Friday, July 13, 2007
Sony Sues DRM-Maker Over Rootkit Lawsuit Payouts
"Sony BMG is suing a firm that designed controversial anti-piracy software used on CDs sold by the label.
Sony BMG filed papers in a New York state court seeking $12m in damages from the Arizona-based Amergence Group.
It says Amergence's Mediamax software landed it with a $5.75m (£2.83m) bill for compensation after users reported problems with their computers.
Amergence disputes the claims and blames another company's software for the problems."
Interpol Chief Wants Databases To Track Criminals
"The head of Interpol believes terrorists and other criminals are traveling freely around the globe in ways that police agencies find difficult to track, but he says he knows how to cripple their movements.
Interpol Secretary General Ronald Noble on Wednesday suggested two solutions: first, airlines should forward passenger data on international flights to Interpol; and second, nations that arrest foreign visitors should share those fingerprints with the international police agency as well."
So even if the head of Interpol knows about policing, he doesn't seem to know anything about large centralised databases.
BBC To Hear Open Source Concerns Over iPlayer
Full paper here.
"Because privacy involves protecting against a plurality of different harms or problems, the value of privacy is different depending upon which particular harm or problem is being protected. Not all privacy problems are equal; some are more harmful than others. Therefore, we cannot ascribe an abstract value to privacy. Its value will differ substantially depending upon the problem or harm we are safeguarding against. Thus, to understand privacy, we must conceptualize it and its value more pluralistically. Privacy is a set of protections against a related set of problems. These problems are not all related in the same way, but they resemble each other. There is a social value in protecting against each problem, and that value differs depending on the nature of each problem...
...the problem with the nothing to hide argument is with its underlying assumption that privacy is about hiding bad things. Agreeing with this assumption concedes far too much ground and leads to an unproductive discussion of information people would likely want or not want to hide...
The deeper problem with the "nothing to hide" argument is that it myopically views privacy as a form of concealment or secrecy. But understanding privacy as a plurality of related problems demonstrates that concealment of bad things is just one among many problems caused by government programs such as the NSA surveillance and data mining...
Far too often, discussions of the NSA surveillance and data mining define the problem solely in terms of surveillance... the problems are not just Orwellian but Kafkaesque. The NSA programs are problematic even if no information people want to hide is uncovered. In The Trial the problem is not inhibited behaviour but rather a suffocating powerlessness and vulnerability created by the court system's use of personal data and its exclusion of the protagonist from having any knowledge or participation in the process. The harms consist of those created by bureaucracies - indifference, errors, abuses, frustration, and a lack of transparency and accountability...
In many instances, privacy is threatened not by singular egregious acts but by a slow series of relatively minor acts, which gradually begin to add up. In this way, privacy problems resemble certain environmental harms which occur over time...
The "nothing to hide" argument...represents a singular and narrow way of conceiving of privacy, and it wins by excluding consideration of the other problems often raised in government surveillance and data mining programs. When engaged with directly, the "nothing to hide" argument can ensnare, for it forces the debate to focus on its narrow understanding of privacy. But when confronted with the plurality of privacy problems implicated by government data collection and use beyond surveillance and disclosure, the "nothing to hide" argument, in the end, has nothing to say."
I make the same argument in chapters 5 and 6 of my book but not nearly so eloquently.
"For about thirty years now, security researchers have been talking about using digital signatures in court. Thousands of academic papers have had punchlines like “the judge then raises X to the power Y, finds it’s equal to Z, and sends Bob to jail”. So far, this has been pleasant speculation...
So do magistrates really raise X to the power Y, find it’s equal to Z, and send Eddie off to jail? Not according to enforcement folks I’ve spoken to. Apparently judges find digital signatures too “difficult” as they’re all in hex. The police, always eager to please, have resolved the problem by applying standard procedures for “securing” digital evidence. When they raid a dodgy trucking company, they image the PC’s disk drive and take copies on DVDs that are sealed in evidence bags. One gets given to the defence and one kept for appeal. The paper logs documenting the procedure are available for Their Worships to inspect. Everyone’s happy, and truckers duly get fined.
In fact the trucking companies are very happy. I understand that 20% of British trucks now use digital tachographs, well ahead of expectations. Perhaps this is not uncorrelated with the fact that digital tachographs keep much less detailed data than could be coaxed out of the old paper charts. Just remember, you read it here first."
Ross's paper on the subject is terrific. He concludes that the new digital tachographs "will be extremely vulnerable to wholesale forgery of smartcards and system level manipulation; it has the potential to lead to a large scale breakdown in control." Another hi-tech success story then.
