net.wars: November 2007 Archives


November 30, 2007

Spam today and spam tomorrow

Admittedly you have to be not really paying enough attention to do this, but in the last couple of weeks I've discovered torrent spam. Here's how it works: you download a file you think is something you want, and discover it's been RAR-compressed. When you uncompress the file, you get a second RAR file that requires a password and a Readme file. The Readme advises you that to get the password you need to go to a Web site and enter an email address – any email address. I'm not quite demented enough to do this, even with the venerable black-hole address nobody@nowhere.com. Who knows what evils might be lurking on that Web site?

This is the more or less harmless kind. Other stories say that there are more dangerous types of torrent spam, where to play the file you are required to download a new video player that is typically infected with malware.

For once, this seems not to be an RIAA/MPAA initiative. It's just spam, reflecting the reality that any time anything on the Net gets sufficiently popular someone tries to turn it into a vehicle for unwanted crap. And you know they know it's unwanted, because otherwise they wouldn't be trying so hard to trick you into reading it. At one time – oh, say, a year ago – a lawyers' mailing list agreed that at the threshold of around 10,000 readers you have to turn off or moderate comments because the comment spam got too heavy. Page rank can do it, too: the pelicancrossing.net site that hosts one version of this column gets something like 1,000 comment spams a week – and hardly any real ones. (Movable Type, which powers that blog, does have anti-spam settings, which trap most, but not all, of the junk. Unfortunately, the price is that for some reason it rejects all comments I make myself, which means that people who do comment don't get responses from me. Despite a lot of trawling through settings, I have yet to find a solution to this.)

Appropriately diligent research shows that torrent spam isn't new; it was first reported in 2004, and by 2005 there were efforts to create a reporting service. That service now has very little traffic in its forums, and that makes it hard to tell from its stats whether this is a growing problem. Despite the egocentric desire to see it as one – hey, I noticed it! It must be big! – it's probably just a footnote to the great tide of spam that washes over us in so many other ways. A modest amount of attention paid to checking the torrent you're downloading defeats it.

Still, it's arguably yet another reason why the *AAs should have fought back by creating their own cheap, reliable, widely available services. They may pick up some short-term advantage by being able to campaign semi-truthfully on the idea that using P2P to download copyrighted material is risky. But long-term the educational task they'll face in trying to explain to ordinary consumers why we should trust that their systems are safer will be a bigger disadvantage.

On the wider Internet, of course, spam continues to be a relentless flood. Google broke ranks this week to claim that the amount of spam reaching its network is declining. I find it hard to believe this. It's certainly true that spam does move on if a particular technology goes out of favor – the areas of Usenet I frequent are now almost completely spam-free though not, unfortunately, devoid of single-idea-obsessed idiots with a trigger-finger on the abusive adjectives.

But if email spam does start to die because too many people have moved their real communications to IM, Skype, Facebook, and other newer, more carefully gated media it seems unlikely that any one service provider will be singled out. Given that the single biggest reason email spam is popular is that it costs next to nothing to send, I really can't see botnet designers sitting around their labs going, "Oh, listen, this time let's not bother sending anything to gmail addresses; they just bounce it." If there's one thing we know about spammers it's that they don't care about targeting. I find Facebook, LinkedIn, and the other social network platforms painfully irritating to use for communications compared to email; but for a lot of people they work as an elaborate form of white-listing.

But others do not. "I'm more likely to have Facebook open these days than Outlook," one such correspondent wrote just this morning when I suggested taking it to email.

The longer-term prospects, though, are for much more "legitimate" marketing email. Spamhaus has a really interesting article up about a recent flood of sales messages it's received from one of the lifetime menaces on its ROKSO list advertising cheap home delivery of the New York Times. That same article talks about the many ways email addresses find their way onto marketing lists: sharing with third-party companies and database-matching being the most significant. Then, also this week, Adobe and Yahoo! announced that we can have – oh, joy! – ads in PDFs downloaded dynamically while we try to read.

