Friday, June 22, 2012

EFF right idea but wrong target on software patents

The EFF has started a campaign against software patents. They state the problem as:
"Software patents are hard to understand. Really hard, because patent lawyers can get away with writing them in extremely vague and broad language. This means that innovators are left without clear guidance on what patents they might be infringing. It also allows trolls to exploit the vague and confusing patent language to extort higher licensing fees than they would otherwise be entitled."
Much though I like the good folk at the EFF I think maybe they've got their target slightly wrong here.  Software patents can be vague and broad but I'm not sure those particular features distinguish them from any other types of patents.  Yes patent holders exploit the language but companies like Intellectual Ventures or Blackboard, IBM or Myriad Genetics don't really care if it is hardware, software or even, these days, bioware or business methods at the heart of a case.  What they exploit, primarily, is the cost of patent litigation system.  Going to court is so expensive it is really only feasible for those with deep pockets.  For smaller companies the patent system is a licence to pay a lawyer.  If one of the bigger corporations decide to target you the only rational economic response is to settle. Otherwise the risk of bankruptcy is severe.

Greg Aharonian has been a vocal and long time critic of those opposed to software patents. He makes the perfectly logical argument that:
"The Church-Turing thesis (for every algorithm, there is a circuit) requires software and hardware patentability to be equivalent, especially in light of hardware-software codesign tools, where you design both (and their combinations) with equal effort."
And he's right.  If our societal values and patent systems legitimise patents of certain types of electronic hardware then there is no logical reason why the software equivalent of that circuit should not be patentable.

My problem with these types of patents, software and  hardware equivalents, is that they amount to patenting algorithms.  Software is mathematics and mathematics should not be patentable.  Now I know this is a much more complicated case to articulate in practice to technically and mathematically challenged policymakers. But the trouble with focusing on simple but erroneous targets is that they lead to simple but erroneous "solutions" that don't fix anything.

The patent system is complicated.  The technologies that it is increasingly covering are also incredibly complicated.  The principle that mathematics should not be patentable is clear but gets lost in translation when the messy dysfunctionality of the patent system gets applied, in real life, to the complexity of modern technology. Too much of the public debate on intellectual property consists of IP maximalists and IP minimalists shouting PR digestible slogans at each other.  My concern is that the EFF's campaign here might just end up in the same unproductive arena, focusing attention on a beguiling but deceptive underlying issue of vague patent language.  Vague and broad patent language is a problem but it is not one that is exclusive to software patents.

Thursday, June 21, 2012

GNI Digital Freedoms Report

I attended the launch of the Global Network Initiative (GNI) report Digital Freedoms in International Law: Practical Steps to Protect Human Rights Online at the Free Word Centre in London yesterday. The executive summary gives an overview:
"With around 2.3 billion users, the Internet has become part of the daily lives of a significant percentage of the global population, including for political debate and activism. While states are responsible for protecting human rights online under international law, companies responsible for Internet infrastructure, products and services can play an important supporting role. Companies also have a legal and corporate social responsibility to support legitimate law enforcement agency actions to reduce online criminal activity such as fraud, child exploitation and terrorism. They sometimes face ethical and moral dilemmas when such actions may facilitate violations of human rights. In this report we suggest practical measures that governments, corporations and other stakeholders can take to protect freedom of expression, privacy, and related rights in globally networked digital technologies. These are built on a detailed analysis of international law, three workshops in London, Washington DC and Delhi, and extensive interviews with government, civil society and corporate actors. "

David Sullivan (Policy and Communications Director, Global Network Initiative)welcomed everyone explaining the GNI "is a multi-stakeholder group of companies, civil society organizations (including human rights and press freedom groups), investors and academics, who have created a collaborative approach to protect and advance freedom of expression and privacy in the ICT sector. GNI provides resources for ICT companies to help them address difficult issues related to freedom of expression and privacy that they may face anywhere in the world. GNI has created a framework of principles and a confidential, collaborative approach to working through challenges of corporate responsibility in the ICT sector." GNI want multi-stakeholder scrutiny of policy proposals surrounding the internet.

Kirsty Hughes, the Chief Executive of Index on Censorship, opened with the tale of the Azerbaijani blogger who had been jailed and tortured and continually harassed since his release. Azerbaijan government representatives even heckled and yelled at him as he spoke at the OSCE Internet Freedom conference in Dublin earlier this week.  The opportunity for expression facilitated by modern technology, she said, is brilliant compared to just 20 years ago.  But the downside is that the technology facilitates surveillance.

