Paul Hardwick: OpEd

Big Brother State - An animated short about public surveillance by David Scharf

Sun, 11 Mar 2007 04:06:35 GMT

please also download using Bit Torrent:
(Xvid Version, ca. 50 MB, 768 px x 432 px) ---> CLICK HERE
(Big FLV Version, 55 MB, 768 px x 432 px, use FLV Player to view) ---> CLICK HERE

Check the Internet Archive for other resolutions and formats: CLICK HERE

EFF Calls For Aggressive Congressional Hearings on National Security Letter Misuse.

Sun, 11 Mar 2007 03:52:46 GMT

EFF Calls For Aggressive Congressional Hearings on National Security Letter Misuse.

EFF is calling for Congress to hold aggressive hearings on the FBI's domestic intelligence authority after the release of a Justice Department report [PDF] showing the Bureau abusing its power to collect telephone, Internet, financial, credit, and other personal records about Americans without judicial approval.

Sen. Patrick J. Leahy, D-Vermont, has said the Senate Judiciary Committee will hold hearings into the report's findings. But the widespread abuse detailed in the report requires more than just a cursory examination.

"The Bureau's misuse of its intelligence authority is an ongoing critical problem," said EFF Staff Attorney Marcia Hofmann. "Congress must use its investigative power to find out what's really going on at the FBI -- and then rein in the Bureau's investigative authority to where is was before the USA PATRIOT Act."

In the report, the Justice Department's inspector general identifies four dozen instances in which demands for personal information -- known as National Security Letters -- may have violated laws and agency regulations. The report also found that the Bureau lied to Congress about its use of the letters.

The FBI has had limited authority to issue National Security Letters for many years. However, a controversial provision of the PATRIOT Act greatly expanded the Bureau's ability to use them to gather information about anyone, as long as the agency believes the information could be relevant to a terrorism or espionage investigation.

Today's report follows the inspector general's findings last year that the Bureau had disclosed more than 100 instances of possible intelligence misconduct to the Intelligence Oversight Board in the preceding two years, a number of which were "significant."

In 2005, EFF argued in a friend of the court brief that the FBI's "unfettered authority" to issue National Security Letters "is ripe for abuse." The danger of such abuse has now been documented.

"This is not simply about errors in 'oversight,'" said EFF Senior Staff Attorney Lee Tien. "This is about disregard for the law. For example, FBI terrorism investigators ignored their own lawyers' advice to stop using so-called 'exigent' letters for about two years."

For more information, read the full report from the Justice Department, as well as this brief description of National Security Letters .

[EFF: Deep Links]

Justice Department Says F.B.I. Misused Patriot Act.

Sun, 11 Mar 2007 03:49:18 GMT

Justice Department Says F.B.I. Misused Patriot Act.

In what should not come as that big of a surprise, AP reports:

The FBI improperly and, in some cases, illegally used the USA Patriot Act to secretly obtain personal information about people in the United States, a Justice Department audit concluded Friday.

And for three years the FBI underreported to Congress how often it forced businesses to turn over the customer data, the audit found.

[sigma]The audit by Justice Department Inspector General Glenn A. Fine found that FBI agents sometimes demanded personal data on individuals without proper authorization. The 126-page audit also found the FBI improperly obtained telephone records in non-emergency circumstances.

[sigma]Fine[base ']s annual review is required by Congress, over the objections of the Bush administration.

The audit released Friday found that the number of national security letters issued by the FBI skyrocketed in the years after the Patriot Act became law.

In 2000, for example, the FBI issued an estimated 8,500 letters. By 2003, however, that number jumped to 39,000. It rose again the next year, to about 56,000 letters in 2004, and dropped to approximately 47,000 in 2005.

Over the entire three-year period, the FBI reported issuing 143,074 national security letters requesting customer data from businesses, the audit found. But that did not include an additional 8,850 requests that were never recorded in the FBI[base ']s database, the audit found.

[sigma]The FBI also used so-called [OE][base ']exigent letters,'[base '] signed by officials at FBI headquarters who were not authorized to sign national security letters, to obtain information. In at least 700 cases, these exigent letters were sent to three telephone companies to get toll billing records and subscriber information.

[OE][base ']In many cases, there was no pending investigation associated with the request at the time the exigent letters were sent,'[base '] the audit concluded.

Unbelievable. The full 199-page report can be downloaded here (PDF). And more coverage is available at Boing Boing and 27B Stroke 6.

[michaelzimmer.org]

Newly Revealed FBI Data Abuses and the Data Retention Red Flag.

Sun, 11 Mar 2007 03:43:18 GMT

Newly Revealed FBI Data Abuses and the Data Retention Red Flag.

Greetings. The release of a new report detailing massive FBI abuses of the PATRIOT Act (particularly in regard to National Security Letters), now confirms concerns that I and others have been long expressing about the potential abuse of retained Internet and other data, e.g.:

Sounding the Alarm on Government-Mandated Data Retention

An Open Letter to Google: Concepts for a Google Privacy Initiative

Broad abuses of retained data are now demonstrated to be real, not theoretical, as described in this Washington Post story.

We don't yet really know the full extent of these violations, but what has already been revealed is bad enough as a starting point.

I hope that these events will not only trigger considerable soul-searching by those firms who voluntarily retain user activity data, but also cause a renewed recognition of how broad mandated data retention can facilitate, and inevitably will facilitate, such abuses in the future.

--Lauren--

[Lauren Weinstein's Blog]

Justice: FBI misused Patriot Act powers - Yahoo! News

Fri, 09 Mar 2007 21:34:53 GMT

The FBI improperly and, in some cases, illegally used the USA Patriot Act to secretly obtain personal information about people in the United States, a Justice Department audit concluded Friday.

And for three years the FBI underreported to Congress how often it forced businesses to turn over the customer data, the audit found.

Attorney General Alberto Gonzales, who oversees the FBI, described the problems cited in the report as unacceptable and left open the possibility of criminal charges. He ordered further investigation.

"Once we get that information, we'll be in a better position to assess what kinds of steps should be taken," Gonzales told reporters following a speech to privacy officials.

[...]

The FBI also used so-called "exigent letters," signed by officials at FBI headquarters who were not authorized to sign national security letters, to obtain information. In at least 700 cases, these exigent letters were sent to three telephone companies to get toll billing records and subscriber information.

"In many cases, there was no pending investigation associated with the request at the time the exigent letters were sent," the audit concluded.

In a letter to Fine, Gonzales asked the inspector general to issue a follow-up audit in July on whether the FBI had followed recommendations to fix the problems.

"To say that I am concerned about what has been revealed in this report would be an enormous understatement," Gonzales told the privacy officials. "Failure to adequately protect information privacy simply is a failure to do our jobs."

Senators outraged over the conclusions signaled they would provide tougher oversight of the FBI -- and perhaps limit its power.

"The report indicates abuse of the authority" Congress gave the FBI, said Senate Judiciary Committee Chairman Patrick Leahy (news, bio, voting record), D-Vt. "You cannot have people act as free agents on something where they're going to be delving into your privacy."

The committee's top Republican, Pennsylvania Sen. Arlen Specter (news, bio, voting record), said the FBI appears to have "badly misused national security letters." The senator said, "This is, regrettably, part of an ongoing process where the federal authorities are not really sensitive to privacy and go far beyond what we have authorized."

Sen. Russ Feingold (news, bio, voting record), D-Wis., another member on the panel that oversees the FBI, said the report "proves that 'trust us' doesn't cut it."

The American Civil Liberties Union said the audit proves Congress must amend the Patriot Act to require judicial approval anytime the FBI wants access to sensitive personal information. "The Attorney General and the FBI are part of the problem and they cannot be trusted to be part of the solution," said Anthony D. Romero, the ACLU's executive director.

Policy Makers call for University Internet Filters.

Fri, 09 Mar 2007 17:16:28 GMT

Policy Makers call for University Internet Filters.

At today[base ']s House Judiciary Subcommittee on Courts, the Internet, and Intellectual Property hearing, titled [base "]An Update - Piracy on University Networks,[per thou] we heard from legislators that they[base ']re very concerned about [base "]piracy[per thou] on campus networks.

You should be able to watch the video of the hearing here.

The common theme of the solutions was not only educating students (which all of the witnesses said that they were working on collaboratively), but for campuses to employ technology to filter the packets flowing over the network.

[Public Knowledge - Blogging, Events, and Action Alerts]

Video: the New Kid for the Block.

Fri, 09 Mar 2007 17:13:14 GMT

Video: the New Kid for the Block.

It looks like video sites are the new flashpoint in the battle against free speech online. Perhaps it is that many states control television broadcasts far more tightly than they control the press. Judges across the world clearly think they understand how to censor television - and are surprised when their attempts to do the same to video online don't work as effectively.

In January it was Brazilian judges who found themselves caught in a hailstorm of criticism when attempting to prevent all Brazilians from downloading a salacious video of a Brazilian celebrity. When the only method of obeying the order at local ISP's disposal was blocking all of YouTube from Brazil, Brazilian net users rose up and complained. The decision was overturned three days later.

This week, it was Turkey, whose Istanbul First Criminal Court ordered Turk Telekom to redirect its users away from YouTube to prevent them seeing a video that poured scorn on Turkey and the country's founder, Mustafa Kemal Ataturk.

As in so many cases of government internet censorship, Turkey's reaction has affected the free speech rights of thousands of innocent parties, and done nothing to stop what they want to stop. The growing legions of Turkish net users were denied access to tools to share their own stories, while anti-Ataturk commentary still exists on YouTube and elsewhere. Meanwhile, nationalists inside Turkey found themselves unable to post their own responses to the video, meaning that the ratio of Turkey critics and supporters on YouTube no doubt lurched towards the critics. Those who agreed with the judges that this video was outrageous found themselves as effectively silenced as the video's maker. As one of the four college students who bravely petitioned the court Thursday, Kursat Cetinkoz, said:

"Banning access to the Website does not punish those who did that (posted the videos) but the citizens of the Turkish Republic."

It looks as if the court will now restore access now that the one video has been removed. To YouTube's credit, the company did not remove the video itself. Then again, it didn't have to: the original user appears to have deleted it from his or her account.

The reaction in Turkey, and fear of discovery and retribution by the creator may have played its part in that personal decision. For free speech online to grow, we need to have not only network operators that cannot be intimidated, but we also need safety through anonymity for speakers. Tor, and services like it, work for both viewers and writers. With Tor and other anti-censorship programs, bypassing the court's censorship was straightforward - and publishing via anonymizers helps give intimated speakers the confidence to stand their ground.

[EFF: Deep Links]

Telecoms.com - Telecoms industry "worst for consumer privacy"

Fri, 09 Mar 2007 00:27:48 GMT

The telecoms industry has been accused of collecting excessive amounts of personal data from its customers, with telecom firms faring worse for privacy than companies in other industries.

The accusations come in the "First Quarter 2007 Online Customer Respect Study of the Telecommunications Industry", from international research...

Editor: Just this teaser unless you register at their site.

C-SPAN Unchains Congressional Hearing Videos.

Thu, 08 Mar 2007 22:56:27 GMT

C-SPAN Unchains Congressional Hearing Videos.

C-SPAN has announced that, effective immediately, its videos of Congressional hearings, White House briefings, and other federal events will be freely available for noncommercial copying, sharing and posting, so long as attribution is included (sounds like the Creative Commons by-nc license, but no confirmation on whether that's what they are using). According to the C-SPAN press release, the move recognizes that we're in "an age of explosive growth of video file sharers, bloggers and online citizen journalists."

This is fantastic news! A considerable helping of the credit belongs to Carl Malamud, who responded to a copyright kerfuffle involving House Speaker Nanci Pelosi's use of C-SPAN hearing footage by writing an open letter to C-SPAN's CEO Brian Lamb challenging him to open up the archives to enable these kinds of public uses of C-SPAN content. Several meetings later, it appears C-SPAN decided to rise to the challenge.