Doesn't anyone get it? The difference between marketing and spam is user choice. Take that away, and it's all just spam.

Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

November 23, 2007

Road block

There are many ways for a computer system to fail. This week's disclosure that Her Majesty's Revenue and Customs has played lost-in-the-post with two CDs holding the nation's Child Benefit data is one of the stranger ones. The Child Benefit database includes names, addresses, identifying numbers, and often bank details, on all the UK's 25 million families with a child under 16. The National Audit Office requested a subset for its routine audit; the HMRC sent the entire database off by TNT post.

There are so many things wrong with this picture that it would take a village of late-night talk show hosts to make fun of them all. But the bottom line is this: when the system was developed no one included privacy or security in the specification or thought about the fundamental change in the nature of information when paper-based records are transmogrified into electronic data. The access limitations inherent in physical storage media must be painstakingly recreated in computer systems or they do not exist. The problem with security is it tends to be inconvenient.

With paper records, the more data you provide the more expensive and time-consuming it is. With computer records, the more data you provide the cheaper and quicker it is. The NAO's file of email relating to the incident (PDF) makes this clear. What the NAO wanted (so it could check that the right people got the right benefit payments): national insurance numbers, names, and benefit numbers. What it got: everything. If the discs hadn't gotten lost, we would never have known.

Ironically enough, this week in London also saw at least three conferences on various aspects of managing digital identity: Digital Identity Forum, A Fine Balance, and Identity Matters. All these events featured the kinds of experts the UK government has been ignoring in its mad rush to create and collect more and more data. The workshop on road pricing and transport systems at the second of them, however, was particularly instructive. Led by science advisor Brian Collins, the most notable thing about this workshop is that the 15 or 20 participants couldn't agree on a single aspect of such a system.

Would it run on GPS or GSM/GPRS? Who or what is charged, the car or the driver? Do all roads cost the same or do we use differential pricing to push traffic onto less crowded routes? Most important, is the goal to raise revenue, reduce congestion, protect the environment, or rebalance the cost of motoring so the people who drive the most pay the most? The more purposes the system is intended to serve, the more complicated and expensive it will become, and the less likely it is to answer any of those goals successfully. This point has of course also been made about the National ID card by the same sort of people who have warned about the security issues inherent in large databases such as the Child Benefit database. But it's clearer when you start talking about something as limited as road charging.

For example: if you want to tag the car you would probably choose a dashboard-top box that uses GPS data to track the car's location. It will have to store and communicate location data to some kind of central server, which will use it to create a bill. The data will have to be stored for at least a few billing cycles in case of disputes. Security services and insurers alike would love to have copies. On the other hand, if you want to tag the driver it might be simpler just to tie the whole thing to a mobile phone. The phone networks are already set up to do hand-off between nodes, and tracking the driver might also let you charge passengers, or might let you give full cars a discount.

The problem is that the discussion is coming from the wrong angle. We should not be saying, "Here is a clever technological idea. Oh, look, it makes data! What shall we do with it?" We should be defining the problem and considering alternative solutions. The people who drive most already pay most via the fuel pump. If we want people to drive less, maybe we should improve public transport instead. If we're trying to reduce congestion, getting employers to be more flexible about working hours and telecommuting would be cheaper, provide greater returns, and, crucially for this discussion, not create a large database system that can be used to track the population's movements.

(Besides, said one of the workshop's participants: "We live with the congestion and are hugely productive. So why tamper with it?")

It is characteristic of our age that the favored solution is the one that creates the most data and the biggest privacy risk. No one in the cluster of organisations opposing the ID card - No2ID, Privacy International, Foundation for Information Policy Research, or Open Rights Group - wanted an incident like this week's to happen. But it is exactly what they have been warning about: large data stores carry large risks that are poorly understood, and it is not enough for politicians to wave their hands and say we can trust them. Information may want to be free, but data want to leak.


