About this Author
Ernest Miller Ernest Miller pursues research and writing on cyberlaw, intellectual property, and First Amendment issues. Mr. Miller attended the U.S. Naval Academy before attending Yale Law School, where he was president and co-founder of the Law and Technology Society, and founded the technology law and policy news site LawMeme. He is a fellow of the Information Society Project at Yale Law School. Ernest Miller's blog postings can also be found @

Listen to the weekly audio edition on IT Conversations:
The Importance Of ... Law and IT.

Feel free to contact me about articles, websites and etc. you think I may find of interest. I'm also available for consulting work and speaking engagements. Email: ernest.miller 8T

Amazon Honor System Click Here to Pay Learn More

The Importance of...

Category Archives

July 05, 2005

June 23, 2005

June 22, 2005

June 21, 2005

June 17, 2005

June 16, 2005

June 14, 2005

June 08, 2005

A Long Tail of Surveillance?

Email This Entry

Posted by Ernest Miller

We've all become familiar with the Long Tail for content, but the concept is applicable in a number of different contexts. One I hadn't considered until reading an article from last month was its applicability to the concepts of surveillance and privacy. Perhaps this is an abuse of the metaphor, or useless, but I put it out there anyway.

Typically, though not exclusively, we worry about the mass collection of data by large institutions. The thing about this data, however, is that it generally covers relatively easy-to-collect information that is readily put into categories, monetized, and is common to many people. This data is at the head of the surveillance curve. Data points that are shared by only a few people, or are difficult to reliably collect and categorize, or simply seen as not monetizable are not recorded or, if they are, don't receive much attention. This data is in the long tail of the surveillance curve.

Is technology changing the market for the long tail of the surveillance curve as it has changed the market for the long tail of the entertainment curve? If so, what does this mean for privacy?

The article that sparked my thoughts came from worldchanging, and talks about the coming "participatory panoptican", in which we welcome our own personal surveillance as a "memory assistant" (The Rise of the Participatory Panopticon).

Soon -- probably within the next decade, certainly within the next two -- we'll be living in a world where what we see, what we hear, what we experience will be recorded wherever we go. There will be few statements or scenes that will go unnoticed, or unremembered. Our day to day lives will be archived and saved. What’s more, these archives will be available over the net for recollection, analysis, even sharing.

And we will be doing it to ourselves. ...

[I]n the world of the participatory panopticon, this constant surveillance is done by the citizens themselves, and is done by choice. It's not imposed on us by a malevolent bureaucracy or faceless corporations. The participatory panopticon will be the emergent result of myriad independent rational decisions, a bottom-up version of the constantly watched society.

This seems to me a very plausible scenario, perhaps not so close as the author might imagine (there are still tremendous technical difficulties), but coming appreciably close. And, yes, we will strive for and welcome this technology.

Right now we have to make a conscious decision to turn on our surveillance capabilities. We have to actually take a photo, turn on the recorder, etc. In the future, however, like IM and email today, we'll have to actually make a decision not to record things by default. Moreover, given the flow of information, editing to delete certain information will be very burdensome, just as cleaning out a heavily used email account is. Storage is cheap, editing is costly, keep it all.

Right now much of this recording, this citizen surveillance, is a form of sousveillance, the surveillance of authority from below (think videotaping a police beating, or electronic poll watching) and particularly important events. However, this technology will not long remain simply for sousveillance and key events. It will become part and parcel of our daily lives, recording everyday events in order to ensure that nothing is accidentally missed (storage is cheap, editing is costly, save it all).

And the thing is, we're going to want to share a lot of this data. We're social creatures. We'll blog it, upload it to Flickr, tag it in, let our Google personal assistant do it's magic, and that information is gonna be out there. Put there. By us.

We’re constantly checking with each other for useful insights. You stumble across a new restaurant, and want to know if any of your friends or any of their friends have been there before. You learn about a new politician, and want to know if anyone you know has heard her speak. You meet a new guy, and want to know if someone in your circle has dated him before. These are all conversations we've had, or have had variations of. But they're all subject to the vagaries of memory -- was it *that* restaurant that had the bug in the soup? Was it *that* politician saying something about prayer in schools? Was it *that* guy my sister dated and dumped for cheating?

