Am off again for the Easter weekend. But not before quoting this delightful exchange from a recent debate in Parliament on the new law (yes that one again!) making it (or intending to make it) illegal to design, use and sell hacking and DDOS tool kits.
"The hon. Member for Hornsey and Wood Green (Lynne Featherstone) was right to raise the issue that hacking tools are often used by computer technicians to rectify problems. I have been very stressed since Monday morning, when I switched on my desktop computer in Norman Shaw, North only to get an error message and find that I could not access my programmes, my e-mail or anything else. Fortunately, I have another computer. I phoned extension 2001 and eventually managed to speak to an intelligent life form, although it took a little while, as we know happens with extension 2001.
The Chairman: Order. The hon. Gentleman’s travails are deeply fascinating to the Committee, but we have to get back to the amendment under consideration.
Michael Fabricant: As ever, I accept your guidance, Mr. Conway. Mr. Graham Lugton, who I suspect is in my room this very moment, might be using that [diagnostic tool] software.
Stephen Pound (Ealing, North) (Lab): Wiping your history, I hope."
See http://www.publications.parliament.uk/pa/cm200506/cmstand/d/st060328/am/60328s03.htm .
A UK-based cyberlaw blog by Lilian Edwards. Specialising in online privacy and security law, cybercrime, online intermediary law (including eBay and Google law), e-commerce, digital property, filesharing and whatever captures my eye:-) Based at The Law School of Strathclyde University. From January 2011, I will be Professor of E-Governance at Strathclyde University, and my email address will be lilian.edwards@strath.ac.uk.
Friday, April 14, 2006
Wednesday, April 12, 2006
Booby Job of the Week
This appeared shyly on an on line recruitment list I (used to) subscribe to..
Vacancy Title: Chief Executive
Location(s): London
Reference:
Department: Home Office
Salary: Not specified
Brief description: The National Identity Scheme is being delivered through a new Executive Agency (IPS) formed from the UK Passport Service and the Identity Cards Programme. IPS will work closely with other parts of the Government and private sector organisations to deliver the wide-ranging benefits expected of the scheme.
Working Arrangement(s): Full Time
Closing Date: 8 May 2006
More Information: http://www.careers.civilservice.gov.uk/index.asptxtOverRideDocID=19945
Any volunteers?-)
Gadding About for Fun and Profit, oops, non-profit..
Having not yet opened my suitcase from last (highly stimulating and not at all sunny:-) jaunt to Malta, I have to admit that this conference upcoming in June is very tempting. And not only because it's being held in Rio:-)
"The aim of iCommons reaches far beyond the infrastructure that CC is building. The aim of the iSummit is to bring together a wide range of people in addition the CC crowd - including Wikipedians, Free Software sorts, the Free Culture kids, A2K heroes, Open Access advocates, and others -- to "to inspire and learn from one another and establish closer working relationships around a set of incubator projects." iCommons has a separate board from Creative Commons -- Joi Ito is its chair -- and its ultimate mission (in addition to this annual moveable feast of commons conversation) will be determined by the conversation that will continue in Rio." See further Lessig blog.
Having just come from the launch of Creative Commons Malta with that self same Lessig in attendance (at, uh, that conference mentioned in the previous item with the name that sounds like a skin disease), I was becoming a mite cynical about how much I actually still had to learn about CC and its international progeny. It's a lovely idea for a religion (as Ron Hubbard is once said to have declared in another context), but as far as actual law goes, it's just software licenses after all - would it go down as well with the great washed open source yoof if it was called Just Another Type of Licensing, rather than the much groovier Creative Commons? (I may yet write my paper on this for GikII, Martina...!)
But the move towards collaborative creation of, and open access to, knowledge in general - and the future of wikis and Wikipedia in particular - is something that I think is becoming of crucial importance in the development of the Web and the nurturing of knowledge - including legal knowledge. So maybe I'll go after all.
And IT law conferences are like buses - no good ones for ages then three come along in one month. Having already decided I really don't have time for the First International Conference on Legal, Security and Privacy Issues in IT, April 30 - May 3, 2006, Hamburg, Germany, I now get an invite (at BILETA - no website I can find yet) to the even more enticing LEFIS Monitoring and Supervision Workshop in Rotterdam in - guess when - June!
Good thing my union is on strike so with any luck we won't be marking any poxy exams in June, huh?
**EDIT: In the interests of fairness and open access!, I should add details of yet another victim (for me) of the June pile up, namely IT and the Legal Learning Space,
The 9th bi-annual conference on Substantive Technology in the Law School, Oslo Thursday 29, Friday 30 June and Saturday 1 July 2006. In the past this conference (colloquially known as Subtech) has been one of the highlights of the academic year, and this year it is to be run by the Oslo people and that colossus of the field, Jon Bing - I hate to face the reality that this year, I just can't prioritise over at least 2 of the 3 others listed above..
And it doesn't end there. July 10th-11th 2006 sees another goody, the Unlocking IP conference in UNSW, Sydney, Australia, courtesy of the ever energetic Graham Greenleaf and his team at AustLII. It's going to be a long hot summer for (well funded and time-rich) open source/creative commons mavens: if they don't change the world they should at least come home with a tan and knowing how to (a) light a barbie and (b) salsa..
Wikipedia vs Linux
Fascinating comparison of the numbers of users and active contributors to Linux and Wikipedia.
"Wikipedia can draw on half a billion potential contributors; only about 100,000 people can code Linux.
It's hard to overstate this difference."
So, yes, I'm back from BILETA in Malta (the annual reunion of the UK and increasingly, European/Asian IT Law, Internet law, and legal technology in education tribes.) Saw lots of interesting papers, some of which may even be written up when I've regained the energy, after twelve hours travelling on two hours sleep, to open my bag and find my conference abstract programme.
