Interesting response from my coder guru pal, Pete Fenelon: I don't agree with every word but I thought it was worth reproducing in full..
Overview: code signing and secure OSes won't work - but that's not where
the effort should be going; it should be going into creating a
well-policed interface between private systems and the network - and
making the owners of those systems liable.
PF: I admit that I'm something of an oddball in my views here, but I
belive that what goes on behind your net connection is your own business; what comes out of it is very much not your business. Same as I can have a rocket-powered car in my garage, but I'm toast if I try to take it on the road. ;)
LE: Bill argues that being asked to trust the people who supply "trusted" software - people like Sony - is akin to owning a car where you can't look under the bonnet.
PF: And what's wrong with this? -- most people who buy cars these days don.t know diddly about what goes on under the bonnet, and entrust repairs to qualified professionals (or at least people who they think are qualified professionals). Most home computers are "administered" by "our Kevin who's dead good with computers, he gets high scores on all them games he gets discs of". "Our Kevin" often isn't mindful of the consequences (or even existence of) malware, and would click "OK" like a Pavlovian dog if it meant playing a warez version of Halo 3.
Bill: "I have a very nice car, and I try to take good care of it. It runs on petrol, but I want the freedom to fill it up with diesel and destroy the
engine. It's my engine, after all.
PF: Well, in many cases it's probably the finance or leasing companys engine, but hey...
Bill: The same goes for my computer. I want the freedom to write, compile and run my own code, take risks with dodgy software I've downloaded from the
net and even break the law and risk prosecution by playing unlicensed music or running cracked software. "
PF: It might well be "his computer", in the same way that it's "his
car", but his car has to be MOTed regularly to ensure that it still complies with the law, and he has to take out insurance against any damage he might cause to others. When people call the Internet the "information superhighway" they seem to forget that the real highway isn.t a free-for-all -- there are people out there watching what you do, there are laws by which and your vehicle must abide if you wish to drive on it, and you must be licensed to even venture onto it. The penalties
are (or at least should be) draconian. The analogy is simple; we don't have "car cops" in Britain who stop you fitting an eight litre engine and slick tyres to your Morris Minor, we have "traffic cops" who get peeved if they see it on the road. Similarly, we shouldn.t have "computer cops" who stop you installing Frigware Linux R00tK1T 3D1T10N, we should have "network traffic cops" who pull the plug if your machine starts behaving dangerously.
PF: Right now, lives aren't at stake on the Internet (although no doubt some fool will eventually connect up some safety-critical equipment to an
unprotected public network and someone will get hurt), but the economic well-being of others is. What we need isn't a technical solution; it's a financial/legal one. We need:
PF: liability for damage caused by anything coming from a network
endpoint for which a particular legal entity (individual, corporation) is responsible.
PF: Regulation of apparatus that can connect - and I don't mean the old BABT red/green triangles, I mean mandating *approved* firewall/gateways between the public network and any equipment connected to it. Found without a firewall/working and up to date AV system? (and your ISP will be probing, otherwise it'll be fined and
potentially ostracised at LINX or similar.... or at least would be in my universe?) Exactly the same as having no catalytic converter, no headlights and bald tyres -- your connection "goes dark" and you're fined. Simple as that.
PF: Unfortunately I don;t believe that licensing of individuals as fit to use computers can take place - for a start there's the problem of proving who's in control of a machine at any point.
PF: I also don't believe that licensing of applications can meaningfully be done. True 'trusted computing' costs, and costs in the eight figure sort of region for a typical project. And, frankly, how far does trust go? You can't trust any mainstream commercial or open-source desktop operating systems, not with the level of flaws found in them (and for an amusing aside, google "Reflections On Trusting Trust"). True Trusted Computing platforms are expensive, inflexible, and don't offer the kind
of experience that modern end users expect -- it'd be like stepping back around 20 years for most PC owners. A trusted system according to the Orange Book or Common Criteria would not be something most people would buy, and it'd move computers back from being a part of the home to being an expensive office tool. Maybe no bad thing ;)
LE: What this apparently appealing metaphor obscures is two things. One "trusted computing" in the strict sense is about hardware not software. I'll come back to this. Trusted computing means that the (metaphorical) box your computer comes in has to be a "black box" unopenable by the user - otherwise the user can do all the stupid things users do right now like open emails from strangers, accept downloads with payloads of virus executables , and click on URLs that take them to phishing websites.
PF: Exactly. But extending your thoughts even further, it's a systems view and a human view that we need, not a software one. If I do something that trashes my computer, it's my risk and my loss. If I do something that trashes my computer, turns it into a zombie host for running a botnet from, and makes it part of a denial of service attack, it's different. I've messed someone else's system up and that's contributory negligence... or criminal damage ;)
LE: This means you do indeed have to trust the people who supply you with trusted computing hardware, and I agree with Bill that there should be
serious legal obligations with decent compliance mechanisms placed on those who do sell "trusted computing" so they do not sell us, as we Glaswegians say, a pig in a a poke (or a root kit in a DRM).
LE: But the Internet is not going to be any more secure if we sell people trusted computing hardware and let them, as Bill, wants to, tinker and
fiddle. It would be like selling my mum a Ferrari and suggesting that if she's bored one Sunday she tunes the engine up a bit. She would destroy a very expensive engine and she would also endanger people on the road if she took the car out and it ran out of control as a result of her unskilled modifications while she was driving.
PF: Agreed.
LE: Security of hardware sold to consumers, and consequentially the security of the entire Internet (see posts on bots , zombies etc, passim) is simply no longer compatible with open tinkering.
LE: Once upon a time anyone who bought a car was allowed to simply take delivery and drive it. Then when the density of cars increased, we reaised we needed driving tests for public safety. Maybe people like Bill who are well equipped to safely tinker with/fine tune their computers (unlike my Mum) , should have to pass a test too before they're allowed to drive away a non-black-box computer?
PF: Unenforceable. You don.t stop people owning computers, you just make it very, very hard, risky, and expensive to connect anything dubious to the public internet.
LE: Radical in the libertarian world of computer culture ; but not very odd at all when you look at the rest of the everyday attitude to owning potentially dangerous objects.
PF: "Libertarianism" on the public internet is a consensual illusion
passed down from idealistic old-timers of the 1970s and 1980s who enjoyed unrestricted ARPAnet/Internet access as a perk of their jobs or studies and the network was largely run by and for enthusiasts as a piece of research. It's been a fiction ever since individuals have been paying for their access; you are always "playing with someone else's ball" and that someone else is much bigger than you. AUPs are going to get more and more restrictive, either because ISPs are covering their asses or because governments are leaning on them, and the onsequences for breaching those AUPs must become commensurately more painful.
LE: What about the software that trusted computing hardware is willing to accept and excute? the so called "signed" software? Here I completely agree with Bill that the defining of what is acceptable software cannot safely be left to the dictat of the software/hardware vendors. Microsoft eg (just AS an example!) has absolutely no incentive to let me, a consumer, run open source software on the trusted platform they've just sold me. Without needing to imply any malice at all, simple competitive strategy would dictate they should allow access to Microsoft software products and nothing else, if they can get away with it. So as Bill says:
PF: This "ecosystem" doesn't work; Gates tried to build a "trusted
computing" platform with XBox. I forget how many weeks it took to crack it wide open. DVD regioning tried to enforce a controlled system in hardware. Ditto. There are more and cleverer people out there fighting for "freedom" than there are people able to deny them. So move the problem - take it out of the technical domain and into the legal one.
LE: [actually Bill] "The second thing we need is diversity when it comes to code signing. If my computer is set to run only signed software or read only signed
documents, then who can sign what becomes far more than a matter of technology, it becomes a political issue.
LE: [still actually Bill] We must not settle for a closed platform which allows the hardware vendor or the operating system supplier to decide, so it is time for governments to intervene and to ensure that we have an open marketplace for code signing.
PF: A closed platform won't work (see above). And signing authorities? This just permits the development of 800lb monopoly gorillas like Verisign. Far simpler to move the burden - the place to police is the network interface. I don't care what naughty crap people run on their computers; what I do care about is that someone running dangerous software can't swerve across the information superhighway and unintentionally deny my service.
LE: [still Bill!] The simplest way to do this is to give the process a statutory backing and then issue licences, just like we do for many professional and financial services. "
PF: Software licensing on this scale can't and won't happen. Especially
not while you can buy hooky software from market stalls and/or China ;)
PF: A regulatory framework needs to be put in place and that regulatory framework needs to be centred around policing traffic through network
endpoints, not what's hanging off them. Does it matter what a non-connected computer runs? Of course not.
LE: It's the last para I can't see happening, for the simple reason that a lot of hardware and software comes from the US and the US is not prone
to extending governement regulation of industry. The UK can impose local regulation on hardware, at least in theory, by stopping it at ports: it simply can't impose licensing control on software downloaded from the States. How can you download that "dodgy software" you have your eye on, if the country it originates from hasn't bought in to a licensing scheme model? Do you simply accept any software with no license - then bangs goes security.
PF: All good points.
LE: A better candidate for a certification authority for signing or
licensing software as safe might be the existing international standard setting authorities. If an ISO standard, available on-line and revised on application by new entrants into the software market, said what programmes my black box should (or could) accept and execute and which it definitely shouldn't, both I and my technophobe mother might feel a lot safer on the Net.
PF: A wise old engineer who used to work in telecoms once said to me
"What's the difference between Jurassic Park and the ISO?" I said I didn't know. "One of them's a theme park filled with dinosaurs - and the other.s a movie". By the time the ISO has defined a model for software certification and verification the problem will have morphed out of recognition. The ISO is essentially completely reactive when it comes to comms and computers; their one attempt to define networking standards was a complete failure in the face of the open-source TCP/IP protocol stack and since then they.ve essentially been regarded as a laughing stock by the Internet community. ISO, ECMA, and similar bodies simply don't have the leverage.
PF: Your technophobe mother doesn't want a true "Trusted Computer"; I doubt she.d be willing to take on the cost of buying one. Your technophobe mother wants a computer that does the right job for her, and that's difficult to unintentionally or maliciously modify.
And LE adds - couldn't agree more! Thanks Pete.
Sunday, February 26, 2006
Tuesday, February 21, 2006
Who Do You Trust?
Bill Thompson of the BBC Going Digital has written a very sensible column on how trusted computing, rather than being a smokescreen for All that Is Evil (or Microsofty) might actually be the way forward to defend computers against spyware, adware and virus-ridden CDs of the infamous Sony "root kit" type.
However the tone changes in the second para:
"Unless we are careful the tools which could make us a lot safer and give us more power over what we do with the hardware we own and the software we license - few programs are actually "sold", not even free software - will instead be used to take control away from us.
At the moment the companies behind trusted computing do not trust their customers at all.
They want to use digital rights management to control what we can do with content we have purchased, they want to make sure we don't install programs or new hardware that they haven't approved, and they want to be able to monitor our use of the expensive computers we own."
Bill argues that being asked to trust the people who supply "trusted" software - people like Sony - is akin to owning a car where you can't look under the bonnet.
"I have a very nice car, and I try to take good care of it. It runs on petrol, but I want the freedom to fill it up with diesel and destroy the engine. It's my engine, after all.
The same goes for my computer. I want the freedom to write, compile and run my own code, take risks with dodgy software I've downloaded from the net and even break the law and risk prosecution by playing unlicensed music or running cracked software. "
What this apparently appealing metaphor obscures is two things. One "trusted computing" in the strict sense is about hardware not software. I'll come back to this. Trusted computing means that the (metaphorical) box your computer comes in has to be a "black box" unopenable by the user - otherwise the user can do all the stupid things users do right now like open emails from strangers, accept downloads with payloads of virus executables , and click on URLs that take them to phishing websites.
This means you do indeed have to trust the people who supply you with trusted computing hardware, and I agree with Bill that there should be serious legal obligations with decent compliance mechanisms placed on those who do sell "trusted computing" so they do not sell us, as we Glaswegians say, a pig in a a poke (or a root kit in a DRM).
But the Internet is not going to be any more secure if we sell people trusted computing hardware and let them, as Bill, wants to, tinker and fiddle. It would be like selling my mum a Ferrari and suggesting that if she's bored one Sunday she tunes the engine up a bit. She would destroy a very expensive engine and she would also endanger people on the road if she took the car out and it ran out of control as a result of her unskilled modifications while she was driving.
Security of hardware sold to consumers, and consequentially the security of the entire Internet (see posts on bots , zombies etc, passim) is simply no longer compatible with open tinkering. Once upon a time anyone who bought a car was allowed to simply take delivery and drive it. Then when the density of cars increased, we reaised we needed driving tests for public safety. Maybe people like Bill who are well equipped to safely tinker with/fine tune their computers (unlike my Mum) , should have to pass a test too before they're allowed to drive away a non-black-box computer? Radical in the libertarian world of computer culture ; but not very odd at all when you look at the rest of the everyday attitude to owning potentially dangerous objects.
What about the software that trusted computing hardware is willing to accept and excute? the so called "signed" software? Here I completely agree with Bill that the defining of what is acceptable software cannot safely be left to the dictat of the software/hardware vendors. Microsoft eg (just AS an example!) has absolutely no incentive to let me, a consumer, run open source software on the trusted platform they've just sold me. Without needing to imply any malice at all, simple competitive strategy would dictate they should allow access to Microsoft software products and nothing else, if they can get away with it. So as Bill says:
"The second thing we need is diversity when it comes to code signing. If my computer is set to run only signed software or read only signed documents, then who can sign what becomes far more than a matter of technology, it becomes a political issue.
We must not settle for a closed platform which allows the hardware vendor or the operating system supplier to decide, so it is time for governments to intervene and to ensure that we have an open marketplace for code signing.
The simplest way to do this is to give the process a statutory backing and then issue licences, just like we do for many professional and financial services. "
It's the last para I can't see happening, for the simple reason that a lot of hardware and software comes from the US and the US is not prone to extending governement regulation of industry. The UK can impose local regulation on hardware, at least in theory, by stopping it at ports: it simply can't impose licensing control on software downloaded from the States. How can you download that "dodgy software" you have your eye on if the country it originates from hasn't bought in to a licensing scheme model? Do you simply accept any software with no license - the bangs goes security.
Plus the national model of licensing financial and profesional services has already proven to be a nightmare of possible restrictive practices which the EU , the most harmonised region of nations in the world, is only slowly getting over. How tempting would it be for a faltering French software industry (say) to refuse to sign off on US or even Chinese software products?
A better candidate for a certification authority for signing or licensing software as safe might be the existing international standard setting authorities. If an ISO standard, available on-line and revised on application by new entrants into the software market, said what programmes my black box should (or could) accept and execute and which it definitely shouldn't, both I and my technophobe mother might feel a lot safer on the Net.
However the tone changes in the second para:
"Unless we are careful the tools which could make us a lot safer and give us more power over what we do with the hardware we own and the software we license - few programs are actually "sold", not even free software - will instead be used to take control away from us.
At the moment the companies behind trusted computing do not trust their customers at all.
They want to use digital rights management to control what we can do with content we have purchased, they want to make sure we don't install programs or new hardware that they haven't approved, and they want to be able to monitor our use of the expensive computers we own."
Bill argues that being asked to trust the people who supply "trusted" software - people like Sony - is akin to owning a car where you can't look under the bonnet.
"I have a very nice car, and I try to take good care of it. It runs on petrol, but I want the freedom to fill it up with diesel and destroy the engine. It's my engine, after all.