The Google transparency report 2012 reports that Google had few takedown requests from China. Is that good news or are China so good at censorship  they don't need Google's help? The volume of takedown requests increased drastically in India (49%) and the US (103%). There are huge concerns from the big ISPs about this.  Ms Hughes rounded off by saying Index on Censorship are committed to doing a lot more about internet censorship issues.

The first panel of the day was chaired by Ms Hughes and included Richard Allan (Director of Policy EMEA, Facebook), Stephen Deadman (Group Privacy Officer and Head of Legal, Vodafone) and Douwe Korff (Professor of International Law, London Metropolitan University).  Mr Deadman was invited to speak first to address the question of who has access to our communications.  He looks after privacy and security at Vodaphone and noted the law enforcement and human rights issues have increased by an order of magnitude over the past 10 years. Telecommunications companies (telcos) have come together to express their concern about pressures from various governments to disclose data undermining human rights.  Ten have recently published a set of principles around human rights in their sector.

For telcos surveillance is a fact of life. It is the nature of their business. The level of support provided to law enforcement authorities is on an industrial scale.  That affects the way they have to manage law enforcement. Working with law enforcement is not rare.  It is very common. So the processes have to ensure that cooperation happens in a legitimate way. However the technology has changed hugely whilst there has been very little change in how telcos provide support for law enforcement.  The Communications Data Bill, he hopes, will lead to an enlightening public debate on this.

There are two key issues for Vodaphone:

1. How can surveillance powers be adapted to the modern world in legitimate, proportionate and necessary ways?
2. How do telcos operate in markets where even basic human rights do not exist?

Richard Allan from Facebook followed. His answer to the question of who controls access to your communications is you. "The default mode is you control access to your communications." (Ahem) Operators have a moral (ahem) and legal obligation to ensure that control is meaningful.  The challenge is that governments want to override your control of your data.  Data retention is the evil twin of data protection. (That got a laugh.  You could tell he'd learned his script and was practiced at delivering it.)

Override powers are in law and companies have to abide by them if they want to operate in that jurisdiction. And the government will not leave you alone if you are as big as Facebook.  Richard Allan then asked what do we want as citizens? He wants informed consent and accountability.  So called "informed consent", imho, is a meaningless concept in the context of companies like Facebook since their users have no idea of what exactly it is they are giving away. However he followed through with the informed consent and accountability line and explained what he thought it meant - clear what the override powers are, when they are being used and what they are being used for (aka transparency); and he wants to give his consent to these things only through the judicial process.  He also wants to have to give consent (aka have his say in) to what society considers banned speech.    He also wants the authorities to be held accountable.  If commerce knew the rules were clear and governments accountable that would make their life much easier.

Note in the Facebook worldview the real evil twin is government and the good twin is commerce. It was a subtle message, slickly delivered. Yet I didn't get that from Vodaphone's Stephen Deadman.  Mr Deadman was direct in stating clearly that surveillance is in the operations dna of telcos, that support for law enforcement is provided on an industrial scale and that the regulations need to catch up with the technology via an open informed public debate. He didn't try to blame the evil government bogeyman but insisted we need to adopt proportionate, legitimate and necessary surveillance powers for the modern world.

Professor Korff came next and launched into his task with some passion.  Technology is evolving he said.  In the old days the amount of data gathered was relatively limited. Now installing a surveillance black box generates a vast amount of data.  This is fundamentally dangerous.

The way the surveillance technology is built varies. These systems need ongoing continuous maintenance and support.  The amount of data is huge and the UK government are being disingenuous or clueless if they think they are only going to gather minimal data through the provisions outlined in the Communications Data Bill (CDB).  Peter Sommer eloquently explained at the recent Scrambling for Safety conference that communications and content data cannot be separately simply in the way the government believes.

If CDB goes ahead in the UK, Prof Korff believes, we will all effectively be tagged like criminals are now.

The international law surrounding all this is really complicated. During the Arab spring in Tunisia, Egypt and other places states of emergency were declared by respective governments and normal laws suspended. Terrorism falls between peacetime and emergency but government authorities want to operate as they would in a state of emergency.  Different jurisdictions have different perspectives on speech.  In parts of Europe it is against the law to deny the holocaust.  In the US the first amendment gives people a constitutional right to do so.  It's difficult to apply conflicting laws across borders.

When researching the report they looked at the emergency standards in international law and the Ruggie principles. Ruggie focused on companies breaching human rights. In the GNI report they wanted to focus on states forcing companies to undermine human rights.

Index on Censorship CEO Kirsty Hughes then posed the question: When is it a company's obligation to challenge the law?

