Friday, December 21, 2007

NCAA rules issued on limited blogging of games

The area with the smallest importance:irritation index in the copyright land grab for me is the sports franchises' claims that they "own" the statistics on sporting contests. I get disproportionately irritated when I hear a journalist has been ejected from a stadium for live blogging about a baseball game, for example. Lest we smugly say that's the Americans for you, there have been similar moves by the Premier League in the UK and the simple question is: how can anyone own a collection of facts?

Sports statistics are a case study in why basic research and data should go into the public domain. When basic information on anything from sports to the human genome gets fenced off and handed as property to private owners, then basic education and research gets impeded, because we need to pay for access to it.

Jonathan Rowe says "If you can own facts then you can own the truth about the past. You can control what people say and write about the past." (e.g. ‘The Wind Done Gone’ case) That's not the kind of society I want my kids growing up in and the "ownership of sports statistics is a trivial but simultaneously serious illustration of the kind of power that unbalanced intellectual property landscapes can bestow. In an information society the information laws, intellectual property prime amongst them, are the default rules of the road.

In fairness, in the latest baseball case in June this year, a judge did decide the first amendment protecting freedom of expression in the US trumped the Major League Baseball franchises and players’ IP rights. (C.B.C. Distribution and Marketing, Inc. Vs Major League Baseball Advanced Media, L.P. et al. in the US Appeal Court for the 8th Circuit).

In any case (due to the importance:irritation index) I've just taken a long-winded route to pointing out the latest development in the plethora of stories on IP and sports stats, which is that the National Collegiate Athletic Association, NCAA, has issued a set of rules "allowing" accredited journalists to indulge in limited live blogging of games.

Thanks to Michael Geist for the link to the NCAA story.

(For an extra baseball DRM bonus on this one from November see and

BEUC urge EU to reject Google DoubleClick deal while FTC approves

The European Consumers Organisation, beuc, the Federation of German Consumer Organisations, vzbv, the Spanish Organización de Consumidores y Usuarios, OCU, and the Italian Altroconsumo have written to competition commissioner, Neelie Kroes, urging her to reject Google's takeover of Doubleclick.

Meanwhile the Federal Trade Commission in the US have given the deal the green light, in a split 4-1 vote, noting that the proposed acquisition is unlikely to substantially lessen competition.

The consumers organisations have this to say specifically on the consequences of the deal for the privacy of people in the EU:

"The Google/DoubleClick merger would harm consumer welfare by creating a structure that
almost certainly will be less respectful of user privacy. A combined Google/DoubleClick will
be a data collection colossus that combines information about consumers that Google
collects through its search engine with the tracking data that DoubleClick collects about
users as they surf the web.

Post-merger, Google will have the ability and incentive to engage in significantly more
intrusive user tracking and profiling than exists today. This is because more intrusive
tracking and profiling would enable Google to improve behavioural ad targeting and to
attract web publishers that today prefer to sell their advertising space via their direct sales
forces. However, because the merged entity will not be subject to any competitive discipline,
the competitive constraints on its tracking and profiling practices will be fundamentally
weakened, and quite likely, ultimately eliminated. The greater privacy intrusions that will
result will constitute a much higher “cost” for consumers who obtain a good or service
online. The point which we wish to emphasize here is that these privacy intrusions will be
the direct consequence of the elimination of the competitive constraints on Google following
its merger with DoubleClick.

In addition, the combination of Google and DoubleClick would further harm consumer
welfare by reducing innovation to improve online privacy, thereby harming the quality of the
service available to consumers. Privacy protection is a competitive differentiator between
companies involved in the business of online advertising serving, especially with European
audiences. Google itself has said that it is investigating new techniques to improve its
privacy practices. Indeed search companies are currently engaging in what the media has
termed a “privacy race”. But post-merger, there is a danger that Google will loose any
incentive to continue innovating in this area due to its hugely dominant position in online
advertising. It will be under considerably less competitive pressure to improve – or even
maintain – the poor quality of its current privacy practices."

