" /> net.wars: August 2006 Archives

« July 2006 | Main | September 2006 »

August 25, 2006

Spamigation

The story as it's been explained to me is one of those archetypal sad Internet tales. About five years ago, the owner of a small, Taunton-based cab company decided to create a Web site to advertise the business. He hired a Web developer, who created and set up the site, decorating it with a few pictures. Time passed. About two years ago, the Web developer went bust; another local company took over hosting the site. About a month ago, the site owner got a letter from the legal firm Baker & McKenzie informing him that they represented the photography database Corbis, that one of the photographs infringed Corbis's copyright, and that would be £1,400, please.

There can't be very many small businessmen who get a letter like that who don't panic at least a bit. Two solicitors gave conflicting advice. One said, no case to answer. The other said, pay something because if it goes to court a judge would look on that as evidence of good faith. As of this writing, it's not clear how things will wind up.
But there are some interesting points to make.

First of all, assuming that he is telling the truth and never asked his Web developer where the pictures had been sourced or whether the rights had been cleared, ultimately the owner of a Web site is responsible for whatever appears on it. If you run a Web site – any Web site – you are operating at some risk if you use material that doesn't belong to you. Even if you think that all information should be free and share the fairly common attitude that anything posted on the Web is public domain and free for the copying, the law does not agree with you. And while you may feel that using someone's graphic and linking to it is good publicity for them, that's not your choice to make, it's theirs. Individuals may get away with casual copyright infringement; but if you are running a business you can't afford the risk.

There is a legal precedent establishing the Web developer's responsibility in such cases: Antiquesportfolio.com vs Rodney Fitch & Company. In this case, the owner of an online start-up discovered that the Web developer had lifted the images used for navigation bars, icons, and other decorative elements from a printed encyclopaedia. No action had been brought against the site owner, but that company felt, I think rightly, that the risk of liability was too great and that they would have to pay to redo the Web site without that material. The court sided with Antiquesportfolio.com. Practical lesson: Web developers and site owners both need to protect themselves.

Nonetheless, Corbis's demand for £1,400 seems disproportionate. The cab company almost certainly did not get more business because the photograph is in the Corbis database (if you want to look it up, it's image number 72584) or because it was taken by the photographer Steve Chenn, admirably composed though his work seems to be. It's a minor decoration intended to dress up an otherwise ordinary Web page.

Ian Walden, a reader at London's Queen Mary University, says that in a legal proceeding the court generally tries to do two things: stop whatever the infringement is, and compensate the claimant for the loss that's been caused.
"When a court has to examine past loss," he says – as in this case – "they tend to look at what is a reasonable fee. So they would look at what is the market rate for that sort of image. So there's reasonableness. The claimant doesn't get whatever they as for." After talking to him, I went to the Corbis site, created an account, and found the photograph. For small-sized use on a "corporate or promotional" Web site, aimed at a UK audience, in English, as a static element, in the transport or travel industry, for up to five years beginning August 23, 2006, Corbis would charge: $875.

Of course, no small company is going to pay even that. The Web developerMac Jordan keeps a publicly available set of bookmarks to sources of stock photography, all either very cheap or free, all royalty-free. For such a minor use, there is no reason to pick an expensive image over a cheap or free one.

In addition, because the Web developer is gone, we don't know how or where the photograph was sourced or whether the rights were in fact cleared. We only know that Corbis claims the use is an infringement. I would be inclined to ask them to prove that claim.

But there is another point, raised recently in a posting to Dave Farber's Interesting People list, in which Brad Templeton proposed the term "spamigation" for lawsuits automated by computers. Baker & McKenzie is a big, high-priced law firm. You know their partners aren't sitting around scouring the Net for images they recognize from the Corbis database. Someone has software that goes and spiders for this stuff, and when it finds something a computer spits out a letter. Probably somewhere along the line the lowest-priced intern in the place goes and looks up the site's Whois entry. You don't need a lot of people to pay up at first contact to make that a profitable business.

Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

August 18, 2006

Travel costs

I've never been much for conspiracy theories – in general, I tend to believe that I'm not important enough to be worth conspiring against – but if I were, this week would be a valid time. On Monday, they began lifting the draconian baggage restrictions imposed late last week. On Wednesday, we began seeing stories questioning the plausibility, chemistrywise, of the plot as we have been told it so far. On Thursday, the Guardian published a package of stories outlining the wonderful increased surveillance we have in store. Repeat after me: the timing is just coincidence. It is sheer paranoia to attribute to conspiracy what can be accounted for by coincidence.

Right.

One of the things I meant to mention in last week's net.wars but forgot is the US's new rules on passenger data, which require airlines to submit passenger records before the plane takes off instead of, as formerly, afterwards. Ed Hasbrouck has a helpful analysis of these new rules, their problems, and their probable costs. (has anyone calculated the lost productivity cost of the hours in airport security?). The EU now wants to adopt those rules for its ownself, a sad reversal from the notion that the EU might decline to provide passenger data to a country that has so little privacy protection.

One possibility that's been raised on both sides of the Atlantic is a "trusted passenger" scheme, whereby frequent travelers can register to be fast-tracked through the airport. In a sense, most airports already have the beginnings of such a scheme: frequent flyers. As a Gold Preferred US Airways Dividend Miles member, you use the first-class check-in, and in some airports even sped through security via a special line. Do I love it? You betcha. Do I think it's good security? No. If I were a terrorist wanting to get some of my cellmates onto planes to wreak havoc, I would have them flying all over the place building up a stainless profile until everyone trusted them. Only then would they be ready for activation. Obviously the scheme the security services have in mind will be more sophisticated and involve far more background checking, but the problem of the sleeper remains. It's like people who used to talk about gaming the system by getting a "dope-dealer's haircut" before traveling internationally: short, neat, and business-like. That will be the "terrorist's travel identity": suit, tie, briefcase, laptop, frequent flyer gold status, documented blameless existence.

The UK is also talking about "positive profiling" (although Statewatch notes that no explicit references to this appear in the joint press statement), which I guess is supposed to be more sophisticated than "Let's strip search all the Asian passengers" The now-MP-formerly-one-of-my-favorite-actresses Glenda Jackson has published a fairly cogent set of counter-arguments, though I'll note picayunally that the algorithm for picking passengers to search randomly had better be less clearly visible than just picking every third passenger in the queue. (You must immediately! report anyone who asks to change places with you!) The Home Secretary, John Reid, has said that such profiling will not target racial or religious groups but will be based on biometrics – fingerprints, iris scans. We hope Reid is aware of the years of research into fingerprints (DOC) attempting to prove that you could identify criminality in a fingerprint.

Closer to net.wars' heart is ministers' intention to make the Web hostile to terrorists. For example: by blocking Web sites that incite acts of terrorism or contain instructions on how to make a bomb. Aside from the years of evidence that blocking does not work, it's hard to see how you can get rid of bomb-making instructions, such as they are, without also getting rid of pretty much any Web site devoted to chemistry or safety. Though if you're an arts-educated politician who is proud of knowing little of science, that may seem like a perfectly reasonable thing to do. Show me someone who's curious, who wants to know how things work, who likes to try making things and soldering things, and playing with electrical circuits, and I'll show you a dangerous specimen.

But beyond that, I'll bet professional terrorists do not learn how to make bombs by reading Wikipedia.or typing "how make bomb" into Google.

I'm not sure how you make the Web hostile to terrorists without making it hostile to everyone. If you really want to make the Web hostile, the simplest way is simply to limit, by government fiat, the speed of the connection anyone is allowed to buy. Shove us all back to dial-up, and not only does the Web become hostile for terrorists trying to find information on how to make bombs, but you've pretty much solved music/video file-trading, too. Bonus!

We hear quoted a lot, now, the American master-of-all-trades Benjamin Franklin who probably said, "Those who would give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety." But the liberties people deem essential seem to be narrowing, and no one wants to believe that safety is temporary. No plane full of passengers declines screening, saying, "We'll take our chances."

