Adam Fields (weblog)

BoingBoing reports that new rules on consumer safety threaten to put small producers out of business because the testing is too expensive.

http://www.boingboing.net/2008/12/10/consumer-safety-rule.html

I have a few thoughts on this.

This is a pretty common libertarian vs. nanny state disagreement – should consumers be allowed to make their own choices, but I don’t think it’s that simple, for a few reasons. (Before you go on, I think it’s worth reading my previous piece on some failure modes of the market.)

Keeping toxic chemicals out of kids toys can’t really be the responsibility of the parents, because it’s not within their domain of control. You can be a responsible parent, you can only buy toys you “trust” (whatever that means) and your child will still be exposed to toys you didn’t have any say about. It’s unavoidable – other kids have toys, day care centers have toys, kids play with toys in the playground that other kids bring or leave behind. The only way to prevent these toys from coming into contact with kids is to keep them out of the marketplace to begin with. If you like, it’s society’s responsibility to keep poisons out of kids’ toys in general, because the incentives don’t line up for the individual actors.

After-the-fact deterrents are simply not effective. Lawsuits take years to resolve, are overly burdensome, and it may be impossible to even track down the responsible party (I’m told it’s nearly impossible to sue a foreign company). On top of that, even an expensive PR-nightmare lawsuit may not be a sufficient deterrent to a large corporation with a hefty legal budget. A few million dollar settlements can seem very small in the face of a few hundred million in profits per year. Also, it’s worth noting that this is a reactive response which doesn’t actually fix the problem, but tries to throw monetary compensation in an attempt to “make things better”. But that’s basically what we’re being asked to accept here with the free market solution – let us do what we want and if you don’t like it, sue us, because it’s “too expensive” to ensure that we make safe products. We have that prefrontal cortex for a reason – people are uniquely capable of making predictive decisions, and to allow reactive forces to handle problems we can plainly see are coming seems ridicuously primitive to me. One might argue that we don’t have the capacity to predict how our actions might affect these complex systems, but that’s exactly why we need to be able to adapt and tweak them as we go. I haven’t seen any evidence that the market makes better choices in these kinds of situations, and in fact the call for regulation is a response to the failure of market forces – these companies have already shown an inability to keep toxic ingredients out of their products, yet we still continue to have these problems. Public outrage and whatever lawsuits are currently in the pipeline haven’t served as an adequate deterrent. Why’s that? I don’t know.

This is similar to the conundrum faced by small food producers. See Joel Salatin’s Everything I Want To Do Is Illegal for a lot of good examples of this. The main thrust is that the rules that are meant for large corporations where the overhead gets absorbed by the scale are overly burdensome for small producers, who don’t have the resources for dedicated testing facilities but also have less capacity to do harm, both because they have fewer customers but also because some kinds of harm are caused by the steps needed to operate at scale in the first place. I like to buy local food from farmers that I’ve come to know and trust. This can work at a small scale – if I want to see their operation, I can go visit the farm. I have no similar way to verify that with a larger company.

I don’t think that broken regulation is a condemnation of the entire idea of regulation, but I think it’s obvious that the rules need to be different depending on the scale of the domain they apply to. It is not unreasonable for Hasbro and Mattel to have to follow different rules than the guy who’s carving wood figures in his garage and selling them on etsy. Scale matters – more is different, and bigger is different.

Dear Senator McCain,

Please remember that you are in America, and in America, we don’t suspend elections.

Have a nice day.

I’ve been very busy lately, but this is just too much to not comment on.

There are other articles about how the Google Chrome terms of service give Google an irrevocable license to use any content you submit through “The Services” (a nice catchall term which includes all Google products and services), but the analysis really hasn’t gone far enough – that article glosses over the fact that this applies not only to content you submit, but also content you display. Of course, since this is a WEB BROWSER we’re talking about, that means every page you view with it.

In short, when you view a web page with Chrome, you affirm to Google that you have the right to grant Google an irrevocable license to use it to “display, distribute and promote the Services”, including making such content available to others. If you don’t have that legal authority over every web page you’ve visited, you’ve just fraudulently granted that license to Google and may yourself be liable to the actual copyright owner. (If you do, of course, you’ve just granted them that license for real.) I’m not a lawyer, but I suspect that Google has either committed mass inducement to fraud or the entire EULA (which lacks a severability clause) is impossible to obey and therefore void. [Update: there is a severability clause in the general terms, which I missed on the first reading. Does that mean that the entire content provisions would be removed, or just the parts that apply to the license you grant Google over the content you don't have copyright to? I don't know.]

Even more so than usual, these terms are, quite frankly, ridiculous and completely inappropriate for not only a web browser but an open source web browser.

http://www.google.com/chrome/eula.html

Nice going guys.

In reference to this Gizmodo piece analyzing the rights granted by the Kindle and Sony e-reader:

http://gizmodo.com/369235/amazon-kindle-and-sony-reader-locked-up-why-your-books-are-no-longer-yours

I think the analysis in that article is flawed. It doesn’t make any sense to be able to resell the reader with the books on it, because the license for the books is assigned to you, not to the reader. For example, if your Kindle breaks, you can move your books to another one. I’ve never heard anything other than the opinion that you can’t resell the digital copy – the assumption has always been that these sorts of transactions break the first sale doctrine. The problem then becomes “what are you buying?”, if there’s nothing you can resell.

The first sale doctrine has to apply to the license, not the bits themselves, because under the scenario in which it applies to the bits, arguably Amazon retains no rights whatsoever. They had no direct hand in arranging the bits of your copy the way they are – they merely sent instructions to your computer about how to arrange them in a certain pattern. The article asserts that you can’t “transfer” the bits, but in the same way, in downloading a copy, Amazon hasn’t actually “transferred” anything to you, either.

There’s no reason you shouldn’t be able to sell your Kindle, and the books don’t necessarily go with it, but if you want to sell the books separately, you can do that too. Legally, if you do that, you’d be obligated to destroy all of the copies you’ve made. Amazon’s inability to police that is as relevant as their inability to police the fact that you haven’t made a photocopy of the physical book you sold when you were done with it. There’s no weight to the argument that this will encourage rampant piracy, given that unencrypted cracked copies of all of these things are available to those who want them anyway, and always will be. People comply with reasonable laws willingly because they’re honest, it’s the “right thing to do”, and they feel that the laws are an acceptable tradeoff for living in a civilized society where sometimes you have to make compromises and not just do whatever you want. People do not comply with one-sided laws where they feel like they’re being ripped off for no reason. A law which turns your sale into a non-sellable license is of the latter kind. It turns normal users into petty criminals who don’t care when they break the law, because the law is stupid. Once they’ve ignored some of the terms, it’s a shorter step to ignore others, or ignore similar terms for other products. People like consistency, especially in legal treatments. I would argue that it’s in Amazon’s interest (and the others) to not niggle on this point, because a reasonable license with terms that look like a sale makes for happier customers who aren’t interested in trodding on the license terms, and that’s better for everyone.

(Yes, I’m arguing that restrictive license “sales” are anti-civilization.)

The Kindle ToS not only prohibits selling the Kindle with your books on it, it prohibits anyone else from even looking at it. If someone reads over your shoulder on the train, you’re in violation.

This is, of course, ridiculous.

The right legal response here seems to me to be to not dicker about with splitting hairs about whether you can sell your digital copies if they’re on a physical device and you can’t if they’re not, but to declare that anything sufficiently close to a “right to view, use, and display [...] an unlimited number of times” de facto consitutes a sale, and with it comes certain buyer’s rights regardless of what kinds of outrageous restrictions the licensor tries to bundle in the ToS. The fact that this also seems to be the right business response reinforces my belief that this is the correct path. This kind of a transaction is different from renting, which is by nature a temporary one.

It is the right thing for society to declare that if you’ve bought something that isn’t time or use limited, you’ve therefore also bought the right to resell it, whether it’s a physical object or a license.

Previously:

http://www.aquick.org/blog/2006/04/30/sony-cant-make-up-its-mind-if-music-is-sold-or-licensed/

http://www.aquick.org/blog/2004/12/30/cory-rants-on-drm-and-rightly-so/

Tags: sony, amazon, kindle, gizmodo, first sale doctrine, digital work, content, licensing, purchase, sale

We have different classifications for the crime of “killing a person”, and those classifications encompass whether it was an accident or not, whether it was premeditated, and how many people were killed – e.g.: How serious a crime has actually been committed. But when we talk about terrorism, it’s always just “terrorism”. This results in the really sinister megacriminals being lumped in with the group of morons that can’t get it to together to leave the house without forgetting to wear pants, let alone actually arrange to blow anything up.

Most “terrorists” are less dangerous than your average serial killer or bus accident, but we still lump them all together simply because they have an agenda.

Similar to murder, I think we need some sort of classification system for these crimes:

1. Intent to commit terrorism: you “plotted” with someone who may or may not have been an undercover cop, but didn’t actually acquire passports or learn how to make liquid explosives
2. Manfrightening: you committed some other crime, and along the way someone got scared and called you a terrorist, but you have no stated agenda.
3. Terrorism in the third degree: You actually blew up something, but no one was hurt.
4. Terrorism in the second degree: You actually blew up something and killed some people, but failed to garner any sympathy from the public.
5. Terrorism in the first degree: You actually blew up something, lots of people were killed, and the US declared war on some country you were unaffiliated with.

Tags: terrorism, legal definition, degree

Crappy DRM company says the DMCA forces you to buy their technology instead of building your own because not buying their technology is a circumvention of an effective copyright tool.

The thing is, I think they’re right. I mean, it’s stupid, but then so is the DMCA.

There are some other provisions (which seem to not apply), but the crux of it is:

“No person shall manufacture, import, offer to the public, provide, or otherwise traffic in any technology, product, service, device, component, or part thereof, that–

`(A) is primarily designed or produced for the purpose of
circumventing a technological measure that effectively
controls access to a work protected under this title;”

It explicitly does NOT say “copy the work”, it says “circumvent the technology”. “Circumvent” is not the word they were looking for.

In fact, now that I think about it, convincing someone that DRM is bad is also a violation, as that may be interpreted as offering a service that is primarily design for the purpose of circumventing technological protection. Crap.

http://www.forbes.com/business/feeds/afx/2007/05/10/afx3708595.html

(via boingboing.)

