September 30, 2003

CIA and ICT developing anti-terrorism training "game" -- Media Technology --

The CIA's Counter-Terrorism Center (CTC) is working to develop training simulations with the help of the Institute for Creative Technologies, a center within the University of Southern California that specializes in combining artificial intelligence, virtual reality and techniques from the videogame and movie industries to create interactive training simulations. The company recently received accolades for their "Full Spectrum Warrior" project, which was designed as a training aid for the US Army but has also lead to a commercial videogame for the X-Box. The Army project uses material developed with the Army Infantry School at Fort Benning and a rich AI engine to run trainees through both military and peacekeeping scenarios. For example, in one scenario the trainee plays an officer in charge of a unit that has just been involved in a traffic accident between a tank and a non-English-speaking civilian. If approved, the CIA's simulation would allow analyst trainees to play themselves or the part of terrorist cell leaders, cell members, money-movers and facilitators.

The Washington Times, who broke the story, is highly critical of the project, comparing it to Vice Adm. John Poindexter's ill-received Idea Futures project and quoting unnamed military officials and other critics who call it "a ridiculous and absurd scheme that makes Poindexter's project look good in comparison" and suggest that "the key issue here is the CTC misspending funds on silly, low-priority projects, exactly the kind of thing that forced Admiral Poindexter to resign." A follow-up article, also in the Washington Times, quotes former Georgia congressman Bob Barr (R-GA) as saying "Perhaps this is the reason we were surprised by September 11. If it weren't so serious, it would be comical... What we ought to be doing is focusing our money and attention in identifying terrorists and their associates so we can be on the watch for these characters, not playing video games." The Sydney Morning Herald was slightly less critical, but also linked the project with Poindexter's projects.

It's entirely possible that this project is too expensive (the CIA has not revealed the price tag) or that the simulation is in some way teaching the wrong lessons. However, the main criticism seems to be of the form "the CIA is wasting time playing video games," which is patently absurd. Simulation role-playing has been an effective training tool in both the military and business for decades, and in fact much of the technology now seen in video games was originally developed for training U.S. Army officers. To suggest that the CIA should be out catching terrorists instead of playing video games is like suggesting the U.S. Army should be out fighting wars instead of wasting their time doing training exercises consisting of "running around with toy guns playing capture the flag."

It's pretty clear that there's a thicket of political wrangling going on behind the scenes, and the Times story is a salvo fired by people who want this CIA project canceled. I've no idea whether this is a case of fighting over scarce funding, vengeance against the CTC, or an honest attempt to scuttle a project that won't provide good training, and I won't even begin to speculate. Hopefully someone with a better understanding of the ins and outs of intelligence and military politics (like Phil Carter at Intel Dump) will weigh in on this before long.

Posted by bug to Media Technology at 11:26 PM | Comments (1) | TrackBack

September 29, 2003

TSA still pushing on CAPPS II -- Big Brother --

It seems the Transportation Security Administration is still determined to go forward with their test of the Computer Assisted Passenger Prescreening System (CAPPS II) with live data, even if it means forcing airlines to cooperate. Airlines are understandably hesitant, since Delta Airlines withdrew support after facing a passenger boycott and JetBlue is now facing potential legal action for handing over passengers' data to a defense contractor without passenger knowledge or consent.

For those who haven't heard about CAPPS-II, the idea is to replace the current airline security system where passenger's names are checked against a no-fly list and people with "suspicious" itineraries like one-way flights are flagged for extra search. The TSA has released a disclosure under the Privacy Act of 1974, and Salon published a nice overview on the whole debate a few weeks ago. The ACLU also has a detailed analysis. Extremely briefly, the new system would work like this:

  1. Airlines ask for your Name, Address, Phone Number and Date of Birth.
  2. That info plus your itinerary goes to the CAPPS-II system, which
  3. sends it to commercial data services (e.g. the people who determine your credit rating) who
  4. send back a rating "indicating a confidence level in that passenger's identity."
  5. CAPPS-II sends all the info to the Black Ops Jedi-Mind-Reader computer that was provided by aliens back in 1947.
  6. The Black Ops computer comes back with a rating of whether you are or are not a terrorist, ax murderer, or likely to vote against the President.
  7. Based on both identity and threat ratings, the security guard either gives you a once-over, strip-search, or shoots you on sight (actually, just arrest on sight).

Number 6 is the part that really scares people, because the TSA refuses to say anything about how the (classified) black box computer system will identify terrorists. It could be based on racial profiling, political ideology, or i-ching and no one would ever know.

There's a lot of speculation that the whole "airline security" story is just an excuse to collect travel information from everyday citizens for use in something akin to the Total Information Awareness project that was just killed (or at least mostly just killed) by Congress last week. I'm of two minds on that theory. On the one hand, I can't believe the people at the TSA would really be so stupid as to think something like CAPPS-II would work for the stated purpose, so they must have ulterior motives. On the other hand, maybe I'm being too generous and they really are that stupid, or at least have been deceived by people a little too high on their own technology hype. Of course, there might be a bit of both going on here.

Too many details are left out of the TSA's description of CAPPS-II to do a full evaluation, but even with what they've disclosed there are some huge technological issues:

  • The commercial database step (#4) is to verify that you are who you say you are. The classified black-box step (#6) is to verify that the person you say you are is not a terrorist. This means a terrorist only has to thwart one of the two checks: he either steals the identity of a mild-mannered war hero who is above suspicion, or he gives his real identity and makes sure he doesn't raise any red flags himself. Since no biometric info (photo, fingerprints, or the like) is used, it would be trivial to steal someone else's name, address, phone number and birth date and forge a driver's license for the new identity.
  • Like all automatic classifiers, CAPPS-II needs to be tuned to trade off the number of false positives (innocent people arrested) vs. false negatives (terrorists let through with just a cursory search). Make it too sensitive and every third person will trigger a request for a full search (or worse, arrest), slowing down the security lines. Make it too lax and terrorists will get through without giving up their nail files. The trouble is that airports screen over a billion people a year, and yet even with our supposed heightened risk these past two years far fewer than one in a billion is a terrorist who plans to hijack a plane. Given those numbers, even if our CAPPS-II system correctly identified an innocent person 99.99999% of the time, we would still arrest 1000 people per year due to false information. And with a 99.99999% accuracy requirement on false positives, the odds are good that even Jedi-mindreading alien technology won't have a great false-negative rate. This isn't to say risk-assessment has no effect — it may still give better odds than the system we use currently — but most of the benefit from our security screening comes from the added random risk of being caught that a terrorist faces. And that brings us to the third technical problem: intelligent opponents.
  • Standard classification is a pattern recognition problem. A computer is given large amounts of data and expert knowledge, and tries to predict what class a sample (in this case, a passenger) falls into. Classification of intelligent adversaries is different though — it leaves the realm of normal pattern recognition and enters into game-theory. Once this happens it's a constant arms (and intelligence) race: terrorists commit 9/11 with one-way tickets, so we double-search people with one-way tickets. So all but the stupidest of terrorists now buy round-trip tickets, thus giving them even better than random chance to get through with just a once-over. Of course, we know that's what they would do, so we should switch to letting one-way tickets through and double-search round-trip tickets, at least until the terrorists catch on and change their plans. (Surely I cannot choose the wine in front of me.) There is a solution to all this madness: completely random selection of passengers for extra screening cannot be gamed in this way. Anything else and it become a question of who can figure out the other side's profile faster, and given an intelligent foe who can probe the system to his heart's content, I know who I'd bet on in that race.