Update: Rufus's paper has received generous praise from William Patry.
Thursday, July 12, 2007
"Detailed schematics of a military detainee holding facility in southern Iraq. Geographical surveys and aerial photographs of two military airfields outside Baghdad. Plans for a new fuel farm at Bagram Air Base in Afghanistan.
The military calls it "need-to-know" information that would pose a direct threat to U.S. troops if it were to fall into the hands of terrorists. It's material so sensitive that officials refused to release the documents when asked.
But it's already out there, posted carelessly to file servers by government agencies and contractors, accessible to anyone with an Internet connection.
In a survey of servers run by agencies or companies involved with the military and the wars in Iraq and Afghanistan, The Associated Press found dozens of documents that officials refused to release when asked directly, citing troop security...
The AP has destroyed the documents it downloaded, and all the material cited in this story is no longer available online on the sites surveyed."
"A group representing Internet service providers in the U.K. has reasserted that ISPs should not be responsible for illegal file-sharing that takes place over their networks.
Speaking Wednesday in the wake of a recent ruling in a Belgian court, a representative of the Internet Service Providers' Association maintained that ISPs should not be "set up to play judge and jury" over alleged copyright infringement."
"Despite the mirth-inducing elements of the suit (and let's face it, this story has "comedy value" written all over it), there could be some interesting legal elements to this. Firstly, there is the copyright claim itself, as I do not envy the judge who will have to decide on the originality of virtual sex devices; perhaps there are not many ways in which one can invent a pixelated toy, I guess that it would depend on the function (there goes my imagination again!) Secondly, what are the implications of suing an avatar? I'm aware that the avatar is just a way to represent a person who will be identified at a later date, but I still find it interesting that the Second Lice nickname is the one present on the legal documents."
I'm assuming the "Lice" was a Freudian typo but let's not go there either...
"But the CBI said enhanced powers to investigate alleged breaches of the data protection rules would have wider implications. "The nature of business is changing dramatically, so the way companies handle customer data is increasingly important," said the employers' body spokesman Jeremy Beale. "Some firms need to improve their data policies but there are no easy answers or silver bullets and the CBI wants a national debate to help identify where the responsibility for different aspects of data protection lies. By calling for the ability to inspect firms' files without consent, the information commissioner is in danger of leading businesses into the very surveillance society he is heeding against."
Mr Thomas said this year he was concerned that the vast amount of data being collected on individuals meant we were sleep-walking into a surveillance society. He said he lacked greater powers only because when the government translated the EU data protection directive into law it left out crucial elements. "The EU wants the government to give us the powers. Our experience tells us we need the powers," he said.
The Ministry of Justice is responsible for overseeing the Information Commissioner's office. Yesterday it said: "We believe that the Information Commissioner already has adequate powers.""
Nice to see he has the support of government and business in his quest to get people to take data protection seriously, isn't it.
Wednesday, July 11, 2007
"The Commission has decided to refer the following five Member States to the European Court of Justice over their failure to communicate national measures implementing Directive 2004/48/EC on the enforcement of intellectual property rights: France, Germany, Luxembourg, Portugal and Sweden. The deadline for implementation expired on 29 April 2006. Although reasoned opinions were sent to all those Member States in October 2006 (see IP/06/1354), no national implementing measures have yet been communicated to the Commission."
"Julian Dibbell had an interesting article in yesterday’s NYT, profiling several Chinese gold farmers, who make their living playing the massive multiplayer game World of Warcraft (WoW) and accumulating virtual loot that is ultimately sold for real money. If you’re not familiar with gold farming, or virtual-world economies in general, it’s a nice introduction...
What’s most interesting about this, to me at least, is the relationship between the gold farmers and the players they serve. It’s not a personal relationship, only an economic one, in which the gold farmers play the boring part of the game in exchange for a cash payment from a richer customer.
This relationship is an amazing tangle of play and work. The gold farmer works playing a game, so he can earn money which he spends playing the same game. The customer finds part of the game too much like work, so he works at another job to earn money to pay a gold farmer to play for him, so the customer can have more fun when he plays. Got it?"
"So, we know what a monopolistic, centralized communications system is like. And we know what it took to open it up even a little. Issuing regulations to make it more open this way or that didn't work because the telephone company was structured in every dimension — from business model to technical infrastructure to how its billing systems worked — to fight openness, competitiveness, and distributed, local control.
