Friday, June 18, 2004

The OECD has published their 386 page "Privacy Online" report. Definitely not bedtime reading but could have important policy implications. It's based on an OECD ministerial declaration from 1998 on the "Protection of Privacy on Global Networks" with the objective of ensuring "the effective protection of privacy and personal data as well as the continued transborder flow of personal data on global networks."

You could be forgiven for going "Pardon?" at that point.

Chapter 3, pages 27 - 35 gives the meat of the guidelines.

Legislation and self regulation each have advantages and disadvantages etc. OECD work suggests a mix of the two is best etc. Involvement of all is the key etc. OECD member countries should:

Ensure organisations adoption of privacy policies through internal review and linking to OECD site.

Ensure organisations post privacy policies online by encouraging them to do so and auditing them.

Ensure availability of enforcement and redress mechanisms in case of breach of privacy policies by encouraging the use of online alternative dispute mechanisms and actively fostering compliance with privacy policies by raising organisations' awareness..."

Sorry folks but I stopped at that point. This document does not actually appear to be saying anything at all about privacy or information flows in practice. Some people I have a great deal of respect for, like Ian Lloyd at the University of Strathclyde, are noted as having been involved in its production, so I'm sure there is more to it than the first 30 pages appear to promise (Prof Lloyd is mentioned re Chpt 14) but I'm going to allow somebody else to do the leg work on extracting the relevant information.
Can't wait to see the reaction of the libertarians to the news that a French court has fined AOL for 21 abusive and 11 illegal contract terms. It will be the usual outrage I would expect.

"the contracts said AOL could break the agreement without warning, while customers had no way of ending the relationship without paying a penalty."

'By their own', 'hoist' and 'petard' come to mind but not necessarily in that order.
Cory Doctorow gave a great speech at Microsoft yesterday about digital rights management (DRM). A taster


"Here's what I'm here to convince you of:

1. That DRM systems don't work

2. That DRM systems are bad for society

3. That DRM systems are bad for business

4. That DRM systems are bad for artists

5. That DRM is a bad business-move for MSFT"

And that was just for starters. It's a bit esoteric if you have not been following the drm and copyright wars but still well worth a read.

"Cryptography -- secret writing -- is the practice of keeping
secrets. It involves three parties: a sender, a receiver and an
attacker (actually, there can be more attackers, senders and
recipients, but let's keep this simple). We usually call these
people Alice, Bob and Carol...

...with dual-key crypto it becomes a lot easier for Alice and Bob to keep their keys secret from Carol, even if they've never met...

...Now, let's apply this to DRM.

In DRM, the attacker is *also the recipient*. It's not Alice and
Bob and Carol, it's just Alice and Bob. Alice sells Bob a DVD.
She sells Bob a DVD player. The DVD has a movie on it -- say,
Pirates of the Caribbean -- and it's enciphered with an algorithm
called CSS -- Content Scrambling System. The DVD player has a CSS
un-scrambler.

Now, let's take stock of what's a secret here: the cipher is
well-known. The ciphertext is most assuredly in enemy hands, arrr.
So what? As long as the key is secret from the attacker, we're
golden.

But there's the rub. Alice wants Bob to buy Pirates of the
Caribbean from her. Bob will only buy Pirates of the Caribbean if
he can descramble the CSS-encrypted VOB -- video object -- on his
DVD player. Otherwise, the disc is only useful to Bob as a
drinks-coaster. So Alice has to provide Bob -- the attacker --
with the key, the cipher and the ciphertext.

Hilarity ensues...

...At the end of the day,
all DRM systems share a common vulnerability: they provide their
attackers with ciphertext, the cipher and the key. At this point,
the secret isn't a secret anymore...