Tags: drm, dmca, violation

Oh yeah.

http://www.nytimes.com/2007/04/14/technology/14deal.html?ex=1334203200&en=d94eb7f788b32db5&ei=5090&partner=rssuserland&emc=rss

This is a NYT article about an Iraqi show which seems to be called “Hurry Up, He’s Dead”.

The description is painful to read, a horrible ironic reminder of the awfulness:

“In a recent episode, the host, Saad Khalifa, reported that Iraq’s Ministry of Water and Sewage had decided to change its name to simply the Ministry of Sewage — because it had given up on the water part.”

“Mr. Sudani, the writer, said he has lost hope for his country. Iraq’s leaders are incompetent, he said. He fears that services will never be restored. The American experiment in democracy, he said, was born dead.

All anyone can do, he said, is laugh.”

Via Perry Metzger:

http://www.nytimes.com/2006/10/24/world/middleeast/24show.html?ex=1319342400&en=1bf22396b7ede7a3&ei=5090&
partner=rssuserland&emc=rss

Tags: iraq, daily show, awful, nyt, humor

With an open source monitoring program – Dorgem.

http://www.simplehelp.net/2006/09/27/how-to-use-your-pc-and-webcam-as-a-motion-detecting-and-recording-s
ecurity-camera/

Tags: warrantless wiretapping

Bravo.

http://observer.guardian.co.uk/world/story/0,,1869074,00.html

Tags: shaming search engines, wikipedia, china, censoring, not

I’ve often said that terrorism is an auto-immune disease afflicting civilization. Bruce Schneier has a great article up about how responding to terrorism by locking things down is, in fact, exactly what the terrorists want.

http://www.schneier.com/blog/archives/2006/08/what_the_terror.html

Tags: terrorism, play into their hands, auto-immune disease, schneier, security

Britt pointed me at this piece about how Lieberman still has very strong support:

http://www.talkingpointsmemo.com/archives/009461.php

There’s an important lesson in here. When you hang principles on a single race, and then lose, the principle goes with the race and suffers a horrible blow. This >WAS< the Dean mistake – it represented the internet way, and everybody fled when he lost, and how long has it taken that approach to recover its reputation?

When Lieberman wins, the ENTIRE “unseat the incumbents” approach dies a horrible death, in one single event.

How to dissociate the principles from the individual race?

Tags: lieberman, lamont, senate, races, keyraces, politics

This is a serious breach of user privacy, and I can’t imagine there won’t be lawsuits over this.

Either they didn’t think this through, or this is the best way they could think of to raise a public outrage.

http://www.interesting-people.org/archives/interesting-people/200608/msg00027.html

Tags: privacy. data security, search, aol

I think it’s simultaneously good that Google is turning a watchful eye on the government, but also somewhat creepy that they’re putting themselves in the position of proxying people’s access to potentially sensitive information. I do NOT think that the Google privacy policy is sufficient to cover this situation.

As many have predicted, this is also likely to expose some interesting accidentally unprotected things at some point in the future.

http://www.google.com/ig/usgov

Tags: search, privacy, google, us government

Boingboing points out this Wired article about a reporter who crashed a conference of wiretapping providers, mentioning this quotation in particular:

‘He sneered again. “Do you think for a minute that Bush would let legal issues stop him from doing surveillance? He’s got to prevent a terrorist attack that everyone knows is coming. He’ll do absolutely anything he thinks is going to work. And so would you. So why are you bothering these guys?”‘

It’s an interesting read, but I fundamentally disagree with the above statement, and this is the problem.

It’s not the surveillance that bothers me, it’s the resistance to oversight, even after the fact.

If there was any confidence that what they were doing was a reasonable tradeoff, they wouldn’t have to a) lie or b) break the law to do it. Yet they’ve done both of these things.

If the law enforcement community said “well shit, we’re out of ideas about how to stop these people, and so we really need to have our computers read everyone’s email and tap everyone’s phones and we guarantee that this information won’t be used for anything else, and anyone we find doing something nefarious will be dealt with according to due process”, then we could, you know, engage in a meaningful discussion about this. And then we could move on to the fact that “terrorist” is not a useful designation for a criminal, and then maybe we could fire the people who thought up this brilliant idea and find someone who would practice actual security because wholesale surveillance and profiling have been widely debunked as largely useless for anything besides persecution, political attacks, and invasions of privacy.

But we won’t, because that’s not what this is about.

This opinion of a member of the Dutch National Police is particularly telling:

‘He said that in the Netherlands, communications intercept capabilities are advanced and well established, and yet, in practice, less problematic than in many other countries. “Our legal system is more transparent,” he said, “so we can do what we need to do without controversy. Transparency makes law enforcement easier, not more difficult.”

The technology exists, it’s not going away, and it’s really not the problem. The secrecy is the problem.

http://www.wired.com/news/technology/1,71022-1.html

Tags: surveillance, wiretapping, wired, secrecy

Another idea that came out of the tired and somewhat inebriated tail end of last night’s gathering, that I didn’t want to forget.

Our system of representative democracy is predicated on the core idea that elected representatives are beholden to their constituents, because if they’re not, they’ll get elected out on the next cycle. But this is typically a four-year turnaround, and that’s plenty of time to do irreparable damage. I posit that this is not enough feedback, and we need to have a way to get citizen input taken more seriously, with direct consequences for representatives who fail to listen. This also probably goes along with increasing the number of representatives, and possibly giving up on the presumption that people who live near each other necessarily share the same views (or have views that are not directly contradictory and can be rationalized into a coherent position by one representative).

I have to think about this more.

Tags: elections, feedback, constituency

“Elections officials in several states are scrambling to understand and limit the risk from a “dangerous” security hole found in Diebold Election Systems Inc.’s ATM-like touch-screen voting machines.

The hole is considered more worrisome than most security problems discovered on modern voting machines, such as weak encryption, easily pickable locks and use of the same, weak password nationwide.”

Perhaps it’s time to acknowledge that the Diebold systems themselves ARE the security glitch.

http://www.insidebayarea.com/ci_3805089

Tags: diebold, electronic voting, security

Remember the privacy implications of the government asking Google for search data? (http://www.aquick.org/blog/2006/01/19/doj-demands-large-chunk-of-google-data/)

It’s going to get worse before it gets better. No online service considers your IP address to be private information, and now they will be required to maintain logs mapping your IP address to real contact information, for a period of at least one year after your account is closed.

The only way to prevent this information from being misused is to not keep it, and now there won’t be any choice.

http://www.interesting-people.org/archives/interesting-people/200604/msg00176.html

I’ve discussed this before:

http://www.aquick.org/blog/2006/01/29/whats-the-big-fuss-about-ip-addresses/

Tags: surveillance, ip address, data retention

Apparently, crooks have been breaking into vacation homes, stealing the >OVEN DOORS<, repackaging them in real flat screen TV boxes, and selling them to dupes on the street.

Words fail me.

http://www.consumerist.com/consumer/consumer-alert/dont-take-any-wooden-flat-screens-165345.php
http://www.consumerist.com/consumer/scam/update-dont-take-any-wooden-flat-screens-165526.php

Tags: oven door, flat screen tv, theft, scam, everythingbuttheovendoor

http://www-tech.mit.edu/V126/N15/RIAA1506.html

Of course, this is nothing compared to the fact that the RIAA says you shouldn’t be allowed to break DRM even if it’s going to kill you if you don’t:

http://www.freedom-to-tinker.com/?p=984

I’ve discussed this before:

http://www.aquick.org/blog/2005/08/01/why-i-oppose-drm/

Tags: drm, riaa, quit school, MIT, unreasonable

Due to a lost patent claim, on April 11th, Active X controls (all embedded objects in IE) will have changed behavior and will require an “activation click” before they can be interacted with.

http://www.eweek.com/article2/0,1895,1943847,00.asp
http://msdn.microsoft.com/library/?url=/workshop/author/dhtml/overview/activating_activex.asp

1) This does not affect pure DHTML/javascript, only DHTML/javascript that interacts with embedded applets.

2) As described in the MS article and some of the links below, it is possible to bypass the restriction by loading the objects from an external page, and this can be automated in some circumstances. Apparently, Adobe/Macromedia is also working on better fixes.

http://www.macromedia.com/devnet/activecontent/
http://www.devx.com/webdev/Article/18063
http://news.com.com/Microsoft+tweaks+browser+to+avoid+liability/2100-1012_3-5980658.html
http://www.betanews.com/article/Microsoft_Offers_60Day_ActiveX_Reprieve/1143650536

Tags: microsoft, eolas, patent, activex, control, widget, interaction

I’ve been collecting examples of cases where there are hidden dangers facing consumers, cases where the information necessary to make an informed decision about a product isn’t obvious, or isn’t included in most of the dialogue about that product. Sometimes, this deals with hidden implications under the law, but sometimes it’s about non-obvious capabilities of technology.

We’re increasingly entering situations where most customers simply can’t decide whether a certain product makes sense without lots of background knowledge about copyright law, evidence law, network effects, and so on. Things are complicated.

So far, I have come up with these examples, which would seem to be unrelated, but there’s a common thread – they’re all bad for the end user in non-obvious ways. They all seem safe on the surface, and often, importantly, they seem just like other approaches that are actually better, but they’re carrying hidden payloads – call them “Trojan technologies”.

To put it clearly, what I’m talking about are the cases where there are two different approaches to a technology, where the two are functionally equivalent and indistinguishable to the end user, but with vastly different implications for the various kinds of backend users or uses. Sometimes, the differences may not be evident until much later. In many circumstances, the differences may not ever materialize. But that doesn’t mean that they aren’t there.

