net.wars: December 2006 Archives

December 29, 2006

Resolutions for 2007

A person can dream, right?

- Scrap the UK ID card. Last week's near-buried Strategic Action Plan for the National Identity Scheme (PDF) included two big surprises. First, that the idea of a new, clean, all-in-one National Identity Register is being scrapped in favor of using systems already in use in government departments; second, that foreign residents in the UK will be tapped for their biometrics as early as 2008. The other thing that's new: the bald, uncompromising statement that it is government policy to make the cards compulsory.

No2ID has pointed out the problems with the proposal to repurpose existing systems, chiefly that they were not built to do the security the legislation promised. The notion is still that everyone will be re-enrolled with a clean, new database record (at one of 69 offices around the country), but we still have no details of what information will be required from each person or how the background checks will be carried out. And yet, this is really the key to the whole plan: the project to conduct background checks on all 60 million people in the UK and record the results. I still prefer my idea from 2005: have the ID card if you want, but lose the database.

The Strategic Action Plan includes the list of purposes of the card; we're told it will prevent illegal immigration and identity fraud, become a key "defence against crime and terrorism", "enhance checks as part of safeguarding the vulnerable", and "improve customer service".

Recall that none of these things was the stated purpose of bringing in an identity card when all this started, back in 2002. Back then, first it was to combat terrorism, then it was an "entitlement card" and the claim was that it would cut benefit fraud. I know only a tiny mind criticizes when plans are adapted to changing circumstances, but don't you usually expect the purpose of the plans to be at least somewhat consistent? (Though this changing intent is characteristic of the history of ID card proposals going back to the World Wars. People in government want identity cards, and try to sell them with the hot-button issue of the day, whatever it is.)

As far as customer service goes, William Heath has published some wonderful notes on the problem of trust in egovernment that are pertinent here. In brief: trust is in people, not databases, and users trust only systems they help create. But when did we become customers of government, anyway? Customers have a choice of supplier; we do not.

- Get some real usability into computing. In the last two days, I've had distressed communications from several people whose computers are, despite their reasonable and best efforts, virus-infected or simply non-functional. My favourite recent story, though, was the US Airways telesales guy who claimed that it was impossible to email me a ticket confirmation because according to the information in front of him it had already been sent automatically and bounced back, and they didn't keep a copy. I have to assume their software comes with a sign that says, "Do not press this button again."

Jakob Nielsen published a fun piece this week, a list of top ten movie usability bloopers. Throughout movies, computers only crash when they're supposed to, there is no spam, on-screen messages are always easily readable by the camera, and time travellers have no trouble puzzling out long-dead computer systems. But of course the real reason computers are usable in movies isn't some marketing plot by the computer industry but the same reason William Goldman gave for the weird phenomenon that movie characters can always find parking spaces in front of their destination: it moves the plot along. Though if you want to see the ultimate in hilarious consumer struggles with technology, go back to the 1948 version of Unfaithfully Yours (out on DVD!) starring Rex Harrison as a conductor convinced his wife is having an affair. In one of the funniest scenes in cinema, ever, he tries to follow printed user instructions to record a message on an early gramophone.

- Lose the DRM. As Charlie Demerjian writes, the high-def wars are over: piracy wins. The more hostile the entertainment industries make their products to ordinary use, the greater the motivation to crack the protective locks and mass-distribute the results. It's been reasonably argued that Prohibition in the US paved the way for organized crime to take root because people saw bootleggers as performing a useful public service. Is that the future anyone wants for the Internet?

Losing the DRM might also help with the second item on this list, usability. If Peter Gutmann is to be believed, Vista will take a nosedive downwards in that direction because of embedded copy protection requirements.

- Converge my phones. Please. Preferably so people all use just the one phone number, but all routing is least-cost to both them and me.

- One battery format to rule them all. Wouldn't life be so much easier if there were just one battery size and specification, and to make a bigger battery you'd just snap a bunch of them together?

Happy New Year!

Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

December 23, 2006

Thinking time

If it's Christmas it must be time to come up with program proposals for Computers, Freedom, and Privacy, the 17th edition of which will take place in Montreal, May 1-4. Submissions (via email or the Web system) are due on January 20. It's something to think about after you've finished listening to the Queen's Speech (UK) or watching It's a Wonderful Life (US). Who needs trivia quizzes when you can think up and propose speakers for CFP?

CFP is a cross-disciplinary oddity of a conference. Others focus more tightly on privacy, data protection, cryptography, software, hardware, games, music, new technology...but CFP is the only one where, as I'm so fond of saying, for four days you never want to finish anyone else's sentence.

The 2007 theme is autonomy, which should include one of the subjects CFP has long neglected, disability. Generally speaking, redesigning anything to make disabled access easier has benefited many other people (curb ramps, for example, help not only people in wheelchairs but those dragging luggage or pushing babies in strollers). But it's been contentious in designing electronic voting systems, especially when you're trying to design a paper trail voters can verify – how does a blind person verify the paper?

It's worth noting, by the way, that the UK, apparently refusing to believe the stories it reads about snafus (PDF) everywhere else, has decided to run trials in 2007. Look for a talk by Rebecca Mercuri on the problems encountered in the last US elections on February 8 in London as part of a conference on e-voting that will attract speakers from Ireland and Italy; it's being organized by Jason Kitcat for the Open Rights Group.

The disabled, the elderly, and even the seriously ill, figure in another trend: one of the promises people talk about with respect to ubiquitous computing is the ability to monitor people at risk and make sure they're all right. It sounds so warm and fuzzy: install a bunch of sensors in Grandma's house so you can check in every day via a Web interface and make sure she's still alive. Or give her a robot to make sure she eats every day and doesn't spend all day sitting around in that one stained bathrobe. Is that the life you want when you're 87? (I can hear my mother saying even now, of her old robot that's been replaced, "It never calls, never writes…")

Autonomy is also an umbrella for the many trends that, compared to the glamour days of the file-sharing wars, sound too dry or remote to be dangerous. What could be harmful about putting medical records on a centralized database? Wouldn't it be better if emergency personnel can quickly find out the medical history of an unconscious person – what medications they take, what allergies they have, what their health problems are? Speaking as someone with almost no medical records at all (most of my doctors are dead; those that aren't shredded their records rather than show them to me), that sounds appealing. But who will have access? How will that information be used and protected? Where will it go once it's collected? The UK's proposals in this area are so weak that Ross Anderson is heading a movement to help people opt out of having their patient records uploaded.

As much data as is now collected about us all – credit card trails, online shopping, medical data, government dealings, phone bills, Web logs – it's nothing compared to what's coming our way. Location-tracking (primarily but not solely via mobile phones), national identity databases, border controls that require fingerprinting and other biometrics will all generate far more data than anything we have now. And that's without RFID. A friend points out that in the US foreigners are required (although it's rarely enforced) to carry their I-94 entry forms with them at all times; trials are underway to include RFID chips in these, and the privacy flaws are already being reported.

Which leads to another strand: technologies that don't work. Despite the fact that everyone who's ever installed new software has had the experience of having it utterly fail to work, hope seems to spring eternal that any IT project will do what its vendors promise if only it's sufficiently large and commissioned by a government. In a way, we have to be grateful when those hopes are crashed; an identity database that fails obviously, frequently, and undeniably is much less damaging to the person who is the object of that failure (the failee?) than one that fails subtly and rarely. The real problem is not that technology fails – all technologies fail sometimes – but our faith that it can be trusted.

The Hitchhiker's Guide to the Galaxy summed up the three stages of civilization thus: How can we eat? What shall we eat? Where shall we have lunch? There is a similar thread running from the natural desire for greater safety for ourselves and our children (warning labels on bags of marbles) to surrendering control over our own lives (a database to make sure that marbles aren't sold to anyone who isn't bright enough to know not to eat them).

Enjoy the holidays.