The same goes for my computer. I want the freedom to write, compile and run my own code, take risks with dodgy software I've downloaded from the net and even break the law and risk prosecution by playing unlicensed music or running cracked software. "
What this apparently appealing metaphor obscures is two things. One "trusted computing" in the strict sense is about hardware not software. I'll come back to this. Trusted computing means that the (metaphorical) box your computer comes in has to be a "black box" unopenable by the user - otherwise the user can do all the stupid things users do right now like open emails from strangers, accept downloads with payloads of virus executables , and click on URLs that take them to phishing websites.
This means you do indeed have to trust the people who supply you with trusted computing hardware, and I agree with Bill that there should be serious legal obligations with decent compliance mechanisms placed on those who do sell "trusted computing" so they do not sell us, as we Glaswegians say, a pig in a a poke (or a root kit in a DRM).
But the Internet is not going to be any more secure if we sell people trusted computing hardware and let them, as Bill, wants to, tinker and fiddle. It would be like selling my mum a Ferrari and suggesting that if she's bored one Sunday she tunes the engine up a bit. She would destroy a very expensive engine and she would also endanger people on the road if she took the car out and it ran out of control as a result of her unskilled modifications while she was driving.
Security of hardware sold to consumers, and consequentially the security of the entire Internet (see posts on bots , zombies etc, passim) is simply no longer compatible with open tinkering. Once upon a time anyone who bought a car was allowed to simply take delivery and drive it. Then when the density of cars increased, we reaised we needed driving tests for public safety. Maybe people like Bill who are well equipped to safely tinker with/fine tune their computers (unlike my Mum) , should have to pass a test too before they're allowed to drive away a non-black-box computer? Radical in the libertarian world of computer culture ; but not very odd at all when you look at the rest of the everyday attitude to owning potentially dangerous objects.
What about the software that trusted computing hardware is willing to accept and excute? the so called "signed" software? Here I completely agree with Bill that the defining of what is acceptable software cannot safely be left to the dictat of the software/hardware vendors. Microsoft eg (just AS an example!) has absolutely no incentive to let me, a consumer, run open source software on the trusted platform they've just sold me. Without needing to imply any malice at all, simple competitive strategy would dictate they should allow access to Microsoft software products and nothing else, if they can get away with it. So as Bill says:
"The second thing we need is diversity when it comes to code signing. If my computer is set to run only signed software or read only signed documents, then who can sign what becomes far more than a matter of technology, it becomes a political issue.
We must not settle for a closed platform which allows the hardware vendor or the operating system supplier to decide, so it is time for governments to intervene and to ensure that we have an open marketplace for code signing.
The simplest way to do this is to give the process a statutory backing and then issue licences, just like we do for many professional and financial services. "
It's the last para I can't see happening, for the simple reason that a lot of hardware and software comes from the US and the US is not prone to extending governement regulation of industry. The UK can impose local regulation on hardware, at least in theory, by stopping it at ports: it simply can't impose licensing control on software downloaded from the States. How can you download that "dodgy software" you have your eye on if the country it originates from hasn't bought in to a licensing scheme model? Do you simply accept any software with no license - the bangs goes security.
Plus the national model of licensing financial and profesional services has already proven to be a nightmare of possible restrictive practices which the EU , the most harmonised region of nations in the world, is only slowly getting over. How tempting would it be for a faltering French software industry (say) to refuse to sign off on US or even Chinese software products?
A better candidate for a certification authority for signing or licensing software as safe might be the existing international standard setting authorities. If an ISO standard, available on-line and revised on application by new entrants into the software market, said what programmes my black box should (or could) accept and execute and which it definitely shouldn't, both I and my technophobe mother might feel a lot safer on the Net.
Monday, February 13, 2006
Big game Season
Still on jetlag content here .. From Boing BOing,
Cheney shoots 78-year old lawyer with shotgun
The best bit is the Reader Comment from someone called Om:
"The important questions raised by this hunting accident are:
1) *Are* lawyers in season right now?
2) Was the lawyer at least a 4-point?
3) Was Cheney within his permit limit?
4) Was the Cheney aide misquoted about the lawyer's hunting suit having a target on the back, or that he'd bought it at Target a while back?
5) Will Disney adapt this into a cartoon about a baby lawyer having to adjust to living in the wild without his parent?
6) Is this what you should expect if you don't contribute enough to a political reelection fund in the future? "
Cheney shoots 78-year old lawyer with shotgun
The best bit is the Reader Comment from someone called Om:
"The important questions raised by this hunting accident are:
1) *Are* lawyers in season right now?
2) Was the lawyer at least a 4-point?
3) Was Cheney within his permit limit?
4) Was the Cheney aide misquoted about the lawyer's hunting suit having a target on the back, or that he'd bought it at Target a while back?
5) Will Disney adapt this into a cartoon about a baby lawyer having to adjust to living in the wild without his parent?
6) Is this what you should expect if you don't contribute enough to a political reelection fund in the future? "
Saturday, February 11, 2006
Wednesday, February 01, 2006
The Flickr of Tiny Web beacons?
My concerns about Flickr as a possible exercise in setting web beacons across many sites, have been examined more closely by Adam Fields on his blog. Neither Adam and I can find any conclusive evidence in the Flickr privacy policy that either says Flickr IS doing this , nor that they have barred themselves FROM doing this. One way to safeguard yourself, should you be feeling particularly conspiratorial, would be to tweak your browser to refuse to accept any third party cookies (says my occasional tech-guru correspondent, Mike Scott, who notes that even IE v 6 on only bars third party cookies by default when they come from a source without a compact privacy policy. (Which is a bit different from barring all thrid party cookies by default.)
Mobile, Ubiquitous and Continuing Paranoia
Rupert White of the Law Society Gazette points out that an even easier way to stalk someone rather than "borrowing" their mobile phone (see last entry)is to "borrow" their London Oyster card (should they be a Londoner, of course :-) This gives a full printout of everywhere the card carrier has been for the last n months. The Oyster card can be replaced in the stalkee's jacket, with them none the wiser.
The intersting question about this is what if any crime has been committed? My instinct is that this is (yet again) unauthorised access under s 1 of the CMA 1990.
"1.—(1) A person is guilty of an offence if—
(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;
(b) the access he intends to secure is unauthorised; and
(c) he knows at the time when he causes the computer to perform the function that that is the case."
The big issue, of course, is is an Oyster card a "computer"? The 1990 Act, deliberately, has no definition. Ian Lloyd, an expert on computer crime, suggested in his IT Law textbook a while back that given the ubiquity of smart-chip enabled white goods these days, a dishwasher or a smart fridge might be considered a "computer". I myself think it is not stretching the definition to call a smart-chipped Oyster card a computer.
If not, though, where are we? The Law Commissions tied themselves in knots a few years back over whether an offence of "theft of information" other than in well recognised categories like trade secrets, existed. (This was , in fact, one of the reasons the CMA was enacted in the first place.) Data protection law forbids the unfair processing of personal data, which in this case would include processing (or viewing) without consent. "Processing" includes "use" and display. Data subjects whose rights are violated have rights to sue the processor. But I am not convinced there is a criminal offence here. And, of course, there's always the murky waters of simple fraud - especially in Scotland where the offence of fraud can be charged at common law, not under statute. But again, I am not convinced this is actually a case of fraud as the victim is simply stolen from, not lied to or in any way deluded. The English law of fraud is currently being amended to more comprehensively cover "phishing" - where personal data is stolen by deception. But this does not quite fall under that head either. Interesting problem..
Rupert also points out that the Information Commissioner has expressed worries about the transparency and security of data collection via Oyster cards before - but this is more in relation to what London Transport might do with the information than the accessibility of the card itself as a key to access to personal information by strangers. (But I too have pointed out to my students that the public register entry with the ICO for Transport for London represents no barrier whatsoever to aggressive data mining.)
I am not a Londoner so I am not sure just how easy it is to extract data from an Oyster card. Do you need to give a password or other ID to extract the details of stations passed through, or do you just stick it in a smartcard reader? The Oyster web site merely tells you that details of the last 8 weeks' journeys can be extracted. Help appreciated!
The intersting question about this is what if any crime has been committed? My instinct is that this is (yet again) unauthorised access under s 1 of the CMA 1990.
"1.—(1) A person is guilty of an offence if—
(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;
(b) the access he intends to secure is unauthorised; and
(c) he knows at the time when he causes the computer to perform the function that that is the case."
The big issue, of course, is is an Oyster card a "computer"? The 1990 Act, deliberately, has no definition. Ian Lloyd, an expert on computer crime, suggested in his IT Law textbook a while back that given the ubiquity of smart-chip enabled white goods these days, a dishwasher or a smart fridge might be considered a "computer". I myself think it is not stretching the definition to call a smart-chipped Oyster card a computer.
If not, though, where are we? The Law Commissions tied themselves in knots a few years back over whether an offence of "theft of information" other than in well recognised categories like trade secrets, existed. (This was , in fact, one of the reasons the CMA was enacted in the first place.) Data protection law forbids the unfair processing of personal data, which in this case would include processing (or viewing) without consent. "Processing" includes "use" and display. Data subjects whose rights are violated have rights to sue the processor. But I am not convinced there is a criminal offence here. And, of course, there's always the murky waters of simple fraud - especially in Scotland where the offence of fraud can be charged at common law, not under statute. But again, I am not convinced this is actually a case of fraud as the victim is simply stolen from, not lied to or in any way deluded. The English law of fraud is currently being amended to more comprehensively cover "phishing" - where personal data is stolen by deception. But this does not quite fall under that head either. Interesting problem..
Rupert also points out that the Information Commissioner has expressed worries about the transparency and security of data collection via Oyster cards before - but this is more in relation to what London Transport might do with the information than the accessibility of the card itself as a key to access to personal information by strangers. (But I too have pointed out to my students that the public register entry with the ICO for Transport for London represents no barrier whatsoever to aggressive data mining.)
I am not a Londoner so I am not sure just how easy it is to extract data from an Oyster card. Do you need to give a password or other ID to extract the details of stations passed through, or do you just stick it in a smartcard reader? The Oyster web site merely tells you that details of the last 8 weeks' journeys can be extracted. Help appreciated!
Monday, January 30, 2006
Mobile and Ubiquitous Paranoia
I was teaching my class about interception and surveillance last week and reminded them that you don't need to be government or Echelon or a spook to spy on someone these days: their never-without-it mobile phone is a portable locational bug aiting to happen. And lo and behold, in Saturday's Guardian is a convenient explanation on how you can use a mobile to stalk your chosen prey (EDIT: And here;'s a previous piece that's even better):
"Here is how it works. You register on the site, pay a few quid, type in the phone number of the person you want to track, and then the system sends them a text message. All you need to do is surreptitiously get access to your target’s mobile phone, without their knowledge, for just five minutes: long enough to receive that text message, reply with the word LOCATE, and delete two text messages that arrive immediately, warning them they are being tracked. You can stalk them for a couple of days, find out if they really are where they say they are, work out who they are with, perhaps find out if they’re having an affair, then delete them off the system. They will never be any the wiser."
Thanks To Ray Corrigan at http://b2fxxx.blogspot.com/2006/01/mobile-phone-stalking-made-easy.html .
"Here is how it works. You register on the site, pay a few quid, type in the phone number of the person you want to track, and then the system sends them a text message. All you need to do is surreptitiously get access to your target’s mobile phone, without their knowledge, for just five minutes: long enough to receive that text message, reply with the word LOCATE, and delete two text messages that arrive immediately, warning them they are being tracked. You can stalk them for a couple of days, find out if they really are where they say they are, work out who they are with, perhaps find out if they’re having an affair, then delete them off the system. They will never be any the wiser."
Thanks To Ray Corrigan at http://b2fxxx.blogspot.com/2006/01/mobile-phone-stalking-made-easy.html .
Google Stories get Better and Better
Boing Boing link to a report on the implications of search engines - including Google - automatically recording IP address of searchers.
"Up until now, I’ve only discussed the implications of having an IP address. The situation gets much much worse when you start using it. Because every bit of network traffic you use is marked with your IP address, it can be used to link all of those disparate transactions together. Despite these possible correlations, not one of the major search engines considers your IP address to be personally identifiable information. "
Of course in Europe we have DP law and an IP address would be personally identifying data and therefore protected by the Data Protection Principles, including limitation of data collection by purpose and time of retention, right? Wrong. A recent survey by the Information Comissioner's office in the UK found huge disparities across Europe as to whether an IP address would ALWAYS or even sometimes be treated as personal data.
Plus of course the new data retention rules that are coming in will mandate data retention of certain items for telcos and ISPs. Will these rules apply to search engines? I guess we have to wait for the detail of national implementations of the Data Retention Directive.
Meanwhile the media are beginning to report not only people who prefer to be unGoogleable but ways of anonymising your Google searches, so they cannot subsequently be subpoenaed by governments. The Revenge of the Digerati??
Finally, deep into the further reaches of conspiracy theories re privacy and web-bugging we have this interesting comment from the resposnses to the IP article above.
"I don’t have any ads on the site, I do have embedded Flickr pictures. So, here’s a question - is Flickr just a cover for a huge web bug operation used to track visits to sites that have embedded Flickr pictures, or is that being overly paranoid? "
Flickr is a site where users can post photos they've taken and embed them in their web pages - they can then be viewed, uploaded etc by the public (or not as you choose).
In theory it seems plausible that every Flickr image could inded be a web beacon, meaning Flickr could correlate sign up IDs with IP addresses and web sites, as well as patterns of known associates (people who look at your pictures tend to be people who know you).
Anyone like to comment? I must go have a look at the Flickr privacy policy :-)
"Up until now, I’ve only discussed the implications of having an IP address. The situation gets much much worse when you start using it. Because every bit of network traffic you use is marked with your IP address, it can be used to link all of those disparate transactions together. Despite these possible correlations, not one of the major search engines considers your IP address to be personally identifiable information. "
Of course in Europe we have DP law and an IP address would be personally identifying data and therefore protected by the Data Protection Principles, including limitation of data collection by purpose and time of retention, right? Wrong. A recent survey by the Information Comissioner's office in the UK found huge disparities across Europe as to whether an IP address would ALWAYS or even sometimes be treated as personal data.
Plus of course the new data retention rules that are coming in will mandate data retention of certain items for telcos and ISPs. Will these rules apply to search engines? I guess we have to wait for the detail of national implementations of the Data Retention Directive.
Meanwhile the media are beginning to report not only people who prefer to be unGoogleable but ways of anonymising your Google searches, so they cannot subsequently be subpoenaed by governments. The Revenge of the Digerati??
Finally, deep into the further reaches of conspiracy theories re privacy and web-bugging we have this interesting comment from the resposnses to the IP article above.
"I don’t have any ads on the site, I do have embedded Flickr pictures. So, here’s a question - is Flickr just a cover for a huge web bug operation used to track visits to sites that have embedded Flickr pictures, or is that being overly paranoid? "
Flickr is a site where users can post photos they've taken and embed them in their web pages - they can then be viewed, uploaded etc by the public (or not as you choose).
In theory it seems plausible that every Flickr image could inded be a web beacon, meaning Flickr could correlate sign up IDs with IP addresses and web sites, as well as patterns of known associates (people who look at your pictures tend to be people who know you).
Anyone like to comment? I must go have a look at the Flickr privacy policy :-)
Yet more cool visual aids
Google Tibet Prison Camp
And wow. Apparently you can avoid Google China censorship simply by putting the search terms in with Capital Letters. Wow, how hi tech!
And wow. Apparently you can avoid Google China censorship simply by putting the search terms in with Capital Letters. Wow, how hi tech!
Sunday, January 29, 2006
More visual aids
Worth noting for teachers looking for cool visuals for powerpoints: the Sony rootkit debacle as graphic.