Privacy International wrote to Ms Kroes in November, with the support of Associazione per la Libertà nella Comunicazione Elettronica Interattiva (Italy), Digital Rights (Denmark), Digital Rights Ireland, Electronic Frontier Finland, European Digital Rights (EU), IRIS - Imaginons un réseau Internet solidaire (France) and Netzwerk Neue Medien (Germany), expressing parallel concerns.

Thursday, December 20, 2007

Merry Christmas from the copyright police

From TorrentFreak: A small charity are getting a little fed up with the attentions of the UK Performing Rights Society.

"The staff at a charity also received a visit from a PRS officer who declared that because a staff radio in the kitchen could be overheard by the public in their tea-room, they would need a license. The charity, Dam House, which was originally set up to save a historic building and offer community and health facilities, had to have a fund-raising event to raise the money for the license.

However, having purchased a license, this wasn’t the end of the matter. The PRS then started asking more questions, and when they discovered that kids sing in a carol concert there at Christmas, they declared that the premises were under licensed. Yes, of course - the PRS wanted yet more money."

They did generously say that the kids would be allowed to sing old songs on which the copyright had expired without having to pay any fees.

Burst's new patent on digital recording were issued a patent on 18 September this year on digital video recording, aka a 'System and method for time-shifted program viewing'.

The patent covers receiving a digital TV signal, storing it, enabling people to watch one programme while storing new ones and so on. It's right up there with the Blackboard patent on delivering courses via the Net.

Burst applied for their patent way back in May 1998.

David Byrne's Survival Strategies for Emerging Artists — and Megastars

At Wired: David Byrne's Survival Strategies for Emerging Artists — and Megastars

The Generational Divide in Copyright Morality

David Pogue at the NYT has been finding out that what he thought was obvious in the context of illegal file sharing has failed to bridge the generational gap.

"“I borrow a CD from the library. Who thinks that’s wrong?” (No hands go up.)

“I own a certain CD, but it got scratched. So I borrow the same CD from the library and rip it to my computer.” (A couple of hands.)

“I have 2,000 vinyl records. So I borrow some of the same albums on CD from the library and rip those.”

“I buy a DVD. But I’m worried about its longevity; I have a three-year-old. So I make a safety copy.”


“I record a movie off of HBO using my DVD burner. Who thinks that’s wrong?” (No hands go up. Of course not; time-shifting is not only morally O.K., it’s actually legal.)

“I *meant* to record an HBO movie, but my recorder malfunctioned. But my buddy recorded it. Can I copy his DVD?” (A few hands.)

“I meant to record an HBO movie, but my recorder malfunctioned and I don’t have a buddy who recorded it. So I rent the movie from Blockbuster and copy that.” (More hands.)

And so on...

The exercise is intended, of course, to illustrate how many shades of wrongness there are, and how many different opinions. Almost always, there’s a lot of murmuring, raised eyebrows and chuckling.

Recently, however, I spoke at a college. It was the first time I’d ever addressed an audience of 100 percent young people. And the demonstration bombed."

Limited or no wireless connectivity - it shouldn't be this difficult

Ok I've had enough. I've spent several hours today trying to connect a couple of Windows XP laptops to my home wireless smart access point and router.

Should be easy right? Get Windows to detect local access points, click connect, key in the network security key and you're off. Nope. That gives 'limited or no connectivity'. So the laptop is connected to the router but can't do anything else, as it doesn't get allocated an IP address automatically. I check Windows firewall and the settings are all as expected, with no gremlin blockers. I check the router network key, which accounts for this kind of problem in most circumstances but no it is fine too. Same problem with both machines. I do all the usual tricks, switching router off, re-booting etc., nothing works.

Ok let's take the simple route. Load the router client and use the AOSS connectivity exchange route, which conveniently and automatically exchanges all the appropriate settings between laptop and router without having to do it manually. Nope. AOSS light flashes on the router to say come and get me. Click the AOSS button on the newly loaded laptop client and it has a search, but despite being right beside the router, can't seem to find it. Ironically the windows scanner had picked up the router immediately but the windows scanner is disabled now
I've installed the router client. So I uninstall the router client and the machine can 'see' the router again just not connect to it.