...Here's the social reason that DRM fails: keeping an honest user
honest is like keeping a tall user tall. DRM vendors tell us that
their technology is meant to be proof against average users, not
organized criminal gangs like the Ukranian pirates who stamp out
millions of high-quality counterfeits. It's not meant to be proof
against sophisticated college kids. It's not meant to be proof
against anyone who knows how to edit her registry, or hold down
the shift key at the right moment, or use a search engine. At the
end of the day, the user DRM is meant to defend against is the
most unsophisticated and least capable among us."

Next he tells a story of an honest user a young mum who to avoid the kids getting jam on an expensive DVD tries to make a VHS copy, so that when that gets thoroughly kidified she can copy it again for their use and not have to fork out for another expensive copy of the DVD. This story rings very true with me. I've had to replace one of my son's favourite CDs four times in six years and I only count myself lucky that it has still been commercially available. Cory goes on:

"what this person will do in the long run: she'll find out about
Kazaa and the next time she wants to get a movie for the kids,
she'll download it from the net and burn it for them.

In order to delay that day for as long as possible, our lawmakers
and big rightsholder interests have come up with a disastrous
policy called anticircumvention.

Here's how anticircumvention works: if you put a lock -- an
access control -- around a copyrighted work, it is illegal to
break that lock. It's illegal to make a tool that breaks that
lock. It's illegal to tell someone how to make that tool. It's
illegal to tell someone where she can find out how to make that
tool.

Remember Schneier's Law? Anyone can come up with a security
system so clever that he can't see its flaws. The only way to
find the flaws in security is to disclose the system's workings
and invite public feedback. But now we live in a world where any
cipher used to fence off a copyrighted work is off-limits to that
kind of feedback. That's something that a Princeton engineering
prof named Ed Felten discovered when he submitted a paper to an
academic conference on the failings in the Secure Digital Music
Initiative, a watermarking scheme proposed by the recording
industry. The RIAA responded by threatening to sue his ass if he
tried it. We fought them because Ed is the kind of client that
impact litigators love: unimpeachable and clean-cut and the RIAA
folded. Lucky Ed. Maybe the next guy isn't so lucky...

...Here are the two most important things to know about computers
and the Internet:

1. A computer is a machine for rearranging bits

2. The Internet is a machine for moving bits from one place to
another very cheaply and quickly

Any new medium that takes hold on the Internet and with computers
will embrace these two facts, not regret them. A newspaper press
is a machine for spitting out cheap and smeary newsprint at
speed: if you try to make it output fine art lithos, you'll get
junk. If you try to make it output newspapers, you'll get the
basis for a free society.

And so it is with the Internet...

...

New media don't succeed because they're like the only media, only
better: they succeed because they're worse than the old media at
the stuff the old media is good at, and better at the stuff the
old media are bad at. Books are good at being paperwhite,
high-resolution, low-infrastructure, cheap and disposable. Ebooks
are good at being everywhere in the world at the same time for
free in a form that is so malleable that you can just pastebomb
it into your IM session or turn it into a page-a-day mailing
list.

The only really successful epublishing -- I mean, hundreds of
thousands, millions of copies distributed and read -- is the
bookwarez scene, where scanned-and-OCR'd books are distributed on
the darknet. The only legit publishers with any success at
epublishing are the ones whose books cross the Internet without
technological fetter: publishers like Baen Books and my own, Tor,
who are making some or all of their catalogs available in ASCII
and HTML and PDF.

The hardware-dependent ebooks, the DRM use-and-copy-restricted
ebooks, they're cratering. Sales measured in the tens, sometimes
the hundreds. Science fiction is a niche business, but when
you're selling copies by the ten, that's not even a business,
it's a hobby. "

And so he continues but you should read the original. It doesn't suffer from the indented formatting translation by Blogger. I'm going to have to do something about this template and get and RSS feed plus commenting enabled but time pressures are against me at the moment...
Nice Guardian article on biometrics, Biometrics - great hope for world security or triumph for Big Brother?