December 15, 2006

I hear dead people

You just can't please some dead people. Last week's report from the Gowers review and its recommendation not to extend the term of copyright in sound recordings past the current 50 years predictably annoyed the record industry. A day later, Phonographic Performance Limited, the collection society for sound recordings, responded by taking out a full-page ad in the Financial Times listing 4,500 musicians whose signatures it collected protesting Gowers' recommendation.

Well, fair enough; if anyone has the right to talk about copyright in sound recordings it's musicians, without whom there would be nothing to talk about. That doesn't mean they should have the right to dictate policy, but probably few outside the business understand the extent to which any musician who stays in the business any length of time has been ripped off (by both professionals and amateurs), cheated, and otherwise buffeted by the "I love your music"s of life. Spend any time with them, and you'll run across a load of people who are determined that if they can ever get their rights back they're never going to lose control of them again.

It's just that some of the musicians signing the ad were…dead.

It's not a big deal. No one is alleging that the Gowers recommendations made them commit suicide or anything. They're just dead.

And, apparently, recomposing.

Mind you, the people most affected by term expiry are in fact the dead musicians, since it's rare for them to produce new recordings and therefore royalties from the old ones are all they have in the way of income.

Among known dead contributors to the PPL petition are Lonnie Donegan, Richard Harris, Freddie Garrity, Jimmy Shand, Richard Berry, Iain Mackintosh (whom I knew and, like everyone, liked a lot), and Nat Gonella, with death dates varying from 1997 until just last August (Mackintosh). Among the lesser-known session musicians and small-timers, there may be many more, and some of the names on the list may be in fact heirs controlling the estate rather than the musician himself. The British folksinger great Cyril Tawney (who wrote "Grey Funnel Line", "Sally, Free and Easy", and other classics) is not listed – he died in 2005 – but his widow, Rosemary, is.

I can think of a number of ways that dead musicians' names might end up on a petition like this.

Mediumship: paging James Randi to the white courtesy phone... If someone can contact these musicians, explain the debate to them, and get a reliable signature under proper observing conditions this person clearly qualifies for James Randi's $1 million award. Randi expects to resume his normally hectic schedule (after a bout of ill-health) in the next few months. One to investigate, surely.

Prior art: the PPL collected signatures by contacting musicians "throughout the year" and asking them to sign the petition to support the campaign. "One-man folk festival" Pete Coe says "I did sign up for this, as I support the campaign." It seems reasonable to assume, at least in the case of the more recent deaths such as Mackintosh's, that the musicians themselves signed the petition. The older deaths are almost certainly…

Proxy: their heirs and assigns signed it in their name. In the case of "James Shand", the original Jimmy Shand's son is himself a performer, as is his brother, Neil, and any family that's been in the business that long is likely to be well aware of what rights mean in terms of income. There is a basic assumption here that benefiting the musicians' widows, children, and grandchildren is the same to the general public as providing a longer run of royalties to the musicians themselves.

Coe's comment on that score is likely to be pretty much most people's reaction: "I don't have a problem with family claims though I don't have much sympathy with corporate record claims unless the royalties really are being passed on to the composers' heirs." (The PPL's petition, however, did not cover composers' rights, merely performance rights in sound recordings; there may of course be other petitions and campaigns that the PPL has in mind. Probably also those heirs who are not getting royalties passed on to them would be less likely to sign the petition.)

But if that's the situation, then the PPL needs to be clear about it, because it isn't fair to play on the deep emotional connection people make with their favorite musicians if the petition's supporters are not actually those musicians but their descendants. Income-producing rights are the one valuable thing many musicians have to leave their families; it's natural for the families to want to hang onto them.

But that's not how we make policy. Copyright was created, and persists, to give creators incentives so they will continue to create and rewards so they can *afford* to continue to create. You make a lot less music if you have to spend all day working in a Post Office to support your habit. At least that's the theory, though it doesn't seem to work for dead musicians, who have all the time in the world at their disposal and no living expenses, and yet produce very little.

Keep music dead. Hire dead musicians.

