over the last ten years and that ultimately US companies will be forced to decide to live within US law. He'd also have known how hard and how expensive it is to set up an online gambling operation even in Europe. Or, he did know all those things and thought he'd found a loophole he could exploit to avoid all the red tape and regulation and build a gaming business on the cheap.

I have no personal interest in gaming; risking real money on the chance draw of a card or throw of dice seems to me a ridiculous waste of the time it took to earn it. But any time you have a service that involves real money, whether that service is selling an experience (gaming), a service, or a retail product, when the money you handle reaches a certain amount governments are going to be interested. Not only that, but people want them involved; people want protection from rip-off artists.

The MySpace decision, however, is completely different. Child abuse is, rightly, illegal everywhere. Child pornography is, more controversially, illegal just about everywhere. But I am not aware of any laws that ban sex offenders from using Web sites, even if those Web sites are social networks. Of course, in the moral panic following the MySpace announcement, someone is proposing such a law. The MySpace announcement sounds more like corporate fear (since the site is now owned by News International) than rational response. There is a legitimate subject for public and legislative debate here: how much do we want to cut convicted sex offenders out of normal social interaction? And a question for scientists: will greater isolation and alienation be effective strategies to keep them from reoffending? And, I suppose, a question for database experts: how likely is it that those 29,000 profiles all belonged to correctly identified, previously convicted sex offenders? But those questions have not been discussed. Still, this problem, at least in regards to MySpace, may solve itself: if parents become better able to track their kids' MySpace activities, all but the youngest kids will surely abandon it in favour of sites that afford them greater latitude and privacy.

A dozen years ago, John Perry Barlow (in)famously argued that national governments had no place in cyberspace. It was the most hyperbolic demonstration of what I call the "Benidorm syndrome": every summer thousands of holidaymakers descend on Benidorm, in Spain, and behave in outrageous and sometimes lawless ways that they would never dare indulge in at home in the belief that since they are far away from their normal lives there are no consequences. (Rinse and repeat for many other tourist locations worldwide, I'm sure.) It seems to me only logical that existing laws apply to behaviour in cyberspace. What we have to guard against is deforming cyberspace to conform to laws that don't exist.


Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

July 13, 2007

Constitutional convention

One of the things that surprises outsiders most about Britain is that there is no written constitution. I can only judge what that discovery is like for an American, and in the US in particular our written constitution is regarded with such reverence that the notion of not having one is kind of shocking.

There have been various efforts to change this situation. The best known in the time I've been hanging around Britain is, or was, Charter 88. Founded (logically enough) in 1988, the group seemed to fizzle out in the 1990s, though apparently not entirely. The ideas didn't die, in any case, and the dear departed Blair had been making constitutional noises, and now his replacement, Gordon Brown, has made a commitment to constitutional reform.

Wednesday, July 18, therefore, sees the first of what will doubtless be a series of events at the LSE, organized by Fellows Simon Davies and Gus Hosein and featuring a raft of interesting speakers: Exploring options for the process of constitutional change. The project, known as Future Britain, will launch its Web site on Monday, July 16.

It was only after I'd been living in Britain for a while that it occurred to me that the unwritten constitution is that most quintessentially British thing, a gentleman's agreement. The principles by which Britain is governed have accreted over nine centuries, and for much of that time the people in charge of making decisions based on those principles were in fact gentlemen. I always had the sense that Britons regarded our constant American perusal of the Constitution's text as rather childish, a petty, dogmatic insistence on the exact terms of our written contract. Grown-ups trust each other.

Things are of course different now. The country is no longer so homoegeneous; you can't count on the people in charge of making laws to be gentlemen. It was, I think, no coincidence that Charter 88 started up during Margaret Thatcher's years as Prime Minister. She did things that would simply not be possible under the American Constitution, mostly notably abolishing the Greater London Council and several other local governments. That was the moment when I understood just how centralized British government is. It was, or had been, inconceivable to me that in an old and famous democracy a properly elected leader could be deposed in such a way. What was even more amazing was that despite a few protests, these actions were accepted and the country went on as usual. There is no local government if it can be abruptly terminated in that single-handed way, only delegated authority. Britain, I learned from that, is an elected dictatorship.

Writing down a constitution is not the same as reforming one. A constitution is not a blueprint; it has to be flexible enough and general enough in its principles to be adaptable to changing conditions. One of the significant failures of the US Constitution in today's world is that the Founding Fathers left no room for controlling large, multinational corporations. It would not have mattered that there were no such things in the 18th century if they had simply allowed for the possibility of third-party private interests of economic power. But they thought they had it covered when they put in the clause to separate church and state, since at the time the church was the only multinational corporation in town.
Brown's list of desired reforms does not make the kind of deep-rooted change that Charter 88 was calling for. The case for that is made on Open Democracy, by Neal Ascherson, who argues that this is really just an English problem.

The US Constitution, when I read it now, seems to me to be focused on prohibiting the kinds of abuses its drafters had experienced. Separating church and state, limiting the power of government to interfere in individuals' lives, guaranteeing freedom of speech and of assembly – these all speak of bitter experience. Ascherson's argument seems to suggest that something similar happened in creating Britain's undocumented government: the abuse to overthrow was the power of the king. Parliamentary absolutism was an adequate answer. Even the US's Founding Fathers didn't trust the people unless they were sufficiently wealthy land-owning men.

And that's the thing about constitutions: they are not enough by themselves even if they are written down. This point was made to me by the Campaign to Separate Church and State when I was living in Ireland in the late 1980s. The lifetime of the Irish constitution is still measured in decades, and the clause guaranteeing freedom of religion clearly meant the freedom to be Catholic after centuries of British Protestant rule. It did not guarantee equality for atheists, agnostics, or even Jews. So the broader point my Irish friends made was that the constitutional guarantee was meaningless without supporting legislation to enforce it. A constitution is, therefore, only a beginning.

As a foreigner, I don't think it's up to me to say what a British – or English – constitution should be. But I do know it shouldn't be written by the elected dictatorship in power. To have meaning, a constitution must be written by the people. It's our chance to devise a governmental design to which we give consent.

Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

June 22, 2007

Many hidden returns

This week, the Open Rights Group released its report on the May 7 electronic voting pilots, conducted during by-elections in various locations in England and across all of Scotland. ORG observed these as closely as it could through the eyes of 25 volunteers.

Much of the report should be familiar to anyone who's read about similar trials and pilot projects in the US and elsewhere (especially the UK's own 2003 trials). There were technical problems when equipment failed or had to be rebooted. There were people problems, when both voters and officials were uncertain how to make machines work. There were security issues, as when ORG observers found PCs and switches with open ports and no one watching them. And there were design problems, when ballot layouts confused voters into spoiling ballots. Sound familiar?

More than that, the process of tallying votes just isn't transparent. At some point in the process, a miracle occurred and numbers were produced. Anti-evoting activists have been talking about "black box voting" for years, and here it was, live and in the silicon.

Probably no one expected ORG to come away from the trials glowing with enthusiasm about the technology. But the group put a significant amount of effort into observing the process and reporting fairly what it saw. The report needs to be taken seriously by the people in charge of choosing how we vote.

The job for the observers, from the sounds of it, wasn't easy. Rules were inconsistent, inconsistently applied, and subject to abrupt change. My favourite was the constituency that apparently got its security advice from someone used to working with banks: they were told not to let anyone see the screens of the laptops. But the whole point of elections is to make the process publicly accountable – which means the nuts and bolts need to be visible.
Curiously enough, it may be the black-box nature of these systems that kills them after all, just not for the reason we always thought.

If there is one consistent refrain throughout the mad rush to move ballot boxes inside computers it's that new technology will engage a new generation of currently disaffected voters. One of the most intriguing observations to come out of the Open Rights Group's report on the recent e-voting trials, therefore, is: "People passionate about local politics were consistently being turned off by the e-voting and e-counting pilot counts in areas observed" (p20).

People who don’t' care that much may just want the counts. But if you're a politician running for office, his agent, or one of the dozens (or thousands) of people who participated in the political process by campaigning for him or who cares about specific issues, just getting the count out of a black box is as much missing the point as watching a tennis match by looking up the final score on the Internet. Worse, since what's at stake is who runs the country (rather an Oscar or a trophy), you need to have confidence that the count has some relation to how people actually voted. If I lived in any of the constituencies where these pilots took place, I'd be demanding they rerun the election.

That might be the thing that kills it, more than the security problems or any philosophical problem the general public might have with privatizing voting. Without passionate supporters there would be no candidates.
Politics, sports, and entertainment all face the same challenge of engaging fans. The lesson from sports in particular is that the more detail you give fans the more obsessive they become. If there were some way to project each ballot, one at a time, on a giant screen, without destroying the secrecy of individual ballots, maybe every election would have the magnetic quality of Bush vs. Gore 2000. It would be quite a show, especially if people had the option of standing up at a microphone and explaining just why they voted the way they did. How's that for public access TV?