Liberty spokesman,Barry Hugill is quoted: "Once you begin to compile massive databases it's a matter of common sense that you are going to get the most horrendous mix-ups, with the wrong people being accused and the the wrong information being shared around the world."

Law enforcement must have enough technically well trained and experienced people and the best available technology to fight the bad guys and there also has to be checks and balances in the system. There is not a computer scientist in the world who knows how to create, secure and maintain the integrity in practice of massive international databases of the kind that are being discussed here. Blind faith in the technology is not going to work in this instance. The current state of affairs neither re-assures me that we have enough technically trained and experienced law enforcement personel or the best available technology appropriately focussed on the job of catching the real bad guys. It is a tough, complex systemic problem and it will not be addressed by an illusion that it is being tackled through huge investment in technologies that don't work

Thursday, June 17, 2004

Senator Orrin Hatch, praised in the final chapter of Larry Lessig's The Future of Ideas, is proposing the INDUCE Act, the latest in a long line of attempts at further draconian intellectual property legisation. I doubt Larry will be praising this initiative. I can't do better than Susan Crawford on this:

"The logic is that P2P applications inevitably lead to exploitation of children. With me so far? So the act is called the "Inducement Devolves into Unlawful Child Exploitation Act." I'm not even sure that's how "devolves" should be used. But the crimes here go far beyond the title.
The Act (to be proposed tomorrow by songwriter Sen. Hatch and others) amends the copyright law to say that anyone who "induces" copyright infringement is himself/itself an infringer.

"Induce" means intentionally aids, abets, counsels, or procures. So you can't even hire a lawyer if you're doing something risky.

This is amazing. Now we're waaaaaay beyond contributory and vicarious theories of liability, which are court-created and pretty darn broad on their own. See Napster 9th Circuit, Aimster 7th Circuit. It's not even clear what the limit to this is -- "aids" could mean that even something that would have been fair use under the Sony Betamax decision is now an illegal inducement.

And no one can talk to you if they think there's the slightest risk of copyright infringement liability.

We're back to the CBPTDA -- another hugely broad way of making sure that no unauthorized machines ever enter into our lives. If there was ever a moment to organize (see prior post) this might be it."

The CBDTPA was the now defunct proposal of then Sen Hollings in 2002, the Consumer Broadband and Digital Television Promotion Act wonderfully parodied by the EFF. Susan got the initials slightly out of synch but who can blame her. But the
"Inducement Devolves into Unlawful Child Exploitation Act", in the words of another well known American "You cannot be serious!"

Apology
I have to apologise for some of the problems people have been seeing on this blog in recent weeks - in particular (but not limited to) double postings and broken links.

I've been trying to do my posting via my preferred browser, Opera. Unfortunately, however, it doesn't seem to interact too well with the Blogger site leading to the kinds of problems people have noticed, so as of today I'm giving up and sadly reverting to IE for weblog postings.
It seems I may have made a mistake when I reported recently that the EU Commission and Council of ministers had managed to see off the EU Parliament's court challenge to the decision on transfer of airline passenger data to the US.

According to the latest EDR-gram the legal affairs committee of the EU parliament (JURI) yesterday renewed their decision to take the Commission and the Council of ministers to the European Court of Justice on the issue.

"EU Parliament renews decision to take Commission to court ============================================================

The Legal Affairs Committee of the European Parliament (JURI) decided today to take the European Commission as well as the Council to court over the final agreement to transfer PNR data to the US without adequate guarantees for data protection.

The committee, which met today (16 June 2004) for an extraordinary meeting during the Parliament's present recession, voted to call upon the Luxembourg Court to defer the Commission's so-called adequacy finding. This finding claims that the data will find the same level of protection in the U.S. as in the EU. The committee also voted to take the international agreement to court that was signed by the EU Council with the U.S. Department of Homeland Security on 28 May 2004 (see EDRi-gram 2.11). Today's vote was taken with a two-thirds majority concerning the adequacy finding and 19 to 14 votes concerning the international agreement. This is an even clearer majority than in former votes on the same issue.