• Remote data storage. I wrote a previous post about this, and Kevin Bankston of the EFF has some great comments on it. Essentially, the problem is this. To the end user, it doesn’t matter where you store your files, and the value proposition looks like a tradeoff between having remote access to your own files or not being able to get at them easily because they’re on your desktop. But to a lawyer asking for those files, it makes a gigantic difference in whether they’re under your direct control or not. On your home computer, a search warrant would be required to obtain them, but on a remote server, only a subpoena is needed.
• The recent debit card exploit has shed some light on the obvious vulnerabilities in that system, and it’s basically the same case. To a consumer, using a debit card looks exactly the same as using a credit card. But the legal ramifications are very different, and their use is protected by different sets of laws. Credit card liability is typically geared in favor of the consumer – if your card is subject to fraud, there’s a maximum amount you’ll end up being liable for, and your account will be credited immediately, as you simply don’t owe the money you didn’t charge yourself. Using a debit card, the money is deducted from your account immediately, and you have to wait for the investigation to be completed before you get your refund. A lot of people recently discovered this the hard way. There’s a tremendous amount of good coverage of debit card fraud on the Consumerist blog.
• The Goodmail system, being adopted by Yahoo and AOL, is a bit more innocuous on the surface, but it ties into the same question. On the face of it, it seems like not a terrible idea – charge senders for guaranteed delivery of email. But the very idea carries with it, outside of the normal dialogue, the implications of breaking network neutrality (the concept that all traffic gets equal treatment on the public internet) that extend into a huge debate being raged in the confines of the networking community and the government, over such things as VoIP systems, Google traffic, and all kinds of other issues. I’m not sure if this really qualifies in the same league as my other examples, but I wanted to mention it here anyway. There’s a goodmail/network neutrality overview discussion going on over on Brad Templeton’s blog.
• DRM is sort of the most obvious. Consumers can’t tell what the hidden implications of DRM are. This is partly because those limitations are subject to change, and that in itself is a big part of the problem. The litany of complaints is long – DRM systems destroy fair use, they’re security risks, they make things complicated for the user. I’ve written a lot about DRM in the past year and a half.
• 911 service on VoIP is my last big example, and one of the first ones that got me started down this path. This previous post, dealing with the differences between multiple kinds of services called “911 service” on different networks, is actually a good introduction to this whole problem. I ask again ‘Does my grandmother really understand the distinction between a full-service 911 center and a “Public Safety Answering Point”? Should she have to, in order to get a phone where people will come when she dials 911?‘

I don’t have a good solution to this, beyond more education. This facet must be part of the consumer debate over new technologies and services. These differences are important. We need to start being aware, and asking the right questions. Not “what are we getting out of this new technology?“, but “what are we giving up?“.

Tags: DRM, consumer, hidden dangers, trojan, techology, voip, Goodmail, Google, Amazon, debit, consumerist

If you bought an infected CD from Sony, you’re entitled to some benefits under the lawsuit settlement:

http://www.eff.org/sony

Tags: Sony, DRM, busted, lawsuit, eff, settlement

As predicted, U.S. Judge James Ware intends to force Google to hand over the requested data to the DoJ.

http://www.cnn.com/2006/TECH/internet/03/14/google.hearing.ap/index.html

Tags: Google, privacy, search, records, surveillance

The big news this week – video that Bush knew that Katrina would destroy New Orleans a day before the storm hit:
http://www.truthout.org/multimedia.htm
http://websrvr20.audiovideoweb.com/avwebdswebsrvr2143/news_video/apbushkatrina512K.mov

Asking for complaint forms in Flordia Police stations gets you harassed and threatened:
http://cbs4.com/topstories/local_story_033170755.html

Greek cell phone taps of high officials were enabled by embedded surveillance tech:
http://www.schneier.com/blog/archives/2006/03/more_on_greek_w.html

Zogby poll shows 72% of troops want to get out of Iraq in the next year, but also that 85% of them think they’re there to retaliate for Saddam’s attacking us on 9/11. So, there’s that:
http://www.estripes.com/article.asp?section=104&article=35385

Human rights abuses in Iraq are worse than under Saddam (oops, Freudian slip – I typed Bush there first):
http://www.chron.com/disp/story.mpl/ap/world/3696105.html

Daily Kos is mumbling something about State-initiated impeachment:
http://www.dailykos.com/story/2006/3/1/235828/9378

And, a kitten:
http://www.dailykitten.com/archives/340-Poppy.html

Tags: outrage fatigue, news, depressing, makeitstop

Power, once given, will be abused. And not necessarily by those it’s given to.

Bruce Schenier has a blog entry about the Greek cell phone tapping scandal – about 100 cell phones of politicians and officials, including the American embassy, have been tapped by an unknown party since the 2004 Olympics.

Bruce points out that the “malicious code” used to enable this was actually designed into the system as an eavesdropping mechanism for the police.

“There is an important security lesson here. I have long argued that when you build surveillance mechanisms into communication systems, you invite the bad guys to use those mechanisms for their own purposes. That’s exactly what happened here.”

http://www.schneier.com/blog/archives/2006/03/more_on_greek_w.html

Tags: surveillance, greek, wiretapping, security, privacy

Joe Gratz and I are having an interesting discussion about Creative Commons licenses over in the comments of his blog post about Schmap:

http://www.joegratz.net/archives/2006/02/23/schmap/

Tags: flickr, debate, creative commons, commercial, non-commercial

Harold Hurtt, police chief of Houston, has advocated changing building permits to require cameras in public areas of malls and apartment complexes, to try to deter crime:

http://seattlepi.nwsource.com/national/1110AP_Police_Cameras.html

He’s quoted in the article, saying “I know a lot of people are concerned about Big Brother, but my response to that is, if you are not doing anything wrong, why should you worry about it?”

1) “Wrong” is always changing, and isn’t always correct.

2) Our society and legal system are neither constructed for or capable of handling perfect law enforcement.

3) It’s not worth any price to catch all of the criminals. There are tradeoffs to be made.

The Hurtt Prize is a $1000-and-growing bounty offered for anyone who gets a video capture of Mr. Hurtt committing a crime.

http://www.hurttprize.org/

Tags: hurtt prize, security, cameras, surveillance

In an interview with a senior Chinese official responsible for policing the Internet, he defends China’s monitoring and filtering as no different from what other countries do to enforce their laws and keep the content on the internet “safe”. He points to the Patriot Act as evidence that the US is “doing a good job on this front”.

http://www.nytimes.com/2006/02/14/international/asia/14cnd-china.html?ex=1297573200&en=f7e5e2a8d90dfbeb&ei=5090&partner=rssuserland&emc=rss

Tags: china, patriot act, censorship

Declan McCullagh has compiled responses from AOL, Microsoft, Yahoo and Google on the following questions (two of which are nearly verbatim from my previous query, uncredited):

So we’ve been working on a survey of search engines, and what data they keep and don’t keep. We asked Google, MSN, AOL, and Yahoo the same questions:

- What information do you record about searches? Do you store IP addresses linked to search terms and types of searches (image vs. Web)?
- Given a list of search terms, can you produce a list of people who searched for that term, identified by IP address and/or cookie value?
- Have you ever been asked by an attorney in a civil suit to produce such a list of people? A prosecutor in a criminal case?
- Given an IP address or cookie value, can you produce a list of the terms searched by the user of that IP address or cookie value?
- Have you ever been asked by an attorney in a civil suit to produce such a list of search terms? A prosecutor in a criminal case?
- Do you ever purge these data, or set an expiration date of for instance 2 years or 5 years?
- Do you ever anticipate offering search engine users a way to delete that data?

http://news.com.com/2100-1025_3-6034626.html

Tags: privacy, search, retention, tracking

The system has cost around $15 billion, and has caught about 1000 criminals. No terrorists, all immigration violations and common criminals.

http://www.schneier.com/blog/archives/2006/01/the_failure_of_1.html

This estimate doesn’t include lost tourism revenue, academic implications of detaining foreign students or professors, or a count of how many of those criminals might have been caught anyway.

Tags: US-VISIT, security, immigration, government

Given the recent fuss about the government asking for search terms and what qualifies as personally identifiable information, I want to explain why IP address logging is a big deal. This explanation is somewhat simplified to make the cases easier to understand without going into complete detail of all of the possible configurations, of which there are many. I think I’ve kept the important stuff without dwelling on the boundary cases, and be aware that your setup may differ somewhat. If you feel I’ve glossed over something important, please leave a comment.

First, a brief discussion of what IP addresses are and how they work. Slightly simplified, every device that is connected to the Internet has a unique number that identifies it, and this number is called an IP address. Whenever you send any normal network traffic to any other computer on the network (request a web page, send an email, etc…), it is marked with your IP address.

There are three standard cases to worry about:

1. If you use dialup, your analog modem has an IP address. Remote computers see this IP address. (This case also applies if you’re using a data aircard, or using your cell phone as a modem.)
2. If you have a DSL or cable connection, your DSL/cable modem has an IP address when it’s connected, and your computer has a separate internal IP address that it uses to only communicate with the DSL or cable modem, typically mediated by a home router. Remote computers see the IP address of the DSL/cable modem. (This case also applies if you’re using a mobile wifi hotspot.)
3. If you’re directly connected to the internet via a network adapter, your network adapter has an IP address. Remote computers see this IP address.

Sometimes, IP addresses are static, meaning they’re manually assigned and don’t change automatically unless someone changes them (typically, only for case #3). Often, they’re dynamic, which means they’re assigned automatically with a protocol called DHCP, which allows a new network connection to automatically pick up an IP address from an available pool. But just because they can change doesn’t mean they will change. Even dynamic IP addresses can remain the same for months or years at a time. (The servers you’re communicating with also have IP addresses, and they are typically static.)

In order to see how an IP address may be personally identifiable information, there’s a critical question to ask – “where do IP addresses come from, and what information can they be correlated with?”.

Depending on how you connect to the internet, your IP address may come from different places:

• If you use dialup, your modem will get its IP address from the dialup ISP, with which you have an account. The ISP knows who you are and can correlate the IP address they give you with your account. Your name and billing details are part of your account information. By recording the phone number you call from, they may be able to identify your physical location.
• If you have a DSL or cable connection, your DSL/cable modem will get its IP address from the DSL/cable provider. The ISP knows who you are and can correlate the IP address they give you with your account. Your name and physical location, and probably other information about you, are part of your account information.
• If you’re using a public wifi access point, you’re probably using the IP address of the access point itself. If you had to log in your account, your name and physical location, and probably other information about you, are part of your account information. If you’re using someone else’s open wifi point, you look like them to the rest of the internet. This case is an exception to the rest of the points outlined in this article.
• If you’re directly connected to the internet via a network adapter, your network adapter will get its IP address from the network provider. In an office, this is typically the network administrator of the company. Your network administrator knows which computer has which IP address.

None of this information is secret in the traditional sense. It is probably confidential business information, but in all cases, someone knows it, and the only thing keeping it from being further revealed is the willingness or lack thereof of the company or person who knows it.