As things were, electronic counting meant agents, candidates, and various others couldn't tell what was going on. Internet voters can't be interviewed on existing the poll station, so local parties can't get a sense of how the vote is going. The campaigners who show up on people's doorsteps to get out the vote don't know whose doorsteps to canvass. This may not seem like much of a loss. But, as ORG points out, one way candidates have traditionally decided whether to ask for a recount is by comparing the posted returns with the information the parties have worked to compile throughout the day. (For US voters: after you exit UK polling areas you typically find party representatives conducting exit polls.)

I'm not convinced that the end users – that is, the voters – count for much in any of this. So far, the best efforts of computer scientists, hackers, and activists have had little success in trying to turn back the clock to pencil and paper or other forms of tried and trusted technology. \But if the insiders don't like it – the politicians who award funds, the parties who elect them – there might just be a chance it won't fly permanently. If so, they'd better act now, before the vendors become big enough to own us all.

Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

May 11, 2007

The Blair we left behind

So, he's gone, or almost.

Ten years is a long time for anyone to remain in power. Blair hasn't quite made it as long as Margaret Thatcher did, but by virtue of the UK's different ways in electing the people who fill its top office it's longer than either Reagan or Bush II. There are children who don't remember what it was like to have the Conservatives in power. And so on.

What's startling in reading the reviews is that although at least some of them do point out how unpopular Blair has been in recent years and point the finger squarely at his policies on Iraq, they generally tend to praise the state in which he's left Britain. What none of these seem to mention is the significant erosion of civil liberties under Blair's time in office. The Britain he leaves is considerably less democratic than the one he inherited.

The most obvious symptom of this is the national ID card, whose acknowledged cost has now reached the £6 billion the LSE report (PDF) predicted – with, no doubt, considerably more to come. The project may yet founder under the weight of its own technological aspirations. But it seems to have been designed to be maximally privacy invasive. Blair also selected as the card's champions first Jack Straw (who used the 9/11 attacks as an excuse to attack those of us who were key escrow); then David Blunkett, who essentially became addicted to the idea; and then Charles Clarke…all, we suppose, in the intersets of proving that Labour was tougher on crime than the Conservatives.

The justification for implementing the card – and the massive databases behind it – has changed over the five years since it was first proposed, but the desire to do it has not. With or without the ID card, Blair leaves behind biometrics in passports – but that we can blame on the International Civil Aeronautics Organization.

Blair talked about making Britain a leader in ecommerce. But first we had lengthy wrangles over key escrow, which eventually even Blair admitted was a mistake, and then we had the achingly slow growth of broadband.

We also had the passage of the Regulation of Investigatory Powers Act in 2000, and the Anti-terrorism, Crime, and Security Act in 2001, the latter passed with unseemly haste after 9/11. Taken together, the two provide law enforcement and the security services with the right to intercept communications or demand data retention, which itself has been the subject of another very long battle. ISPs have universally argued against it; Blair's government has refused to listen.

Yes, Blair's government brought in a Freedom of Information Act – but its availability keeps narrowing. The latest: Blair refuses to condemn proposals to exempt Parliament from it. These are our public servants. Supposedly.

Blair was also for involving faith organizations in policy-making and supported faith schools.

There have also been hotly disputed changes to legislation such as the Police and Criminal Evidence act (1984, revised 2003, and being reviewed again right now – comments to the consultation are due May 31).

During Blair's time in office the right to silence was diluted. You have the right to remain silent under arrest and questioning, to be sure, but if you do the judge and jury at your eventual trial are allowed to infer guilt from your silence.

During Blair's time, CCTV cameras have proliferated everywhere, making Londoners likely to be captured upwards of 200 times a day on camera. This government brought in anti-social behaviour orders, which opponents argue can easily be abused.

And so on, without a clear idea whether any of it is effective (PDF).

But probably the most insidious legacy Blair leaves behind is an important change in the way legislation and policy are enacted. Much new legislation – RIPA and ATCS are cases in point – is now drafted with the details left for secondary legislation that does not require a return to Parliamentary debate. The impact of legislation may be very different depending on how those details are laid out, and removing them from the debate bypasses the democratic process.

The second, the way policy is devised, is a game many countries now play: policy laundering. The game goes something like this. The US wants, say, biometrics in passports, and the UK likes the idea, too. The UK proposes it and when people object the government says, no choice, gotta have it, or the US won't let Brits into their country. When this gets old, they get the idea adopted by, say, ICAO – and thereafter they can say, no choice, it is an international standard mandated by this authority and agreed upon by all these other countries.

Of course these initiatives are not solely Blair's ideas; these proposals are showing up everywhere. But isn't the point of a good leader to resist bad ideas?

Blair was a nominee for "Worst Public Official" in Privacy International's global Big Brother awards. You can argue some geocentrism there, since PI is based in London. Still, here's what they said his credentials were: "his relentless work over ten years to expand the UK into the greatest surveillance society amongst democratic nations".

It's the "democratic" that gets you. There are plenty of countries whose leaders make Blair look like a moderate. But most of them, that's what you expect.

Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

April 20, 2007

Green spies

Some months back I blogged a breakdown of the various fees that are added on to each airline ticket and tagged it "What we're paying." A commenter took issue: society at large, he wrote, was paying a good deal more than that for my evil flying habits, and I shouldn't be going to Miami anyway. He had a point. What's offending one niece by missing her wedding? I have more.

The intemperateness of the conversation is the kind of thing smokers used to get from those who've already quit.
Just how acrimonious the whole thing is getting was brought home to me this week when Ian Angell surfaced to claim that it is not really possible to be a privacy advocate and an environmentalist at the same time. Of course, Angell was in part just trying to make trouble and get people arguing. But he says he has a serious point.

"The green issues are providing a moral justification for the invasion of privacy," he says, "and the green lobby must take it on board as part of what they're doing. And the fact that they're not taking it on board makes them guilty."

I wouldn't go that far – I do not think you can blame people for unintended consequences. But there are a number of proposals floating around in the UK that could provide yet more infrastructure for endemic surveillance, even if the intention at the moment is to protect the environment.

For example: the idea of the personal carbon allowance, first mooted in 2005 with the notion that it could be linked to the ID card. Last July, environment minister, David Miliband, proposed issuing swipe cards to all consumers, which you'd have to produce whenever you bought anything like petrol or heating – or plane tickets. That at least would give me ammunition against my blog commenter, because other than flying my carbon footprint is modest. In fact, we could have whole forums of moral superiors boasting about how few carbon points they used, like we now have people who boast about how early they get up in the morning. And we could have billboards naming and shaming those who – oh, the horror – had to buy extra carbon points, like they do for TV license delinquents.

Or take the latest idea in waste management, the spy bin fitted with a microchip sensor that communicates with the garbage truck to tell your local council how much you've contributed to the landfill. Given the apparent eagerness of manufacturers to enhance their packaging with RFID chips, this could get really interesting over time.

This is also a country where the congestion charge – a scheme intended to reduce the amount of traffic in central London – is enforced by cameras that record the license plates of every vehicle as it crosses the border. Other countries have had road tolls for decades, but London's mayor, formerly known as "Red Ken" Livingstone because of his extreme left-wing leanings, chose the most privacy-invasive way to do it. Proposals for nationwide road charging follow the same pattern, although the claim is that there will be safeguards against using the installed satellite tracking boxes to actually track motorists. Why on earth is this huge infrastructure remotely necessary? We already have per-mile road use charging. It's called buying fuel.

Privacy International's executive director, Simon Davies, points out that none of these proposals – nor those to expand the use of CCTV (talking cameras!) – are supported by research to show how the environment will benefit.

Of course, if there's one rule about environmentalism it is, as Angell says, "The best tax is the tax the other guy pays." Personally, I'd ban airconditioning; it doesn't get that hot in the UK anyway, and a load of ceiling fans and exhaust fans would take care of all but the most extreme cases of medical need. It certainly does seem ironic that just at the moment when everyone's getting exercised about saving energy and global warming – they're all putting in airconditioning so cold you have to carry a sweater with you if you go anywhere in the "summer".

So, similarly, when Angell says there are "straightforward, immediate answers" he's perfectly right. The problem is they'll all enrage some large group of businesses. "You could reduce garbage by 80 percent by banning packaging in shops. We are squabbling about tiny little changes when quite substantial changes are just not on the cards."
And then, he adds, "They jump on airline travel because you can bump up the taxes and it's morally justified."

I am convinced, however, that it's possible to be a privacy advocate and an environmentalist simultaneously. This is a type of issue that has come up before, most notably in connection with epidemiology. If you make AIDS a notifiable disease you make it easier to track the patterns of infection and alert those most at risk; but doing so invades patient privacy. But in the end, although Angell's primary goal was to stir up trouble, he's right to say that environmentalists need to ensure that their well-meaning desire to save the planet is not hijacked. Or, he says, "they will be blamed for the taxation and the intrusion."

Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

March 23, 2007

Double the networks, double the neutralities

Back in 1975, the Ithaca, New York apartment building I was living in had a fire in the basement, and by the time it was out so was my telephone line. The repairman's very first move was to disconnect the $3 30-foot cable I had bought at K-Mart and confiscate it. At the time, AT&T's similar cable cost $25.