November 16, 2007


The newly minted Nobel Laureate Doris Lessing has advised writers to remind themselves: "'Without me the literary industry would not exist: the publishers, the agents, the sub-agents, the sub-sub-agents, the accountants, the libel lawyers, the departments of literature, the professors, the theses, the books of criticism, the reviewers, the book pages – all this vast and proliferating edifice is because of this small, patronized, put-down and underpaid person.'"

TV and movie scriptwriters are usually better paid than novelists, but if you read William Goldman's several books about screenwriting the general position of the writer in Hollywood is somewhere beneath contempt. ("Did you hear the one about the Polish starlet who was so dumb she slept with the writer?") Bad casting can break the finest scripts (think Ronald Reagan and Ann Sheridan in Casablanca). But casting can't make a dud script shine. Without writers, nothing.

There's no doubt that the TV studios are in a stronger position than they used to be. Current trends like reality TV, talk shows, game shows, and sports (televised poker, anyone?), plus the ever-increasing back catalogue of movies and shows, mean that the seemingly infinite number of TV hours can be filled somehow. The audience, long-term, seems secure: broadcast TV has ease of use.

But the studios are also in a weaker position. The mass audiences once commanded by the Big Three US networks are splintering into myriad smaller channels. Two decades of home video sales and rental have also demonstrated media companies' ability to turn apparently threatening technology into large, new revenue streams. And the writers' position is simple: if you're going to go on making money off my work for a century (as the term is under current copyright law), I want some of it.

The Internet is also catching the studios in a new kind of bind previously experienced primarily by politicians. In 1988, the last time writers went on strike, it was still possible to say different things to different audiences and not get found out. It was before a lot of media concentration, there were more companies involved, and fewer of those companies were public. Today, we find it easy to follow the difference between what big media companies are telling the courts (file-sharing is bankrupting us), Wall Street (digital media are growing like crazy and creating new revenue opportunities, if not streams), and what they're telling the writers (no money, sorry). Fan support for the strike is also much easier to organise and much more visible.

The late British journalist John Diamond once set off a small firestorm in the Fleet Street Forum by arguing that writers shouldn't be paid royalties – after all, he said, you don't pay your plumber every time you use the bathtub he's put in – but should be well-paid up front. I understand that this is a variant of an analogy made famous by Lew Wasserman, who originally said it in toilets. Diamond held that this remained true even if your plumber installed a bathtub so fantastic and elegant that you were able to charge money for tours through your home for people to look at it. My own belief is if the plumber were that good he'd be mounting his own exhibitions and pocketing the ticket revenue.

But writing isn't like plumbing, in that if you know how to install a functioning toilet the chances are very good that you can keep installing them, year after year, in a reliable fashion, for enough money to make a living. Writing, by contrast, can be a completely freakish business, subject to luck, timing, and accident: you can write a billion-dollar hit one year, and then spend the rest of your life unable to write anything else that anyone wants to read or see. Participating in the profits of your work, therefore, is compensation for the high-risk nature of being a creator of any kind. It's the same trade-off as putting your money in a savings account earning a modest 4 percent per year versus buying tech stocks.

That said, Diamond was primarily talking about journalism. It's not so long since journalists by default retained the right to resell and exploit their work. Periodical publishers began to shift in the 1990s to all-rights contracts that included electronic media. Young freelances often don't know any better than to sign these contracts; older ones trying to argue can find themselves out of work. It's been bad enough in journalism, where freelance incomes haven't budged in 20 years, but at least journalists can keep working, like plumbers. A Hollywood writer's employment is far more fragile.

In an honest world, I think publishers in the 1990s and studios now should be able to say something like: "We know these new media are going to be big winners for us. But we don't understand the business model yet, and we don't know where the revenues are going to come from. Give us a five-year moratorium while we figure things out, and then we'll negotiate in good faith to ensure you get a fair share." That no one can say this and be believed is Hollywood's own damned fault after decades of "creative accounting" to ensure that big hits are never profitable enough to owe creative artists their cut. Time to pay up.