Kudos to Carl, and kudos to C-SPAN. This is an amazing bit of public service all around. (Full disclosure: EFF represented Carl in connection with this issue, but we hardly lifted a finger -- all credit goes to Carl.)

[EFF: Deep Links]

Editor: Hmm maybe I'll have to consider making some snippets available in the future. A lot of hearings are dry, but every once in a while you get a real gem.

Yochai Benkler, Cory Doctorow, and Bruce Schneier Win EFF Pioneer Awards.

Thu, 08 Mar 2007 22:39:43 GMT

Yochai Benkler, Cory Doctorow, and Bruce Schneier Win EFF Pioneer Awards.

Mark Cuban to Keynote Award Ceremony in San Diego

San Francisco - The Electronic Frontier Foundation (EFF) is pleased to announce the winners of its 2007 Pioneer Awards: Professor Yochai Benkler of Yale Law School, writer and Boing Boing co-editor Cory Doctorow, and security technologist Bruce Schneier. Mark Cuban -- HDNet Chairman and NBA Dallas Mavericks owner -- will give the keynote address at the award ceremony. The 16th annual Pioneer Awards will be held at 7:30pm, March 27th, at the Manchester Grand Hyatt in San Diego in conjunction with the O'Reilly Emerging Technology Conference.

Professor Yochai Benkler of Yale Law School researches the effects of laws on information, knowledge, and culture in the digital world. Benkler's important contributions include a theoretical explanation of how the Internet has allowed decentralized groups to produce things like technologies and bodies of knowledge more efficiently than any centrally organized corporation or trade-based marketplace could. After the publication of Benkler's most recent book, "The Wealth of Networks," Lawrence Lessig called him "the leading intellectual of the information age."

Cory Doctorow is an activist, writer, blogger, and public speaker about copyright, digital rights management, and electronic freedom. As a co-editor of the Boing Boing blog, he highlights critical technology issues for more than a million readers a day. Doctorow has lectured around the globe and has been nominated for Hugo and Nebula Awards for his science fiction novels. Doctorow is currently the Canadian Fulbright Chair at the USC Center on Public Diplomacy. He was EFF's European Affairs Coordinator until December of 2005.

Bruce Schneier is an internationally renowned security technologist acclaimed for his criticism and commentary on everything from network security to national security. His books -- including the highly influential "Secrets and Lies" and "Applied Cryptography" -- his monthly newsletter, and his security blog have reached hundreds of thousands of people with candid and lucid analysis of security issues. Schneier has often testified before Congress on security policy.

"This year's award winners have all provided important analysis and criticism of our digital world, educating the public on how electronic systems really work and what it means to us and our future," said EFF Executive Director Shari Steele. "I'm thrilled to honor Yochai, Cory, and Bruce. They are truly pioneers of the electronic frontier."

Since 1991, the EFF Pioneer Awards have recognized individuals and organizations that have made significant and influential contributions to the development of computer-mediated communications and to the empowerment of individuals in using computers and the Internet. Past winners include World Wide Web inventor Tim Berners-Lee, Linux creator Linus Torvalds, science fiction writer Bruce Sterling, and Wikipedia founder Jimmy Wales, among many others.

Benkler, Doctorow, and Schneier were nominated by the public and then chosen by a panel of judges. This year's panel includes Kim Alexander (President and founder, California Voter Foundation), Esther Dyson (Internet court jester and blogger, Release 0.9; founding chairman of ICANN; former chairman of EFF), Mitch Kapor (Chair, Open Source Applications Foundation; co-founder and former chairman EFF), Drazen Pantic (Co-director, Location One), Barbara Simons (IBM Research [Retired] and former president ACM), James Tyre, (Co-founder, The Censorware Project; EFF policy fellow) and Jimmy Wales, (Founder, Wikipedia; co-founder, Wikia; chair emeritus of the Wikimedia Foundation).

The Pioneer Awards are sponsored by Sling Media, the world's leading digital lifestyle company offering consumer services and products. Sling Media's product family includes the internationally acclaimed Slingbox that allows consumers to watch and control their living room television at any time, from any location, using PCs, Macs, PDAs and smartphones. For more information on Sling Media or the Slingbox, visit www.slingmedia.com.

Tickets to the Pioneer Awards ceremony and Mark Cuban's keynote address are $35. If you plan to attend, RSVP to events@eff.org. You can also pay for your tickets in advance at http://secure.eff.org/pioneerfundraiser. Members of the media interested in attending the event should email press@eff.org.

For more on attending the Pioneer Awards:
http://www.eff.org/awards/pioneer

Contact:

Katina Bishop
Associate Director of Development
Electronic Frontier Foundation
katina@eff.org

[EFF: Breaking News]

The Fix is In: Massive Web Radio Fee Hike and the XM/Sirius Merger.

Thu, 08 Mar 2007 22:37:56 GMT

The Fix is In: Massive Web Radio Fee Hike and the XM/Sirius Merger. Greetings. While no conspiracy beyond "business as usual" is required to explain this confluence of events, it is fascinating to note the continuing collapse of true competition in the music and radio industries (as in the Internet ISP industry). [Lauren Weinstein's Blog]

How Computers Can Make Voting More Secure.

Thu, 08 Mar 2007 22:35:06 GMT

How Computers Can Make Voting More Secure.

By now there is overwhelming evidence that today[base ']s paperless computer-based voting technologies have such serious security and reliability problems that we should not be using them. Computers can[base ']t do the job by themselves; but what role should they play in voting?

It[base ']s tempting to eliminate computers entirely, returning to old-fashioned paper voting, but I think this is a mistake. Paper has an important role, as I[base ']ll describe below, but paper systems are subject to well-known problems such as ballot-box stuffing and chain voting, as well as other user-interface and logistical challenges.

Security does require some role for paper. Each vote must be recorded in a manner that is directly verified by the voter. And the system must be software-independent, meaning that its accuracy cannot rely on the correct functioning of any software system. Today[base ']s paperless e-voting systems satisfy neither requirement, and the only practical way to meet the requirements is to use paper.

The proper role for computers, then, is to backstop the paper system, to improve it. What we want is not a computerized voting system, but a computer-augmented one.

This mindset changes how we think about the role of computers. Instead of trying to make computers do everything, we will look instead for weaknesses and gaps in the paper system, and ask how computers can plug them.

There are two main ways computers can help. The first is in helping voters cast their votes. Computers can check for errors in ballots, for example by detecting an invalid ballot while the voter is still in a position to fix it. Computers can present the ballot in audio format for the blind or illiterate, or in multiple languages. (Of course, badly designed computer interfaces can do harm, so we have to be careful.) There must be a voter-verified paper record at the end of the vote-casting process, but computers, used correctly, can help voters create and validate that record, by acting as ballot-marking devices or as scanners to help voters spot mismarked ballots.

The second way computers can help is by improving security. Usually the e-voting security debate is about how to keep computers from making security too much worse than it was before. Given the design of today[base ']s e-voting systems, this is appropriate [~] just bringing these systems up to the level of security and reliability in (say) the Xbox and Wii game consoles would be nice. Even in a computer-augmented system, we[base ']ll need to do a better job of vetting the computers[base '] design [~] if a job is worth doing with a computer, it[base ']s worth doing correctly.

But once we adopt the mindset of augmenting a paper-based system, security looks less like a problem and more like an opportunity. We can look for the security weaknesses of paper-based systems, and ask how computers can help to address them. For example, paper-based systems are subject to ballot-box stuffing [~] how can computers reduce this risk?

Surprisingly, the designs of current e-voting technologies, even the ones with paper trails, don[base ']t do all they can to compensate for the weaknesses of paper. For example, the current systems I[base ']ve seen keep electronic records that are subject to straightforward post-election tampering. Researchers have studied approaches to this problem, but as far as I know none are used in practice.

In future posts, we[base ']ll discuss design ideas for computer-augmented voting.

'30s Hollywood Cartoon Censorship.

Wed, 07 Mar 2007 17:45:23 GMT

'30s Hollywood Cartoon Censorship. Cartoon Brew highlights how the Hayes Code impacted cartoons in 1939 -- male characters couldn't be effeminate, kids had to behave and Flossie the cow's sexy udders had to be clothed. At Table of Malcontents. [Wired News: Top Stories]

Nightline NSA Spy Exclusive: Dud.

Wed, 07 Mar 2007 17:07:37 GMT

Nightline NSA Spy Exclusive: Dud. AT&T whistleblower Mark Klein breaks silence to tell ABC News' Nightline about the NSA eavesdropping on the internet, but reveals little new information. In 27B Stroke 6. [Wired News: Top Stories]

Spying at Wal*Mart: Human nature run amuck?

Wed, 07 Mar 2007 16:46:37 GMT

Spying at Wal*Mart: Human nature run amuck? Does the Wal-Mart eavesdropping debacle have the potential to be this year's HP scandal? A former IT security staffer for the retailer evaluates what might have happened. [Computerworld Privacy News]

Cybercrime Treaty: What it Means to You

Wed, 07 Mar 2007 02:53:57 GMT

In that vein, in August the Senate ratified the Convention on Cybercrime, drafted by the Council of Europe with considerable input from the United States. So far, 43 nations have signed on. The Convention includes many sensible provisions aimed at unifying global computer-crime laws, and closes loopholes that make it possible for criminals to escape prosecution by locating their activities offshore.

But civil libertarians, along with leading telecommunications companies, strongly oppose the treaty. Civil libertarians are especially concerned about the sweeping authority given to participating countries to seize information from private parties as they investigate cybercrimes, even when the activity being investigated isn't a crime in the country where the data is located. If France is investigating a sale of Nazi memorabilia on eBay, the U.S. must cooperate, even though such transactions are not illegal in the U.S.

Telecommunications companies object to provisions that require member countries to establish and enforce potent data-retention policies for network traffic, and require any operator of a computer network to respond to requests for information from any participating country without compensation of any kind.

These are potentially serious problems, especially given that the Convention is open to any country that wants to join. But there are more practical reasons U.S. businesses should be concerned. The provisions for data retention and production apply to any operator of a computer network, not just telecoms. Worse, Article 12 attaches liability to businesses for "lack of supervision or control" of employees who commit criminal offenses covered by the Convention. Businesses must worry about employee activities that may be legal here, but illegal elsewhere, risking administrative, civil, or even criminal penalties.

These investigative and supervision costs will invariably be imposed on businesses without any real controls. Worldwide law-enforcement agencies, in other words, may now avail themselves of the opportunity to outsource their most expensive problems to you.

Cybercrime Treaty ó Hidden Costs For All.

Wed, 07 Mar 2007 02:48:08 GMT

Cybercrime Treaty [~] Hidden Costs For All. linuxtelephony writes in with an article at CIO Insight about a cybercrime treaty drafted in Europe with help from the US. It has implications for just about everyone with a network. From the article: "Civil libertarians are especially concerned about the sweeping authority given to participating countries to seize information from private parties as they investigate cybercrimes, even when the activity being investigated isn't a crime in the country where the data is located... Telecommunications companies object to provisions that require member countries to establish and enforce potent data-retention policies for network traffic, and require any operator of a computer network to respond to requests for information from any participating country without compensation of any kind... The provisions for data retention and production apply to any operator of a computer network, not just telecoms... Worldwide law-enforcement agencies, in other words, may now avail themselves of the opportunity to outsource their most expensive problems to you." [Slashdot: Your Rights Online]

Action Alert: Repeal the REAL ID Act!

Wed, 07 Mar 2007 02:24:48 GMT

Action Alert: Repeal the REAL ID Act!

The federal government has taken another step towards forcing you to carry a national ID in order to get on airplanes, open a bank account, enter federal buildings, and much more. But with state legislatures and Congressional representatives increasingly turning against the REAL ID Act, you can help stop this costly, privacy-invasive mandate -- voice your opposition now.