In fact, by then AT&T had no right to control what equipment you attached to your phone line because of the Carterfone case, in which the FCC ruled against AT&T's argument that it had to own all the equipment in order to ensure that the network would function properly. But this is how the telco world worked; in Edinburgh in 1983 legally you could only buy a modem from British Telecom. I think it cost about £300 – for 300 baud. Expensive enough that I didn't get online until 1990.

Stories like this are part of why the Internet developed the way it did: the pioneers were determined to avoid a situation where the Internet was controlled like this. In the early 1980s, when the first backbone was being build in the US to connect the five NSF-funded regional computing centers, the feeling was mutual. John Connolly, who wrote the checks for a lot of that work, told me in an interview in 1993 that they had endless meetings with the telcos trying to get them interested, but those companies just couldn't see that there was any money in the Internet.
Well, now here we are, and the Internet is chewing up the telcos' business models and creating havoc for the cable companies who were supposed to be the beneficiaries, and so it's not surprising that the telcos' one wish is to transform the Internet into something more closely approximating the controlled world they used to love.

Which is how we arrived at the issue known as network neutrality. This particular debate has been percolating in the US for at least a year now, and some discussion is beginning in the UK. This week, at a forum held in Westminster on the subject, Ofcom and the DTI said the existing regulatory framework was sufficient.

The basic issue is, of course, money. The traditional telcos are not, of course, having a very good time of things, and it was inevitable that it would occur to some bright CEO – it turned out to be the head of Verizon – that there ought to be some way of "monetizing" all those millions of people going to Google, Yahoo!, and the other top sites. Why not charge a fee to give priority service? That this would also allow the telcos to discriminate against competitor VOIP services and the cablecos (chiefly Comcast) to discrminate against competing online video services is also a plus. These proposals are opposed not only by the big sites in question but by the usual collection of Net rights organization, who tend to believe all sites were created equal – or should be.
Ofcom – and others I've talked to – believes that the situation in the UK is different, in part because although most of the nation's DSL service is provided either directly or indirectly by BT that company has to be cooperative with its competitors or face the threat of regulation. The EU, however, is beginning to take a greater interest in these matters, and has begun legal proceedings against Germany over a law exempting Deutsche Telecom from opening the local loop of its new VDSL network to competitors.

But Timothy Wu, a law professor at Columbia and author of Who Controls the Internet: Illusions of a Borderless World, has pointed out that the current debates are ignoring an important sector of the market: wireless. The mobile market is not now, nor ever has been, neutral. It is less closed in Europe, where you can at least buy a phone and stick any SIM in it; but in the US most phones are hardware-locked to their networks, a situation that could hardly be less consumer-friendly. Apple's new iPod, for example, will be available through only one carrier, AT&T Wireless.

Wu's paper, along with the so-called "Carterfone" decision that forced AT&T to stop confiscating people's phone cords, is cited by Skype in a petition to get the FCC to require mobile phone operators to allow software applications open access. Skype's gripe is easy to comprehend: it can't get its service onto mobile phones. The operators' lack of interest in opening their networks is also easy to comprehend: what consumer is going to call on their expensive tariffs if they can use the Internet data connection to make cheap ones? Wu also documents other cases of features that are added or subtracted according to the network operators' demands: call timers (missing), wi-fi (largely absent), and Bluetooth (often crippled in the US).

The upshot is that because the two markets – wireless phones and the Internet – have developed from opposite directions, we have two network neutrality debates, not one. The wonder is that it took us so long to notice.

Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

February 23, 2007

Equal prizes

It's been quite a week for women. Wimbledon has announced equal prize money "across the board" for men and women, and a woman has won the Alan M Turing Award from the Association for Computing Machinery. (Please don't confuse that with passing the Turing test; Frances Allen is a pioneer in computer science, not a cleverly built robot.) That concrete pig a friend gave me as a sort of anti-garden gnome is adjusting his aviator goggles and getting ready to take flight.

In the scheme of things, a woman's winning the Turing Award ought to be the less surprising of the two events. Although few women make the mainstream news in computing, there have been enough of them in computing history that it surely had to happen. The All-England Club, which stages the Wimbledon tennis championships every year, is a private club that can do anything it wants, and has for years insisted that the surveys it's carried out show that the audience prefers men's tennis. (To which I say, "Who did you ask?") Anyway: the silly arguments are finally over now, and the best part of that is that we won't have to read the same debate every June. It had gotten boring. Twenty years ago.

The list of Turing Award winners includes some pretty impressive and famous people – Marvin Minsky and John McCarthy for artificial intelligence, Vint Cerf and Robert E. Kahn for the protocols underlying the Internet, Maurice Wilkes, who went on from designing and building the first computer with an internally stored program to inspire generations of computer scientists at Cambridge. The first female winner's work, like many of the other winners' is less familiar as it's in high-performance computing rather than something as mainstream as the Internet. It's not a sign of prejudice that she wasn't better known until now.

I wish I could say that Allen is the first of many. That's not clear. She's almost certainly the first of some. But the truly sad thing is that the numbers of women in computer science have been dropping steadily over the last decade or two, in both Britain and America (and other countries, too). I recently had occasion to interview Nigel Shadbolt, the head of the British Computer Society (the ACM's British equivalent), and he was quite open about it. He named several female BCS Fellows (a designation you need experience and kudos to get), and concluded, "They are there, but not in the numbers we'd like." Only 6 percent of BCS Fellows are women, though the BCS is determined to improve on that. (Bear in mind also that the average age of Fellows is 60, although it's beginning to drop as the generation who grew up with computers in their homes begin to take advantage of that substantial head start.)

Shadbolt blamed early socialising in schools, where girls get the message early that computer science is a hard career to juggle with the demands of any families they might want to have – and also that the geek image is not one you want to have if you're a girl.
Nonetheless, Shadbolt said the BCS numbers are getting a little better. Of the membership as a whole, 14 percent are women. But of the new members the BCS has been recruiting, 20 percent are female.

Does it matter?

Shadbolt thought so. "Modern IT is about social skills as much as technical skills," he told me.
That statement doesn't fill me with as much delight as it might, I'd rather hear that women are needed for their technical genius than the old saw about how they're better with people. Note that Allen has won her awards for fundamentally changing a technical field.

The odd thing is that there are more women in the history of computing than most people realize. Six female mathematicians programmed ENIAC. Contrary to today's idea that only young males could be obsessive enough to spend all that time with their computers, 50 years ago it was thought that only women had the patience to be programmers.

There are several reasons why it does matter to get women into computer science. The first is for the women themselves: why should they miss out on interesting, challenging careers because of some stupid stereotype? The second is simple numbers and applies to all the hard sciences: we need all the talented people we can get entering those fields. The third is practical: computers pervade every part of life. The greater the diversity of the people designing them, the better.

Daily Tennis points out today that equalizing prize money at Wimbledon, while an important gesture, goes only a small way to redress the prize money gap. The women's tour overall has 22 percent less prize money on offer than the men's (men, by the way, play almost exclusively three-set matches away from the Grand Slams), and the Wimbledon change goes only about 1 percent of the way towards narrowing that gap. The chief effect, therefore, is to make the All-England club stop looking like ante-diluvian, misogynist dorks.

Percentagewise Allen's win is smaller than that. But it will remind an entire generation of girls that it's cool to be a computer scientist,

Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

February 9, 2007

Getting out the vote

Voter-verified paper audit trails won't save us. That was the single clearest bit of news to come out of this week's electronic voting events.

This is rather depressing, because for the last 15 years it's looked as though VVPAT (as they are euphoniously calling it) might be something everyone could compromise on.: OK, we'll let you have your electronic voting machines as long as we can have a paper backup that can be recounted in case of dispute. But no. According to Rebecca Mercuri in London this week (and others who have been following this stuff on the ground in the US), what we thought a paper trail meant is definitely not what we're getting. This is why several prominent activist organisations have come out against the Holt bill HR811, introduced into Congress this week, despite its apparent endorsement of paper trails.

I don't know about you, but when I imagined a VVPAT, what I saw in my mind's eye was something like an IBM punch card dropping individually into some kind of display where a voter would press a key to accept or reject. Instead, vendors (who hate paper trails) are providing cheap, flimsy, thermal paper in a long roll with no obvious divisions to show where individual ballots are. The paper is easily damaged, it's not clear whether it will survive the 22 months it's supposed to be stored, and the mess is not designed to ease manual recounts. Basically, this is paper that can't quite aspire to the lofty quality of a supermarket receipt.

The upshot is that yesterday you got a programme full of computer scientists saying they want to vote with pencils and paper. Joseoph Kiniry, from University College, Dublin, talked about using formal methods to create a secure system – and says he wants to vote on paper. Anne-Marie Ostveen told the story of the Dutch hacker group who bought up a couple of Nedap machines to experiment on and wound up publicly playing chess on them – and exposing their woeful insecurity – and concluded, "I want my pencil back." And so on.