After last year's deluge of P2P and FOSS papers, this year, much talk of eBay, Flickr, Wikipedia, Jurispedia and Wikis as the new legal textbooks - looks like C2C and collaborative peer production models have hit the legal hive mind..
Monday, April 03, 2006
The DOS wars: Blogscript strikes back
Blogscript sadly fell beneath the waves of overwork at rather the wrong time to make a dent in the amendment process to the Police and Justice Bill revisions of the CMA 1990. Well, inspired by general waves of self congratulation from everyone from the APIG to the BCS, I feel inclined to remark in a curmudgeonly way that I'm still not at all happy that the CMA amendments will do anything to water-tightly criminalise DOS in the UK. See my previous blog post at http://blogscript.blogspot.com/2006/01/denial-of-service-i-told-you-so-part.html .
If the latest version of the PJB is as at http://www.publications.parliament.uk/pa/cm200506/cmbills/119/06119.27-33.html, which I *think* it is, then it seems the amendments made have changed nothing useful (in cl 34 - cl 35 has been improved).
The crucial point is that in cl 34 it now reads: (I paraphrase)
S 3(1)CMA90 is amended to say
"A person is guilty of an offence if—
(a) he does any unauthorised act in relation to a computer;
AND (emphasis added)
(b) at the time when he does the act he has the requisite intent and the requisite knowledge."
It doesn't help to define the intent required by s 3(1)(b) to include intent to impair* if s 3(1)(a) can't be established. You need both pre conditions for a conviction. And as things stand, post last year's DOS acquittal, someone who sends ordinary email or page requests etc to an open website is still not "unauthorised".
What is needed is to re-define or clarify "unauthorised". One easy way might be something like "The owner or operator of a website or server is rebuttably presumed not to give authorisation to the sending of data or traffic to that site where it is sent for the primary purpose of [insert the terms from s 3(2)]*".
I can't see any attempt to clarify "unauthorised" in the PJB. Worse still, we still have s 3(4) declaring that "For the purposes of subsection (1)(b) above the requisite knowledge is knowledge that the act in question is unauthorised".
I sincerely hope I've missed something. Pah. Why do we expect MPs to draft legislation? We don't expect them to perform heart surgery or build bridges. Why is drafting law, a difficult and skilled task, treated as amateur hour?
* s 3(2) CMA 1990: "(a) to impair the operation of any computer,
(b) to prevent or hinder access to any program or data held in any computer, or
(c) to impair the operation of any such program or the reliability of any such data,
whether permanently or temporarily."
Thursday, March 30, 2006
Predictions that went flop..
Not all IT related by any means, but I particularly like these three:
«This antitrust thing will blow over.»
Bill Gates, founder of Microsoft.
«Remote shopping, while entirely feasible, will flop - because women like to get out of the house, like to handle merchandise, like to be able to change their minds.»
TIME, 1966, in one sentence writing off e-commerce long before anyone had ever heard of it.
«There is no reason anyone would want a computer in their home.»
Ken Olsen, president, chairman and founder of Digital Equipment Corp. (DEC), maker of big business mainframe computers, arguing against the PC in 1977.
BlogScript knows it's been a bit thin lately: it's sorry, but it's had new job negotiations and end of term to deal with, is off to a funeral, and then off to BILETA, the UK/EU national IT law conference, in Malta, where hopefully it will not only give a paper on eBay and update itself on the latest in Islamic data protection law (for real!) but also try out every one of the four pools at the conference centre hotel :-) After that, mega content!!
Thursday, March 23, 2006
Cruel and Unusual Punishment
MMORPG reintroduces crucifixion.
I wittily suggested that if online personae do exist, and have human rights (as my PhD student is currently trying to claim) then they could certainly claim this was torture and so illegal under the ECHR. A passing computer gamer however noted "And so is getting shot in the face."
Point taken. There are some places law should not go :-)
Sunday, March 19, 2006
Read and wee(ip)
Great collection of IP overkill stories - fun for all the family!
Thanks for the tip to Andrew Ducker.
Tuesday, March 14, 2006
Free wi fi = free beer, free speech or stolen beer?
Interesting discovery - an outfit called FON who are aiming to provide access to members ("Foneros") to free but secure wi fi wherever you go. They're backed by some heavyweight names like Esther Dyson and Dan Gillmor. Basically, individuals are encouraged to sign up to FON and buy a FON-equipped router (for the reduced sum of 25 Euros/USD), which allows other FON users to use their bandwidth, via pre arranged usernames and passwords, wherever they go. FON undertake that the original user will always be left with a "reasonable amount of bandwidth" whatever that means :-) - and it does have the big advantage of meaning you can share a wi fi connection with pals without leaving it unsecured.
The big question, of course, is how legal is it? A while back as an anecdotal exercise I looked at a few UK ISP subscriber contracts and found that few, if any, had any direct prohibition on bandwidth sharing. Yet one imagines they wouldn't be too happy if this sort of wi fi sharing took off globally. The FON people themselves rather cleverly cover their backs with a term in the legal notice:
"In accordance with the Terms and Conditions of Use of FON Services, Foneros who enter the FON Community must have access to the Internet where they are permitted to share bandwidth with others and/or to download FON Software onto your router."
Of course there is no implication that they will check this so the legal risk falls on the users, which is of even less comfort to ISPs one imagines - always better to have a node to sue than a multiplicity of users. (Can we foresee the invention of the tort of inducement of wireless bandwidth theft a la Grokster??)
There's also a few cases lately in US and UK which hold that war-chalking - stealing bandwidth without the consent of the original bandwidth renter - is a crime. Yet this is IMHO not that either, since everyone involved in the FON network has consented to wi fi sharing.