While an IP address may not be enough to identify you personally, there are strong correlations of various degrees, and in most cases, those correlations are only one step away. By itself, an IP address is just a number. But it’s trivial to find out who is responsible for that address, and thus who to ask if you want to know who it’s been given out to. In some cases, the logs will be kept indefinitely, or destroyed on a regular basis – it’s entirely up to each individual organization.

Up until now, I’ve only discussed the implications of having an IP address. The situation gets much much worse when you start using it. Because every bit of network traffic you use is marked with your IP address, it can be used to link all of those disparate transactions together.

Despite these possible correlations, not one of the major search engines considers your IP address to be personally identifiable information. [Update: someone asked where I got this conclusion. It's from my reading of the Google, Yahoo, and MSN Search privacy policies. In all cases, they discuss server logs separately from the collection of personal information (although MSN Search does have it under the heading of "Collection of Your Personal Information", it's clearly a separate topic). If you have some reason to believe I've made a mistake, I'm all ears.] While this may technically be true if you take an IP address by itself, it is a highly disingenuous position to take when logs exist that link IP addresses with computers, physical locations, and account information… and from there with people. Not always, but often. The inability to link your IP address with you depends always on the relative secrecy of these logs, what information is gathered before you get access to your IP address, and what other information you give out while using it.

Let’s bring one more piece into the puzzle. It’s the idea of a key. A key is a piece of data in common between two disparate data sources. Let’s say there’s one log which records which websites you visit, and it stores a log that only contains the URL of the website and your IP address. No personal information, right? But there’s another log somewhere that records your account information and the IP address that you happened to be using. Now, the IP address is a key into your account information, and bringing the two logs together allows the website list to be associated with your account information.

• Have you ever searched for your name? Your IP address is now a key to your name in a log somewhere.
• Have you ever ordered a product on the internet and had it shipped to you? Your IP address is now a key to your home address in a log somewhere.
• Have you ever viewed a web page with an ad in it served from an ad network? Both the operator of the web site and the operator of the ad network have your IP address in a log somewhere, as a key to the sites you visited.

The list goes on, and it’s not limited to IP addresses. Any piece of unique data – IP addresses, cookie values, email addresses – can be used as a key.

Data mining is the act of taking a whole bunch of separate logs, or databases, and looking for the keys to tie information together into a comprehensive profile representing the correlations. To say that this information is definitely being mined, used for anything, stored, or even ever viewed is certainly alarmist, and I don’t want to imply that it is. But the possibility is there, and in many cases, these logs are being kept, if they’re not being used in that way now, the only thing really standing in the way is the inaction of those who have access to the pieces, or can get it.

If the information is recorded somewhere, it can be used. This is a big problem.

There are various ways to mask your IP address, but that’s not the whole scope of the problem, and it’s still very easy to leak personally identifiable information.

I’ll start with one suggestion for how to begin to address this problem:

Any key information associated with personally identifiable information must also be considered personally identifiable.

[Update: I've put up a followup post to this one with an additional suggestion.]

Tags: IP address, privacy, tracking, logs, retention, personal information

I asked John Battelle the question about whether Google keeps personally identifiable search log information, particularly search logs correlated with IP address. He asked Google PR, who confirmed that they do.

http://battellemedia.com/archives/002272.php

From my comment there, ultimately, this is bad for users. If the information is kept, it’s available for request, abuse, or theft.

Tags: Google, privacy, logs, retention, tracking, personal data, search

This article from Internet Week has Alan Eustace, VP of Engineering for Google, on the record talking about the My Search feature.

http://internetweek.cmp.com/showArticle.jhtml?articleID=161500556

“Anytime, you give up any information to anybody, you give up some privacy,” Eustace said.

With “My Search,” however, information stored internally with Google is no different than the search data gathered through its Google .com search engine, Eustace said.

“This product itself does not have a significant impact on the information that is available to legitimate law enforcement agencies doing their job,” Eustace said.

This seems pretty conclusive to me – signing up for saved searches doesn’t (or didn’t, in April 2005) change the way the search data is stored internally.

Comments?

(This was pointed out to me by Ray Everett-Church in the comments of the previous post, covered on his blog: http://www.privacyclue.com/index.php?p=68)

Tags: Google, privacy, logs, retention, tracking, personal data, search

The question is this – is there any evidence that Google is keeping logs of personally identifiable search history for users who have not logged in and for logged-in users who have not signed up for search history? What about personal data collected from Gmail, and Google Groups, and Google Desktop? Aggregated with search? Kept personally identifiably? (Note: For the purposes of this conversation, even though Google does not consider your IP address to be personally identifiable, at least according to their privacy policy, I do.)

It is not arguable that they could keep those logs, but I think every analysis I’ve seen is simply repeating the assumption that they do, based on the fact that they could.

Has there ever been a hard assertion, by someone who’s in a position to know, that these logs do in fact exist?

I have a suspicion about one possible source of all this. Google’s privacy policy used to say (amended 7/2004):

“Google notes and saves [emphasis mine] information such as time of day, browser type, browser language, and IP address with each query.“.

But the policy no longer says that. The current version reads: “When you use Google services, our servers automatically record information that your browser sends whenever you visit a website. These server logs may include information such as your web request, Internet Protocol address, browser type, browser language, the date and time of your request and one or more cookies that may uniquely identify your browser.“. Again, no information about what’s being done with that data or how long it’s kept.

Given the possibility that they don’t, I think it drastically changes the value proposition of those free subsidiary tools. Obviously, if you ask for your search history to be saved, they’re going to keep it. But maybe that decision is predicated on the assumption that they’re going to keep it anyway, and you might as well have access to it. If the answer is that they’re not keeping it, that’s a different question.

It’s critical to point out that these issues are not even close to limited to Google. Every search engine, every “free” service you give your data to, every hub of aggregated data on the web has the same problems.

Currently, there’s no way to make an informed decision, because privacy policies don’t include specific information about what data is kept, in what form, and for how long. With all of the disclosures in the past year of personal data lost, compromised, and requested, isn’t it time for us to know? In the beginning of the web, having a privacy policy at all was unheard of, but now everybody has one. I don’t think it’s too much to ask of the companies we do business with that the same be done with log retention policies.

I agree with the request to ask Google to delete those logs if they’re keeping them, but I haven’t seen any evidence that they are. Personally, I’d like to know.

Tags: Google, privacy, logs, retention, tracking, personal data, search

This is pretty much exactly the point I’ve been trying to make – while Google is commendable for standing up to the government, they created this problem in the first place by aggregating search data.

“Imagine we were to find out one day that Starbucks had been recording everyone’s conversations for the purpose of figuring out whether cappuccino is more popular than macchiato. Sure, the result, on the margin, might be a better coffee product. And, yes, we all know, or should, that our conversations at Starbucks aren’t truly private. But we’d prefer a coffee shop that wasn’t listening – and especially one that won’t later be able to identify the macchiato lovers by name. We need to start to think about search engines the same way and demand the same freedoms.”

http://www.slate.com/id/2134670/?nav=tap3

Having examined the motion and letters, I see a different picture emerging.

I am not a lawyer, but from my reading of the motion, it appears that Google’s objections are thin. Really thin.
Also, they seem to have been completely addressed by the scaling back of the DOJ requests. Of course, that’s not the complete story, but if the arguments in the motion are correct, it seems like to me that Google will lose and be compelled to comply.

Based on the letters and other analysis, they’re also pulling the slippery slope defense – “we’re not going to comply with this because it will give you the expectation that we’re open for business and next time you can ask for personal information”. If that’s true, I think that’s the first good news I’ve heard out of them in years. Good luck with that.

Google’s own behavior is inconsistent with their privacy FAQ, which states Google does comply with valid legal process, such as search warrants, court orders, or subpoenas seeking personal information. These same processes apply to all law-abiding companies. As has always been the case, the primary protections you have against intrusions by the government are the laws that apply to where you live. (Interestingly, this language is inconsistent with their full privacy policy, which states that Google only shares personal information … [when] We have a good faith belief that access, use, preservation or disclosure of such information is reasonably necessary to (a) satisfy any applicable law, regulation, legal process or enforceable governmental request.

I wonder if they intend to challenge the validity of the fishing expedition itself, which would be the real kicker (and probably invalidate the above paragraph). I also idly wonder if they expect to lose anyway and have simply refused to comply with bogus arguments in order to get the request entered into the public record.

Interesting stuff. A lot of my criticisms of Google are about their unwillingness to publicly state their intentions with respect to the data they get (and the extent to which they may or may not be retaining, aggregating, and correlating that data), and I don’t think this case is any different. I think Google’s interest here in not releasing records is aligned with the public good, and as such, I wish them well. It’s been asserted that Google has taken extraordinary steps to preserve the anonymity of its records, and that well may be true. It’s also kind of irrelevant. Beyond this specific case, of whether the govnernment can request information about Google searches (let alone any of their more invasive services, or anyone’s more invasive services), is the issue of the ramifications of collecting, aggregating, and correlating this data in the first place.

There is no question that Google has access to a tremendous amount of data on everyone who interacts with its service. It is still troubling that its privacy policy is inadequate. It’s still troubling that Google (and Yahoo, and how many others) considers your IP address to be not personally identifiable information. It’s still troubling that Google (and Yahoo and how many others) do all of their transactions unencrypted and that search terms are included in the URL of the request. As this case has shown, Google’s actual behavior may not correlate to their stated intentions, of which there are few in the first place. By Google’s own slippery slope logic, this time it works for you – will it next time?

Perhaps it’s time to hold companies accountable for the records they keep.

This is a fascinating deconstruction of the court documents and letters available so far:

http://blog.searchenginewatch.com/blog/060119-161802

The Bush administration on Wednesday asked a federal judge to order Google to turn over a broad range of material from its closely guarded databases.

The move is part of a government effort to revive an Internet child protection law struck down two years ago by the U.S. Supreme Court. The law was meant to punish online pornography sites that make their content accessible to minors. The government contends it needs the Google data to determine how often pornography shows up in online searches.

In court papers filed in U.S. District Court in San Jose, Justice Department lawyers revealed that Google has refused to comply with a subpoena issued last year for the records, which include a request for 1 million random Web addresses and records of all Google searches from any one-week period.

http://www.siliconvalley.com/mld/siliconvalley/13657386.htm

I’m sort of out of analysis about why this is bad, because I’ve said it all before.