Given that Congress has just moved to delay CAPPS II until the General Accounting Office makes an assessment, I can only hope they'll have similar questions and concerns. This system is either lunacy or a boondoggle to keep a database on the travel habits of every single American — neither is a comforting option.

Posted by bug to Big Brother at 11:38 PM | Comments (0) | TrackBack

September 23, 2003

Breaking the brick -- Media Technology --

Intel's Personal Server project, lead by Ubiquitous Computing long-timer Roy Want, got some press this past week after it was shown at the Intel Developer Forum. The prototype is a 400MHz computer with Bluetooth, battery and storage, all about the size of a deck of cards. No screen and no keyboard — I/O is handled by whatever devices happen to be around, be they the display and keyboard on your desk, the large-screen projector in the conference room or your portable touch-screen. This concept isn't new; it's something that researchers in Ubiquitous Computing and Wearable Computing (including Roy) have been talking about for over a decade. But it is the right concept, and Moore's Law is finally bringing it to almost within reach.

There are three main reasons why this is the Right Thing(tm):

  • Your hands aren't getting smaller. Handheld computers are now small enough that the limiting factor is screen and button size. Since our hands aren't getting any smaller, we're pretty much at the limit for everything-in-a-single-brick handhelds, at least for current applications. One of the ways out of that box is the wearable computing approach, where interfaces are spread around the body like clothing or jewelry. Displays are shrunk by embedding them directly into the glasses, tiny microphones are used for speech recognition, micro cameras and accelerometers are used for for gesture and context recognition, and specialty input devices such as medical monitors get used instead of more generic input devices. One of the big difficulties with wearables is all the wires leading from the CPU/Disk/Battery unit to the I/O devices, and in fact this problem was a big motivating force behind the IEEE 802.15 short-range wireless standards, which include Bluetooth. Wireless isn't a complete solution (you still have to worry about powering your I/O devices) but it's a start.

    The other way to break the hand-size limit is the UbiComp approach: use whatever interfaces are in your surrounding area. When I'm at my desk I want to use my nice flat-panel display and ergonomic keyboard, not my black-and-white cellphone LCD. When I give a presentation I want to use the conference hall's projector. I don't need a keyboard at all, just enough to launch my Keynote presentation and change slides. Roy naturally leans towards this second approach, but as I've argued before the Ubicomp and Wearables approaches work well together; there's no need to choose.

  • Always the right tool for the job. Another advantage to breaking the CPU from the I/O is it gets around an inherent conflict in interface design. On the one hand, designers will tell you that you always want the interface to fit the task. Use a hammer to drive nails and a screwdriver to turn screws, and all that. But in the mobile world you don't want to carry around your cellphone, PDA, MP3 player, two-way pager, camera and laptop everywhere you go. When it comes to mobility, most people choose to carry a Swiss Army knife instead of a full toolchest, even though the one-size-fits-all interface won't ever be quite right for the task. (That's why I still carry my Danger Hiptop, which is great for text messaging but feels like I'm holding a bar of soap to my ear when I use it for voice.) When you break the brick, as it were, you can use one CPU, main battery, network connection and storage for all your devices. Then just bring whatever interfaces you need for whatever you tasks you expect that day, and use interfaces in your environment when they're available.

  • Thin clients don't grow with Moore's Law. An alternative to having your personal CPU with you at all times is to run a thin client that has just enough smarts to talk to a server over wireless. The server then does all the heavy lifting. The trouble with this approach is that thin clients rely mainly on two resources: wireless bandwidth and the rather significant battery power needed to get to the nearest cell tower. The trouble is, these are the two resources that are growing most slowly. Since 1990, the RAM in mobile computers has improved a hundred-fold, CPUs 400-fold, and disk-space a whopping 1200-fold. In that same time, long-haul wireless speed has improved only 20-fold and battery efficiency only three-fold. (Thanks to Thad Starner for those numbers.) And, of course, thin clients don't work when you're in a wireless deadzone.

It's not clear when Intel (or Apple or Sony for that matter) will finally come out with a successful Personal Server style product. The hardware is just one necessary piece to the puzzle, with resource discovery, communication standards, good interface design and of course the all-important "killer app" to bring it all together. But in spite of the hurdles yet to come, this is the right approach. I'm glad to see Intel is giving it the support it deserves.

Posted by bug to Media Technology at 11:06 PM | Comments (0) | TrackBack

September 22, 2003

ISWC registration deadline this Friday -- Media Technology --

As a reminder for those who are interested in wearable computers, the early registration deadline for the 7th IEEE International Symposium on Wearable Computers is this Friday, September 26th. You can check out the advance program here.

I'll be co-teaching the Introduction to Wearable Computers tutorial with Thad Starner, and am also tutorials chair and on the program committee.

Posted by bug to Media Technology at 12:32 PM | Comments (0) | TrackBack

September 21, 2003

Privacy and soft walls -- Media Technology --

I've been reading up on IBM's recently announced WebFountain project. The system, which has been dubbed Google on steroids, spiders the Net and other databases and applies various data-mining, natural-language processing and pattern recognition techniques to the data. The current system uses 500 parallel-processing Linux boxes, all accessing about half a terabyte of storage in the basement of the IBM Almaden Research Center. IBM's infrastructure allows clients to customize their searches and standing queries using a library that will "tokenize the data to identify people and companies, and discover patterns, trends and relationships in the data." The technology is being offered as a service, and is already being sold through a partnership with Factiva. It is being marketed mainly for trend identification and for "reputation management," where a company watches chat rooms, bulletin boards, newspapers and other sources to see what people are saying about it.