The JURI committee's decision must still be confirmed by the EU Parliament's Group leaders in a meeting this evening, but it is widely considered that this confirmation is only a formality after no less than six votes in the Parliament to stop the ongoing transfer.

There are however also indications that the Parliament's outgoing President, Pat Cox, has been trying to turn over the wide consensus against the transfer within the EU Parliament. Before the vote in the Committee, a member of the Parliament's judicial service, which is attached to the President's office and obliged to be politically neutral, tried to convince MEPs in a 25-minute speech that there was no legal basis for taking the other two EU institutions to court. Mr. Cox is one of the possible candidates for the presidency of the EU Commission and could thus become subject to an EU Court of Justice case himself. Outgoing Italian Radical MEP Marco Cappato criticised the Judicial Services' intervention as based 'more on political than on legal grounds' and therefore 'an abuse'.

EU-US air data row hots up (16.06.2004) http://www.eupolitix.com/EN/News/200406/8f1cbb0f-bc0c-4583-b514-4b029ed1f942.htm

PNR data deal signed by European Commission (02.06.2004) http://www.edri.org/cgi-bin/index?id=000100000151

(Contribution by Andreas Dietl, EDRI EU affairs director)"

Update: The FT have picked up the story.
"A Better Ballot Box" by Rebecca Mercuri, a highly respected electronic voting expert, from Bryn Mawr College explains very clearly the problems with electronic voting. She concludes:

"An observer of voting technology once remarked: "If you think technology can solve our voting problems, then you don't understand the problems and you don't understand the technology." Computerization alone cannot improve elections. Those designing and those buying election systems must be aware of their inherent limitations, mindful of the sometimes conflicting needs for privacy, auditability, and security in the election process, and willing to seek out-of-the-(ballot)-box solutions."

Incidently Rebecca Mercuri was proposing voter verified paper trails for electronic voting machines over ten years ago.

Rebecca was one of a select group of delegates invited to take part in Harvard University's Kennedy School of Government and National Science Foundation "Voting, Vote Capture, and Vote Counting" Digital Voting Symposium a couple of weeks ago.

Ron Rivest of RSA public key encryption fame was another in attendance and someone who sees the difficulties with electronic voting as a challenge which can be overcome with sufficient thought and effort.

"We see that innovations in voting systems are continuing, and will continue. We need to manage well this process of continual improvement. I believe that security in voting systems can be substantially improved. While some current DRE [direct recording electronic] systems definitely seem a step backwards in terms of security, it does appear probable that we can eventually have highly secure electronic voting systems, with a reduced or eliminated need to trust the voting machine equipment and software. We will be developing assurance and certification for the election results, rather than for the voting machines. While paper may not go away, we may be able to eventually have secure electronic ballots, rather than paper ballots."

The organisers of the symposium have drawn up a set of best practices that they believe fairly summarise the overall conclusions of the event. I hope they won't mind me reprinting these in full here. They deserve the widest possible circulation.

Certain immediate steps must be taken.

Election Assistance Commission and National Institute of Standards and Technology open standards must be developed and implemented.

The process is even more important than the underlying technology.

The educational process for given technologies must follow a "chain of trust" where the election workers trust their trainers and are trusted by the public.
Poll workers should be well chosen from a motivated pool with incentives, and monetary incentives have proven to work. Poll workers are more important than the technology.
Poll workers should be well trained to fully understand the technology and how to handle contingencies.
Poll workers should not have to rely solely on the vendors to address observed errors.
Speed and accuracy in the process are both achievable, but not simultaneously possible. The public should be educated about the distinction between the speed that allows immediate returns, and the accuracy required in the official tally.
There should be adequate time for determining the official tally.
There should be provisional voting mechanisms, and adequate time to evaluate provisional votes for the final tally.

