Friday, May 12, 2006

Felten and Rubin on Serious Diebold Voting Machine Flaws

Ed Felten and Avi Rubin on the report claiming Very Serious Diebold Voting Machine Flaws.

"A report by Harri Hursti, released today at BlackBoxVoting, describes some very serious security flaws in Diebold voting machines. These are easily the most serious voting machine flaws we have seen to date — so serious that Hursti and BlackBoxVoting decided to redact some of the details in the reports. (We know most or all of the redacted information...

The attacks described in Hursti’s report would allow anyone who had physical access to a voting machine for a few minutes to install malicious software code on that machine, using simple, widely available tools. The malicious code, once installed, would control all of the functions of the voting machine, including the counting of votes.

Hursti’s findings suggest the possibililty of other attacks, not described in his report, that are even more worrisome.

In addition, compromised machines would be very difficult to detect or to repair. The normal procedure for installing software updates on the machines could not be trusted, because malicious code could cause that procedure to report success, without actually installing any updates. A technician who tried to update the machine’s software would be misled into thinking the update had been installed, when it actually had not.

On election day, malicious software could refuse to function, or it could silently miscount votes.

What can we do now?

Election officials are in a very tough spot with this latest vulnerability. Since exploiting the weakness requires physical access to a machine, physical security is of the utmost importance. All Diebold Accuvote machines should be sequestered and kept under vigilant watch. This measure is not perfect because it is possible that the machines are already compromised, and if it was done by a clever attacker, there may be no way to determine whether or not this is the case. Worse yet, the usual method of patching software problems cannot be trusted in this case.

Where possible, precincts planning on using these machines should consider making paper backup systems available to prepare for the possibility of widespread failures on election day. The nature of this technology is that there is really no remedy from a denial of service attack, except to have a backup system in place. While voter verified paper trails and proper audit can be used to protect against incorrect results from corrupt machines, they cannot prevent an attack that renders the machines non-functional on election day.

Using general purpose computers as voting machines has long been criticized by computer scientists. This latest vulnerability highlights the reasoning behind this position. This attack is possible due to the very nature of the hardware on which the systems are running. Several high profile studies failed to uncover this. With the current technology, there is no way to account for all the ways that a system might be vulnerable, and the discovery of a problem of this magnitude in the midst of primary season is the kind of scenario we have feared all along...

We believe that the question of whether DREs based on commodity hardware and operating systems should ever be used in elections needs serious consideration by government and election officials. As computer security experts, we believe that the known dangers and potentially unknown vulnerabilities are too great. We should not put ourselves in a position where, in the middle of primary season, the security of our voting systems comes into credible and legitimate question."

Not at all good.

Update: Robert Lemos at SecurityFocus has a report on the vunerability, Diebold voting systems critically flawed

Telcos liability for NSA spying

Peter Swire and Judd Legg seem to be making a strong case that Telcos Could Be Liable For Tens of Billions of Dollars For Illegally Turning Over Phone Records to the National Security Agency, if yesterday's USA Today story has the facts of the situation clear. The EFF are currently suing AT&T for the company's involvement in the disclosure of personal communications data without appropriate authorisation. The government are trying to get the EFF suit dismissed. Swire and Judd say:

" Such conduct appears to be illegal and could make the telco firms liable for tens of billions of dollars. Here’s why:

1. It violates the Stored Communications Act. The Stored Communications Act, Section 2703(c), provides exactly five exceptions that would permit a phone company to disclose to the government the list of calls to or from a subscriber: (i) a warrant; (ii) a court order; (iii) the customer’s consent; (iv) for telemarketing enforcement; or (v) by “administrative subpoena.” The first four clearly don’t apply. As for administrative subpoenas, where a government agency asks for records without court approval, there is a simple answer – the NSA has no administrative subpoena authority, and it is the NSA that reportedly got the phone records.

2. The penalty for violating the Stored Communications Act is $1000 per individual violation. Section 2707 of the Stored Communications Act gives a private right of action to any telephone customer “aggrieved by any violation.” If the phone company acted with a “knowing or intentional state of mind,” then the customer wins actual harm, attorney’s fees, and “in no case shall a person entitled to recover receive less than the sum of $1,000.”

(The phone companies might say they didn’t “know” they were violating the law. But USA Today reports that Qwest’s lawyers knew about the legal risks, which are bright and clear in the statute book.)

3. The Foreign Intelligence Surveillance Act doesn’t get the telcos off the hook. According to USA Today, the NSA did not go to the FISA court to get a court order. And Qwest is quoted as saying that the Attorney General would not certify that the request was lawful under FISA. So FISA provides no defense for the phone companies, either.

In other words, for every 1 million Americans whose records were turned over to NSA, the telcos could be liable for $1 billion in penalties, plus attorneys fees. You do the math."

Update: the Guardian have a brief report on the controversy today as do the Independent.
Wired and are also on the case.
William Gibson has had his two cents worth too.
Michael Froomkin thinks Attorney General Gonzales was Merely Parsimonious With the Truth and he recommends No need for Congress, no need for courts by Glenn Greenwald:

"This continuous evasion of judicial review by the administration is much more serious and disturbing than has been discussed and realized. By proclaiming the power to ignore Congressional law and to do whatever it wants in the area of national security, it is seizing the powers of the legislative branch. But by blocking courts from ruling on the multiple claims of illegality which have been made against it, the administration is essentially seizing the judicial power as well. It becomes the creator, the executor, and the interpreter of the law. And with that, the powers of all three branches become consolidated in The President, the single greatest nightmare of the founders. As Madison warned in Federalist 47:
From these facts, by which Montesquieu was guided, it may clearly be inferred that, in saying "There can be no liberty where the legislative and executive powers are united in the same person, or body of magistrates," or, "if the power of judging be not separated from the legislative and executive powers," he did not mean that these departments ought to have no partial agency in, or no control over, the acts of each other.