So I conclude it's legal. Stick Skype or similar on your PDA (the new Orange SPV 3G phone will do this nicely, even though it is the size of a brick) and you need never pay a long distance phone bill again. Will this take off? I wonder. My own needs for wireless are most prominent (a) in hotels (b) in airports - and neither is somewhere where FON subscribers are likely to live and have a FON router set up. But then I'm quite happy to pay my £15 a month for broadband from Telewest - maybe others are more canny/mean.
Tuesday, March 07, 2006
Click and dick?
The Harlow Star reports that a councillor who was sacked for downloading obscene pictures has failed in his attempts to have the monitoring employed by the council declared illegal. Judge Bradbury said the council was entitled to monitor its computers to avoid breaches of its code of conduct, which includes a prohibition on accessing pornography.
This is of a fair bit of interest legally, as very few UK reported decisions at courts (not EAT) level exist dealing with the legality of electronic employee surveillance, a matter which has been controversial ever since the Lawful Business Regulations and the Information Commissioner's Code on Employee Monitoring came out. But casual readers will I suspect best remember this case for the councillor's excuse - he wasn't downloading porn, he was just checking out condom sizes as part of his role as the Liberal Democrat group's health spokesman conducting research into the European Union's recommended size for condoms.
Pull the other one, Matthew, it's got bells on it:-)
I am reminded of this delightful song - "Grab your dick and double click.."!
Is dongle still just a silly word?
.. or is two factor authentication the coming saviour for security in online banking?
Alliance and Leicester is set to roll out two-factor authentication to its internet banking customers. Two-factor authentication usually couples a password with some kind of device that generates a second passphrase. The idea is that this makes it harder for fraudsters to steal both passwords and is therefore more secure than traditional methods of internet banking.
Bruce Schneier disagrees.
"The problem with passwords is that they're too easy to lose control of. People give them to other people. People write them down, and other people read them. ...
Two-factor authentication mitigates this problem. If your password includes a number that changes every minute, or a unique reply to a random challenge, then it's harder for someone else to intercept. You can't write down the ever-changing part. An intercepted password won't be good the next time it's needed. And a two-factor password is harder to guess. Sure, someone can always give his password and token to his secretary, but no solution is foolproof.
These tokens have been around for at least two decades, but it's only recently that they have gotten mass-market attention. AOL is rolling them out. Some banks are issuing them to customers, and even more are talking about doing it. It seems that corporations are finally waking up to the fact that passwords don't provide adequate security, and are hoping that two-factor authentication will fix their problems.
Unfortunately, the nature of attacks has changed over those two decades. Back then, the threats were all passive: eavesdropping and offline password guessing. Today, the threats are more active: phishing and Trojan horses."
So as Schneier says, imagine a customer is duped by a phishing email and website. He types in his password and he plugs in his dongle to generate a one time authentication code. As now, the site harvests both and logs in as him at the real site. How are we any further on? For a short while phishers may switch their attention to the old password-only sites as easier to crack, but that's just a blip till everyone has gone two-factor authenticated. The same problem arises if a Trojan is sitting on your hard disc harvesting everything you type in or send to a log in on a site.
back to the dongle board, folks..
Monday, March 06, 2006
EBay Makes Your Eyes Water
According to the Beeb, a prosecution brought against eBay.co.uk by the General Optical Council, for aiding and abetting in the illegal sale of contact lenses by persons other than registered opticians, under the Opticians Act 1989, has been dropped, after advice that EBay was protected by European law. One can only assume this refers to Art 14 of the EC Electronic Commerce Directive as implemented in the UK by the 2002 Regulations of the same name. Under this law, reg 19 states that:
"Where an information society service is provided which consists of the storage of information provided by a recipient of the service, the service provider (if he otherwise would) shall not be liable for damages or for any other pecuniary remedy or for any criminal sanction as a result of that storage where -
(a) the service provider -
(i) does not have actual knowledge of unlawful activity or information and, where a claim for damages is made, is not aware of facts or circumstances from which it would have been apparent to the service provider that the activity or information was unlawful; or
(ii) upon obtaining such knowledge or awareness, acts expeditiously to remove or to disable access to the information, and
(b) the recipient of the service was not acting under the authority or the control of the service provider."
EBay's involvement came from some 200 individuals selling contact lenses via its site listings, not from any direct commercial activities of its own. What the GOC seem to have accepted then is that, as EBay themselves put it, "as an "information society service provider", [EBay's] duty is simply to remove illegal sale notices from its site when it is made aware of them, rather than to comb through it for them". This interpretation is reinforced by Art 15 of the Electronic Commerce Directive which provides that EC states shall not impose positive obligations of monitoring on information society service providers.
As the Beeb report points out, this leaves the GOC, as a public regulator, in a highly unsatisfactory position. The GOC spokesman said: "We feel that it is an unreasonable burden for a regulator, with limited resources, to have to monitor the millions of listings on auction websites. In effect, we would have to notify the website of each individual instance of an illegal sale in order for it to be de-listed."
But did the GOC cave too soon? First, Art 15 was never transposed into UK law. Arguably this makes no difference as remedies can be obtained in respect of Directives even where not transposed into domestic law, but it is still rather odd.
Secondly, and rather controversially, could it be argued that the EBay sellers of contact lenses were acting "under the authority or the control of" EBay? EBay do contractually allow sellers to sell on its site, and take a cut of the profits for doing so. Is this not "authority"? As I have noted before, they are hardly in the same position as a traditional ISP handling myriads of communications in a hands off way. EBay furthermore do at least present something that looks rather like "control" in that they have various Acceptable Use policies relating to what can and cannot be sold on EBay. Contact lenses are specifically mentioned under the "prohibited" list. EBay do their best to make these warnings look advisory - "eBay is here to help, but you are ultimately responsible for making sure that buying an item or selling your item(s) is allowed on eBay and is not prohibited in the eyes of the law. Follow these steps to find out whether or not your item can be listed on eBay."