In a world of personal memory assistants and a participatory panopticon, those questions are answered.

This may change the nature and use of surveillance. Big corporations and governments are going to be unlikely to be able to handle this heterogenous, massive data flow. There will simply be too much to sort through and organize to use in any real effective, mass way. They will continue to rely on the head of the surveillance curve. Sure, there will be things they can do that they couldn't before, they'll be able to move down the surveillance power curve even farther (much farther), but trying to get value out of a lot of this citizens surveillance will be too difficult to deal with on the wholesale or even retail level.

However, those who have enough incentive to dig through this long tail of surveillance information will be able to gather a lot more data than ever before. Corporations, in general, won't be interested in this data with regard to their mass of customers. It won't be profitable. Employees, on the other hand, will likely find their employers digging into the long tail of surveillance. As I noted, governments won't be able to do use this data on a mass scale, but will have the resources and incentives to dig quite deep into the long tail on occasion. And remember that, in the Panopticon, those under surveillance weren't being watched constantly, they simply could never be sure that they weren't being watched.

The most interesting thing, perhaps, and something we are seeing now is that your average citizen won't have access to the head of the surveillance curve, but will have access to the long tail. Might this not lead to a situation in which it would be better to make the head of the curve more available, not less, as the long tail might be misleading? How would this change our social relations, when everyone has access to the long tail, but little more? What niches of surveillance will exist in the long tail?

Anyway, just some thoughts on a Wednesday afternoon.

Bonus: Lots of copyright issues to be dealt with:

I hope this pushback happens, frankly, because the alternative is rather unpleasant: memory rights management, where you have to have a license to remember. Think about how often you encounter copyrighted material over the course of the day: music on the radio, shows on tv, articles in magazines and on the web. Right now, because meat memories are imperfect, nobody cares if we remember snippets of songs or scenes from movies. We don’t have to pay for hazy recollections. But when you have perfect recall, the game has changed.
via Moore's Lore

Comments (1) + TrackBacks (0) | Category: Privacy

June 07, 2005

May 31, 2005

May 24, 2005

MS to Lock Up Office Documents, Lock In Customers

Email This Entry

Posted by Ernest Miller

C|Net News reports on a couple of initiatives by Microsoft to bring more security into the workplace (Facing 'New World of Work,' Microsoft Locks Up Office). Apparently Microsoft will be adding new forms of DRM to their popular office suite so that companies have more control over where their internal documents can go. Strangely, the article never bothers to ask whether this technology will have an open protocol or will be used to lock in customers as it locks up documents.

The article also discusses a new, corporate form of IM that is subject to centralized control by the corporation:

"What happened is the dynamic of IM changed when people knew it was being logged," Greifeld said. But both Capossela and Greifeld said that the change is not necessarily a bad thing.

"For us, the value of instant messaging isn't the sideshow where people get to have private conversations," Capossela said. "The value of instant messaging is the ability to connect with somebody absolutely real-time and to have that quick burst back and forth."

Privacy is such an antiquated concept.

Comments (0) + TrackBacks (0) | Category: Digital Rights Management | Open Standards | Privacy | Security

May 15, 2005

July 27, 2004

RIAA Subpoenas for John Does Valid

Email This Entry

Posted by Ernest Miller

C|Net News reports that the RIAA has won a significant battle in its lawsuits against thousands of John and Jane Does (Judge: RIAA can unmask file swappers). The ruling basically allows the RIAA to subpoena (on an expedited basis) a broadband provider for the identities of the John Does the RIAA has sued for copyright infringement. The RIAA must make a prima facie case of infringement, but the various arguments raised to quash subpoenas were rejected.

Although this is a decision by a single district court, it is likely to be persuasive in other courts though it isn't binding. Read the 26-page decision: Sony v. Does 1-40 [PDF].