I'm quite interested in the technology, and even have a friend from grad school who has been working on it (Hi Dan!). But the thing that got me thinking was a comment about privacy by Robert Morris, the director of IBM Almaden. As reported in the San Jose Mercury News:

The technology could potentially raise privacy concerns if companies turned its power on analyzing individuals. But Hart and Morris said both companies would protect user privacy.

"Anything we mine is public data on the Web," Morris said.

But it isn't yet clear how the company would restrict users trying to use the tool to invade someone's privacy.

The quote is in line with the comment by The Economist: "No doubt some people will say it sounds a little intrusive. But all WebFountain does is reveal information that is hidden in plain sight."

Unfortunately, the idea that anything findable on the Net is "public" is a dodge — "public data" is a simplification of what is a much more complex set of social rules. Counter-intuitive as it may sound, privacy rules are not primarily about restricting information access to particular people. The primary purpose of privacy rules is to keep people from using the information in ways that would harm the person who is keeping it secret. This is why companies wink at sharing trade secrets with your wife or husband but are adamant about not revealing them to potential competitors, unless they've first signed a non-disclosure agreement. The NDA explicitly restricts harmful uses of the data, making the privacy rules unnecessary.

The idea that privacy is a restriction on power was brought home to me a few years ago by an old fraternity brother of mine. Back when he was still finishing his PhD at MIT he got a call from an MIT campus policeman, who somewhat sheepishly explained that he was calling on behalf of an irate member of the Massachusetts Maritime Police Department. Apparently this maritime policeman had been surfing the Web and had come across a picture from my friend's undergraduate fraternity days, showing him firing water balloons from a giant funnelator. The campus policeman said he was calling to inform my friend that slingshots are illegal in Massachusetts, and that he wanted to make sure that the device had been destroyed.

So here was a picture that was clearly "public" in that it had been published for anyone to see. The intended audience was anyone who was interested in our fraternity's annual Water War, plus anyone else who might get a chuckle out of it. You could even say the intended audience was everyone in the world except for particularly humor-impaired members of the Massachusetts Maritime Police Department. If webservers had provided such vaguely-defined access rules, we certainly would have used them.

A more realistic idea of public vs. private spaces is one of intended use, with restrictions on access as a proxy for limiting that use. When I write an article for an academic journal or even a blog entry I expect to be called upon to defend my position. When I write a LiveJournal post I expect much less criticism, and I expect that people who read my postings will be the sort of people who generally agree with me and will be accepting of whatever personal thoughts I write. Both are published on the Web, both are "public," but different social rules are implied by the relative ease of access, ease of discovery, and the different communities that are most likely to come across my posts. Difficult access provides a kind of "soft wall" that restricts access to certain communities, and the social rules of those communities provide a soft wall that limit how my information will be used. I expect most LiveJournal users would feel violated if information from their posts wound up being used in targeted marketing literature, even though most posts aren't password protected.

I don't intend to slam WebFountain with this argument — WebFountain is just the latest technology that is moving soft walls around by changing the ground rules. It was also only a matter of time before such a service was be offered. As a coworker of mine has pointed out, it is almost a certainty that the NSA has already developed such technology. (The argument goes: (a) The NSA would have to be really incompetent not to have done this, and (b) the NSA is not incompetent.) Given this is likely, it seems better for society that such technology be out in the open so people can adjust their expectations about how soft those soft walls really are.

Posted by bug to Media Technology at 11:14 PM | Comments (0) | TrackBack

September 19, 2003

Different copynorms for HTTP and P2P? -- Intellectual Property --

Ernest Miller has an interesting post over at LawMeme about why there is moral outcry about shutting down music filesharing on peer-to-peer systems, but not about sharing via the Web. (Props to Freedom to Tinker for the link).

Yet there hasn't been much outcry over the fact that the RIAA has and continues to shut down hundreds of noncommercial websites offering copyrighted MP3s for download without authorization. The RIAA has even threatened lawsuits and gotten college students expelled over their refusal to remove MP3s from college websites. There has been concern (often expressed on LawMeme) about abuse of the DMCA's notice and takedown procedures, but not much outcry when direct copyright infringement has been shown. Why is there no outraged defense of http filesharing?

...

I venture that there seems to be a different set of copynorms for the practice of filesharing via P2P and http. Certainly some defend filesharing via both P2P and http, but others strongly defend P2P with nary a word in favor of http filesharing. Although I have no proof, I suspect that the public's attitude toward filesharing would differ based on the protocol at issue. Would 12-year old Brianna Lahara think it was okay for her to put all her music on a website for the world to copy? Why don't we see people uploading files to their websites more often? Why aren't they more upset when told they can't upload to their website then when they make files available via a filesharing program?

I believe that the difference is that filesharing by http is seen clearly as a public act, while P2P seems more like a private act [Can't stay away from that Public/Private distinction, huh? - Ed.]. If I were to stand on a street corner handing out CD-Rs to strangers (even were I doing so with no possibility of remuneration of any sort), most people would not consider that proper. If the RIAA were to sue me for such an act, would there be such an outcry over the injustice of it all? Yet, if I handed a CD-R to a friend, most would defend it. The difference is that one is private and the other public.

I think we're seeing three effects here:

  • I agree that P2P feels more private than the Web, and so people feel the law should butt out. I would argue that the main for this is that P2P software is easier to set up than a webserver, so "normal" people think of P2P as private and HTTP as "that place that I pay someone else to host content for me," if indeed they have a personal webserver at all.

    If everyone had their own website, I expect you would see similar copynorms for both P2P and HTTP. As completely anecdotal evidence, my more techie friends who have their own websites also share music via password-protected HTTP. It would be interesting to see if this distinction between the copynorms for the two protocols exists on college campuses where every student is given his or her own personal webspace.

  • P2P is newer, and so copynorms were set for P2P at a time when the Internet was used by normal, everyday people. Remember that when Mozilla and Netscape were first introduced people were still panicking about evil teen-aged hackers who could kill people from their bedroom computer and the horrible discovery that (gasp!) there was pornography on the Net. By the time mainstream America was online all the music-sharing websites had already been shutdown and sharing had moved to Napster, so "normal" people haven't experienced it first-hand.
  • There's the idea of reciprocation with P2P, where you are generally sharing with people who share with you. I think it's this aspect that most counteracts the feeling that you're handing out CD-Rs to strangers and brings it closer to the idea that you're sharing mix-tapes with your 5,000 closest new friends.
Posted by bug to Intellectual Property at 1:10 PM | Comments (1) | TrackBack

September 17, 2003

Volokh-Solum debate on IP -- Intellectual Property --

I meant to blog this earlier, but Ed Felten beat me to it. Eugene Volokh (The Volokh Conspiracy blog) and Lawrence Solum (Legal Theory Blog) are having an interesting debate on the theory behind the idea of treating intellectual property as tangible property, hinging mostly on the idea of the level of property rights necessary to offer incentives to produce intellectual and tangible goods. The postings so far:

Posted by bug to Intellectual Property at 12:26 PM | Comments (0) | TrackBack

September 16, 2003

Move over Zuccarini -- Media Technology --

For those who don't know, John Zuccarini is the most notorious of the so-called "typo-squatters," people who register domain names that are common typos of popular websites and then flood the poor fat-fingering visitor with advertisements. Zuccarini had at least 5,500 copycat Web addresses, and the FTC estimated he was earning between $800,000 and $1 million annually from the mostly porn-based banner ads he displayed, in spite of numerous lawsuits against him for trademark violations. Zuccarini was arrested last week under the new Truth in Domain Names provision in the PROTECT Act of 2003, which makes it illegal to use misleading domain names to lure children to sexually explicit material.