- but such words cannot detract from the fact that it seems a reasonable interpretation that eBay's various "prohibited" policies for buyers and sellers are incorporated by reference as part of the terms of the contract with eBay.
If eBay can be characterised as having either "authority or control" then the immunity provided by reg 19 in respect of criminal liability will fail to protect them.
Thirdly, nothing in the ECD or the UK regs stops a litigant seeking an injunction or interdict in relation to hosting liability. Reg 20 states: "Nothing in regulations 17, 18 and 19 shall ...(b) affect the rights of any party to apply to a court for relief to prevent or stop infringement of any rights." This language speaks of civil law rights, but could it be read also as allowing the GOC to take an injunction preventing eBay from selling contact lenses without a trained optician on staff? If so, the regulator's need for swift and single-targeted action can be met. Such an approach would not be out of step with the rest of the EU - in Germany, in two cases, the Supreme Court has allowed injunctions against on line auction sites in respect of illegal content they were hosting.
This case is significant for more than just the illegal sale of contact lenses. It is the first UK case, and one of the first EU cases, to decide in any shape or form whether eBay's habitual claim of immunity as a "neutral intermediary" will be unquestioningly accepted. As reported on this blog earlier, an action is also pending from Tiffany the diamond sellers in relation to rampant trademark infringement on eBay. If the GOC case is accepted in practice as any kind of precedent (it is not in strict law, being simply the abandonment of the case), it will be hard for any case on civil or criminal hosting liability to stand up against eBay.
Yet in a civil case such as a trademark infringement action, eBay can be held liable not just if it has actual notice, but also if it has constructive knowledge of the infringement. So in the upcoming TM case, I expect to see evidence that eBay must reasonably have known that its listings were full of counterfeit Tiffany goods, even if it was not compelled to actually monitor its site to see just how many counterfeit listings it had - simply from the NTD requests it received on an ongoing basis. The very advice eBay gives about prohibited listings could be seen as evidence that eBay knew quite well these sort of goods were habitually sold on its site. If that were to be proven - and it would not be hard, one feels - a defense of take down only on actual notice would be irrelevant.
Anyone know what lawyers advised the GOC?
Wednesday, March 01, 2006
EFF attack Yahoo!/AOL email postage stamp
EFF are co-ordinating mass opposition to Yahoo!/AOL's email postage stamp scheme, as blogged by me a few days ago. And bloody right too.
"A pay-to-send system won't help the fight against spam - in fact, this plan assumes that spam will continue and that mass mailers will be willing to pay to have their emails bypass spam filters. And non-paying spammers will not reduce the amount of mail they throw at your filters simply because others pay to evade them.
Perversely, the new two-tiered system AOL proposes would actually reward AOL financially for failing to maintain its email service. The chief advantage of paying to send CertifiedEmail is that it can bypass AOL's spam filters. Non-paying customers are being asked to trust that after paid mail goes into effect, AOL will properly maintain its spam filters so only unwanted mail gets thrown away.
But the economic incentives point the other way: The moment AOL switches to a two-tiered Internet where giant emailers pay for preferential service, AOL will face a simple business choice: spend money to keep regular spam filters up-to-date, or make money by neglecting their spam filters and pushing more senders to pay for guaranteed delivery. Poor delivery of mail turns from being a problem that AOL has every incentive to fix to something that could actually make them money if the company ignores it. "
Tuesday, February 28, 2006
Sunday, February 26, 2006
Security, Spam and EBay Law round up
Finally tonight, folks, also worth noting: yet another intensely sensible comment on trust and security from Bruce Schneier, my man of the moment:
and a clip I've meant to blog for some time - Yahoo! and AOL have reinvented the email postage stamp, only a year after Bill Gates did, we all laughed at him, The Great Unwashed Public said "We aren't gonna pay extra for steenking email!" and he said "Gee, that wasn't such a good idea after all huh?". OK the new scheme is a bit different. Yahoo! and AOL say it will act to give email that is stamped "preference", rather than acting, as Gates first envisaged it, as a spam whitelist. This still won't make the public like it so it's being sold as a way of prioritising business email. Do you want your email de prioritised? I sure as hell don't..
Also there's this: "AOL and Yahoo will still accept e-mail from senders who have not paid, but the paid messages will be given special treatment. On AOL, for example, they will go straight to users' main mailboxes, and will not have to pass the gantlet of spam filters that could divert them to a junk-mail folder or strip them of images and Web links."
So if you're a spammer with a bit of start up cash all you have to do is pay the stamp and you evade all filters. OK, 99.99% of spammers won't do that but it still irks me, as the whole point of spam is that it is unsolicited. Spam filters should apply if it's SPAM no matter how much blood money has been paid! OK, the NY Times report adds "The senders must promise to contact only people who have agreed to receive their messages, or risk being blocked entirely." - but like, all spammers have been totally truthful up till now? Riiight!
There's also the point that Yahoo! and AOL simply keep the "postage stamp" money. When economic modes of stopping spam were first proposed a year or two back, the general foundational idea was that the "spam tax" money would not be kept by ISPs but raked back by the government or at least some independent body to be spent on functions of use to the whole Internet - like developing better spam filters. This way it becomes just another revenue stream for Yahoo!/AOL. Back to the NY Times article. "From AOL's perspective, this is an opportunity to earn a significant amount of money from the sale of stamps," he said. "But it's bad for the industry and bad for consumers. A lot of e-mailers won't be able to afford it."
Meanwhile back at The Register, the old idea of strict liability for data breaches has reared its head again in the wake of the theft of a laptop from a mortgage lender containing 550,000 people's full credit information. In the US, the Gramm Leach Bliley Act (GLBA), 15 USC 6801, demands that holders of financial data take reasonable care as to it. In the end however, the mortgage lender was found to have behaved reasonably: "it was not foreseeable that the laptop containing this information, being kept in this home office, might be the subject of a burglary. The court even deemed the location to be a "relatively safe" neighborhood in suburban Washington DC. This is despite the fact that last year alone there were a large number of laptop thefts across the United States."