On March 1, the Department of Homeland Security (DHS) released draft regulations [PDF] for implementing REAL ID, which makes states standardize drivers licenses and create a vast national database linking all of the ID records together. Once in place, uses of the IDs and database will inevitably expand to facilitate a wide range of tracking and surveillance activities. Remember, the Social Security number started innocuously enough, but it has become a prerequisite for a host of government services and been co-opted by private companies to create massive databases of personal information.

REAL ID won't just cost you your privacy. The states and individual taxpayers bear the estimated 23 billion dollar burden of implementing the law, and that figure is probably low given that the necessary verification systems don't exist yet.

And what will you get in return? Not improved national security, because IDs do little to stop those who haven't already been identified as threats, and wrongdoers will still be able to create fake documents.

REAL ID is fundamentally flawed, and DHS' proposed regulations do nothing to change that. Thankfully, the tide is turning against REAL ID in a big way -- state legislatures around the country are passing or considering legislation rejecting its implementation, and Congress is considering repealing it.

The DHS regulations mean that states must have an implementation plan ready by October 2007. Make sure your Congressional representatives support the repeal of REAL ID before it's too late.

For more information, check out San Jose Mercury News' recent editorial opposing REAL ID as well as the ACLU's Realnightmare.org.

[EFF: Deep Links]

Top Secret: We're Wiretapping You.

Mon, 05 Mar 2007 21:41:41 GMT

Top Secret: We're Wiretapping You. The feds accidentally give a D.C. attorney a classified document showing that the NSA intercepted his phone calls without a warrant. When they ask for it back, they get a $2 million lawsuit along with it. By Ryan Singel. [Wired News: Security Blanket]

F2C: Freedom to Connect being webcast starting March 5

Mon, 05 Mar 2007 20:57:29 GMT

F2C is a meeting of people engaged with Internet connectivity and all that it enables, including vendors, customers, regulators, legislators, analysts, financiers, citizens and co-creators. This year, the theme of F2C is how universal connectivity and the plunging capital requirements of information production are changing our fundamental economic and social assumptions. (F2C is produced by David S. Isenberg of isen.com, LLC.)

Tune into F2C Group Chat beginning about 8:30AM, Monday 5 March

F2C Webcast available for those who can't be there. (Please participate in Group Chat too.)

Techdirt: An Economic Explanation For Why DRM Cannot Open Up New Business Model Opportunities

Mon, 05 Mar 2007 03:11:01 GMT

Continuing my increasingly lengthy series of posts on the economics of non-scarce goods, I wanted to take a look at an issue that I mentioned in passing earlier this week concerning the ongoing insistence among the entertainment industry (and the DRM industry) that DRM somehow will open up new business models. I'd like to explain why, economically, that doesn't make sense.

First, to clarify, I should point out that, technically, I mean that it doesn't make sense that DRM could ever open up feasible or successful business models. Anyone can create a new unsuccessful business model. For example, I'm now selling $1 bills for $1,000. It's a new business model (well, perhaps not to the dot coms of the original dot com boom), but it's unlikely to be a successful one (if you disagree, and would like to pay me $1,000 for $1, please use the feedback form above to make arrangements). However, for a new business model to make sense, it needs to provide more value. Providing more value than people can get elsewhere is the reason why a business model succeeds. So, any new business model must be based on adding additional value.

Why DRM Cannot Open Up New Business Models.

Mon, 05 Mar 2007 03:08:11 GMT

Why DRM Cannot Open Up New Business Models. An anonymous reader writes "Techdirt has a cool post up that doesn't just explain why DRM is bad, but gives a really interesting economic explanation for why DRM cannot create successful new business models. Since the RIAA and MPAA keep insisting that DRM will create new business models, it's useful to see an argument for why that's basically impossible." As the article says, anyone can create a "new" business model. Creating a successful "new" business model is what is so elusive here. [Slashdot]

Concurring Opinions: The Rise of Customer Blacklists

Sun, 04 Mar 2007 04:55:39 GMT

Blacklists appear to be the rage these days. With the ease of storing and sharing personal information -- coupled with lax privacy law restrictions on such activities -- companies can increasingly create blacklists of bad customers. In this article from the Ottawa Citizen, hotels in Australia and Canada (and soon the United States) are signing up for a service that compiles a blacklist against "bad" hotel guests:

DoJ Mulls Tracking Picture Uploads.

Sun, 04 Mar 2007 03:57:23 GMT

DoJ Mulls Tracking Picture Uploads. Dominus Suus passed us a link to a C|Net article about a disturbing threat to privacy from the Justice Department. According to the article, a private meeting was held Wednesday between Justice officials and telecom industry representatives. With individuals from companies such as AOL and Comcast looking on, the officials continued overtures to increase data retention by ISPs on American citizens. This week, they were specifically looking to have records kept of photo uploads. In this way, and 'in case police determine the content is illegal and choose to investigate,' an easy trail from A to Z will be available. The article provides a good deal of background on the Bush Administration's history with data retention, with ties to events even older than the Bush presidency. --- "The Justice Department's request for information about compliance costs echoes a decade-ago debate over wiretapping digital telephones, which led to the 1994 Communications Assistance for Law Enforcement Act. To reduce opposition by telephone companies, Congress set aside $500 million for reimbursement and the legislation easily cleared both chambers by voice votes. Once Internet providers come up with specific figures, privacy advocates worry, Congress will offer to write a generous check to cover all compliance costs and the process will repeat itself." [Slashdot: Your Rights Online]

Patently Bad Move Gags Critics.

Wed, 28 Feb 2007 23:47:07 GMT

Patently Bad Move Gags Critics. A company finds a sneaky new way to silence security researchers: Claim that defeating its products infringes on patents. Commentary by Jennifer Granick. [Wired News: Security Blanket]

EFF - miniLinks for 2007-02-28.

Wed, 28 Feb 2007 22:50:21 GMT

miniLinks for 2007-02-28.

Supreme Court Debates Patentability of Software
Justices look skeptically at the details of software's protection.

Toward an Ethical Patent System
European citizens unite against over-broad patents....

Bad Patents Are Bad for Business
... as does the European business community to go with it.

Canada Turns Away Americans for Past Misdemeanors
Thanks to DHS data mining, Canada turned away a visitor who shop-lifted during a fraternity prank 20 years ago and others with minor criminal records.

Has the Media Center Moved to Silicon Valley?
On the day of the Oscars, Tom Forenski thinks that films have lost their magic, and Net technology has seized it.

Whit Diffie Warns Of Overbroad Privacy Laws
"I am, on balance, more pleased with the fact that I can learn lots of information about people in minutes by using the Web than I am concerned about the fact that people can learn lots of information about me that way. And I would not like to see laws that restrict people's ability to go investigate things. "

Protect Your Users' Data With a Privacy Wall
How one company works to protect its users' financial information.

SF Chronicle: Reverse Real ID
"Congress must take a hard look at whether it makes sense to proceed with an expansive law that would be more appropriately called the National ID Act."

North Korea and the Internet
North Korea's strange, inward-looking national intranet.

Did WIPO's Director-General Lie About his age?
Confidential report suggests that he was 28 when he first took the job, not 37, and has repeatedly given the wrong age on official documents for 24 years.

The "Crime" of Blogging in Egypt
Abdelkareem Nabil Soliman is sentenced to four years for free speech.

Recording Industry Targets Colleges
Administrators get caught in the crossfire: "[The complaint] is asking us to pursue an investigation and as the service provider we don't see that as our role", says Purdue spokesman.

[EFF: Deep Links]

Lawsuits, patent claims silence Black Hat talk | InfoWorld | 2007-02-27 | By Paul F. Roberts

Wed, 28 Feb 2007 02:59:50 GMT

A planned talk on RFID security by a security researcher has been pulled from this week's Black Hat Federal security conference after secure card maker HID claimed the talk violated the company's patent rights and threatened to take legal action against Chris Paget, the researcher, and IOActive, Paget's employer, if the talk went forward.

The company decided to cancel the talk after all-night negotiations with HID collapsed, said Josh Pennell, CEO of IOActive. In response, Black Hat organizers were forced to tear materials out of printed show proceedings and will instead present a discussion by a representative of the ACLU on the criticality of RFID security, said Jeff Moss, founder and director of Black Hat.

A spokeswoman for HID did not immediately respond to a request for comment.

The incident recalled a 2005 dispute over a presentation at Black Hat in Las Vegas involving Cisco Systems and Michael Lynn, a security researcher who worked for Internet Security Systems at the time.

New Controversy over Black Hat Presentation.

Wed, 28 Feb 2007 02:55:39 GMT

New Controversy over Black Hat Presentation. uniquebydegrees writes "InfoWorld is reporting about a new controversy swirling around a planned presentation at Black Hat Federal in Washington D.C. this week. Security researcher Chris Paget of IOActive will demo an RFID hacking tool that can crack HID brand door access cards. HID Corp., which makes the cards, is miffed and is accusing IOActive of patent infringement over the presentation, recalling the legal wrangling over Michael Lynn's presentation of a Cisco IOS hole at Black Hat in 2005. Black Hat's Jeff Moss says they're standing by their speaker. A news conference is scheduled for tomorrow AM." Update: 02/27 20:10 GMT by Z :InfoWorldMike wrote with a link to story saying that the presentation has been pulled from the slate for Black Hat, as a result of this pressure. [Slashdot]

Administrivia: Now we have a overheated CPU ( 60 degrees centigrade )

Wed, 28 Feb 2007 00:39:01 GMT

OK, if the DDOS attack wasn't enough. Now our server went down with a temperature overload. We were up to 60 degrees centigrade when we shut down. The CPU and a broken fan have been replaced.

Administrivia: Our data-center was hit by a DDOS attack today.

Tue, 27 Feb 2007 22:19:59 GMT

Sorry for being either very slow or off the net for a while recently. The data-center we are part of was hit by a DDOS (Distributed Denial Of Service) attack recently. At the moment it looks to be under control, but we are keeping an eye on things.

Protect the Children From Porn.

Tue, 27 Feb 2007 21:33:20 GMT

Protect the Children From Porn. Sending a teacher to prison for mishandling a classroom porn storm does not address the root of the problem: fear that traces back to ignorance. Commentary by Regina Lynn. [Wired News: Top Stories]

Fool Me Once, Shame On You But Fool Me Twice....

Mon, 26 Feb 2007 22:27:39 GMT

Fool Me Once, Shame On You But Fool Me Twice....

In aiming to settle a class action suit, a group of companies is throwing a proverbial pie in the face of affected consumers.

A Security Fix reader forwarded an e-mail about a benefit he allegedly was eligible to collect as a result of a class-action settlement over services offered by a subsidiary of Experian, one of the three major credit reporting bureaus.

I immediately sensed a phishing scam after reviewing the e-mail and the third-party site touted in the message, which asks the visitor to enter a Social Security number and birth date. But it turns out that the site is legitimate, although extremely insensitive to consumers.

The class-action case referenced in the e-mail is the latest in a series of lawsuits against Consumerinfo.com. The firm promised free credit reports but allegedly failed to clarify that it would charge a customer's credit card $79.95 for a "credit monitoring service."

In yet another insult for affected consumers, the Web site providing more information about the settlement encourages affected individuals to further expose their personal data online.

Consumerinfo.com agreed last week to pay $300,000 to settle charges brought by the Federal Trade Commission that it violated the terms of a previous settlement with the agency over the misleading "free credit reports." It was originally fined $950,000.

The impersonal e-mail was sent to consumers from browningnotice@gardencitygroup.com. It begins: "NOTICE FROM FEDERAL COURT. PLEASE READ. Records show that you entered into an agreement over the Internet with Consumerinfo.com or an Experian entity to purchase any Credit Check or Credit Check Monitoring (which were formerly known as CreditCheck Monitoring Service), Credit Manager (including Yahoo! Credit Manager), Triple Alert, or Triple Advantage credit-monitoring product, or you paid for a credit score sold on a Web site that also sold one of these credit-monitoring products, between June 17, 1998 and December 27, 2006. If so, you may be eligible to receive a benefit under the proposed settlement."