His meaning, as his own words import, and still more conclusively as illustrated by the example in his eye, can amount to no more than this, that where the whole power of one department is exercised by the same hands which possess the whole power of another department, the fundamental principles of a free constitution are subverted...
Amazingly, again and again, they don't even want their own Justice Department to know what they are doing because they are afraid that DoJ lawyers will tell them that it is against the law. They don't want to hear that it is against the law. As USA Today reported: "For similar reasons, this person said, NSA rejected Qwest's suggestion of getting a letter of authorization from the U.S. attorney general's office. A second person confirmed this version of events." They know very well that their conduct might be, and in some cases that it is definitely is, illegal, but they are purposely avoiding having the DoJ be able to opine on the legality of their behavior."

Thursday, May 11, 2006

NSA block DOJ spying probe

Jack Balkin notes a report in the NYT saying : 'NSA Stymies Justice Dept. Spying Probe'

The Department of Justice's (DOJ) Office of Professional Responsibility (OPR) have closed their investigation into the Bush administration authorised NSA domestic spying programme because the NSA would not provide the DOJ lawyers with the security clearance needed to get access to the appropriate information.

Balkan is scathing:

"Note the irony: While private phone company employees at AT&T and other corporations must have sufficient security clearances to know what is going on in the NSA program- because they are helping to run it-- the Justice Department's own ethics lawyers do not. It's a convenient way to forestall any investigation into wrongdoing."

The impact of open access upon public health

From the Bulletin of the World Health Organization (BLT), The impact of open access upon public health:

"Arthur Amman, President of Global Strategies for HIV Prevention (, tells the following story:

“I recently met a physician from southern Africa, engaged in perinatal HIV prevention, whose primary access to information was abstracts posted on the Internet. Based on a single abstract, they had altered their perinatal HIV prevention program from an effective therapy to one with lesser efficacy. Had they read the full text article they would have undoubtedly realized that the study results were based on short-term follow-up, a small pivotal group, incomplete data, and were unlikely to be applicable to their country situation. Their decision to alter treatment based solely on the abstract’s conclusions may have resulted in increased perinatal HIV transmission.”
Amman’s story shows the potentially deadly gap between the information-rich and the information-poor. This gap is not the result of lack of technology or of money, but of a failure of imagination. We live in the most information-rich era of history, when the Internet allows immediate global dissemination of crucial health information, and the inter-linking of online information creates an integrated, living body of information — the ultimate vision of which is the semantic web.(1)

What is preventing such a living web? For scientific and medical information, two obstacles are vested interests and traditions. Central to these traditions is the role of copyright, which was developed when the dissemination of work was on paper. Initially, applying copyright to medical articles protected both the intellectual investment of authors and the commercial investment of publishers...

Print is no longer the most efficient way to disseminate information. The Internet provides the means to revolutionize publishing in two crucial ways. First, it makes it possible to disseminate health information at no charge to anyone in the world with online access. Although it costs money to peer review, edit, produce, and host an online article, this is a one-time, fixed cost. If research funders are willing to pay this cost, then the published work can be made freely available to all readers worldwide, and there would be no need for journal subscriptions. This is one way of financing an open-access model of publishing. (2)

Second, because the Internet allows not just ease of access but ease of reuse, an article’s usefulness is limited only by a user’s imagination."

Little sister is watching you

From the NYT :

"To her fellow students, Hu Yingying appears to be a typical undergraduate, plain of dress, quick with a smile and perhaps possessed with a little extra spring in her step, but otherwise decidedly ordinary.

And for Ms. Hu, a sophomore at Shanghai Normal University, coming across as ordinary is just fine, given the parallel life she leads. For several hours each week she repairs to a little-known on-campus office crammed with computers, where she logs in unsuspected by other students to help police her school's Internet forums...

Politics, even school politics, is banned on university bulletin boards like these. Ms. Hu says she and her fellow moderators try to steer what they consider negative conversations in a positive direction with well-placed comments of their own. Anything they deem offensive, she says, they report to the school's Web master for deletion.

During some heated anti-Japanese demonstrations last year, for example, moderators intervened to cool nationalist passions, encouraging students to mute criticisms of Japan.

Part traffic cop, part informer, part discussion moderator — and all without the knowledge of her fellow students — Ms. Hu is a small part of a huge national effort to sanitize the Internet...

Ms. Hu, one of 500 students at her university's newly bolstered, student-run Internet monitoring group, is a cog in a different kind of force, an ostensibly all-volunteer one that the Chinese government is mobilizing to help it manage the monumental task of censoring the Web...

Ms. Hu beams with pride over her contribution toward building a "harmonious society."

"We don't control things, but we really don't want bad or wrong things to appear on the Web sites," she said. "According to our social and educational systems, we should judge what is right and wrong. And as I'm a student cadre, I need to play a pioneer role among other students, to express my opinion, to make stronger my belief in Communism."


Latest EDRI-gram released

As usual there are lots of notable stories in the latest edition of EDRI-gram (though the site seems to be down at the moment. I've picked out two of particular interest at the moment since I've just been writing the section of my book dealing with risk.