Stephen Deadman of Vodaphone, in fairness, again didn't attempt to duck the question.  He suggested it depended on the context.  He argued that companies cannot engage in civil disobedience if they have a physical presence in a particular market. But they do have an obligation to push back in whatever way makes sense in that market.  Sometimes this has a positive outcome.  They were under pressure from the Egyptian government to spam people with state sponsored messages.  Vodaphone pushed back and said no.  The government could have forced the issue but chose not to. The practical reason companies like Vodaphone cannot go any further than this, he insisted, was that it could have serious consequences for employees on the ground in those countries where human right abuses are rife.  Local Vodaphone employees have rights too and the company has an obligation not to put them in danger.

He was then asked if Vodphone would decide to go into or withdraw from a market on the basis of a specific country's human rights record.  Disappointingly here he retreated into the standard PR response mode.  For Vodaphone, human rights is one of the factors they consider but the key question is whether the people in that market would be better off with them, a company that respects human rights, than without. He could not and would not give a guarantee that they would refuse to go into a country on human rights grounds.

The Facebook response to when is it a company's obligation to challenge the law was a pleading - Facebook don't have a choice; when you're as big as Facebook nasty governments won't leave you alone.  The cure is to get a global regulatory framework that is the same for everyone.  Part of that framework is in place in the cybercrime convention.

Douwe Korff then suggested if there was no rule of law in a country it was not a very stable place to invest.  One of the recommendations in the GNI report is a single point of contact in each country for communications data access requests to companies.  Part of the problem for companies getting established in new countries is the multiple levels of corruption and many corrupt officials demanding data from telcos for example.  It's therefore a good idea to get agreement eg through UK ambassadors at high level what/who the single point of contact for surveillance data requests would come from.  Then if low level officials demand data they get referred to the higher authority.  It facilitates transparency of the process.

Stephen Deadman responded Vodaphone have taken this approach in a number of markets. It is easier for the company and the central government gets the benefit of monitoring these processes centrally too.

At this point there was a question from the audience prefaced with an accusation that neither Vodaphone nor Facebook are transparent about the number of requests they receive. There is a bizarre situation in some countries where you may only find out your data have been mined when you're in the dock.  In many countries there are no prohibitions on telling data subjects data has been requested by the government authorities.  Why do Vodaphone and Facebook not tell users about surveillance requests and how many geolocation  requests are they getting in the UK.

Stephen Deadman explicitly refuted the suggestion that Vodaphone have the freedom to share this information with users in many countries.  He also said it should be for governments to provide the information right across the whole market rather than individual operators disclosing.

Richard Allan said Facebook are looking at Google's transparency report and wondering if they could do something similar. But in terms of "tipping off" (my hackles were raised slightly by that) Facebook do their own assessment of the law enforcement requests for information; and tipping off is not appropriate in most cases e.g. child abuse investigation.  More cases Facebook get are legitimate investigations.  Typically totalitarian regimes don't make data requests from Facebook.  Newspapers protect sources.  Facebook and Vodaphone are not newspapers.  Facebook primarily view it as a safety issue.  Cooperating with law enforcement is a big part of that.  Safety and security are the overriding objectives.

Stephen Deadman then forcefully pointed out that Vodaphone get very little background on law enforcement requests for information.  They get a request form and follow a process.  Vodaphone is not in a position to assess the case from an investigative, criminal or legal process perspective and should not be.  It is not part of Vodaphone's remit to investigate or prosecute crimes.  They must, however, ensure due process is followed with respect to the information they supply to law enforcement.  But their capacity to say to law enforcement that they are overstepping the mark is non existent.  Vodaphone, however, get radically different types of data requests to companies like Facebook or Google.

Douwe Korff jumped in at this point and I could tell I wasn't alone in taking offence at Richard Allan's "tipping off" phrase. All this, he said, is a dialogue in secret behind your back.  On publishing the data on numbers of requests he doesn't trust government.  By all means they should publish their statistics but the telcos should too and then we can compare the two sets of data and find the holes. Companies should minimise and push back against government overreaching every time.  He doesn't believe Facebook have the competence to assess criminal cases and whether information requests are legitimate.  Companies should know the legal setup of any country they get into and with the help of academics and civil society etc facilitate understanding through transparency.  He objected strenuously to Facebook's "tipping off" language too.

Eric King of Privacy International asked for clarification of Vodaphone's interpretation of the Regulation of Investigatory Powers Act (RIPA).  His own understanding was that the RIPA default is that telcos are not gagged if they get a data access request.  He also wanted to know what degree of human supervision happens in these industrial scale law enforcement cooperations.