So, exactly what is this perk? It's 60 days of free credit monitoring service from Experian. If you don't cancel this "benefit," Experian will bill you $9.95 per month after the initial 60 days.

The e-mail details the terms of the settlement:

"If you choose credit monitoring, and you don't cancel your credit-monitoring membership after using your code to obtain the credit monitoring benefit but prior to the expiration of the 60 day, settlement benefit period, you will be billed at the then-applicable rate, which is currently $9.95, for each month that you continue your membership."

If you were an individual burned by this bogus "free credit report" offer who wasn't already insulted enough, go to browningsettlement.com, the site erected by Melville, N.Y.-based Garden City Group, a company that administers class action settlements.

The Web site includes a link to "update your contact information," where it asks a visitors to enter a Social Security number and birth date. Phishing scams almost always try to dupe people into entering personal data at fake bank and e-commerce sites by blasting out e-mails telling people they need to "update" their information. I spoke with the contact who registered the site, Frank Dmuchowski, but he referred me without comment to Garden City's public relations staff. That person in turn referred me to a woman at Experian, with whom I'm currently playing phone tag.

How else does this whole operation resemble a phishing scam? The e-mail does not address the recipient by name. It contains some very elaborate explanations and legalese that is somewhat akin to a Nigerian scheme. There is also the element of urgency. Recipients are told that if they do not respond within a given period of time, they will give up their rights to sue the company in as part of a class in any other lawsuit. Maybe that's one reason why we have seen phishing scams disguised as settlement offers succeed so well: settlement companies are conditioning consumers to respond to them, and the federal courts are encouraging this practice.

But wait, there's more. While a federal court has deemed it acceptable for companies like the Garden City Group to communicate with people this way via e-mail, anyone who wants to object or exclude themselves from the settlement terms must do so by snail mail by May 15. Anyone who wants to accept the dubious settlement benefit, however, is free to do so by e-mail.

Please do not let this May 15 deadline slip away. Write to the Browning Settlement Administrator to tell the court why you think the settlement stinks:

Objections-Browning Settlement Administrator
P.O. Box 91141
Seattle, WA 98111-9241

In addition, you can request to speak in court about the fairness of the settlement at a hearing on July 31.

Under federal law, all U.S. citizens are eligible for a free copy of their credit report from each of the three major credit reporting bureaus: Experian, Equifax and Trans Union. Consumers should take advantage of this benefit, but only by visiting http://www.annualcreditreport.com or calling a toll-free number: 1-877-322-8228. You will get the most mileage out of your free reports if you scatter them across the entire calendar year by contacting a different credit bureau every four months.

Update, 3:50 p.m.: I heard from Experian spokesperson Heather Greer, who said that all communications were reviewed and approved by the court in accordance with the settlement." With regard to this settlement, we felt that this was the best way to inform consumers as soon as possible as to the products they were entitled to as part of the class," Green said. She added that the settlement site also includes a toll-free number (1-800-399-4322) that consumers also can use to either opt-out or accept the terms of the settlement.

[Security Fix]

Wired News: Why Smart Cops Do Dumb Things By Bruce Schneier

Sun, 25 Feb 2007 04:58:46 GMT

Since 9/11, we've spent hundreds of billions of dollars defending ourselves from terrorist attacks. Stories about the ineffectiveness of many of these security measures are common, but less so are discussions of why they are so ineffective. In short: Much of our country's counterterrorism security spending is not designed to protect us from the terrorists, but instead to protect our public officials from criticism when another attack occurs.

Are we stuck with CYA homeland security? | NetworkWorld.com Community

Sun, 25 Feb 2007 04:53:52 GMT

Wired has a thought-provoking piece this morning from security expert Bruce Schneier - headlined "Why smart cops do dumb things". It makes the case that the bulk of post-9/11 homeland security excesses stem from a most natural of human instincts: the need to cover one's ass.

The headline is misleading in that the essay is not about police officers specifically, but rather public safety officials, politicians and regulators of all stripes. But on the broader score the column is dead-on accurate: We've scared ourselves half to death and thus practically demand that those entrusted with keeping us safe go to absurd extremes to keep from being scapegoated should something go wrong. ... And something will go wrong. That part of the equation is not irrational.

The only quibble I have with Schneier's assessment is his conclusion that "there might not be a solution." Call me a crazy optimist (you'd be the first), but I've got to believe there's a way out of this knot.

Human Nature Trumps Homeland Security.

Sun, 25 Feb 2007 04:41:19 GMT

Human Nature Trumps Homeland Security. netbuzz writes "Security expert Bruce Schneier suggests this morning that 'there might not be a solution' to our post-9/11 penchant for making domestic anti-terrorism decisions based on the basic human desire to cover one's backside. He might be right. But shouldn't we at least try to figure out a better way? For example, wouldn't 'Commonsense Homeland Security' be a winning political banner, not a risky one? " [Slashdot: Your Rights Online]

Pendulum Swinging Toward Privacy.

Sun, 25 Feb 2007 04:31:04 GMT

Pendulum Swinging Toward Privacy. netbuzz writes "The New York Times reports this morning on a gathering movement to remove Social Security numbers from online public records. While justifiable, given the reality of and concerns about identity theft, it also doesn't take much to imagine how such concerns will be abused by public officials who are strapped for cash and/or ethically challenged." [Slashdot: Your Rights Online]

DRM Causes Piracy.

Sun, 25 Feb 2007 04:26:18 GMT

DRM Causes Piracy. igorsk recommends an essay by Eric Flint, editor at Baen Publishing and an author himself, over at Baen's online SF magazine, Baen Universe. In it Flint argues that, far from curbing piracy of copyrighted materials, DRM actually causes it. Quoting: "Electronic copyright infringement is something that can only become an 'economic epidemic' under certain conditions. Any one of the following: 1) The products they want... are hard to find, and thus valuable. 2) The products they want are high-priced, so there's a fair amount of money to be saved by stealing them. 3) The legal products come with so many added-on nuisances that the illegal version is better to begin with. Those are the three conditions that will create widespread electronic copyright infringement, especially in combination. Why? Because they're the same three general conditions that create all large-scale smuggling enterprises. And... Guess what? It's precisely those three conditions that DRM creates in the first place. So far from being an impediment to so-called 'online piracy,' it's DRM itself that keeps fueling it and driving it forward." [Slashdot: Your Rights Online]

RIAA to Parents: Pop-Ups + Viruses = Piracy!

Sun, 25 Feb 2007 04:01:25 GMT

RIAA to Parents: Pop-Ups + Viruses = Piracy!

If a parent sees pop-up ads and viruses on her computer, she can be sued for copyright infringement by the RIAA.

At least that's what the RIAA is arguing in a recent court filing in the Capitol v. Foster case, in which a federal judge made the RIAA cough up attorney's fees to a mother, Debra Foster, who had been sued because her daughter was file sharing. The RIAA lawyers had dawdled in dismissing their complaint against Foster, even after her child admitted to being the file-sharer in the house (the RIAA went ahead and got a default judgment against the child).

This new filing marks the first time the RIAA has explained its claim that parents are liable for the infringements committed by their children (a theory that has never been accepted by any court, to the best of my knowledge). The argument is pretty remarkable, built on a house of cards including the notion that "everyone knows" pop-up ads and viruses signify piracy! Here's the relevant portion of the RIAA brief:

Given that it has been established that the Kazaa file-sharing program was on the Foster family's computer, the evidence would have established that the Kazaa icon was clearly visible on the computer when defendant was using it and that there were likely a substantial number of pop-up advertisements, the types of which have been associated with the Kazaa program.

In other words, the RIAA believes that pop-up ads and a system tray icon should put every parent on the hook for every download on the computer.

In addition, it is undisputed that defendant had an account with Cox Communications. Defendant's subscriber agreement with Cox made clear that defendant, as the account holder, was responsible for what is done on her account. ...

Here, the RIAA is trying to make a private contract between Cox and the parent into a promise to the RIAA. Of course, since this is standard boilerplate in ISP customer agreements, this argument would apply equally to every broadband subscriber, whether parent, employer, library, or school.

Finally, plaintiffs believe that discovery would have revealed substantial other evidence of defendant's knowledge and material assistance in the underlying infringements. For example, the computer may well have been in a common area such that defendant heard music coming from the computer when admitted infringer Amanda Foster was using it. In addition, the evidence may have established, as it has in other similar cases, that there were viruses on the computer due to Kazaa and that defendant may have had work done on the computer that would have revealed the existence of the file-sharing program. ...

Yes, parents, that means every time you hear music emanating from a computer, the RIAA believes you have a legal duty to check the copyright pedigree of its source. Oh, and if your computer has a virus, same answer.

Similarly, plaintiffs believe that, had they been given the opportunity, they would have been able to prove vicarious infringement. Specifically, plaintiffs would have proved that, as a parent, defendant had the full right and ability to control her daughter's use of the computer at issue. Most parents impose restrictions on computer usage by their children (e.g., rules about pornography sites and chat rooms), and plaintiffs believe that defendant would have done so as well. Plaintiffs further would have proven that defendant had a direct financial interest in her daughter's infringing activities, which, of course, involve substantial sums of money in terms of the value of the recordings at issue and the potential liabilities resulting from such activities.

By this logic, the more responsible you are as a parent, the more the RIAA will be entitled to collect from you. Moreover, the RIAA is confusing the benefit to the child with the benefit to the parent. As every parent knows, just because your kids wants a new CD doesn't mean you would have bought it for them.

Let's be clear what this pretzel logic is really all about -- the RIAA wants to reach a hand into every parent's pocket in order to fuel their mass litigation campaign, irrespective of whether the law supports this. But there is a bigger risk, as well. If court's accept this argument in file-sharing cases, the RIAA will have a precedent to use against every employer, every library, and every school for every copyright infringement committed on its computers. So I'm on the side of the judge in Capitol v. Foster, who dubbed these RIAA arguments "untested and marginal."

For more on parental liability in RIAA file sharing lawsuits, take a look at the memo we prepared on the subject in 2005 (soon to be updated in light of more recent authorities, including Capitol v. Foster).

[EFF: Deep Links]

Going to Canada? Check your past / Visitors with minor criminal records turned back at border

Fri, 23 Feb 2007 22:25:44 GMT

There was a time not long ago when a trip across the border from the United States to Canada was accomplished with a wink and a wave of a driver's license. Those days are over.

Take the case of 55-year-old Lake Tahoe resident Greg Felsch. Stopped at the border in Vancouver this month at the start of a planned five-day ski trip, he was sent back to the United States because of a DUI conviction seven years ago. Not that he had any idea what was going on when he was told at customs: "Your next stop is immigration.''

Felsch was ushered into a room. "There must have been 75 people in line," he says. "We were there for three hours. One woman was in tears. A guy was sent back for having a medical marijuana card. I felt like a felon with an ankle bracelet.''

[...]

Welcome to the new world of border security. Unsuspecting Americans are turning up at the Canadian border expecting clear sailing, only to find that their past -- sometimes their distant past -- is suddenly an issue.

While Canada officially has barred travelers convicted of criminal offenses for years, attorneys say post-9/11 information-gathering, combined with a sweeping agreement between Canada and the United States to share data, has resulted in a spike in phone calls from concerned travelers.

They are shocked to hear that the sins of their youth might keep them out of Canada. But what they don't know is that this is just the beginning. Soon other nations will be able to look into your past when you want to travel there.

[...]

"From the time that you turn 18, everything is in the system,'' says Lucy Perillo, whose Canada Border Crossing Service in Winnipeg, Manitoba, helps Americans get into the country.

[...]

So it isn't as if rules have stiffened. But what has changed is the way the information is gathered. In the wake of 9/11, Canada and the United States formed a partnership that has dramatically increased what Lesperance calls "the data mining'' system at the border.

The Smart Border Action Plan, as it is known, combines Canadian intelligence with extensive U.S. Homeland Security information. The partnership began in 2002, but it wasn't until recently that the system was refined.