But to add insult to injury, no sooner has Zuccarini been arrested than he has been toppled as the typo-squatting king by a new upstart: the domain-name register VeriSign. Trumping Zuccarini's 5,500 copycat domain names, VeriSign has used their position as keeper of the keys to redirect ALL unregistered typos to their site. Try going to http://whattheheckisverisignsmoking.com/ and see for yourself. VeriSign has posted a white paper on their new move, which creates a top-level "wildcard" registry for every domain-name request in the .com or .net domains. The change redirects any entry without DNS service to VeriSign's own SiteFinder search engine, including reserved domain names such as a.com and domain names that are registered to other people but don't have an active name server.

The main problem is that VeriSign is abusing their position as gatekeeper of the com and net domains, which are a public trust and not VeriSign's commercial property. Network types have also been quick to point out other ways this move breaks things on the Net. Most important to everyday users, Web browsers are no longer able to gracefully handle bad links or mistyped URLs. Most browsers pop up a small dialog box for a bad URL, leaving the user on the old page. With the new changes, browsers cannot give this functionality. (Of course, for people who use versions of IE that redirect to Microsoft's search-page, the only difference will be a change of masters.) Furthermore, debugging scripts often use domain-not-found errors to check for routing problems; these are no longer returned. And finally, anti-spam software also often uses domain-not-found errors to detect mail from invalid email addresses. (There was also concern that email sent to a typoed domain name would not bounce properly, but it seems this was either not the case or has been fixed.)

As one might expect, the flameage has been fast and furious on this one. Of particular note is the discussion on the North American Network Operators Group mailing list, where members have already contributed several patches to routing software that would essentially ignore VeriSign's wildcard lookup, restoring the Internet (or at least the portions that apply the patch) to the old way things operated. Many are also simply dropping the IP address for sitefinder.verison.com (64.94.110.11) on the floor. If widely adopted such actions would essentially neutralize VeriSign's change, but I expect the adoption levels will only be enough to be a statement of protest, not an actual revolution. However, Computer Business Review notes that the Internet Corporation for Assigned Names and Numbers (ICANN), which manages aspects of the DNS for the US government, has yet to weigh in on whether VeriSign's changes are actually valid according to agreed-upon specs.

UPDATE: It seems VeriSign is only half-handling email correctly. What they've done is hooked up their own special mail-handler (which they call the Snubby Mail Rejector Daemon v1.3) that returns a fixed set of responses to SMTP transactions. Currently, VeriSign reads the From and To headers and then returns an error code. This means all misaddressed email relies on VeriSign's server to bounce mail, and should the server not be available bounces might be delayed by several days. It also means that all addresses of typoed email are actually sent to VeriSign before being bounced, rather than stopped locally. Of course, I'm sure no VeriSign employee would be so criminal as to actually use this information for industrial espionage, nor would he change the Snubby Mail Daemon to actually collect the contents of said messages.

Friends of mine have also pointed out that ISPs and businesses "cache" DNS addresses on their local DNS servers. By claiming that all DNS requests are legitimate, VeriSign is clogging these caches with bad requests.

References

Posted by bug to Media Technology at 1:41 PM | Comments (3) | TrackBack

September 15, 2003

Homefront Confidential -- Big Brother --

Since March 2002, the Reporters Committee for Freedom of the Press has released a semiannual report on how the War on Terrorism is affecting "access to information and the public's right to know." The fourth edition of this report, Homefront Confidential, has just been released.

The 89-page report ranks threats to a free press on the same color-code used by the Department of Homeland Security:

  • Red (severe): Access to terrorism & immigration proceedings; restrictions on Freedom of Information Act requests
  • Orange (high): Covering the war; military tribunals
  • Yellow (elevated):The USA PATRIOT Act and beyond; The reporter's privilege; The rollback in state openness
  • Blue (guarded): Domestic coverage

Homefront Confidential is a stark contrast to the kind of "information wants to be free" rhetoric I so usually find (and, I'll admit, often speak) here in Silicon Valley. In my techno-optimistic world, information naturally flows straight from bloggers in the field to a public eager for news, with no gatekeepers between us. There is some truth to this notion, and blogs have been credited with breaking the Monica Lewinsky story and keeping Trent Lott's racist remarks about Strom Thurmond in the public eye, as well as many other successes.

But while blogs and other Internet reporting can both accelerate a story's propagation and occasionally magnify the voice of an eyewitness or whistleblower, most important news starts in the hands of a few important decision-makers. Without cooperation from the Justice Department, information about closed terrorism and immigration proceedings (including the detainees' names) is simply not available. Without access to battlefields and military officers, details about our progress in war is not available. The government also has extensive powers to keep information bottled up, from criminal prosecution of whistleblowers under the Homeland Security Act, to legal restrictions on commercial satellite imaging companies, to use of subpoenas to force reporters to reveal their sources. These are all effective restrictions on the flow of information that aren't deterred by the blogger's nimble RSS feed.

Information wants to be free in this networked age, but the information that is most important for keeping our government in check is still behind several gatekeepers. In deciding the laws and policies of our land it's important to remember the converse of this techie creed: Yes, information wants to be free, but freedom also requires information.

References

Posted by bug to Big Brother at 11:53 PM | Comments (0) | TrackBack

September 12, 2003

More RIAA Blowback -- Intellectual Property --

The blowback from the RIAA's lawsuits continues. First, recording artists like the Grateful Dead's Bob Weir, Chuck D of Public Enemy, DJ Moby, Steve Miller and Huey Lewis are all speaking out against the lawsuits, and more importantly against the myth that the RIAA is out to protect the artists. The plight of artists is the only source of sympathy the RIAA has, so this kind of talk hurts a lot. Then in a turnabout-is-fair-play move, a California man has filed lawsuit against the RIAA, alleging that their clean slate program is fraudulent because it offers an amnesty the RIAA does not have the right to grant. Finally, the EFF has started a petition to congress that protests the RIAA's lawsuits, calls for "the development of a legal alternative that preserves file-sharing technology while ensuring that artists are fairly compensated" and asks that the EFF be included in upcoming hearings on the subject. The petition has already received over 12,000 signatures in first two days.