3. EU moves to criminalise IP offences ============================================================

The European Commission has revived a proposal to criminalise infringement of all intellectual property rights "on a commercial scale" after a European Court of Justice ruling that the Commission may include criminal offences in their Directives.

The proposal would also criminalise the "attempting, aiding or abetting and inciting" of infringement, and introduce multi-year jail sentences, confiscation of equipment and fines of hundreds of thousands of euros. This goes much further than the EU's obligations under the World Trade Organisation's Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS). Right holders could participate in police investigations into infringement.

While the Commission focuses in its press release on counterfeiting by organised criminal gangs, the legislation would have a much wider effect. It could cover teenage file sharers, authors of file sharing and DRM-circumvention software, and even incautious campaigners for intellectual property law reform.

It is this type of outrageous legislative manoeuvring by large intellectual property right holders and their allies in European and US administrations that has brought IP law into such public disrepute.

Amended proposal for a Directive of the European Parliament and of the Council on criminal measures aimed at ensuring the enforcement of intellectual property rights (26.04.2006)

Commission proposes criminal law provisions to combat intellectual property offences (26.04.2006)

European Court of Justice ruling (13.09.2005)

(Contribution by Ian Brown, board-member EDRI)


5. Alarming results from Italian experimental e-voting ============================================================

During the recent Italian political elections an experimental e-voting system for counting votes - not for expressing the vote itself - has been used in several polling places. The system has been used in parallel with normal, manual counting operations; but it was quite clear that the goal of such experiments was to progressively switch all counting operations to using automated, computer-based systems.

Emmanuele Somma, fellow of Free Software Foundation Europe, participated as an official observer to the counting operations in one polling station (section 224 in the city of Rome) and reported on his experience, which casts an alarming shadow over the reliability of the system used and of the "human element" involved.

According to Somma, the computer operator was not able to produce the necessary official documentation which, according to law, qualifies personnel assigned to supervise electronic counting operations; after the system erred in assigning votes to one list, the operator proceeded in manually - and illegally - correcting the error, and was stopped only by the intervention of Somma; it seemed overly hard for the president of the polling station to check the activities of the computer operator for lack of technical knowledge.

The request of Somma to have a copy of the CD-ROM containing the program that was used for the automated counting operations was refused, as the operator claimed that such program was a "trade secret". What is worse, Somma reports having found a copy of that CD-ROM and a paper containing the access codes to the system in the trash outside of the polling place, while the counting operations were still undergoing.

Somma concludes his report by suggesting that automated counting operations are far from being that model of efficiency and reliability that has been boosted by the government; given the claimed costs of such a system - more or less 37 millions euros - and its perceived advantages, which - assuming the system really works - amount to having the final voting results just a few hours before, it arguably remains a mystery why Italy should implement e-voting systems in the near future.

Reports of Emmanuele Somma of the Italian e-voting experiment (11.04.2006)

(Contribution by Andrea Glorioso - Italian consultant on digital policies)"

Wednesday, May 10, 2006

High Court Rules against the government on hijacker asylum seekers

The UK government have lost a case in the High Court where Afghan asylum seekers who hijacked a plane to Britain challenged the government's failure to grant them refugee status. The judge, Mr Justice Sullivan, was quite scathing about what he perceives to be the government's abuse of power in the case:

"It is difficult to conceive of a clearer case of 'conspicuous unfairness amounting to an abuse of power'."

"Lest there be any misunderstanding, the issue in this case is not whether the executive should take action to discourage hijacking, but whether the executive should be required to take such action within the law as laid down by Parliament and the courts."

The Home Office took an "am I bovvered" approach in response:

"The hijackers are not deemed to present a threat to the UK's national security at present and it remains our intention to remove them as soon as it is possible to ensure that they can be returned in safety to Afghanistan."

So continues the battle between the judiciary and the government.

Risk to government from single universal identities

Richard Allan has pointed out a neglected facet of the identity card debate. Senior government officals with responsibility for sets of personal data about citizens have a legal duty to protect that data. The universal identity architecture severely compromises their ability to carry out that duty since the overall security of the system is very poor.

"One common identifier across all government systems means less work in the short term but is much riskier for those charged with guarding each dataset. Different identifiers that can still be linked with proper authority require a proper defined regime of access control and are therefore safer for both citizens and officials who hold data about citizens."

Brands on building privacy into ID cards

Stefan Brands has emailed William Heath about his posing of the question by government officials about why a single universal identity is a bad idea. Brands is one of the key people the UK government should be talking to regarding identity architectures, since he is one of the few with a really deep understanding of them.

"The envisioned national ID card would replace today’s local non-electronic identifiers by universal identifiers that are processed fully electronically. This migration would remove the natural segmentation of traditional activity domains. As a consequence, the damage that identity thieves can cause would no longer be confined to narrow domains, nor would identity thieves be impaired any longer by the inherent slowdowns of today’s non-electronic identification infrastructure. Furthermore, service providers and other parties would be able to electronically profile individuals across all activity domains on the basis of the universal electronic identifiers that would inescapably be disclosed whenever individuals interact with service providers."

Colbert's White House Correspondents' Dinner Speech

From Julie Hilden at Findlaw:

"Stephen Colbert's April 30th keynote address to the White House Correspondents' Association Dinner continues to spark commentary even now, more than a week later - with the video and the transcript still widely circulated on the Internet. Why?