"They can call up anything that your state trooper in Iowa can,'' Lesperance says. "As Canadians and Americans have begun cooperating, all those indiscretions from the '60s are going to come back and haunt us.''

[...]

The lesson, the attorneys say, is that if you must travel to Canada, you should apply for "a Minister's Approval of Rehabilitation" to wipe the record clear.

Oh, and by the way, if you don't need to travel to Canada, don't think you won't need to clear your record. Lesperance says it is just a matter of time before agreements are signed with governments in destinations like Japan, Indonesia and Europe.

"This,'' Lesperance says, "is just the edge of the wedge.''

Cerf: Internet Reflects Society.

Fri, 23 Feb 2007 17:04:22 GMT

Cerf: Internet Reflects Society. Online abuses merely mirror its users' interests, says Net luminary and ICANN chief. [PC World: Latest Technology News]

What would you do as chief information security officer?

Fri, 23 Feb 2007 16:56:57 GMT

What would you do as chief information security officer. Becoming the chief information security officer (CISO) of a corporation makes you a strategic IT advisor to business management, the chief information officer, and the rest of the information technology staff. Just as no company is the same as another, the job of CISO -- or alternately, "chief security officer," which might include physical security as well -- isn't either. The four security professionals who share their priorities with us make it clear there's nothing cookie-cutter about the top IT security job.
[CSO Online Data Security Briefing]

Social Networks Key to 2008 Race.

Fri, 23 Feb 2007 16:51:14 GMT

Social Networks Key to 2008 Race. Social networking sites have changed the game for political candidates. [PC World: Latest Technology News]

Colleges Struggle to Cope With Flood of Copyright Complaints.

Fri, 23 Feb 2007 16:49:38 GMT

Colleges Struggle to Cope With Flood of Copyright Complaints.

The major record labels are sending thousands more copyright nastygrams to colleges regarding student file sharing this year. Of course, file sharing continues unabated, and these P2P-related notices will simply push fans to use other readily-accessible technologies that the RIAA can't easily monitor -- copying music through iTunes over the campus LAN, swapping hard drives and USB flash drives, burning recordable DVDs, and forming ad hoc wireless networks.

So the RIAA's strategy still won't stop file sharing, but it certainly will cause collateral damage to academic freedom, free speech, and privacy. In a recently released report, the Brennan Center lays out what that cost looks like today based on interviews with representatives from 25 service providers including 10 from universities. Universities are already being forced to waste substantial resources on doing the RIAA's dirty work. Flooded with machine-generated complaints, schools are unable to evaluate the merits of particular complaints. While lacking procedural safeguards to make sure students wrongly accused of infringement are not penalized, many schools have adopted stricter penalties than the law requires. Schools have also adopted network monitoring and filtering tools that interfere with legitimate expression.

The increase in P2P-related notices stands only to make matters worse. The RIAA's Cary Sherman states that the increase in the notices is "something we feel we have to do," but blanket licensing provides a clear alternative to blanket lawsuits. Take action now to help stop the lawsuit campaign.

[EFF: Deep Links]

AT&T Whistleblower Wins Award.

Thu, 22 Feb 2007 16:28:40 GMT

AT&T Whistleblower Wins Award.

Whistleblower Mark Klein will get some well-deserved acknowledgement when he receives a James Madison Freedom of Information Award next month. The award could hardly find a more deserving recipient [~] Klein is the former AT&T technician who exposed the extent of the government's warrantless wiretapping program

In early 2006, Klein came forward with internal AT&T documents that show the company cooperated with the NSA's secret program to eavesdrop on internet communications, in violation of federal wiretapping laws and the Fourth Amendment. Klein's evidence demonstrates that in at least one of AT&T's facilities, internet traffic was diverted to a secret, secure room to which only the NSA had access.

All of the documents have been used in EFF's court case, which is currently under review by the Ninth Circuit Court of Appeals and a portion have been made broadly available on the internet since April, 2006.

In the words of EFF Staff Attorney Kurt Opsahl, Klein is [base "]a true American hero.[per thou] This public recognition of his bravery in defense of the public's right to know is richly deserved.

[EFF: Deep Links]

Music moguls seek security blanket - Los Angeles Times

Thu, 22 Feb 2007 16:24:50 GMT

One way to judge the music industry's troubles is to watch annual sales figures for CDs, which have slumped 25% since 2000. But it's more revealing to chart how the major record companies' attitudes about new business models online have been shifting.

At first the shifts were almost too small to notice, as when the labels started making a handful of downloadable songs available for $2.50 or more. But as the file-sharing phenomenon grew and CD sales slipped, the changes became more pronounced. The labels started offering the rights to songs on terms that didn't cripple their online partners. They embraced Apple's iTunes Music Store, whose anti-piracy technology doesn't actually limit copying. They cut deals with file-sharing companies for subscription services that let users share the songs they rented.

Along the way, though, the major labels adamantly refused to do the kind of deal necessary to replicate what the original Napster, Kazaa and eDonkey had provided: they would not accept a flat fee a "blanket" license that lets Internet service providers sell an all-you-can-eat sonic buffet, enabling customers to download, burn and swap as much as they pleased. The rights would be included in the cost of a high-speed Internet access line, so the downloads would seem free while still generating royalties for artists, songwriters, labels and publishers.

That reticence may be giving way, too, thanks to the relentless decline in revenue. Just look at what the head of the major record companies' global trade group, let slip last month at a music-industry gathering in France. If Internet service providers "want to come to us and look for a blanket license for an amount per month," IFPI chief John Kennedy said, "let's engage in that discussion."

His U.S. counterpart, Mitch Bainwol of the Recording Industry Assn. of America (RIAA), quickly added that the licenses should be negotiated voluntarily, not compelled by the government. So that part of the labels' thinking hasn't changed. Nevertheless, Kennedy's remark reflects a potential sea change in the way the record companies do business. If the labels follow through, it could trigger the greatest explosion in innovation since engineers at the Fraunhofer Institute in Germany developed the MP3 format.

That's a big "if," but two of the four majors have already taken the first step. In England, a venture called PlayLouder MSP is negotiating deals with record companies and music publishers for a competitively priced high-speed Internet access service that will include the right to download millions of songs, transfer them to portable devices and share them with friends. The main restriction is that subscribers can't send songs to people who aren't customers of PlayLouder MSP. In other words, it's a private electronic playground for music lovers.

The company, which expects to launch its service this year, plans to put a chunk of the monthly service charges into a royalty pool that would be divided according to popularity--the more often a song is downloaded, the larger the share of the pool that its copyright holders will receive. To monitor the network and enforce its borders, PlayLouder MSP relies on technology that can identify songs as they pass through the network--and, if necessary, block them. So far, several large independent labels from the U.S. and the U.K. have agreed to let the company offer MP3s of all their songs, while two of the majors, Sony BMG and EMI, have agreed to supply songs wrapped in electronic locks. Those locks won't make much difference, though; as part of the deal, subscribers will be free to share MP3s from all of PlayLouder MSP's partners, including Sony BMG and EMI.

LA Times: Start Blanket Licensing, Stop Blanket Lawsuits.

Thu, 22 Feb 2007 16:19:11 GMT

LA Times: Start Blanket Licensing, Stop Blanket Lawsuits.

The major record labels have stayed the course for the last five years with predictable results -- they've stuck by DRM, ratcheted up their file sharing lawsuit campaign, and let revenues continue to slide. Today, the LA Times suggests some reasons to think the labels may finally be coming around to a sensible solution that EFF has long advocated -- blanket licenses for music fans to share as much music as they like for a flat monthly fee.

"If Internet service providers 'want to come to us and look for a blanket license for an amount per month,' IFPI chief John Kennedy said, 'let's engage in that discussion....'
In the past, label executives made three main arguments against the blanket-licensing concept: it turned their companies into glorified marketing firms; it forced labels to fight over a fixed pool of dollars, so that one artist's gain was another one's loss; and there wouldn't be enough money in the pool to replace all the CD sales that would be lost. The first two complaints get little mention today; instead, the make-or-break issue for blanket-licensing deals is the amount of royalties the service can generate."

"That's the right focus. Blanket licensing wouldn't transform labels into advertising companies; the only element of their business they would lose is the part that distributes plastic discs, and that's going away anyway. When consumers can choose from a virtually unlimited supply of songs, the ability of a label to find, sign and promote the most compelling artists will be even more important than it is today. And the fees that consumers pay for downloading rights represent only a portion of the money [that blanket licensing] could generate for copyright holders. There's also money to be made from advertisers, mobile phone companies, device makers and premium music services that want to insert themselves into the network."

As we point out in our white paper about blanket licensing, even a small monthly fee from the millions of American filesharers could provide more profit than the industry has ever seen.

Unfortunately, the record labels haven't done a complete 180 from their backward-thinking ways. For instance, the labels seem eager to coopt ISPs into helping push their file sharing lawsuit campaign even further, and the AP reports that the labels have radically increased their copyright notices aimed at college students. Neither of these actions will put a dime in artists' pockets or get the labels any closer to a real solution.

The LA Times story closes by saying, "You have to wonder how low [major label revenues] have to go before blanket licenses look like a better approach than blanket lawsuits." To put it another way: how much longer do ordinary music fans and innovators have to be treated like criminals before a better way forward is finally pursued?

[EFF: Deep Links]

From the Unmitigated Gall Department.

Thu, 22 Feb 2007 16:15:31 GMT

From the Unmitigated Gall Department.

How is it that the National Association of Broadcasters, which is seeking regulatory relief from current media ownership caps, has the gumption to criticize the proposed merger of XM Satellite Radio and Sirius Satellite Radio? Their statement following the announced merger can be found here, but this is the part I like best:

When the FCC authorized satellite radio, it specifically found that the public would be served best by two competitive nationwide systems. Now, with their stock price at rock bottom and their business model in disarray[sigma]they seek a government bail-out to avoid competing in the marketplace.

[Public Knowledge - Blogging, Events, and Action Alerts]

Hip-Hop Outlaw (Industry Version) - Samantha M. Shapiro - New York Times

Mon, 19 Feb 2007 22:02:09 GMT

Late in the afternoon of Jan. 16, a SWAT team from the Fulton County Sheriff's Office, backed up by officers from the Clayton County Sheriff's Office and the local police department, along with a few drug-sniffing dogs, burst into a unmarked recording studio on a short, quiet street in an industrial neighborhood near the Georgia Dome in Atlanta. The officers entered with their guns drawn; the local police chief said later that they were "prepared for the worst." They had come to serve a warrant for the arrest of the studio's owners on the grounds that they had violated the state's Racketeer Influenced and Corrupt Organizations law, or RICO, a charge often used to lock up people who make a business of selling drugs or breaking people's arms to extort money. The officers confiscated recording equipment, cars, computers and bank statements along with more than 25,000 music CDs. Two of the three owners of the studio, Tyree Simmons, who is 28, and Donald Cannon, who is 27, were arrested and held overnight in the Fulton County jail. Eight employees, mostly interns from local colleges, were briefly detained as well.

Later that night, a reporter for the local Fox TV station, Stacey Elgin, delivered a report on the raid from the darkened street in front of the studio. She announced that the owners of the studio, known professionally as DJ Drama and DJ Don Cannon, were arrested for making "illegal CDs." The report cut to an interview with Matthew Kilgo, an official with the Recording Industry Association of America, who was involved in the raid. The R.I.A.A., a trade and lobbying group that represents the major American record labels, works closely with the Department of Justice and local police departments to crack down on illegal downloading and music piracy, which most record-company executives see as a dire threat to their business.

Kilgo works in the R.I.A.A.'s Atlanta office, and in the weeks before the raid, the local police chief said, R.I.A.A. investigators helped the police collect evidence and conduct surveillance at the studio. Kilgo consulted with the R.I.A.A.'s national headquarters in advance of the raid, and after the raid, a team of men wearing R.I.A.A. jackets was responsible for boxing the CDs and carting them to a warehouse for examination.