November 9, 2007

Watching you watching me

A few months ago, a neighbour phoned me and asked if I'd be willing to position a camera on my windowsill. I live at the end of a small dead-end street (or cul-de-sac), that ends in a wall about shoulder height. The railway runs along the far side of the wall, and parallel to it and further away is a long street with a row of houses facing the railway. The owners of those houses get upset because graffiti keeps appearing alongside the railway where they can see it and covers flat surfaces such as the side wall of my house. The theory is that kids jump over the wall at the end of my street, just below my office window, either to access the railway and spray paint or to escape after having done so. Therefore, the camera: point it at the wall and watch to see what happens.

The often-quoted number of times the average Londoner is caught on camera per day is scary: 200. (And that was a few years ago; it's probably gone up.) My street is actually one of those few that doesn't have cameras on it. I don't really care about the graffiti; I do, however, prefer to be on good terms with neighbours, even if they're all the way across the tracks. I also do see that it makes sense at least to try to establish whether the wall downstairs is being used as a hurdle in the getaway process. What is the right, privacy-conscious response to make?

I was reminded of this a few days ago when I was handed a copy of Privacy in Camera Networks: A Technical Perspective, a paper published at the end of July. (We at net.wars are nothing if not up-to-date.)

Given the amount of money being spent on CCTV systems, it's absurd how little research there is covering their efficacy, their social impact, or the privacy issues they raise. In this paper, the quartet of authors – Marci Lenore Meingast (UC Berkeley), Sameer Pai (Cornell), Stephen Wicker (Cornell), and Shankar Sastry (UC Berkeley) – are primarily concerned with privacy. They ask a question every democratic government deploying these things should have asked in the first place: how can the camera networks be designed to preserve privacy? For the purposes of preventing crime or terrorism, you don't need to know the identity of the person in the picture. All you want to know is whether that person is pulling out a gun or planting a bomb. For solving crimes after the fact, of course, you want to be able to identify people – but most people would vastly prefer that crimes were prevented, not solved.

The paper cites model legislation (PDF) drawn up by the Constitution Project. Reading it is depressing: so many of the principles in it are such logical, even obvious, derivatives of the principles that democratic governments are supposed to espouse. And yet I can't remember any public discussion of the idea that, for example, all CCTV systems should be accompanied by identification of and contact information for the owner. "These premises are protected by CCTV" signs are everywhere; but they are all anonymous.

Even more depressing is the suggestion that the proposals for all public video surveillance systems should specify what legitimate law enforcement purpose they are intended to achieve and provide a privacy impact assessment. I can't ever remember seeing any of those either. In my own local area, installing CCTV is something politicians boast about when they're seeking (re)election. Look! More cameras! The assumption is that more cameras equals more safety, but evidence to support this presumption is never provided and no one, neither opposing politicians nor local journalists, ever mounts a challenge. I guess we're supposed to think that they care about us because they're spending the money.

The main intention of Meingast, Pai, et al., however, is to look at the technical ways such networks can be built to preserve privacy. They suggest, for example, collecting public input via the Internet (using codes to identify the respondents on whom the cameras will have the greatest impact). They propose an auditing system whereby these systems and their usage are reviewed. As the video streams become digital, they suggest using layers of abstraction of the resulting data to limit what can be identified in a given image. "Information not pertinent to the task in hand," they write hopefully, "can be abstracted out leaving only the necessary information in the image." They go on into more detail about this, along with a lengthy discussion of facial recognition.

The most depressing thing of all: none of this will ever happen, and for two reasons. First, no government seems to have the slightest qualm of conscience about installing surveillance systems. Second, the mass populace don't seem to care enough to demand these sorts of protections. If these protections are to be put in place at all, it must be done by technologists. They must design these systems so that it's easier to use them in privacy-protecting ways than to use them in privacy-invasive ways. What are the odds?

As for the camera on my windowsill, I told my neighbour after some thought that they could have it there for a maximum of a couple of weeks to establish whether the end of my street was actually being used as an escape route. She said something about getting back to me when something or other happened. Never heard any more about it. As far as I am aware, my street is still unsurveilled.