I check accessible wireless networks and there are several around here. I check the settings, properties, authentication, security, data encryption etc. etc. on my router. Everything is as the manual, which I've now resorted to reading, suggests it should be.

I haven't got a whole lot of hope but then I load the router client on the other older laptop and try AOSS connect. Bingo! It finds the router, exchanges settings and I'm finally back on the Net. Except I'm only partly so. I need to do some stuff on iTunes. Opens fine as usual but won't connect to the Net. The error says "make sure your network settings are correct". Given I've just spent a lot of time doing precisely that, I'm not impressed. Ok so we're back to checking firewalls etc. No iTunes is not blocked - all as it should apparently be but it still won't connect. So I uninstall iTunes and via my partly enabled (one at least) laptop re-install it again. Yes I can get at the Apple site via a browser but not via iTunes. iTunes and Windows are not playing ball again. Doesn't that sound like a familiar story. In any case the newly re-loaded iTunes has no more success that the (same) version that was not working before I uninstalled it. So I re-boot for the umpteenth time today, with no more success than previous occasions.

Ok maybe I can do it via Windows Media player. Nope that doesn't want to connect to the Net either...

The point of the rambling rant is that I like computers (at least some of the time!) and, though I'm not a code jockey, have a one-eyed-man-in-the-kingdom-of-the-blind notion of where to start if things don't work as they should. But most people don't care about getting under the bonnet of a computer. They just want it to work out of the box. And it should! It is incredible what we just accept in terms of the lousy functionality of the computing kit we invest such vast sums in (remember it is the newer machine - which originally came with Vista but I couldn't put up with all the baggage on that and had it replaced with XP - which won't connect at all). Meanwhile I know I'm missing something patently obvious that's stopping me getting properly connected but no matter how patently obvious it might be, it should not have been a problem to begin with.

Enough said.

Kim Cameron's Identity blog

Given all the publicity surrounding data debacles in the past few weeks, could I again recommend Kim Cameron's identity blog as one of the most informed sources on the Web on this whole subject.

It's funny how I read Kim's blog so often I had just assumed I had it on my blogroll, yet I had not got around to putting it there until this morning!

I really should find some time to smarten up this blog including making sure my sources are up to date. I had a similar issue with my rss reader recently when it was recommending blogs I thought I had already subscribed to.

Wednesday, December 19, 2007

The NHS can do data protection

Kim Cameron has pointed out that some UK government bodies do understand secure data management:

"Scotland’s eCare has been recognised at an international awards ceremony on good practice in data protection. On Tuesday, 11 December, the Data Protection Agency of the Region of Madrid awarded the eCare framework one of two “special mention” awards. The aim of the annual prize is to expand the awareness of best practices in data protection by government bodies across Europe.

I’m really pleased to see the authors of eCare recognized. They have created a system for sharing health information that concretely embodies the kind of thinking set out in the Laws of Identity...

Ken Macdonald, Assistant Commissioner (Information Commissioner’s Office, which provided a note of support for the eCare application) has commented:

It is wonderful to see UK expertise in data protection being officially recognised in Europe for the second year running. Recent events have highlighted the need to comply with the principles of the Data Protection Act and I am delighted to see the eCare Framework and the Scottish Government setting such a fine example to others not just in the UK but throughout Europe.

I hope the work is published more broadly. From seeing presentations on the system, it partitions information for safety. It employs encrypted data, not simply network encryption. It favors local administration, and leaves information control close to those responsible for it. It puts information sharing under the control of the data subjects. It consistently enforces “need to know” as well as user consent prior to information release. In fact it strikes me as being everything you would expect from a system built after wide consultation with citizens and thought leaders - as happened in this case. And not surprisingly with such a quality project, it uses innovative new technologies and approaches to achieve its goals."

Sopranos creator says IP lawsuit made him sick

From AP via Findlaw:

"The creator of "The Sopranos" testified that he wanted to cry when he learned in 2002 he was being sued by a former municipal judge who wanted credit for his role in the creation of the hit mob television drama."