See (particularly 4 and 5):

1. http://www.aquick.org/blog/2005/04/21/google-adds-prove-adam-right-button/
2. http://www.aquick.org/blog/2005/05/06/they-dont-necessarily-know-who-you-are/
3. http://www.aquick.org/blog/2005/06/23/beware-the-google-threat/
4. http://www.aquick.org/blog/2005/05/08/google-is-destroying-the-private/
5. http://www.aquick.org/blog/2005/05/05/google-wants-your-logs/
6. http://www.aquick.org/blog/2005/11/21/google-really-wants-your-logs/

It really comes down to one thing.

If data is collected, it will be used.

It’s far past the time for us all to take an interest in who’s collecting what.

“This rationale was spelled out in a memo written by John Yoo, a White House attorney, less than two weeks after the attacks of 9/11. It’s a dense read and a terrifying piece of legal contortionism, but it basically says that the president has unlimited powers to fight terrorism. He can spy on anyone, arrest anyone, and kidnap anyone and ship him to another country … merely on the suspicion that he might be a terrorist. And according to the memo, this power lasts until there is no more terrorism in the world.”

http://www.startribune.com/stories/562/5793639.html

Bruce Schneier has an excellent piece in Salon on the recent wiretap revelations:

http://www.salon.com/opinion/feature/2005/12/20/surveillance/index.html

This is an editorial that Perry sent to his cryptography mailing list.

I posted this earlier today to a mailing list for cryptographers that I run. Please feel free to send it to anyone you like.

To: cryptography
Subject: A small editorial about recent events.
From: “Perry E. Metzger” Date: Sun, 18 Dec 2005 13:58:06 -0500

A small editorial from your moderator. I rarely use this list to express a strong political opinion — you will forgive me in this instance.

This mailing list is putatively about cryptography and cryptography politics, though we do tend to stray quite a bit into security issues of all sorts, and sometimes into the activities of the agency with the biggest crypto and sigint budget in the world, the NSA.

As you may all be aware, the New York Times has reported, and the administration has admitted, that President of the United States apparently ordered the NSA to conduct surveillance operations against US citizens without prior permission of the secret court known as the Foreign Intelligence Surveillance Court (the “FISC”). This is in clear contravention of 50 USC 1801 – 50 USC 1811, a portion of the US code that provides for clear criminal penalties for violations. See:

http://www.law.cornell.edu/uscode/html/uscode50/usc_sup_01_50_10_36_20_I.html

The President claims he has the prerogative to order such surveillance. The law unambiguously disagrees with him.

There are minor exceptions in the law, but they clearly do not apply in this case. They cover only the 15 days after a declaration of war by congress, a period of 72 hours prior to seeking court authorization (which was never sought), and similar exceptions that clearly are not germane.

There is no room for doubt or question about whether the President has the prerogative to order surveillance without asking the FISC — even if the FISC is a toothless organization that never turns down requests, it is a federal crime, punishable by up to five years imprisonment, to conduct electronic surveillance against US citizens without court authorization.

The FISC may be worthless at defending civil liberties, but in its arrogant disregard for even the fig leaf of the FISC, the administration has actually crossed the line into a crystal clear felony. The government could have legally conducted such wiretaps at any time, but the President chose not to do it legally.

Ours is a government of laws, not of men. That means if the President disagrees with a law or feels that it is insufficient, he still must obey it. Ignoring the law is illegal, even for the President. The President may ask Congress to change the law, but meanwhile he must follow it.

Our President has chosen to declare himself above the law, a dangerous precedent that could do great harm to our country. However, without substantial effort on the part of you, and I mean you, every person reading this, nothing much is going to happen. The rule of law will continue to decay in our country. Future Presidents will claim even greater extralegal authority, and our nation will fall into despotism. I mean that sincerely. For the sake of yourself, your children and your children’s children, you cannot allow this to stand.

Call your Senators and your Congressman. Demand a full investigation, both by Congress and by a special prosecutor, of the actions of the Administration and the NSA. Say that the rule of law is all that stands between us and barbarism. Say that we live in a democracy, not a kingdom, and that our elected officials are not above the law. The President is not a King. Even the President cannot participate in a felony and get away with it. Demand that even the President must obey the law.

Tell your friends to do the same. Tell them to tell their friends to do the same. Then, call back next week and the week after and the week after that until something happens. Mark it in your calendar so you don’t forget about it. Politicians have short memories, and Congress is about to recess for Christmas, so you must not allow this to be forgotten. Keep at them until something happens.

Perry

I don’t remember who originally sent this to me, but I got it a few times. This is apparently a patent for a warp drive.

” A cooled hollow superconductive shield is energized by an electromagnetic field resulting in the quantized vortices of lattice ions projecting a gravitomagnetic field that forms a spacetime curvature anomaly outside the space vehicle. The spacetime curvature imbalance, the spacetime curvature being the same as gravity, provides for the space vehicle’s propulsion. The space vehicle, surrounded by the spacetime anomaly, may move at a speed approaching the light-speed characteristic for the modified locale.”

They’re off their rocker.

http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PALL&p=1&u=/netahtml/srchnum.htm&r=1&f=G&l=50&s1=6,960,975.WKU.&OS=PN/6,960,975&RS=PN/6,960,975

Does this phrase sound familiar? “You may not send automated queries of any sort to Google’s system without express permission in advance from Google.” It’s from Google’s terms of service, and it’s just one of several aspects of that document that make this leave a bad taste in my mouth.

Larry Lessig makes the point that “Google wants to index content. Never in the history of copyright law would anyone have thought that you needed permission from a publisher to index a book’s content.” But that’s not what Google wants to do. Google wants to index content and put their own for-pay ads next to it. Larry says ” It is the greatest gift to knowledge since, well, Google.”

http://www.wired.com/wired/archive/13.11/posts.html?pg=8

Don’t forget this for a second. Google is not a public service, Google is a business. Google isn’t doing this because it’s good for the world, Google is doing this because it represents a massive expansion in the number of pages they can serve ads next to. In order to do that, the index remains the property of Google, and no one else will be able to touch it except in ways that are sanctioned by Google. It’s not really about money, it’s about control. It’s against the terms of service to make copies of Google pages in order to build an index. Why should it be okay for them to make copies of other people’s pages in order to build their own? It’s not that they’re making money that bothers us, it’s the double standard. The same double standard that says that Disney can take characters and stories from the public domain, copyright them, and then lock them up and prevent other people from using them.

Oh, but you hate that, don’t you, Larry? (And I think a lot of us do.) How is what Google is doing any different? Google is just extending the lockdown one step further, into their own pockets. There’s no share alike clause in the Google terms of service, and that is what’s wrong with it. They want privileges under the law that they’re not willing to grant to others with respect to their own content.

The day Google steps forward and says “we’re building an index, and anyone can access it anonymously in any way they please”, then sure – I’m all with you.

(Found at http://www.hyperorg.com/blogger/mtarchive/go_larry_go.html)

Conclusion: tinfoil hat makes it easier for the gummint to read your brain. It’s a conspiracy!

http://people.csail.mit.edu/rahimi/helmet/

Long article copied shamelessly from Esquire about”Idiot America”.

“Idiot America is a collaborative effort, the result of millions of decisions made and not made. It’s the development of a collective Gut at the expense of a collective mind. It’s what results when politicians make ridiculous statements and not merely do we abandon the right to punish them for it at the polls, but we also become too timid to punish them with ridicule on a daily basis, because the polls say they’re popular anyway. It’s what results when leaders are not held to account for mistakes that end up killing people.”

Via Novitz:

http://templeofpolemic.proboards42.com/index.cgi?board=theo&action=print&thread=1130126466

“A Plot or Storyline Patent application seeks to patent the underlying
novel and nonobvious storyline of a fictional story.”

http://www.plotpatents.com/applications.htm

Here’s an article about it:

http://www.emediawire.com/releases/2005/11/emw303435.htm

And the actual patent application:

http://appft1.uspto.gov/netacgi/nph-Parser?Sect1=PTO2&Sect2=HITOFF&p=1&u=%2Fnetahtml%2FPTO%2Fsearch-bool.html&r=2&f=G&l=50&co1=AND&d=PG01&s1=storyline&OS=storyline&RS=storyline

I love this comment on Bruce Schneier’s blog in reference to the recent NYC subway threat which turned out to be a hoax:

“Every time I read this kind of nonsense, I have a mental image of our government — from city level on up — as a strung-out derelict curled up in a fetal position in a corner, screaming about the spiders all over him as he clutches a bottle of cheap fortified wine cut with paint thinner.”

http://www.schneier.com/blog/archives/2005/10/exploding_baby.html

This is a good page describing the legal situation surrounding the copyright of the song “Happy Birthday”.

Via Perry:

http://www.unhappybirthday.com/

Can we please stop calling it “The New Currency” everytime we release a new kind of money? I’m getting confused about whether this is the new $10, the last new $10, or the one before that. They need version numbers or years or funny names like Hurricanes have.

Bonus points for scoring “moneyfactory.gov” though!

http://www.moneyfactory.gov/newmoney/main.cfm/currency/new10

Well, the US government, anyway. I seem to recall a certain vocal minority saying all along that this is how it would turn out.

http://www.washingtonpost.com/wp-dyn/content/article/2005/08/13/AR2005081300853.html

“The goal now is to ensure a constitution that can be easily amended later so Iraq can grow into a democracy, U.S. officials say.”

Until someone else forgets that too.

Also:

“Washington now does not expect to fully defeat the insurgency before departing, but instead to diminish it, officials and analysts said. There is also growing talk of turning over security responsibilities to the Iraqi forces even if they are not fully up to original U.S. expectations, in part because they have local legitimacy that U.S. troops often do not.”

A researcher found that a search for “Dr. Lee court documents Google Microsoft” (no quotes), in reference to the lawsuit between MS and Google over the hiring of a key employee, yielded vastly different results from MSN and Google. As happens, the results have been a bit skewed by the existence of this observation, but my results seem to roughly correspond to those reported.

http://www.webpronews.com/insidesearch/insidesearch/wpn-56-20050804MSNGooglesDrLeeLawsuitSERPsVastlyDifferent.html

This is an interesting contrast to the usual “we refuse to comment during an ongoing investigation”. I wonder if this is indirectly caused by indexing of internal company pages that link to one viewpoint or another.