The story is the same in every country. Electronic voting machines – or, more correctly, electronic ballot boxes – are proposed and brought in without public debate. Vendors promise the machines will be accurate, reliable, secure, and cheaper than existing systems. Why does anyone believe this? How can a voting computer possibly be cheaper than a piece of paper and a pencil? In fact, Jason Kitcat, a longtime activist in this area, noted that according to the Electoral Commission the cost of the 2003 pilots were astounding – in Sheffield £55 per electronic vote, and that's with suppliers waiving some charges they didn't expect either. Bear in mind, also, that the machines have an estimated life of only ten years.

Also the same: governments lack internal expertise on IT, basically because anyone who understand IT can make a lot more money in industry than in either government or the civil service.

And: everywhere vendors are secretive about the inner workings of their computers. You do not have to be a conspiracy theorist to see that privatizing democracy has serious risks.

On Tuesday, Southport LibDem MP John Pugh spoke of the present UK government's enchantment with IT. "The procurers who commission IT have a starry-eyed view of what it can do," he said. "They feel it's a very 'modern' thing." Vendors, also, can be very persuasive (I'd like to see tests on what they put in the ink in those brochures, personally). If, he said, Bill Gates were selling voting machines and came up against Tony Blair, "We would have a bill now."

Politicians are, probably, also the only class of people to whom quick counts appeal. The media, for example, ought to love slow counts that keep people glued to their TV sets, hitting the refresh button on their Web browsers, and buying newspapers throughout. Florida 2000 was a media bonanza. But it's got to be hard on the guys who can't sleep until they know whether they have a job next month.

I would propose the following principles to govern the choice of balloting systems:

- The mechanisms by which votes are counted should be transparent. Voters should be able to see that the vote they cast is the vote they intended to cast,

- Vendors should be contractually prohibited from claiming the right to keep secret their source code, the workings of their machines, or their testing procedures, and they should not be allowed to control the circumstances or personnel under which or by whom their machines are tested. (That's like letting the psychic set the controls of the million-dollar test.)

- It should always be possible to conduct a public recount of individual ballots.

Pugh made one other excellent point: paper-based voting systems are mature. "The old system was never perfect," he said, but over time "we've evolved a way of dealing with almost every conceivable problem." Agents have the right to visit every polling station and watch the count, recounts can consider every single spoiled ballot. By contrast, electronic voting presumes everything will go right.

Guys, it's a computer. Next!

Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

January 26, 2007

Vote early, vote often...

It is a truth that ought to be universally acknowledged that the more you know about computer security the less you are in favor of electronic voting. We thought – optimists that we are – that the UK had abandoned the idea after all the reports of glitches from the US and the rather indeterminate results of a couple of small pilots a few years ago. But no: there are plans for further trials for the local elections in May.

It's good news, therefore, that London is to play host to two upcoming events to point out all the reasons why we should be cautious. The first, February 6, is a screening of the HBO movie Hacking Democracy, a sort of documentary thriller. The second, February 8, is a conference bringing together experts from several countries, most prominently Rebecca Mercuri, who was practically the first person to get seriously interested in the security problems surrounding electronic voting. Both events are being sponsored by the Open Rights Group and the Foundation for Information Policy Research, and will be held at University College London. Here is further information and links to reserve seats. Go, if you can. It's free.

Hacking Democracy (a popular download) tells the story of ,a href="http://www.blackboxvoting.org">Bev Harris and Andy Stephenson. Harris was minding her own business in Seattle in 2000 when the hanging chad hit the Supreme Court. She began to get interested in researching voting troubles, and then one day found online a copy of the software that runs the voting machines provided by Diebold, one of the two leading manufacturers of such things. (And, by the way, the company whose CEO vowed to deliver Ohio to Bush.) The movie follows this story and beyond, as Harris and Stephenson dumpster-dive, query election officials, and document a steady stream of glitches that all add up to the same point: electronic voting is not secure enough to protect democracy against fraud.

Harris and Stephenson are not, of course, the only people working in this area. Among computer experts such as Mercuri, David Chaum, David Dill, Deirdre Mulligan, Avi Rubin, and Peter Neumann, there's never been any question that there is a giant issue here. Much argument has been spilled over the question of how votes are recorded; less so around the technology used by the voter to choose preferences. One faction – primarily but not solely vendors of electronic voting equipment – sees nothing wrong with Direct Recording Electronic, machines that accept voter input all day and then just spit out tallies. The other group argues that you can't trust a computer to keep accurate counts, and that you have to have some way for voters to check that the vote they thought they cast is the vote that was actually recorded. A number of different schemes have been proposed for this, but the idea that's catching on across the US (and was originally promoted by Mercuri) is adding a printer that spits out a printed ballot the voter can see for verification. That way, if an audit is necessary there is a way to actually conduct one. Otherwise all you get is the machine telling you the same number over again, like a kid who has the correct answer to his math homework but mysteriously can't show you how he worked the problem.

This is where it's difficult to understand the appeal of such systems in the UK. Americans may be incredulous – I was – but a British voter goes to the polls and votes on a small square of paper with a stubby, little pencil. Everything is counted by hand. The UK can do this because all elections are very, very simple. There is only one election – local council, Parliament – at a time, and you vote for one of only a few candidates. In the US, where a lemon is the size of an orange, an orange is the size of a grapefruit, and a grapefruit is the size of a soccer ball, elections are complicated and on any given polling day there are a lot of them. The famous California governor's recall that elected Arnold Schwarzeneger, for example, had hundreds of candidates; even a more average election in a less referendum-happy state than California may have a dozen races, each with six to ten candidates. And you know Americans: they want results NOW. Like staying up for two or three days watching the election returns is a bad thing.

It is of course true that election fraud has existed in all eras; you can "lose" a box of marked paper ballots off the back of a truck, or redraw districts according to political allegiance, or "clean" people off the electoral rolls. But those types of fraud are harder to cover up entirely. A flawed count in an electronic machine run by software the vendor allows no one to inspect just vanishes down George Orwell's memory hole.

What I still can't figure out is why politicians are so enthusiastic about all this. Yes, secure machines with well-designer user interfaces might get rid of the problem of "spoiled" and therefore often uncounted ballots. But they can't really believe – can they? – that fancy voting technology will mean we're more likely to elect them? Can it?

Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

December 29, 2006

Resolutions for 2007

A person can dream, right?

- Scrap the UK ID card. Last week's near-buried Strategic Action Plan for the National Identity Scheme (PDF) included two big surprises. First, that the idea of a new, clean, all-in-one National Identity Register is being scrapped in favor of using systems already in use in government departments; second, that foreign residents in the UK will be tapped for their biometrics as early as 2008. The other thing that's new: the bald, uncompromising statement that it is government policy to make the cards compulsory.

No2ID has pointed out the problems with the proposal to repurpose existing systems, chiefly that they were not built to do the security the legislation promised. The notion is still that everyone will be re-enrolled with a clean, new database record (at one of 69 offices around the country), but we still have no details of what information will be required from each person or how the background checks will be carried out. And yet, this is really the key to the whole plan: the project to conduct background checks on all 60 million people in the UK and record the results. I still prefer my idea from 2005: have the ID card if you want, but lose the database.

The Strategic Action Plan includes the list of purposes of the card; we're told it will prevent illegal immigration and identity fraud, become a key "defence against crime and terrorism", "enhance checks as part of safeguarding the vulnerable", and "improve customer service".

Recall that none of these things was the stated purpose of bringing in an identity card when all this started, back in 2002. Back then, first it was to combat terrorism, then it was an "entitlement card" and the claim was that it would cut benefit fraud. I know only a tiny mind criticizes when plans are adapted to changing circumstances, but don't you usually expect the purpose of the plans to be at least somewhat consistent? (Though this changing intent is characteristic of the history of ID card proposals going back to the World Wars. People in government want identity cards, and try to sell them with the hot-button issue of the day, whatever it is.

As far as customer service goes, William Heath has published some wonderful notes on the problem of trust in egovernment that are pertinent here. In brief: trust is in people, not databases, and users trust only systems they help create. But when did we become customers of government, anyway? Customers have a choice of supplier; we do not.

- Get some real usability into computing. In the last two days, I've had distressed communications from several people whose computers are, despite their reasonable and best efforts, virus-infected or simply non-functional. My favourite recent story, though, was the US Airways telesales guy who claimed that it was impossible to email me a ticket confirmation because according to the information in front of him it had already been sent automatically and bounced back, and they didn't keep a copy. I have to assume their software comes with a sign that says, "Do not press this button again."

Jakob Nielson published a fun piece this week, a list of top ten movie usability bloopers. Throughout movies, computers only crash when they're supposed to, there is no spam, on-screen messages are always easily readable by the camera, and time travellers have no trouble puzzling out long-dead computer systems. But of course the real reason computers are usable in movies isn't some marketing plot by the computer industry but the same reason William Goldman gave for the weird phenomenon that movie characters can always find parking spaces in front of their destination: it moves the plot along. Though if you want to see the ultimate in hilarious consumer struggles with technology, go back to the 1948 version of Unfaithfully Yours (out on DVD!) starring Rex Harrison as a conductor convinced his wife is having an affair. In one of the funniest scenes in cinema, ever, he tries to follow printed user instructions to record a message on an early gramophone.