And we also know what happened once we broke up the old monopoly. Long distance rates dropped. New businesses emerged. Competition spurred innovations in services and in the equipment we could attach...
The way the old phone system was is the way the current suppliers of Internet connectivity are. That's not too surprising since the old phone companies are Internet carriers.
The problem is the same and so is the solution. We should do to the carriers of Internet signals what we did to the carriers of telephone signals. Bust 'em up so that the companies that connect us to the Internet don't also sell us services over the Internet. Providing connection and providing content and services can and should be profitable businesses. They just shouldn't be the same business...just as you wouldn't want your local school owned by The Acme Textbook Company, or your safety inspectors supplied by The Acme Burglar Alarm Company. It's just too hard to resist your own brand.
No, we have to bust up the carrier cartel. Structural separation. Divestiture. It's the only way to get the Internet that our economy, culture and democracy need...
The carriers will tip their hats at Net Neutrality if they are forced to. They will then ignore it. For the carriers, business models trump regulation, law and reason.
We have history so we can learn from it."
"Judge Gilman was the only judge to reach the merits. He did the right thing -- he ruled on the FISA question without reaching the First and Fourth Amendment questions. And he held, correctly, that the TSP program violates FISA, and that enactment of the AUMF does not alter that result. His analysis of the statutory question (pages 58-61) is excellent. He also holds that FISA is constitutional as applied to this program, i.e., that the President does not have an Article II power to disregard the statute (pp. 62-63). I think this conclusion is correct, too; unfortunately, Judge Gilman could have done more to defend it -- he merely holds (quoting the Jackson concurrence in Youngstown) that the President's Commander-in-Chief authority is at its "lowest ebb" here, without fully explaining why the President loses at the lowest ebb in this case.
The standing analyses of the three judges are complicated -- real FedCourts inside baseball. I think it will be difficult to explain to laypeople what constitutional value is served by not allowing the courts to reach the merits...
Let's put it this way: This is not a case in which the government's alleged unlawful conduct did not harm anyone and in which the judiciary is therefore merely being asked to sit in judgment of a coordinate branch's lawfulness -- something that arguably is better suited for the political branches. There is no doubt that many, many U.S. persons were legally injured by the TSP program (at least to the effect their statutory rights under FISA were violated). Indeed, it is almost certain that some of the plaintiffs and/or their clients were surveilled under TSP (and would not have been surveilled, certainly not to the same extent, if the NSA had complied with FISA -- see below). Therefore, even if one accepts the modern Supreme Court standing doctrine, there are some plaintiffs out there with standing to sue -- at worst, we simply can't tell who those persons are. (Moreover, such indeterminacy and uncertainty about the scope of the program actually increases the number of persons who fear such surveillance and whose speech is therefore chilled.) And it is highly likely that there are persons with standing among the plaintiffs themselves.
Where that is the case, and where the only reason we cannot identify for certain which plaintiffs were surveilled is because of the wrongdoer's own secrecy, wouldn't that argue for at least a rebuttable presumption that there are some in the plaintiff class with standing? Indeed, isn't that presumption even stronger here because the NSA is unwilling even to claim, let alone to prove, that it did not surveille any of the plaintiffs or their clients in the TSP program? (If the NSA did not, in fact, surveille any of them, I can think of no good reason -- certainly not a so-called state secrets privilege -- why the agency could not inform the court of that fact.)"
Solove makes a similar point and does a First Amendment chilling-of-speech analysis:
"The plaintiffs claimed that the NSA wiretapping violated, among other things, the First Amendment, Fourth Amendment, and the Foreign Intelligence Surveillance Act (FISA).
According to Judge Batchelder's opinion, the plaintiffs could not establish standing because they could not directly prove that they were subject to surveillance. One of the problems with the court's reasoning is that there is little way for the plaintiffs to find out more specific information about whether particular plaintiffs' phone calls have been wiretapped...
Judge Batchelder also concluded that it was unclear whether the potential chilling effect of the surveillance on the plaintiff's freedom of speech "can fairly be traced to the absence of a warrant, or if the chill would still exist without regard to the presence or absence of a warrant...
One of the difficulties with this line of reasoning is that it runs contrary to the very rationale behind warrants. Judge Batchelder seems to be suggesting that obtaining a warrant has no impact on whether people are chilled in their expression. But according to the rationale behind the warrant requirement, it is the process of the government having to justify its searches before the judiciary that gives us the assurance that we can exercise our freedoms without the fear of improper government surveillance... There is a big difference between a system of highly regulated surveillance subject to oversight and limitation and a system of unregulated surveillance without oversight or limit beyond the whims of the executive branch."