Friday, January 27, 2006
First British File Swappers Found Liable
Worth recording for pure historical interest - from the Beeb:
"High Court judges ordered two men to pay the British Phonographic Industry between £1,500 and £5,000 for making thousands of songs available online.
One of the men said he did not know he was acting illegally, the other said there was no evidence against him."
The first defendant has to pay £5000 plus at least £13,500 in cotss: the second £1,500 plus costs.
Did the first guy actually have a lawyer? Even in a file sharing case, it is fairly well settled that ignorance of the law is no defense.
"High Court judges ordered two men to pay the British Phonographic Industry between £1,500 and £5,000 for making thousands of songs available online.
One of the men said he did not know he was acting illegally, the other said there was no evidence against him."
The first defendant has to pay £5000 plus at least £13,500 in cotss: the second £1,500 plus costs.
Did the first guy actually have a lawyer? Even in a file sharing case, it is fairly well settled that ignorance of the law is no defense.
Google Print gets a Clear Field?
A US district court has ruled in Field v Google that Google's cache
feature, which allows users to access copies of web pages made when they
were viewed or "spidered" by Google robots, does not breach copyright in
those web pages. The matter had never been decided in the US courts
before. The case was brought by author and lawyer Blake Field who had taken
exception to Google's caching of about 50 stories posted by Field on his website. He
brought an action for copyright infringement, arguing that the Google cache
feature allowed web users to access copies of his copyrighted material
without his authorisation. The court disagreed.
The court had three bases for its decision. First, if anyone was
breaching copyright when the cached copy was accessed, it was not Google but
whoever made that cached page request. Google was merely "passive in this
process". Secondly, it was shown that Field knew how to disable the caching
feature, using the "do not archive" metatag or the robots.txt code which,
when inserted in a website's HTML code, tells Google spiders not to make
copies of that page. Field could have used that facility, but chose not to.
As such, he was personally barred from claiming copyright infringment
against Google.
Finally, and most crucially, the use Google made of the material was fair
use, said the Court. The four tests usually applied to determine if a use
is "fair use" are:
(1) the purpose and character of the use, including whether such use is of a
commercial nature or is for nonprofit educational purposes;
(2) the nature of the copyrighted work;
(3) the amount and substantiality of the portion used in relation to the
copyrighted
work as a whole; and
(4) the effect of the use upon the potential market for or value of the
copyrigh
Applying the usual USA jurisprudence, he found that Google's use was fair
because, crucially, it was both transformative and socially valuable.
"Because Google serves different and socially important purposes in offering
access to copyrighted works through 'Cached' links and does not merely
supersede the objectives of the original creations, the Court concludes that
Google's alleged copying and distribution of Field's web pages containing
copyrighted works was transformative."
This means the court accepted that making copies in cache s part of the creation of a
database for a search engine, was something very different from, say, making
copies so as to sell pirate copies to the author's potential audience.
Google were not using their cache copies for any commercial purposes which
interfered with the revenues the author would make from them or could
reasonably be anticipated to make. Nor could Google's "socially important"
purpose, to create a comprehensive freely available search database,
including historic records of altered pages, be accomplished without using
caches of the whole page rather than extracts; so the fact that the whole
rather than parts were copied was not fatal to the claim of fair use.
Finally, the court found Google did gain the benefit of the "safe harbor"
defence under the Digital Millennium Copyright Act , s 512 (b) , which which
provides a defence to service providers for the "intermediate and temporary
storage of material on a system or network controlled or operated by or for
the service provider" whereb the storage is carried out by an "automatic
technical process". There had been doubt in the past as to whether this was
intended to cover "long term" cache storage of the sort Google use - around
14 to 20 days storage. The court found this was indeed temporary, since a similar period of 14 days cache had been found legitimate in Ellison v Robertson 357 F.3d 1072, 1081 (9th Cir. 2004).
As OUT-Law note, this ruling
could hardly be more helpful to Google in its ongoing Google Print dispute.
The Google Print project , just like ordinary Google caching, involves the
automated making of full copies of pages of books, scanned in as electronic text, with the intent of making a search index from them which can then deliver limited sections of the books scanned. When book publishers complained this infringed their rights to control the making of copies, Google responded that the publishers had the ability to opt out of scanning. However under pressure, Google reversed their practice on this and asked publishers to explicitly "opt in" to Google Print, rather than leaving the onus on them to "opt out". This of course makes the project of
potentially much lower social value, as well as leaving out "orphan works"
whose copyright holders are unknown.
A court, albeit a District Court only, now seem to have validated Google's
original "opt-out" approach. Not only that, but it has clarified that
scanning in full text as opposed to merely extracts of texts, can be
acceptable fair use. Finally, they have apparently rebutted the damning
argument that Google Print cannot be fair use because it disrupts future
revenues, in the form of as yet uncommenced efforts by publishers to provide
or license similar revenue-generating book-scanning search engines.
Although I am in favour of Google Print as a project (what academic isn't?),
this all seems just a tad too good to be true. For example, in relation to the fair use criteria, Google can hardly claim with a straight face to make no commercial revenue out of providing either cached page links or Google Print in its full glory. Their revenue comes from AdWords , and these sell because so many million people
use Google to search - something providing Google Print can only enhance. This point was raised by Field, but brushed aside : "The fact that Google is a commercial operation is of only minor relevance in the fair use analysis."
Field's works also had little or no commercial value per se. The court
found: "There is no evidence of any market for Field's works. Field makes
the works available to the public for free in their entirety, and admits that he has
never received any compensation from selling or licensing them."
The situation was, therefore, rather different from, say, Oxford University
Press complaining about the scanning and distribution of parts of their
money-making textbooks or encyclopaedias. The court also found that:
"there is no evidence before the Court of any market for licensing search
engines the right to allow access to Web pages through "Cached" links, or
evidence that one is likely to develop."
But this is probably by now not at all true of large scale book scanning operations -it is obvious that the major publishers, stung by the Google and subsequent Yahoo! etc activity, are getting their asses in gear on this one, and that a future search-and-pay-per-view licensed market by each publisher, or consortia of publishers, can well be imagined.
Finally, the application of the DMCA caching safe harbor decision to Google
is right in technical detail, but in terms of purpose, is deeply suspect.
The caching safe harbor of the DMCA (just like its equivalent in the EU, the
EC E Commerce Directive (ECD) Art 13) was intended to protect the common practice
of making highly temporary local copies of multiply-accessed web pages, to
reduce transmission times to local users making page requests, and to reduce
overall Internet congestion. The Google cache services at least one very
different purpose: to make copies of web pages available to users for some time even when the page has moved or been removed (perhaps deliberately to avoid search). Furthermore, since Google spiders periodically return to un-protected pages to refresh the cache, the cache storage of an unaltered page can be seen as permanent, or at least as not "temporary", since it may effectively persist for a much longer period than the 14-20 day cycle cited in court. ( I note with some amusement that in my first post on Google Print months ago I was alreay quizzical about whether Google could take advantage of the caching safe harbors.)
The court seem, indeed, to have gone further in their first finding, by
deeming Google "passive" in the process of making and transmitting a copy to
the user who makes a page request from a Google cache page link. To this
author, that sounds a lot like a finding that Google is not even actively
caching under s 512(b) but merely a "mere conduit" (as we Europeans call
it - see EC ECD, Art 12) - or as stated under s 512(a) of the DMCA, someone
who only provides "transmission, routing, provision of connections or
storage through a system or network controlled or operated by the service
provider." If Google, albeit by automated technologies, initiate the making of cached copies for their own purposes, not for the needs of end users,
they are not, in my view, being passive "mere conduits" and it is misleading
of the court, for whatever well meant purposes, to make that analogy.
In any case, when we come to Google Print, the intentional and active nature of the
copying, even by automated means, becomes even more obvious. Furthermore,
scanned copies of books will be available indefinitely one assumes: so it would be
unreasonable for the caching safe harbor to apply (nor would the hosting safe harbor in either DMCA or ECD be appropriate, since while the content is supplied by a third party, the copying - and potential copyright infringement - is undertaken by Google).
So to sum up: good news for Google on fair use, and very good news indeed on
"opt out" as opposed to "opt in". Watch this space, as I keep saying. Your
humble blogger will be chairing a debate on Google Print at href="http://www2006.org/">WWW 2006 in sunny Edinburgh - I am looking
forward to it.
feature, which allows users to access copies of web pages made when they
were viewed or "spidered" by Google robots, does not breach copyright in
those web pages. The matter had never been decided in the US courts
before. The case was brought by author and lawyer Blake Field who had taken
exception to Google's caching of about 50 stories posted by Field on his website. He
brought an action for copyright infringement, arguing that the Google cache
feature allowed web users to access copies of his copyrighted material
without his authorisation. The court disagreed.
The court had three bases for its decision. First, if anyone was
breaching copyright when the cached copy was accessed, it was not Google but
whoever made that cached page request. Google was merely "passive in this
process". Secondly, it was shown that Field knew how to disable the caching
feature, using the "do not archive" metatag or the robots.txt code which,
when inserted in a website's HTML code, tells Google spiders not to make
copies of that page. Field could have used that facility, but chose not to.
As such, he was personally barred from claiming copyright infringment
against Google.
Finally, and most crucially, the use Google made of the material was fair
use, said the Court. The four tests usually applied to determine if a use
is "fair use" are:
(1) the purpose and character of the use, including whether such use is of a
commercial nature or is for nonprofit educational purposes;
(2) the nature of the copyrighted work;
(3) the amount and substantiality of the portion used in relation to the
copyrighted
work as a whole; and
(4) the effect of the use upon the potential market for or value of the
copyrigh
Applying the usual USA jurisprudence, he found that Google's use was fair
because, crucially, it was both transformative and socially valuable.
"Because Google serves different and socially important purposes in offering
access to copyrighted works through 'Cached' links and does not merely
supersede the objectives of the original creations, the Court concludes that
Google's alleged copying and distribution of Field's web pages containing
copyrighted works was transformative."
This means the court accepted that making copies in cache s part of the creation of a
database for a search engine, was something very different from, say, making
copies so as to sell pirate copies to the author's potential audience.
Google were not using their cache copies for any commercial purposes which
interfered with the revenues the author would make from them or could
reasonably be anticipated to make. Nor could Google's "socially important"
purpose, to create a comprehensive freely available search database,
including historic records of altered pages, be accomplished without using
caches of the whole page rather than extracts; so the fact that the whole
rather than parts were copied was not fatal to the claim of fair use.
Finally, the court found Google did gain the benefit of the "safe harbor"
defence under the Digital Millennium Copyright Act , s 512 (b) , which which
provides a defence to service providers for the "intermediate and temporary
storage of material on a system or network controlled or operated by or for
the service provider" whereb the storage is carried out by an "automatic
technical process". There had been doubt in the past as to whether this was
intended to cover "long term" cache storage of the sort Google use - around
14 to 20 days storage. The court found this was indeed temporary, since a similar period of 14 days cache had been found legitimate in Ellison v Robertson 357 F.3d 1072, 1081 (9th Cir. 2004).
As OUT-Law note, this ruling
could hardly be more helpful to Google in its ongoing Google Print dispute.
The Google Print project , just like ordinary Google caching, involves the
automated making of full copies of pages of books, scanned in as electronic text, with the intent of making a search index from them which can then deliver limited sections of the books scanned. When book publishers complained this infringed their rights to control the making of copies, Google responded that the publishers had the ability to opt out of scanning. However under pressure, Google reversed their practice on this and asked publishers to explicitly "opt in" to Google Print, rather than leaving the onus on them to "opt out". This of course makes the project of
potentially much lower social value, as well as leaving out "orphan works"
whose copyright holders are unknown.
A court, albeit a District Court only, now seem to have validated Google's
original "opt-out" approach. Not only that, but it has clarified that
scanning in full text as opposed to merely extracts of texts, can be
acceptable fair use. Finally, they have apparently rebutted the damning
argument that Google Print cannot be fair use because it disrupts future
revenues, in the form of as yet uncommenced efforts by publishers to provide
or license similar revenue-generating book-scanning search engines.
Although I am in favour of Google Print as a project (what academic isn't?),
this all seems just a tad too good to be true. For example, in relation to the fair use criteria, Google can hardly claim with a straight face to make no commercial revenue out of providing either cached page links or Google Print in its full glory. Their revenue comes from AdWords , and these sell because so many million people
use Google to search - something providing Google Print can only enhance. This point was raised by Field, but brushed aside : "The fact that Google is a commercial operation is of only minor relevance in the fair use analysis."
Field's works also had little or no commercial value per se. The court
found: "There is no evidence of any market for Field's works. Field makes
the works available to the public for free in their entirety, and admits that he has
never received any compensation from selling or licensing them."
The situation was, therefore, rather different from, say, Oxford University
Press complaining about the scanning and distribution of parts of their
money-making textbooks or encyclopaedias. The court also found that:
"there is no evidence before the Court of any market for licensing search
engines the right to allow access to Web pages through "Cached" links, or
evidence that one is likely to develop."
But this is probably by now not at all true of large scale book scanning operations -it is obvious that the major publishers, stung by the Google and subsequent Yahoo! etc activity, are getting their asses in gear on this one, and that a future search-and-pay-per-view licensed market by each publisher, or consortia of publishers, can well be imagined.
Finally, the application of the DMCA caching safe harbor decision to Google
is right in technical detail, but in terms of purpose, is deeply suspect.
The caching safe harbor of the DMCA (just like its equivalent in the EU, the
EC E Commerce Directive (ECD) Art 13) was intended to protect the common practice
of making highly temporary local copies of multiply-accessed web pages, to
reduce transmission times to local users making page requests, and to reduce
overall Internet congestion. The Google cache services at least one very
different purpose: to make copies of web pages available to users for some time even when the page has moved or been removed (perhaps deliberately to avoid search). Furthermore, since Google spiders periodically return to un-protected pages to refresh the cache, the cache storage of an unaltered page can be seen as permanent, or at least as not "temporary", since it may effectively persist for a much longer period than the 14-20 day cycle cited in court. ( I note with some amusement that in my first post on Google Print months ago I was alreay quizzical about whether Google could take advantage of the caching safe harbors.)
The court seem, indeed, to have gone further in their first finding, by
deeming Google "passive" in the process of making and transmitting a copy to
the user who makes a page request from a Google cache page link. To this
author, that sounds a lot like a finding that Google is not even actively
caching under s 512(b) but merely a "mere conduit" (as we Europeans call
it - see EC ECD, Art 12) - or as stated under s 512(a) of the DMCA, someone
who only provides "transmission, routing, provision of connections or
storage through a system or network controlled or operated by the service
provider." If Google, albeit by automated technologies, initiate the making of cached copies for their own purposes, not for the needs of end users,
they are not, in my view, being passive "mere conduits" and it is misleading
of the court, for whatever well meant purposes, to make that analogy.
In any case, when we come to Google Print, the intentional and active nature of the
copying, even by automated means, becomes even more obvious. Furthermore,
scanned copies of books will be available indefinitely one assumes: so it would be
unreasonable for the caching safe harbor to apply (nor would the hosting safe harbor in either DMCA or ECD be appropriate, since while the content is supplied by a third party, the copying - and potential copyright infringement - is undertaken by Google).
So to sum up: good news for Google on fair use, and very good news indeed on
"opt out" as opposed to "opt in". Watch this space, as I keep saying. Your
humble blogger will be chairing a debate on Google Print at href="http://www2006.org/">WWW 2006 in sunny Edinburgh - I am looking
forward to it.