The most important argument involved the First Amendment right to anonymity of the file sharers. While the judge recognized the First Amendment interest, he concluded that it was not sufficient to protect anonymity for filesharing of copyrighted files without any additional speech. This was the right decision. I agree with Paul Levy:

Paul Levy, an attorney at the nonprofit group Public Citizen, said that "the nice thing about the ruling is that (the judge) recognizes the First Amendment interests at stake here and he applies a balancing test." Levy, who filed a friend-of-the-court brief opposing the RIAA, said that Chin's analysis ensures that companies filing a copyright infringement lawsuit must prove they have a real case and aren't merely on a fishing expedition for someone's name.
The court reserved the right to address the other arguments, such as personal jurisdiction and improper joinder, later. This decision merely addressed the question of quashing the subpoenas. Now that the RIAA knows who it should sue, severance and and personal jurisdiction arguments will probably be made on behalf of the defendants.

There was one interesting aspect of the personal jurisdiction question. Defendants/amici were arguing that the IP/geographic location databases were accurate and showed most of the defendants outside of New York, while the plaintiffs were arguing that they weren't accurate enough to deny the subpoenas:

A supporting declaration by Seth Schoen, staff technologist with amicus curiae Electronic Frontier Foundation, explains the process by which defedants' IP addresses can be matched up with specific geographic designations, using a publicly available database operated by the American Registry for Internet Numbers. These geographic designations indicate the "likely" locations of the residence or other venue where defendants used their Internet-connected computers. Amici maintain that as many as thirty-six of the forty Doe defendants are "likely" to be found outside of New York.

Plaintiffs, however, dispute the accuracy of the methods described in the Schoen Declaration. According to plaintiffs, the geographical designations fall "far short" of 100 percent accuracy and are "often extremely inaccurate." [citations omitted]

Shades of Nitke v. Ashcroft, in which the government advocates the use of geolocation services to promote community standards on the internet with regard to obscenity. Censorware expert Seth Finkelstein has provided testimony that such services are flawed: (Expert Report of Seth Finkelstein in Nitke v. Ashcroft).

Tech Law Advisor has some additional comments ( Up/Downloaders Identities Not Protected by First Amendment).

Comments (0) + TrackBacks (0) | Category: Copyright | File Sharing | Freedom of Expression | Privacy

July 20, 2004

Would You Like Some Surveillance with that Pizza?

Email This Entry

Posted by Ernest Miller

Hilarious (parody?) of the total surveillance future at the ACLU (ACLU Pizza [Flash]). Cash and take out only for me from now on.

via MetaFilter

Comments (0) + TrackBacks (0) | Category: Privacy

July 14, 2004

Does Audible Magic Violate Wiretap Laws?

Email This Entry

Posted by Ernest Miller

I've discussed Audible Magic and its filtering technology on "The Importance Of..." before: Audible Magic's Sleight of Hand. Basically, Audible Magic filters content based on an audio fingerprinting service that checks against a database of copyrighted works. Installed in a piece of P2P software, it prevents copyrighted works from being transmitted in the first place, which is what the article above discussed. However, Audible Magic is now attempting to sell its technology to schools and universities. In such cases, Audible Magic's technology will listen in to the data transfers (aka sniff packets) in the network and attempt to terminate those virtual circuits it believes are violating copyright. See, Audible Magic's six-page white paper: Managing Peer-to-Peer Traffic with the CopySense™ Network Appliance [PDF].

EFF has just posted a technical analysis of the CopySense technology and concluded that it would be easy to defeat (Audible Magic — No Silver Bullet for P2P Infringement):

Session encryption for file transfers based on ephemeral keys represents a cheap, easily implemented countermeasure that would effectively frustrate Audible Magic's filtering technology. Based on publicly available information, it does not appear that this vulnerability can be easily remedied. Should Audible Magic's technology be widely adopted, it is likely that P2P file-sharing applications would be revised to implement encryption. Accordingly, network administrators will want to ask Audible Magic tough questions before investing in the company's technology, lest the investment be rendered worthless by the next P2P "upgrade."
However, EFF's technical paper doesn't address many of the policy issues. When I read their report, however, one policy/legal issue immediately came to mind:
An engineering goal of Audible Magic's network appliance is to add no additional latency to the network. Therefore, it cannot be interposed between the client and the server, as it would be in traditional firewall or filtering proxy deployment. The network appliance is installed as a peer to other hosts on a network segment, not as a gateway or bridge. The segment is configured such that the appliance can sniff all traffic going over the link layer fabric.
Audible Magic functions like a wiretap. Which leads to the question: (Read on...)