Finally just a marker of what might be a significant case in the beginning of the end for EBay's carefully kept position of "intermediary neutrality". Tiffany, the diamond folks, are suing EBay for essentially aiding and abetting the passing off of Tiffany fakes via their site. It's hard to see how EBay, unlike old fashioned ISPs, can maintain that they can only stay in business if not held liable for third party content, when their entire business model is based on taking a cut from other parties' third party content. The fact that EBay maintains pages of guidance on not selling goods such as counterfeits on its site merely demonstrates that (a) they know the problem exists but (b) they aren't going to spend any (OK, many) resources on solving it, even though they have the benefit of access to far more data than either the businesses whose trademarks are infringed or the police. Watch this one run..
Oyster cards, privacy and security
Not that I'm claiming I started it or anything but there has been something of a flurry in the press lately about the Transport for London Oyster Card and how easily it can be used to track down an individual's movements. No one did come back last time to tell me how an Oyster card worked (well, except Ian Brown), but from the Register and Independent on Sunday articles, it seems you need nothing beyond the actual card in your hand to access journey information at a kiosk, but slightly more security operates when you try to get the info on-line from your own PC:
"The IoS claims that Oyster journey data can be extracted at a ticket machine using the card, or online by keying the serial number of the card. As far as The Register is aware, however, internet access is slightly more secure than this, requiring a username and password or the serial number, and mother's maiden name or similar, from the application form. These are not, however, insuperable hurdles for the suspicious spouse or close friend, and access to the individual's email account would probably be enough for a snooper to change passwords and gain access to the account itself."
As the Register point out, the current basic level of security helps no one. Either close down access altogether - why do you need to access details of your OWN journeys? you KNOW where you've been!! - or add some decent security like a password for ticket machine access.
And as they also add, the problem will be more pressing if/when, as planned for a year or so, the Oyster Card scheme is extended to become a smart card wallet, used in DigiCash-like ways to pay for small purchases like milk and papers.
Who Do You Trust, Reloaded?
Interesting response from my coder guru pal, Pete Fenelon: I don't agree with every word but I thought it was worth reproducing in full..
Overview: code signing and secure OSes won't work - but that's not where the effort should be going; it should be going into creating a well-policed interface between private systems and the network - and making the owners of those systems liable.
PF: I admit that I'm something of an oddball in my views here, but I believe that what goes on behind your net connection is your own business; what comes out of it is very much not your business. Same as I can have a rocket-powered car in my garage, but I'm toast if I try to take it on the road. ;)
LE: Bill argues that being asked to trust the people who supply "trusted" software - people like Sony - is akin to owning a car where you can't look under the bonnet.
PF: And what's wrong with this? -- most people who buy cars these days don't know diddly about what goes on under the bonnet, and entrust repairs to qualified professionals (or at least people who they think are qualified professionals). Most home computers are "administered" by "our Kevin who's dead good with computers, he gets high scores on all them games he gets discs of". "Our Kevin" often isn't mindful of the consequences (or even existence of) malware, and would click "OK" like a Pavlovian dog if it meant playing a warez version of Halo 3.
Bill: "I have a very nice car, and I try to take good care of it. It runs on petrol, but I want the freedom to fill it up with diesel and destroy the engine. It's my engine, after all.
PF: Well, in many cases it's probably the finance or leasing company's engine, but hey...
Bill: The same goes for my computer. I want the freedom to write, compile and run my own code, take risks with dodgy software I've downloaded from the net and even break the law and risk prosecution by playing unlicensed music or running cracked software. "
PF: It might well be "his computer", in the same way that it's "his car", but his car has to be MOTed regularly to ensure that it still complies with the law, and he has to take out insurance against any damage he might cause to others. When people call the Internet the "information superhighway" they seem to forget that the real highway isn't a free-for-all -- there are people out there watching what you do, there are laws by which you and your vehicle must abide if you wish to drive on it, and you must be licensed to even venture onto it. The penalties are (or at least should be) draconian. The analogy is simple; we don't have "car cops" in Britain who stop you fitting an eight litre engine and slick tyres to your Morris Minor, we have "traffic cops" who get peeved if they see it on the road. Similarly, we shouldn't have "computer cops" who stop you installing Frigware Linux R00tK1T 3D1T10N, we should have "network traffic cops" who pull the plug if your machine starts behaving dangerously.
PF: Right now, lives aren't at stake on the Internet (although no doubt some fool will eventually connect up some safety-critical equipment to an unprotected public network and someone will get hurt), but the economic well-being of others is. What we need isn't a technical solution; it's a financial/legal one. We need:
PF: liability for damage caused by anything coming from a network endpoint for which a particular legal entity (individual, corporation) is responsible.
PF: Regulation of apparatus that can connect - and I don't mean the old BABT red/green triangles, I mean mandating *approved* firewall/gateways between the public network and any equipment connected to it. Found without a firewall/working and up to date AV system? (and your ISP will be probing, otherwise it'll be fined and potentially ostracised at LINX or similar.... or at least would be in my universe?) Exactly the same as having no catalytic converter, no headlights and bald tyres -- your connection "goes dark" and you're fined. Simple as that.
PF: Unfortunately I don't believe that licensing of individuals as fit to use computers can take place - for a start there's the problem of proving who's in control of a machine at any point.