Meanwhile, RIAA president Cary Sherman is invoking that old standby Devil, child pornography, in congress. A pedophile could send "an instant message to the unwitting young person who downloads an Olsen twins or Pokemon file from the pedophile's share folder on Kazaa," Sherman said.

What strikes me is how differently this battle is playing out in the press than the CyberPorn and Kevin Mitnick battles did back in 1995. Remember back then, when the word "hacker" was spoken in the same frightened reverence with which we speak the word "terrorist" now. For better or worse, our society has realized in this last decade that there are worse crimes than porn on the Net, worse violations of our civil liberties than export restrictions on our cryptography, and more dangerous people than our own children. We're wiser now, and that's good, but I also find I long for the days when I wore my Cypherpunk Criminal t-shirt for political protest, not out of nostalgia.

References

Posted by bug to Intellectual Property at 9:16 PM | Comments (0) | TrackBack

September 10, 2003

Slate's Guide to the Patriot Act -- Big Brother --

With tomorrow's anniversary of 9/11, John Ashcroft wrapping up his national tour for promoting the USA Patriot Act, and President Bush asking for more authority under what is being called the first of several Patriot-II laws, I highly recommend people go read Dahlia Lithwick and Julia Turner's four-part series, A Guide to the Patriot Act, published in Slate. Lithwick and Turner manage to cut through the spin-doctoring on both sides of the debate, presenting the more controversial parts of the Act without shilling for one side or the other, but while still presenting their own analysis and thoughtful interpretation. It's a breath of fresh air, cutting between punditry and objective-to-a-fault reporting-without-analysis:

How bad is Patriot, really? Hard to tell. The ACLU, in a new fact sheet challenging the DOJ Web site, wants you to believe that the act threatens our most basic civil liberties. Ashcroft and his roadies call the changes in law "modest and incremental." Since almost nobody has read the legislation, much of what we think we know about it comes third-hand and spun. Both advocates and opponents are guilty of fear-mongering and distortion in some instances.

The truth of the matter seems to be that while some portions of the Patriot Act are truly radical, others are benign. Parts of the act formalize and regulate government conduct that was unregulated — and potentially even more terrifying — before. Other parts clearly expand government powers and allow it to spy on ordinary citizens in new ways. But what is most frightening about the act is exacerbated by the lack of government candor in describing its implementation. FOIA requests have been half-answered, queries from the judiciary committee are blown off or classified. In the absence of any knowledge about how the act has been used, one isn't wrong to fear it in the abstract — to worry about its potential, since that is all we can know.

Ashcroft and his supporters on the stump cite a July 31 Fox News/Opinion Dynamics Poll showing that 91 percent of registered voters say the act had not affected their civil liberties. One follow-up question for them: How could they know?

If you haven't read all 300-plus pages of the legislation by now, you should.

Since I haven't read all 300-plus pages of the legislation myself, I won't tell you to do so. But I will tell you to go and read Lithwick and Turner's guide.

References

Posted by bug to Big Brother at 9:19 PM | Comments (1) | TrackBack

September 9, 2003

RIAA Blowback -- Intellectual Property --

As Slate points out, if you're one of the more than 4 million people who use the KaZaA network on any given day you've a greater chance of being hit by lightning than being one of the 261 people the RIAA just sued. The RIAA's strategy all along has been cultural: scare people into not sharing, and "educate" the public that file sharing is an evil treat to our society's very survival. Whether these lawsuits (and the thousands more they plan to file) have a chilling effect will be seen over the next couple months. The battle for our hearts and minds, however, is not going so well for the RIAA.

So far the press has reported on a few members of the seamy file-sharing underworld. One is Brianna LaHara, a 12-year-old Catholic-school honors student who was "on the verge of tears when she found out about this." Another is Heather McGough, a 23-year-old single mom of two who got KaZaA when a friend of her 14-year-old cousin told her she could "get the Gateway to play songs." Then there's Durwood Pickle, a 71-year-old grandfather who says his teen-aged grandchildren use his computer during visits to his home. "I'm not a computer-type person," Pickle said. "They come in and get on the computer. How do I get out of this? Dadgum it, got to get a lawyer on this."

Each defendant is potentially liable for fines ranging between $750,000 and $150 million, though of course the RIAA is offering settlements. Brianna's mom has already accepted a quick settlement, paying $2000.

The reactions of the defendants have varied. Yale University photography professor Timothy Davis said he'll stop sharing music files immediately. "I've been pretending it was going to go away," Davis told reporters. "I'm not some kind of college student who's downloaded thousands and thousands of things. It isn't like I'm trying to broadcast these things anywhere." Most quoted in the news, however, have expressed frustration. "I can understand why the music industry is upset about this, but the fact that we had access to this as the public, I don't think gives them the right to sue us. It's wrong on their part," said Lisa Schamis, a 26-year-old from New York. Schamis added that she is unemployed and would be unable to pay any large fine or settlement. Her sentiment is shared by defendant Vonnie Basset, a bookkeeper in Redwood City, California. "How are we supposed to know it's illegal? Half the things on the Internet must be illegal then," said Ms. Basset, who says her 17-year-old son uses KaZaA. "Why don't they sue KaZaA? Why are they suing the people? That's the part I don't understand."

Marvin Hooker, a 39-year-old San Francisco bank employee, expressed the philosophy held by many. "To me, the way I see it, I am not taking anything from them," Mr. Hooker said. He compared downloading music to making a copy of music or a tape for friends. "I don't see people getting sued because of that," he said. Sylvia Torres, Brianna LaHara's Mom, put it more simply: "It's not like we were doing anything illegal. This is a 12-year-old girl, for crying out loud."

This is, of course, the exact message the RIAA wants to stamp out. But with such normal, mainstream defendants and such out-of-this-world potential fines, it's hard not to see the RIAA as the big bully extorting everyday citizens.

Attempts by the RIAA to soften the legal attack have met with a good deal of scorn. One attempt is their Clean Slate amnesty program, whereby the RIAA promises not to sue file-sharers who sign a notarized form admitting to copyright violation and promising never to do it again. But as the Electronic Frontier Foundation points out, the RIAA does not actually own any copyrights and member labels are not bound by any agreement they make. Furthermore, such admissions could be used by other rights holders to prove a sharer was a "willful infringer," which could lead to prison time.