Thursday, January 26, 2006
Google China more addendum
Boing-Boing helpfully gives us a link to empirical work comparing just what page results have been censored from Google China. Always good to have facts not just agitprop and press releases.
Denial of Service: I Told You So, part 22
As heavily predicted by various commentators, including, ahem, moi, Denial of Service (DoS) attack in the UK is set to become a new offence within the year. Parts of the Private Members Bill on Computer Misuse put forward last year by MP Tom Harris will be included in a new general crime bill. The Government has included updates – with new offences and stiffer penalties – in the Police and Justice Bill, introduced January 25 2006. This will amend the now rather outdated Computer Misuse Act 1990. the matter was brought to a head when a court cleared a teenager last November who had sent five million emails to his former employer, on the grounds that no offence had been committed under the Act.
Section 34 of the Bill expands on the 1990 Act's existing provisions to cover someone who does an unauthorised act in relation to a computer with "the requisite intent and the requisite knowledge." Previously, s 3 of the 1990 Act prohibited only on unauthorised modification of computer programs or data. (Section 1 of the Act deals with unauthorised access ie hacking.)
The requisite intent referred to is an intent to do the act in question, and by so doing:
-to impair the operation of any computer,
-to prevent or hinder access to any program or data held in any computer, or
-to impair the operation of any program or data held in any computer.
This is not so different from the existing law (see emboldened parts). The section on intent is identical to that in the existing 1990 Act, s 3. Crucially, the argument that an unsecured website impliedly authorised everyone in the world to make page requests from it, or send emails to it - even where those requests are for 5 milion pages in an hour leading to the server falling over - still seems potentially open.
As was said by the judge in the November teenager case: "In this case, the individual emails caused to be sent each caused a modification which was in each case an 'authorised' modification. Although they were sent in bulk resulting in the overwhelming of the server, the effect on the server is not a modification addressed by [the Act]."
The new law has changed the word "modification" to "act" (which is not defined except to say it includes a series of acts) but not touched the word "unauthorised". To make matters worse, s 34(4) states that "For the purposes of subsection (1)(b) above, the requisite knowledge is knowledge that the act in question is unauthorised". How hard is to claim after the November case that you reasonably thought making page requests or sending emails was an authorised act?
Quid iuris? One way round this of course would be a clear statement on any potential target website that persons are explicitly not authorised to send multiple emails to the site with the intent of causing system degradation - but this carries with it the usual problems of adequate notice for incorporation, nor is it a very appealing thing to have on your website front page. If the government are finally (after 3 PM Bills) going to the effort of making new law on DoS, I am surprised they have not chosen to clarify the meaning of "unauthorised" by statute. The intent requirement alone will not create a water-tight crime of DoS if the actus reus is not satisfied.
Less ballyhooed but also of interest is the new section 3A added by the 2006 Bill which is extracted below:
“3A Making, supplying or obtaining articles for use in offence under
section 1 or 3(1) A person is guilty of an offence if he makes, adapts, supplies or offers to supply any article—
(a) knowing that it is designed or adapted for use in the course of
or in connection with an offence under section 1 or 3; or
(b) intending it to be used to commit, or to assist in the commission
of, an offence under section 1 or 3."
This probably criminalises the making and selling of virus and DDOS toolkits, something I have wondered about in the past. What if you write a virus-making toolkit to learn about viruses and virus-spreaders so you can be a better security expert? (a) may still catch you. I would have felt happier if the new offense was restricted to the (b) branch, or if the "or" was an "and".
Section 34 of the Bill expands on the 1990 Act's existing provisions to cover someone who does an unauthorised act in relation to a computer with "the requisite intent and the requisite knowledge." Previously, s 3 of the 1990 Act prohibited only on unauthorised modification of computer programs or data. (Section 1 of the Act deals with unauthorised access ie hacking.)
The requisite intent referred to is an intent to do the act in question, and by so doing:
-to impair the operation of any computer,
-to prevent or hinder access to any program or data held in any computer, or
-to impair the operation of any program or data held in any computer.
This is not so different from the existing law (see emboldened parts). The section on intent is identical to that in the existing 1990 Act, s 3. Crucially, the argument that an unsecured website impliedly authorised everyone in the world to make page requests from it, or send emails to it - even where those requests are for 5 milion pages in an hour leading to the server falling over - still seems potentially open.
As was said by the judge in the November teenager case: "In this case, the individual emails caused to be sent each caused a modification which was in each case an 'authorised' modification. Although they were sent in bulk resulting in the overwhelming of the server, the effect on the server is not a modification addressed by [the Act]."
The new law has changed the word "modification" to "act" (which is not defined except to say it includes a series of acts) but not touched the word "unauthorised". To make matters worse, s 34(4) states that "For the purposes of subsection (1)(b) above, the requisite knowledge is knowledge that the act in question is unauthorised". How hard is to claim after the November case that you reasonably thought making page requests or sending emails was an authorised act?
Quid iuris? One way round this of course would be a clear statement on any potential target website that persons are explicitly not authorised to send multiple emails to the site with the intent of causing system degradation - but this carries with it the usual problems of adequate notice for incorporation, nor is it a very appealing thing to have on your website front page. If the government are finally (after 3 PM Bills) going to the effort of making new law on DoS, I am surprised they have not chosen to clarify the meaning of "unauthorised" by statute. The intent requirement alone will not create a water-tight crime of DoS if the actus reus is not satisfied.
Less ballyhooed but also of interest is the new section 3A added by the 2006 Bill which is extracted below:
“3A Making, supplying or obtaining articles for use in offence under
section 1 or 3(1) A person is guilty of an offence if he makes, adapts, supplies or offers to supply any article—
(a) knowing that it is designed or adapted for use in the course of
or in connection with an offence under section 1 or 3; or
(b) intending it to be used to commit, or to assist in the commission
of, an offence under section 1 or 3."
This probably criminalises the making and selling of virus and DDOS toolkits, something I have wondered about in the past. What if you write a virus-making toolkit to learn about viruses and virus-spreaders so you can be a better security expert? (a) may still catch you. I would have felt happier if the new offense was restricted to the (b) branch, or if the "or" was an "and".
Wednesday, January 25, 2006
Google China addendum
My correspondent pete@fenelon.com adds rather sensible: "Something that nobody's yet pointed out about Google China self-censoring is that it's fairly pointless for it to return 'banned' search results anyway, as the 'Great Wall' firewall will block anything containing dangerous subversive content like "democracy" or "Taiwan" anyway.
What use is a search engine where most of the results you click on are
blocked by something else? ;)
Pragmatic move by Google, I'd say. No point searching for content you
can't look at in full."
Another interesting (and perhaps overly provocative, but I like that :-) point made on the Cyberprof mailing list was, why is it ok for the US to export its principles such as freedom of speech to China, but not for China to export its principle of the supremacy of the communist state's security over such freedom to a US company? they're all just values after all..
What use is a search engine where most of the results you click on are
blocked by something else? ;)
Pragmatic move by Google, I'd say. No point searching for content you
can't look at in full."
Another interesting (and perhaps overly provocative, but I like that :-) point made on the Cyberprof mailing list was, why is it ok for the US to export its principles such as freedom of speech to China, but not for China to export its principle of the supremacy of the communist state's security over such freedom to a US company? they're all just values after all..
It's Like Watching Little Anakin Grow Into Darth Vader
Best title evah!!! as Silicon Valley.com comments on Google's controversial roll out of a state-agreed censored Google feed to China.
Not had much time to absorb this, but certain obvious arguments can be made : that a censored service, where blocked sites are at least indicated, is better than continual tussles with the government which might lead to either the total blocking of the site to most PRC residents who can't get access via foreign proxy sites etc, and/or the compulsory imposition of invisible upstream filtering; that Google has a considerable number of employees in China and has to protect them from possible Govrnment backlash; that Google is only doing publicly, and with certain safeguards what the likes of Yahoo! and MSN are already doing covertly.
At heart, even if this is the current best-case scenario for China, what this crisis clarifies is the unsatisfactoriness of a world where Internet search is controlled by a private company; as many many have observed this bodes ill to be as unsatisfactory as a world where 90% of operating systems are controlled by Big Bill. The capitalist solution is, presumably, a better competing search engine (though would they not have as mch trouble in China as Google, and without the market power to negotiate on details?)The regulatory solution is to apply human rights law directly to certain private actors such as Google and Microsoft. But how pie in the sky is that, folks?
AS Silicon Valley note, Google put PR credit in the bank with recently refusing the US government subpoena of personal data. Cynically one might hazard that that was intended to counteract a backlash as a result of decision. Knowing some senior Google people personally, I don't actually think that myself - but it will be interesting to see what happenes to the share price.
Not had much time to absorb this, but certain obvious arguments can be made : that a censored service, where blocked sites are at least indicated, is better than continual tussles with the government which might lead to either the total blocking of the site to most PRC residents who can't get access via foreign proxy sites etc, and/or the compulsory imposition of invisible upstream filtering; that Google has a considerable number of employees in China and has to protect them from possible Govrnment backlash; that Google is only doing publicly, and with certain safeguards what the likes of Yahoo! and MSN are already doing covertly.
At heart, even if this is the current best-case scenario for China, what this crisis clarifies is the unsatisfactoriness of a world where Internet search is controlled by a private company; as many many have observed this bodes ill to be as unsatisfactory as a world where 90% of operating systems are controlled by Big Bill. The capitalist solution is, presumably, a better competing search engine (though would they not have as mch trouble in China as Google, and without the market power to negotiate on details?)The regulatory solution is to apply human rights law directly to certain private actors such as Google and Microsoft. But how pie in the sky is that, folks?
AS Silicon Valley note, Google put PR credit in the bank with recently refusing the US government subpoena of personal data. Cynically one might hazard that that was intended to counteract a backlash as a result of decision. Knowing some senior Google people personally, I don't actually think that myself - but it will be interesting to see what happenes to the share price.
Monday, January 23, 2006
Scotland goes digital?
The Scottish Executive have announced a consultation on the Electronic Communications (Scotland) Act 2006. The purpose of this consultation is to seek views/comments on the proposals to amend appropriate legislation to allow for electronic communications to be accepted in the same way as "in writing" or "by hand" submissions.
Starting: Friday, January 27, 2006 Deadline: Friday, March 24, 2006
This should pave the way , one hopes for fully electronic conveyancing (following the existing ARTL project), electronic application for legal aid (also already being piloted), and , perhaps electronic voting? No more current details - queries to christine.gresswell@scotland.gsi.gov.uk .
Starting: Friday, January 27, 2006 Deadline: Friday, March 24, 2006
This should pave the way , one hopes for fully electronic conveyancing (following the existing ARTL project), electronic application for legal aid (also already being piloted), and , perhaps electronic voting? No more current details - queries to christine.gresswell@scotland.gsi.gov.uk .
Thursday, January 19, 2006
Wikipedia falls beneath the courts..
Just as the Yahoo! v FRance litigation disappears thankfully beneath the waves of the technical process of the US appeal court procedures, a new transatlantic dissensus storm cloud appears.
Wikipedia Germany is down today (19/1/06) because of a court order of some sort, posts James Enck on EuroTelcoblog today. he reports that the legal dispute relates to a deceased German hacker whose real name is used on the Wikipedia site - his family have apparently sued to have the site shut down on the grounds that this violates their privacy.
The case is a lovely example of how notice and take down - in this case backed by court order - can remove vast amounts of useful content from public site even before merits have been decided.
Except that you can still read the exact same content in both German and English, on US Wikipedia, which is also available in German translation. A court order would have to be sought from the US to close them down too and US freedom of speech law is highly unlikely to allow this.
As Enck says, "National litigation [is] rendered nonsensical by a supranational web."
EDIT: Oops, apparently:-)
Wikipedia Germany is down today (19/1/06) because of a court order of some sort, posts James Enck on EuroTelcoblog today. he reports that the legal dispute relates to a deceased German hacker whose real name is used on the Wikipedia site - his family have apparently sued to have the site shut down on the grounds that this violates their privacy.
The case is a lovely example of how notice and take down - in this case backed by court order - can remove vast amounts of useful content from public site even before merits have been decided.
Except that you can still read the exact same content in both German and English, on US Wikipedia, which is also available in German translation. A court order would have to be sought from the US to close them down too and US freedom of speech law is highly unlikely to allow this.
As Enck says, "National litigation [is] rendered nonsensical by a supranational web."
EDIT: Oops, apparently:-)
Saturday, January 14, 2006
Blawgs hit London press!
The Law Society Gazette, major organ of UK solicitors, has finally editorialised on blawgs, including this esteemed site. I guess, we really are in the 21st century, Matilda.. (Even if they didn't give MY URL!)
Thursday, January 12, 2006
Being Annoying on the Internet to Be a Crime?
The blogoverse has lately been full of the shocking news that President Bush has passed into law a provision, tucked into the Violence Against Women and Department of Justice Reauthorization Act of 2005, which in essence, makes it illegal to annoy someone on the Internet, if you do so without disclosing your true identity.
Since many blogger's (and blog-reader's) days are spent mainly achieving this very aim, and often under a pseudonym or under cloak of anonymity, the unrest such a law has incited among the lieges becomes understandable. Some blog sites, such as Blogspot, leave it open to users to use either their true name or a pseudonym (or no name at all) when commenting; others, such as Live Journal, actively encourage uses to conmment only sub pseudonym (although it should be noted that comments made anonymously, can also, on various blog sites, be banned). In the US, anonymity for political (though not other) purposes has a degree of constitutional protection ( McIntyre v. Ohio Election Commission ) and so the fredom of speech mavens are up in arms.
More recent reports have suggested however that (a) this is in fact not a new law at all, but merely an amendment of existing US law relating to "annoying" ie nuisance telephone calls, and (b) that even the amended law continues as before to exclude "interactive computer devices" though it does include calls made at least partially via the Internet. It seems possible therefore that the new law merely extends the old nuisance phone calling prohibition to calls made via IM and VOIP, and is not intended to extend to email, Internet web and Usenet posts at all. The point is also well made that incidental annoyance caused by irate posters, is not at all the same as criminally intending to cause annoyance.
What interests me, though, is that in the UK, as usual, we have on the whole collectively patted ourselves on the back and said "Mad Americans, it culdn't happen here." But in fact, it already has.
The (UK wide) Communications Act 2003, s 127 ("Improper use of public electronic communications network") holds that:
(1) A person is guilty of an offence if he-
(a) sends by means of a public electronic communications network a message or other matter that is grossly offensive or of an indecent, obscene or menacing character; or
(b) causes any such message or matter to be so sent.
and
(2) A person is guilty of an offence if, for the purpose of causing annoyance, inconvenience or needless anxiety to another [emphasis added], he-
(a) sends by means of a public electronic communications network, a message that he knows to be false,
(b) causes such a message to be sent; or
(c) persistently makes use of a public electronic communications network.
So it would appear that, say , the persistently "annoying" commentor on Blogger - a spammer, for example, or perhaps just a particularly brusque or longwinded repeat correspondent - could hypothetically be charged under s 127. Subsection (2)(c) does not appear to require that the "message" be false; nor (as with the US law) is there even the need for anonymity.
And yet no one here makes a fuss about the non-constitutionality of it all. Such a criminal provision has existed since at least 1984 under our old Telecommunications Act, to deal with, surprise, nuisance/crank/malicious phone calls. It was quietly extended to the Internet in the 2003 Act (wherein the definition of a "public telecommunications network" can be found) and even more quietly, has anecdotally been used by the police on occasion since to charge Denial of Service, in the absence of clear guidance as to whether s 3 of the Computer Misuse Act 1990 would cover that crime. (see Blogscript, elsewhere).