December 8, 2006

In praise of Gowers

The most surprising thing about the Gowers report (PDF) on the future of copyright in Britain, which was released Wednesday afternoon, is that so much of it is so rational. In fact, so many of its recommendations are good that it seems almost churlish to carp about the few that aren’t. Still, that’s what we’re here for.

First, the good. Gowers’ report came down in favor of exceptions for: derivative and transformative works, archives’ and libraries’ preservation copies, research, distance education, caricature, parody, and pastiche. It recommended creating an exception for limited private copying – format shifting. (As American readers may not know, it’s technically illegal in the UK to rip a commercial CD and copy the resulting MP3s to an iPod.) Similarly, it’s hard to object to the recommendation that Trading Standards be given the power to crack down on counterfeit CDs at boot sales and so on.

Probably the biggest news: Gowers recommended firmly against copyright term extension in sound recordings, against the pleadings of Big Music. The basis for this was largely an economic report (PDF) commissioned specifically for the review that is utterly worth reading for its careful analysis of what facts we have about the economics of older recordings.

Its findings in brief: the costs of term extension to consumers are greater than the benefits to the recording industry. The economic report invalidates a number of claims made by the record industry. The impact of term extension on the balance of trade would be negative, because in the biggest two of the 13 countries that have longer terms than the UK does, the US and Australia, UK rightsholders would not be able to benefit under rules known as “comparison of terms”. In the US, the world’s biggest music market ($12.1 billion in 2004), international imports command only 5 percent of sales. The report carefully derives an estimate of £155 million in “welfare loss” to consumers if term were extended. Finally, this report points out that although the term of copyright in sound recordings is shorter in the UK, recordings are protected by a broader array of rights, so simply comparing term length is misleading.

Most of the patent recommendations seem rational, too; Gowers recommends holding the line on barring patents on discoveries, mathematical methods, pure software, and business methods. This is interesting, as the review also recommends continuing to support the development of the EU community patent, which is widely believed by anti-software patent campaigners to be an attempt to sneak software patents into Europe. Gowers also recommends some measures that sound utterly sensible, such as sending Patent Office staff on short-term placements to university research labs so they are kept up-to-date on new technical developments (and are, therefore, presumably less likely to grant patents for which there is prior art).

What’s less certain is what the impact would be of the recommendation that the cost and time involved in obtaining and litigating patents should be lessened. On the one hand, lowering costs and simplifying the legal system would certainly make the patent system more accessible to small businesses. On the other hand, lowering costs will make it cheaper and easier for large businesses, too.

The two recommendations out of 54 that are really worrying are 38 and 39. Number 38 recommends ensuring that “an effective and dissuasive system of damages” exists for civil IP cases. The concern here is in ensuring that a legal distinction is drawn between commercial and non-commercial copying, something I’ve been advocating for years. It is extremely clear that commercial counterfeiting, whether physical or digital, where people pay for fake copies, leaches sales from the rightsholders. (Yes, you can argue that someone who buys a DVD for £5 might not buy the same DVD for £25, and that’s true – but it’s only a matter of time before prices on the officially released DVDs drop, especially with hi-def DVDs coming into release.) It is much less clear if this is true about file-sharing; there is still insufficient research available into how and why people share, and what its impact on the industry really is. If these recommendations are translated into rules that impose huge damages for activity whose actual impact is unknown, this would be a bad thing.

Number 39 recommends creating protocols for sharing user data between ISPs and rightsholders, “to remove and disbar users engaged in ‘piracy’.” If, it adds, such protocols aren’t developed by the end of 2007 the government should consider legislating. Until now, the data protection laws have hampered such sharing. This is where you have to wait to see specific proposals before you can tell whether users’ right to privacy is going to be respected or not. It’s hard, on the face of it, to see why rightsholders shouldn’t have to go through the same police procedures, culminating in a court order, as anyone else if they want to know who a particular user is. But again: the devil is in the details.

Gowers’ recommendations almost all point in the opposite direction to current US trends, and also to much of what industry wants. Will the British government have the guts to adopt them?