- Lose the DRM. As Charlie Demerjian writes, the high-def wars are over: piracy wins. The more hostile the entertainment industries make their products to ordinary use, the greater the motivation to crack the protective locks and mass-distribute the results. It's been reasonably argued that Prohibition in the US paved the way for organized crime to take root because people saw bootleggers as performing a useful public service. Is that the future anyone wants for the Internet?

Losing the DRM might also help with the second item on this list, usability. If Peter Gutmann is to be believed, Vista will take a nosedive downwards in that direction because of embedded copy protection requirements.

- Converge my phones. Please. Preferably so people all use just the one phone number, but all routing is least-cost to both them and me.

- One battery format to rule them all. Wouldn't life be so much easier if there were just one battery size and specification, and to make a bigger battery you'd just snap a bunch of them together?

Happy New Year!

Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

November 24, 2006

The Great Firewall of Britain

We may joke about the "Great Firewall of China", but by the end of 2007 content blocking will be a fact of Internet life in the UK. In June, Vernon Coaker, Parliamentary Under-Secretary for the Home Department told Parliament, "I have recently set the UK Internet industry a target to ensure that by the end of 2007 all Internet service providers offering broadband Internet connectivity to the UK public prevent their customers from accesssing those Web sites." By "those", he means Web sites carrying pornographic images of children.

Coaker went on to say that by the end of 2006 he expects 90 percent of ISPs to have blocked "access to sites abroad", and that, "We believe that working with the industry offers us the best way forward, but we will keep that under review if it looks likely that the targets will not be met."

The two logical next questions: How? And How much?

Like a lot of places, the UK has two major kinds of broadband access: cable and DSL. DSL is predominantly provided by BT, either retail directly to customers or wholesale to smaller ISPs. Since 2004, BT's retail service is filtered by its Cleanfeed system, which last February the company reported was blocking about 35,000 attempts to access child pornography sites per day. The list of sites to block comes from the Internet Watch Foundation, and is compiled from reports submitted by the public. ISPs pay IWF £5,000 a year to be supplied with the list – insignificant to a company like BT but not necessarily to a smaller one. But the raw cost of the IWF list is insignificant compared to the cost of reengineering a network to do content blocking.

How much will it cost for the entire industry?

Malcolm Hutty, head of public affairs at Linx, says he can't even begin to come up with a number. BT, he thinks, spent something like £1 million in creating and deploying Cleanfeed – half on original research and development, half on deployment. Most of the first half of that would not now be necessary for an ISP trying to decide how to proceed, since a lot more is known now than back in 2003.

Although it might seem logical that Cleanfeed would be available to any DSL provider reselling BT's wholesale product, that's not the case.

"You can be buying all sorts of different products to be able to provide DSL service," he says. A DSL provider might simply rebrand BT's own service – or it might only be paying BT to use the line from your home to the exchange. "You have to be pretty close to the first extreme before BT Cleanfeed can work for you." So adopting Cleanfeed might mean reengineering your entire product.

In the cable business, things are a bit different. There, an operator like ntl or Telewest owns the entire network, including the fibre to each home. If you're a cable company that implemented proxy caching in the days when bandwidth was expensive and caching was fashionable, the technology you built then will make it cheap to do content blocking. According to Hutty, ntl is in this category – but its Telewest and DSL businesses are not.

So the expense to a particular operator varies for all sorts of reasons: the complexity of the network, how it was built, what technologies it's built on. This mandate, therefore, has no information behind it as to how much it might cost, or the impact it might have on an industry that other sectors of government regard as vital for Britain's economic future.

The How question is just as complicated.

Cleanfeed itself is insecure (PDF), as Cambridge researcher Richard Clayton has recently discovered. Cleanfeed was intended to improve on previous blocking technologies by being both accurate and inexpensive. However, Clayton has found that not only can the system be circumvented but it also can be used as an "oracle to efficiently locate illegal websites".

Content blocking is going to be like every other security system: it must be constantly monitored and updated as new information and attacks becomes known or are developed. You cannot, as Clayton says, "fit and forget".

The other problem in all this is the role of the IWF. It was set up in 1996 as a way for the industry to regulate itself; the meeting where it was proposed came after threats of external regulation. If all ISPs are required to implement content blocking, and all content blocking is based on the IWF's list, the IWF will have considerable power to decide what content should be blocked. So far, the IWF has done a respectable job of sticking to clearly illegal pornography involving children. But its ten years have been marked by occasional suggestions that it should broaden its remit to include hate speech and even copyright infringement. Proposals are circulating now that the organisation should become an independent regulator rather than an industry-owned self-regulator. If IWF is not accountable to the industry it regulates; if it's not governed by Parliamentary legislation; if it's not elected….then we will have handed control of the British Internet over to a small group of people with no accountability and no transparency. That sounds almost Chinese, doesn't it?

Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

November 17, 2006

Waiting for Gowers

So here it is November, and we are drumming our heels impatiently (to the annoyance of the new downstairs neighbours) still waiting for the results of the Gowers Review of Intellectual Property, which was supposed to report to the Chancellor, the Secretary of State for Trade and Industry, and the Secretary of State for Culture, Media, and Sport "in Autumn 2006". I'm not sure when "Autumn" officially begins or ends, but I'd go with August Bank Holiday/Labor Day to the Sunday when the clocks change.

Perhaps the delay is due to global warming.

The Gowers Review is large and complicated. One change the recording industry is lobbying for is copyright term extension for sound recordings; although copyright in sound recordings is 95 years in the US, here you only get (weep for them) 50. The Open Rights Group, on whose advisory board I email, held an event to air the matter earlier this week. It is heartening to report that the event was full of people and passion: one reason copyright has kept getting extended is that no one outside the industry seemed to care.

There are a number of things that *aren't* included in the review. Government information, for example, which had its own review in 2000. Crown Copyright and Parliamentary Copyright (it may not make sense to an American that the text of national legislation is copyright, but so it is). The Patent Office is doing its own review of trademarks and the definition of a "technical step" that's required to make something patentable – this applies in a vital way to the question of patenting software programs. But things like digital rights management, orphan works, archives' right to make preservation copies, and the problem that of perpetual copyright in unpublished work are all being considered. (Yes. A 15th century, anonymous, unpublished poem cannot legally be published or copied.)

The problem is that so many deals can still be cut in smoke-filled back rooms. The reviews' original plan seems more interested in business IP use than in consumers' rights.

We say again: all intellectual property law is a balance between rewarding artists and creators and the rights of the public to access and use their own culture. Corporations that have bought up large numbers of copyrights won't care about this, but (as I also keep saying) every creator is a net consumer of intellectual property. Every writer reads more than he writes; every musician listens to more music than he learns or composes; every filmmaker, even Woody Allen, sees far more films than he will ever make. The more restrictive – or, in Pamela Samuelson's word for it, maximalist – copyright becomes overall the less people will be able to build on the past to produce new work. And no one, no matter how much of a genius, ever creates things that are entirely new with no reference to what has gone before.

So my hope is that what's taking the extra time is that there are lots of impassioned submissions and Gowers and his team are having to consider public interests they didn't expect. And not, instead, that what's happening is behind-the-scenes dickering to skew the report against the public interest.

It's only the future of copyright in the UK.

Still: the point isn't to rush to release the report. The point is to get the report right.

What *should* happen? The Skeptics, another subculture I inhabit, have a saying with reference to the paranormal that "Extraordinary claims require extraordinary proof." Copyright has been with us for centuries, but the relentless march to extend it has vastly accelerated since the mid-1970s. I think we should class the claim that further extension is necessary as extraordinary, and we should demand commensurate proof of its need from those who are lobbying for it. Especially since the industry's major players are the same in every country; in other legal areas we do not assume that the UK must have the same laws as the US. Why should that be true in copyright?

While we're waiting, I have long thought that we need to replace the term "intellectual property". It's a bad metaphor, and calling the intangible results of the creative process "property" stacks the deck against anyone in favor of public access, because as soon as you talk about limiting the term of property rights you sound like a thief. I've been trying to come up with a term that expresses something about products of the creative process ("croducts"?) or what John Perry Barlow talks about as creatures that form in the intellectual and emotional space between two people. I haven't had very much luck. (Could we talk of a "clever"? or borrow Vannevar Bush's term for his Web-like fantasy machine,a "memex"?) "Intellectual children" is my best analogy: like children, you create and murture the products of your mind, and at some point they leave you and have to find their own way in the world. You do not, ever, own them.

A free copy of one of my books to anyone who can come up with a really good answer to this. Meantime, I'm sure Punxsutawney Phil will be along any day now, looking for his shadow.

Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

November 10, 2006

ICANN dreams

This week ICANN announced its three new board members for 2006 to 2009: Persistent readers of this column will know that I put my name in for the job. I'm not one of the three. They are: Robert Gaetano, Steven Goldstein, and Rajasekhar Ramaraj, and I know about them approximately what's written by Kieren McCarthy, a journalist who has spent more time than anyone documenting ICANN.