Tuesday, December 18, 2007

They've done it again and are still focussing on news management

Right after the ministerial statement on Kieron Poynter's interim report on the HMRC data Chernobyl, it got out that there was another major data leak, this time from the DVLC (via Pearson Driving Assessments in Iowa!) on learner drivers.

Are the government doing anything about it? Of course not - they're offering another token superficial apology and are hoping it will all die down soon, given the world of short attention spans that we inhabit. The "latest" scandalous data mismanagement, btw, happened in May this year but someone at Whitehall obviously thinks it's an opportune time to release the information. Publicise some of the big data losses now and hopefully it will all disappear from the media radar in a few weeks, especially with Christmas coming up and the new Italian England manager to think about. The government are so blindly focussed on data debacles as a news management problem that they can't even conceive of actually seriously doing anything about the issue.

I had some small hope when Blair left and Brown came in that the complete obsession with news management at the expense of substantive government would be at least slightly abated. But it seems that for the Brown Nu Labour government it is all ahead as before.

Monday, December 17, 2007

Lessons from Facebook’s Beacon Misstep

Ed Felten says there should be some lessons learned from Facebook’s Beacon misstep.

"Facebook recently beat a humiliating retreat from Beacon, its new system for peer-based advertising, in the face of users’ outrage about the system’s privacy implications. (When you bought or browsed products on certain third-party sites, Beacon would show your Facebook friends what you had done.)

Beacon was a clever use of technology and might have brought Facebook significant ad revenue, but it seemed a pretty obvious nonstarter from users’ point of view. Trying to deploy it, especially without a strong opt-out capability, was a mistake. On the theory that mistakes are often instructive, let’s take a few minutes to work through possible lessons from the Beacon incident.

To start, note that this wasn’t a privacy accident, where user data is leaked because of a bug, procedural breakdown, or treacherous employee...

Organizations often have trouble predicting what will cause privacy outrage. The classic example is the U.S. government’s now-infamous Total Information Awareness program. TIA’s advocates in the government were honestly surprised when the program’s revelation caused a public furor. This wasn’t just public posturing. I still remember a private conversation I had with a TIA official who ridiculed my suggestion that the program might turn out to be controversial...

Of course, privacy is not the only area where organizations misjudge their clients’ preferences. But there does seem to be something about privacy that makes these sorts of errors more common.

What makes privacy different? I’m not entirely certain, but since I owe you at least a strawman answer, let me suggest some possibilities.

(1) Overlawyerization: Organizations see privacy as a legal compliance problem. They’re happy as long as what they’re doing doesn’t break the law; so they do something that is lawful but foolish.

(2) Institutional structure: Privacy is spun off to a special office or officer so the rest of the organization doesn’t have to worry about it; and the privacy office doesn’t have the power to head off mistakes.

(3) Treating privacy as only a PR problem: Rather than asking whether its practices are really acceptable to clients, the organization does what it wants and then tries to sell its actions to clients. The strategy works, until angry clients seize control of the conversation.

(4) Undervaluing emotional factors: The organization sees a potential privacy backlash as “only” an emotional response, which must take a backseat to more important business factors. But clients might be angry for a reason; and in any case they will act on their anger.

(5) Irrational desire for control: Decisionmakers like to feel that they’re in control of client interactions. Sometimes they insist on control even when it would be rational to follow the client’s lead. Where privacy is concerned, they want to decide what clients should want, rather than listening to what clients actually do want.

Perhaps the underlying cause is the complex and subtle nature of privacy. We agree that privacy matters, but we don’t all agree on its contours. It’s hard to offer precise rules for recognizing a privacy problem, but we know one when we see it. Or t least we know it after we’ve seen it."

In the case of the UK government, it looks as though privacy is sadly set to be perceived by them as no more than a PR problem. Maybe someone should do a Geist-Facebook assault on this case too?