One reason the story has had "legs," it seems, is the contention that Colbert crossed an invisible line, and the retort that either such a line shouldn't exist, or that Colbert was entitled to cross it...

Despite the caustic nature of Colbert's satire, it is clear that given the extent to which the Bush Administration, elected officials, the news media, pundits, and the public have continued to talk about and debate his keynote -- more than a week after Colbert delivered it - Colbert...has enriched our political discourse.

That he did so with the president as a captive audience may have defied protocol, but in light of the protocols regarding public debate that this president has defied, it should be viewed as fair play.

In the end, we shouldn't so automatically accept contentions like ... "He is the president of the United States, and he deserves some respect." Respect ought to be based on what one does and says, not on the office one occupies. And even when the president deserves respect, he must also be accountable. Seeking to hold a president accountable through use of a caustic parody that exploits politically embarrassing events is in the best tradition of the First Amendment and encourages the robust public debate democracy requires."

She's not a big fan of the president then. I had read the transcript but it is difficult to fully appreciate the impact without seeing the video. (Colbert starts about 55 minutes in). President Bush was looking pretty grim by the end of it.

Tuesday, May 09, 2006

Getting off the DNA database

John Lettice has been looking into how someone who believes their DNA is wrongly included on thenational DNA database can go about having those details removed. He not optimistic about any applicants' chances of success.

Felten on 21st Century wiretapping part 2

Ed Felten has posted the second entry in his series about 21st century wiretapping.

"In practice, the best we can hope for is that, based on the best available information, there is some known probability that the message will be part of a terrorist plot. If that probability is less than 100%, we’ll be comfortable allowing eavesdropping on that message. If the probability is infinitesimal, we won’t allow eavesdropping. Somewhere in the middle there is a threshold probability, just high enough that we’re willing to allow eavesdropping. We’ll make the decision by weighing the potential benefit of hearing the bad guys’ conversations, against the costs and harms imposed by wiretapping, in light of the probability that we’ll overhear real bad guys. The key point here is that even the best wiretap policy will sometimes listen in on innocent people...

The drawbacks of wiretapping come in several flavors:

(1) Cost: Wiretapping costs money.
(2) Mission Creep: The scope of wiretapping programs (arguably) tends to increase over time, so today’s reasonable, well-balanced program will lead to tomorrow’s overreach.
(3) Abuse: Wiretaps can be (and have been) misused, by improperly spying on innocent people such as political opponents of the wiretappers, and by misusing information gleaned from wiretaps.
(4) Privacy Threat: Ordinary citizens will feel less comfortable and will feel compelled to speak more cautiously, due to the knowledge that wiretappers might be listening.

Cheap, high capacity storage reduces the first drawback (cost) but increases all the others. The risk of abuse seems particularly serious. If government stores everything from now on, corrupt government officials, especially a few years down the road, will have tremendous power to peer into the lives of people they don’t like.

This risk is reason enough to insist that recording be limited, and that there be procedural safeguards against overzealous recording."

The British Library and DRM

The folks at the British Library genuinely care about access to knowledge and the problems associated with drm and overly strong intellectual property laws. So when the chair of the All Parliamentary Internet Group called on the British Library to lead the debate on DRM in order to avoid excessive influence from the IP industries lobby, those with a digital rights persuasion didn't raise any objections. The British Library chief executive Lynne Brindley was surprised at the call but "willing to play a part."

Firstly the positive - I think the British Library is fantastic. If it wasn't for the good folks at the British Library, Oxford's Bodleian Library and the Open University Library, I would never have had access to the literally hundreds of books and articles I've needed as part of the research for my book over the past year or so.

Secondly the negative - Pamela Jones points out in gory detail how the British Library have adopted restrictive policies and Microsoft drm in their deployment of information systems to handle electronic materials. The story of how such a venerable institution, commited to access to knowledge can come to implement some of the draconian policies Pamela outlines merits further investigation but for the moment for those of you serious about what have come to be called digital rights, The British Library - "The world's knowledge" DRM'd and for a price
is essential reading.

" My grandmother was a research librarian...

We'd have tea together every day when I was little, just the two of us, only my tea was what she called cambric tea, namely hot water with milk and sugar, in pretty little cups, and she would tell me stories about her life...She taught me many valuable things, like how to deal with adversity, and she taught me values by telling those stories.

That is how I know quite a lot about libraries. She taught me how to use the card system. They'd have rows and rows of wooden file cabinets with drawer after drawer of index cards, so you could find where things were located in the library. That is how, when I first read about Google's books project, I knew instantly that what they are wanting to do is to set up a kind of digital version of those index cards, not to "steal" the books, but so we all would know where to find them...

Libraries are looking for ways to loan digital works while respecting copyright law. There has always been a certain tension between libraries and publishers, because the latter want everyone to pay for a book or article, and if you don't have the money, too bad for you. Libraries, on the other hand, traditionally want to make knowledge available to all. It's the heart of what they are, or what they traditionally have been. But since my grandmother's day, we have new, top-heavy copyright laws, with the entertainment moguls pushing for what suits them sitting on top, and once RIAA lawyers get in the mix, you know how complicated everything gets, and so libraries have to be careful to set policies that comply with the law. It's hard. Here's the dignified way the NY Public Library does so, posting a notice about copyright law and what it means to you...

You agree that it is your responsibility to install anti-virus software and related protections against viruses, Trojan horses, worms, time bombs, cancelbots or other computer programming routines or engines that are intended to damage, destroy, disrupt or otherwise impair a computer's functionality or operation which may be transferred to your computer via the OverDrive server.