...continue reading.

Comments (0) + TrackBacks (0) | Category: Privacy

July 02, 2004

E-Mail Wiretap Decision: Out of the Wiretap Frying Pan, Into the Copyright Fire

Email This Entry

Posted by Ernest Miller

There has been a lot of rightfully worried commentary about a recent decision by the US Court of Appeals for the First Circuit that found that intercepting and copying users' emails by an email service provider did not violate US wiretap laws. See: EFF (Online Privacy "Eviscerated" by First Circuit Decision); WIRED (E-Mail Snooping Ruled Permissible); and, Slashdot (Appeals Circuit Ruling: ISPs Can Read E-Mail). As EFF put it:

The defendant in the case is a seller of rare and used books who offered email service to customers. The defendant had configured the mail processing software so that all incoming email sent from, the defendant's competitor, was copied and sent to the defendant's mailbox as well as to the intended recipient's. As the court itself admitted, "it may well be that the protections of the Wiretap Act have been eviscerated as technology advances."
Read the 16-page decision (and 37-page dissent): US v. Councilman [PDF] or HTML.

Now I in no way want to de-emphasize the dangers to privacy that this decision represents. If intercepting email is not a violation of the wiretap act, then all sorts of internet privacy goes out the window. If this ruling is not overturned, Congress will have to act to protect all of our privacy.

However, the defendant in this case, Bradford C. Councilman, may not have done himself any favors by winning. The problem is, by convincing the court that the emails intercepted were in "electronic storage," the defendant has pretty much made the case that he is guilty of criminal copyright infringement. Additionally, he would also be liable for huge amounts of civil damages for willful copyright infringement as well. From the decision:

According to the Indictment, on or about January 1998, defendant directed Interloc employees to write computer code to intercept and copy all incoming communications from to subscriber dealers. The Interloc systems administrator wrote a revision to the mail processing code called procmail.rc ("the procmail"), designed to intercept, copy, and store, all incoming messages from before they were delivered to the members' e-mail, and therefore, before the e-mail was read by the intended recipient. Defendant was charged with using the procmail to intercept thousands of messages. Defendant and other Interloc employees routinely read the e-mails sent to its members seeking to gain a commercial advantage.[emphasis added]
Hmmmm....According to the statutes on criminal copyright infringement, 17 USC 506:
Any person who infringes a copyright willfully either -
(1) for purposes of commercial advantage or private financial gain, or
The criminal copyright infringement indictment just about writes itself. Copying the emails is a clear infringement of the right of reproduction. Ordering employees to write a program to copy emails seems pretty willful to me. Finally, the infringement was done for purpose of "commercial advantage." Slam dunk. Interestingly, as long as the commercial value of the emails was greater than $2,500 (which is likely) then the criminal penalties for both infringement and wiretapping are equivalent.

Bonus. The civil penalties for willful infringement are much higher than one can usually get for wiretapping. I mean, heck, up to $150,000 per email copied! All Amazon has to do is sue.

The only problem with this theory, however, is that the statute of limitations for criminal copyright infringement is five years (which means you normally can't prosecute someone five years after the crime occurs). I know that the infringement started in 1998 and Councilman was indicted in 2001. However, these aren't enough facts to know whether or not the statute of limitations will preclude prosecution for criminal copyright infringement.

So, while this decision remains a serious threat to our privacy, if it can be shown that the interceptions were for "commercial advantage" then the Copyright Act comes to the temporary rescue (and perhaps provides even worse penalties).

The Washington Post (annoying reg. req.) has an excellent editorial on this case today (Derail E-Mail Snooping). As does the New York Times (Intercepting E-Mail).

Comments (1) + TrackBacks (0) | Category: Copyright | Privacy

April 12, 2004

Follow the (Political) Money - Use the Web

Email This Entry

Posted by Ernest Miller

WIRED has a very interesting article on the various websites that make it easier to track campaign finance in the political system (Following the Money Made Easier). A number of the best websites are cited, such as Fundrace, Political Money Line, and my favorite, Open Secrets.