If there's a conspiracy, I guess that means we're in on it.

Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

August 11, 2006

Any liquids discovered must be removed from the passenger

The most interesting thing I heard anyone say yesterday came from Simon Sole, of Exclusive Analysis, a risk assessment company specializing in the Middle East and Africa, in an interview on CNBC. He said that it's no longer possible to track terrorists by following the money, because terrorism is now so cheap they don't need much: it cost, he said, only $4,000 to crash two Russian planes. That is an awfully long way from the kind of funding we used to hear the IRA had.

It is also clear that the arms race of trying to combat terrorism (by throwing out toothpaste in Grand Forks, North Dakota?) is speeding up. Eighteen years ago, the Lockerbie crash was caused by a bomb in checked baggage; that sparked better baggage screening. Five years ago, planes were turned into bombs by hijackers armed with small knives. The current chaos is being caused by a chemistry plot: carry on ordinary-looking items that aren't weapons in themselves and mix to make dangerous. Banning people from carrying liquids is, obviously, a lot more complicated than banning knives when you already have metal detectors. Lacking scanning technology sophisticated enough to distinguish dangerous liquids from safe ones, banning specific liquids requires detailed, item-by-item searching. Which is why, presumably, the UK (unlike the US) has banished all hand luggage to the hold: maybe they just don't have the staffing levels to search everything in a reasonable amount of time.

The UK has always hated cabin baggage anyway, and the CAA has long restricted it to 6Kg, where the US has always been far more liberal. So yesterday's extremity is the kind of panic response someone might make in a crisis when they already think carrying a laptop is a sign of poor self-control (a BA staffer once said that to me). Ban everything! Yes, even newspapers! Go!

Passengers in and leaving the US can still carry stuff on, just not liquids or gels. You may regard this as reckless or enlightened, depending on your nationality or point of view. Rich pickings in the airport garbage tonight.

The Times this morning speculates that the restrictions on hand luggage may become permanent. When you read a little more closely, they mean the restrictions on liquids, not necessarily all hand luggage. If I ran an airline, I'd be campaigning pretty heavily against yesterday's measures. For one thing, it's going to kill business travel, the industry's most profitable segment. If you can't read or use your laptop in-flight or while waiting in the airport club before departure, you're losing many hours of productivity. Plus, imagine being cabin staff trying to control a plane full of hundreds of bored, hungry, frustrated people, some of them adults.

Security expert Bruce Schneier links to a logical reason why the restrictions should be temporary: blocking a particular method only works until the terrorists switch to something else. Schneier also links to a collection of weapons made in prison under the most unpromising of circumstances with the most limited materials. View those, and you know the truth: it will never be possible to secure everything completely. Anything we do to secure air travel is a balance of trade-offs.

One reason people are so dependent on their carry-on luggage is that airline travel is uncomfortable and generally unpleasant. Passengers carry bottles of water because aircraft air is dry. I carry a milk on selected flights because I hate synthetic creamer, and dried fruit and biscuits because recent cutbacks mean on some flights you go hungry. I also carry travel chopsticks (easier to eat with than a plastic fork), magazines to read and discard, headphones with earplugs in them, and I never check anything because I hate waiting for hours for luggage that may be lost, stolen, or tampered with. Better service would render a lot of this unnecessary.

I know these measures are for our own good: we don't want planes falling out of the sky and killing people. (Though we seem perfectly innured to the many thousands more deaths every year from car crashes.) But the extremity of the British measures seems like punishment: if you are so morally depraved as to want to travel by air, you deserve to be thoroughly miserable while doing it. In fact, part of air travel's increasingly lousy service is the cost of security. We lose twice.

I read – somewhere – about a woman of a much earlier generation who expressed sadness at the thought that today's weary wanders would never know "the pleasure of traveling". We know the pleasure of being somewhere else. But we do not know the pleasure of the process of getting there as they did in a time when you were followed by trunks that were packed by servants, who came along to ensure that you were comfortable and your needs catered to. Of course, you had to be rich to afford all that. I bet it wasn't so much fun for the servants, or for the starving poor stuffed into the ship's hold. Even so, yesterday I thought about that a lot, and with the same kind of sadness.

Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

August 4, 2006

Hard times at the identity corral

If there is one thing we always said about the ID card it's that it was going to be tough to implement. About ten days ago, the Sunday Times revealed how tough: manufacturers are oddly un-eager to bid to make something that a) the Great British Public is likely to hate, and b) they're not sure they can manufacture anyway. That suggests (even more strongly than before) that in planning the ID card the government operated like an American company filing a dodgy patent: if we specify it, they will come.

I sympathize with IBM and the other companies, I really do. Anyone else remember 1996, when nearly all the early stories coming out of the Atlanta Olympics blamed IBM' prominently for every logistical snafu? Some really weren't IBM's fault (such as the traffic jams). Given the many failures of UK government IT systems, being associated with the most public, widespread, visible system of all could be real stock market poison.

But there's a secondary aspect to the ID card that I, at least, never considered before. It's akin to the effect often seen in the US when an amendment to the Constitution is proposed. Even if it doesn't get ratified in enough states – as, for example, the Equal Rights Amendment did not – the process of considering it often inspires a wave of related legislation. The fact that ID cards, biometric identifiers, and databases are being planned and thought about at such a high level seems to be giving everyone the idea that identity is the hammer for every nail.

Take, for example, the announcement a couple of days ago of NetIDme, a virtual ID card intended to help kids identify each other online and protect them from the pedophiles our society apparently now believes are lurking behind every electron.

There are a lot of problems with this idea, worthy though the intentions behind it undoubtedly are. For one thing, placing all your trust in an ID scheme like this is a risk in itself. To get one of these IDs, you fill out a form online and then a second one that's sent to your home address and must be counter-signed by a professional person (how like a British passport) and a parent if you're under 18. It sounds to me as though this system would be relatively easy to spoof, even if you assume that no professional person could possibly be a bad actor (no one has, after all, ever fraudulently signed passports). No matter how valid the ID is when it's issued, in the end it's a computer file protected by a password; it is not physically tied to the holder in any way, any more than your Hotmail ID and password are. For a third thing, "the card removes anonymity," the father who designed the card, Alex Hewitt, told The Times. But anonymity can protect children as well as crooks. And you'd only have to infiltrate the system once to note down a long list of targets for later use.

But the real kicker is in NetIDme's privacy policy, in which the fledgling company makes it absolutely explicit that the database of information it will collect to issue IDs is an asset of a business: it may sell the database, the database will be "one of the transferred assets" if the company itself is sold, and you explicitly consent to the transfer of your data "outside of your country" to wherever NetIDme or its affiliates "maintain facilities". Does this sound like child safety to you?

But NetIDme and other systems – fingerprinting kids for school libraries, iris-scanning them for school cafeterias – have the advantage that they can charge for their authentication services. Customers (individuals, schools) have at least some idea of what they're paying for. This is not true for the UK's ID card, whose costs and benefits are still unclear, even after years of dickering over the legislation. A couple of weeks ago, it became known that as of October 5 British passports will cost £66, a 57 percent increase that No2ID attributes in part to the costs of infrastructure needed for ID cards but not for passports. But if you believe the LSE's estimates, we're not done yet. Most recent government estimates are that an ID card/passport will cost £93, up from £85 at the time of the LSE report. So, a little quick math: the LSE report also guessed that entry into the national register would cost £35 to £40 with a small additional charge for a card, so revising that gives us a current estimate of £38.15 to £43.60 for registration alone. If no one can be found to make the cards but the government tries to forget ahead with the database anyway, it will be an awfully hard sell. "Pay us £40 to give us your data, which we will keep without any very clear idea of what we're going to do with it, and in return maybe someday we'll sell you a biometric card whose benefits we don't know yet." If they can sell that, they may have a future in Alaska selling ice boxes to Eskimos.

Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).