Incidentally, I find it not suprising in the least that the search results aren’t impartial.

Bush thinks intelligent design should be taught alongside evolution in schools -

http://www.fortwayne.com/mld/newssentinel/news/editorial/12278405.htm

“I think that part of education is to expose people to different schools of thought,” Bush said. ” You’re asking me whether or not people ought to be exposed to different ideas, the answer is yes.”

That is, of course, the usual dodging of the real point. ID is not a theory, it is a vague notion. It is the embodiment of saying “we can’t know, so we’re free to imagine whatever we want”. It is as testable as the flying spaghetti monster “idea”. ID is useless as a scientific concept, because it closes off further investigation.

(I might accept ID as a valid theory if it was accompanied by some attempt to identify, and possibly vanquish, said creator.)

All ideas are not equal. ID should not be taught in schools any more than the “idea” that black people are inferior because they have smaller brains should be.

“Because I say so” is not a valid logical argument.

Why haven’t we put this idiocy to rest yet?

[Update: here's some good dissection of this point.]

“Jim March, a member of the Black Box Voting board of directors, was arrested Tuesday evening for trying to observe the Diebold central tabulator (vote tallying machine) as the votes were being counted in San Diego’s mayoral election (July 26).”

http://www.bbvforums.org/cgi-bin/forums/board-auth.cgi?file=/1954/8556.html

Bruce Schenier’s blog has excellent comments on the NYC subway search stupidity.

http://www.schneier.com/blog/archives/2005/07/searching_bags.html

NYC Police are apparently going to start random bag searches of people entering the subway.

And if you refuse to have your bag searched? Why, you’ll have to leave the subway and try again later.

http://1010wins.com/topstories/local_story_202135404.html

I fail to see the point of this huge waste of time, effort, and privacy.

Millimeter-wave machines are to be deployed to scan the passengers of the London Tube.

http://technology.timesonline.co.uk/article/0,,20409-1686151,00.html

Because the 500,000 security cameras obviously weren’t enough to prevent the bombing, obviously the answer is more invasive surveillance.

Perry Metzger (on hiatus from blogging), moderator of the cryptography list, wrote the following in response to the question of why Americans are so afraid of ID cards. I reproduce it here verbatim with permission:

Perhaps I can explain why I am.

I do not trust governments. I’ve inherited this perspective. My grandfather sent his children abroad from Speyer in Germany just after the ascension of Adolf Hitler in the early 1930s — his neighbors thought he was crazy, but few of them survived the coming events. My father was sent to Alsace, but he stayed too long in France and ended up being stuck there after the occupation. If it were not for forged papers, he would have died. (He had a most amusing story of working as an electrician rewiring a hotel used as office space by the Gestapo in Strasbourg — his forged papers were apparently good enough that no one noticed.) Ultimately, he and other members of the family escaped France by “illegally” crossing the border into Switzerland. (I put “illegally” in quotes because I don’t believe one has any moral obligation to obey a “law” like that, especially since it would leave you dead if you obeyed.)

Anyway, if the governments of the time had actually had access to modern anti-forgery techniques, I might never have been born.

To you, ID cards are a nice way to keep things orderly. To me, they are a potential death sentence.

Most Europeans seem to see government as the friendly, nice set of people who keep the trains running on time and who watch out for your interests. A surprisingly large fraction of Americans are people or the descendants of people who experienced the institution of government as the thing that tortured their friends to death, or gassed them, or stole all their money and nearly starved them to death, etc. Hundreds of millions of people died at the hands of their own governments in the 20th century, and many of the people that escaped from such horrors moved here. They view things like ID cards and mandatory registry of residence with the local police as the way that the government rounded up their friends and relatives so they could be killed.

I do not wish to argue about which view is correct. Perhaps I am wrong and Government really is the large friendly group of people that are there to help you. Perhaps the cost/benefit analysis of ID cards and such makes us look silly. I’m not addressing the question of whether my view is right here — I’m just trying to explain the psychological mindset that would make someone think ID cards are a very bad idea.

So, the next time one of your friends in Germany asks why the crazy Americans think ID cards and such are a bad thing, remember my father, and remember all the people like him who fled to the US over the last couple hundred years and who left children that still remember such things, whether from China or North Korea or Germany or Spain or Russia or Yugoslavia or Chile or lots of other places.

http://www.flickr.com/photos/fields/sets/545333/

Since when does “one tower” evoke “two towers”?

http://www.nytimes.com/2005/06/30/arts/30appraisal.html?ex=1277784000&en=4099edc8a297a3b6&ei=5090&partner=rssuserland&emc=rss

Ironically, the headline of this article is “IRS search for public records access ends with ChoicePoint”. Ha!

“The Internal Revenue Service has awarded ChoicePoint Government Services a contract worth as much as $20 million to serve as the agency’s public records provider for batch processing projects, according to the company.”

http://www.gcn.com/vol1_no1/daily-updates/36239-1.html

???!

So, being the target of the data breach du jour is now your ticket to FAT FAT GOVERNMENT CONTRACTS.

Oh, but wait, that was four or five months ago. Everyone must have forgotten about it by now.

Right?

Via hackaday:

http://www.casualty-maps.com/

[Update: another map (not a Google map), this one with casualties plotted over time by country and location in Iraq: http://www.obleek.com/iraq/index.html]

I’ve been hearing a lot that the Grokster decision is akin to the court saying that gun manufacturers should be liable for crimes committed with guns.

I think a better analogy is this: if a gun manufacturer sells guns with a sign that says “Bank Robbing Projectile Launchers Here” and then in the middle of a bank robbery they help their customers unjam their guns so they can fire at the cops again, that they might have some liability as an accessory to the bank robbery.

I’ve actually had time to read the entire decision, and I find this totally reasonable.

This is the text of the decision, and I’m surprised that this was turned into such a landmark case to begin with. It’s meaninless – all it says is that if you promote a service meant to contribute to copyright infringement, you can’t hide behind the defense that your service also has other uses.

http://caselaw.lp.findlaw.com/scripts/getcase.pl?court=US&vol=000&invol=04-480

Discovery revealed that billions of files are shared across peer-to-peer networks each month. Respondents are aware that users employ their software primarily to download copyrighted files, although the decentralized networks do not reveal which files are copied, and when. Respondents have sometimes learned about the infringement directly when users have e-mailed questions regarding copyrighted works, and respondents have replied with guidance. Respondents are not merely passive recipients of information about infringement. The record is replete with evidence that when they began to distribute their free software, each of them clearly voiced the objective that recipients use the software to download copyrighted works and took active steps to encourage infringement.

This isn’t about freedom of technological expression, unless I’m missing something big here. These guys were running a service encouraging people to trade copyrighted content, giving them tech support on it, and then hiding behind the claim that other people were using the service for legitimate means.

We can argue about whether that should be legal or not, but as far as I can tell, there isn’t a strong case for the argument that it actually is legal. This isn’t about protecting the rights of technologists to develop new ideas – this is about actual copyright infringement. There are two different cases here:

1. You release a tool that enables people to infringe copyright and you have no control over that.
2. You release a tool that enables people to infringe copyright and you advertise it as such, promote it with that goal, and help people out when they can’t download the latest Britney album.

Sounds like #2 to me.

The Supreme Court has unanimously decided that filesharing companies should be held liable for copyright infringement performed on their networks.

“One who distributes a device with the object of promoting its use to infringe copyright … is liable for the resulting acts of infringement by third parties using the device, regardless of the device’s lawful uses,” Justice David Souter wrote in the ruling.

http://arstechnica.com/news.ars/post/20050627-5042.html

[Update - I think this is reasonable. Here's why.]

What’s that slightly coppery smell? It’s irony mixed with incompetence.

So, let me get this straight. The UK government decides to implement a national ID system amid serious criticism of its effectiveness at all and its cost-effectiveness in particular, and now is considering selling the data to pay for spiraling costs.

I bet that idea is guaranteed to reduce identity theft and abuse of the system.

http://news.independent.co.uk/uk/politics/story.jsp?story=649780

http://www.chron.com/cs/CDA/ssistory.mpl/metropolitan/3239024

New London, Connecticut is salary.com’s #1 most affordable city for 2005:

http://money.cnn.com/2005/05/23/pf/pay_costliving/index.htm

“The living costs measured in the new Salary Value Index include housing, food, transportation, utilities and state taxes. The index also factors in an area’s employment and job-growth rates.

What it does not account for are quality-of-life issues, such as culture, school systems and the weather.”

… or, you know, the fact that the city may seize your house and knock it down.

“File a false unemployment claim and you can receive $400 per week for 26 weeks. Do it for 100 Social Security numbers and you’ve made a quick $1.04 million. It’s tough to make crime pay much better than that.”

http://news.com.com/States+fiddle+while+defrauders+steal/2010-1071_3-5754429.html

I think this is a terrible precedent. But, you know, you’ve got to build bypasses.

http://news.yahoo.com/s/ap/20050623/ap_on_go_su_co/scotus_seizing_property

Plenty of money to go bomb other countries, but let’s not spend any money on making sure our kids can read (yes, I personally learned to read largely from watching Sesame Street). Thanks.

A House panel has voted to eliminate all public funding for NPR and PBS, starting with “Sesame Street,” “Reading Rainbow,” and other commercial-free children’s shows. If approved, this would be the most severe cut in the history of public broadcasting, threatening to pull the plug on Big Bird, Cookie Monster, and Oscar the Grouch.

The cuts would slash 25% of the federal funding this year–$100 million–and end funding altogether within two years. The loss could kill beloved children’s shows like “Clifford the Big Red Dog,” “Arthur,” and “Postcards from Buster.” Rural stations and those serving low-income communities might not survive. Other stations would have to increase corporate sponsorships.

Sign the petition against this cut:

http://www.moveon.org/publicbroadcasting/

The EFF has collected a number of FAQs about legal issues that various kinds of bloggers may face.

http://www.eff.org/bloggers/lg/

The EFF is doing good work that needs doing. I urge you to support them.

“We the undersigned write because of our concern regarding recent disclosures of a Downing Street Memo in the London Times, comprising the minutes of a meeting of Prime Minister Tony Blair and his top advisers. These minutes indicate that the United States and Great Britain agreed, by the summer of 2002, to attack Iraq, well before the invasion and before you even sought Congressional authority to engage in military action, and that U.S. officials were deliberately manipulating intelligence to justify the war.”