Should repeat emails or web posts be criminal simply because they are annoying, inconvenient or anxiety-provoking but not false, malicious or libellous? If they contain threats, they will in any case be chargeable as assault; if they are falseand relate to a living person, they wil often be pursuable as libels. With phone calls it is clear that repeated nuisance calls have a deleterious psychological effect on the victim. But web posts can be ignored, software exists to ban named posters from commenting on many sites, and email can be similarly filtered. Unusual though it is, in a world where we usually try to draft convergence-neutral laws, freedom of speech does seem to demand a different balance for net communications than it does with conventional telephone calls. Perhaps the 2003 Act, s 127 should be reviewed?
Since many blogger's (and blog-reader's) days are spent mainly achieving this very aim, and often under a pseudonym or under cloak of anonymity, the unrest such a law has incited among the lieges becomes understandable. Some blog sites, such as Blogspot, leave it open to users to use either their true name or a pseudonym (or no name at all) when commenting; others, such as Live Journal, actively encourage uses to conmment only sub pseudonym (although it should be noted that comments made anonymously, can also, on various blog sites, be banned). In the US, anonymity for political (though not other) purposes has a degree of constitutional protection ( McIntyre v. Ohio Election Commission ) and so the fredom of speech mavens are up in arms.
More recent reports have suggested however that (a) this is in fact not a new law at all, but merely an amendment of existing US law relating to "annoying" ie nuisance telephone calls, and (b) that even the amended law continues as before to exclude "interactive computer devices" though it does include calls made at least partially via the Internet. It seems possible therefore that the new law merely extends the old nuisance phone calling prohibition to calls made via IM and VOIP, and is not intended to extend to email, Internet web and Usenet posts at all. The point is also well made that incidental annoyance caused by irate posters, is not at all the same as criminally intending to cause annoyance.
What interests me, though, is that in the UK, as usual, we have on the whole collectively patted ourselves on the back and said "Mad Americans, it culdn't happen here." But in fact, it already has.
The (UK wide) Communications Act 2003, s 127 ("Improper use of public electronic communications network") holds that:
(1) A person is guilty of an offence if he-
(a) sends by means of a public electronic communications network a message or other matter that is grossly offensive or of an indecent, obscene or menacing character; or
(b) causes any such message or matter to be so sent.
and
(2) A person is guilty of an offence if, for the purpose of causing annoyance, inconvenience or needless anxiety to another [emphasis added], he-
(a) sends by means of a public electronic communications network, a message that he knows to be false,
(b) causes such a message to be sent; or
(c) persistently makes use of a public electronic communications network.
So it would appear that, say , the persistently "annoying" commentor on Blogger - a spammer, for example, or perhaps just a particularly brusque or longwinded repeat correspondent - could hypothetically be charged under s 127. Subsection (2)(c) does not appear to require that the "message" be false; nor (as with the US law) is there even the need for anonymity.
And yet no one here makes a fuss about the non-constitutionality of it all. Such a criminal provision has existed since at least 1984 under our old Telecommunications Act, to deal with, surprise, nuisance/crank/malicious phone calls. It was quietly extended to the Internet in the 2003 Act (wherein the definition of a "public telecommunications network" can be found) and even more quietly, has anecdotally been used by the police on occasion since to charge Denial of Service, in the absence of clear guidance as to whether s 3 of the Computer Misuse Act 1990 would cover that crime. (see Blogscript, elsewhere).
Should repeat emails or web posts be criminal simply because they are annoying, inconvenient or anxiety-provoking but not false, malicious or libellous? If they contain threats, they will in any case be chargeable as assault; if they are falseand relate to a living person, they wil often be pursuable as libels. With phone calls it is clear that repeated nuisance calls have a deleterious psychological effect on the victim. But web posts can be ignored, software exists to ban named posters from commenting on many sites, and email can be similarly filtered. Unusual though it is, in a world where we usually try to draft convergence-neutral laws, freedom of speech does seem to demand a different balance for net communications than it does with conventional telephone calls. Perhaps the 2003 Act, s 127 should be reviewed?
Friday, January 06, 2006
The digital citizen bites back
Governments are keen on encouraging digital uptake by citizens, because they see the potential both to get votes, reduce voter apathy, and to reduce costs by expanding e-government. But what gives with one hand takes with another. The Register reports that Craig Murray, the former UK ambassador to Uzbekistan has effectively avoided the Official Secrets act by publishing classified documents the government attempted to suppress on his blog. Murray now claims these appeared in over 4,000 blogs within 72 hours. And that the government are unlikely to prosecute him under the OSA - as would of course still be possible - since no jury would be likely to convict.
Both official secrets and contempt of court have long been regarded as dead in the water since the advent of the Internet and at least since the Spycatcher debacle. It will be interesting to see what action, if any, the government do take.
Both official secrets and contempt of court have long been regarded as dead in the water since the advent of the Internet and at least since the Spycatcher debacle. It will be interesting to see what action, if any, the government do take.
Thursday, January 05, 2006
Sony and the Root KIts Play Out
Details of the Sony US settlement re their offending DRM-enabled "root kit" CDs are helpfully reported at Out-Law.com. Inter alia, customers who bought the protected CDs will be entitled to $7.50 each and one album download from a list of 200 titles, or three album downloads from the list if they waive the cash offer.
Sony BMG also undertakes to take "commercially reasonable steps" to destroy the information that it collected from users – the "spyware" aspect of the fracas - namely, album details and IP addresses – within 10 days of collection, except as otherwise required by law or court order. And they undertake to make sure that in any future CD production, no software is installed before the user accepts the EULA -a major step towards transparency which will hopefully now be accepted as an industry must-do.
Sony BMG also undertakes to take "commercially reasonable steps" to destroy the information that it collected from users – the "spyware" aspect of the fracas - namely, album details and IP addresses – within 10 days of collection, except as otherwise required by law or court order. And they undertake to make sure that in any future CD production, no software is installed before the user accepts the EULA -a major step towards transparency which will hopefully now be accepted as an industry must-do.
Road to Nowhere??
Via Bytes in Brief
"On December 26th, it was announced that Britain would become the first
country in the world where the movements of all vehicles on the roads are
recorded. A new national surveillance system will hold the records for at
least two years. Using a network of cameras that can automatically read
every passing number plate, the plan is to build a huge database of
vehicle movements so that the police and security services can analyze any
journey a driver has made over several years. By next March a central
database installed alongside the Police National Computer in Hendon, north
London, will store the details of 35 million number-plate "reads" per day.
These will include time, date and precise location, with camera sites
monitored by global positioning satellites. Already there are plans to
extend the database by increasing the storage period to five years and by
linking thousands of additional cameras so that details of up to 100
million number plates can be fed each day into the central databank. Civil
libertarians are concerned that the movements of millions of law-abiding
people will soon be routinely recorded and kept on a central computer
database for years. "
The British public, unlike privacy advocate groups, has always supported ubiquitous surveillance, at least in the form of CCTV, where the alternative appeared to be the risk of exposure to crime. Will the killer combo of ID cards and full fledged Big Brother style surveillance of all vehicles, with no incentives in sight but speeding tickets, turn the tide of opinion?
If you do care about privacy, this certainly makes worrying over tosh like RFID in the retail chain look like a minor affair. Although if you combine car tracking for the socially included, with ID cards and RFID-cash tracking for the rest, the prospects of future employment for data miners (not minors) look bright indeed.. Minority Report, which I watched again over Xmas, looks nearer and nearer to truth. How far are we from the Dept of Pre-Crime now?
"On December 26th, it was announced that Britain would become the first
country in the world where the movements of all vehicles on the roads are
recorded. A new national surveillance system will hold the records for at
least two years. Using a network of cameras that can automatically read
every passing number plate, the plan is to build a huge database of
vehicle movements so that the police and security services can analyze any
journey a driver has made over several years. By next March a central
database installed alongside the Police National Computer in Hendon, north
London, will store the details of 35 million number-plate "reads" per day.
These will include time, date and precise location, with camera sites
monitored by global positioning satellites. Already there are plans to
extend the database by increasing the storage period to five years and by
linking thousands of additional cameras so that details of up to 100
million number plates can be fed each day into the central databank. Civil
libertarians are concerned that the movements of millions of law-abiding
people will soon be routinely recorded and kept on a central computer
database for years. "
The British public, unlike privacy advocate groups, has always supported ubiquitous surveillance, at least in the form of CCTV, where the alternative appeared to be the risk of exposure to crime. Will the killer combo of ID cards and full fledged Big Brother style surveillance of all vehicles, with no incentives in sight but speeding tickets, turn the tide of opinion?
If you do care about privacy, this certainly makes worrying over tosh like RFID in the retail chain look like a minor affair. Although if you combine car tracking for the socially included, with ID cards and RFID-cash tracking for the rest, the prospects of future employment for data miners (not minors) look bright indeed.. Minority Report, which I watched again over Xmas, looks nearer and nearer to truth. How far are we from the Dept of Pre-Crime now?
Cybercrime enters 2006, pt 3!
Several very interesting recent developments in UK cybercrime case law:
War-chalking or wireless bandwidth theft: The Register report that a man was last week fined £500 after a British jury found him guilty of using a neighborhood wireless broadband connection without permission. Gregory Straszkiewicz, 24, was also sentenced to a 12 months conditional discharge after he was convicted of dishonestly obtaining an communications service and related offences at London's Islewoth Crown Court last Wednesday (20 July). Beeb also reported it.
The case - brought under the Communications Act 2003 s 125 - is the first "war driving" prosecution in the UK, according the police. The Act - which is UK wide - introduced a new offence of dishonestly obtaining an electronic communications service with the intent to avoid a charge applicable to that service. Mr Straszkiewicz is reported to have been caught by police outside a residential building surfing the internet using a laptop. Some commentators have suggested that this might extend the criminal law to surfers who accidentally jump onto another party's net connection (easy to do if a host is using an unsecured connection with no encryption, as many still do). IMHO the mens rea requirement makes this seem unlikely however.
This follows fast on the heels of the first US prosecution for war-driving - it seesm this once hypothetical crime is now here to stay?
Denial of service (DDOS): in my soon to be published article Edwards L “Dawn of the Death of Distributed Denial of Service: How To Kill Zombies” forthcoming(2006) Cardozo Arts and Entertainment Journal, I expressed doubts, contrary to the rather more optimistic approach of both the police and APIC (the All Parliamentary Internet Group), that the Computer Misuse Act 1990, s 3, did indeed criminalise denial of service per se.
Section 3 of the CMA prohibits unauthorised modification of computer data - and was originally intended to criminalise the spreading of comoputer viruses (having been drafted long before DoS became common). DoS basically involves sending so many page or access requests to a computer server that it falls over. It has long been uncertain if this would constitute an "unauthorised modification" under s 3 - if sending one email is a legitimate act, impliedly authorised by the website or server, and not a "modification", is sending 5 million? I think not, although the policy implications are obviously unfortunate.
A UK court has now agreed with me. The judge, District Judge Kenneth Grant , in a November 2005 case at Wimbledon Magistrate's Court , involving a teenager who could not be named for legal reasons, but who had allegedly sent five million emails to a former employer to cause a DoS attack, ruled:
"In this case, the individual emails caused to be sent each caused a modification which was in each case an 'authorised' modification. Although they were sent in bulk resulting in the overwhelming of the server, the effect on the server is not a modification addressed by [the Act]."
As Peter Sommer, a senior research fellow in the London School of Economics' Information Systems department, put it "When you send an e-mail to an e-mail server, you are not modifying that server, because the purpose of the e-mail server is to sit around waiting to receive e-mails aimed at that domain,".
It is not clear from available evidence if the teenager was ever charged with an offense under s 1 of the CMA wich prohibits unauthorised access to a computer or data. It has been hypothesised that a distributed DoS attack, which involves enslaving a large network of unknowing "bot" computers via hacking or virus infestation to send the emails that form the DoS attack, might be susceptible to a s 1 charge. But if the emails the teenager sent contained no malicious material, and he did not use any means of unauthorised access to send email to the victim's server, or utilise a bot network, then s 1 would also not be relevant.
It is likely we will now see legislative change on both "vanilla" DoS and Distributed DoS. A Private Member's Bill already introduced will be read again in 2006. The Scottish courts are also soon likely to have a chance to rule on DoS when the case of a man in Elgin comes to court.
And finally
DRM as virus? the "root of all evil" case.
Sony had some extremely bad press near the end of 2005 when it transpired that Digital Rights Management (or technical protection measures or TPM) software they had placed on some music CDs to prevent them being ripped or played via iTunes, had had the unfortunate additional effects of acting as spyware and rendering user machines vulnerable to virus attacks by third parties. The DRM software was invisible to the user when the CD was loaded, and the EULA laid down that users accepted the DRM as a condition of purchase.
Sony are now under threat of prosecution from various state attorneys in the US and in other countries. They have already made a financial settlement which is likely to protect them from criminal prosecution in the US but Naked Law are now speculating as to whether s 3 of the CMA (that old warhorse again :-)could be used to prosecute Sony in the UK. The matter is likely to be academic, as there is no evidemce any consumer in the UK has suffered from the DRMed CDs, but the interesting question is whether s 3, which makes it an offence to intentionally modify the contents of a computer without the consent of the user, would apply. Users must accept the EULA to play the CD, but the EFF have claimed in the past in relation to similar Sony DRM-protected CDs that "the [DRM] software is installed prior to display of the relevant EULA, and is not removed even if a user does not accept the terms of the EULA". There is as well as the question of how far a user can consent to a criminal act the full consequences of which he is largely or wholly ignorant.
Intersting times..
War-chalking or wireless bandwidth theft: The Register report that a man was last week fined £500 after a British jury found him guilty of using a neighborhood wireless broadband connection without permission. Gregory Straszkiewicz, 24, was also sentenced to a 12 months conditional discharge after he was convicted of dishonestly obtaining an communications service and related offences at London's Islewoth Crown Court last Wednesday (20 July). Beeb also reported it.
The case - brought under the Communications Act 2003 s 125 - is the first "war driving" prosecution in the UK, according the police. The Act - which is UK wide - introduced a new offence of dishonestly obtaining an electronic communications service with the intent to avoid a charge applicable to that service. Mr Straszkiewicz is reported to have been caught by police outside a residential building surfing the internet using a laptop. Some commentators have suggested that this might extend the criminal law to surfers who accidentally jump onto another party's net connection (easy to do if a host is using an unsecured connection with no encryption, as many still do). IMHO the mens rea requirement makes this seem unlikely however.
This follows fast on the heels of the first US prosecution for war-driving - it seesm this once hypothetical crime is now here to stay?
Denial of service (DDOS): in my soon to be published article Edwards L “Dawn of the Death of Distributed Denial of Service: How To Kill Zombies” forthcoming(2006) Cardozo Arts and Entertainment Journal, I expressed doubts, contrary to the rather more optimistic approach of both the police and APIC (the All Parliamentary Internet Group), that the Computer Misuse Act 1990, s 3, did indeed criminalise denial of service per se.
Section 3 of the CMA prohibits unauthorised modification of computer data - and was originally intended to criminalise the spreading of comoputer viruses (having been drafted long before DoS became common). DoS basically involves sending so many page or access requests to a computer server that it falls over. It has long been uncertain if this would constitute an "unauthorised modification" under s 3 - if sending one email is a legitimate act, impliedly authorised by the website or server, and not a "modification", is sending 5 million? I think not, although the policy implications are obviously unfortunate.