Hmm. That last paragraph takes us into a new zone. If I want to listen to the Tom Sawyer audiobook, I must install antivirus software? I discern they assume we are all using Windows. (Actually, the NY Public Library accommodates Apple software too, although they seem never to have heard about GNU/Linux users.) But I'm not using Windows. Still, that requirement is in the license. To be law-abiding, I'd have to install software I don't need or want. Plus, there is something that doesn't feel quite right about being told what one must do with one's own property, and my computer is mine. But I suppose my remedy is not to use the service...

Draconian DRM is undeniably altering what a library is and how knowledge can be found and used. It alters not only what libraries are like; it alters the way copyright law works, without anyone passing a law...

Would you like to see what a more fully DRM-loving library looks like? Take a look at the British Library. The British Library's motto is "The world's knowledge." For example, here's how they describe themselves:

The British Library is the national library of the United Kingdom and one of the world’s greatest libraries. The collections include more than 150 million items, in over 400 languages, to which three million new items are added every year. We house books, magazines, manuscripts, maps, music scores, newspapers, patents, databases, philatelic items, prints and drawings and sound recordings...

The processes needed to deal with electronic materials are intrinsically the same as those needed for traditional print materials, but the solutions need to be different.

The British Library's solution is Digital Object Management or DOM. And they explain their software choice:

Software tools We have also assessed the choice of tools in building this storage sub-system. We have chosen to work in a Microsoft .NET framework, using BizTalk 2004 and C#. We have established that there are clear productivity and cost benefits from this approach. We have looked at DSpace, Fedora, and ePrints software for the digital repository system: none of these offer exactly what we need, although some design features are of interest.

So it's a Microsoft shop, with all that that implies for your privacy and usability and security. So let's say you wanted a digital copy of a document housed at the British Library. How does it work? Obviously, they won't just send it to you in the clear. They don't trust you or the law's ability to dissuade you from behaving criminally. So what is their solution? Here you will find the British Library's Document Supply Services services terms and conditions, which is too long to quote in full but which is horrific enough that I hope you do read it. What stands out is that they charge money to loan. Libraries don't traditionally cost anything, if you wish to borrow a book. That little shift changes the landscape utterly...

You are allowed to print out one copy, and that is all, and must promise to delete the electronic copy...

Document manipulation is verboten, whatever that means. When you order that digital document, you will be using what they call secure electronic delivery, which is a method of sending encrypted PDFs which you must print out within 14 days...

You also must pay what they call a copyright fee...

A copyright fee? What is that for? They have a service for ordering documents, called Articles Direct. Because they are supplying digital copies of paper documents, they have special rules...

You can't store or copy most documents even for your own internal, private purposes. DRM makes it possible for the document copy to time-expire on their terms. Heaven help you if you try to print out your one permitted copy and you have a paper jam. Why do we need to pay a copyright fee? What is it for? The library explains:

Copyright is important because it protects the interests of those who create and those who invest in creativity. If there was no copyright, it would be impossible for creative people to make a living from their creativity.

No one would be willing to come up with the money to make a film, to write or publish a book or journal, or to bring out a record - because there would be no way of earning a return on that investment.

Now it might be going too far to say no one would publish a book or a journal without such copyright protection, as they claim. Cory Doctorow publishes his works online and at the same time sells them as traditional books, and he makes a living. How did that happen, if their theory were true? And as for journals, there are millions of bloggers out there, most of them writing for free. One thing is certain - we'll never run out of people willing to write...

The British Library continues:

Now that it is so easy to copy material, it is more vital than ever that we respect copyright so that people continue to produce the creative works that society needs. This is why copyright law has a method for providing financial reward to creators for uses of their intellectual property....

However, it is often much easier to obtain a copy via a supplier such as the British Library. This, too, deprives the author and publisher of income and therefore the law now says that in many circumstances a copyright fee must be charged.

So that is the purpose of the copyright fee, to provide income to authors and those who "invest in creativity". But it is also the death of the concept of a free library, where even those with little or no money can go to learn and access the world's knowledge. Is it acceptable to you that they must go in person, while the rest of us can use the digital capabilities technology makes available, because we can afford to pay and pay and pay? A real line has been crossed, here, with the British Library buying in to the traditional publishers' hatred of libraries. Librarians are supposed to stand up against such encroachments. My grandmother would have, I know. When she was young, she didn't have a dime to spare, and she became a highly educated woman in part because of libraries. She knew how vital they were to those whose dimes were all accounted for just to pay necessary bills but who were hungry to learn. Here's another part that really bothers me:

If you pay the copyright fee, and abide by any terms and conditions associated with the provision of the article (for example, you cannot re-distribute or re-sell it because this would also deprive the author or publisher of income), you will not be in breach of copyright.

What is it about DRM that makes people add on not-yet-legistated items to copyright law...

If the copyright fee is for the author, how come he gets it if it's a rush order and not if it's by mail? It's still one copy. Now, if you live in the UK, you don't have to pay the fee on a loan. You are getting a copy, not just a loan that you return. But wait. They just told us that in some circumstances, we only get to keep the document you buy for a specified time period. So why isn't that a loan too? If I pay for something, I do think I should be able to keep it forever. And if I can't keep it, it's really a loan. So if it's a loan, I am paying a copyright fee for a loan. No? What am I missing? Deeper, why does any of this make sense, in a digital age, when you can set up a database and let it pretty much run itself? A fee for what? I thought the whole idea of a library was that it made books and music available to those who couldn't pay.

