Friday, November 21, 2003

Looks like Derek Slater is off the hook with Harvard for posting the Diebold memos on the web. He's just grateful he had John Slater on his side. Slater himself says,

"I wholeheartedly support Derek in his assertion of a fair use defense in this matter for three reasons. First, I think it is inappropriate to use the copyright law, and particularly the DMCA's (17 USC Section 512), as a means to stifle political speech of this sort. Second, I think that every university has a responsibility to factor in its academic role, as well as its role as an Internet Service Provider under certain United States laws such as the DMCA, when forced to take up a matter of this sort and when determining how to respond when its students are accused in this regrettable manner. Finally, I am convinced that Derek has a strong fair use defense and that he ought to be supported in his assertion of that defense."

Congratulations to Siva Vaidhyanathan, whose latest book, The Anarchist in the Library, is now hitting the printing presses and will be available in the Spring of 2004. I highly recommend his earlier book, Copyrights and Copywrongs, which provides a lovely, accessible story of the history of the development of copyright law in the US. It was the first time I really appreciated how influential Mark Twain (aka Samuel Clemens) was in the process.

The Guardian actually include some mathematics in an article about ID cards here, to demonstrate reliability problems with biometric schemes. Nice overview and includes a discussion about the UK government's plans to share database information across government departments.

"Ian Brown, director of the Foundation for Information Policy Research, says that governments will find it hard to resist linking data, for example, to tackle obesity by monitoring attendance at leisure centres. 'It gives government so many more ways of interfering in people's day-to-day lives,' he says. 'They say we're not building a big central database. But they don't need to.' A series of linked databases will do the job just as well."

Findlaw issue a reminder that the EU have decided to set up an Internet Security Agency.

Some Republicans are signing up to support the Voter Confidence and Increased Accessibility Act of 2003, which would make paper trails compulsory. They join about 70 Democrats who currently support the bill. This, surely, has got to be a cross-party issue? At least the Democrats and Republicans in Fairfax County seem to see it like that. The Republicans in that case were first off the starting blocks in initiating a complaint about irregularities in the electronic voting. Donna, as usual, has some really interesting material and links on the e-voting controversy and in particular the EFF and students' case complaining about Diebold's use of the DMCA to quash online exposure of their embarrassing internal memos. Diebold are now claiming that even publishing parts of the memos constitutes copyright infringement. This is no-brainer territory for me as far as democracy is concerned but things are different in lawyerland.

A judge in Argentina has used the data protection laws as a basis for issuing what is believed to be the country's first injunction to stop a spammer sending unwanted emails.

Monday, November 17, 2003

Bruce Schneier includes an email from Ton van der Putte in his latest CRYPTO-GRAM, November 15, 2003. In September 2000 van der Putte and colleague Jeroen Keuning published a paper, Biometrical Fingerprint Recognition: Don't Get Your Fingers Burnt, on the drawbacks of biometric identification, specifically verification based on fingerprints.

Van der Putte and Keuning say it is now possible to make a dummy finger that will fool a fingerprint reader in 10 to 15 minutes, with materials available at most DIY stores. They also say:

"So it is our opinion, that as long as the manufacturers of fingerprint equipment do not solve the live detection problem (i.e. detect the difference between a live finger and a dummy), biometric fingerprint sensors should not be used in combination with identity cards, or in medium to high security applications. In fact, we even believe that identity cards with fingerprint biometrics are in fact weaker than cards without it. The following two examples may illustrate this statement.

1. Suppose, because of the fingerprint check, there is no longer visual identification by an official or a controller. When the fingerprint matches with the template in the card then access is granted if it is a valid card (not on the blacklist). In that case someone whose own card is on the blacklist, can buy a valid identity card with matching dummy fingerprint (only 15 minutes work) and still get access without anyone noticing this.

2. Another example: Suppose there still is visual identification and only in case of doubt--the look-alike problem with identity cards--the fingerprint will be checked. When the photo on the identity card and the person do not really match and the official asks for fingerprint verification, most likely the positive result of the fingerprint scan will prevail. That is, the "OK" from the technical fingerprint system will remove any (legitimate) doubt.

It is our opinion that especially the combination of identity cards and biometric fingerprint sensors results in risks of which not many people are aware."

Can somebody please draw this to the attention of our own Home Secretary, who apparently threatened to resign if he didn't get his own way on the national identity card? Just keep repeating the soundbite - biometrics may be unique but they are not secret.

Andrew Cringely is worried about identity theft because his mail was stolen when he was away recently. He's right to be worried.

Preparations for the World Summit on the Information Society in Geneva in December are not running too smoothly, according to a Reuters report in Forbes magazine.

"Developed and developing nations were wide apart on Saturday on managing the Internet and closing the digital divide between rich and poor at the end of what was meant as a final meeting before a world

The latest version of the draft declaration of principles for the summit is available on the web.

From Dan Gillmor, "Via Greg Aharonian's Internet Patent News Service comes the news that AT&T has received this patent for -- I kid you not -- a way to defeat anti-spam measures:

"A system and method for circumventing schemes that use duplication detection to detect and block unsolicited e-mail (spam.) An address on a list is assigned to one of m sublists, where m is an integer that is greater than one. A set of m different messages are created. A different message from the set of m different messages is sent to the addresses on each sublist. In this way, spam countermeasures based upon duplicate detection schemes are foiled."

Right. And the other thing being foiled is Internet users' desire to be free of the spam plague. AT&T should be ashamed of itself."