PF: I also don't believe that licensing of applications can meaningfully be done. True 'trusted computing' costs, and costs in the eight figure sort of region for a typical project. And, frankly, how far does trust go? You can't trust any mainstream commercial or open-source desktop operating systems, not with the level of flaws found in them (and for an amusing aside, google "Reflections On Trusting Trust"). True Trusted Computing platforms are expensive, inflexible, and don't offer the kind of experience that modern end users expect -- it'd be like stepping back around 20 years for most PC owners. A trusted system according to the Orange Book or Common Criteria would not be something most people would buy, and it'd move computers back from being a part of the home to being an expensive office tool. Maybe no bad thing ;)
LE: What this apparently appealing metaphor obscures is two things. One "trusted computing" in the strict sense is about hardware not software. I'll come back to this. Trusted computing means that the (metaphorical) box your computer comes in has to be a "black box" unopenable by the user - otherwise the user can do all the stupid things users do right now like open emails from strangers, accept downloads with payloads of virus executables , and click on URLs that take them to phishing websites.
PF: Exactly. But extending your thoughts even further, it's a systems view and a human view that we need, not a software one. If I do something that trashes my computer, it's my risk and my loss. If I do something that trashes my computer, turns it into a zombie host for running a botnet from, and makes it part of a denial of service attack, it's different. I've messed someone else's system up and that's contributory negligence... or criminal damage ;)
LE: This means you do indeed have to trust the people who supply you with trusted computing hardware, and I agree with Bill that there should be serious legal obligations with decent compliance mechanisms placed on those who do sell "trusted computing" so they do not sell us, as we Glaswegians say, a pig in a poke (or a root kit in a DRM).
LE: But the Internet is not going to be any more secure if we sell people trusted computing hardware and let them, as Bill wants to, tinker and fiddle. It would be like selling my mum a Ferrari and suggesting that if she's bored one Sunday she tunes the engine up a bit. She would destroy a very expensive engine and she would also endanger people on the road if she took the car out and it ran out of control as a result of her unskilled modifications while she was driving.
PF: Agreed.
LE: Security of hardware sold to consumers, and consequentially the security of the entire Internet (see posts on bots , zombies etc, passim) is simply no longer compatible with open tinkering.
LE: Once upon a time anyone who bought a car was allowed to simply take delivery and drive it. Then when the density of cars increased, we realised we needed driving tests for public safety. Maybe people like Bill who are well equipped to safely tinker with/fine tune their computers (unlike my Mum), should have to pass a test too before they're allowed to drive away a non-black-box computer?
PF: Unenforceable. You don't stop people owning computers, you just make it very, very hard, risky, and expensive to connect anything dubious to the public internet.
LE: Radical in the libertarian world of computer culture ; but not very odd at all when you look at the rest of the everyday attitude to owning potentially dangerous objects.
PF: "Libertarianism" on the public internet is a consensual illusion passed down from idealistic old-timers of the 1970s and 1980s who enjoyed unrestricted ARPAnet/Internet access as a perk of their jobs or studies and the network was largely run by and for enthusiasts as a piece of research. It's been a fiction ever since individuals have been paying for their access; you are always "playing with someone else's ball" and that someone else is much bigger than you. AUPs are going to get more and more restrictive, either because ISPs are covering their asses or because governments are leaning on them, and the consequences for breaching those AUPs must become commensurately more painful.
LE: What about the software that trusted computing hardware is willing to accept and execute? The so-called "signed" software? Here I completely agree with Bill that the defining of what is acceptable software cannot safely be left to the diktat of the software/hardware vendors. Microsoft eg (just AS an example!) has absolutely no incentive to let me, a consumer, run open source software on the trusted platform they've just sold me. Without needing to imply any malice at all, simple competitive strategy would dictate they should allow access to Microsoft software products and nothing else, if they can get away with it. So as Bill says:
PF: This "ecosystem" doesn't work; Gates tried to build a "trusted computing" platform with XBox. I forget how many weeks it took to crack it wide open. DVD regioning tried to enforce a controlled system in hardware. Ditto. There are more and cleverer people out there fighting for "freedom" than there are people able to deny them. So move the problem - take it out of the technical domain and into the legal one.
LE: [actually Bill] "The second thing we need is diversity when it comes to code signing. If my computer is set to run only signed software or read only signed documents, then who can sign what becomes far more than a matter of technology, it becomes a political issue.
LE: [still actually Bill] We must not settle for a closed platform which allows the hardware vendor or the operating system supplier to decide, so it is time for governments to intervene and to ensure that we have an open marketplace for code signing.
PF: A closed platform won't work (see above). And signing authorities? This just permits the development of 800lb monopoly gorillas like Verisign. Far simpler to move the burden - the place to police is the network interface. I don't care what naughty crap people run on their computers; what I do care about is that someone running dangerous software can't swerve across the information superhighway and unintentionally deny my service.
LE: [still Bill!] The simplest way to do this is to give the process a statutory backing and then issue licences, just like we do for many professional and financial services."
PF: Software licensing on this scale can't and won't happen. Especially not while you can buy hooky software from market stalls and/or China ;)
PF: A regulatory framework needs to be put in place and that regulatory framework needs to be centred around policing traffic through network endpoints, not what's hanging off them. Does it matter what a non-connected computer runs? Of course not.
LE: It's the last para I can't see happening, for the simple reason that a lot of hardware and software comes from the US and the US is not prone to extending government regulation of industry. The UK can impose local regulation on hardware, at least in theory, by stopping it at ports: it simply can't impose licensing control on software downloaded from the States. How can you download that "dodgy software" you have your eye on, if the country it originates from hasn't bought in to a licensing scheme model? Do you simply accept any software with no license - then bang goes security.
PF: All good points.
LE: A better candidate for a certification authority for signing or licensing software as safe might be the existing international standard setting authorities. If an ISO standard, available on-line and revised on application by new entrants into the software market, said what programmes my black box should (or could) accept and execute and which it definitely shouldn't, both I and my technophobe mother might feel a lot safer on the Net.