You fortunate UK and Irish guys don't have to pay the copyright fee but that doesn't mean they trust you. No siree. Here's what you have to do to prove you have no criminal intent:

If a copyright fee does not need to be paid on the copy you are ordering, we call it a Library Privilege copy. The person who wants the Library Privilege copy, i.e. the end user, must sign a Copyright Declaration Form in order to declare that they are not knowingly breaking copyright law. You can download Copyright Declaration Forms from (PDF format). If the Library Privilege copy is delivered electronically or by fax, you must ensure that a similar declaration is signed. You do not return these forms to us, but instead should keep them for a minimum of seven years in case the rights owner, or their agent, requests an audit of the Library Privilege service.

Seven years? Copyright authors can request an audit of the British Library to find out if you failed to keep your permission slip for seven years? You have to keep your permissions slip longer than the IRS requires US citizens to keep proof of their finances? Are they insane? I note the Library doesn't want to be bothered with that stupid paperwork. Nope. It's for all you Would-Be-Pirates in the UK and Ireland. Happy bookkeeping. Doesn't it make you just yearn to get materials from the British Library...

There are different restrictive terms if you receive it by FAX or mail. How do they plan on enforcing this? By fly bots buzzing through our homes to spy on us? Actually they have a plan. If you purchase certain materials and you don't fully pay, this is what you agree they can do about it:

We may enter Your premises without notice and recover the Products which have not been paid for in full. This sub-clause constitutes Your authority for Us to enter the premises of any other person holding the Products on Your behalf and on whose property the Products may be and remove the Products.

Now, wait a second, cowboy. You want to enter my premises without notice and search for and take back your stuff? Without going to court at least first, to establish your version of events is true? So no more "my home is my castle," or the old quaint US idea that there can be no unreasonable search and seizures. This isn't a government search; it's by a library on behalf of private copyright owners, and it's a Brave New World, where to get content at all, you are required to waive all your normal rights. And your dignity as a human being too. Can you imagine your little kids when they burst into your house and demand their copyrighted documents back, you deadbeat parents...

Finally, the library says the website's content is also copyrighted, so naturally there are restrictions on what you can do with it:

The content of this website can be accessed, printed and downloaded in an unaltered form (unaltered including being stretched, compressed, coloured or altered in any way so as to distort content from its original proportions or format) with copyright acknowledged, on a temporary basis for personal study which is not for a direct or indirect commercial use and any non-commercial use. Any content printed or downloaded may not be sold, licensed, transferred, copied or reproduced in whole or in part in any manner or in or on any media to any person without the prior written consent of the British Library, including but not limited to:

* transmission by any method
* storage in any medium, system or program
* display in any form
* performance
* hire, lease, rental or loan

They seem to be offering to sue me for what I've done in this article. Except I'm still an American. I can use copyrighted content under fair use, which this is. But for how long? If the entire world goes DRM, you can kiss fair use goodbye. How would you like to live in the British Library's world forever...

I've been researching libraries and DRM for weeks. Why did I finally write about it? Because, as you can see from the story in News Picks, Expert Group to advise EU Commission on how to build the European Digital Library the British Library is one of the "experts" advising the EU Commission...

As I told you in March, Microsoft has already made a pitch to the EU Digital Libary for their future version of XML, and with it they suggest monetizing the world's knowledge...

DRM is part of the plan, and I encourage you to read the entire Microsoft document. It would make my grandmother roll over in her grave. Some of the librarians at the British Library are deeply troubled too about what DRM is doing to libraries. How will we access the materials if the DRM company goes out of business someday?

If they duplicate what they have done at the British Library, I think it's fair to say that it is the death of public libraries as we have known them, and the world's knowledge will be available only DRM'd and for a price."

I have to say I'm concerned at the story Pamela tells. My take is that she is a little harsh on the people involved since I expect it is the story of overworked, dedicated, people making the best of systems imposed from on high and some of the more draconian provisions she points out coming with the package. It will also be a story of complexity, misunderstanding and blind acceptance of pre-prepared template licences and the magic promise of technologies, as well as organisational micromanagement through inflexible committees which fails totally to take in to account potential systemic failures. However complex the situation, though, we have to expect better of the British Library in relation to the policies they adopt on intellectual property and drm'd information systems in the digital age. It is the curse of those with high standards that those are the standards they get judged by.

The 'nothing to fear' question

William Heath says senior government officials are asking the question ""Why should I be worried about Govt forcing me to have a single identity, if I am not a terrorist/benefit scam artist etc?"

I generally get irritated when someone spouts the soundbite 'nothing to fear nothing to hide' because it is offered as a baseless, empty, rhetorical, debating trick. (I use the word 'debating' reluctantly there as it assumes a real engagement which doesn't exist in this case). However, William seems to think these officials genuinely want to understand the problems with the imposition of a single universal identity and " if they get an intelligent answer they'll mull it over and perhaps, probably, eventually do the right thing."

Leaving aside the problem that they've got the question exactly backwards - i.e. that the government want to impose an ID card scheme and the burden of proof on spelling out the reasons for this should be squarely on their shoulders, it's a useful exercise in and of itself for the rest of us to spell out explicitly the problems that can accrue from such a single identity.

Phil Booth of NO2ID puts it like this:

"[The simple answer is 'the presumption of innocence'? - the question presumes that ONLY terrorists or criminals would resist a Gov'?t-imposed identity. Which is THEIR line, and utterly unsupportable. It is for them to prove that I need one, not me to prove that I don'?t.]