November 3, 2007

Amateur hour

If you really want to date yourself, admit that you remember Ted Mack's Amateur Hour. Running from 1949 to 1970, it was the first televised amateur talent competition, the granddaddy of today's reality TV. What's new about the Internet isn't that amateurs can create content people will look at but the ability to access an audience without going through an older-media gatekeeper.

But even on the Internet, user-generated content (as the kids are calling it these days) is not new: user-uploaded messages and files are how people like CompuServe made money. But that was user-originated content. Today's user-generated content on sites like YouTube includes a mass of uploaded video, audio, and text that in fact do not belong to the users but to third parties. These issues are contentious; so much so that Ian Fletcher, the CEO of the UK's Intellectual Property Office, bailed at the thought of appearing before an audience that might publish his remarks out of context on the Net.

To hear media representatives tell it at today's Amateur Hour conference, they regarded it with a pretty benign eye for quite a while.

It wasn't, said Lisa Stancati, assistant general counsel for ESPN, until Google bought YouTube that everyone got mad. "If Google is going to be making money from my content I have a serious problem with that."

Well, fair enough. But how did it get to be your content? Media companies love theoretically paying artists when they want to expand copyright. Come contract time it's a different story, as the tableful from Actors Equity knew all too well. And what about the content of the future?

Marni Pedorella, vice president of NBC Universal, notes that the site the company runs for Battlestar Galactica fans provides raw materials for users to play with. If they upload the mashed-up results, however, NBC takes a royalty-free license in perpetuity. Are older media hoping new media will become a source of what Brian Murphy is calling CGC – for "cheaply generated content"? Like reality TV?

Heather Moosnick, vice president of business development for CBS Interactive, recounted CBS's moves to share its content more widely around the Net: you can watch current shows on its Web site, for example (unless you live outside the US). But, she said sadly, if people don't care about copyright – well, there might be fewer CSIs. (Threat or promise? There are three CSI shows. At least she didn't say that less "expert content" will deprive us of Cavemen.)

Because the conference was sponsored by a law school, a lot of the moderators' questions centered on things like: How do you see your risks developing? What is your liability? What about international laws?

And: what is the difference between a professional and an amateur? You might argue that it doesn't matter as long as the content is interesting, but when it comes to the shield laws that allow journalists to protect their sources the difference is important. Should every blogger – hundreds of millions of them – have the right? Just the ones with mass audiences who make a living from running AdSense alongside their postings? None? Is a blogger with an audience of 100,000 of the most important people in American politics more or less worthy of protection than a guy writing for a local paper with a circulation of 10,000? Is a fan taking pictures of Lindsay Lohan with a cell phone subject to California's new law limiting paparazzi?

To me, the key difference between an amateur and a professional is that the professional does the job even when he doesn't feel like it.

The source of this idea is Agatha Christie, who defined the moment she became a professional writer, some ten or 15 books into her career. She was mid-divorce, and she liked neither the book nor her work on it – but she had a contract. The amateur can say, Screw the contract, I don't feel like getting up this morning. The professional makes the work arrive, even if it stinks. Unfortunately, that practical distinction is not easily describable in law.

You could define it a different way: a professional is the guy you'll miss if he goes on strike, as TV writers are about to do over residual payments for digital reuse.

Another line: a lot of large companies operate their message boards on the basis of the safe harbor protections in the DMCA, under which you're not liable as long as you take down material when notified of infringement or other legal problems. What about mixed content? There's a case pending between the Fair Housing Council and Roommates.com because the latter site gave users a questionnaire asking such roommate-compatibility questions as age, race, gender, sexual orientation… All these are questions that landlords are not allowed to ask under the Fair Housing Act. At what point is someone looking for a roommate subject to that act? Are we really going to refuse to allow people all control over who they live with?

These aren't problems that have solutions, at least yet. They're the user-generated lawsuits of the future.