Here’s the full letter:

http://www.johnconyers.campaignoffice.com/index.asp?Type=SUPERFORMS&SEC={4A195451-3934-4C00-B11D-BEE8AFA3D119}

Here’s the actual text of the memo:

http://www.timesonline.co.uk/printFriendly/0,,1-523-1593607-523,00.html

Many many signatures have already been collected. Here’s an update:

http://www.dailykos.com/story/2005/6/2/15274/55931

“1. An altered memory card (electronic ballot box) was substituted for a real one. The optical scan machine performed seamlessly, issuing a report that looked like the real thing. No checksum captured the change in the executable program Diebold designed into the memory card.

2. A second altered memory card was demonstrated, using a program that was shorter than the original. It still worked, showing that there is also no check for the number of bytes in the program.

3. A third altered memory card was demonstrated with the votes themselves changed, showing that the data block (votes) can be altered without triggering any error message.”

http://www.bbvforums.org/cgi-bin/forums/board-auth.cgi?file=/1954/5921.html

I’m not sure how I feel about this.

A Minnesota court has ruled that the presence of encryption software is valid evidence for determining criminal intent. On the one hand, it seems like a severe misunderstanding of how the modern world actually works, given that encryption is absolutely essential for many things we take for granted.

I guess I can see that if there’s other evidence, this might be used as evidence that you have something to hide, but I worry for the situation where there isn’t any other evidence of a crime, and the fact that there’s something to hide becomes the key determining factor.

Everyone has something to hide. It may be private, it may be secret (not the same thing), it may be evidence of a crime, or it may be evidence of something that someone else thinks is a crime but you don’t. For the latter two, that is, of course, why we have a legal system in the first place. For the former two, there are plenty of legal reasons to want to keep those things private or secret.

http://www.schneier.com/blog/archives/2005/05/encryption_as_e.html

I’ve written before about why a National ID card, and particularly dependence on a National ID card, is actually likely to make us less safe, not more. This is a new blog collecting ways to fight it:

http://realidrebellion.blogspot.com/

In short, the Real ID Act is a huge waste of money that will likely have the opposite of the stated effect, but will enable other kinds of tracking that are not worth the cost at best and totalitarian at worst, while leaving huge vulnerabilities for legitimate users of the system (i.e. MOST of the population).

On Tuesday, it comes up for vote in the Senate. It’s already passed the House.

http://www.unrealid.com/
http://action.eff.org/site/Advocacy?id=119

Senator Durbin’s opposing viewpoint:
http://aila.org/contentViewer.aspx?bc=9,594,8140,9251

Bruce Schneier has written extensively on why a National ID card is both a waste of money and likely to make us less safe.

I’ll paraphrase here, but I urge you to read his versions:

http://www.schneier.com/crypto-gram-0404.html#1
http://www.schneier.com/crypto-gram-0402.html#6

And particularly, his analysis of REAL ID:

http://www.schneier.com/blog/archives/2005/05/real_id.html

There are several key points:

1) It’s a common fallacy that identification is security, and that putting a label on everybody will automatically mean you can identify the bad guys. This is simply not true, and it’s an excuse to get an ID card implemented for other things. It is not possible to make an unforgeable ID card, and spending money on that is money that could be better spent on other, more useful (from a security standpoint) things, like training border guards. This fallacy has been propagated for years by the airline industry – matching ID to the name on the ticket does nothing for security.

2) A national ID card is a single point of very valuable failure for ID theft. With a one-stop card that’s good for everything, the incentive to forge that one card goes WAY up.

3) There isn’t one database of every citizen, currently, although the IRS probably comes closest. There has been no discussion about the feasibility of merging a bunch of databases into one, or how access will be limited to that data, how it will be secured, etc… This is not a small problem, and it’s being swept under the rug as an afterthought.

4) A very simple question – “is this a smart way to spend how much money for … what gain exactly?”.

A few quotes from Bruce:

“REAL ID is expensive. It’s an unfunded mandate: the federal government is forcing the states to spend their own money to comply with the act. I’ve seen estimates that the cost to the states of complying with REAL ID will be $120 million. That’s $120 million that can’t be spent on actual security.

And the wackiest thing is that none of this is required. In October 2004, the Intelligence Reform and Terrorism Prevention Act of 2004 was signed into law. That law included stronger security measures for driver’s licenses, the security measures recommended by the 9/11 Commission Report. That’s already done. It’s already law.

REAL ID goes way beyond that. It’s a huge power-grab by the federal government over the states’ systems for issuing driver’s licenses.”

“Near as I can tell, this whole thing is being pushed by Wisconsin Rep. Sensenbrenner primarily as an anti-immigration measure. The huge insecurities this will cause to everyone else in the United States seem to be collateral damage.”

A few observations of my own:

- This comes on the tail of the realization that the TSA has spent 4.5 BILLION dollars in the past few years on useless “security” measures in the past 3 years, some not insignificant chunk of which was spent on things relating to identification of passengers. It has been widely concluded that the airlines are no safer than they were in 2001.

- This administration is seriously deluded about security measures in electronically readable identification (particularly RFID implementation), and was recently forced against their every protest to face the fact that bad guys don’t play by your rules, and you need to design security measures against the worst case, not the best case. I see nothing like that here.

- Just the fact that it was slipped into a military appropriations bill and will pass with no debate is reason enough for me to be suspect.

http://www.unrealid.com/
http://action.eff.org/site/Advocacy?id=119

In the last post, I wrote a lot about what’s wrong with Google’s new services and terms of service. I think one thing bears important repeating.

MANY of your important interactions with Google are unencrypted. As such, it is even more trivially easy to steal the value of someone’s Google cookie, and possibly pose as that person to Google. It’s possible that Google has taken precautions against this, but the risk is currently unknown. If this is possible, I think that throws a huge wrench into the use of this information by law enforcement.

I remember early discussions when it was first revealed that Google was storing a persistent lifetime cookie. It was generally perceived to be “okay” only because the value was not to be tied to search history in any way. We predicted that someday it would be.

Sometimes the slippery slope is actually slippery.

I’ve been kicking this around for a while, given the release of Google’s ability to save searches.

Google just announced the Google Web Accelerator, and this has the same kinds of privacy issues surrounding it, so I’ll discuss them both here. For those not in the know, Google Search History is the feature that lets you access your past searches if you’re logged into Google. The Web Accelerator is a proxy that pushes all of your browsing through Google’s servers. Ostensibly, this is to make your browsing faster, but it also has the side effect that Google can (and presumably will) monitor both the URLs and contents of every web page you’re looking at. You make a request for a web page, and Google fetches it for you. I’d expect that they’re also doing various tricks with preloading and caching.

Google is poised to collect a lot of data on browsing habits, and every indication is that they plan to keep it around.

As a brief aside, while I don’t personally know anyone who works for Google, I do have some friends who do. Every one of them has, in the past, asserted during conversations about Google’s privacy concerns, that Google both has (or had) no intentions of keeping permanent searching / browsing logs, and has (or had) actually built up complicated encryption / hashing mechanisms to allow aggregate data to be kept without individual search histories. That may have been true at one time, although I personally found it doubtful, given that if it were true, Google could only benefit by stating it publicly. They have never done so, and recent events have shown that assertion to be presently categorically false. Google does want to keep your individual search history. I think that’s a relevant point to the privacy debate.

In reference to search history, I wrote but never published, the following: “Search history is a sensitive area. Saving and aggregating search history is of dubious value to the end user – it’s maybe a minor convenience at best. If you care about that sort of thing, you’ll want to capture for yourself far more information than just search history, and do it locally across the board. There are several plugins for Firefox that will do exactly that for you, and not only watch your tracks, but save complete copies of everything you’re browsing.” In reference to the web accelerator, it’s evident that Google is heading towards collecting that information for themselves.

Set aside the fact that Google has now become an extremely juicy target for a one-stop shop for identity thieves. I’m sure they’ve got great security. But do you? Google’s lifetime cookie is, as always, a serious point of possible failure. One good cross-site scripting attack or IE exploit, or even a malicious extension, and the Google cookie can be easily exposed. What’s your liability for being associated with a search history, or now a browsing history, tied to a stolen Google cookie?

But here’s the real doozie.

The Google Privacy Policy states that Google may disclose personally identifiable information in the event that:

“We conclude that we are required by law or have a good faith belief that access, preservation or disclosure of such information is reasonably necessary to protect the rights, property or safety of Google, its users or the public.”

Welcome to Google, where the Third Law comes first.

This has serious implications. For logged-in users using all of Google’s services, this now includes the contents of your emails, your complete search AND browsing history, any geographical locations you’re interested in, what you’re shopping for, and probably plenty of things I haven’t thought of yet.

I posit that it would not significantly damage Google in any way for them to actually make use of this information, and that Google could withstand any public backlash resulting from it.

I think we’ve long passed the point at which we say “this is bad”.

This is bad.

In case you haven’t been paying attention, there’s a word for this.

It’s called “surveillance”.

I believe that Google should revise their privacy policy to reflect the actual intended usage of this information, and they should clarify under what circumstances this information will be released, and to whom. Will this information be used to catch terrorists? Errant cheating spouses? Tax evaders? Jaywalkers? Anarchists? Litterbugs? As a user, you have a right to demand to know. Of course, don’t expect Google to tell you, since they don’t actually get any of their money from you.

Enjoy!

http://www.salon.com/politics/war_room/archive.html?blog=/politics/war_room/2005/04/25/mercury_pyramid/index.html

There’s a very interesting discussion here on the Becker/Posner blog, between these two very smart and well-educated men, regarding the prospect legalizing drugs in the US:

(The posts seem to be out of order on the blog. I think this is the right order.)

http://www.becker-posner-blog.com/archives/2005/03/the_failure_of.html
http://www.becker-posner-blog.com/archives/2005/03/the_war_on_drug.html
http://www.becker-posner-blog.com/archives/2005/03/response_on_leg.html
http://www.becker-posner-blog.com/archives/2005/03/the_war_on_drug_1.html

If companies can insist on non-negotiable terms for every product sold as a service, why not terms for your money in return?

http://www.moneylicense.com

Dude registers a domain to put up a fan site for a local mall, of all things. The lawyers attack, and he defends. Successfully. Bravo.

http://www.taubmansucks.com/

Bruce Schneier points out that the ChoicePoint exploit is probably far worse than anyone knows:

“Catch that? ChoicePoint actually has no idea if only 145,000 customers were affected by its recent security debacle. But it’s not doing any work to determine if more than 145,000 customers were affected — or if any customers before July 1, 2003 were affected — because there’s no law compelling it to do so.”

http://www.schneier.com/blog/archives/2005/03/choicepoint_say.html

Following close on the heels of the news about ChoicePoint, another “I’m a large corporation and I just exposed the personal data of lots of Americans, and ho ho ho I’m just going to apologize.”