My identity is mine, and to others my identity is ME. When any authority attempts to impose an identity on me, it has to make all sorts of gross assumptions about who I am, my relationships and how I choose to live my life. The authority'?s '?identity'? will therefore, and almost inevitably, tend to restrict me - especially as the purpose of ALL imposed Â?identitiesÂ? is control.

Why should I have to relinquish control of my life and relationships? So long as I am doing nothing wrong, I should have the right to live my life as I see fit. Authorities almost always define Â?wrongÂ? in very rigid ways and, of necessity, analyse behaviour in binary/digital terms. If something that I do confounds expected patterns but is not illegal, why should I be considered Â?suspectÂ?? If I choose to disagree with the authority and express that, should I live in fear?

The authorityÂ?s Â?identityÂ?, because I am no longer in direct control of it and may have no knowledge of how it is being (ab)used, will almost certainly expose me to danger, damage and circumstances that I might choose to avoid [your other respondents list many examples]. At the very least, I should be given the choice whether or not to expose myself to such unquantified - and individually unquantifiable - risks.

An Â?identityÂ? is far more than a simple accumulation of facts. In linking together pieces of our personal information and sharing them with others, the authority (mis)represents us for its own purposes. If it is so unwilling to take full responsibility for this that it has to try to impose its Â?identitiesÂ? on us, then we should be far more than worried. And we should damn well fight to preserve control of our real identities."

And Toby Stevens agrees

"PhilÂ?s pretty much got it there. Strong identity is the cornerstone of privacy. But a *single* identity is the most privacy-intrusive measure that I can have forced upon me short of a viewscreen in my living room.

Once I have to use a *single* identity, IÂ?m obliged to reveal exactly who I am every time I wish to interact with government, commerce and society. This facilitates massive aggregation of data and the creation of a detailed profile about me, not just by government but by any commercial organisation.

A *strong* identity, however, should permit as many pseudonymous or anonymous IDs as I choose to use. So what if I call myself Wayne Rooney, so long as my payments can be authorised or the authorities can find me if I use those multiple IDs for nefarious purposes?

We all use pseudonyms and anonymous credentials: I donÂ?t reveal my home address on my blog, or my NI number when I top up my Oyster card; I donÂ?t use the same user name and password for my Internet banking as I do for a discussion group, and I donÂ?t hand out my home phone number on my business cards.

Strong identity is the friend of privacy - itÂ?s single identity that we have to worry about."

That's a good start. I suspect government officials like solid examples to help too. The usual value of anonymity/privacy cases apply :
  • The unhappy teenager confused about their sexuality looking for information
  • The person with privately held unpopular political views who might be ostracised from the community, family or workplace (or even sacked, as has happened on countless occasions)
  • The child in a strong religious family who hides this from her classmates to avoid ridicule
  • Someone attending counselling sessions for depression
  • Someone who has a criminal record for a misdemeanor as a teenager
  • Someone trying to hide from an abusive partner
  • A witness to a serious crime
  • Someone with past health problems, which though long since recovered could interfere with their ability to get a particular job
  • Someone whose details get wrongly entered on the database as a paedophile rather than a pediatrician
  • Someone whose identity gets corrupted through errors on the database or through the sales or aggregation of data shared between government and commercial organisations
  • Someone who through a routine health check discovers they carry the defective BRCA1 or BRCA2 genes and is subsequently denied health insurance
... the list goes on and on. Maybe someone should trawl the works of John Stuart Mill, Jefferson, Madison, Macaulay, Brandeis et al and just list the salient examples on the Ideal government site?

And remember the words of Louis Brandeis: "The greatest dangers to liberty lurk in insidious encroachment by men of zeal, well-meaning but without understanding." I wonder what Brandeis would have made of George W. and Tony?

Monday, May 08, 2006

Anonymous donations

Here's an interesting idea from law prof., Ian Ayres, to cure the buying a seat in the House of Lords syndrome.

"Tony Blair's leadership has been threatened this spring by allegations that "secret political payments were rewarded with seats in the house of Lords." The traditional response is to simply require disclosure, but in a recent oped in the Financial Times, Bruce Ackerman and I argue that mandating anonymous contributions is a more powerful means of insulating the political sphere from uneven distribution of wealth in our economy."

From Ian's FT op ed (excuse the formatting):

"Whenever a secret deal
comes to light, the
necessary reform seems
self-evident – force
politicians to report all gifts to
the public as rapidly as the
internet will allow. But this
rests on the premise that
politicians should continue to
know who is giving them
We reject this conventional wisdom. We think that each
political party should open a
“blind trust” with the election
authorities into which all
private donors must deposit
their money. Politicians will
no longer be able to
determine who has given
how much. As a
consequence, it will be impossible for them to know who to reward with a peerage or,
even worse, to gratify big donors with special - interest legislation."

Colbert White House Skit Copyright Spat

From the NYT:

"Stephen Colbert's performance at the White House Correspondents Dinner nine days ago has already created a debate over politics, the press and humor. Now, a commercial rivalry has broken out over its rebroadcast.

On Wednesday, C-Span, the nonprofit network that first showed Mr. Colbert's speech, wrote letters to the video sites and, demanding that the clips of the speech be taken off their Web sites. The action was a first for C-Span, whose prime-time schedule tends to feature events like Congressional hearings on auto fuel-economy standards. "

James Love fresh from the WIPO discussions on the broadcast treaty last week has some thoughts:

" Apparently C-Span has issued take-down requests to and, asking that they remove their copies of the Cobert footage, and they have entered into a deal with Google, giving Google the right to show it, but only as part of the longer full event, which would include President Bush's well recieved performance.