A UK court has now agreed with me. The judge, District Judge Kenneth Grant , in a November 2005 case at Wimbledon Magistrate's Court , involving a teenager who could not be named for legal reasons, but who had allegedly sent five million emails to a former employer to cause a DoS attack, ruled:
"In this case, the individual emails caused to be sent each caused a modification which was in each case an 'authorised' modification. Although they were sent in bulk resulting in the overwhelming of the server, the effect on the server is not a modification addressed by [the Act]."
As Peter Sommer, a senior research fellow in the London School of Economics' Information Systems department, put it "When you send an e-mail to an e-mail server, you are not modifying that server, because the purpose of the e-mail server is to sit around waiting to receive e-mails aimed at that domain,".
It is not clear from available evidence if the teenager was ever charged with an offense under s 1 of the CMA wich prohibits unauthorised access to a computer or data. It has been hypothesised that a distributed DoS attack, which involves enslaving a large network of unknowing "bot" computers via hacking or virus infestation to send the emails that form the DoS attack, might be susceptible to a s 1 charge. But if the emails the teenager sent contained no malicious material, and he did not use any means of unauthorised access to send email to the victim's server, or utilise a bot network, then s 1 would also not be relevant.
It is likely we will now see legislative change on both "vanilla" DoS and Distributed DoS. A Private Member's Bill already introduced will be read again in 2006. The Scottish courts are also soon likely to have a chance to rule on DoS when the case of a man in Elgin comes to court.
And finally
DRM as virus? the "root of all evil" case.
Sony had some extremely bad press near the end of 2005 when it transpired that Digital Rights Management (or technical protection measures or TPM) software they had placed on some music CDs to prevent them being ripped or played via iTunes, had had the unfortunate additional effects of acting as spyware and rendering user machines vulnerable to virus attacks by third parties. The DRM software was invisible to the user when the CD was loaded, and the EULA laid down that users accepted the DRM as a condition of purchase.
Sony are now under threat of prosecution from various state attorneys in the US and in other countries. They have already made a financial settlement which is likely to protect them from criminal prosecution in the US but Naked Law are now speculating as to whether s 3 of the CMA (that old warhorse again :-)could be used to prosecute Sony in the UK. The matter is likely to be academic, as there is no evidemce any consumer in the UK has suffered from the DRMed CDs, but the interesting question is whether s 3, which makes it an offence to intentionally modify the contents of a computer without the consent of the user, would apply. Users must accept the EULA to play the CD, but the EFF have claimed in the past in relation to similar Sony DRM-protected CDs that "the [DRM] software is installed prior to display of the relevant EULA, and is not removed even if a user does not accept the terms of the EULA". There is as well as the question of how far a user can consent to a criminal act the full consequences of which he is largely or wholly ignorant.
Intersting times..
The Future of the Borderless Net?
various commentators have pointed me towards the rather fabulous latest issue of LegalAffairs - which features inter alia Julian Dibbell on the taxation of virtual property, a novel topic if ever there was one in these our days of endles novelty,and an excellent summary of where we are in relation to the "repatriation" of the once "borderless" Net by Wu and Goldsmith, the latter one of earliest cynics, sorry, pragmatists from the days when "the law of cyberspace" libertarian wave was at its height.
Discussing the French Yahoo! case, they highlight the often overlooked point that the French court principally decided to place Yahoo! US under their jurisidiction, not out of a sense of obstinate and blind assertion of sovereignty, but because they had discovered that Yahoo! pages referred to French users were coming, not from the US site where Yahoo! were claiming the protection of the US First Amendment, but from a Stockholm mirror site. Wu and Goldsmith go on to reject the aphorism that "information wants to be free" in favour of the declarator that information wants to be organised and categorised, and point out that "geography turns out to be one of the most important ways to organize information on this medium that was supposed to destroy geography". Fascinating stuff.
Discussing the French Yahoo! case, they highlight the often overlooked point that the French court principally decided to place Yahoo! US under their jurisidiction, not out of a sense of obstinate and blind assertion of sovereignty, but because they had discovered that Yahoo! pages referred to French users were coming, not from the US site where Yahoo! were claiming the protection of the US First Amendment, but from a Stockholm mirror site. Wu and Goldsmith go on to reject the aphorism that "information wants to be free" in favour of the declarator that information wants to be organised and categorised, and point out that "geography turns out to be one of the most important ways to organize information on this medium that was supposed to destroy geography". Fascinating stuff.
Wednesday, January 04, 2006
Cybercrime: more good news :-)
Another catch up. The Sydney Morning herald reported on Dec 7 2005 that details of a zero-day vulnerability in Microsoft's Excel spreadsheet program have been put up for sale on eBay, with the seller offering a starting price of 1 US cent. At the time of the article, the bidding had reached $US60 ($A79). Interestingly, the hacker had already reported the flaw to Microsoft but after receiving no response, put it up for sale on EBay. Ethical hacking goes guerilla??
Talking of buying insecurity, it's well known that less ethical persons are now trading bot networks for sums almost though not quite as low as the above. Any serious future concerted EU security policy may have to look at ways of monitoring and clamping down on such sales, pubic and private, as clearly the serious crime intersts who are now using bot networks for spamming, phishing etc are no longer the teen hackers of yore , but simply businessmen who will buy bot networks to make a profit, just like they now buy drugs.
Talking of buying insecurity, it's well known that less ethical persons are now trading bot networks for sums almost though not quite as low as the above. Any serious future concerted EU security policy may have to look at ways of monitoring and clamping down on such sales, pubic and private, as clearly the serious crime intersts who are now using bot networks for spamming, phishing etc are no longer the teen hackers of yore , but simply businessmen who will buy bot networks to make a profit, just like they now buy drugs.
Tuesday, January 03, 2006
The year of the digital citizen-consumer, continued..
Yet more turn of the year past- and future-gazing , emphasising the idea that consumers are now as likely to be participatory citizens and producers of digital products, as passive recipients of services. Blogging, podcasting, and vlogging - video blogging - all get approving nods - as does the new Center for Citizen Media.
"Crucially, what 2005 proved was that far from these techno tools being purely dumb funnels for the same paid-for content from mainstream media, they had the chance to become powerful tools for political expression and reportage.
The consumer was turning into the citizen with a meaningful role to play. Media started to look more participatory and inclusive.
The Boxing Day tsunami of 2004 starkly showed the potential of these tools. Most of the memories of that day have been graphically captured, replayed and played again, making the event much more immediate and personal.
Later in the year, the 7 July London bombings and the hurricanes in the US forced home the fact that citizens had a much larger role in the production of news than ever before. "
This slightly more cynical commentator wonders if there may be downsides for the on line empowered consumer. What about consumer protection law? it tends to assume a disparity of power between creators/retailers/publishers and consumers. Will there be the same force behind arguments for strong consumer protection laws on line in the WEU when consumers are seen as active not passive?
One hard question here is what might happen, in various jurisdcitions, if an EBay buyer claimed consumer protection in a contract gone badly wrong. Would such a person still be characterised as "consumer" if they were sometimes or mostly an EBay seller? Hmmm.
"Crucially, what 2005 proved was that far from these techno tools being purely dumb funnels for the same paid-for content from mainstream media, they had the chance to become powerful tools for political expression and reportage.
The consumer was turning into the citizen with a meaningful role to play. Media started to look more participatory and inclusive.
The Boxing Day tsunami of 2004 starkly showed the potential of these tools. Most of the memories of that day have been graphically captured, replayed and played again, making the event much more immediate and personal.
Later in the year, the 7 July London bombings and the hurricanes in the US forced home the fact that citizens had a much larger role in the production of news than ever before. "
This slightly more cynical commentator wonders if there may be downsides for the on line empowered consumer. What about consumer protection law? it tends to assume a disparity of power between creators/retailers/publishers and consumers. Will there be the same force behind arguments for strong consumer protection laws on line in the WEU when consumers are seen as active not passive?
One hard question here is what might happen, in various jurisdcitions, if an EBay buyer claimed consumer protection in a contract gone badly wrong. Would such a person still be characterised as "consumer" if they were sometimes or mostly an EBay seller? Hmmm.
Cybercrime: happy 2006, pt 1..
Interesting quote from Bruce Schneier:
The (US) Treasury Department says that cyber crime has now outgrown illegal drug sales in annual proceeds, netting an estimated $105 billion in 2004, the report said.
I wonder how they measure it? Assuming it's only based on cybercrime activity they actually detect, the actual figure must surely be much much larger. (The original newspaper report admits that "It is difficult to gauge the true number of security failures because many companies are unaware they've been hacked, the paper said.")
The (US) Treasury Department says that cyber crime has now outgrown illegal drug sales in annual proceeds, netting an estimated $105 billion in 2004, the report said.
I wonder how they measure it? Assuming it's only based on cybercrime activity they actually detect, the actual figure must surely be much much larger. (The original newspaper report admits that "It is difficult to gauge the true number of security failures because many companies are unaware they've been hacked, the paper said.")
First spammer fined in UK
Well, lordy lordy, someone in the UK has finally actually managed to successfully sue a spammer. (This story reported December 27th 2005 - catch up time again, folks.) The miracle of Xmas is clearly with us. Before you cheer too much however, notice the damages - the grand sum of £270. And that isn't just, as the Beeb story suggests, because the claim was done as a small claim - it's because the damages are limited by the actual damage that can be proved to have been done, which is extremely low for most individuals. Even if the criminal law gets involved, the maximum fine under the anti spam provisions of the Privacy and Electronic Communications Regulations falls within Data Protection legislation - - and that, barring solemn procedure (very unusual indeed) is £3,000. Compare to the million dollar punitive damages you can get in the US under the Can Spam Act, or even the 6 figure sums that ICSTIS, the UK premium phone line regulator, can impose when operators breach their rules. DP legislation sanctions are a joke and need reformed desperately. US type class action rules for civil suits would help too. (And hey, I won't even start on how 90% of spam comes from outside the EU and is effectively without control by EU citizens anyway..)
Happy humbug!
Happy humbug!
Monday, January 02, 2006
The consumer as producer, and RSS
Happy New Year! and welcome to some new(ish) interesting stories which have slipped by Blogscript in our, er, seasonal hiatus :-)
The ever faithful Beeb report the emergence of Spy Media, an agency which plans to provide a market place for the sale and exchange of blog posts as well as pictures snapped by ordinary citizens armed with digicams, phonecams and webcams. The idea of a press agwency to market the increasingly valuable snaps taken by the public, and which will allow amateurs as well as professional photographers to hawk their pix to the media for solid dosh, is not new: Scoopt may well have been the first into the market. Pictures taken by the public increasingly shape the public global image of events from the second they happen : the BBC eg received 50 pictures from the public within an hour of the London bombings on July 7 2005.
But Spy Media plan to do more. They plan to "educate people. They are going to demand that material [marketed via Spymedia] not be sent through RSS where people utilise them without permission."
In other words, Spy Media plan to start policing the very common current practice of A N Other providing an RSS feed so that in-demand on-line content from other platforms or websites can be "syndicated" for free to readers all over the blogverse (and without the annoying local platform pop ups and ads). Such RSS syndication without permission is clearly a breach of copyright. But it is also very much a tool whereby the work of unknown creators goes from cult unknown to commercial success: as happened, eg, with the on line gaming cartoon, P v P (which now restricts its content from being RSSed). As with P2P services, it may be worth considering if closing down such RSS feeds may not be more damaging than nurturing to creator revenues. In terms of the syndication of "ordinary" blog posts (as opposed to, say, cartoons or comics or prfesional quality photos)there must be also strong argument of implied license to copy - the aim of most bloggers is, after all, as wide an audience as they can get, rather than monetary rewards.
RSS as a format makes loss of control by creators if not inevitable then extremely hard to police**. But it also is an amzing tool for participatory democracy and brand building for individual creators without corporate advertising budgets. Much of sf writer and EFF official Cory Doctorow's brand recognition as an author, eg, has been built on his wodely syndicated via RSS co-authored blog Boing Boing. It may be better to look at alternative means of revenue collection than to persuade creators into a cease and desist campaign on unauthorised syndicators. One is drawn again to Fisher's vision of a world of compulsory licensing of on line content (music, pictures, and images. perhaps?) along with some kind of entertainment levy.
** Aha. Enquiries among local techie friends (many thanks to Andrew Ducker, Simon Bisson, Mike Scot) reveal that when you are attempting to restrict syndication of images, (eg the P V P on line comic), you can set the site up so that when a request for the image comes in, it checks to see if you're looking at it on the site itself , or on a different one, and "can then send an image saying "Yaah, boo, sucks to you" to people trying to read it from offsite, and the actual image to people looking at it on your site."
(You still can't stop someone creating an RSS feed on their own site saying "Look, there's a new PVP comic over there" - an alert feed. But that's OK, it seems to me. Potential readers are driven to the site of origin, where the creators have chosen to make their work public in the first place, and get the benefits of such. Where's the problem with that?)
But if you're trying to protect syndication of text it's a whole other story. There's almost nothing anyone can do to stop someone scraping an open-to-the-public website's HTML and building a feed from it. "The thing is, once you have content in an open format like HTML, anyone can do anything with it. Blocking screen-scraping spiders is not a trivial exercise if they don't want to be blocked."
The ever faithful Beeb report the emergence of Spy Media, an agency which plans to provide a market place for the sale and exchange of blog posts as well as pictures snapped by ordinary citizens armed with digicams, phonecams and webcams. The idea of a press agwency to market the increasingly valuable snaps taken by the public, and which will allow amateurs as well as professional photographers to hawk their pix to the media for solid dosh, is not new: Scoopt may well have been the first into the market. Pictures taken by the public increasingly shape the public global image of events from the second they happen : the BBC eg received 50 pictures from the public within an hour of the London bombings on July 7 2005.
But Spy Media plan to do more. They plan to "educate people. They are going to demand that material [marketed via Spymedia] not be sent through RSS where people utilise them without permission."
In other words, Spy Media plan to start policing the very common current practice of A N Other providing an RSS feed so that in-demand on-line content from other platforms or websites can be "syndicated" for free to readers all over the blogverse (and without the annoying local platform pop ups and ads). Such RSS syndication without permission is clearly a breach of copyright. But it is also very much a tool whereby the work of unknown creators goes from cult unknown to commercial success: as happened, eg, with the on line gaming cartoon, P v P (which now restricts its content from being RSSed). As with P2P services, it may be worth considering if closing down such RSS feeds may not be more damaging than nurturing to creator revenues. In terms of the syndication of "ordinary" blog posts (as opposed to, say, cartoons or comics or prfesional quality photos)there must be also strong argument of implied license to copy - the aim of most bloggers is, after all, as wide an audience as they can get, rather than monetary rewards.
RSS as a format makes loss of control by creators if not inevitable then extremely hard to police**. But it also is an amzing tool for participatory democracy and brand building for individual creators without corporate advertising budgets. Much of sf writer and EFF official Cory Doctorow's brand recognition as an author, eg, has been built on his wodely syndicated via RSS co-authored blog Boing Boing. It may be better to look at alternative means of revenue collection than to persuade creators into a cease and desist campaign on unauthorised syndicators. One is drawn again to Fisher's vision of a world of compulsory licensing of on line content (music, pictures, and images. perhaps?) along with some kind of entertainment levy.
** Aha. Enquiries among local techie friends (many thanks to Andrew Ducker, Simon Bisson, Mike Scot) reveal that when you are attempting to restrict syndication of images, (eg the P V P on line comic), you can set the site up so that when a request for the image comes in, it checks to see if you're looking at it on the site itself , or on a different one, and "can then send an image saying "Yaah, boo, sucks to you" to people trying to read it from offsite, and the actual image to people looking at it on your site."
