net.wars: December 2009 Archives


December 25, 2009

Second acts

Reviewing the big names of 2009 versus the big names of 1999 for ZDNet UK last week turned up some interesting trends there wasn't space to go into. Also worth noting: still unpublished is the reverse portion, looking at what the names who are Internet-famous in 2009 were doing in 1999. These were: Mark Zuckerberg (Facebook), Sergey Brin and Larry Page (Google), Rupert Murdoch, Barack Obama, and Jimmy Wales (Wikipedia).

One of the trends, of course, is the fact that there were so many women making technology headlines in 1999: Kim Polese (Marimba), Martha Lane Fox (Lastminute.com), Carly Fiorina (running - and arguably nearly destroying - HP), Donna Dubinsky (co-founder of Palm), and Eva Pascoe (a media darling for having started the first Internet café, London's Cyberia, and writing a newspaper column). It isn't easy now to come up with names of similar impact in 2009.

You can come up with various theories about this. For example: the shrinking pipeline reported ten years ago by both the ACM and the BCS has borne fruit, so that there are actually fewer women available to play the prominent parts these women did. As against that (as a female computer scientist friend points out) one of the two heads of Oracle is female.

The other obvious possibility is the opposite: that women in prominent roles in technology companies have become so commonplace that they don't command the splashy media attention they did ten years ago. I doubt this; if they're commonplace, you'd expect to see some of their names in common use. I will say, though, that I know quite a few start-ups founded or co-founded by women. It was interesting to learn, in looking up Eva Pascoe's current whereabouts, that part of her goal in starting Cyberia was to educate women about the Internet. She was, of course, right: at the time, particularly in Britain, the attitude was very much that computers were boys' toys and few women then had found the confidence to navigate the online world.

The other interesting thing is the varying fortunes of the technologies the names represent. Some, such as Napster (Shawn Fanning), Netscape (Marc Andreessen) and Cyberia, live on through their successors. Others have changed much less: HP (Fiorina) is still with us, and Palm (Dubinsky and Jeff Hawkins) may yet manage a comeback. Symbian has achieved pretty much everything Colly Myers hoped.

Several of the technologies present the earliest versions of the hot topics of 2009, most notably Napster, which kicked off the file-sharing wars. If I were a music industry executive, I'd be thinking now that I was a numb-nut not to make a deal with the original Napster: it was a company with a central server. Suing it out of existence begat the distributed Gnutella, the even more distributed eDonkey, and then the peer-to-peer BitTorrent and all the little Torrents. Every year, more material is available online with or without the entertainment industry's sanction. This year's destructive industry proposal, three strikes, will hurt all sorts of people if it becomes law - but it will not stop file-sharing.

Of course, Napster's - and contemporary MP3.com's - mistake was not being big enough. The Google Books case, one of the other big stories of the year, shows that size matters: had Brin and Page, still graduate students with an idea and some venture capital funding, tried scanning in library books in 1999 Google would be where Napster is now. Instead, of course, it's too big to fail.

The AOL/Time-Warner merger, for all that it has failed utterly, was the first warning of what has become a long-running debate about network neutrality. At the time, AOL was the biggest conduit for US consumer Internet access; merging with Time-Warner seemed to put dangerous control over that access in the hands of one of the world's largest owners of content. In the event, the marriage was a disastrous failure for both companies. But AOL, now divorced, may not be done yet: the "walled garden" approach to Internet content is finding new life with sites like Facebook. If, of course, it doesn't get run over by the juggernaut of 2009, Twitter.

If AOL does come back into style, it won't be the only older technology finding new life: the entire history of technology seems to be one of constant rediscovery. What, after all, is 2009's cloud computing but a reworking of what the 1960s called time-sharing?

Certainly, a revival of the walled garden would make life much easier for the deep packet inspectors who would like to snoop intensively on all of us. Phorm, Home Office, it doesn't much matter: computers weren't really fast enough to peek inside data packets in real time much before this year.

One recently resurfaced name from the Net's early history that I didn't flag in the ZDNet piece is Sanford ("Spamford") Wallace, who in the late 1990s was widely blacklisted for sending spam email. By 1999, he had supposedly quit the business. And yet, this year he was convicted of 14,214,753 violations of the CAN-SPAM anti-spam act and told to pay Facebook more than $711 million. How times do not change.

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, follow on Twitter, or send email to netwars@skeptic.demon.co.uk.

December 19, 2009

Little black Facebook

Back in 2004, the Australian privacy advocate and consultant Roger Clarke warned about the growth of social networks. In his paper Very Black 'Little Black Books' he warned of the privacy implications inherent in posting large amounts of personal data to these sites. The primary service Clarke talks about in that paper is Plaxo, though he also mentions Google's then newly created Orkut, as well as Tribe.net, various dating sites, and, on the business side, LinkedIn.

The gist: posting all that personal data (especially in the case of Plaxo, to which users upload their entire address books) is a huge privacy risk because the business models for such sites are still unknown.

"The only logical business model is the value of consumers' data," he told me for a piece I wrote on social networks in 2004. "Networking is about viral marketing, and that's one of the applications of social networking. It's social networks in order to achieve economic networks."

In the same interview, Clarke predicted the future for such networks and their business models: "My expectation would be that if they were rational accumulators of data about individuals they wouldn't be caught out abusing until they had a very nice large collection of that data. It doesn't worry me if they haven't abused yet; they will abuse."

Cut to this week, when Facebook - which wouldn't even exist until two years after that interview - suddenly changed its privacy defaults to turn the service inside out. Gawker calls the change a great betrayal, and says, "The company has, in short, turned evil."

The change in a nutshell: Facebook changed the default settings on its privacy controls, so that information that was formerly hidden by default is now visible by default - and not just to people on Facebook but to the Internet at large. The first time I logged on after the change, I got a confusing screen asking me to choose among the privacy options for each of a number of different types of data - open, or "old settings". I stared at it: what were the old settings?

Less than a week after the changes were announced, ten privacy organizations, led by the Electronic Privacy Information Center and including the American Library Association, the Privacy Rights Now Coalition, and the Bill of Rights Foundation, filed a complaint with the Federal Trade Commission (PDF) asking the FTC to enjoin Facebook's "unfair and deceptive business practices" and compel the company to restore its earlier privacy settings and allow complete opt-out, as well as give users more effective control over their data.

The "walled garden" approach to the Net is typically loathed when it's applied to, say, general access to the Internet. But the situation is different when it's applied to personal information; Facebook's entire appeal to its users is based on the notion that it's a convenient way to share stuff with their friends that they don't want to open up to the entire Internet. If they didn't care, they'd put it all on blogs, or family Web sites.

"I like it," one friend told me not long ago, "because I can share pictures of my kids with my family and know no one else can see them."

My guess is that Facebook's owners have been confused by the success of Twitter. On Twitter, almost everything is public: what you post, who you follow, who follows you, and the replies you send to others' messages. All of that is easily searchable by Google, and Tweets show up with regularity in public search results.

But Twitter users know that everything is public, and (one hopes) moderate their behavior accordingly. Facebook users have populated the service with personal chatter and photos of each other at private moments precisely because they expected that material to remain private. (Although: Joseph Bonneau at the University of Cambridge noticed last May that even deleted photos didn't always remain private.) You can understand Facebook's being insecure about Twitter. Twitter is the fastest-growing social network and the one scooping all the media attention (because if ever there were a service designed for the butterfly mentality of journalists, this is it). The fact that Tweets are the same length as Facebook status updates may have led Facebook founding CEO Mark Zuckerberg et al to think that competing with Twitter means implementing the same features that make Twitter so appealing.

Of course, Facebook has done this in a typically Facebookish sort of way, in that the interface is typically clunky and unpleasant (the British journalist Andrew Brown once commented that the Facebook user interface could drive one to suicide.) Hence the need for a guide to reprivatizing your account.

But adding mobile phone connections is one thing; upending users' expectations of your service is another. There is a name for selling a product based on one description and supplying something different and less desirable: bait and switch.

It is as Roger Clarke said five years ago: sooner or later, these companies have to make money. Social networks have only two real assets: their users' desire to keep using their service, and the mass of data users keep giving them. They're not charging users. What does that leave as a business strategy?


December 12, 2009

One ring to rule them all

The heat of the discussions of file-sharing - which a little too often boil down to "it's evil" versus "no, it isn't" - tends to obscure the fact that there are very real decisions to be made about the future of copyright. On Monday, there was a meeting at the Intellectual Property Office to consider these kinds of questions. How best, asked the European Commission paper (PDF) the meeting was convened to discuss, can a single market for creative content online be created?

It was an interesting group - a couple of us sent (as advisory council members) by the Open Rights Group alongside representatives of the collection society PPL, Consumer Focus, several from the IPO itself, and six or seven more whose affiliations I didn't catch. We hear a lot about the smoke-filled rooms in which policy is formed; I can say no one was smoking, but have no idea how much influence the discussion will have on policy. However, the IPO is accepting comments on the paper until January 5.

One of the key themes that kept resurfacing is the fundamental mismatch between the way intellectual property law is devised and rights are exercised and the way digital data behaves. Laws and business models are national; digital data is everywhere. Usually, thinking about that mismatch ushers in a discussion of "evil" file-sharers, but on this occasion the questions were more to do with how to create a framework that would enable commercial services to function across all of Europe. It says something about the extreme difficulties now posed by copyright law even for professionals that part of the discussion revolved around the acknowledged desire of new businesses to be able to clear all the rights for a particular work in one go. Even something as apparently simple as a single recorded song may have a whole bundle of rights holders: the songwriter/composer, arranger, performer, and broadcaster. Music already has centralized clearing for mechanical licenses and standard rates across Europe and there is something similar for satellite broadcasting (PPT). The pending European Court of Justice ruling in the CISAC case, however, is expected to determine the availability of pan-European licenses.

But such agreement is a rarity: another common theme was the wide variation across Europe. In Germany, for example, creators cannot legally be required to waive their moral rights; in most other EU countries (including the UK), they can. A work may be orphaned in one territory but not in another. In five EU countries (one of which is the UK) there is no private copying levy; in Germany such levies are being applied to larger and larger classes of hardware.

This huge thicket of cross-border disharmonies and conflicts poses serious difficulties in deciding the way forward: no matter what you do, someone is going to lose something. New business models sound like a great idea, but if the idea is to bundle up large amounts of content for greatly reduced license fees, are we creating these new businesses at the expense of artists and creators? Of course, if you follow that argument to its logical conclusion you would never do anything at all. The IPO's view seems to be that you make the best decisions you can and then solve the problems they raise as needed. Which is fine, as long as the problems you create don't all disadvantage the same group of people. At the moment, artists and creators are being squeezed from all sides, and the public seems to be the least represented in the decisions that eventually get made.

The PPL's representative argued that one barrier to a competitive market was competition law, intended to prevent cartels from forming, that blocks the four major record companies from talking jointly to ISPs. Instead, all four have the same conversations with the ISPs.

But all of this was leading up to the day's key question: is it a good or bad thing to bring in a single, Europe-wide copyright? On the pro side, for rights holders, such an arrangement would eliminate forum-shopping and leveraging competing legal systems. For artists and new businesses, it would lead, hopefully, to a much simpler regime for clearing rights and paying licensing fees. On the other hand: it would wipe away the traditional business models and notions of artistic control, all of which rely, as already noted, on parceling up rights according to national boundaries (as well as types of usage).

It would also remove control at the national government level: the arguments now taking place over the powers conferred by the Digital Economy Bill, for example, would very likely be happening at EU level. Are artists and creators likely to be better served by copyright law that's created in such a centralized way? It's not clear to me that the answer to that is yes; it seems more likely that today's grass-roots lobbying would become much harder. The EU government is structurally arcane and difficult to penetrate, even though it's true that anti-software patent campaigners had some success. But overall and in general harmonization has not been kind to public access rights because typically "harmonization" has meant adopting the most restrictive of the existing regimes.


December 4, 2009

Which lie did I tell?

"And what's your mother's maiden name?"

A lot of attention has been paid over the years to the quality of passwords: how many letters, whether there's a sufficient mix of numbers and "special characters", whether they're obviously and easily guessable by anyone who knows you (pet's name, spouse's name, birthday, etc.), whether you've reset them sufficiently recently. But, as someone noted this week on UKCrypto, hardly anyone pays attention to the quality of the answers to the "password hint" questions sites ask so they can identify you when you eventually forget your password. By analogy, it's as though we spent all our time beefing up the weight, impenetrability, and lock quality on our front doors while leaving the back of the house accessible via two or three poorly fitted screen doors.

On most sites it probably doesn't matter much. But the question came up after the BBC broadcast an interview with the journalist Angela Epstein, the loopily eager first registrant for the ID card, in which she apparently mentioned having been asked to provide the answers to five rather ordinary security questions "like what is your favorite food". Epstein's column gives more detail: "name of first pet, favourite song and best subject at school". Even Epstein calls this list "slightly bonkers". This, the UKCrypto poster asked, is going to protect us from terrorists?

Dave Birch had some logic to contribute: "Why are we spending billions on a biometric database and taking fingerprints if they're going to use the questions instead? It doesn't make any sense." It doesn't: she gave a photograph and two fingerprints.

But let's pretend it does. The UKCrypto discussion headed into technicalities: has anyone studied challenge questions?

It turns out someone has: Mike Just, described to me as "the world expert on challenge questions". Just, who's delivered two papers on the subject this year, at the Trust (PDF) and SOUPS (PDF) conferences, has studied both the usability and the security of challenge questions. There are problems from both sides.

First of all, people are more complicated and less standardized than those setting these questions seem to think. Some never had pets; some have never owned cars; some can't remember whether they wrote "NYC", "New York", "New York City", or "Manhattan". And people and their tastes change. This year's favorite food might be sushi; last year's chocolate chip cookies. Are you sure you remember accurately what you answered? With all the right capitalization and everything? Government services are supposedly thinking long-term. You can always start another Amazon.com account; but ten years from now, when you've lost your ID card, will these answers be valid?

This sort of thing is reminiscent of what biometrics expert James Wayman has often said about designing biometric systems to cope with the infinite variety of human life: "People never have what you expect them to have where you expect them to have it." (Note that Epstein nearly failed the ID card registration because of a burn on her finger.)

Plus, people forget. Even stuff you'd think they'd remember and even people who, like the students he tested, are young.

From the security standpoint, there are even more concerns. Many details about even the most obscure person's life are now public knowledge. What if you went to the same school for 14 years? And what if that fact is thoroughly documented online because you joined its Facebook group?

A lot depends on your threat model: your parents, hackers with scripted dictionary attacks, friends and family, marketers, snooping government officials? Just accordingly came up with three types of security attacks for the answers to such questions: blind guess, focused guess, and observation guess. Apply these to the often-used "mother's maiden name": the surname might be two letters long; it is likely one of the only 150,000 unique surnames appearing more than 100 times in the US census; it may be eminently guessable by anyone who knows you - or about you. In the Facebook era, even without a Wikipedia entry or a history of Usenet postings many people's personal details are scattered all over the online landscape. And, as Just also points out, the answers to challenge questions are themselves a source of new data for the questioning companies to mine.
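The blind-guess case above, and the "NYC"/"New York City" variant problem a few paragraphs earlier, can be quantified. The following is an added example, not code from the column or from Just's papers; the answer tables are constructed samples, not census or survey data, and the attempt limit is an assumed site setting.

```python
"""Guessability of challenge-question answers (added example, not from the column).

Measures how far a few popular guesses get against answers drawn from a
small, skewed space such as "mother's maiden name", and how the usual
usability fix (normalizing answers) shrinks that space further.
"""
from collections import Counter
import math
import re

# Constructed sample of stored answers to "mother's maiden name", including
# the capitalization and spacing variants users actually type (100 answers).
MAIDEN_NAME_ANSWERS = (
    ["Smith"] * 30 + ["smith"] * 10 + ["Johnson"] * 25 + ["Williams"] * 15
    + ["Brown"] * 10 + ["Jones "] * 5 + ["Ng"] * 2 + ["Okonkwo", "Bergström", "Li"]
)

# Constructed sample for "what city were you born in?", with the variants
# the column mentions (10 answers).
CITY_ANSWERS = ["NYC", "New York", "New York City", "Manhattan", "new york",
                "Boston", "Chicago", "chicago", "Austin", "Leeds"]


def normalize(answer: str) -> str:
    """Case-fold and drop anything that is not an ASCII letter or digit.
    Helps users who forget capitalization, but merges distinct variants."""
    return re.sub(r"[^0-9a-z]", "", answer.casefold())


def distribution(answers, normalize_answers=False):
    """Return {answer: probability} for a list of stored answers."""
    if normalize_answers:
        answers = [normalize(a) for a in answers]
    counts = Counter(answers)
    total = sum(counts.values())
    return {a: c / total for a, c in counts.items()}


def min_entropy_bits(dist):
    """-log2 of the single most likely answer: what a one-shot blind guess faces."""
    return -math.log2(max(dist.values()))


def shannon_entropy_bits(dist):
    """Shannon entropy, for comparison; it overstates security when the
    distribution is skewed, which is exactly the challenge-question case."""
    return -sum(p * math.log2(p) for p in dist.values())


def blind_guess_success(dist, guesses):
    """Fraction of accounts covered by trying the `guesses` most common
    answers in popularity order (the column's 'blind guess' attacker)."""
    return sum(sorted(dist.values(), reverse=True)[:guesses])


def lockout_budget_report(dist, max_attempts=3):
    """Defender's check: with this attempt limit before lockout (assumed
    setting), how much of the user base falls to popularity-ordered guessing?"""
    return {
        "min_entropy_bits": round(min_entropy_bits(dist), 2),
        "shannon_bits": round(shannon_entropy_bits(dist), 2),
        "success_within_lockout": round(blind_guess_success(dist, max_attempts), 3),
    }


if __name__ == "__main__":
    print("raw      ", lockout_budget_report(distribution(MAIDEN_NAME_ANSWERS)))
    print("normalized", lockout_budget_report(distribution(MAIDEN_NAME_ANSWERS, True)))
```

For the constructed table, three guesses cover 70% of accounts before normalization and 80% after it, against a min-entropy of under two bits either way.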

My experience from The Skeptic suggests that over the long term trying to protect your personal details by not disclosing them isn't going to work very well. People do not remember what they tell psychics over the course of 15 minutes or an hour. They have even less idea what they've told their friends or, via the Internet, millions of strangers over a period of decades or how their disparate nuggets of information might match together. It requires effort to lie - even by omission - and even more to sustain a lie over time. It's logically easier to construct a relatively small number of lies. Therefore, it seems to me that it's a simpler job to construct lies for the few occasions when you need the security and protect that small group of lies. The trouble then is documentation.

Even so, says Birch, "In any circumstance, those questions are not really security. You should probably be prosecuted for calling them 'security'."