A hybrid of paper and electronic systems provides the most effective voting system.

Electronic interfaces can meet the widest range of accessibility needs.
Electronic interfaces enable customized ballots by zip code, party, or disability.
Voter examination of a paper ballot allows the greatest degree of confidence that the ballot was cast as intended.
A paper ballot, when handled properly, allows a robust audit trail for a recount to ensure that the ballot was counted as cast.
Hybrid systems can be designed to accommodate provisional arrangements and contingencies for equipment failure. There are many possible implementations.

Good voting systems require good design standards.

There is no single voting interface that can meet everyone's needs.
An untrained voter should be able to know when voting equipment fails.
Access is critical: not to a specific, single technology, but to the ability to vote in a fashion that provides full civil rights.
Rigorous testing is needed for all voting system components to ensure security, reliability and usability.
Even with full auditing of each vote, testing for usability and reliability remain critical.

Openness of a voting process is critical for the perception of legitimacy of that process.

All security issues should be fully disclosed, although allowing vendors a limited, fixed time between notification and public disclosure could foster more public trust.
If underlying mechanics or software are not in the public domain, they must at least be available for inspection by the larger security research community.
The voting technology acquisition process should be open for public scrutiny from constituents.
The voting technology acquisition process should be open to allow jurisdictions to learn from each other; to be specific, records of difficulties should be made available to all election officials.

Election systems must have built-in auditing capabilities.

The reconciliation procedure must be clear, precise, authoritative, and binding.
The cast ballot must follow a "Chain of Custody" from the moment it is cast to the moment the vote is entered into the final official tally. This chain must be subject to audit and oversight at each step regardless of technology.
If some metric of voting irregularity is exceeded in a given jurisdiction, a court-supervised manual recount should be required.
Auditing should not be implemented by a vendor affiliated with the original system.

The general approach to building and implementing elections processes must carefully targeted.

Policymakers should first focus on the overall election process before selecting a specific technology. However, process details must then be tailored to meet the requirements of each specific technology. Technology neutral policies are inadequate in elections.
Policy makers must specify desirable priorities before designing an election system and its technologies. They must identify the problems they wish to solve and how each proposed solution will solve them.
There is an inevitable trade-off between authentication of voters and access. Requiring greater proof of the right to vote will prevent some from voting; removing any requirement for proof will allow those without the right to vote to cast ballot.
Elections and the surrounding systems should be explicitly designed to handle crises. Policy makers and elections officials should assume in every case that there will be a contested recount and plan accordingly.
Given that no voting system can ever be perfect it is crucial to incorporate technologically appropriate risk management tools into the design and evaluation of voting systems and implementation strategies.








Wednesday, June 16, 2004

In the wake of DirecTV's agreement with the EFF which I reported on yesterday, the 11th Circuit Court of Appeals has ruled that the company
can't sue people for "mere possession" of technology that might be used to freely access satellite broadcast signals. A cynic might suggest they saw it coming... but I wouldn't want to be seen as a cynic.

Findlaw has a link to the decision http://caselaw.findlaw.com/data2/circs/11th/0315313p.pdf

Acacia which has been quietly building a track record of success, suing pornographers and minor educational institutions for patent infringement, has decided the time is right to pick a fight with some of the big broadcasters. Acacia holds a patent on audio and visual transmission via the Net. The notion that anybody should get awarded such a patent is daft but it now gets to get tested by the big guys' lawyers.
A PhD student at Duke University has given what I would consider a pretty worrying analysis outlining the ease with which the electronic voting in November's presidential elections could be disrupted. He's entitled it President Nader.

Avi Rubin, meanwhile, who was one of those who brought the problems with electronic voting to public attention, has proposed an interesting challenge: he wants to know if a voting machine that was rigged in favour of a particular candidate could pass certification. What a good idea. Just like undercover agents testing the security at airports.

