Avi Rubin Joins Diebold (via Avi Rubin)
RIAA Sues Google; Internet Doomed (via James Grimmelmann)
Valenti Condemns Avian P2P (via me)
EFF buys Department of Justice (also note: Valenti To Join EFF Board) (via EFF)
Omniscience Protocol Specification Published (via Scott Bradner)
Duke Buys the Public Domain (via ibiblio)
Google Staffing Lunar Office (via Google)
WalMart Buys Record Company (via Ernest Miller)
EZBake Oven For Your PC (via ThinkGeek)
Posted by Edward W. Felten at 08:51 AM | permanent link | Comments (2) | Followups (2)
Testimony of Jack Valenti
Motion Picture Association of America
Before the Senate Commerce Committee
April 1, 2004
Mister Chairman,
Last year I appeared before this committee to urge your support for the broadcast flag, a harmless technical standard necessary to stem the gruesome tide of piracy that is sapping the very lifeblood of America’s most important industry. It is with shock and sadness – and deep concern for the fate of our great democracy – that I must reveal to you today an even more disturbing threat to our way of life.
Recently, Israeli scientists demonstrated a new form of wireless networking, a so-called pigeon-to-pigeon, or "P2P", technology based on ultra-high-density memory cards transported by carrier pigeons. The so-called scientists, with utter disregard for all standards of content protection and human decency, proved that their technology offers twice as much bandwidth to the home as existing broadband solutions such as DSL, allowing pirates to download twice as many movies.
Let me be blunt, Mister Chairman. This technology is a vehicle for pornography. Nothing prevents its use to transport the most vile and hateful filth. Indeed – and I hesitate to say this in an open hearing room, but you must know the truth – the carriers themselves have been known to engage in acts of procreation.
Even today, deployment of this destructive technology proceeds. A technical standard for its use, known as RFC 1149, has already been issued, and P2P carriers have begun assembling in parks throughout our great nation – the very same parks frequented by drug dealers.
We cannot – we must not – allow this to stand. Faced with the threat of DSL, our nation rose to the occasion by adopting the broadcast flag. We must rise again, to defy this newest and greatest threat to our liberty, by instituting a program of Direct Reproductive Management, or "DRM," requiring mandatory contraception for every pigeon in America.
Our experts assure us, as they did with the broadcast flag, that this plan is simple, inexpensive, and risk-free. This initiative is of utmost importance to the MPAA. Therefore, it should be implemented by the U.S. Department of Justice, so as not to impede our industry’s work on the nation’s behalf.
Mister Chairman, I cannot overstate the importance of this issue. Our industry, our nation, indeed our civilization itself, depends on your action.
Posted by Edward W. Felten at 06:50 AM | permanent link | Comments (0) | Followups (0)
Somebody over at the Bush-Cheney campaign had better figure out this Internet thingy pretty soon, or it's going to be a long, unpleasant online campaign for them.
The first evidence of the campaign's Net-cluelessness was the Bush-Cheney poster generator that came to be called "The Sloganator". This was a web tool, on the campaign's site, that let you create a Bush-Cheney campaign poster containing the slogan of your choice. On hearing about this, any Net-savvy person knew exactly what would happen next. Opponents would discover the site and create posters with disparaging slogans. Contests would be held, to see who could make the funniest poster. And the whole episode would be commemorated with an online slide show.
This week brings another "what were they thinking" moment, as the Bush campaign contemplates buying pop-up ads on websites. This would be a clever idea – if the ads said "Vote for Kerry". It’s hard to think of a better way to alienate the Net community than to associate your cause with something as universally despised as popup ads. And the mistake of running popup ads would be compounded by the inevitable response, as people all over the Net started attaching spoofed popup ads to their own sites.
Bradley Rhodes at DocBug predicts more of this sort of thing, as the remix culture collides with politics. The MoveOn homebrew ads are only the beginning. Expect to see agenda-laden Flash games, spoofed websites and commercials, George Bush verbal blooper tapes, videos of John Kerry debating himself, and nasty-funny creations of all types, from supporters of both sides (or all three, if you count Nader). It looks like we're in for an entertaining campaign.
Posted by Edward W. Felten at 06:28 AM | permanent link | Comments (13) | Followups (2)
Felix Oberholzer and Koleman Strumpf, of Harvard and the University of North Carolina, respectively, have published an interesting study on the effect of file sharing on record sales. They looked at album sales, actual download traffic for individual songs, and several other variables. Their main conclusion is that file sharing had little or no effect on sales, and they could not reject the statistical hypothesis that file sharing had no effect at all on sales. Though these effects are not statistically significant, the data suggests that file sharing may boost the sale of the most popular albums, and may depress the sales of less popular albums, with a near-zero net effect on sales.
How much should we trust these results? I don't know. The authors look like respectable academics, but their methodology is complex enough that I am not qualified to evaluate it. Perhaps a more qualified reader will have something to say about the study's methodology.
Posted by Edward W. Felten at 06:33 AM | permanent link | Comments (1) | Followups (0)
Senators Orrin Hatch and Patrick Leahy have introduced a new bill, the PIRATE Act, that would authorize the U.S. government to bring civil lawsuits against copyright infringers, and would create a $2 million fund to pay for such suits. (Copyfight has the details.) Rather than doing this, it would be more efficient simply to give copyright owners the $2 million in cash, and let them decide whom to sue, or not to file suits at all.
If spending $2 million on lawsuits will deter enough infringement to increase (the present value of) future copyright revenues by more than $2 million, then copyright owners will find it in their interest to file the suits themselves. If not, then the government has no business filing the suits, since doing so would burn $2 million of government money to create a benefit of less than $2 million. So let’s save ourselves the trouble, and just give the cash to the RIAA and MPAA.
Criminal enforcement by the government might make sense, since private parties can’t bring criminal actions. But civil suits brought by the government, on the same terms those suits could be brought by copyright owners, can only be inefficient.
Worst of all, asking the Department of Justice to spend its valuable time and attention on small-fry copyright suits carries a high opportunity cost. The DoJ has much more important things to do. Copyright infringement is bad, but it’s hardly the greatest threat we face.
Posted by Edward W. Felten at 06:21 AM | permanent link | Comments (3) | Followups (0)
Peter Harsha at CRA points to an interesting analysis, by Colleen Shannon and David Moore of CAIDA, of the recent Witty worm.
Posted by Edward W. Felten at 04:07 PM | permanent link | Comments (0) | Followups (0)
Derek Slater discusses Fraunhofer's new Light Weight DRM system. Derek is skeptical but states his opinion cautiously, not being a technologist. In any case, Derek gets it right.
It's hard to see much that's new in this proposal. If we ignore the newly coined LWDRM buzzword and the accompanying marketing spin, we're left with a fairly standard looking DRM scheme, of the type I call mark-and-trace.
Mark-and-trace DRM schemes try to put a unique, indelible mark on each legitimate copy of a work, so that any infringing copies found later can be traced, with the aid of the mark, back to the legitimate copy from which they originated. Such schemes have fallen out of favor recently, because of two problems.
First, the mark must really be indelible. If an adversary can remove the mark, the resulting "scrubbed" copy can be redistributed with impunity. Nobody has figured out how to make marks that can't be removed from music or video. Past attempts to create indelible marks have failed miserably. A notable example is the SDMI watermarks that my colleagues and I showed were easily removed.
Second, blaming the buyer of an original for all copies (and copies of copies, etc.) made from it just isn't practical. To see why, suppose Alice has a big collection of music on her laptop. Then her laptop is stolen, or somebody breaks into it electronically, and all of her songs end up on millions of computers all over the Net. What then? Do you take all of Alice's earthly possessions to compensate for the millions of infringements that occurred? (And if that's the policy, what sane person will buy music in the first place?) Or do you let Alice off the hook, and allow burglars to defeat your entire DRM scheme? Nobody has a plausible answer to this question; and the Fraunhofer people don't offer one.
Posted by Edward W. Felten at 11:05 AM | permanent link | Comments (9) | Followups (1)
Ben Edelman reports that Utah's governor signed HB323 into law yesterday. That's the anti-spyware law I discussed two weeks ago. I guess we'll find out whether the bill's opponents were right about its supposed burden on legitimate software businesses.
Posted by Edward W. Felten at 10:39 AM | permanent link | Comments (0) | Followups (0)
Simson Garfinkel has an eye-opening piece in CSO magazine about the contents of used hard drives. Simson bought a pile of used hard drives and systematically examined them to see what could be recovered from them.
I took the drives home and started my own forensic analysis. Several of the drives had source code from high-tech companies. One drive had a confidential memorandum describing a biotech project; another had internal spreadsheets belonging to an international shipping company. Since then, I have repeatedly indulged my habit for procuring and then analyzing secondhand hard drives. I bought recycled drives in Bellevue, Wash., that had internal Microsoft e-mail (somebody who was working from home, apparently). Drives that I found at an MIT swap meet had financial information on them from a Boston-area investment firm.
...
One of the drives once lived in an ATM. It contained a year's worth of financial transactions—including account numbers and withdrawal amounts—from an organization that had a legal requirement to not divulge such information. Two other drives contained more than 5,000 credit card numbers—it looked as if one had been inside a cash register. Another had e-mail and personal financial records of a 45-year-old fellow in Georgia. The man is divorced, paying child support and dating a woman he met in Savannah. And, oh yeah, he's really into pornography.
It shouldn't be a secret anymore that when you "delete" a file, it's not really gone. Yes, the file is unreachable by ordinary means, but virtually all of the information is still there on the hard disk, recoverable by anybody with the right tools. If you really want to destroy data, you have to use special disk scrubbing tools that overwrite the "empty" disk space with random data. It's not rocket science, but you do need to be careful.
In Simson's study, between one-third and one-half of the drives had significant amounts of confidential data that could be recovered. Only ten percent of the used drives had been properly scrubbed.
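The difference between deleting and scrubbing, as an added example (not code from the original post or from Simson's study): a toy in-memory disk in which "delete" only drops the directory entry, so a raw scan still finds the data until the free space is overwritten. The block size, the `ToyDisk` class, the file names and the sample ledger are all constructed for illustration.

```python
import os
import re

BLOCK = 64  # toy block size (constructed; real disks use 512 or 4096 bytes)

class ToyDisk:
    """In-memory 'disk': raw blocks plus a directory of name -> (blocks, length)."""

    def __init__(self, nblocks=32):
        self.raw = bytearray(BLOCK * nblocks)
        self.free = set(range(nblocks))
        self.directory = {}

    def write_file(self, name, data):
        needed = -(-len(data) // BLOCK)  # ceiling division
        blocks = sorted(self.free)[:needed]
        if len(blocks) < needed:
            raise OSError("disk full")
        for i, b in enumerate(blocks):
            chunk = data[i * BLOCK:(i + 1) * BLOCK]
            self.raw[b * BLOCK:b * BLOCK + len(chunk)] = chunk
            self.free.discard(b)
        self.directory[name] = (blocks, len(data))

    def read_file(self, name):
        blocks, length = self.directory[name]
        data = b"".join(bytes(self.raw[b * BLOCK:(b + 1) * BLOCK]) for b in blocks)
        return data[:length]

    def delete_file(self, name):
        # Ordinary "delete": forget the name and free the blocks; raw bytes stay put.
        blocks, _ = self.directory.pop(name)
        self.free.update(blocks)

    def scrub_free_space(self):
        # Scrubbing: overwrite every unallocated block with random data.
        for b in self.free:
            self.raw[b * BLOCK:(b + 1) * BLOCK] = os.urandom(BLOCK)

def carve_card_numbers(raw):
    """Scan the raw bytes, ignoring the directory, for isolated 16-digit runs."""
    pattern = rb"(?<!\d)\d{16}(?!\d)"
    return [m.group().decode() for m in re.finditer(pattern, bytes(raw))]

def demo():
    disk = ToyDisk()
    disk.write_file("notes.txt", b"meeting at noon\n")
    # Constructed sample data using standard test card numbers, not real accounts.
    disk.write_file("ledger.csv", b"4111111111111111,20.00\n5555555555554444,75.50\n")
    disk.delete_file("ledger.csv")
    after_delete = carve_card_numbers(disk.raw)  # still recoverable
    disk.scrub_free_space()
    after_scrub = carve_card_numbers(disk.raw)   # gone after the overwrite
    return after_delete, after_scrub, disk.read_file("notes.txt")
```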
[Link credit: Michael Froomkin at discourse.net]
Posted by Edward W. Felten at 06:05 AM | permanent link | Comments (0) | Followups (1)
Frank Field points to an upcoming symposium at Seton Hall on "Peer to Peer at the Crossroads: New Developments and New Directions for the Law and Business of Peer-to-Peer Networking". Here's a summary from the symposium announcement:
This Symposium will review recent developments in the law and business of peer-to-peer networks, with a view to determining where the law is going and where it should go. We will examine both the theoretical and practical implications of recent decisions and legislative initiatives, and will offer different perspectives on where the intersection between P2P technology and the law should lie. Our panelists include scholars and practitioners as well as representative from the U.S. Copyright Office.
This sounded pretty good. But reading the announcement more carefully, I noticed something odd: the speakers are all lawyers. If you're having a conference whose scope includes business and technology, it seems reasonable to have at least some representation from the technology or business communities. Maybe on the panel about "Business Models, Technology, and Trends"?
Now I have nothing against lawyers. Some lawyers really understand technology. A few even understand it deeply. But if I were running a conference on law and technology, and I invited only technologists to speak, this would be seen, rightly, as a big problem. It wouldn't be much of an excuse for me to say that those technologists know a lot about the law. If I'm inviting ten speakers for a conference on technology and the law, surely I have one slot for somebody whose primary expertise is in the law.
Yet the same argument, running in the other direction, seems not to apply sometimes. Why not?
A new computer worm infects PCs by attacking security software, according to a Brian Krebs story in Saturday's Washington Post. The worm exploits flaws in two personal firewall products, made by Black Ice and Real Secure Internet. Just to be clear: the firewalls' flaw is not that they fail to stop the worm, but that they actively create a hole that the worm exploits. People who didn't buy these firewalls are safe from the worm.
This has to be really embarrassing for the vendor, ISS. The last thing a security product should do is to create more vulnerabilities.
This problem is not unique. Last week, another security product, Norton Internet Security, had a vulnerability reported.
Consumers are still better off, on balance, using PC security products. On the whole, these products close more holes than they open. But this is a useful reminder that all network software carries risks. Careful software engineering is needed everywhere, and especially for security products.
Posted by Edward W. Felten at 06:51 AM | permanent link | Comments (4) | Followups (2)
James Gleick has an interesting piece in tomorrow's New York Times Magazine, on the problems associated with naming online. If you're already immersed in the ICANN/DNS/UDRP acronym complex, you won't learn much; but if you're not a naming wonk, you'll find the piece a very nice introduction to the naming wars.
Posted by Edward W. Felten at 07:27 PM | permanent link | Comments (0) | Followups (2)
The Pew Internet & American Life Project has released results of a new survey of experiences with email spam.
The report's headline is "The CAN-SPAM Act Has Not Helped Most Email Users So Far", and this interpretation is followed by the press articles I have seen so far. But it's not actually supported by the data. Taken at face value, the data show that the amount of spam has not changed since January 1, when the CAN-SPAM Act took effect.
If true, this is actually good news, since the amount of spam had been increasing previously; for example, according to Brightmail, spam had grown from 7% of all email in April 2001, to 50% in September 2003. If the CAN-SPAM Act put the brakes on that increase, it has been very effective indeed.
Of course, the survey demonstrates only correlation, not causality. The level of spam may be steady, but there is nothing in the survey to suggest that CAN-SPAM is the reason.
An alternative explanation is hiding in the survey results: fewer people may be buying spammers' products. Five percent of users reported having bought a product or service advertised in spam. That's down from seven percent in June 2003. Nine percent reported having responded to a spam and later discovered it was phony or fraudulent; that's down from twelve percent in June 2003.
And note that the survey asked whether the respondent had ever responded to a spam, so the decrease in recent response rates would be much more dramatic. To understand why, imagine a group of 200 people who responded to the latest survey. Suppose that 100 of them are Recent Adopters, having started using the Internet since June 2003, and that the other 100 are Longtime Users who went online before June 2003. According to the previous survey, seven of the Longtime Users (i.e., 7%) bought from a spammer before June 2003; and according to the latest survey, only ten of our overall group of 200 users (i.e., 5%) have ever bought from a spammer. It follows that only three of our other 190 hypothetical users responded to a spam since June 2003, so that spammers are finding many fewer new buyers than before.
A caveat is in order here. The survey's margin of error is three percent, so we can't be certain there's a real trend here. But still, it's much more likely than not that the number of responders really has decreased.
Posted by Edward W. Felten at 03:16 PM | permanent link | Comments (4) | Followups (0)