UK government refuses to listen on data management

Kieron Poynter of PriceWaterhouseCoopers did publish his interim report today into the failures that led to HM Revenue and Customs (HMRC) losing 25 million confidential records about UK citizens claiming child benefit. The reaction of the government to the report is yet another clear indication that they just refuse to listen on the subject of large databases. The Foundation for Information Policy Research says:

"The Foundation for Information Policy Research (FIPR) believes that
the Government's response to the interim Poynter report shows that
they just don't understand what has gone wrong. Their refusal to
abandon the headlong rush towards Transformational Government -- the
enormous centralised databases being built to regulate every walk of
life -- is not just pig-headed but profoundly mistaken.

Both Alasdair Darling, commenting on the HMRC fiasco, and Ruth Kelly,
telling the House about the loss of 3 million people's personal
information, told us that once `lessons have been learned' and
`procedures tightened' the march to ever-larger database systems will

Before Transformational Government came along, only small amounts of
data were lost -- but as the new databases cover the whole population,
everyone's affected now, not just a few unlucky people.

Transformational Government means putting all of the eggs into one
basket and it is creating:

* The multi-billion pound identity card scheme, to hold data on the
whole population

* The National Health spine, which will make everyone's health records
available for browsing by a million NHS workers

* ContactPoint which will record details on every child in England,
with details of their parents, carers and indicators of whether they
have any contact with social services. Three hundred thousand people
can look that information up.

* A universal pensioner's bus pass scheme which will hold the data on
17 million people, and in principle will let any bus driver learn
your age and address -- when all that it should record is an
entitlement to free travel.

Ross Anderson, Chair of FIPR and Professor of Security Engineering at
the University of Cambridge said, "the Government believes that you
can build secure databases and let hundreds of thousands of people
access them. This is nonsense -- we just don't know how to build such
systems and perhaps we never will. The correct way to design such
systems is to localise the data, in a school, in your local GP
practice. That way when there is a compromise because of a technical
failure or a dishonest user then the damage is limited.

"You can have security, or functionality, or scale -- you can even
have any two of these. But you can't have all three, and the
Government will eventually be forced to admit this. In the meantime,
billions of pounds are being wasted on gigantic systems projects that
usually don't work, and that place citizens' privacy and safety at
risk when they do."

Richard Clayton, FIPR Treasuer said, "Personal data ought to be
handled as if it were little pellets of plutonium -- kept in secure
containers, handled as seldom as possible, and escorted whenever it
has to travel. Should it get out into the environment it will be a
danger for years to come. Putting it into one huge pile is really
asking for trouble. The Government needs to completely rethink its
approach and abandon its Transformational Government disaster.""

As I said in my letter to my MP,

"This privacy timebomb cannot be allowed to be forgotten to tick away merrily once the media frenzy has moved on to some other government failure or failures, as it inevitably will. It is important that we begin to call a halt to the government's deployment of technological systems they don't understand, in contexts and environments to which they are ill suited, and constructed in ways which if suggested by an entry level computer science student would cause him/her to receive a fail grade. The government are not merely failing with these systems, however, they are doing untold damage to the fabric of our society."

The power of Facebook

Michael Geist has been surprised by the power of Facebook to mobilise opposition to the Canadian government's proposals for their own DMCA.

"consider the experience of the Fair Copyright for Canada Facebook group, which I launched on December 1st with limited expectations. With the federal government expected to introduce new copyright reform within a matter of days, a Facebook group seemed like a good way to educate the public about an important issue. I sent invitations to a hundred or so Facebook friends and seeded the group with links to a few relevant websites.

What happened next was truly remarkable - within hours, the group started to grow - first 50 members, then 100, and then 1000 members. One week later, there were 10,000 members. Two weeks later, there were over 25,000 members with another Canadian joining the group every 30 seconds.

The big numbers tell only part of the story. The group is home to over 500 wall posts, links to 150 articles of interest, over 50 discussion threads, dozens of photos, and nine videos. Nine days ago, it helped spur on an offline protest when Kempton Lam, a Calgary technologist, organized 50 group members who descended on Industry Minister Jim Prentice's local open house to express their views on copyright...