As Avi says, if a rigged machine makes it through the certifciation process in every state that it is tested, these machines need to be quickly eliminated from the election process.
The right way to use biometrics - Bruce Schneier is pleased to finally find someone thinking of an appropriate use for biometric technology - bioemtric IDs for airport employees.

" The strong suit of biometrics is authentication: is this person who he says he is. Issuing ID cards to people who require access to these sensitive areas is smart, and using biometrics to make those IDs harder to hack is smarter. There's no broad surveillance of the population; there are no civil liberties or privacy concerns.

And transportation employees are a weak link in airplane security. We're spending billions on passenger screening programs like CAPPS-II, but none of these measures will do any good if terrorists can just go around the systems. Current TSA policy is that airport workers can access secure areas of airports with no screening whatsoever except for a rudimentary background check. That includes the thousands of people who work for the stores and restaurants in airport terminals as well as the army of workers who clean and maintain aircraft, load baggage, and provide food service. Closing this massive security hole is a good idea.

All of this has to be balanced with cost, however. Issuing one million IDs, and probably tens of thousands of ID readers, isn't going to be cheap. But it would certainly give us more security, dollar for dollar, than yet another passenger security system.

Unfortunately, politicians tend to prefer security systems that affect broad swaths of the population. They like security that's visible; it demonstrates that they're serious about security and is more likely to get them votes. A security system for transportation workers, one that is largely hidden from view, is likely to garner less support than a more public system.

Let's hope U.S. lawmakers do the right thing regardless."

The Commission for Racial Equality (CRE)is worried about the UK government's plans for a national ID card. They reckon it could cause a "great deal of unease" among ethnic minorities due to the potential for it to be used as a lever for racial abuse.

You might recall I mentioned some time ago that Mr Blunkett is kindly arranging for me and the rest of the UK-resident Irish diaspora to have a special ID card, unique to the Irish. Hmmm, why doesn't that fill me with confidence? I'd be interested to know the CRE's perspective on this.
"CUTTING EDGE TECHNOLOGY TO MODERNISE UK BORDER CONTROL" shouts the Home Office press release.

"Cutting edge technology is set to revolutionise the UK's immigration controls, with the roll-out of a hi-tech iris recognition system to a number of key UK airports, Immigration Minister, Des Browne announced today.

The state-of-the-art system will store and verify the iris patterns of specially selected groups of travellers, giving watertight confirmation of their identity when they arrive in the UK. This will substantially increase security as well as speed their process through immigration control."

Complete nonsense. I'll say this slowly, Mr Browne, biometrics may be unique but they are not secret and the technology is not very reliable.

Tuesday, June 15, 2004

"More than a million pages from 19th Century British newspapers are to be put online by the British Library."
The EU's Information society commissioner, Erkki Liikanen, has been appointed governor of the bank of Finland. he'll be leaving the Commission on 12 July.

Who comes next?
Larry Lessig, who incidentally will be doing a short online visit to my Open University T182 course next week, is looking for stories to support the Stanford cyberlaw clinic case Kahle v Aschroft.

"To win the lawsuit, we need your help. We need more examples of people being burdened by these copyright-related barriers to the use of orphan works. You can help us if you have ever wanted to copy, distribute, perform, modify, sample, mash-up, or generally use an orphan work, but were prevented from doing so because:
The cost of trying to find the copyright holder was too high; or
You were unable to find the copyright holder; or
You were able to find the copyright holder and they refused to issue a license; or
You were able to find the copyright holder and you were issued a license, but you have a good story to tell about how difficult the process was."
Tim Berners Lee has been deservedly awarded the Millennium Technology Prize from the Finnish Technology Award Foundation.

Always nice to see the good guys getting rewarded.
There's a major turnaround at the League of Women Voters. In the face of mass protest from the membership over their support for electronic voting machines with no paper trail, the leadership of the organisation has been forced into a U-turn. They have dropped their support for paperless voting and adopted a resolution in favour of ``voting systems and procedures that are secure, accurate, recountable and accessible.''