PF: A wise old engineer who used to work in telecoms once said to me "What's the difference between Jurassic Park and the ISO?" I said I didn't know. "One of them's a theme park filled with dinosaurs - and the other's a movie". By the time the ISO has defined a model for software certification and verification the problem will have morphed out of recognition. The ISO is essentially completely reactive when it comes to comms and computers; their one attempt to define networking standards was a complete failure in the face of the open-source TCP/IP protocol stack and since then they've essentially been regarded as a laughing stock by the Internet community. ISO, ECMA, and similar bodies simply don't have the leverage.
PF: Your technophobe mother doesn't want a true "Trusted Computer"; I doubt she'd be willing to take on the cost of buying one. Your technophobe mother wants a computer that does the right job for her, and that's difficult to unintentionally or maliciously modify.
And LE adds - couldn't agree more! Thanks Pete.
Overview: code signing and secure OSes won't work - but that's not where the effort should be going; it should be going into creating a well-policed interface between private systems and the network - and making the owners of those systems liable.
PF: I admit that I'm something of an oddball in my views here, but I believe that what goes on behind your net connection is your own business; what comes out of it is very much not your business. Same as I can have a rocket-powered car in my garage, but I'm toast if I try to take it on the road. ;)
LE: Bill argues that being asked to trust the people who supply "trusted" software - people like Sony - is akin to owning a car where you can't look under the bonnet.
PF: And what's wrong with this? -- most people who buy cars these days don't know diddly about what goes on under the bonnet, and entrust repairs to qualified professionals (or at least people who they think are qualified professionals). Most home computers are "administered" by "our Kevin who's dead good with computers, he gets high scores on all them games he gets discs of". "Our Kevin" often isn't mindful of the consequences (or even existence of) malware, and would click "OK" like a Pavlovian dog if it meant playing a warez version of Halo 3.
Bill: "I have a very nice car, and I try to take good care of it. It runs on petrol, but I want the freedom to fill it up with diesel and destroy the engine. It's my engine, after all.
PF: Well, in many cases it's probably the finance or leasing company's engine, but hey...
Bill: The same goes for my computer. I want the freedom to write, compile and run my own code, take risks with dodgy software I've downloaded from the net and even break the law and risk prosecution by playing unlicensed music or running cracked software."
PF: It might well be "his computer", in the same way that it's "his car", but his car has to be MOTed regularly to ensure that it still complies with the law, and he has to take out insurance against any damage he might cause to others. When people call the Internet the "information superhighway" they seem to forget that the real highway isn't a free-for-all -- there are people out there watching what you do, there are laws by which you and your vehicle must abide if you wish to drive on it, and you must be licensed to even venture onto it. The penalties are (or at least should be) draconian. The analogy is simple; we don't have "car cops" in Britain who stop you fitting an eight litre engine and slick tyres to your Morris Minor, we have "traffic cops" who get peeved if they see it on the road. Similarly, we shouldn't have "computer cops" who stop you installing Frigware Linux R00tK1T 3D1T10N, we should have "network traffic cops" who pull the plug if your machine starts behaving dangerously.
PF: Right now, lives aren't at stake on the Internet (although no doubt some fool will eventually connect up some safety-critical equipment to an unprotected public network and someone will get hurt), but the economic well-being of others is. What we need isn't a technical solution; it's a financial/legal one. We need:
PF: liability for damage caused by anything coming from a network endpoint for which a particular legal entity (individual, corporation) is responsible.
PF: Regulation of apparatus that can connect - and I don't mean the old BABT red/green triangles, I mean mandating *approved* firewall/gateways between the public network and any equipment connected to it. Found without a firewall/working and up to date AV system? (and your ISP will be probing, otherwise it'll be fined and potentially ostracised at LINX or similar.... or at least would be in my universe?) Exactly the same as having no catalytic converter, no headlights and bald tyres -- your connection "goes dark" and you're fined. Simple as that.
PF: Unfortunately I don't believe that licensing of individuals as fit to use computers can take place - for a start there's the problem of proving who's in control of a machine at any point.
PF: I also don't believe that licensing of applications can meaningfully be done. True 'trusted computing' costs, and costs in the eight figure sort of region for a typical project. And, frankly, how far does trust go? You can't trust any mainstream commercial or open-source desktop operating systems, not with the level of flaws found in them (and for an amusing aside, google "Reflections On Trusting Trust"). True Trusted Computing platforms are expensive, inflexible, and don't offer the kind of experience that modern end users expect -- it'd be like stepping back around 20 years for most PC owners. A trusted system according to the Orange Book or Common Criteria would not be something most people would buy, and it'd move computers back from being a part of the home to being an expensive office tool. Maybe no bad thing ;)
LE: What this apparently appealing metaphor obscures is two things. One, "trusted computing" in the strict sense is about hardware not software. I'll come back to this. Trusted computing means that the (metaphorical) box your computer comes in has to be a "black box" unopenable by the user - otherwise the user can do all the stupid things users do right now like open emails from strangers, accept downloads with payloads of virus executables, and click on URLs that take them to phishing websites.
PF: Exactly. But extending your thoughts even further, it's a systems view and a human view that we need, not a software one. If I do something that trashes my computer, it's my risk and my loss. If I do something that trashes my computer, turns it into a zombie host for running a botnet from, and makes it part of a denial of service attack, it's different. I've messed someone else's system up and that's contributory negligence... or criminal damage ;)
LE: This means you do indeed have to trust the people who supply you with trusted computing hardware, and I agree with Bill that there should be serious legal obligations with decent compliance mechanisms placed on those who do sell "trusted computing" so they do not sell us, as we Glaswegians say, a pig in a poke (or a root kit in a DRM).