Macrovision's DRM valentine: Consumers not only need it, they will love it

Mon, 19 Feb 2007 21:30:00 GMT

Fred Amoroso is the CEO of Macrovision, a company that earns its keep by inventing and maintaining DRM systems and charging Hollywood an arm and a leg for it. The two are a good match, insofar as they both greatly fear technology, and both spin amazing tales to bolster their views.

In the wake of Steve Jobs' fashionably-late missive against DRM, Amoroso has crafted a response that seeks to convince us all that DRM is not only needed, it's actually a fantastic "enabler" that consumers should embrace. He focuses on four arguments:

DRM is broader than just music
DRM increases, not decreases consumer value
DRM will increase electronic distribution
DRM needs to be interoperable and open

DRM is indeed broader than music, and it's no surprise that the CEO of a DRM-producing company would like to see DRM put on everything possible, particularly movies, music, games and software. The reasons why we should want this are ridiculous.

The Doghouse: Onboard Threat Detection System.

Mon, 19 Feb 2007 02:44:55 GMT

The Doghouse: Onboard Threat Detection System.

It's almost too absurd to even write about seriously -- this plan to spot terrorists in airplane seats:

Cameras fitted to seat-backs will record every twitch, blink, facial expression or suspicious movement before sending the data to onboard software which will check it against individual passenger profiles.

[...]

They say that rapid eye movements, blinking excessively, licking lips or ways of stroking hair or ears are classic symptoms of somebody trying to conceal something.

A separate microphone will hear and record even whispered remarks. Islamic suicide bombers are known to whisper texts from the Koran in the moments before they explode bombs.

[Schneier on Security]

EFF: DeepLinks - RIAA to ISPs: Help Us Sue Your Customers Better

Sun, 18 Feb 2007 23:53:10 GMT

As if suing thousands of music fans isn't bad enough, now the RIAA wants to conscript ISPs into helping them streamline the shakedowns. The major record labels sent a letter to ISPs across the country asking them to trade away customers' rights and make the overzealous file sharing lawsuits more profitable -- and the RIAA even has the audacity to suggest that this is all for your own good.

ISPs currently have no obligation to maintain IP log files, and that's a good thing when it comes to protecting your privacy. Those log files can serve as Internet breadcrumbs -- your ISP and any third party that has access to them can retrace your online activities.

But the RIAA wants ISPs to maintain (and disclose) a customer's IP logs for six months whenever the RIAA says the user may have infringed copyright. In exchange, the record companies will reduce its initial lawsuit settlement demands. Of course, the actual customer would have no say in the matter. The RIAA letter says it wants the information kept because it could "exculpate" the customer, but of course those same records can also implicate the user. Funny, the labels don't mention that.

EFF and others have long warned that copyright claims could become an altar on which personal privacy is sacrificed. Now the RIAA wants your ISP to voluntarily wield the knife, and there's no telling what else the RIAA might ask for once this cut has been made.

The RIAA also wants ISPs to keep customers in the dark about their legal options. Before the RIAA has even verified that the user is correctly identified, it wants ISPs to send along a note saying the user might be sued and can already settle potential claims. At the same time, the RIAA scolds ISPs for giving information to their customers that could help provide sound legal counsel. Instead, the RIAA wants ISPs to direct subscribers solely to the RIAA.

MPAA Violates Another Software License.

Sun, 18 Feb 2007 23:45:13 GMT

MPAA Violates Another Software License. Patrick Robib, a blogger who wrote his own blogging engine called Forest Blog recently noticed that none other than the MPAA was using his work, and had completely violated his linkware license by removing all links back to the Forest Blog site, not crediting him in any way. The MPAA blog was using the Forest Blog software, but had completely stripped off his name, and links back to his site. He only found about it accidentally when he happened to visit the MPAA site. [Slashdot: Your Rights Online]

Is AT&T helping the NSA ? First your phone calls and now your e-mails (For Your Eyes Only? ) NOW | PBS.

Sun, 18 Feb 2007 19:53:13 GMT

For Your Eyes Only? NOW | PBS

This week, NOW reports on new evidence suggesting the existence of a secret government program that intercepts millions of private e-mails each day in the name of terrorist surveillance. News about the alleged program came to light when a former AT&T employee, Mark Klein, blew the whistle on what he believes to be a large-scale installation of secret Internet monitoring equipment deep inside AT&T's San Francisco office. The equipment, he contends, was created at the request of the U.S. government to spy on e-mail traffic across the entire Internet. Though the government and AT&T refuse to address the issue directly, Klein backs up his charges with internal company documents and personal photos.

QDN: The growing consensus behind OpenID

Fri, 16 Feb 2007 18:28:06 GMT

It's because of this that I'm so happy to see an initiative like OpenID succeeding. A few years ago, the idea of OpenID was floated by the inestimable Brad Fitzpatrick (the father of LiveJournal, now a Six Apart property) as a way for people to carry around virtual identity cards on the net, and to securely use those credentials as a way of demonstrating to others on the internet who they really are. Between then and now, OpenID's development has taken place out in the open, on mailing lists and wikis and web forums, and the result is a technology that Microsoft adopted last week and AOL has been quietly rolling out to its online service and instant messenger users for a few months now. That's a great adoption rate, and I'd like to think that it's because it's a technology that's sorely needed on today's web. I'm not naive enough to think that it's a salve to cure all the net's wounds -- for example, there's still work to be done to make sure that anonymous ID providers don't become the way spammers and miscreants get around the system -- but I'm hopefuly enough to recognize that OpenID might be one of the more important building blocks to us all being able to trust our online interactions just a bit more.

The Dangers of Default Passwords.

Fri, 16 Feb 2007 15:48:27 GMT

The Dangers of Default Passwords.

Stroll through any neighborhood with an open laptop in hand and you will probably notice your machine automatically connecting to various wireless Internet routers that local residents have set up. If you are given a connection that allows you to surf the Web, chances are very good that you can also assume control over the same network that gave you the access.

In my experience, few people who operate wide-open wireless networks -- those unprotected by even the simplest encryption technology -- ever bother to change the default user name and password needed to reconfigure the router. Perhaps consumers who operate open networks aren't terribly worried about their neighbors "sniffing" the ambient wireless airwaves for passwords and other sensitive data. But it may be that a person running a router under the default factory settings has more to fear from a malicious Web site than a local interloper.

Researchers at Symantec Corp. have devised a series of "proof-of-concept" exploits that show how an Internet user running any one of several name-brand, $50 - $100 routers under the default factory settings could be in a world of trouble in a very short time, just by browsing to a malicious Web site. One of the easiest ways to commandeer a factory-set wireless router remotely is through the use of Javascript, a powerful Web programming language that makes it easy for Web sites to monkey with or otherwise manipulate a computer's settings.

For example, a nasty site could use Javascript to change the default settings on a router so that anytime the victim tries to visit a bank Web site he or she is silently redirected to a counterfeit site set up to steal online banking credentials (this is a type of phishing attack known as "pharming.") Or, the attackers could poke holes in the router's built-in firewall to allow certain types of traffic to slip through.

Zulfikar "Zully" Ramzan, senior principal researcher at Symantec, said he successfully tested such scenarios using mock Web pages and some of the more popular routers on the market today, including those sold by Linksys, D-Link and Netgear. "Using the same techniques, an attacker could create a very simple Web page that when viewed by a Web browser could change the default settings on a router," he said.

The reason this has the potential to be such a problem is that a broadband router sits apart from the user's computer, so it's likely to be one of those set-it-and-forget-it type appliances. Indeed, if a malicious Web site succeeded in altering the default settings on a router, the router might be the last place most users -- even security professionals -- would look to as the source of the problem.

Michael Sutton, security evangelist for Atlanta based SPI Dynamics, said Javascript's flexibility and power make it an increasingly common component of cyber attacks.

"People are always coming out with new tricks with Javascript, but the reality is that it's a very powerful language and if you can convince someone to run your code by visiting your site, you effectively control their actions," Sutton said.

So what's the takeaway here? Whether you're using a wired or wireless router to split traffic on your home network, make sure you change the default password. A comprehensive list of default usernames and passwords for just about every commercial router is already available online. If you're the forgetful type, write down your router password and store it in a safe place. Even if you don't remember it, all consumer Internet routers ship with a tiny pinhole in the back that -- with the aid of something pointy and a steady grip -- allow you to reset the router to the factory settings (and back to the default password).

Also, consider browsing the Web with Mozilla's Firefox; with it, you can use the excellent "noscript" add-on that allows you to control which sites should be permitted to run Javascript inside of the browser. It's not a perfect solution, but it has saved my bacon on more than a few occasions. If anyone is aware of a similar add-on for Internet Explorer 7, please drop a pointer to it in the comments section below.

[Security Fix]

Free Speech group EFF needs videographer in Syracuse (CraigsList)

Fri, 16 Feb 2007 03:26:39 GMT

Date: 2007-02-15, 9:12PM EST

we are looking for someone who has a good-quality Mini-DV camera and can produce good lighting (natural is fine) and sound (onboard is fine, it just has to be very clear) for a brief videotaped statement.

this is to support an online free speech case.

details here:
http://www.10zenmonkeys.com/2006/11/01/eff-crook-dmca-lawsuit/

the subject to be shot is in/around Syracuse. we may be able to pay expenses for travel by car. if you respond to this note, EFF lawyers will contact you with more info.

this video will be distributed widely across the webernets and we can offer a prominent production credit, as well as the warm, fuzzy feeling that you've helped EFF's ongoing defense of digital free speech.

please respond with with your availability over the next week or so.

Tapping Brains for Future Crimes.

Fri, 16 Feb 2007 02:06:25 GMT

Tapping Brains for Future Crimes. A breakthrough in computer-assisted mind reading brings us closer to predicting criminality. Should the justice system adapt? Commentary by Jennifer Granick. [Wired News: Security Blanket]

Lauren Weinstein's Blog: New Short Video: "Is Your Cell Phone Bugged?"

Thu, 15 Feb 2007 22:26:07 GMT

Greetings. I've been getting lots of continuing interest and queries in the wake of my blog item from late last year:

How To Tell If Your Cell Phone Is Bugged

In an effort to explain this issue in a more demonstrative and somewhat less technical manner, I'm pleased to announce a short free video (under six minutes):

"Is Your Cell Phone Bugged?"

While I'll admit that the production values are much closer to those of Ed Wood than of Cecil B. DeMille, I hope you'll still find this video to be interesting, or at least amusing.

"Is Your Cell Phone Bugged?" Video Access Pages:

Streaming Via YouTube

Streaming or Download Via Google Video

Be seeing you!

--Lauren--

Hacker, Microsoft duke it out over Vista design flaw | Zero Day | ZDNet.com

Wed, 14 Feb 2007 04:11:29 GMT

Joanna Rutkowska has always been a big supporter of the Windows Vista security model. Until she stumbled upon a "very severe hole" in the design of UAC (User Account Control) and found out -- from Microsoft officials -- that the default no-admin setting isn't even a security mechanism anymore.

Rutkowska, a hacker with a track record of defeating Vista's security mechanisms, believes UAC has a major flaw in the way it automatically assumes that all setup programs (application installers) should be run with administrator privileges.

"[When] you try to run such a program, you get a UAC prompt and you have only two choices: either to agree to run this application as administrator or to disallow running it at all. That means that if you downloaded some freeware Tetris game, you will have to run its installer as administrator, giving it not only full access to all your file system and registry, but also allowing it to load kernel drivers! Why should a Tetris installer be allowed to load kernel drivers?," Rutkowska asked in a post on her Invisible Things blog.

That's because Vista uses a compatibility database and several heuristics to recognize installer executables and, every time the OS detects that an executable is a setup program, "it will only allow running it as administrator."

This, in Rutkowska's mind, is a "very severe hole in the design of UAC."

"After all, I would like to be offered a choice whether to fully trust given installer executable (and run it as full administrator) or just allow it to add a folder in C:Program Files and some keys under HKLMSoftware and do nothing more. I could do that under XP, but apparently I can't under Vista, which is a bit disturbing," she added.