Stephen Deadman said Vodaphone do have oversight and review processes.  Most cases have some kind of review, some are automated.  Vodaphone doesn't have a legal opinion that says that it cannot disclose data requests under RIPA.  In other countries so prohibitions do apply.  Going down the route of transparency is something he accepts is a good idea in principle.  It does have a number of operational, cost and other practicality issues to consider though.

Mr Deadman did also, later in proceedings, say that advanced markets are the best at surveillance - this is a simple emergent feature of the different levels of technical competence.

Prof Korff then pointed out that black boxes are dangerous technology because they are indiscriminate.  The only control on them is the good behaviour or good intentions of the agencies that operate them. Without transparency no one is watching the watchmen.

There followed rather long PR statement on behalf of Facebook from Richard Allan.  All about ow Facebook what to make the world more open, how they are getting increasingly transparent, how they are much and unfairly maligned for not warning people enough, how a stazi type control system would not work and how Facebook has a network of activists showing people how to use Facebook safely.

There was a question from a member of  the House of Lords on how long the panel members thought it would be before the surveillance technology became useless except for catching stupid crooks.

Prof Korff: the circumvention technology arms race will continue and ordinary people will become more educated about the dangers online.

Richard Allan:  That is the rationale for the Communications Data Bill - technology is changing so fast the government need to keep up and they claim they can only do so with sweeping powers.  So we have to be careful with that kind of argument. They argue the more difficult it is the more data they want.

Vodaphone's Stephen Deadman agreed - the Bill is the response to that fear. He wonders if we have really looked at this holistically?  We need a debate as to what surveillance is legitimate, proportionate and necessary.

Kirsty Hughes' final question then was how worried should we be about the Communications Data Bill?

Prof Korff - "Very worried"

Richard Allan - "On a scale of 1 to 10, 11!"

Stephen Deadman - "Concerned."

That rounded off the first panel of the day.  I'll stick another note here on the second panel as, when and if time allows

Monday, June 18, 2012

Coalition mass surveillance bill

There has been little doubt for some time that the Home Secretary, Theresa May, has been completely house trained and now buys into the mass surveillance mindset of her Nu Labour predecessors.  The latest evidence comes in her scaremongering justifications for the indefensible draft Communications Data Bill (CDB).
"As criminals make increasing use of internet based communications, we need to ensure that the police and intelligence agencies continue to have the tools they need to do the job we ask of them: investigating crime and terrorism, protecting the vulnerable and bringing criminals to justice.
For many years our police and security and intelligence agencies have used communications data from landline telephones and mobiles to catch criminals and to protect the public. This information – which does not include the content of a phone call or email – has played a role in nearly every serious organised crime investigation and in all major Security Service counter-terrorism operations over the past decade and is fundamental to policing across the UK. But the ability of the police and others to use this vital tool is disappearing because communications data from new technologies is less available and often harder to access. Without action there is a serious and growing risk that crimes enabled by email and the internet will go undetected and unpunished, that the vulnerable will not be protected and that terrorists and criminals will not be caught and prosecuted. No responsible Government could allow such a situation to develop unaddressed.
The purpose of this Bill, therefore, is to protect the public and bring offenders to justice by ensuring that communications data is available to the police and security and intelligence agencies in future as it has been in the past."
All the old bogeymen are wheeled out.  In multiple media engagements she drags up all four horsemen of the infocalypse - terrorists, drug dealers, child abusers and organised crime - and more, on several occasions quoting the Met police chief as insisting passing this legislation is a "matter of life and death".

She goes to great pains to point out that the CDB is "not about creating big government database - communications service providers will be asked to hold this data". (That's "asked" as in compelled). The attempt to distance herself from the Nu Labour apparatchiks obsessed with massive database cures for all ills is laughable. As if compelling commercial communications providers (and potentially everyone if the broad definitions in Clause 28 of the Bill are any guide) to build and maintain massive databases to which government has open access is somehow morally superior?!