Worrisome Privacy Issues

Increased transparency in funding is all to the good (especially for larger donors), but I feel a little strange being able to know which of my neighbors have given $100 to Bush or Edwards (no local Kerry fans, apparently). How long will this data be held? Will these websites discourage people from donating to candidates not favored by their neighbors? What effect will this have on our politics?

More Efficient Tracking Desired

Of course, I would love for these websites to become even more efficient. What about email alerts and RSS feeds? You could subscribe to a candidate feed and be notified when they have new donations above a certain limit. You could have geographic feeds and industry feeds. You could track particular donors, especially industries, across a variety of candidates. Bloggers could make excellent use of such feeds.

Fix the Problem of Money in Politics

We really need to reduce the importance of money in politics (it'll never go away entirely). The more we undermine mass media, the better I think. A vast amount of political money is spent on television advertising, if we can change that paradigm with something like broadcatching we would be better off.

Bonus IP issue: The logo for Fundrace is highly reminiscent of Nascar's.

Comments (3) + TrackBacks (0) | Category: Broadcatching/Podcasting | Privacy | RSS

March 18, 2004

"True Name and Address" Bill for All Filesharers Introduced in Calif

Email This Entry

Posted by Ernest Miller

The LA Times (reg. req.) reports that California state legislators are hauling water for Hollywood once again (Setting a Trap for Net Pirates). The basic idea of the bill is to extend a "true name and address" statute to cover virtually all exchanges of copyrighted audiovisual information. That is, if you send someone a copy of a recording or audiovisual work electronically without also providing your true name and address, you could be fined $2,500 and spend a year in the clink.

Read Assembly Bill 2735 (the Assembly Version): An act to amend Section 653v of, and to add Section 653aa to the Penal Code, relating to Internet piracy.

What is the point of this bill? According to a sponsor:

[State Sen.] Murray [D - Culver City] says the point isn't to take names; his idea is to give state prosecutors, who have no jurisdiction over copyright infringement, a charge they can bring against online pirates.

Hmmmm ... the concept of federal preemption of copyright law comes to mind. One might argue that many states have "true name and address" statutes, but they generally apply only to sales of physical goods. Like copyright law, this proposed law applies to any transfer (outside your home and family), not only sales. If this isn't preempted I'm not sure what would be.

And what is this? Hollywood can't afford to sue people? We citizens of California have to expend precious tax dollars and limited law enforcement resources on copyright enforcement because Hollywood is too darn cheap? With massive statutory copyright damages available as a remedy, there is no excuse for Hollywood not to prosecute copyright infringers directly. Heck, it could even be a profit center.

An Attack on Privacy and Anonymity

Read the EFF press release: California Bill Backed by Hollywood Attacks Internet Privacy. The EFF notes the pernicious effects on children's privacy: "These California anti-anonymity bills would force everyone - including children - to put their real names and addresses on all the files they trade, regardless of whether the files actually infringe copyrights."

There are many more problems with this bill as well. EFF notes that there are no exceptions for fair use. For example, if one emails a friend a copy of a political campaign commericial that includes copyrighted music, I'm a Dole Man comes to mind, you can be fined and sent to jail. Heck, posting and commenting on Janet Jackson's wardrobe malfunction could get you sent to jail.

This is certainly an attack on the anonymity protections of the First Amendment. Unlike commercial "true name and address" statutes, this bill reaches beyond a state's interest in preventing fraud to cover all types of anonymous speech, including speech that is clearly protected by the First Amendment. State Sen. Murray says, "There's one way to maintain your privacy in my bill. That is not to engage in illegal activity." But that is the problem. The bill strips anonymity even when people are engaging in constitutionally protected activities. On this basis alone, I believe it is clearly unconstitutional under the First Amendment.

An Attack on the Creative Commons

Even worse, there is no exception for permission of the copyright holder. So, if I record a song and post it under a Creative Commons license that permits redistribution but reserves commercial use rights, you can go to jail for redistributing it. I mean, really, what more can be said about such an overbroad bill?