December 1, 2006

A SWIFT kick

One of the clear trends of the last five years has been increasing international surveillance, especially by or on behalf of the US. Foreign visitors to the US now are welcomed with demands for fingerprints and other biometrics; airlines flying to the US are required to hand over passenger data even before the plane pushes back; and, behind the scenes, the cooperative that handles interbank transfers within Europe has been sending the US Treasury department banking records that the average European citizen almost certainly assumes are confidential.

This week, the Article 29 group – a panel of European Commissioners for Freedom, Security, and Justice – ruled that the interbank money transfer service SWIFT (Society for Worldwide Interbank Financial Telecommunication) has failed to respect the provisions of the EU Data Protection directive by transferring personal financial data to the US in a manner the press release describes as "hidden, systematic, massive, and long-term."

It doesn't sound like much when you say that a few people brought a complaint about an obscure organization to an equally obscure branch of the EU government and won. It sounds like a lot more when you say that a few people brought a complaint that, upheld, means that the European financial world will have to change their behavior.

The transfers are part of anti-terrorist programs put in place after the September 11, 2001 attacks to allow American intelligence agency analysts to spot funds being sent to finance terrorists. The problem is that, under EU law, the Data Protection Directive forbids the transfer of personal data to countries that do not have the same level of protection in place; the US is most certainly in that category. Simon Davies, executive director of Privacy International, says the goal in making the complaint that led to the Article 29 group's decision was not to stop all data transfers. "The data should be transferred when there's some level of evidence," he says. What PI objected to was the lack of oversight from anyone outside the cooperative, which is owned by the many private companies – banks, brokers, investment managers, and corporations.

"Now that we know SWIFT was acting illegally," says Davies, "the aim is to bring SWIFT and the banks to account, first by establishing a meaningful oversight mechanism, and second by bringing some transparency to the whole arrangement." Part of Privacy International's involvement was, together with the American Civil Liberties Union, to prepare a report on the involvement of consulting firm Booz Allen Hamilton, which is SWIFT's supposedly independent auditor but which, according to the report, has been deeply involved with American surveillance programs for the last ten years. Booz Allen told the New York Times that it rejected PI's charges.

PI's next step, Davies says, will be to contact the banks to ask what they intend to do or have done to comply with the decision. Under the law, they have 30 days to reply. "At the end of the 30 days, unless they provide evidence that they have complied, we then follow up with a second round of complaints to all commissioners worldwide." The US, of course, has no data protection commissioner – and even if it did, the transfers are legal there – so the list Davies is talking about is all the EU countries, Canada, Hong Kong, Australia, New Zealand, and a smattering of others.

"What they do depends on their powers in each country," says Davies, noting that "the UK is particularly weak." Unlimited fines can be imposed, should the commissioners so choose. "If SWIFT doesn't make an adult decision to deal with the situation, then it's up to member banks to use their voting rights within SWIFT to force change."

Meanwhile, he says, "SWIFT is also stuck. They have to comply with subpoenas issued by US authorities." Otherwise, SWIFT would be incurring criminal liability.

Davies' belief is that what's needed is either a truly independent oversight body or perhaps a former judge, to review proposed data transfers and ensure they comply with the law.

That, of course, is not what the US wants; Jane Horvath, chief privacy and civil liberties officer for the US Department of Justice, told the recent international conference of data protection officers that the US does, too, have privacy laws, and that everyone should get together and agree on some kind of global data law. Under EU law, however, the US would have to raise its privacy protections to EU standards before sending data there would be legal.

This seems unlikely, but you never know. A couple of years ago, when the EU had the choice of honoring data protection law or sending the US government all the airline passenger data it wanted – the EU caved and sent the passenger data. Still, in this era when people seem willing to justify almost any amount of privacy invasion with the words "anti-terrorism", it was heartening to read the Working Party's final comment on the whole thing:

"The Working Party recalls that any measures taken in the fight against crime and terrorism should not and must not reduce standards of protection of fundamental rights which characterise democratic societies."

It's up to us to make them stick to that.