ICANN had 90 applicants for the open jobs – three for the board of directors, and four for various subgroups. I'm told that in Asian countries it would be a terrible loss of face to be on the short list and then not get chosen, and that this could be the reason the names of those on the short list have never been made public. But no statistics have been released either, so we don't even know how many made it that far. Nominating committee members are unlikely ever to divulge even that much; they were required to sign a non-disclosure agreement. I know only this: I was on the short list.

Because so little is known about the ICANN selection process, it seems worth recounting what happened. Shortly before the nominating committee's late September selection meeting in Frankfurt, I got email from the chair, George Sadowsky, asking me to supply a phone number where I could be contacted on Friday, the first day of the meeting. If they wanted to speak to me they would call that number and schedule a phone call for Saturday. I should not draw negative conclusions if they did not contact me. But they did, working around a transatlantic flight, and the phone call was scheduled.

Now, I'm a writer, and kind of a literalist with language. I also have pretty much never applied for a job, and don't work in either the corporate world or academia. Therefore, when his email said they wanted to talk to me for "clarification" I assumed they meant they wanted to ask me questions about what I'd written in my statement of interest. So I reread it. I also spent an hour or two before the phone call reading news and other items on the ICANN site. One of these was the then newly released LSE report (PDF) on the Generic Names Supporting Organization.

None of that helped, because what Sadowsky, who conducted the 20-minute call with utter silence behind him, asked me were things like, "What, in your view, is ICANN's mission?" And "What are the three areas of ICANN you most want to be active in?" The first question made me think I was taking a test; the second seemed more like a job interview, or perhaps a theatrical casting call. You know, the kind where the director and his minions are all sitting, invisible, out in the theater where you can't see them because the stage lights are blinding you. When I asked who else was sitting around the phone they wouldn't say. (They did refer me to the Web page listing the committee's members, but I wasn't sure who might or might not have made the actual meeting.)

"What," the last question went, "would you want to say you had accomplished that only you could do" if I were chosen. I said I wanted to see ICANN become a more trusted and accountable organization.

There's no point pretending otherwise: I sounded completely lame and unprepared. Hardly surprising, because I was. I did manage to suggest that one reason I didn't know more about ICANN – enough, say, to know what they meant by "three areas" (countries? subcommittees? policies? "What are the choices?" I asked, and was referred again to the Web page) – was, as the LSE report agreed, the difficulty of navigating their Web site. It, like the European Union government sites, is perfectly understandable if you are already an expert on its content, but otherwise not so much.

In this sort of endeavor I have a second problem: journalists learn to deadline and forget everything the second they send the article in. In any given year I probably write 200 articles on dozens of topics. There isn't a single one of those topics where I don't have to reread what I've written to know what I said, even if I wrote it yesterday (I also reread my own work because I trust the research).

So, yes, I should have had the sense to be better prepared, but it was all, as I say, so unexpected. I serve on other boards. None requires anything like the effort the ICANN board does; and arguably none of them is as decisive in determining what the organizations do. In all cases I joined because I was asked; I never went through a selection process like this one.

As a reject, I can't really comment intelligently on how ICANN went about making its choices. I merely tell the story here in case my experience can help another applicant, somewhere down the line, be less confused than I was.

Thanks to all those who emailed or posted messages of support, and especially to my three referees.

Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

October 6, 2006

A different kind of poll tax

Elections have always had two parts: the election itself, and the dickering beforehand (and occasionally afterwards) over who gets to vote. The latest move in that direction: at the end of September the House of Representatives passed the Federal Election Integrity Act of 2006 (H.R. 4844), which from 2010 will prohibit election officials from giving anyone a ballot who can't present a government-issued photo ID whose issuing requirements included proof of US citizenship. (This lets out driver's licenses, which everyone has, though I guess it would allow passports, which relatively few have.)
These days, there is a third element: specifying the technology that will tabulate the votes. Democracy depends on the voters' being able to believe that what determines the election is the voters' choices rather than the latter two.

The last of these has been written about a great deal in technology circles over the last decade. Few security experts are satisfied with the idea that we should trust computers to do "black box voting" where they count up and just let us know the results. Even fewer security experts are happy with the idea that so many politicians around the world want to embrace: Internet (and mobile phone) voting.

The run-up to this year's mid-term US elections has seen many reports of glitches. My favorite recent report comes from a test in Maryland, where it turned out that the machines under test did not communicate with each other properly when the touch screens were in use. If they don't communicate correctly, voters might be able to vote more than once. Attaching mice to the machines solves the problem – but the incident is exactly the kind of wacky glitch that's familiar from everyday computing life and that can take absurd amounts of time to resolve. Why does anyone think that this is a sensible way to vote? (Internet voting has all the same risks of machine glitches, and then a whole lot more.)

The 2000 US Presidential election isn’t as famous for the removal from the electoral rolls in Florida of few hundred thousand voters as it is for hanging chad – but read or watch on the subject. Of course, wrangling over who gets to vote didn't start then. Gerrymandering districts, fighting over giving the right to vote to women, slaves, felons, expatriates…

The latest twist in this fine, old activity is the push in the US towards requiring Voter ID. Besides the federal bill mentioned above, a couple of dozen states have passed ID requirements since 2000, though state courts in Missouri, Kentucky, Arizona, and California are already striking them down. The target here seems to be that bogeyman of modern American life, illegal immigrants.

Voter ID isn't as obviously a poll tax. After all, this is just about authenticating voters, right? Every voter a legal voter. But although these bills generally include a requirement to supply a voter ID free of charge to people too poor to pay for one, the supporting documentation isn't free: try getting a free copy of your birth certificate, for example. The combination of the costs involved in that aspect, plus the effort involved in getting the ID are a burden that falls disproportionately on the usual already disadvantaged groups (the same ones stopped from voting in the past by road blocks, insufficient provision of voting machines in some precincts, and indiscriminate cleaning of the electoral rolls). Effectively, voter ID creates an additional barrier between the voter and the act of voting. It may not be the letter of a poll tax, but it is the spirit of one.

This is in fact the sort of point that opponents are making.

There are plenty of other logistical problems, of course, such as: what about absentee voters? I registered in Ithaca, New York, in 1972. A few months before federal primaries, the Board of Elections there mails me a registration form; returning it gets me absentee ballots for the Democratic primaries and the elections themselves. I've never known whether my vote is truly anonymous; nor whether it's actually counted. I take those things on trust, just as, I suppose, the Board of Elections trusts that the person sending back these papers is not some stray British person who's does my signature really well. To insert voter ID into that process would presumably require turning expatriate voters over to, say, the US Embassies, who are familiar with authentication and checking identity documents.

Given that most countries have few such outposts, the barriers to absentee voting would be substantially raised for many expatriates. Granted, we're a small portion of the problem. But there's a direct clash between the trend to embrace remote voting - the entire state of Oregon votes by mail – and the desire to authenticate everyone.
We can fix most of the voting technology problems by requiring voter-verifiable, auditable, paper trails, as Rebecca Mercuri began pushing for all those years ago (and most computer scientists now agree with), and there seem to be substantial moves in that direction as state electors test the electronic equipment and scientists find more and more serious potential problems. Twenty-seven states now have laws requiring paper trails. But how we control who votes is the much more difficult and less talked-about frontier.

Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

September 22, 2006

The last social mile

Persistent readers of net.wars may remember that last February I spent a month working in an office. A couple of days ago, it was announced that Jim Fruchterman, the owner The Benetech Initiative, the office in question, has been given the MacArthur "Genius" award for his work as a "social entrepreneur".

The $500,000 award joins Fruchterman to a pretty elite and eclectic gang: Richard Stallman (free software pioneer), Pamela Samuelson (the first to blow the whistle on where copyright was going), and (the first time I ever heard of these awards) magician and paranormal investigator James Randi. The awards famously have no strings: you could take the half-mil and head for retirement. But the people MacArthur picks are the passionate, creative kind who are too driven to do anything but plough the money back into their work.

My corner of Benetech was the Human Rights Database Group which, under the leadership of Patrick Ball, uses relational databases to extract scientifically defensible statistics from testimony documenting human rights abuses, and also makes the Martus program to securely collect and manage unstructured information (such as testimony). But HRDAG is only one of several Benetech projects. Its other programs include Bookshare, an effort that (legally) scans in books to make them available to the vision-impaired, Route 66, a literacy program for adults and teenagers with learning disabilities, and a new tool for landmine detection and removal.

When I was there, Fruchterman, had just returned from his fourth visit to the World Economic Forum in Davos, where he'd been hobnobbing with the sort of people who have to check their aircraft carriers at the door. No entourages and, sadly, not much in the way of direct quotables. Fruchterman's presence at Davos reflected five years of increasing interest in incorporating the social sector into what began as primarily a meeting between business and government (plus the occasional rock star). Religious leaders, Union leaders, non-government organisations, and Fruchterman's own category, social entrepreneurs, are all represented now, he said, and about half of the content of the conference is about social issues. Concerned at the beginning that their invitations might just be "social window dressing", there is now a general sense that they belong.