We need to have a "true names" bill for politicians. By all rights, State Sen. Kevin Murray should start calling himself State Sen. Hollywood Sycophant.


You can find your California State representatives here: Find Your California State Legislative Representatives. Let them know what you think of these bills.

Comments (0) + TrackBacks (0) | Category: Copyright | File Sharing | Freedom of Expression | Privacy

March 17, 2004

Security Know-Nothingism

Email This Entry

Posted by Ernest Miller

I must admit it is very frustrating to read, frankly, ignorant security columns on the op-ed page of America's most prestigious newspaper, the New York Times (reg. req.). Columnist Nicholas Kristof is the culprit this time, with a couple of half-baked security measures (May I See Your ID?). In response I ask Kristof, may I see your security analyst credentials?

The first idea is, as the title gives it away, a renewed call for a national ID card. Argues Kristof:

If the right is willing to imprison people indefinitely and send young people off to die in Iraq in the name of security, then why is it unthinkable to standardize driver's licenses into a national ID?

This is an argument, why?

Hey, I'm not too happy with the imprisoning people indefinitely thing either (at least without, you know, some judicial process), but Guantanamo makes national ID cards a good idea how? And sending troops overseas to war justifies national ID cards at home because...? Let's try that argument again: "If the right is willing to send young people off to die in Afghanistan in the name of security, then why is it unthinkable to standardize driver's licenses into a national ID." Make any more sense?

More than 100 nations have some kind of national ID card. And the reality is that we're already moving toward a government ID system — using driver's licenses and Social Security numbers to prove who we are — but they neither protect our privacy nor stop terrorists. Instead, they simply promote identity theft.

You might think he would have made a stronger case in favor of a national ID card before he brings out the "everyone else is doing it" argument. You know, identity theft is a serious problem. National ID cards solve this how? Many security experts believe that they may, in fact, exacerbate the identity theft problem. A real security expert, Bruce Schneier, wrote, in Crypto-Gram Newsletter - December 15, 2001 - National ID Cards:

Identity theft is already a problem; if there is a single ID card that signifies identity, forging that will be all the more damaging. And there will be a great premium for stolen IDs (stolen U.S. passports are worth thousands of dollars in some Third World countries).

But, whatever, Kristof continues:

At least seven of the Sept. 11 hijackers, some living in Maryland hotels, managed to get Virginia ID cards or driver's licenses, which can be used as identification when boarding planes. Americans routinely travel to and from Canada, Mexico and the Caribbean with just a driver's license.

And I guess that foreigners won't be allowed to get these ID cards and will not be permitted to live in Maryland hotels? Of course, we will have to issue some sort of identification to foreigners ... and we all know how reliable the identity paperwork from foreign countries is. As Scheier notes, "Some of the 9/11 terrorists who had stolen identities stole those identities overseas." Yep, national ID cards will stop that.

Some U.S. officials privately fret that security may depend on a harried immigration officer in Maine who is handed a forged Guam or North Dakota driver's license. One undercover federal study underscored the vulnerability last year by using off-the-shelf materials to forge documents that were then used to get driver's licenses in seven states and the District of Columbia. The forgeries worked in each place attempted.

And having a national ID card will stop people from forging documents to get the licenses how? And I guess that Kristof is guaranteeing that relying on a single national ID card won't lull that harried Maine officer into complacency?

So why not plug this hole with a standardized, hard-to-forge national ID card/driver's license that would have a photo, a fingerprint and a bar code that could be swiped to check whether the person is, for example, a terror suspect who should not be allowed onto a plane?

Yeah, because we know who the terror suspects are and terror suspects are happy to properly register themselves with the government. They also, when asked politely, explain to the airline counter clerk that, yes, someone else packed their luggage and they are carrying gifts for strangers. And from Schneier again, "Biometric information, whether it be pictures, fingerprints, retinal scans, or something else, does not prevent counterfeiting; it only prevents one person from using another's card. And this assumes that whoever is looking at the card is able to verify the biometric."