(You still can't stop someone creating an RSS feed on their own site saying "Look, there's a new PVP comic over there" - an alert feed. But that's OK, it seems to me. Potential readers are driven to the site of origin, where the creators have chosen to make their work public in the first place, and get the benefits of such. Where's the problem with that?)
But if you're trying to protect syndication of text it's a whole other story. There's almost nothing anyone can do to stop someone scraping an open-to-the-public website's HTML and building a feed from it. "The thing is, once you have content in an open format like HTML, anyone can do anything with it. Blocking screen-scraping spiders is not a trivial exercise if they don't want to be blocked."
Wednesday, November 02, 2005
Th First World Trade War
(via Lenz Blog) Last March, the WTO's Appellate Body confirmed the ruling against the United States in the case of cotton subsidies (DSB 267). This case was brought by Brazil against the United States arguing that the cotton industry in that country is obtaining subsidies from the government that are contrary to trade rules included in the Subsidies and Countervailing Measures (SCM) Agreement, calculated at around $140.000 USD per farmer. The argument by Brazil and other developing countries is that the subsidies make it impossible for their agriculture industries to compete in the global market, as the subsidies bring prizes down. On the other hand, the other greatest subsidiser (the EU) supported the United States in this.
The U.S. lost the case, the subsidies were deemed to be in violation of international trade rules, and was therefore asked to stop the subsidies and bring their legislation in compliance. So far the compliance has not been forthcoming.
This is just the latest case in a series of rulings that have gone against the U.S. in international trade issues in which they are not implementing the ruling, such as the Canadian lumber case. This has prompted questions about the validity of the international trade mechanism, and allows other countries to ask the question of why they should comply. This is dangerous territory at a time that American copyright industry is trying to get China to comply with its TRIPS commitments and stop piracy.
This could open the door for a global trade war, with countries reverting to the protectionist principles before the WTO. Most importantly for the U.S. is the threat by Brazil that they might as well allow the massive copying of American movies and music, and to allow the production of patented pharmaceuticals.
The U.S. lost the case, the subsidies were deemed to be in violation of international trade rules, and was therefore asked to stop the subsidies and bring their legislation in compliance. So far the compliance has not been forthcoming.
This is just the latest case in a series of rulings that have gone against the U.S. in international trade issues in which they are not implementing the ruling, such as the Canadian lumber case. This has prompted questions about the validity of the international trade mechanism, and allows other countries to ask the question of why they should comply. This is dangerous territory at a time that American copyright industry is trying to get China to comply with its TRIPS commitments and stop piracy.
This could open the door for a global trade war, with countries reverting to the protectionist principles before the WTO. Most importantly for the U.S. is the threat by Brazil that they might as well allow the massive copying of American movies and music, and to allow the production of patented pharmaceuticals.
Friday, October 28, 2005
Publication on web in Scotland is not "public" enough!
The latest Brodies Solicitors free technology law supplement helpfully tells me of an intersting recent Scottish Fredom of Information decision.
In Decision 001/2005, Mr l and the Lothian & Borders Safety Camera Partnership (17 May 2005)
Mr L requested sight of the calibration certificate for equipment used in an alleged speeding offence.The Partnership argued that the information was already "otherwise accessible" under s 25 of the FOI (SC) Act by virtue of it being on the Partnership’s website. As it turned out, the particular calibration
certificate was not actually on their website at the time of the request. However, the Commissioner provided his view , making reference to the fact that most deprived households were without internet access according to the Social Justice Annual Report 2003:
“In my view therefore it is not yet possible to say that information which is solely provided on a website is reasonably accessible to people in Scotland”
This must be an expensive blow for public authorities. The commissioner stated that “where [the authority] receives a request for the information to be made
available in another format, e.g. in paper form posted to a home address, then it should do so unless there are overriding technical or cost implications.”
Other recent decisions mainly question the relationship between release of information under FOI and the protection of personal data under data protection law. This is shaping up to be a very controversial area.
In Decision 001/2005, Mr l and the Lothian & Borders Safety Camera Partnership (17 May 2005)
Mr L requested sight of the calibration certificate for equipment used in an alleged speeding offence.The Partnership argued that the information was already "otherwise accessible" under s 25 of the FOI (SC) Act by virtue of it being on the Partnership’s website. As it turned out, the particular calibration
certificate was not actually on their website at the time of the request. However, the Commissioner provided his view , making reference to the fact that most deprived households were without internet access according to the Social Justice Annual Report 2003:
“In my view therefore it is not yet possible to say that information which is solely provided on a website is reasonably accessible to people in Scotland”
This must be an expensive blow for public authorities. The commissioner stated that “where [the authority] receives a request for the information to be made
available in another format, e.g. in paper form posted to a home address, then it should do so unless there are overriding technical or cost implications.”
Other recent decisions mainly question the relationship between release of information under FOI and the protection of personal data under data protection law. This is shaping up to be a very controversial area.
Thursday, October 27, 2005
Secure feed ISPs
Interestingly since writing the last post, I've noticed that Edinburgh University - who act as my ISP and that of many 1000s of staff and students have begun compulsorily scanning the accounts of users, by administrative unit, for security breaches and vulnerabilities. And yes, you can opt out - but then the unit opting out according to the security policy must " ensure that they have sufficient resources to quickly identify compromised or mal-configured systems when the need [arises]" . This is pretty much the model I was beginning to outline below.
Liability of ISPs for malware?
Bruce Schneier has reiterated his long held belief that ISPs should be held liable for their part in spreading viruses and malware.
The Register quote him as saying: “It’s about externalities – like a chemical company polluting a river – they don’t live downstream and they don’t care what happens. You need regulation to make it bad business for them not to care. You need to raise the cost of doing it wrong.” Schneier said there was a parallel with the success of the environmental movement – protests and court cases made it too expensive to keep polluting and made it better business to be greener.
The analogy is appealing, but wrong. ISPs are not the polluters but the water-ways, or perhaps, their curators. The real polluters are the virus writers and bot creators - who are in most jurisdictions already criminally , and probably, civilly liable - just impossible to find.
Schneier goes on to say that ISPs should offer consumers “clean pipe” services: “Corporate ISPs do it, why don’t they offer it to my Mum? We’d all be safer and it’s in our interests to pay."
Here Schneier gets nearer to the real way forward. What Schneier, being a brilliant security expert, not a lawyer or economist, is getting wrong, is not the desirable end - ISPs helping clean up the Internet "environment" - but how to achieve it. You don't need public regulation of ISPs on the polluters model - which is unfair given the ubiquity malware is nsimply ot their fault - when it's easier to get profits to act as an incentive instead. US companies, correctly, saw cleaning up pollution as a profit loser until it was made too expensive to ignore on a PR level, but security can be turned into a money maker easy.
My Mum, much like Schneier's I suspect, has no idea how to set up a firewall or a virus checker, or come to that, her email account. But she's not that short of a bob. If she was offered, instead of the almost useless "BT Privacy", "BT Security" for an extra £12 a month, say, where BT undertook to manage the security of her machine, monitoring, reporting, isolating and cleaning it out if it was infected or zombified, etc etc, she'd take it tomorrow. ISPs should be offering security cleanfeeds instead of content ones. When there's a decent , competitive market of those, we won't NEED enviromental Internet laws - which will in any case be expensive and almost impossible to enforce universally, due to safe havens and lack of global harmonisation of criminal and public law (as Schneier himself acknowledges).
Someone pointed out to me that this isn't a solution, because those who don't buy in to a secure feed still remain vectors for infection. This is true: but it's possible we can deal with that by making the opters-out personally strictly liable for the security of their own machines (they are likely to be either the techy or the bolshy), rather than imposing inequitable liabilities on ISPs wholesale. Such an onus would be likely to drive all but those who really can look after their own machines - sysops, geeks, Linux lovers :-) - into the arms of a safefeed ISP. Another alternative for such would be to offer insurance to cover claims against them by affected consumers or networks.
Another commentor pointed out that a security service almost exactly as described above already exists - and lo! it costs £12 per month!. Truth is stranger than fiction.
The UK answer thus far is not more law but public education in the shape of the new National Hi Tech Crime Unit GetSafe camapign. We shall report on its success but remain cynical ..
The Register quote him as saying: “It’s about externalities – like a chemical company polluting a river – they don’t live downstream and they don’t care what happens. You need regulation to make it bad business for them not to care. You need to raise the cost of doing it wrong.” Schneier said there was a parallel with the success of the environmental movement – protests and court cases made it too expensive to keep polluting and made it better business to be greener.
The analogy is appealing, but wrong. ISPs are not the polluters but the water-ways, or perhaps, their curators. The real polluters are the virus writers and bot creators - who are in most jurisdictions already criminally , and probably, civilly liable - just impossible to find.
Schneier goes on to say that ISPs should offer consumers “clean pipe” services: “Corporate ISPs do it, why don’t they offer it to my Mum? We’d all be safer and it’s in our interests to pay."
Here Schneier gets nearer to the real way forward. What Schneier, being a brilliant security expert, not a lawyer or economist, is getting wrong, is not the desirable end - ISPs helping clean up the Internet "environment" - but how to achieve it. You don't need public regulation of ISPs on the polluters model - which is unfair given the ubiquity malware is nsimply ot their fault - when it's easier to get profits to act as an incentive instead. US companies, correctly, saw cleaning up pollution as a profit loser until it was made too expensive to ignore on a PR level, but security can be turned into a money maker easy.
My Mum, much like Schneier's I suspect, has no idea how to set up a firewall or a virus checker, or come to that, her email account. But she's not that short of a bob. If she was offered, instead of the almost useless "BT Privacy", "BT Security" for an extra £12 a month, say, where BT undertook to manage the security of her machine, monitoring, reporting, isolating and cleaning it out if it was infected or zombified, etc etc, she'd take it tomorrow. ISPs should be offering security cleanfeeds instead of content ones. When there's a decent , competitive market of those, we won't NEED enviromental Internet laws - which will in any case be expensive and almost impossible to enforce universally, due to safe havens and lack of global harmonisation of criminal and public law (as Schneier himself acknowledges).
Someone pointed out to me that this isn't a solution, because those who don't buy in to a secure feed still remain vectors for infection. This is true: but it's possible we can deal with that by making the opters-out personally strictly liable for the security of their own machines (they are likely to be either the techy or the bolshy), rather than imposing inequitable liabilities on ISPs wholesale. Such an onus would be likely to drive all but those who really can look after their own machines - sysops, geeks, Linux lovers :-) - into the arms of a safefeed ISP. Another alternative for such would be to offer insurance to cover claims against them by affected consumers or networks.
Another commentor pointed out that a security service almost exactly as described above already exists - and lo! it costs £12 per month!. Truth is stranger than fiction.
The UK answer thus far is not more law but public education in the shape of the new National Hi Tech Crime Unit GetSafe camapign. We shall report on its success but remain cynical ..
Monday, October 24, 2005
Honey, I Trademarked the Blog
The Markenblog blog reports that on October 21, 2005 the term law blog was registered by the owner of the popular German blog "law blog". The registration does not, actually, expressly cover blogs, but legal services in class 42, and services including the presentation of creative works in class 41. The German registration should not affect the general use of the generic or descriptive term by others.
says the German American Law Journal.
Words fail me really. I'm not a trademark lawyer but has "blog" not become a generic word? Does adding "law" really suffice to distinguish it as a badge of origin of particular services? Anyone out there want to comment?
says the German American Law Journal.
Words fail me really. I'm not a trademark lawyer but has "blog" not become a generic word? Does adding "law" really suffice to distinguish it as a badge of origin of particular services? Anyone out there want to comment?
Creative Commons: threat or menace?-)
Some random quotes from an online discusion on LIve JOurnal after a Friday night pub discussion on whether open source, creative commons and the rest of the anti copyright movements are new religions or merely fora for the development of useful tools:
"Creative Commons and Open Source are religions. Not as bad as some of the others, but nonetheless they are somebody else's vision of utopia that we're all supposed to participate in." Voidampersand.
"The sub-sect that drives me up the wall in the Wikipedians - and I speak as an avid user and browser of Wikipedia. Yes, it's an impressive achievement, but you can only tout it as an improvement over traditional encyclopeadias by rather radically redefining 'improved'. Which some of its most zealous advocates are happy to do... (Isn't it brilliant! Our users can democratically determine the value of pi by continuous re-editing!)"
"I'm tolerant and indeed supportive of OSS between consenting adults; it'd be hypocritical of me not to, as I use enough of the stuff at home - but I'm opposed to fundamentalism about it too. I don't like people saying I shouldn't have the right to protect intellectual property and make a living from it; it should be my choice".
On open source: "it's plainly a way for young white introvert males to "stick it to the man" -- in this instance, their employers"
"Creative Commons and Open Source are religions. Not as bad as some of the others, but nonetheless they are somebody else's vision of utopia that we're all supposed to participate in." Voidampersand.
"The sub-sect that drives me up the wall in the Wikipedians - and I speak as an avid user and browser of Wikipedia. Yes, it's an impressive achievement, but you can only tout it as an improvement over traditional encyclopeadias by rather radically redefining 'improved'. Which some of its most zealous advocates are happy to do... (Isn't it brilliant! Our users can democratically determine the value of pi by continuous re-editing!)"
"I'm tolerant and indeed supportive of OSS between consenting adults; it'd be hypocritical of me not to, as I use enough of the stuff at home - but I'm opposed to fundamentalism about it too. I don't like people saying I shouldn't have the right to protect intellectual property and make a living from it; it should be my choice".
On open source: "it's plainly a way for young white introvert males to "stick it to the man" -- in this instance, their employers"
Friday, October 21, 2005
Once More With Lawyers
Fox have closed down a planned fan performance of the well known Buffy musical Once More With Feeling at a fan convention, on copyright grounds, despite la Joss himself saying he was happy for it to go ahead. Illustrating yet again that the interests of the artists/creators themselves and those they assign rights to tend to be very, very different.
Should a fan musical really need copyright permision? It's well known that UK and US don't go for a "private non commercial copying" exemption as Continental countries like France and Germany do, and even if they did, a public performance would never , I expect, be seen as private copying. But as Kim Weatherall comments, there's no way this performance could do anything other than encourage people to buy profit-making official Buffy CDs, DVDs and other merchandise. There's no travelling official Buffy musical whose revenues can be cut into by fan knock offs (more's the shame!) Fox is simply cutting off its nose to spite its own fans here.
Some commentators have compared this unfavourably to the permissive attitude towards Rocky Horror Show peformances which take place all over the world with massive fan , er, interpretation of the plot and cast. But the point there is that every such performance also involves a public showing of the movie, so will usually involves a revenue stream, as almost all professional cinemas will abide by normal license agreements.
Should a fan musical really need copyright permision? It's well known that UK and US don't go for a "private non commercial copying" exemption as Continental countries like France and Germany do, and even if they did, a public performance would never , I expect, be seen as private copying. But as Kim Weatherall comments, there's no way this performance could do anything other than encourage people to buy profit-making official Buffy CDs, DVDs and other merchandise. There's no travelling official Buffy musical whose revenues can be cut into by fan knock offs (more's the shame!) Fox is simply cutting off its nose to spite its own fans here.
Some commentators have compared this unfavourably to the permissive attitude towards Rocky Horror Show peformances which take place all over the world with massive fan , er, interpretation of the plot and cast. But the point there is that every such performance also involves a public showing of the movie, so will usually involves a revenue stream, as almost all professional cinemas will abide by normal license agreements.