A few days after Rutkowska flagged the UAC shortcoming, Microsoft's Mark Russinovich wrote a detailed technical explanation of the way the mechanism works. One thing that stood out in Russinovich's explanation is an admission of sorts that the default configuration of UAC puts the user at risk of a sophisticated code execution attack.

Debate growing over data security - baltimoresun.com

Wed, 14 Feb 2007 01:40:57 GMT

When Johns Hopkins officials announced this week that a courier had lost nine backup computer tapes containing personal data on 135,000 employees and patients, security specialists were critical, even though the information probably was destroyed without being compromised.

The reaction came not just because the tapes were lost, but because they weren't encrypted -- coded so that they could be read only with a computerized key.

"Have we not learned from history yet, that if you're going to give [data] to a third party that you either encrypt or password protect it?" said Linda Foley, executive director of the Identity Theft Resource Center in San Diego.

Amid a spate of lost or stolen data, some organizations and industries have begun taking steps to better protect employee and customer information, yet far too many have not, privacy advocates say. Many still leave sensitive information uncoded or hand it off to sometimes-careless employees or third parties.

This year alone, Social Security numbers were posted on a public Web site at the University of Nebraska; personal information on 537 people was stolen from the New York Department of Labor; a hacker accessed Social Security numbers for more than 1,200 people at the University of Missouri; and a laptop was stolen that contained medical records for 1,100 patients at the Salina Regional Health Center in Kansas.

Some consultants say that costs keep organizations from updating their security practices -- encryption software and developing privacy procedures can be expensive. But the No. 1 reason is complacency, according to Lillie Coney, associate director of the Electronic Privacy Information Center, or EPIC, in Washington.

"They don't see themselves as being in a position where they're going to lose something," Coney said.

Wanted: Missing FBI Laptops.

Wed, 14 Feb 2007 00:25:51 GMT

Wanted: Missing FBI Laptops.

If you lose your laptop, don't go crying on the shoulder of the Federal Bureau of Investigation. It has its own problems. The agency had at least 160 laptops lost or stolen over the past four years.

Ten of those laptops contained highly sensitive classified information and at least one included "personal identifying information on FBI personnel, according to a new report.

While the number may loom large, the agency actually has improved on keeping tabs on its wares. The report released today by the Justice Department's Office of Inspector General was a follow-up to a similar 2002 report. The charter report found that the FBI had reported some 317 employee laptops as either lost or stolen over the previous 28-month period. Seventeen of those laptops were reported stolen. In 2002, the FBI had roughly 11 laptops stolen or lost each month. The agency currently mismanages an average of four laptops monthly.

It's worth noting that as many as 51 of the laptops reported lost or stolen since 2002 may also have contained classified data, but the inspector general's office said the FBI could not be sure. At least seven of the laptops were assigned to the agency's counterintelligence or counterterrorism divisions, the report notes.

It is not clear from the report how many of those stolen or lost laptops used encryption technology to safeguard the data. Only one individual case cataloged in the report details that encryption technology was used to protect data stored on the computer's hard drive.

The report recommends that future laptop-loss reports include information on whether the computer in question had protected data. The FBI agreed with that recommendation, and said it would make such reporting mandatory.

Now, if they would just make the use of encryption technology mandatory on government laptops, I'm sure we would all sleep a little more soundly.

[Security Fix]

Schneier: Why Microsoft Sold Out Consumers in Vista.

Wed, 14 Feb 2007 00:19:17 GMT

Schneier: Why Microsoft Sold Out Consumers in Vista.

Today, the PC industry needs Hollywood more than Hollywood needs the PC. Most consumers rely on traditional consumer electronics devices to view DVDs and TV content, but companies like Microsoft are betting on the converged digital home and desperately want a bigger piece of the media device market. Because of the DMCA, Microsoft has to get permission to build devices compatible with Hollywood's DRMed content. So when Hollywood demanded that Microsoft lard Vista with restrictions to access high-def DVD and digital cable content, the software giant was in a weak bargaining position.

But as Bruce Schneier explains in a recent editorial (via BoingBoing), Vista's DRM may also be a play to turn the tables and turn Microsoft's platform into a distribution channel on which Hollywood relies:

"[W]hile it may have started as a partnership, in the end Microsoft is going to end up locking the movie companies into selling content in its proprietary formats.
"We saw this trick before; Apple pulled it on the recording industry. First iTunes worked in partnership with the major record labels to distribute content, but soon Warner Music's CEO Edgar Bronfman Jr. found that he wasn't able to dictate a pricing model to Steve Jobs. The same thing will happen here; after Vista is firmly entrenched in the marketplace, Sony's Howard Stringer won't be able to dictate pricing or terms to Bill Gates. This is a war for 21st-century movie distribution and, when the dust settles, Hollywood won't know what hit them....

"Microsoft is reaching for a much bigger prize than Apple: not just Hollywood, but also peripheral hardware vendors. Vista's DRM will require driver developers to comply with all kinds of rules and be certified; otherwise, they won't work. And Microsoft talks about expanding this to independent software vendors as well. It's another war for control of the computer market."

Schneier overstates his case a bit when he says Microsoft could have simply refused Hollywood's demands for DRM and Hollywood would have released today's high-def video content for Vista anyway. But he's right that Microsoft would very much like to lock content vendors into a distribution channel that it controls, including for channels like IPTV and digital downloads. And the more Hollywood depends on Microsoft, the more Microsoft may be able to limit competition from other tech companies' platforms and devices.

[EFF: Deep Links]

An American Idol for Crypto Geeks.

Mon, 12 Feb 2007 19:02:53 GMT

An American Idol for Crypto Geeks. The federal government is holding a competition for a new cryptographic hash function that will become the national standard. Really, this is exciting stuff. Commentary by Bruce Schneier. [Wired News: Security Blanket]

FCW.com News - Lack of info feeds public outcries about privacy, experts say

Mon, 12 Feb 2007 18:52:39 GMT

Federal agencies need to do a better job of informing the public about measures taken to protect their sensitive and private information, current and former government officials say.

A lack of information can lead to trouble, said several experts, speaking at the CTO Forum held by the Government Electronics and Information Technology Association.

In some cases, agencies have been forced to end programs -- such as data mining or surveillance projects -- because of public outcry that stemmed from misperceptions that might have been better addressed with better information.

"When we don't get the kind of meaningful public debate, decisions get based on inadequate knowledge and the public gets in an uproar on things based on incorrect information," said Linda Millis, director of the National Security Program at the nonprofit Markle Foundation.

US surveillance of soldiers' blogs sparks lawsuit | The Register

Mon, 12 Feb 2007 18:28:34 GMT

The US Army is being sued by a privacy group that wants the military to come clean about how it monitors websites and soldiers' blogs for potential military leaks.

The Electronic Frontier Foundation (EFF) lawsuit (PDF) against the Department of Defense comes after the Department of Defense and Army failed to respond to Freedom of Information Act (FOIA) requests about the blog monitoring programme.

According to news reports cited by the EFF, an Army unit called the Army Web Risk Assessment Cell (AWRAC) reviews hundreds of thousands of websites every month, notifying webmasters and bloggers when it finds "sensitive information". Some bloggers complain the unit's remit extends beyond a legitimate attempt to restrict the disclosure of military secrets, effectively forcing them to censure posts about their feelings about the conflict or shut down sites altogether.

"Soldiers should be free to blog their thoughts at this critical point in the national debate on the war in Iraq," EFF staff attorney Marcia Hofmann said. "If the Army is colouring or curtailing soldiers' published opinions, Americans need to know about that interference."

EFF's suit demands records on how the AWRAC operates, as well as any orders to soldiers about revision or deletion of web posts. "Of course, a military effort requires some level of secrecy. But the public has a right to know if the Army is silencing soldiers' opinions as well. That's why the Department of Defense must release information on how this program works without delay," Hofmann added.

China Creates Massive Online ID Database.

Mon, 12 Feb 2007 04:48:50 GMT

China Creates Massive Online ID Database. schwaang writes that while the US continues to hash out concerns over the Real ID Act, which aims to create a national ID by standardizing state driver's licenses, China has already implemented a massive online ID database, which they say will help prevent fraud. --- From the Xinhua English-language site: "Anyone can now send a text message or visit the country's population information center's website, to check if the name and the ID number of a person's identity card match. If they do match the ID card-holder's picture also appears, said the Ministry, adding that no other information is available to ensure a citizen's privacy is protected. Completed at the end of 2006, China's population information database, the world's largest, contains personal information on 1.3 billion citizens. Giving public accessing to the database is also designed to correct mistakes if an individual discovers that their name, number and picture don't match." [Slashdot: Your Rights Online]

Two Ways Not To Handle Free Speech.

Mon, 12 Feb 2007 04:43:58 GMT

Two Ways Not To Handle Free Speech. Two stories in the news offer contrasting approaches by Web companies to questions of free speech. First YouTube: reader skraps notes that the Google property has recently banned the popular atheist commentator Nick Gisburne. Gisburne had been posting videos with logical arguments against Christian beliefs; but when he turned his attention to Islam (mirror of Gisburne's video by another user), YouTube pulled the plug, saying: 'After being flagged by members of the YouTube community, and reviewed by YouTube staff, the video below has been removed due to its inappropriate nature. Due to your repeated attempts to upload inappropriate videos, your account now been permanently disabled, and your videos have been taken down.' Amazon.com provides a second example of how to react to questions of free speech. Reader theodp sends along a story in TheStreet.com about how Amazon hung up on customers wanting to comment on its continuing practice of selling animal-fighting magazines. The article notes that issues of free speech are rarely cut-and-dried, and that Amazon is doing itself no favors by going up against the Humane Society.
Update: 02/11 04:25 GMT by KD : updated Nick Gisburne link to new account. [Slashdot: Your Rights Online]

Copyright collective wants iPod levy

Mon, 12 Feb 2007 03:16:29 GMT

OTTAWA- Canada's Private Copyright Collective is taking another stab at introducing levies on digital music players and memory cards.

The charges could add as much as $75 to the price of a new Apple iPod.

The collective, which seeks to compensate artists for unauthorized copying of their music, said Friday it's taking a new tack after a 2003 Federal Court of Appeals decision rejected the levies.

The court overturned the Copyright Board of Canada's approval of the charges after protests by a coalition of industry groups that included retailers Wal-Mart, Staples Business Depot and Future Shop.

The collective had argued the memory inside a digital audio device such as an iPod is an audio recording medium primarily used to store music, and therefore should be subject to the Canadian Copyright Act.

The act states an audio recording medium is "a medium regardless of its material form on which a recording can be reproduced."

The court, however, found the memory can't be defined as an audio recording medium.

Now, the group is going after the devices themselves. It says devices such as the iPod can be classified as a "recording medium" and should be subject to taxation.

"It is simply a matter of fairness that the creators of content, the creators of culture actually, should receive some compensation for the large volume of unauthorized and uncontrollable copying onto these media," said collective chair Claudette Fortier. "Private copying is a fact - Canadians do it."

The group is responsible for collecting a levy on blank recording media and distributing the money to those entitled to royalties.

In other words, every time a Canadian buys a blank CD, or audio cassette today a portion of the cost is sent to artists all over the world such as Kid Rock, Justin Timberlake and Paris Hilton.

In its new submission to the Copyright Board, the collective is proposing levies of $5 on devices with up to one gigabyte (GB) of memory, $25 for one to 10 GB, $50 for between 10 GB and 30 GB and $75 for over 30 GB. That would take the price of Apple's 30GB iPod to $365 from $290, a 26 per cent increase.

The group is also asking for levies of $2 to $10 for memory cards, which are primarily used to store photographs in digital cameras.

It's also asking for eight-cent increases to the current 21-cent levy on blank CD media and 77-cent charge for CD-R Audio, CD-RW Audio and MiniDiscs.