Schneier summed up the national ID issue best I think:

I am not saying that national IDs are completely ineffective, or that they are useless. That's not the question. But given the effectiveness and the costs, are IDs worth it? Hell, no.

Kristof's other concern is with the availability of instructions for creating weapons of mass destruction:

The other area where I'd like to see a tougher approach has to do with "cookbooks" to make anthrax, sarin and other chemical, biological or nuclear weapons. Over the last few years, I've collected a horrifying set of booklets, typically sold at gun shows or on the Internet, detailing how to make mustard gas, VX, anthrax or "home-brew nerve gas."
....Sure, I cherish the First Amendment. But remember what Alexander Bickel, the eminent First Amendment scholar, told the Supreme Court when he argued on behalf of this newspaper in the Pentagon Papers case. Pressed by the justices on whether publication could be blocked if 100 Americans would certainly die as a result, he reluctantly agreed: "I am afraid that my inclinations to humanity overcome the somewhat more abstract devotion to the First Amendment."

Funny quote from Bickel, that. Why, if I knew for certain that Kristof's column would lead to certain death for even one person, let alone 100, I would have to agree with Kristof that "In these exceptional circumstances, we are — I hate to admit it — better off banning books."

Now, whether or not it should be legal to publish information about making WMDs is a serious question and one that shouldn't be addressed lightly. But lightly, in a few paragraphs, is how Kristof deals with it. He couldn't even write an entire column on the issue? There are many questions he doesn't even raise, such as, how and where do you draw the lines on such information? Is a recipe for ricin bannable? What about flight simulator software? What about dual-use items?

Maybe, for certain types of exceptional information, we should have more control. But to simply come out and say, "we are ... better off banning books" is not a terribly compelling argument by itself. I am surprised that the New York Times is the source for this perfunctory argument in favor of censorship.

Comments (2) + TrackBacks (0) | Category: Civil Liberties | Freedom of Expression | Privacy

March 15, 2004

A Race the FBI Can't Win: The Increasingly Asymmetric Costs of Wiretap Surveillance vs. Wiretap Avoidance

Email This Entry

Posted by Ernest Miller

LawMeme briefly summarizes and collects a number of articles on several law enforcement agencies' (FBI, DOJ and DEA) recent petition to the FCC to expand government wiretap capability (FBI seek to expand the system-formerly-known-as-Carnivore).

C|Net News reports that the petition "aims to give police ready access to any form of Internet-based communications" (FBI adds to wiretap wish list):

Legal experts said the 85-page filing includes language that could be interpreted as forcing companies to build back doors into everything from instant messaging and voice over Internet Protocol (VoIP) programs to Microsoft's Xbox Live game service. The introduction of new services that did not support a back door for police would be outlawed, and companies would be given 15 months to make sure that existing services comply.

That's just wonderful. And I suppose only the US government will have access to these backdoors?

The Washington Post (reg. req.) talks to one of the leading experts on wiretapping, CDT's James X. Dempsey (Easier Internet Wiretaps Sought):

But privacy and technology experts said the proposal is overly broad and raises serious privacy and business concerns. James X. Dempsey, executive director of the Center for Democracy & Technology, a public interest group, said the FBI is attempting to dictate how the Internet should be engineered to permit whatever level of surveillance law enforcement deems necessary.
"The breadth of what they are asking for is a little breathtaking," Dempsey said. "The question is, how deeply should the government be able to control the design of the Internet? . . . If you want to bring the economy to a halt, put the FBI in charge of deploying new Internet and communications services."

Dempsey is right. The amount of intervention in technology development necessary for the FBI and DOJ to accomplish what they want with regard to wiretapping is enormous. The costs will be both direct (money out of consumer's pockets) and indirect (loss of innovation). However, that is only half the picture. Unfortunately for the FBI, the costs to defeat the wiretapping are relatively small and will continue to decrease. We have here an asymmetric situation that will only grow more asymmetric as time goes on.

The problem is with the underlying architecture of the internet. Advances in technology along with the end-to-end/layers principle mean that it will always be cheaper to add encryption to the edges of the network than to increase the amount of surveillance at the center of the network. How much does it cost to write an encrypted VoIP app? Not much. How much does it cost to build the surveillance mechanism and conduct the surveillance across all possible ISPs? A heck of a lot more.