``My initial reaction is incredible joy and relief,'' said computer scientist Barbara Simons, 63, past president of the Association for Computing Machinery and a league member from a chapter in Palo Alto, Calif. ``This issue was threatening to split the league apart. ... The league now has a position that I feel very comfortable supporting.''

Well done Barbara (who I had the pleasure of meeting at a conference in Oxford in recent years) and your fellow protestors.

And meanwhile in Florida (wot won it for Bush, in Sun-speak)state officials have declared that "Touchscreen voting machines in 11 counties have a software flaw that could make manual recounts impossible in November's presidential election".

The story of electronic voting could fill more than one book.
Looks as though the EFF and the Stanford Cyberlaw folks have had some success in getting through to satallite TV company DirecTV about their thousands of threats and lawsuits against innocent users of smart card technology.

"Over the past few years, DirecTV has orchestrated a nationwide legal campaign against hundreds of thousands of individuals, claiming that they were illegally intercepting its satellite TV signal. The company began its crusade by raiding smart card device distributors to obtain their customer lists, then sent over 170,000 demand letters to customers and eventually filed more than 24,000 federal lawsuits against them. Because DirecTV made little effort to distinguish legal uses of smart card technology from illegal ones, EFF and the CIS Cyberlaw Clinic received hundreds of calls and emails from panicked device purchasers.

n August 2003, EFF and CIS created the DirecTV Defense website to provide innocent users and their lawyers with the information necessary to defend themselves. The organizations also began a series of discussions with DirecTV about ways to reform its anti-piracy tactics and protect innocent consumers.

As a result, DirecTV has agreed to make several changes to its campaign. The company will no longer pursue people solely for purchasing smart card readers, writers, general-purpose programmers, and general-purpose emulators. It will maintain this policy into the forseeable future and file lawsuits only against people it suspects of actually pirating its satellite signal. DirecTV will, however, continue to investigate purchasers of devices that are often primarily designed for satellite signal interception, nicknamed “bootloaders” and “unloopers.”

DirecTV also agreed to change its pre-lawsuit demand letters to explain in detail how innocent recipients can get DirecTV to drop their cases. The company also promised that it will investigate every substantive claim of innocence it receives. If purchasers provide sufficient evidence demonstrating that they did not use their devices for signal theft, DirecTV will dismiss their cases. EFF and CIS will monitor reports of this process to confirm that innocent device purchasers are having their cases dismissed."

I suspect the EFF and Stanford people have ideological objections to DirecTV's 'guilty until you prove yourself innocent' stance but this constitutes major progress in the dispute and all concerned deserve credit.
My friend John Naughton is not impressed with WIPO's plans for a broadcasting treaty.

"When I first saw the draft (it was published in April), I assumed it must have been written by executives at Fox, NBC and other US TV networks while high on cocaine, because it read like a wish-list of everything a failing industry could want to protect it from the future.

It is a control-freak's charter. This is predictable, because an obsession with control has worked its way into the industry's DNA. Broadcasting is a few-to-many medium: a small number of content-providers decide what is to be offered, produce the content, and push it to passive consumers. Central to the broadcasting ethos is a desire to control the viewer, to restrict choice to the menus chosen by the industry - like Skinnerian pigeons pecking at coloured levers to obtain food...

...Experience over the last decade has shown us how established industries react when they are threatened by new technology. First they go into denial. Then they resort to legal countermeasures - which invariably fail. Finally they nobble legislators, seeking to persuade them to enact laws that will protect the old business models.

Which is where the draft broadcast treaty comes in. The great thing about Wipo, from the point of corporate lobbyists and their allies in certain national governments, is that it offers more bangs per buck. Instead of having to petition 50 or 100 national legislatures, you persuade Wipo to propose a draft treaty, which is submitted to a diplomatic conference and ratified. Then all the signatories are obliged to do what you want."