Universal Music Group has even cut the price of a CD from $18.98 to $12.98, citing falling CD sales and, of course, piracy. Their olive branch to consumers, however, is being seen as too little, too late. Renee Graham, of the Boston Globe, writes:

In other words, after years of gouging customers, the recording industry is desperate. Sparked by Napster, and continued through such file-swapping services as KaZaA, Morpheus, and Grokster, the free-music revolution has left the major labels reeling and hemorrhaging. And CD prices, which despite promises to the contrary have steadily increased through the years, turned off even those who weren't inclined to sit at their computers downloading their favorite tracks.

In an article for The Register, Ashlee Vance points out that this is the first price cut since the CD format came out in the 1980s. At the time, the fact that CDs were a new format was used as an excuse to raise prices above LPs, with the promise that prices would drop as the new format became mainstream. She also points out that just two months ago a pair of music labels were yet again nailed for price fixing by the Federal Trade Commission.

None of this helps portray the music industry as a poor innocent victim, being picked on by wicked 12-year-old girls. As for the effect on file-sharing, I honestly hope that the RIAA's jihad has a chilling effect for a while. Each turn of the screw has unleashed new technology, from music webpages, to multimedia search pages, to Napster, to complete peer-to-peer file sharing. I keep hoping for one more forced revision to the technology before the music industry finally gets a clue. But I can guarantee who will win this battle in the end. A Forrester report released a few weeks ago reports that 49% of 12- to 22-year olds downloaded music last month. When it comes to pride, stubbornness and brazen pig-headedness, even the RIAA can't stand up to the combined will of millions of teenagers.

References

Posted by bug to Intellectual Property at 11:47 PM | Comments (4) | TrackBack

September 8, 2003

100% Cotton -- Politics --

From Reuters:

CANCUN, Mexico (Reuters) - The United States came under fire for its heavy cotton subsidies Monday with African nations saying free trade talks are meaningless unless Washington stops throwing money at its farmers... [Benin's trade minister] and ministers from fellow African cotton producers Mali, Burkina Faso and Chad called for the WTO to approve a total ban on subsidies for cotton farmers by 2006.

This has been boiling up for a while now. To put things in perspective, Burkina Faso is one of the poorest countries in the world, and cotton is one of their few cash crops. Most of their cotton farms operate on 1-3 acres, with the planting, weeding and harvesting done by hand. You'd think such farming couldn't be as efficient as the economy of scale achievable by large-scale U.S. agribusiness, but in fact it costs about 73 cents to produce a pound of cotton in the U.S. and only 21 cents per pound in Burkina Faso.

A few other facts from a 2002 Oxfam briefing paper:

  • In 2001/2002, U.S. farmers received subsidies amounting to $3.9 billion, more than the entire GDP of Burkina Faso, and three times more in subsidies than the entire USAID budget for Africa's 500 million people.
  • The value of subsidies in 2001 exceed the market value of output by around 30 percent. In other words, cotton was produced at a net cost to the United States.
  • Based on models from the International Cotton Advisory Board, Burkina Faso lost 1% of GDP and 12% of export earnings due to U.S. subsidies.
  • The largest 10 per cent of U.S. cotton farms receive three quarters of total payments. In 2001, ten farms between them received equivalent to $17 million.

It's unclear how this WTO case will play out. African countries are in an extremely weak negotiating position, because they rely heavily on aid, debt relief and trade preferences. For example, the aid relief provided by the U.S. under the Africa Growth and Opportunity Act (AGOA) can be unilaterally withdrawn, as can U.S. food aid. (The AGOA aid, ironically, is conditional on African governments liberalizing agricultural markets, including cotton.) On the other hand, the conflict is bringing visibility of the problem to Capitol Hill at a time when farm subsidies are being challenged.

References

Posted by bug to Politics at 11:44 PM | Comments (0) | TrackBack

September 7, 2003

Taxation Chicanary -- Politics --

The apportionment of taxes on the various descriptions of property is an act which seems to require the most exact impartiality; yet there is, perhaps, no legislative act in which greater opportunity and temptation are given to a predominant party to trample on the rules of justice. — James Madison

Tax policy has everything a politician could want in an issue: it affects everyone, it's easy to differentiate your position from your opponent's, and it's complex enough that you can spin the subject six ways to Sunday without ever telling a bald-faced lie. With the presidential campaign ramping up and the California gubernatorial campaign in full swing I'm starting to see a few standard tricks get used. I'm no Penn and Teller of the political world, but I thought I'd list some of the spin tricks I've seen so far. (Kids, play at home — how many misleading tax claims can you find this campaign season?)

  1. Bringing down the (income) tax. In 2001, President Bush said that under his first tax cut "a family of four making $35,000 [would] receive a one hundred percent tax cut." What he forgot to mention that this was only income tax he was talking about, not payroll tax.

    Everyone gets mad about income tax because it's the one we see every April, but 74% of Americans actually pay more in federal payroll tax than federal income tax. For poor to moderate-income workers, it's a lot more. And because income taxes are a relatively small percentage of these worker's total tax burden, any small reduction can look like a huge percentage of the income tax without reducing the total tax burden by a large amount. It's a classic use of misdirection. Penn and Teller would be proud.

    This trick hasn't been retired in the past two years, either. Back in June of this year, Tim Russert quoted statistics provided by the Department of Treasury in his Meet The Press interview with Howard Dean:

    The Department of Treasury, we consulted and asked them: What effect would [repealing Bush's entire package of tax cuts] have across America? And this is what they said. A married couple with two children making $40,000 a year, under the Bush plan, would pay $45 in taxes. Repealing them, under the Dean plan, if you will, would pay $1,978, a tax increase of over 4,000 percent. A married couple over 65 making $40,000 and claiming their Social Security, under Bush would pay $675 in taxes. You're suggesting close to $1,400, a 107 percent tax increase. Can you honestly go across the country and say, "I'm going to raise your taxes 4,000 percent or 107 percent," and be elected?

    Dean responded "I don't believe [those figures]. This administration has not been candid about the impacts of this tax cut."

    John Kerry continues to cite these numbers, saying in an August 31st Meet The Press that "If you're a $40,000 income earner, Howard Dean's going to raise your taxes more than 20 times."

    As you might have guessed, the numbers provided to NBC for the Dean interview are only for income tax, not the full tax burden. Martin Sullivan, an economist and writer for Tax Notes, discussed the figures in a recent article:

    And in a new application of the "income tax only" approach to distribution analysis, the Treasury Department is providing the press with case studies of the combined effects of the 2002 and 2003 tax cuts on middle-income families. But in what can only be characterized as egregious use of misinformation, the Treasury Department frequently omits from its explanation that it is looking only at income taxes.