Let's just look at what part 1 of the draft bill actually says as opposed to "we just want to protect you cuddly kittens" newspeak version promoted by the Home Secretary.
"1 Power to ensure or facilitate availability of data
(1) The Secretary of State may by order—
(a) ensure that communications data is available to be obtained from telecommunications operators by relevant public authorities in accordance with Part 2, or
(b) otherwise facilitate the availability of communications data to be so obtained from telecommunications operators.
(2) An order under this section may, in particular—
(a) provide for—
(i) the obtaining (whether by collection, generation or otherwise) by telecommunications operators of communications data,
(ii) the processing, retention or destruction by such operators of data so obtained or other data held by such operators,
(iii) the entering into by such operators of arrangements with the Secretary of State or other persons under or by virtue of which the Secretary of State or other persons engage in activities on behalf of the operators on a commercial or other basis for the purpose of enabling the operators to comply with requirements imposed by virtue of this section,
(b) impose requirements or restrictions on telecommunications operators or other persons or provide for the imposition of such requirements or restrictions by notice of the Secretary of State.
(3) Requirements imposed by virtue of subsection (2) may, in particular, include—
(a) requirements (whether as to the form or manner in which the data is held or otherwise) which ensure that communications data can be disclosed without undue delay to relevant public authorities in accordance with Part 2,
(b) requirements for telecommunications operators—
(i) to comply with specified standards,
(ii) to acquire, use or maintain specified equipment or systems, or
(iii) to use specified techniques,
(c) requirements which—
(i) are imposed on a telecommunications operator who controls or provides a telecommunication system, and
(ii) are in respect of communications data relating to the use of telecommunications services provided by another telecommunications operator in telecommunication system concerned.
(4) Nothing in this Part authorises any conduct consisting in the interception of communications in the course of their transmission by means of a telecommunication system.
(5) In this section—
“processing”, in relation to communications data, includes its reading, organisation, analysis, copying, correction, adaptation or retrieval and its integration with other data,
“relevant public authority” has the same meaning as in Part 2.
(6) See—
(a) section 25 for the way in which this Part applies to public postal operators and public postal services, and
(b) section 28 for the definitions of “communications data” and “telecommunications operator” and for other definitions relevant to this Part."
I won't dissect all the parts of clause 1 here but the introduction to the draft bill itself explains what this means:
"Part 1 makes provision for ensuring or otherwise facilitating the availability of communications data to be obtained from telecommunications operators. Clause 1 enables the Secretary of State, by order, to ensure that communications data is available to be obtained by public authorities" 
The bottom line is that the relevant Secretary of State, most likely the Home Secretary, gets unlimited powers to mould data access regulations in perpetuity without the need to consult parliament in any meaningful way:
(1) The Secretary of State may by order—
(a) ensure that communications data is available to be obtained from telecommunications operators by relevant public authorities in accordance with Part 2, or
(b) otherwise facilitate the availability of communications data to be so obtained from telecommunications operators.
(2) An order under this section may, in particular—
[...]
(b) impose requirements or restrictions on telecommunications operators or other persons or provide for the imposition of such requirements or restrictions by notice of the Secretary of State"
This is basically a really dangerous Henry VIII clause. There is no mechanism for amending Henry VIII orders and they usually get rubber-stamped by Parliament without material scrutiny.  Ms May and her successors get to order anyone to do anything that can be related to facilitating access to communications data:

If you combine this with, as Francis Davey points out, with the broad definitions given in clause 28 of the bill, e.g.
"“person” includes an organisation and any association or combination of persons
[..]
“telecommunications operator” means a person who—
(a) controls or provides a telecommunication system, or
(b) provides a telecommunications service,
“telecommunication system” means a system (including the apparatus comprised in it) that exists (whether wholly or partly in the United Kingdom or elsewhere) for the purpose of facilitating the transmission of communications by any means involving the use of electrical or electro-magnetic energy,
“telecommunications service” means a service that consists in the provision of access to, and of facilities for making use of, a telecommunication system (whether or not one provided by the person providing the service)"
- this Bill could theoretically, as currently drafted mean that we might be obliged to keep "who, what, when and where" records of family and friends social gatherings which involve listening to music, TV watching, internet or mobile phone use, electronic gaming or just chatting.

Wendy Grossman summarises it nicely:
"So we're talking - again - about spending huge sums of government money on a project that only a handful of people want and whose objectives could be better achieved by less intrusive means. Give police better training in computer forensics, for example, so they can retrieve the evidence they need from the devices they find when executing a search warrant.
Ultimately, the real enemy is the lack of detail in the draft bill. Using the excuse that the communications environment is changing rapidly and continuously, the notes argue that flexibility is absolutely necessary for Clause 1, the one that grants the government all the actual surveillance power, and so it's been drafted to include pretty much everything, like those contracts that claim copyright in perpetuity in all forms of media that exist now or may hereinafter be invented throughout the universe. This is dangerous because in recent years the use of statutory instruments to bypass Parliamentary debate has skyrocketed. No. Make the defenders of this bill prove every contention; make them show the evidence that makes every extra bit of intrusion necessary."

So much for the promising promises of the then new coalition government in 2010 "to reverse the substantial erosion of liberties under the Labour government". Henry Porter's optimism at the time has given way to weary disappointment as he points out that the authoritarian forces within government pressing for a surveillance state are alive, well and thriving,
"the onerous truth is that the price of liberty is eternal vigilance...
We should not let this bill pass."
Indeed.