C-Span is also selling a DVD of the event for $24.95.

There are a number of troubling aspects of this deal, and it goes beyond this particular event. Google's Peter Chane is quoted as saying "C-Span has some very, very unique content," which is true, of course. C-Span broadcasts debates in the US Congress, plus a number of DC-based press conferences and public affairs events. The ownership and control over the best record of these events is important, and not just for commerical reasons.

C-Span claims it has a copyright in these events, and even if it doesn't have a copyright in some broadcasts, it would get a new intellectual property in material it broadcasts, under a new treaty that WIPO is considering.

Increasingly, our whole culture is being privatized in ways that restrict speech and make it difficult to engage in criticism, documentaries or other commentary.

Some of these issues are presented very well in a comic book titled bound by law regarding copyright problems that film makers face, written by three law professors, Keith Aoki, James Boyle and Jennifer Jenkins.

This is more evidence that we need to heed calls for new debates over the limits of copyright, and the importance of the public domain, or the public's rights to use certain materials for debate, commentary or criticism. Will any political party take on copyright and other intellectual property rights (such as the WIPO xcasting treaty) as political, and not simply commerical issues?"

Meeting Xiong Chengyu

Tim Wu met Xiong Chengyua, a personal advisor to Chinese President Hu Jintao on internet policy, last week.

"In conversation it turned out he was something of an internet utopian himself. He spoke of a network of great transformative power for China’s economy, culture, and society. A network that would take China out of its present cage, its underdeveloped version of itself. That would create applications to match and compete with U.S. versions, and even interestingly, a content industry that can best Hollywood...

Like many of the dreamers in our book he was so deeply convinced of the internet's potential to liberate China from its lack of development that he was willing to overlook details nearer the present. He was buoyed by the same kind of optimism in internet progress that you see in the West, just directed to a different goal: bringing China back where it should be. That, for him, made hard questions easy. I admired his spirit but it also made me a little nervous.

On his way out he wanted to buy some of the "new" books on law or media or the internet at the bookstore that can be harder to find in China. I took him there and he bought my book (shameless, yes). He also bought Lessig's 3 books, and Paul Starr's "the Creation of the Media." Neither Glenn Reynold's nor Yochai Benkler's new books were in the bookstore (Labyrinth Books, near Columbia).

I wondered if I should warn him that our China chapter is quite critical, but I didn't, and off he went."

Beatles lose to Apple in Court

The BBC are reporting that the Apple v Apple trademark case has been decided in favour of Apple of the computer variety. They say:

"Mr Justice Edward Mann ruled that the computer company used the Apple logo in association with its store, not the music, and so was not in breach.

The ruling means iPods and iTunes will still be able to carry the Apple name and logo.

Apple Corps logo on Beatles LP
With great respect to the trial judge, we consider he has reached the wrong conclusion
Neil Aspinall
Apple Corps
The Beatles' label, which wanted London's High Court to award damages and stop its rival using the Apple logo in its music operations, will appeal.

Mr Justice Mann ruled iTunes was "a form of electronic shop" and not involved in creating music.

"I conclude that the use of the apple logo ... does not suggest a relevant connection with the creative work," he wrote in his judgment."

Update: The full text of the judgement is available at BAILII but I haven't had the chance to go through it yet.

Felten on Wiretapping

Ed Felten is starting a series of short articles on his blog about 21st century wiretapping.

"The first thing to realize is that this is not your parents’ wiretap debate. Though the use (and sometimes misuse) of wiretapping has long been a contentious issue, the terms of the debate have changed. I’m not referring here to the claim that 9/11 changed everything. What I mean is that wiretapping technology has changed in ways that ought to reframe the debate.

Two technology changes are important. The first is the dramatic drop in the cost of storage, making it economical to record vast amounts of communications traffic. The second technology change is the use of computer algorithms to analyze intercepted communications. Traditionally, a wiretap would be heard (or read) immediately by a person, or recorded for later listening by a person. Today computer algorithms can sift through intercepted communications, looking for sophisticated patterns, and can select certain items to be recorded or heard by a person...

So government will have greater eavesdropping capabilities and, more interestingly, it will have different capabilities. How should we respond? Surely it is not right simply to let government do whatever it wants — this has never been our policy. Nor can it be right to let government do no wiretapping at all — this has not been our policy either. What we need to understand is where to draw the line, and what kind of oversight and safeguards we need to keep our government near the line we have drawn."

Sunday, May 07, 2006

Surveillance society: The DNA files

From the Independent on Sunday:

"Police files hold the DNA of more than 50,000 children who have committed no offence. And that's only the tip of the iceberg - Britain now has the largest DNA database in the world...

More than 51,000 innocent children have had DNA samples lodged on a national police database - more than twice the figure previously admitted by ministers...

MPs last night called for the genetic samples of innocent people, including those of children, to be immediately removed from what is now the world's largest DNA database.

The revelations come five years after the database was set up. It is a year since police were given new powers to hold DNA samples from anyone suspected of an offence, not just those who have been convicted.

Civil liberties campaigners are warning that the scheme, which currently holds the genetic data of more than three million people, is an attempt to create a database "by stealth". This has been denied by senior police officers who argue that it is a vital crime-fighting tool."

Thanks to HJ Afleck at FIPR for the pointer.