    He then discusses the Treasury Department report that was quoted in the Dean interview, noting that the words "income tax" appear only in the detailed write-up and an accompanying report, but nowhere in the main executive summary. "If this continues," writes Sullivan, "the Treasury's Office of Tax Policy (OTP) may have to change its name to the Office of Tax Propaganda."

  2. Just your average family. The most common way to compute an average tax-cut is to take the total tax cut and divide by the number of tax-payers (also known as the mean). So when Bush says "ninety-two million Americans will keep, this year, an average of almost $1,000 more of their own money" in his State of the Union address, that's the average of my tax cut, your tax cut, and Bill Gates' tax cut. Unfortunately, Bill Gates got a bigger cut than you or I did, so that skews the numbers. It also doesn't average in the fifty million tax-paying Americans who got no tax cut, which brings the average up even further. In fact, according to the Urban-Brookings Tax Policy Center, fewer than 20% of tax-payers would receive a tax cut of $1000 or more. A less misleading average would be the median tax cut (a little less than $100) or the mode tax cut (zero dollars) but those don't sound nearly as exciting.

  3. The Specter of Double Taxation. The dividend tax has been loudly criticized as being an "unfair double taxation." To quote the Republican Study Committee:

    No dollar should be taxed twice — especially not a dollar created by citizen productivity. Just imagine if taxes were taken out of your constituents' weekly paychecks before they were mailed and then again after they were mailed. Wouldn't that be unfair? The double taxation of dividends is equally unjust. No income should be taxed more than once. If the federal government taxes a dollar of corporate profit, it has no right to tax that same dollar again just because it is distributed to shareholders.

    There are sound economic arguments for reducing the dividend tax, the strongest being that it encourages companies to issue stock instead of borrow money. However, the double-taxation argument is complete chicanery — all money is double-taxed (and triple-taxed, and quadruple-taxed). When I receive my paycheck (created with my citizen productivity), I pay income tax. I then spend that money and pay sales tax, a double-tax. If I purchase gasoline I'll also pay a gas tax, a triple-tax on my dollar. But it doesn't stop there! The gas station uses that dollar to pay the attendant, and charge him income tax, and then he goes to a restaurant... you get the idea. There's a nice Tom The Dancing Bug cartoon that illustrates the problems with this dodge quite effectively.

  4. What goes around comes around. During the first California Gubernatorial recall debate, Arianna Huffington (Independent) and Peter Camejo (Green) both suggested raising corporate taxes. On the surface this sounds like a way to raise revenue without causing pain to working-class voters, but it ignores the fact that everything is interconnected in an economy. Republican State Senator Tom McClintock had this response:

    I'll let you in on a secret about business taxes. Businesses do not pay taxes, they pay taxes through you as a consumer in higher prices, through you as an employee through lower wages or through you as an investor in lower earnings. Investors are not fat cats, that is Mom and Dad's retirement fund we're talking about.

    McClintock is correct as far as he goes: at some point that tax burden has to be paid by real humans, be they consumers, employees or investors. But he only describes half the cycle. The other half is that taxes on individual people will come back to be paid by businesses, through lower sales to consumers, higher wages of employees, or through lower stock prices as investors have less savings to invest. That's the whole point of both trickle-down and trickle-up economics: to get business moving, you give a tax break to consumers and investors. In economics, everything is connected. You can't just look at the burden on one group without looking at how it affects the whole.

  5. Math class is hard. Let's go shopping. One of the arguments that gets used to promote flat taxes and consumption taxes goes something like this: "Boy, tax forms are complicated, aren't they? If you'd just throw out the entire income tax system and replace it with our proposal you wouldn't have to do all that math every April." To quote the main tagline of Americans for Fair Taxation, "It's simple."

    I'm amazed that anyone falls for this argument. First of all, the tax code isn't complex because we have a graduated (that is, non-flat) income tax, it's complicated because of all the exemptions, deductions, and special cases. (Such exemptions are used, for example, to encourage home ownership by allowing mortgage interest to be deducted from one's income.) Second, both flat-taxes and consumption-taxes are extremely regressive, which is to say they tax the poor a larger percentage of their income than they do the rich. I guess the idea is to distract middle-class voters with the simplicity argument so they don't realize they'll be taking on a larger tax burden. Pay no attention to the man behind the curtain.

In the end, tax policy boils down to just three things: fairly distributing the tax burden, creating incentives for useful behavior, and making sure there's enough revenue to keep the government running. Between these three parameters there's a whole world of complex, intelligent argument. We need advocates who can argue about whether a tax is more fair when it burdens everyone equally, burdens each according to his means, or burdens each according to the benefit he receives. We need economists who can argue whether trickle-up or trickle-down will jump-start an economy faster. We need political representatives who can argue about what services the government should provide. These are good, honest, and necessary arguments. We have no need for deceivers, dissemblers and charlatans who hope to pull a fast one.

References

Posted by bug to Politics at 11:31 PM | Comments (3) | TrackBack

September 5, 2003

Webmaster to start one-year sentence -- Big Brother --

Sherman Austin headed to jail on Wednesday to start his one-year prison sentence, guilty of hosting plans for the manufacture of explosives on his anarchist website, RaiseTheFist.com. The plans were not written by Austin, but Austin provided free hosting for anarchists and political protesters. In January of 2002, the FBI raided the home where Austin lived with his parents and confiscated all his computers and backup disks, including the server for RaiseTheFist. Agents also found components to make a Molotov cocktail. Austin was 18 years old at the time. (Austin details the entire story in an interview with CounterPunch.)

A few days later Austin went to the World Economic Forum protest in New York, where he was arrested and held without bail. He was eventually charged with possession of an unregistered firearm (the Molotov cocktail components), and with violating the controversial 1997 federal law that makes it illegal to distribute information about the manufacture of explosives "with the intent that the... information be used for, or in furtherance of, an activity that constitutes a Federal crime of violence." The law, championed by Sen. Dianne Feinstein (D-Calif.), raised serious first amendment issues when it was proposed. According to a CNET interview with Austin shortly before he went to prison, he is the first person to be convicted under the law.

In a statement on his web site, Austin said he originally planned to contest the charges. He decided to plead guilty to the information dissemination crime in return for the dropping of the firearms charge, because "after my lawyer consulted the USPO working on the case, she found out that a 'terrorism enhancement' is applicable to my charge, which could get me an additional 20 years." According to the LA Times, Austin was offered a plea bargain of four months in prison followed by four months in a halfway house, but U.S. District Judge Stephen V. Wilson rejected the plea and sentenced Austin to a full year in prison. After completing his term, he will be placed on three years probation, and will be barred from associating with any groups that espouse violence to achieve political, economic or social change. He will also need permission from the probation office operate a computer. The EFF has protested that the sentence is too severe for the alleged crime.

