Friday, April 15, 2005

Biometrics shift focus from theft to injury

A security system which required the car owner to use his fingerprint to access the car led to the driver losing more than his car, according to a BBC story Bruce Schneier pointed me at.

"Police in Malaysia are hunting for members of a violent gang who chopped off a car owner's finger to get round the vehicle's hi-tech security system.

The car, a Mercedes S-class, was protected by a fingerprint recognition system."

So biometrics in this instance caused the attackers to change tactics - rather than stealing the car they also kidnapped the driver then seriously injured him to deal with the security system.

Mitigating ID theft

Bruce Schneier writes about mitigating identity theft in the latest issue of Crypto-gram, which, as usual, is full of common sense advice about security.

"Fraudulent transactions have nothing to do with the legitimate account holders. Criminals impersonate legitimate users to financial institutions. That means that any solution can't involve the account holders. That leaves only one reasonable answer: financial institutions need to be liable for fraudulent transactions. They need to be liable for sending erroneous information to credit bureaus based on fraudulent transactions...

If you think this won't work, look at credit cards. Credit card companies are liable for all but the first $50 of fraudulent transactions. They're not hurting for business; and they're not drowning in fraud, either. They've developed and fielded an array of security technologies designed to detect and prevent fraudulent transactions. They've pushed most of the actual costs onto the merchants. And almost no security centers around trying to authenticate the cardholder...

That's an important lesson. Identity theft solutions focus much too much on authenticating the person. Whether it's two-factor authentication, ID cards, biometrics, or whatever, there's a widespread myth that authenticating the person is the way to prevent these crimes. But once you understand that the problem is fraudulent transactions, you quickly realize that authenticating the person isn't the way to proceed...

Right now, the economic incentives result in financial institutions that are so eager to allow transactions -- new credit cards, cash transfers, whatever -- that they're not paying enough attention to fraudulent transactions. They've pushed the costs for fraud onto the merchants. But if they're liable for losses and damages to legitimate users, they'll pay more attention. And they'll mitigate the risks. Security can do all sorts of things, once the economic incentives to apply them are there.

By focusing on the fraudulent use of personal data, I do not mean to minimize the harm caused by third-party data and violations of privacy. I believe that the U.S. would be well-served by a comprehensive Data Protection Act like the European Union. However, I do not believe that a law of this type would significantly reduce the risk of fraudulent impersonation. To mitigate that risk, we need to concentrate on detecting and preventing fraudulent transactions. We need to make the entity that is in the best position to mitigate the risk to be responsible for that risk. And that means making the financial institutions liable for fraudulent transactions."

Identity theft solutions focus too much on authenticating the person? Actually, you can probably read this all across to ID cards and translate the last three sentences thus, once we all do have ID cards:

To mitigate that risk, we need to concentrate on detecting and preventing [fraudulent transactions] terrorism. We need to make the entity that is in the best position to mitigate the risk to be responsible for that risk. And that means making the [financial institutions] government liable for [fraudulent transactions] terrorism. Oops, I forgot. That's exactly what the UK government are afraid of. Hence the rush to manage the security theatre public relations battle, the ill-thought-out developments in law and the soundbite nonsense we hear trotted out in the current election campaign on the subject.

Comcast sued by RIAA target

A disgruntled Comcast customer has sued them for passing her personal details to the RIAA, as a suspected file sharer. Her lawyer reckons "Comcast should respect the rights of privacy who pay them monthly bills".

Wednesday, April 13, 2005

Government silence online discussion of VLEs

The UK government have apparently silenced an online discussion about a hot topic within the higher education sector - "VLEs", that's "virtual learning environments" for the uninitiated. These are the information systems that universities have been (mostly) buying or building for so-called "elearning."

"A JISCMail discussion list on VLEs has really been suspended because it, and others, are apparently perceived as a 'clear and present danger' to the results of the forthcoming UK election. To quote:

"All services provided by non-departmental public bodies (such as Becta) must comply with the General Election Guidance issued by the Cabinet Office.""