House Introduces Privacy Bill Foursome...With One Runt in the Litter

Mon, 12 Feb 2007 03:02:24 GMT

House Introduces Privacy Bill Foursome ... With One Runt in the Litter.

27B Stroke 6 outlines four important pieces of privacy-protecting legislation that have either been recently introduced or received new life in the Democratically-controlled House of Representatives:

* The Prevention of Fraudulent Access to Phone Records Act, introduced by Dingell and Ranking Member Joe Barton (R-TX), and 24 original cosponsors, to prohibit pretexting of phone records and to enhance security requirements for customer proprietary network information.

* The Social Security Number Protection Act of 2007, introduced by Reps. Ed Markey (D-MA), Chairman of the Subcommittee on Telecommunications and the Internet and Barton, and 22 original cosponsors, to strengthen the authority of the Federal Government to protect individuals from abusive acts and practices in the sale and purchase of Social Security numbers.

* The Securely Protect Yourself Against Cyber Trespass Act (or SPY ACT), introduced by Reps. Edolphus Towns (D-NY) and Mary Bono (R-CA), and 28 original cosponsors, to protect users of the Internet from unknowing transmission of the personally identifiable information through spyware programs.

*The Data Accountability and Trust Act (or DATA), introduced by Reps. Bobby Rush (D-IL), Chairman of the Subcommittee on Commerce, Trade and Consumer Protection and Subcommittee Ranking Member Cliff Stearns (R-FL), and 22 original cosponsors, to protect consumers by requiring entities engaged in interstate commerce to have reasonable security policies and procedures to protect data containing personal information, and to provide for nationwide notice in the event of a security breach.

Crashing the party, however, is the Republican-supported Safety Act, which would compel all Internet service providers to track their customers[base '] online activities.

Four steps forward, one leap back[sigma]

[michaelzimmer.org]

Unfairly Caught in Viacom's Dragnet? Let Us Know!

Mon, 12 Feb 2007 02:58:53 GMT

Unfairly Caught in Viacom's Dragnet? Let Us Know!

As an RIAA spokesperson famously put it when asked about the spectacle of file-sharing lawsuits against innocent grandparents, "when you go fishing with a driftnet, sometimes you catch a dolphin."

Well, with its 100,000 DMCA takedown notices aimed at YouTube users, now it's Viacom that is netting its share of dolphins. Among the 100,000 videos targeted for takedowns was a home movie shot in a BBQ joint, a film trailer by a documentarian, and a music video (previously here) about karaoke in Singapore. None of these contained anything owned by Viacom. For its part, Viacom has admitted to "no more than" 60 mistakes, so far. Yet each mistake impacts free speech, both of the author of the video and of the viewing public.

If they are making these kinds of blatant mistakes, who can tell how many fair uses of Viacom content they also targeted in their 100,000 takedowns? Hundreds? Thousands? If Viacom made a clear mistake and your clip contains no content from Viacom-owned copyrighted works, sending a simple DMCA counter-notice to YouTube may be enough to do the job. But if you're attempting to make a fair use of Viacom's works, it may make more sense to go to court to assert your rights. More information about your options is available at the Fair Use Network.

Has your video been removed from YouTube based on a bogus Viacom takedown? If so, contact information@eff.org --we may be able to help you directly or help find another lawyer who can. In this situation, as in so many others, EFF will work to make sure that copyright claims don't squelch free speech.

We've put together a video version of this post on YouTube, which you can embed on your website or blog. Check it out, Digg it and spread the word -- the more it rises in YouTube's listings, the more likely it will be seen by users who have received takedowns:

[EFF: Deep Links]

The Chronicle: 2/9/2007: Caught in the Network

Sat, 10 Feb 2007 22:35:45 GMT

I wasn't particularly impressed. I had helped edit and revise that policy when I worked for the information-technology office before I earned my Ph.D., and I knew that neither Tor nor any similar program had existed when the policy was first written. I also knew that the provisions in question were vague.

My visitors next produced page after page of logs detailing my apparent use of Tor. While I couldn't dispute most of the details in the logs, they seemed inaccurate. For example, the technician said I had been using Tor earlier that morning. In fact, I had been at Wal-Mart that morning looking for a good deal on an HDTV; I had reached my office only about five minutes earlier.

More important, the logs did not prove any wrongdoing on my part. All they demonstrated was that I, like thousands of others around the world, had installed and infrequently used Tor. In my case, of course, there was no wrongdoing.

Nonetheless, my visitors made two requests: that I stop using Tor, and that I avoid covering it in class.

Having been on the administrative end of academic technology, I appreciate the difficulties facing the information-technology staff. No one pats you on the back if nothing goes wrong, but if something does -- if a virus or worm sweeps through the campus's network infrastructure, or someone hijacks some computers to churn out spam -- you are off everyone's Christmas-card list. The last thing my former colleagues needed was some smarmy faculty member spouting off about academic freedom and threatening to demonstrate Tor to 100-plus students each semester.

Their job is to protect the network that allows me to do my job: to teach classes that are mostly or entirely online, and to conduct research. If they weren't here as the first or even only line of defense against the unscrupulous elements of our technological society, my university would cease to function. It's as simple as that.

Furthermore, I do not rely heavily on Tor, or even think much about it outside the context of my courses. I find all that routing makes it slow to use, even with the superfast connection I have at work.

But it is being used all around the world, by people in countries that restrict their access to information, by corporate whistle-blowers, and by digital-rights activists. It's even being used by average people like me, as a way to keep innocuous and personal online activities private.

So in the head-on collision between my appreciation of the role IT staff members play on my campus and my understanding of the role I have to play for my students, my need for academic freedom won. I found myself lecturing my three visitors into near catatonia about the uses of Tor.

Finally, they shook my hand, thanked me for talking with them, reminded me that I was probably violating the responsible-use policy, and left. They had bigger game to catch: the other Tor user on the campus.

A moment later, I heard another knock on my door. One of the detectives had come back to ask if I would reconsider my position. I told him that while I would think about giving up Tor, I honestly felt that this was a clear case of academic freedom, and I could not bow to external pressure. I reminded him that Tor is a perfectly legal, open-source program that serves a wide variety of legitimate needs around the world.

He nodded and left. Feeling an odd mixture of righteous indignation, patriotism, and dread, I closed the door.

University Professor Chastised For Using Tor.

Sat, 10 Feb 2007 22:28:22 GMT

University Professor Chastised For Using Tor. Irongeek_ADC writes with a first-person account from the The Chronicle of Higher Education by a university professor who was asked to stop using Tor. University IT and campus security staffers came knocking on Paul Cesarini's door asking why he was using the anonymizing network. They requested that he stop and also that he not teach his students about it. The visitors said it was likely against university policy (a policy they probably were not aware that Cesarini had helped to draft). The professor seems genuinely to appreciate the problems that a campus IT department faces; but in the end he took a stand for academic freedom. [Slashdot: Your Rights Online]

To Media Companies, BitTorrent Implies Guilt.

Sat, 10 Feb 2007 22:23:16 GMT

To Media Companies, BitTorrent Implies Guilt. kripkenstein writes "The big media companies immediately assume you are guilty by your mere presence on a BitTorrent swarm, an investigation by a university security worker reveals. Turns out companies like BayTSP (which the media companies employ) will send shutdown notices to ISPs without any evidence of copyright infringment; all they feel they need is an indication that you are reported by the tracker to be in the swarm." From the post: "For my investigation, I wrote a very simple BitTorrent client. My client sent a request to the tracker, and generally acted like a normal Bittorrent client up to sharing files. The client refused to accept downloads of, or upload copyrighted content. It obeyed the law... With just this, completely legal, BitTorrent client, I was able to get notices from BayTSP. To put this in to perspective, if BayTSP were trying to bust me for doing drugs, it'd be like getting arrested because I was hanging out with some dealers, but they never saw me using, buying, or selling any drugs." [Slashdot: Your Rights Online]

Some States Say National ID Cards 'Make Life Easier'.

Sat, 10 Feb 2007 01:53:03 GMT

Some States Say National ID Cards 'Make Life Easier'. VE3OGG writes "Some places, like Maine, have outright rejected the idea of a nationally mandated ID card amid privacy, legal and security concerns. On the other side of the fence some states, such as California and New Jersey, have said that they welcome the National ID card and that it will make 'life easier'. One New Jersey official said 'All you are getting in e-government for the most part are things that don't require strong two-factor identification,' the official said referring to security that requires something beyond a user name and password. 'But as we move forward and start to deliver more and more complicated services, I think that people for the most part will want to know their government has implemented strong measures [with National ID cards]'." [Slashdot: Your Rights Online]

FTC Issues Fraud and ID Theft Data for 2006.

Thu, 08 Feb 2007 17:31:26 GMT

FTC Issues Fraud and ID Theft Data for 2006.

Unauthorized credit card charges were the leading contributor to more than $1.1 billion bilked in reported consumer fraud complaints last year, according to new figures released today by the Federal Trade Commission.

Shop-at-home/catalog sales and prizes and sweepstakes accounted for nearly 15 percent of all fraud-related complaints, followed closely by Internet services and online auctions. While the FTC's data tracks both online and offline fraud, the commission said some 60 percent of fraud complaints stemmed from transactions where the initial contact with the consumer was over e-mail (45 percent) and the Web (15 percent). (The PDF version of the FTC report is here.)

Credit-card fraud was the most common source of reported losses, followed by phone or utilities fraud (16 percent), bank fraud (16 percent) and employment fraud (14 percent). The latter category usually involved the unauthorized use of someone's Social Security number in order to secure employment.

Claudia Bourne Farrell, a spokesperson for the FTC, was herself a victim of employment fraud.

"I learned about it when the Internal Revenue Service asked why I wasn't declaring income and paying taxes on my job" at a Washington, D.C., restaurant, she said. Investigators later linked the identity thief to a local man using her Social Security number under the name Claudio Farrell.

While consumers are usually reimbursed by their bank for fraudulent credit- and debit-card charges, fraud that results from new accounts being opened in a victim's name -- from new cell phone and utility services ordered by the fraudsters -- represent a far more serious type of fraud, said Beth Givens, director of the San Diego-based Privacy Rights Clearinghouse.

"Usually, when a new account is opened in your name, the monthly statements go to a drop box or the criminal's address, and the victim doesn't generally find out about it until they go to open a new line of credit or orders a copy of their credit report," Givens said. "This is the most difficult type of fraud to erase from your file." A victim must do a great deal of work to expunge the fraudulent accounts from their credit files, she said.

The FTC warned that the percentage of fraud complaints where wire transfers were the reported payment method continued to increase last year. Most wire transfer losses are associated with Internet auction scams, where auctioneers simply take the money but never ship the promised merchandise. Twenty-three percent of the consumers reported fraud incidents where wire transfer was the payment method, an increase of eight percentage points from calendar year 2005, the FTC said.

California, Texas and Florida led the nation in the total number of identity and consumer fraud cases that were reported last year. Virginia and Maryland were sixth and eighth, respectively, in the rankings of consumer fraud complaints per 100,000 people by state. Maryland came it at No. 11 in the rankings of reported identity theft cases per 100,000 people, while Virginia came in at 15 in the same measure.

For Washington, D.C., the FTC said there were 1,904 complaints made by city residents last year about consumer fraud or identity theft. The Washington region in general ranked 110 in fraud complaints out of the top 400 metropolitan areas in the country.

Consumers in the 18-29 age set were the largest age group that reported losses from fraud. That finding closely mirrors other studies that have identified younger online users as those most likely to be defrauded or scammed.

The overall number of fraud complaints was down slightly from 2005, but the FTC noted that one major data contributor did not properly catalog many of its complaints, so comparisons with previous years are difficult.

The FTC and consumer advocates urge consumers to keep a close eye on their credit files for signs of fraudulent activity. Under federal law, consumers are entitled to a free copy of their credit report each year. Consumers can order their free credit report by visiting AnnualCreditReport.com.

[Security Fix]