Cory Doctorow (cory@eff.org), Wendy Seltzer (wendy@eff.org) and David Tannenbaum (davidt@public-domain.org) attended the meeting that John refers to, as part of a public interest delegation and did a terrific job of making noteson the proceedings. The notes provide the first direct public insight into the making of international intellectual property regulations and makes fascinating reading.
Looks as though the EFF and the Stanford Cyberlaw folks have had some success in getting through to satallite TV company DirecTV about their thousands of threats and lawsuits against innocent users of smart card technology.

"Over the past few years, DirecTV has orchestrated a nationwide legal campaign against hundreds of thousands of individuals, claiming that they were illegally intercepting its satellite TV signal. The company began its crusade by raiding smart card device distributors to obtain their customer lists, then sent over 170,000 demand letters to customers and eventually filed more than 24,000 federal lawsuits against them. Because DirecTV made little effort to distinguish legal uses of smart card technology from illegal ones, EFF and the CIS Cyberlaw Clinic received hundreds of calls and emails from panicked device purchasers.

n August 2003, EFF and CIS created the DirecTV Defense website to provide innocent users and their lawyers with the information necessary to defend themselves. The organizations also began a series of discussions with DirecTV about ways to reform its anti-piracy tactics and protect innocent consumers.

As a result, DirecTV has agreed to make several changes to its campaign. The company will no longer pursue people solely for purchasing smart card readers, writers, general-purpose programmers, and general-purpose emulators. It will maintain this policy into the forseeable future and file lawsuits only against people it suspects of actually pirating its satellite signal. DirecTV will, however, continue to investigate purchasers of devices that are often primarily designed for satellite signal interception, nicknamed “bootloaders” and “unloopers.”

DirecTV also agreed to change its pre-lawsuit demand letters to explain in detail how innocent recipients can get DirecTV to drop their cases. The company also promised that it will investigate every substantive claim of innocence it receives. If purchasers provide sufficient evidence demonstrating that they did not use their devices for signal theft, DirecTV will dismiss their cases. EFF and CIS will monitor reports of this process to confirm that innocent device purchasers are having their cases dismissed."

I suspect the EFF and Stanford people have ideological objections to DirecTV's 'guilty until you prove yourself innocent' stance but this constitutes major progress in the dispute and all concerned deserve credit.

Monday, June 14, 2004

The RIAA have added digital radio to their list of problem technology targets. They have to be really careful - they are going to eventually pick on one to many metaphorical straws and find their camel collapsing underneath.

Some libraries in New Hampshire are giving up the chance of federal funding because they don't want to install filter software on their computers.

"The New Hampshire Library Association encouraged forgoing federal funds in a statement posted on its Web site. It said filters block valuable information like research on breast cancer, sexually transmitted diseases and even Super Bowl XXX, and give a false sense of security."

Since this weblog has been subject to crude ship due to crude xxx filtering I'd say more power to their elbow!
Ernest Miller has another beauty on DRM: Incredibly Dumb DRM Tactics - iTunes Example #1

"So, here we have a DRM stripping program that is deliberately designed to encourage copyright compliance yet still enable fair use. What does Apple do? They deliberately make such stripping programs untenable...

...This helps encourage copyright compliance, how?"

Matthew Skala of CyberPatrol hack fame has a terrific essay on the colour (or lack of it) of bits and why lawyers and computer scientists don't understand each other. In the computer scientists' universe bits have no colour. In the lawyers' universe, bit must have colour because colour is what they base their reasoning on.

Larry Lessig tells, in the penultimate chapter of his first book Code and other laws of cyberspace, of a lesson he learnt from his uncle about the art of being a good lawyer. It's not about tactics or slight of hand but about using reason, through a story to persuade. Computer scientists and lawyers can communicate but each species needs to improve their use of reason through stories to persuade and help the other understand their respective universes.