Enlightened self-interest," he said, in explaining why the welfare of the less fortunate is important to the Davos crowd. It's a quote from Tony Blair, but the point is clear: investing in the socially less fortunate is a matter of self-preservation. Global warming doesn't distinguish between rich and poor countries, just as incurable tuberculosis flitting through an aircraft's ventilation system doesn't discriminate between the rich person in first class and the relatively poor one sitting 30 rows back.

There's a clear line from the first company Fruchterman founded, Calera, an early (1982) optical character recognition company, to Benetech: Fruchterman started wanting to build a reading machine as long ago as his years studying pattern recognition as an undergraduate at Caltech. He didn't have the usual sort of reason; neither he nor a family member has a visual disability. Other than a short detour to start a rocket company ("the rocket blew up") making the world of text available to the visually impaired is a constant thread through his work life.

In 1989, he founded Arkenstone, a non-profit that used Calera's optical character recognition to develop and market such a machine for the blind. It was, he says, a technical breakthrough because the machine needed no training and did not need specific fonts. Arkenstone was eventually sold to Freedom Scientific, which shares Benetech's offices in Palo Alto.

"When you start a company," Fruchterman told me he'd come out of Davos this year thinking, "you imagine there's a gap that needs to be filled, that's why you're doing it. Sometimes you want to make a lot of money. Something you do it because you want to build something – like the average engineer. I came out realizing that there are a whole bunch of demands that people are beginning to put on technology and content. For example, they want better education, more literacy, more health, better economic opportunities for the poor, cleaner energy, to stop global warming."

We're now past the stage of a few years ago, when people were still trying to understand what the issues were. Now, we pretty much know: "It's not complicated, but we need to figure out ways." As a simple example: "Stop systematically screwing poor countries."

By now, he said, "We are transitioning from hype-filled discussions of, 'We have to fix the digital divide' to asking what that really means. People are experimenting." He sees two separate threads to those experiments. One: the PC thread. This includes Negroponte and his cheap laptops, Microsoft's starter edition, Linux and open source generally. The other: the mobile phone group, who are convinced that cellphones will be the platform for everything.

For what Fruchterman does, "I don't care which group wins. The fact that both support Web browsing means we could be delivering Route 66 content to teach people reading and digital textbooks on these platforms." As long as Benetech can build what Fruchterman calls the "last social mile" on the platform, Fruchterman is happy.

Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post comments here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

August 4, 2006

Hard times at the identity corral

If there is one thing we always said about the ID card it's that it was going to be tough to implement. About ten days ago, the Sunday Times revealed how tough: manufacturers are oddly un-eager to bid to make something that a) the Great British Public is likely to hate, and b) they're not sure they can manufacture anyway. That suggests (even more strongly than before) that in planning the ID card the government operated like an American company filing a dodgy patent: if we specify it, they will come.

I sympathize with IBM and the other companies, I really do. Anyone else remember 1996, when nearly all the early stories coming out of the Atlanta Olympics blamed IBM' prominently for every logistical snafu? Some really weren't IBM's fault (such as the traffic jams). Given the many failures of UK government IT systems, being associated with the most public, widespread, visible system of all could be real stock market poison.

But there's a secondary aspect to the ID card that I, at least, never considered before. It's akin to the effect often seen in the US when an amendment to the Constitution is proposed. Even if it doesn't get ratified in enough states – as, for example, the Equal Rights Amendment did not – the process of considering it often inspires a wave of related legislation. The fact that ID cards, biometric identifiers, and databases are being planned and thought about at such a high level seems to be giving everyone the idea that identity is the hammer for every nail.

Take, for example, the announcement a couple of days ago of NetIDme, a virtual ID card intended to help kids identify each other online and protect them from the pedophiles our society apparently now believes are lurking behind every electron.

There are a lot of problems with this idea, worthy though the intentions behind it undoubtedly are. For one thing, placing all your trust in an ID scheme like this is a risk in itself. To get one of these IDs, you fill out a form online and then a second one that's sent to your home address and must be counter-signed by a professional person (how like a British passport) and a parent if you're under 18. It sounds to me as though this system would be relatively easy to spoof, even if you assume that no professional person could possibly be a bad actor (no one has, after all, ever fraudulently signed passports). No matter how valid the ID is when it's issued, in the end it's a computer file protected by a password; it is not physically tied to the holder in any way, any more than your Hotmail ID and password are. For a third thing, "the card removes anonymity," the father who designed the card, Alex Hewitt, told The Times. But anonymity can protect children as well as crooks. And you'd only have to infiltrate the system once to note down a long list of targets for later use.

But the real kicker is in NetIDme's privacy policy, in which the fledgling company makes it absolutely explicit that the database of information it will collect to issue IDs is an asset of a business: it may sell the database, the database will be "one of the transferred assets" if the company itself is sold, and you explicitly consent to the transfer of your data "outside of your country" to wherever NetIDme or its affiliates "maintain facilities". Does this sound like child safety to you?

But NetIDme and other systems – fingerprinting kids for school libraries, iris-scanning them for school cafeterias – have the advantage that they can charge for their authentication services. Customers (individuals, schools) have at least some idea of what they're paying for. This is not true for the UK's ID card, whose costs and benefits are still unclear, even after years of dickering over the legislation. A couple of weeks ago, it became known that as of October 5 British passports will cost £66, a 57 percent increase that No2ID attributes in part to the costs of infrastructure needed for ID cards but not for passports. But if you believe the LSE's estimates, we're not done yet. Most recent government estimates are that an ID card/passport will cost £93, up from £85 at the time of the LSE report. So, a little quick math: the LSE report also guessed that entry into the national register would cost £35 to £40 with a small additional charge for a card, so revising that gives us a current estimate of £38.15 to £43.60 for registration alone. If no one can be found to make the cards but the government tries to forget ahead with the database anyway, it will be an awfully hard sell. "Pay us £40 to give us your data, which we will keep without any very clear idea of what we're going to do with it, and in return maybe someday we'll sell you a biometric card whose benefits we don't know yet." If they can sell that, they may have a future in Alaska selling ice boxes to Eskimos.

Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

July 28, 2006

Why I am standing for the ICANN board

Like many of the Net's founders and creators, I am an idealist: I want the Net to remain as free and unfettered as possible, avoiding the twin dangers of stagnation and disintegration, both of which are possible outcomes of poor management. ICANN's job is nominally to provide technical oversight of naming and addressing, but it is impossible to consider these issues without making what is essentially public policy. Governments, corporations, technologists, and lawyers have an important role to play, but they are not the only stakeholders, and it seems to me that Net *users* and consumers are insufficiently represented. I believe I can help represent that point of view. I also believe increased representation of that point of view is necessary. The uniform dispute resolution procedures, for example, are generally considered to be disproportionately weighted in favor of large corporations at the expense of the very small businesses and individuals that the Net is supposed to empower.

The Internet was famously decentralized to withstand a bomb outage. Even so, from the earliest days there have been a number of benevolent dictators who guided the development of specific areas or applications. It is to some extent unavoidable that assigning unique identifiers – names, numbers, and ports – must be handled by one or more central authorities. The most visible aspect of this, the Domain Name System, for all that it has scaled well since Paul Mockapetris devised it in the 1980s, is a single, central point of failure managed by an organization that no one understands and few people trust.

The lack of trust is partly unavoidable. ICANN's predecessor, Jon Postel, was a rare man whom almost everyone trusted. Had Postel lived, he might have been able to act as a guarantor of the fledgling ICANN and been able to transfer some of that trust. After his untimely death and in his absence, it was inevitable that Netizens would treat any new authority with suspicion, especially since many had already vehemently rejected the earlier proposed gTLD-MOU that was widely interpreted (however incorrectly) as a "coup".

But much of today's distrust was not unavoidable. Despite ICANN's insistence that it is an open and accoutable organization, observer after observer has complained that while portions of its official meetings are public decisions are in reality made behind closed doors, often in advance. While I appreciate that the changing meeting venues are intended to avoid giving an unequal advantage in attendance to any one nation or group of nations, the meetings' perpatetic nature make it hard for observers without significant funding to attend on any regular basis. Therefore, it is even more crucial for ICANN to engage the Internet community at large on questions of policy and direction. The decision to do away with elected At-Large board members was widely perceived to derive from a dislike of the electoral results; that, too, has made ICANN look secretive and unaccountable.

The past cannot be changed, but the future can. ICANN has frequently stated that it intends to be publicly accountable and open, and perform its duties of technical oversight by consensus. But because code is law (Amazon UK), technical decisions have public policy consequences. "Technical oversight" is an incorrect description unless ICANN's mission becomes the janitorial role of merely implementing technical decisions made by others (a role to which some have argued it should be constrained). ICANN's latest strategic planning statement (PDF) expresses no such intent. Instead, it says, "The continued evolution of the Internet, especially the DNS, brings with it an increasing number of policy issues of ever increasing complexity that need to be decided through the ICANN process."