As one of the HE anoraks with an interest in VLEs I find this kind of thing really irritating. I'll say no more.

BBC creative archive

The BBC have unveiled their creative archive licence.

The creative commons (England and Wales) licences are also now available, though I haven't had the chance to look at the detail of these yet.

Tuesday, April 12, 2005

BBC creative archive

David Bollier is pleased at the opening of the BBC's creative archive.

"Ah, but what about “piracy”? How’s this for a refreshing response by the BBC: “If we had started at the policing end we'd never have gotten anywhere with this. Where you've got to start from is, how do we make more content available? I believe this can be a win-win. UK license-fee payers get more access to our content, and having it out there also stimulates various commercial sales markets. I don't believe one has to detrimentally affect the other.”

There is a lot of momentum growing behind business models based on open-platform sharing. When will the powers that be recognize that the intellectual property/piracy dichotomy misses the point -- and begin to understand the new paradigm?"

Radio host sacked for airing public domain piece

Siva is concerned at the firing of a radio show host for airing "a clip of Condoleezza Rice’s nomination questioning" which he apparently recorded from C-SPAN off his own TV.

"The WRPI Executive Committee, which does much of the decision making for WRPI, heard from someone (not C-SPAN) who heard Karius’ Jan.19 show, saying that he improperly used material from C-SPAN. At a meeting of the E-Comm about a week later, the committee voted for his permanent removal as a result of “gross violation of federal copyright law and consequently WRPI’s policy.”...

Karius began contacting his scheduled guests. Then he set to researching copyright law. He is convinced he did not commit any offense by airing the excerpt. National copyright experts, and even C-SPAN’s own policies, say the same...

As long as the material Karius recorded and aired is within the public domain, he is free to use it as a radio host. “He did what any citizen can and may do. C-SPAN is our only source of the sounds of Congress, so we should feel free to use it for reporting and commentary,” Vaidhyanathan said...

Much of the WRPI Executive Committee is composed of RPI students who are not necessarily experts in the field of Federal Copyright Law. Indeed, Kaufman seemed confused about what was specifically violated and how, but said, “It is our interpretation, as well as the interpretation of RPI’s legal counsel and a lawyer specializing in communication, that the material aired by Dennis was a violation of C-SPAN’s intellectual property rights even though we are a public radio station.”

Karius said he understands why E-Comm was hypervigilant. He said he did not want to damage WRPI’s reputation, and is still a supporter of the station. In Karius’ opinion, the reaction to his show was perhaps caused by the ever-increasing sensitivity of information and copyright issues."

Vatican v Hi-tech spies

The Washington Post says the Vatican is concerned about its ability to protect the private deliberations of the conclave to elect the new pope from high-tech-enabled journalists, snoopers and general mischief makers.

They are right to be concerned. Given the huge incentives of a wide range of people to get the inside story of the conclave and the power of readily available snooping technologies, they will have their work cut out to prevent any leaks.

The Canadian DMCA and the medics

Michael Geist has been encouraging Canadian medics to take a serious look at the Canadian government's proposals for a new copyright law similar to the US's DMCA and the EU's 2001 copyright directive.

"Consider the potential impact on genetic research. Researchers seeking to obtain access to proprietary genetic databases could be forced to negotiate a licence from the database owner, despite user rights that would otherwise grant the right to access and use selected portions of the database content without prior approval...

The proposals would also harm the use of the Internet as an educational tool within Canada's medical schools. The federal government's copyright proposals contemplate reversing the decade-old policy of avoiding Internet licensing by creating a licensing system for Internet content that would create new restrictions to accessing online content. Although the proposals began with the laudable goal of increasing access while providing creators with appropriate compensation, by proposing a very narrow definition of what can be accessed without compensation, the plan would effectively force millions of Canadian students to pay for access to content that is otherwise publicly available.