Much to the surprise of skeptics who paint government as unable or unwilling to listen to public concerns, those voices had an immediate impact. Ten days after the Facebook group's launch, Prentice delayed introducing the new copyright reforms, seemingly struck by the rapid formation of concerned citizens who were writing letters and raising awareness.

Not only had tools like Facebook had an immediate effect on the government's legislative agenda, but the community that developed around the group also led to a "crowdsourcing" of knowledge. Canadians from coast to coast shared information, posed questions, posted their letters to politicians, and started a national conversation on copyright law in Canada.

Poynter Report on UK HMRC Data Chernobyl

Today Kieron Poynter of PriceWaterhouseCoopers will publish his report into the failures that led to HM Revenue and Customs (HMRC) losing 25 million confidential records about UK citizens claiming child benefit and there will be a ministerial statement on the review this afternoon.

I wrote to my MP about this (not something I make a habit of but probably should do more often) with more than a little help from ORG. Thanks for the prompt, Glyn. Extract:

"For technologists (amongst whom I count myself, as a senior lecturer in technology and author of 'Digital Decision Making: Back to the Future' published earlier this year by Springer-Verlag), one of the most worrying developments since this crisis has been ministers’ using it as an excuse to push for solutions based around biometrics, solutions that would actually increase the privacy risks we are exposed to. Six leading academics recently wrote to the Parliamentary Joint Committee on Human Rights to express their dismay at how biometrics are seen as a magic fix for improving security. These experts, Professor Ross Anderson, Security Engineering, University of Cambridge, Dr Richard Clayton, University of Cambridge Computer Laboratory, Dr Ian Brown, Oxford Internet Institute, University of Oxford, Dr Brian Gladman, Ministry of Defence and NATO (retired), Professor Angela Sasse, Department of Computer Science, University College London, Professor Martyn Thomas, CBE FREng, Software Engineering, University of Oxford,

“These assertions are based on a fairy-tale view of the capabilities of the technology and in addition, only deal with one aspect of the problems that this type of data breach causes. … Furthermore, biometric checks at the time of usage do not of themselves make any difference whatsoever to the possibility of the type of disaster that has just occurred at HMRC. This type of data leakage, which occurs regularly across Government, will continue to occur until there is a radical change in the culture both of system designer and system users. The safety, security and privacy of personal data has to become the primary requirement in the design, implementation, operation and auditing of systems of this kind.”

These technologies are unproven and will not be ready for commercial deployment for another 15 years. I know it is tough to get through to them but please encourage the Government to listen to the facts on biometrics, as experts like Ross Anderson have been doing for years (sadly with little success)...

Professor Anderson has stated repeatedly

“Again and again and again these warnings have been made in different contexts by expert groups and the Government has not been interested.”

And it is not just Professor Anderson who has been saying this. It is whole armies of respected experts who really understand the technologies the government are deploying in such an expensive and dangerous fashion. Kim Cameron (Microsoft’s Chief Architect of
Identity) has described the HMRC 25 million data loss as "Britain’s HMRC Identity Chernobyl". He also says:

'We are living in an age where systems dealing with our identity must be designed from the bottom up not to leak information in spite of being breached. Perhaps I should say, “redesigned from the bottom up”, because today’s systems rarely meet the bar. … There is no need to store all of society’s dynamite in one place, and no need to run the risk of the collosal explosion that an error in procedure might produce.' is essential that you and your many colleagues in parliament encourage the Government to heed the warnings of these and other experts. This privacy timebomb cannot be allowed to be forgotten to tick away merrily once the media frenzy has moved on to some other government failure or failures, as it inevitably will. It is important that we begin to call a halt to the government's deployment of technological systems they don't understand, in contexts and environments to which they are ill suited, and constructed in ways which if suggested by an entry level computer science student would cause him/her to receive a fail grade. The government are not merely failing with these systems, however, they are doing untold damage to the fabric of our society."

Computers are terrifically useful, flexible and fun. We should be using them to solve problems rather than create them.