But as a policy-making body ICANN has the endemic structural problem of lacking the checks and balances that constrain a democratic government's behavior. Admittedly, technology moves fast and democratic deliberation takes time. As long as ICANN is tied to the Department of State, there is at least some small measure of democratic oversight. WSIS, for all its flaws, is made up of representatives of democratically elected governments. Other technical bodies, such as the IETF, make technical policy by opening their meetings and allowing full participation; technical merit gets you heard. The early Internet made history for its openness, using RFCs to suggest, not impose, technical changes. As ICANN's strategic plan itself recognizes, this is a key moment in ICANN's history: if it is to become independent it must find a way to become truly accountable. It would be a betrayal of every principle on which the Internet was founded for the Internet's most important single point of failure to be completely controlled by a self-selecting body whose inner deliberations and functioning remain obscure.

In these latter days, it is hard for anyone who is not, as I am not, a programmer (or lawyer) to make significant contributions to the Internet's development. The Internet in its many aspects has been my main focus as a London-based journalist since 1991. I continue to make that choice because I want to help push Internet policy and development in what I feel are the right directions: toward openness and experimentation, away from closure and control.

I believe that serving on the ICANN board would be a logical continuation of my work over the last 15 years.

P.S.: I also really love to travel.

Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

July 14, 2006

Not too cheap to meter

An old Net joke holds that the best way to kill the Net is to invent a new application everyone wants. The Web nearly killed the Net when it was young. Binaries on Usenet. File-sharing. Video on demand may finally really do it. Not, necessarily, because it swamps servers, consumes all available bandwidth. But because, like spam, it causes people to adopt destructive schemes.

Two such examples turned up this week. The first, from the IP Development Network, the brainchild of Jeremy Penston, formerly of UUnet and Pipex, HD-TV over IP: Who Pays the Bill? (PDF), argues that present pricing models will not work in the HDTV future, and ISPs will need to control or provide their own content. It estimates, for example, that a consumer's single download of a streamed HD movie could cost an ISP £21.13, more than some users pay a month. The report has been criticized, and its key assumption – that the Internet will become the chief or only gateway to high-definition content – is probably wrong. Niche programming will get downloaded because any other type of distribution is uneconomical, but broadcast will survive for mass-market.

The germ that isn't so easily dismissed is the idea that bandwidth is not necessarily going to continue to get cheaper, at least for end users.

Which leads to exhibit B, the story that's gotten more coverage, a press release – the draft discussion paper isn't available yet – from the London-based Association of Independent Music (AIM) proposing that ISPs should be brought "into the official value chain". In other words, ISPs should be required to have and pay for licenses agreed with the music industry and a new "Value Recognition Right" should be created. AIM's reasoning: according to figures they cite from MusicAlly Research, some 60 percent of Internet traffic by data volume is P2P, file-sharing, and music has been the main driver of that. Therefore, ISPs are making money from music. Therefore, AIM wants some.

Let's be plain: this is madness.

First of all, the more correct verb there is "was", and even then it's only partially true. Yes, music was the driver behind Napster eight years ago, and Gnutella six years ago, and the various eHoofers. But now Bittorrent is the biggest bandwidth gobbler, and the biggest proportion of transferred data transferred is video, not music. This ought to be obvious: MP3 4Mb, one-hour TV show 350Mb, movie 700Mb to 4.7Gb. Music downloads started first and have been commercialized first, but that doesn't make it the main driver; it just makes it the historically *first* driver. In any event, music certainly isn't the main reason people get online: that is and was email and the Web.

Second of all, one of the key, underrated problems for any charging mechanism that involves distinguishing one type of bits from another type of bits in order to compensate someone is the loss of privacy. What you read, watch, and listen to is all part of what you think about; surely the inner recesses of your mind should be your own. A regime that requires ISPs to police what their customers do – even if it's in their own financial interests to do so – edges towards Orwell's Thought Police.

Third of all, anyone who believes that ISPs are making money from P2P needs remedial education. Do they seriously think that at something like £20 per month for up to 8mbps ADSL anyone's got much of a margin? P2P is, if anything, the bane of ISPs' existence, since it turns ordinary people into bandwidth hogs. Chris Comley, managing director of Wizards, the small ISP that supplies my service (it resells BT connections), says that although his company applies no usage caps, if users begin maxing out their connections (that is, using all their available bandwidth 24 hours a day, seven days a week), the company will start getting complaining email messages from BT and face having to pay higher charges for the connections it resells. Broadband pricing, like that of dial-up before it (when telephone bills could be relied upon to cap users' online hours), is predicated on the understanding that even users on an "unlimited" service will not in fact consume all the bandwidth that is available to them. In Comley's analogy, the owner of an all-you-can-eat buffet sets his pricing on the assumption that people who walk in for a meal are not in fact going to eat everything in the place.

"The price war over bandwidth is going to have to be reversed," he says, "because we have effectively discounted what the user pays for IP to such a low level that if they start to use it they're in trouble, and they will if they start using video on demand or IPTV."

We began with an old Internet joke. We end with an old Internet saying, generally traced back to the goofy hype of Nicholas Negroponte and George Gilder: that bandwidth is or will be too cheap to meter. It ought to be, given that the price of computing power keeps dropping. But if that's what we want it looks like we'll have to fight for it.

Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

June 30, 2006

Technical enough for government work

Wednesday night was a rare moment of irrelevant glamor in my life, when I played on the Guardian team in a quiz challenge grudge match.

In March, Richard Sarson (intriguingly absent, by the way) accused MPs of not knowing which end was up, technically speaking, and BT funded a test. All good fun.

But Sarson had a serious point: MPs are spending billions and trillions of public funds without the technical knowledge to them. His particular focus was the ID card, which net.wars has written about so often. Who benefits from these very large IT contracts besides, of course, the suppliers and contractors? It must come down to Yes, Minister again: commissioning a huge, new IT system gives the Civil Service a lot of new budget and bureaucracy to play with, especially if the ministers don't understand the new system. Expanded budgets are expanded power, we know this, and if the system doesn't work right the first time you need an even bigger budget to fix them with.

And at that point, the issue collided in my mind with this week's other effort, a discussion of Vernor Vinge's ideas of where our computer-ridden world might be going. Because the strangest thing about the world Vernor Vinge proposes in his new book, Rainbows End, is that all the technology pretty much works as long as no one interferes with it. For example: this is a world filled with localizer sensors and wearable computing; it's almost impossible to get out of view of a network node. People decide to go somewhere and snap! a car rolls up and pops open its doors.

I'm wondering if Vinge has ever tried to catch a cab when it was raining in Manhattan.

There are two keys to this world. First: it is awash in so many computer chips that IPv6 might not have enough addresses (yeah, yeah, I know, no electron left behind and all that). Second: each of these chips has a little blocked off area called the Secure Hardware Environment (SHE), which is reserved for government regulation. SHE enables all sorts of things: detailed surveillance, audit trails, the blocking of undesirable behavior. One of my favorite of Vinge's ideas about this is that the whole system inverts Lawrence Lessig's idea of code is law into "law is code". When you make new law, instead of having to wait five or ten years until all the computers have been replaced so they conform to the new law, you can just install the new laws as a flash regulatory update. Kind of like Microsoft does now with Windows Genuine Advantage. Or like what I call "idiot stamps" – today's denominationless stamps, intended for people who can never remember how much postage is.

There are a lot of reasons why we don't want this future, despite the convenience of all those magically arriving cars, and despite the fact that Vinge himself says he thinks frictional costs will mean that SHE doesn't work very well. "But it will be attempted, both by the state and by civil special interest petitioners." For example, he said, take the reaction of a representative he met from a British writers' group who thought it was a nightmare scenario – but loved the bit where microroyalties were automatically and immediately transmitted up the chain. "If we could get that, but not the monstrous rest of it…"

For another, "You really need a significant number of people who are willing to be Amish to the extent that they don't allow embedded microprocessors in their lifestyle." Because, "You're getting into a situation where that becomes a single failure point. If all the microprocessors in London went out, it's hard to imagine anything short of a nuclear attack that would be a deadlier disaster."

Still, one of the things that makes this future so plausible is that you don't have to posit the vast, centralized expenditure of these huge public IT projects. It relies instead on a series of developments coming together. There are examples all around us. Manufacturers and retailers are leaping gleefully onto RFID in everything. More and more desktop and laptop computers are beginning to include the Trusted Computing Module, which is intended to provide better security through blocking all unsigned programs from running but as a by-product could also allow the widescale, hardware-level deployment of DRM. The business of keeping software updated has become so complex that most people are greatly relieved to be able to make it automatic. People and municipalities all over the place are installing wireless Internet for their own use and sharing it. To make Vinge's world, you wait until people have voluntarily bought or installed much of the necessary infrastructure and then do a Project Lite to hook it up to the functions you want.

What governments would love about the automatic regulatory upgrade is the same thing that the Post Office loves about idiot stamps: you can change the laws (or prices) without anyone's really being aware of what you're doing. And there, maybe, finally, is some real value for those huge, failed IT projects: no one in power can pretend they aren't there. Just, you know, God help us if they ever start being successful.

Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).