"1. Men like blond bombshells (and women want to look like them)...
10. Men sexually harass women because they are not sexist...
Sexual harassment cases of the hostile-environment variety result from sex differences in what men and women perceive as "overly sexual" or "hostile" behavior. Many women legitimately complain that they have been subjected to abusive, intimidating, and degrading treatment by their male coworkers. Browne points out that long before women entered the labor force, men subjected each other to such abusive, intimidating, and degrading treatment.
Abuse, intimidation, and degradation are all part of men's repertoire of tactics employed in competitive situations. In other words, men are not treating women differently from men—the definition of discrimination, under which sexual harassment legally falls—but the opposite: Men harass women precisely because they are not discriminating between men and women."
Do you get the sense that the authors, psychologists Alan S. Miller and Satoshi Kanazawa, are trying to provoke a response? Their book, Why Beautiful People Have More Daughters, is due out later this year.
"Orange, Barclays, NatWest and several other High Street banks are listed among a 'horrifying' number of organisations who have breached data protection rules, a report out today says.
The revelations come as the Information Commissioner Richard Thomas warned company bosses they must take the security of employees' and customers' personal information more seriously.
In his annual report he criticises a catalogue of security lapses. 'The roll call of banks, retailers, government departments, public bodies and other organisations which have admitted serious security lapses is frankly horrifying,' Mr Thomas said."
The full report is available (1.2M pdf) at the ICO's website.
"CKAN is the Comprehensive Knowledge Archive Network, a registry of open knowledge packages and projects (and a few closed ones). CKAN is the place to search for open knowledge resources as well as register your own – be that a set of Shakespeare's works, a global population density database, the voting records of MPs, or 30 years of US patents.
Those familiar with freshmeat or CPAN can think of CKAN as providing an analogous service for open knowledge."
Rufus Pollock explains:
"CKAN is a registry of open knowledge packages and projects — be that a set of Shakespeare’s works, a global population density database, the voting records of MPs, or 30 years of US patents.
CKAN is the place to search for open knowledge resources as well as register your own. Those familiar with freshmeat (a registry of open source software), CPAN (Perl) or PyPI (python package index) can think of CKAN as providing an analogous service for open knowledge.
CKAN is a key part of our long-term roadmap and completes our work on the first layer of open knowledge tools:
- The Open Knowledge Definition which sets out what we mean by open knowledge.
- KForge/KnowledgeForge which provide a system for managing open knowledge projects and the services (repositories/wikis/mailing lists) they need.
- Comprehensive Knowledge Archive Network (CKAN) which provides a registry so that open knowledge creators and users can find other open knowledge projects and resources.
CKAN links in especially closely with our recent discussions of componentization: we envision a future in which open knowledge is provided in a much more componentized form (packages) so as to facilitate greater reuse and recombination similar to what occurs with software today (see the recent XTech presentation for more details). For this to occur we need to make it much easier for people to share, find, download, and ‘plug into’ the open knowledge packages that are produced. An essential first step in achieving this is to have a metadata registry where people can register their work and where relevant metadata (both structured and unstructured) can be gradually added over time.
We also make no bones about the fact that what we have at present is very simple, certainly when compared to the long-term vision — after all, we should remember it has taken software over thirty years to reach its present level of sophistication. Thus, rather than attempting to pre-judge the solution to the open knowledge componentisation question (for example in the choice of metadata attached to each package), this beta version is the simplest possible thing that will provide value, and we look to user feedback (and we include ourselves here as users) to determine the future direction of development of the system."
Tuesday, July 10, 2007
"Brian Iddon (Bolton South East, Labour)
May I draw my right hon. Friend's attention to a substantial piece of work that Zentek Forensics in my constituency carried out? It showed that it is ever so easy to google one's way around the firewalls that prevent children from accessing some very undesirable material. That is happening in schools, libraries and children's bedrooms in the evenings at home. Will my right hon. Friend look at the providers of commercial filters and try to get them to strengthen their firewalls?
Jacqui Smith (Home Secretary)
I am happy to look at anything we can do to protect children from some of the dangers of the internet. I recognise, of course, that the internet plays an important role in the lives of children and young people—at their schools, in their social lives and in their ability to research. However, it is clearly unacceptable if we cannot put the technical safeguards in place. We have been considering how we can, for example, kitemark some of the products that are involved in filtering and monitoring software. Perhaps, as part of that activity, the company to which my hon. Friend referred could make some progress. However, we take the issue extremely seriously."