Several things bother me about this case.

First are the obvious First Amendment issues with the anti-information law under which he was convicted. Two things are necessary for this law to apply. The first is the distribution of information about explosives, which is clearly pure speech that is protected under the First Amendment. The second is the intent that the information be used for a violent crime, which is inherently difficult to prove or to disprove. It seems quite reasonable that Austin was all bluster and no action, an angry 18-year-old boy who liked to play political terrorist on his website and in his back yard but was not violent in real life. It is telling that the only previous charges brought against Austin were for refusal to disperse, conspiracy to commit a refusal to disperse, unlawful assembly, and disorderly conduct for blocking pedestrian traffic. In other words, for committing peaceful civil disobedience.

It's not surprising that the FBI thought they were dealing with a dangerous terrorist psychopathic when they went to RaiseTheFist.com and saw pictures of George W. Bush with a gun sight on his head, or read posts saying "Yeah, motherfucker, I'm a terrorist to the United States Government. I'm a terrorist to capitalism." and "We don't gather weapons, plan extreme operation, and risk our lives for nothing. This is real." But that's just speech, not action. It's like the old Saturday Night Live running gag where someone says "Well, it's not like I said I was going to kill the president..." and gets jumped by Secret Service agents that come out of nowhere. It's also not clear to me whether Austin was the author of any of these more violent postings, or whether he merely hosted them.

The second bothersome point is that the this smacks of selective enforcement. Information on how to make bombs is everywhere, from libraries to web sites to bookstores. This includes the infamous Anarchist's Cookbook that was published in 1970, and about which the author admits that the "central idea to the book was that violence is an acceptable means to bring about political change." And yet, the FBI has yet to raid Amazon.com to stop them from distributing this information. Of course, Amazon was not the author of the book, and it would be unfair to assume that Amazon intends violence just because they sell a violent book. Just as Austin did not write the explosives guide, and it is unfair to assume he intends any violence just because he offers web hosting for a violent page. Clearly, the crackdown was at least in part due to RaiseTheFist's message, and the fact that this message was in alignment with the growing anti-globalization movement.

The final point is most troubling: Austin was never able to argue his case. Plea bargains are meant to be an incentive to surrender when guilt is obvious. In cases like Austin's, where the plea is for a four-month sentence and the risk is 20+ years, there is huge incentive for a suspect to plead guilty even when he knows he is innocent. Sadly, this is often the rule rather than the exception, especially for the poor. It is only because this case involves mediapathic issues such as First-Amendment rights, the Internet, and terrorism that we have heard about it at all, unlike the hundreds of cases every day where innocent men and women cop a plea to go free based on time served rather than risk further jail time to clear their names.

Austin's lawyer describes his client as "a very peaceful person" who got carried away "in a very heated political environment." A clinical psychologist who specializes in threat assessments wrote for the defense that Austin "does not appear to have seriously considered the ramifications" of his actions "and would have been horrified had someone been injured." Let us hope that his year in prison, and his apparent abuse by the system, does not turn this peaceful-but-angry young man into the very terror the FBI fears.

References

Posted by bug to Big Brother at 11:49 PM | Comments (0) | TrackBack

September 3, 2003

Root Kit. Password Sniffer. Subpoena? 

Hackers have just had a new tool added to their arsenal of ways to get unauthorized access to a computer: the overbroad subpoena.

The story starts with Alwyn Farey-Jones, who was embroiled in a commercial lawsuit with a company called Integrated Capital Associates (ICA). In the course of that suit he told his lawyer to subpoena ICA's internet service provider, NetGate, for ICA's email. All of it.

What NetGate should have done is pass the subpoena by a lawyer, or at the very least talk to ICA first. But apparently they were cowed by the legal saber-rattling and eventually put up a "free sample" of 339 messages from ICA on their website for Farey-Jones and his lawyer to download. Most were unrelated to the litigation, and many were privileged or personal. Farey-Jones and his lawyer read them without notifying opposing council. After ICA's lawyers found out what had happened, the court issued a major tongue-lashing, quashed the subpoena and fined Farey-Jones over $9000 to cover ICA's legal fees. The court found "the subpoena, on its face, was massively overbroad" and "patently unlawful," that it "transparently and egregiously" violated the Federal Rules, and that defendants "acted in bad faith" and showed "at least gross negligence in the crafting of the subpoena." Subpoenas can be issued without a judge's approval, but under the Federal Rules lawyers must "take reasonable steps to avoid imposing undue burden or expense."

This is where things get interesting. ICA's lawyers and ICA employees whose e-mail was made available sued Farey-Jones and his lawyer for violating the Stored Communications Act and the Computer Fraud and Abuse Act, among others. These acts are usually applied to hackers who crack into a computer. In particular, the Stored Communications Act provides a cause of action against anyone who "intentionally accesses without authorization a facility through which an electronic communication service is provided... and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage." The Computer Fraud and Abuse Act reads similarly with regard to accessing "information from any protected computer." The district court threw the case out, but on appeal the 9th Circuit ruled that these laws can, in fact, apply to overly broad subpoenas. The case now goes back for trial.

From my non-lawyer's perspective, the court's logic makes sense. Farey-Jones and his lawyer used deception (in this case, a subpoena they knew to be illegally broad) to gain access to information from a computer. This sounds a lot like the so-called "social engineering" used by Kevin Mitnick to gain network access and sensitive information. As Mitnick said in a recent interview, "social engineering... is basically using manipulation or deception to influence a person to comply with a request — to release sensitive information or perform an action that creates a security hole, such as typing in commands, installing software or turning on a modem." Or in this case, to get an ISP to post email archives on their website where they can be downloaded.

SecurityFocus reports that legal reactions to the ruling are mixed. On the one hand, experts were concerned that it expands the scope of computer crime to include people who never themselves access a computer, and allows people who don't even own the computer in question to bring suit. On the other hand, experts said the ruling is good for online privacy and cracks down on subpoena-aided fishing expeditions. Cindy Cohn, legal director at the Electronic Frontier Foundation, said the EFF plans to cite the case in arguments against the Recording Industry Association of America, which has been subpoenaing ISPs to identify file traders. "It's going to be pretty useful to us," Cohn told SecurityFocus. "It buttresses the idea that you have a serious level of responsibility in issuing these legal instruments."

References

Posted by bug to at 9:14 PM | Comments (0) | TrackBack