Rather than adopting an approach that facilitates the use of the Internet, the government is moving toward a model that will force schools to pay to use Internet materials — contrary to the expectations of many creators. Canadian medical schools, which are struggling with 20th-century budgets to provide a 21st-century education, should call on the federal government to reject the proposal and instead adopt a balanced copyright approach that encourages the use of the Internet in Canadian schools."

IFPI sue 963

The IFPI are suing more individuals for uploading music to the Net, this time in Ireland, Japan, Holland, Finland and Iceland.

Preparations for ID card continue without parliament

The UK government are going ahead with the compulsory fingerprinting of passport applicants even without the cover of parliamentary "authority", which with the large Labour majority has been nothing more than a rubber stamp for the wishes of the executive, anyway.

"The home secretary Charles Clarke has authorised the passport service to acquire 70 new passport service offices across the country so that all adult applicants for new documents can be interviewed in person from next year. The service currently has seven offices.

The Home Office admits that the new network could also be used in future as identity card enrolment centres and the introduction of mandatory fingerprinting of passport applicants will form an important "building block" for the future ID card scheme."

So much for the election delaying the progress of the ID card white elephant. Well, given the government have more people in the public services working on the non-existent, not yet approved ID card scheme than they have hi-tech crime unit police officers, I guess they didn't want all those civil servants to be at a loose end whilst the election campaign was going on. The Lib Dems have called the process an abuse of democracy.

Monday, April 11, 2005

Copyfighter survey of music services

Derek has been thinking about subscribing to a music download service and has some random observations about what he's seen.

CBC Quirks and Quarks MP3s

Cory is pleased that a Canadian Broadcasting Corporation science and technology show is being made available as MP3s for downloading.

Appeals Court Agrees to Reconsider Decision About French Censorship of U.S. Speech

This one won't lie down. Following a French appeal court ruling that Yahoo and their ex-CEO were not criminally liable for selling nazi memorabilia, a US appeal court, according to the Center for Democracy and Technology, has agreed to "reconsider an earlier decision restricting Yahoo's efforts to protect its lawful US publications from liability under French law. A French court had imposed fines on the U.S.-based Yahoo! for web site content that is lawful in the U.S. but illegal in France. A lower U.S. court held that enforcing the French fines would violate the U.S. First Amendment. An appeals court panel disagreed"

Fiona Apple and schizophrenic Sony

Charles Arthur at the Register ponders the fate of Fiona Apple's third album and how it illustrates the difficulties Sony are having with the digital age in entertainment.

"nobody wins. Fiona Apple's album goes mostly unheard. Sony gets no revenues from its being downloaded. And all because the idea of selling music online has to be made to fit into the strategies used for 90-odd years. You've adapted your job and your business to this interweb thing. But the record labels still think the Net should bow to their thinking.

Oh, and there's a final irony in it all. Sony, the company at the centre of all this, should be celebrating whoever wins that case. For it's arguing on both sides. That's right. Check the dockets at this page and you'll find that one of the "petitioners" (379KB PDF) along with MGM is Sony Music.

Look further down at those "supporting respondents" (ie backing Grokster), and you'll find the Consumer Electronics Association's amicus brief (273KB PDF). And among the members of the CEA? Sony Electronics."

Training a new breed of hacker

The BBC have heard about a course in Barcelona that was "set up by the Institute for Security and Open Methodologies (ISECOM), a non-profit computer security outfit that wants to make students streetwise to the hostile neighbourhood the internet can often be."

James Love quantifying WIPO politics

Donna reports that James Love has provided "(1) links to various countries' proposals for interpreting the Development Agenda and (2) a telling "scorecard" of key words in the proposals, providing an at-a-glance analysis of substantive slant."

Piercing P2P myths

Michael Geist has a typically well argued article on P2P in First Monday. Abstract:

"Canada is in the midst of a contentious copyright reform with advocates for stronger copyright protection maintaining that the Internet has led to widespread infringement that has harmed the economic interests of Canadian artists. The Canadian Recording Industry Association (CRIA) has emerged as the leading proponent of copyright reform, claiming that peer-to-peer file sharing has led to billions in lost sales in Canada.