Regular readers of B2fxxx will be aware of my views on lousy commercial filter software and kitemarking any or all of it will not improve my perspective on the subject.
Monday, July 09, 2007
"In a 2-1 decision (PDF), the 6th Circuit Court of Appeals in Cincinnati dismissed a federal district court ruling from last August that found the National Security Agency's Terrorist Surveillance Program violated the U.S. Constitution and ordered it to stop. The majority's ruling did not address the legality of the program; rather, it tossed out the case on narrow procedural grounds...
The U.S. Department of Justice was quick to praise Friday's decision, which it said "confirms that plaintiffs in this case cannot seek to expose sensitive details about the classified and important Terrorist Surveillance Program."...
ACLU Legal Director Steven Shapiro said his organization had not ruled out petitioning the U.S. Supreme Court for another look at the 6th Circuit's action.
"As a result of today's decision, the Bush administration has been left free to violate the Foreign Intelligence Surveillance Act, which Congress adopted almost 30 years ago to prevent the executive branch from engaging in precisely this kind of unchecked surveillance," Shapiro said in a statement. "It is important to emphasize that the court today did not uphold the legality of the government's warrantless surveillance activity."...
Judges Alice Batchelder and Julia Smith Gibbons, both appointed by President Ronald Reagan, concluded in separate opinions that the parties that sued the NSA didn't have standing to bring their case in the first place."
Update: The BBC has a related article Questions for Microsoft on Open Formats "After Microsoft announced it would work with the UK National Archives to help open old digital document formats, Georg Greve and Joachim Jakobs, of the Free Software Foundation Europe, question the US giant's motives."
for Collaboration and Innovation.
"“Cyberinfrastructure” was originally shorthand for Internet–based information infrastructure, one of the “critical infrastructures” that merited special attention as a matter of national security. The National Science Foundation has since adopted it as a programmatic label for advanced knowledge infrastructure, which despite its roots in NSF’s core competencies (science, engineering, education) is essentially unbounded. It offers a promise of informing and enabling innovation wherever it may occur — and in doing so, helping us better understand the processes, practices, and institutions of innovation. Since we look to innovation as a principal source of increased productivity and economic growth, NSF’s initiative on cyberinfrastructure may prove as politically and strategically important as the development of the Internet, in which NSF also had a central programmatic role.
The objective of this project was not to examine NSF’s program on cyberinfrastructure, but to look at how cyberinfrastructure as an evolving enabling vision (rather than a given that merits protection) faces the innovation landscape beyond NSF’s academic constituency. It’s not just a matter of the social and economic impact of cyberinfrastructure, or the constraints that markets, laws, and policies impose on cyberinfrastructure. Rather it is a matter of designing an optimal ecology for knowledge and innovation, drawing on what can be done with science, software, organizations, and policy. This challenge is both technical and political. It is a challenge of how to get infrastructures — including infrastructure implicit in laws and markets — to work together as well as they work internally. This is a crucial test for both interdisciplinary collaboration and U.S. innovation policy."
Dan Burk does a great job, for example, in pointing out the basic hurdles to open networked scientific collaboration introduced by some of the peculiarities of [US] intellectual property law.
"The development of a new generation of cyberinfrastructure promises to increase and facilitate globally distributed scientific collaboration as well as access to scientific research via computer networks. But the potential for such access and collaboration is subject to concerns regarding the intellectual property rights that will be associated with networked data and with networked collaborative activity. Intellectual property regimes are generally problematic in the practice of science, because scientific research typically assumes practices of openness that may be hampered or obstructed by intellectual property rights. These difficulties are likely to be exacerbated in the context of networked collaboration, where the development and use of intellectual resources will likely be distributed among many researchers in a variety of physical locations, often spanning national boundaries. Such issues may be addressed by a combination of public and private approaches, including amendment of U.S. law to recognize transborder collaborative work, and adoption of clarifying contractual agreements among those who are collaborating via cyberinfrastructure, including cautious adaptation of “viral” licensing from the open source coding community."
"The case, which drew international attention, began in 2005 when Pearson became a judge and brought several suits for alterations to Custom Cleaners. A pair of pants from one suit was missing when he requested it two days later. A week later, the Chungs said the pants had been found, but Pearson denied that they were his and decided to sue.
Pearson's suit, which originally asked for $67 million, was based on a strict interpretation of the city's consumer protection law -- which imposes fines of $1,500 per violation. It also included damages for inconvenience, mental anguish and attorney fees for representing himself."