Thursday, October 20, 2005
Oxford Internet Institute UK Survey
The Oxford Internet Institute survey of UK Internet usage landed on my desk (yes! hard copy! how quaint!) this morning. It is a thing of wonder. Every totally obvious statement you ever wanted to include in an article but couldn't be bothered to find statistical backing for is included. Yes, 74% of UK citizens have now bought something on line. Yes, 61% of UK people now have Internet access at home. Yes, broadband uptake is higher in wealthy homes than poorer ones (no, you don't say.) People think the Internet is bad for privacy? Tick! ( 49% think the use of computers in the UK is a threat to personal privacy. 45% are concerned about access to their personal data.) Worried about spam? Tick! (60%. Though only 35% have done anything about it.) Concerned about viruses? Tick! (82%! And 65% have done something about it! (or so they say :-)
Thre are some pleasant (and less pleasant) surprises though. 72% of those asked said the Internet had made their life better. Only 23% agreed strongly that they were concerned about immoral content on the Internet, while 15% strongly disagreed (given the social difficulty of disagreeing with such a question for many parents, the "strongly"s striks me as the only section of the respondents who matter). An amazing 18% claim they post pictures on the Web and 14% keep a website , though only 5% blog (but still!). But only 17% of Britons object to ID cards and around 5% of users have given up on the Internet entirely between 2003 and 2005 for whatever reason (mainly lack of interst - only 11% cited bad experiences and 17% privacy worries.
And only 2% agree strongly that email takes up too much of their time while 65% disagree or strongly disagree. They sure as hell didn't interview me for this survey:-)
Thre are some pleasant (and less pleasant) surprises though. 72% of those asked said the Internet had made their life better. Only 23% agreed strongly that they were concerned about immoral content on the Internet, while 15% strongly disagreed (given the social difficulty of disagreeing with such a question for many parents, the "strongly"s striks me as the only section of the respondents who matter). An amazing 18% claim they post pictures on the Web and 14% keep a website , though only 5% blog (but still!). But only 17% of Britons object to ID cards and around 5% of users have given up on the Internet entirely between 2003 and 2005 for whatever reason (mainly lack of interst - only 11% cited bad experiences and 17% privacy worries.
And only 2% agree strongly that email takes up too much of their time while 65% disagree or strongly disagree. They sure as hell didn't interview me for this survey:-)
Wednesday, October 19, 2005
It's a hacker's life being a security pro
Hands up if you've never worried that a website that looks oh so real might just be a phishing site? We've all by now unfortunately seen enough sites that look as real as apple pie, but something - the URL usually - tells us that actually, it's a vehicle for fraud. If you work in professional computer security, this paranoia must be all the more overwhelming, and you have the tools to hand to test out your theories. It got to a certain Daniel Cuthbert, a security pro, who even lectured part time in security to members of the police's own Computer Crime Unit. Cuthbert, a well meaning citizen, went to a site to donate £30 to the Tsunami relief appeal. After making a donation but not getting any official thank-you or confirmation page, Cuthbert tested the security of the page, using tricks like putting in ../../../ to move up three directories. In fact, the site was genuine, and Cuthbert's access atempts (which failed) were recorded, Cuthbert was arrested, and successfully prosecuted for attempted unauthorised access under s 1 of the Computer Misuse Act. Last week, he was fined £400, paid £600 in costs and lost his job as a result.
Remarkably few convictions have been made under the CMA s 1 and this should not hve been one. As the defense opined, it was tantamount to turning the s 1 offence into a strict liability offense. "Unauthorised access" simplex is the least serious charge in the CMA, but it cannot be regarded as an "administrative" crime, one like wrongful parking, which in the interests of the smooth running of society should be enforceable even when the party intended to do no wrong - it can earn a term of imprisonment and quite clearly demands mens rea. Section 1 of the CMA states that
1.—(1) A person is guilty of an offence if—
(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;
(b) the access he intends to secure is unauthorised; and
(c) he knows at the time when he causes the computer to perform the function that that is the case.
Arguably, Mr Cuthbert was not trying to "secure access" as his purpose but merely as his literal means to that purpose. His true intent was merely to test whether the site was actually what it claimed to be. On the Internet, this is very dificult to establish without attempting access unless the site has a digital certificate or a SET/SSL interface. This defence could have been backed up by analysis of the statute as a whole (and its peliminary debates) which clearly assume that the access that is sought to be obtained is so sought in pursuit of some criminal or at least amoral purpose.
If we are talking only of the preservation of privacy of personal data, not about criminal activity, as we really were here, then the data protection laws should suffice without needing to go to the hacking laws. This was a case for the Information Commisioner not the police. Given the longstanding and honorable tradition of benign hacking to probe security holes (which following Cuthbert, must clearly fall within the s 1 offence) there is room for a public interest/research exemption here to clarify matters, as there is indeed in relation to the arguably much less acceptable act of possession of child pornography (see the Protection of Children Act 1978 1(4)(a) and equivalent provisions for Scotland in the Criminal Justice Act 1988 and Civic Govt )(Sc) Act 1982.) As matters stand, security professionals will be unable in any circumstances to test the validity and security of a site unless they know for sure they have authorisation fom the true owner of the site.
Remarkably few convictions have been made under the CMA s 1 and this should not hve been one. As the defense opined, it was tantamount to turning the s 1 offence into a strict liability offense. "Unauthorised access" simplex is the least serious charge in the CMA, but it cannot be regarded as an "administrative" crime, one like wrongful parking, which in the interests of the smooth running of society should be enforceable even when the party intended to do no wrong - it can earn a term of imprisonment and quite clearly demands mens rea. Section 1 of the CMA states that
1.—(1) A person is guilty of an offence if—
(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;
(b) the access he intends to secure is unauthorised; and
(c) he knows at the time when he causes the computer to perform the function that that is the case.
Arguably, Mr Cuthbert was not trying to "secure access" as his purpose but merely as his literal means to that purpose. His true intent was merely to test whether the site was actually what it claimed to be. On the Internet, this is very dificult to establish without attempting access unless the site has a digital certificate or a SET/SSL interface. This defence could have been backed up by analysis of the statute as a whole (and its peliminary debates) which clearly assume that the access that is sought to be obtained is so sought in pursuit of some criminal or at least amoral purpose.
If we are talking only of the preservation of privacy of personal data, not about criminal activity, as we really were here, then the data protection laws should suffice without needing to go to the hacking laws. This was a case for the Information Commisioner not the police. Given the longstanding and honorable tradition of benign hacking to probe security holes (which following Cuthbert, must clearly fall within the s 1 offence) there is room for a public interest/research exemption here to clarify matters, as there is indeed in relation to the arguably much less acceptable act of possession of child pornography (see the Protection of Children Act 1978 1(4)(a) and equivalent provisions for Scotland in the Criminal Justice Act 1988 and Civic Govt )(Sc) Act 1982.) As matters stand, security professionals will be unable in any circumstances to test the validity and security of a site unless they know for sure they have authorisation fom the true owner of the site.
Friday, September 23, 2005
Suing Google Print
Also from the Beeb, but all over the Web, Google is being sued by an alliance of book publishers, the Author's Guild, over its Google Print scheme. Basically Google Print involves scanning 1000s of books, found in certain university libraries, and when you do a search, GP will deliver you a small section of the text relevant to your search, usually less than a page. In some, but not all, cases, the copyright holders have agreed this can be done, and in some, but not all, cases, the work will be in the public domain. The real controversy arises over whether GP has the right to deliver even snippets of the works in copyright without right holder permission. GP do not seek rightholdr permission in advance, but they DO give rightholders the option to "opt out" of being included in GP.
On Cyberprof, several US law profs argued persuasively that Google had "fair use" on their side; in Europe where fair use/dealing exemptions are very tight under the Copyright Directives, this seems highly unlikely. To be non technical, the policy question is really whether you think what Google is doing is more like making an entire copy of an MP3 without permission of the owner (clearly illegal) or more like looking up an index or digest to find extended references to useful texts (clearly legal.)
I was slightly amazed (and pleased) the first time I looked to find the whole of my own chapter on legal regulation of CCTV in the UK was available (from a book published by Asser Press) . Today, that chapter is no longer there, and two other book chapters of mine (with Kluwer) deliver only 2-3 page snippets. This seems either to be down to a damage mitigation stategy by Google to placate the publishers, or a closing of ranks by the publishers against Google, since one assumes Asser had already given permission to reproduction of the whole book in question, before the GP issue hit the fan.
My own feeling is that, as with the P2P wars, after a certain amount of legal skirmishing, eventually we will see this kind of global library full-text look-up-and-download being accepted by the rightsholders, but only when some mechanism is in place to get a royalty back to the publishers, by some kind of levy or license fee eventually charged against consumers. Cf the transition from illegal Napster to legal Napster, where you buy £10 a month to stream as much music as you like, and the record companies involved in contracts with Napster get their share. One of the arguments being thrown around in favour of Google is that GP is helping raise interest in out of print and back-list books which make little or no money for publishers, so why are the publishers suing?. But publishers must surely be waking up to the fact that that back list can become valuable very easily in a world of universal digital download of text. Google have tried it on, methinks, trying to get to offer this service without paying anything for it.
Lessig argues that as Google already makes copies of every text it spiders in order to deliver search results, finding GP illegal is the same as finding Google the search engine illegal for breach of copyright, and common sense revolts at this idea. But this is not necessarily true, as most jurisdictions now have exemptions allowing for the making of transient rather than permanent copies for "technical reasons". Search engines may reply on thse rather than "fair use" to protest their legality. The question is if such exemptions, mainly tailored to legalise caching, are phrased widely enough to cover what search engines do, and how transient Google's spider copies are. Copies are retained for days, sometimes weeks in Google's cache - can these really be regarded as transient?
In any case, in the UK, The Copyright and Related Rights Regulations 2003 implement the "temporary acts of reproduction" exception provided for in Article 5(1) of the Copyright Directive by inserting a new Section 28A into the 1988 Act, as follows:
"Copyright in a literary work, other than a computer program or a database, or in a dramatic, musical or artistic work, the typographical arrangement of a published edition, a sound recording or a film, is not infringed by the making of a temporary copy which is transient or incidental, which is an integral and essential part of a technological process and the sole purpose of which is to enable -
(a) a transmission of the work in a network between third parties by an intermediary; or
(b) a lawful use of the work;
and which has no independent economic significance.".
Google search engine would fail to get the benefit of this under (a) for sure. And the "economic significance" is also arguable - Google don't get paid for GP, but they do make money out of adverts on the main search site, depending how many people click through on advert links placed next to searches. But (b) is the heart of the argument in Google Print.So it may all, in fact, come back to fair use/fair dealing. We in Europe may need to revisit these exemptions yet again.
On Cyberprof, several US law profs argued persuasively that Google had "fair use" on their side; in Europe where fair use/dealing exemptions are very tight under the Copyright Directives, this seems highly unlikely. To be non technical, the policy question is really whether you think what Google is doing is more like making an entire copy of an MP3 without permission of the owner (clearly illegal) or more like looking up an index or digest to find extended references to useful texts (clearly legal.)
I was slightly amazed (and pleased) the first time I looked to find the whole of my own chapter on legal regulation of CCTV in the UK was available (from a book published by Asser Press) . Today, that chapter is no longer there, and two other book chapters of mine (with Kluwer) deliver only 2-3 page snippets. This seems either to be down to a damage mitigation stategy by Google to placate the publishers, or a closing of ranks by the publishers against Google, since one assumes Asser had already given permission to reproduction of the whole book in question, before the GP issue hit the fan.
My own feeling is that, as with the P2P wars, after a certain amount of legal skirmishing, eventually we will see this kind of global library full-text look-up-and-download being accepted by the rightsholders, but only when some mechanism is in place to get a royalty back to the publishers, by some kind of levy or license fee eventually charged against consumers. Cf the transition from illegal Napster to legal Napster, where you buy £10 a month to stream as much music as you like, and the record companies involved in contracts with Napster get their share. One of the arguments being thrown around in favour of Google is that GP is helping raise interest in out of print and back-list books which make little or no money for publishers, so why are the publishers suing?. But publishers must surely be waking up to the fact that that back list can become valuable very easily in a world of universal digital download of text. Google have tried it on, methinks, trying to get to offer this service without paying anything for it.
Lessig argues that as Google already makes copies of every text it spiders in order to deliver search results, finding GP illegal is the same as finding Google the search engine illegal for breach of copyright, and common sense revolts at this idea. But this is not necessarily true, as most jurisdictions now have exemptions allowing for the making of transient rather than permanent copies for "technical reasons". Search engines may reply on thse rather than "fair use" to protest their legality. The question is if such exemptions, mainly tailored to legalise caching, are phrased widely enough to cover what search engines do, and how transient Google's spider copies are. Copies are retained for days, sometimes weeks in Google's cache - can these really be regarded as transient?
In any case, in the UK, The Copyright and Related Rights Regulations 2003 implement the "temporary acts of reproduction" exception provided for in Article 5(1) of the Copyright Directive by inserting a new Section 28A into the 1988 Act, as follows:
"Copyright in a literary work, other than a computer program or a database, or in a dramatic, musical or artistic work, the typographical arrangement of a published edition, a sound recording or a film, is not infringed by the making of a temporary copy which is transient or incidental, which is an integral and essential part of a technological process and the sole purpose of which is to enable -
(a) a transmission of the work in a network between third parties by an intermediary; or
(b) a lawful use of the work;
and which has no independent economic significance.".
Google search engine would fail to get the benefit of this under (a) for sure. And the "economic significance" is also arguable - Google don't get paid for GP, but they do make money out of adverts on the main search site, depending how many people click through on advert links placed next to searches. But (b) is the heart of the argument in Google Print.So it may all, in fact, come back to fair use/fair dealing. We in Europe may need to revisit these exemptions yet again.
Blog censorship handbook
Interesting BBC article on how bloggers should deal with state censorship, and tips on how to maintain anonymity. One interesting point is that although it is some states such as China and Singapore which are seen as providing rules repressive of freedom of expression, it is private actors - often Anerican based - who are helping them enforce the rules. See "In June, Microsoft's MSN Spaces site in China started to block blog entries which used words such as "freedom", "democracy" and "demonstration". Microsoft said the company abided by the laws, regulations and norms of each country in which it operates."
The point is a difficult one in terms of policy. Microsoft (and Yahoo! who a few weeks back revealed the identity of a blogger to Chinese authorities, probably exposing him to criminal penalties) are criticised for supporting censorship contrary to Western norms which they benefit from in their own home countries. But such companies can also argue that to maintain a base in these countries they have to work by local laws, and that withdrawing would merely reduce the positive importation of e-commerce prosperity and the overall impact of the Net on these countries. It is a case perhaps of medicine today, to have jam tomorrow.
The point is a difficult one in terms of policy. Microsoft (and Yahoo! who a few weeks back revealed the identity of a blogger to Chinese authorities, probably exposing him to criminal penalties) are criticised for supporting censorship contrary to Western norms which they benefit from in their own home countries. But such companies can also argue that to maintain a base in these countries they have to work by local laws, and that withdrawing would merely reduce the positive importation of e-commerce prosperity and the overall impact of the Net on these countries. It is a case perhaps of medicine today, to have jam tomorrow.
Wednesday, September 21, 2005
Purpose of the blog
This blog is directed towards the students in the LLM in Information Technology and the Law (both on campus and distance learning). It is not obligatory work, and it does not constitute assessment in class. The opinions expressed here are not necessarily those of the AHRC Centre.
Welcome to all our new students!
Tuesday, September 13, 2005
Subscribe to:
Posts (Atom)