“Bank of America Corp. has lost computer data tapes containing personal information on 1.2 million federal employees, including some members of the U.S. Senate.”

Oops.

http://hosted.ap.org/dynamic/stories/B/BANK_OF_AMERICA_LOST_DATA?SITE=APWEB&SECTION=HOME&TEMPLATE=DEFAULT

There are a whole bunch of problems here.

These companies have very little liability and regulation for aggregating personal data. So, Bank of America has financial information on 1.2 million customers. That’s to be expected. They are, after all, a bank and need access to your financial information. But once you step past that – what else is legal for them to do with the data? Are they liable if they expose it by accident? They have a privacy policy that says they’re careful with your data, but what happens if they break it? Are there actually any consequences?

Bank of America actually has quite a detailed privacy policy, but what’s hidden here is important – it doesn’t say anything about the risks. “Remember that Bank of America does not sell or share any Customer Information with marketers outside Bank of America who may want to offer you their own products and services. No action is required for this benefit.” But also remember that Bank of America is a target, and your recourse is largely limited to “telling them your preferences”.

I’ve been reading “The Digital Person” by Daniel J. Solove, and it’s been an eye-opener about the problems associated with the construction, storage, and use of digital dossiers. It’s possible that I haven’t gotten to the main point yet, but even in the beginning, he makes some good observations – the problems we’re facing here aren’t necessarily malicious, but they are impersonal and uncaring. The fact that an individual piece of data doesn’t really matter if it’s revealed doesn’t mean that lots of pieces all revealed together aren’t a problem.

There are synergistic network effects at play here. It needs to be recognized that the “simple” collection and aggregation of large amounts of data has side effects in and of itself.

Fantastic!

http://yro.slashdot.org/article.pl?sid=05/02/24/0133212

Bruce Schneier points out this EFF article on electronic voting machine recounts, which is good overall, but fails to hammer home the biggest point, I think. “Easy”, here is only a secondary goal, after “Correct” (or, more properly, “Verifiably Correct”). The first priority is that the count match the intent of the voters. Only AFTER that goal is met to the best of our ability can we start thinking about ways to make the processes of voting and counting easier or faster. “Easy” is being given too much weight, at the expense of “Correct”.

If you have a hole in your wall, it’s pretty easy to put duct tape over the hole to keep the wind out.

http://www.schneier.com/blog/archives/2005/01/election_recoun.html
http://www.eff.org/deeplinks/archives/002222.php

NYC City Council feels royally fucked by NYS, US… again ponders secession.

http://www.nypost.com/news/regionalnews/38867.htm

Okay, this is a whole bunch of subjects near and dear to me. Security, content management, collaborative workflow, information sharing. The FBI’s new collaborative case file system is being scrapped after spending $170 million with a result of less than 10% of the functionality being delivered.

This really bugs me. This kind of project is totally doable, and it could have (nay, should have) been done right. This wasn’t random chance, it wasn’t happenstance. Somebody fucked up bigtime, and somebody else fucked up in writing a check to that first somebody.

Maybe $170 million wasn’t enough to do this right – that’s certainly possible. But there’s no excuse for spending $170 million and getting nothing, or spending $170 million before you figure out that it’s not enough.

http://www.nytimes.com/2005/01/14/politics/14fbi.html

(Yes, I’ll put my mouth where their money is. I think I could do better.)

Bruce Schneier has taken an advisory role in evaluating the Secure Flight initiative. He can’t talk about it. If it’s badly broken, we’ll probably never know. But at least he’s in there. I actually feel a little safer already.

http://www.schneier.com/blog/archives/2005/01/secure_flight_p.html

$240,000 of taxpayer money paid to commentator Armstrong Williams to promote the No Child Left Behind act.

http://story.news.yahoo.com/news?tmpl=story&cid=676&e=2&u=/usatoday/20050107/ts_usatoday/whitehousepaidcommentatortopromotelaw

http://www.humanrightsfirst.org/blog/

“With regards to our factual finding, in brief, we find that there were massive and unprecedented voter irregularities and anomalies in Ohio. In many cases these irregularities were caused by intentional misconduct and illegal behavior, much of it involving Secretary of State J. Kenneth Blackwell, the co-chair of the Bush-Cheney campaign in Ohio.”

http://www.truthout.org/docs_05/010605Y.shtml

DRM doesn’t work to prevent copying. It cannot work to prevent copying (it can only work to prevent legitimate users from using content in the ways they’d like to, and to turn them into criminals when they do it anyway). Therefore, file trading will continue. It can be made illegal, but then, you have to define the illegal behavior. In the case of a store, that’s easy. There’s a physical item you’re not allowed to walk away with. In the case of a piece of content, it’s not so easy.

(more…)

Mayur has written an extended piece against Social Security privitization. With permission, I include it here in its entirety:

(more…)

cdh points me to this article by Federal Judge (and blogger!) Michael Posner on the economics of copyright, and why copying should always qualify as fair use if the copyright holder has not expressed “enough interest” in retaining copyright.

http://www.bepress.com/ev/vol1/iss1/art3/

Or jump straight to the PDF:
http://www.bepress.com/cgi/viewcontent.cgi?article=1003&context=ev

Also, there’s Judge Posner’s blog, which he shares with Nobel Prize winner Gary Becker:

http://www.becker-posner-blog.com/

Very useful page of corporate contact numbers, courtesty of the GSA.

http://pueblo.gsa.gov/crh/corpormain.shtml

Interesting post from Cringely, about what it might take to make a grassroots tsunami early warning system.

Obviously, the Government approach is The Cathedral:

“We can’t rely on governments to do this kind of work anymore. They just take too darned long and spend too much money for what you get. Besides, since governments are almost totally reactive, what they’ll build is a warning system for precisely the tsunami we just had — a tsunami bigger than any in that region since the eruption of Krakatoa eruption of 1883. One could argue (and some experts probably will) that it might even be a waste of money to build a warning system for a disaster that might not happen for another 121 years.”

http://www.pbs.org/cringely/pulpit/pulpit20041230.html

The Extreme in the title of this post is a reference to Extreme Programming (XP), a very interesting and sometimes blindingly effective development methodology based around collaboration, communication, the philosophy of as-little-documentation-as-needed-but-no-less, and frequent testing and rebuilding of small, modular, pluggable pieces. It was designed to accomodate frequently changing requirements in a highly dynamic environment. One of the aims of XP is to be able to walk away from the project at any given release (typically spaced two weeks apart), and still have a working system, even if it doesn’t meet all of the feature requirements. This is exactly what’s needed here – get something up and running quickly, and build on it over time.

Fantastic piece on DRM by Cory Doctorow.

http://www.boingboing.net/2004/12/29/cory_responds_to_wir.html

I think this is a mostly accurate assessment, one that is not worded strongly enough.

But, there’s a distinction between “how things should be” and “how things are currently” that needs to be drawn.

Content owners, however unfortunate that may be, do call most of the shots, by virtue of the fact that they claim to do so. But there’s no reason to think that the public has to let them. In contracts, and more specifically, in policy, the guilty party that yells the loudest and makes the most demands can set the stage up however they want, and everyone who goes along with it gives them only more power to do so. This is the reality of intangible agreements, and the “rules” are whatever the content companies dictate and consumers accept. Or consumers dictate and content companies accept. If you disagree with this, you must speak. Verbally, with your wallet, in print, on the radio, on TV. Change the discourse.

I wholeheartedly agree with the point about using DRM to remove functionality included at the time of purchase, and shrouding it in ongoing rental/license fees as an excuse that you always have the choice to renew or cancel, and so promises they’ve made up to that point are somehow not required to be included in future negotiations. This sort of transaction is very much like a “sale”, but it is not a “sale”, even though most people continue to consider it such (because all they know is “sale”, and no one’s explained the new rules to them well enough). It differs from a “sale” in that it removes any obligation on the part of the producer/supplier to not reverse any of the terms of the transaction after the fact. Think about what that means for a second.. . .

Think about what it would be like if other things worked this way. Say you buy a microwave oven that comes with a “single touch popcorn function”. That’d be a selling point of the microwave, that would maybe encourage you to choose one kind of microwave over another. Now, say it’s a month later, and the popcorn function stops working. You’d expect the company to fix it, right? Now, what if when you ask them to fix it, they say “Sorry, we turned if off from here. If you want to make popcorn, you have to pay us another dollar.”? Do you? Or do you decide that the initial purchase was made on fraudulent terms and demand your money back?

Maybe, the argument goes, they won’t do this because then — who would buy their product in the future? But what if, at the same time, it became impossible to find a microwave with a built-in popcorn feature that was just “included”? That would be stupid, right? Maybe this is stretching the analogy a bit thin. Manufacturers should be adding features to get new customers, not taking them away. Except that you’re not looking at the right value proposition – the fact that you want to make popcorn in your microwave benefits the people who make the microwave in exactly zero ways, once you’ve already made the decision to buy the microwave… Unless, that is, they can get you to buy the ability to make popcorn again. Of course, they’d have to also find ways of getting you to think you still had a good deal, so you wouldn’t tell your friends what happened.

There are three possible outcomes:

1) Your microwave (and everything else digital, and that eventually means “everything”) starts to behave more like your cable box. Welcome to popcorn licensing.

2) Your cable box starts to behave like your microwave does today. Frankly, I just don’t see this happening.

3) We all step away and look at different pricing models for this business of bit pattern creation, and examine what the real value of this industry is, and where the trade-offs are.

Content companies spend millions per year on lobbying the government to change the “rules”.

Where are you in this discussion?

-

http://www.americanprogress.org/site/pp.asp?c=biJRJ8OVF&b=274629