LE: But the Internet is not going to be any more secure if we sell people trusted computing hardware and let them, as Bill wants to, tinker and fiddle. It would be like selling my mum a Ferrari and suggesting that if she's bored one Sunday she tunes the engine up a bit. She would destroy a very expensive engine and she would also endanger people on the road if she took the car out and it ran out of control as a result of her unskilled modifications while she was driving.
PF: Agreed.
LE: Security of hardware sold to consumers, and consequentially the security of the entire Internet (see posts on bots, zombies etc, passim) is simply no longer compatible with open tinkering.
Tuesday, February 21, 2006
Who Do You Trust?
Bill Thompson of the BBC Going Digital has written a very sensible column on how trusted computing, rather than being a smokescreen for All that Is Evil (or Microsofty) might actually be the way forward to defend computers against spyware, adware and virus-ridden CDs of the infamous Sony "root kit" type.
However the tone changes in the second para:
"Unless we are careful the tools which could make us a lot safer and give us more power over what we do with the hardware we own and the software we license - few programs are actually "sold", not even free software - will instead be used to take control away from us.
At the moment the companies behind trusted computing do not trust their customers at all.
They want to use digital rights management to control what we can do with content we have purchased, they want to make sure we don't install programs or new hardware that they haven't approved, and they want to be able to monitor our use of the expensive computers we own."
Bill argues that being asked to trust the people who supply "trusted" software - people like Sony - is akin to owning a car where you can't look under the bonnet.
"I have a very nice car, and I try to take good care of it. It runs on petrol, but I want the freedom to fill it up with diesel and destroy the engine. It's my engine, after all.
The same goes for my computer. I want the freedom to write, compile and run my own code, take risks with dodgy software I've downloaded from the net and even break the law and risk prosecution by playing unlicensed music or running cracked software."
What this apparently appealing metaphor obscures is two things. One, "trusted computing" in the strict sense is about hardware not software. I'll come back to this. Trusted computing means that the (metaphorical) box your computer comes in has to be a "black box" unopenable by the user - otherwise the user can do all the stupid things users do right now like open emails from strangers, accept downloads with payloads of virus executables, and click on URLs that take them to phishing websites.
This means you do indeed have to trust the people who supply you with trusted computing hardware, and I agree with Bill that there should be serious legal obligations with decent compliance mechanisms placed on those who do sell "trusted computing" so they do not sell us, as we Glaswegians say, a pig in a poke (or a root kit in a DRM).
But the Internet is not going to be any more secure if we sell people trusted computing hardware and let them, as Bill wants to, tinker and fiddle. It would be like selling my mum a Ferrari and suggesting that if she's bored one Sunday she tunes the engine up a bit. She would destroy a very expensive engine and she would also endanger people on the road if she took the car out and it ran out of control as a result of her unskilled modifications while she was driving.
Security of hardware sold to consumers, and consequentially the security of the entire Internet (see posts on bots, zombies etc, passim) is simply no longer compatible with open tinkering. Once upon a time anyone who bought a car was allowed to simply take delivery and drive it. Then when the density of cars increased, we realised we needed driving tests for public safety. Maybe people like Bill who are well equipped to safely tinker with/fine tune their computers (unlike my Mum), should have to pass a test too before they're allowed to drive away a non-black-box computer? Radical in the libertarian world of computer culture; but not very odd at all when you look at the rest of the everyday attitude to owning potentially dangerous objects.
What about the software that trusted computing hardware is willing to accept and execute? The so-called "signed" software? Here I completely agree with Bill that the defining of what is acceptable software cannot safely be left to the diktat of the software/hardware vendors. Microsoft eg (just AS an example!) has absolutely no incentive to let me, a consumer, run open source software on the trusted platform they've just sold me. Without needing to imply any malice at all, simple competitive strategy would dictate they should allow access to Microsoft software products and nothing else, if they can get away with it. So as Bill says:
"The second thing we need is diversity when it comes to code signing. If my computer is set to run only signed software or read only signed documents, then who can sign what becomes far more than a matter of technology, it becomes a political issue.
We must not settle for a closed platform which allows the hardware vendor or the operating system supplier to decide, so it is time for governments to intervene and to ensure that we have an open marketplace for code signing.
The simplest way to do this is to give the process a statutory backing and then issue licences, just like we do for many professional and financial services."
It's the last para I can't see happening, for the simple reason that a lot of hardware and software comes from the US and the US is not prone to extending government regulation of industry. The UK can impose local regulation on hardware, at least in theory, by stopping it at ports: it simply can't impose licensing control on software downloaded from the States. How can you download that "dodgy software" you have your eye on if the country it originates from hasn't bought in to a licensing scheme model? Do you simply accept any software with no license - then bang goes security.
Plus the national model of licensing financial and professional services has already proven to be a nightmare of possible restrictive practices which the EU, the most harmonised region of nations in the world, is only slowly getting over. How tempting would it be for a faltering French software industry (say) to refuse to sign off on US or even Chinese software products?
A better candidate for a certification authority for signing or licensing software as safe might be the existing international standard setting authorities. If an ISO standard, available on-line and revised on application by new entrants into the software market, said what programmes my black box should (or could) accept and execute and which it definitely shouldn't, both I and my technophobe mother might feel a lot safer on the Net.
Monday, February 13, 2006
Big game Season
Still on jetlag content here... From Boing Boing,
Cheney shoots 78-year old lawyer with shotgun
The best bit is the Reader Comment from someone called Om:
"The important questions raised by this hunting accident are:
1) *Are* lawyers in season right now?
2) Was the lawyer at least a 4-point?
3) Was Cheney within his permit limit?
4) Was the Cheney aide misquoted about the lawyer's hunting suit having a target on the back, or that he'd bought it at Target a while back?
5) Will Disney adapt this into a cartoon about a baby lawyer having to adjust to living in the wild without his parent?
6) Is this what you should expect if you don't contribute enough to a political reelection fund in the future?"
Saturday, February 11, 2006