This article examines CRIA’s claims by conducting an analysis of industry figures. It concludes that loss claims have been greatly exaggerated and challenges the contention that recent sales declines are primarily attributable to file-sharing activities. Moreover, the article assesses the financial impact of declining sales on Canadian artists, concluding that revenue collected through a private copying levy system already adequately compensates Canadian artists for the private copying that occurs on peer-to-peer networks."

Stop spam

From scambusters, "Stop Spam: 16 Ways Spammers Get Your Email Address ... and How to Stop Them!"

And if you wanted to know how to deal with viruses, trojans and worms and generally protect your PC in addition, you could do a lot worse than sign up for the Open University's 10 week course, T187 Vandalism in Cyberspace: understanding and combating malicious software.

Monsanto v US farmers

According to Jonathan Rowe, Monsanto don't fare too well in a recent report Monsanto v US Farmers produced by the campaigning group Center for Food Safety.

"The report documents the legal thuggery the Monsanto corporation commits upon U.S. farmers – many of them totally innocent and unsuspecting – to enforce the patents on its genetically modified seeds. The company has turned the genetic commons into a corporate police state; and if that sounds inflammatory and extreme, then check out the report."

Interestingly enough, the European Patent Office have just concluded their review of biotech firm Syngenta's and Greenpeace's challenge to Monsanto's patenting of herbicide-resistant seeds on this side of the pond and declared the patents valid.

Grokster SCOTUS transcript

The transcript of the MGM v Grokster oral arguments before the US Supreme Court is now available online.

I'll drink to that

I liked this:

"P-to-P (peer-to-peer) file-trading enthusiasts like to rant about the draconian steps taken by groups like the RIAA (Recording Industry Association of America) to enforce laws protecting their intellectual property rights, by shutting down distribution systems like the original Napster. But can those enthusiasts be organized into an influential grassroots organizing force?

The founders of CopyNight hope that the answer is "yes," and that social gatherings can ferment political activism."

Another piratical business model built on the blood, sweat and tears of the entertainment industry.

Jeffreys calls for world DNA database

Sir Alec Jeffreys, who discovered DNA fingerprinting, has called for the creation of a database which would contain the DNA details of everyone in the world.

"At a lecture on Saturday to mark the 20th anniversary of the discovery of DNA fingerprinting, Professor Sir Alec Jeffreys, of Leicester University, said a global DNA database would have been invaluable in attempting to identify victims of the recent tsunami. Instead, investigators faced endless searches through incomplete records, or having to cause further distress to relatives of the victims."

He suggests that access to and use of such a database should be strictly controlled, and he has serious criticisms, for example, of the UK criminal DNA database. If the existing UK scheme, used for limited purposes (law enforcement) and minuscule by comparison with the proposed database, has so many problems, though, how could such a database possibly work in practice?

What problem are you trying to solve?
A: Identifying victims in case of disaster (and other unspecified noble objectives)

What does the system architecture look like?
A: Massive database + decentralised hi-tech networked registration centres + remote networked handheld verification devices (or labs on a chip, as Professor Jeffreys nicely describes them)

How well does it work?
A: Probably not very well

How many other problems can it cause?
A: Quite a few, similar to the national ID card scheme. Tens of thousands, if not millions, of people have to have access to the system and some of them will have malign intentions. How can the database fail naturally (through errors in entries etc.) and how can it be made to fail (e.g. deliberate falsification of records), leading to erroneous identification of victims? Function creep: once such a database exists, the temptation to use it for other things becomes irresistible. How do we know this? Because it already happens.

How much does it cost?
A: Well, the UK national ID card scheme is currently pegged at between £3 billion and £11 billion. A database a thousand times as big may cost a thousand times as much again, though economists would, no doubt, berate me for making such a simplistic jump, not taking into account economies of scale on the positive side and the negative effects of coordinating international collaboration on a global scale.

Is it worth it?
A: Probably not.