Ok. Now that the first encrypted VoIP app is compromised ... how much will it cost to build another encrypted layer on top of the first one? How much will it cost to conduct surveillance on this new layer? Hmmmm, if this progression continues, as we add additional layers of encryption and surveillance, the costs will increasingly diverge. Not a game you can win ultimately. In fact, it doesn't make much sense to even start. The FBI should be happy with what they've got.

Nor should we forget how darn cheap computing is getting. I wish my first computer had the power of a Treo 600. How hard is it to write voice encryption software for Treos and all the follow-on smart phones? How hard will be to add additional layers to the communications stack especially given all the various options for communication being made available through ubiquitous grid-network wireless?

If I were the FBI, I wouldn't waste my time on a battle I ultimately couldn't win and instead would concentrate my efforts on the place where I could still achieve my goals - the ends. You want to know what someone is up to online? I would recommend, for example, key loggers, "real" spyware, and social engineering. It ain't gonna be easy, but you have a chance of winning in the long term. The sooner you quit a race you can't win, the faster you can enter a race where you have a chance.

Bonus FBI Inanity: Sunday, March 14th was the 54th birthday of the FBI's "Top Ten Most Wanted Fugitive List." What better way to celebrate than with a humorous quiz? For example,

5. What Bible-carrying female impersonator was captured in 1964 while working as "Bobo the Clown" with a traveling carnival?
ANSWER: Leslie Douglas Ashley. And for extra credit, Isaie Aldy Beausoleil [apparently another man] was arrested in 1953 dressed as a woman...acting v-e-r-y suspiciously in a Chicago ladies' restroom.
7. Who was arrested in Japan, extradited to the U.S., and in Honolulu presented FBI Agents--in all seriousness--with [sic] a Monopoly "Get Out of Jail Free" card?
ANSWER: James Robert Ringrose, arrested in 1967.
And this one is really a laugh riot, har-d-har-har:
4. What Top Ten terrorist who was apprehended in 1995 said at his trial in New York City, "I am a terrorist, and I am proud of it"?
ANSWER: Ramzi Ahmed Yousef, who masterminded the 1993 World Trade Center bombing in New York and planned the bombing of an American airplane in the Far East, an act that was prevented. Judge Kevin Thomas Duffy of Manhattan's Federal District Court called him "an apostle of evil [who] wanted to kill for the thrill of killing human beings."

Bonus FBI Inanity 2: A Strengthened Partnership to Protect Children: Name that Sexual Predator! - That's the real name for the page - no foolin'. Frankly, I am somewhat disturbed when law enforcement agencies turn child abuse into a game.


Brother Dana has some observations here: Following The Chinese Way

Comments (3) + TrackBacks (0) | Category: Civil Liberties | Cryptography | Cybercrime | Internet | Privacy | Security | WiFi

March 11, 2004

Library Surveillance in Garden Grove

Email This Entry

Posted by Ernest Miller

Findlaw's Modern Practice's Anita Ramasastry has written a column on the recent California appellate decision upholding the city of Garden Grove's requirement that cybercafes maintain surveillance cameras (Can a City Require Surveillance Cameras in Cybercafes?). She is disapproving of the decision and cites the dissent's comparison of Garden Grove's actions with those of dictatorial governments. I've written on the decision extensively here: CyberCafe Ordinance Decision - First Amendment Victory - Privacy Defeat.

via Ernie the Attorney, whose response to this privacy invasion is incredulity

Comments (0) + TrackBacks (0) | Category: CyberCafes | Freedom of Expression | Privacy

February 04, 2004

DRM - False Privacy Savior

Email This Entry

Posted by Ernest Miller

On the Moore's Lore blog Dana Blankenhorn makes the provocative claim that DRM will be useful as a privacy protection measure (Mobile DRM Argument Misses The Point). Dana points out a major issue the world of "always on" raises, that of privacy. When almost everything we do is generating wireless data, such as our blood sugar levels, refrigerator contents, and garden soil moisture levels, we will certainly want to protect much of that information from prying eyes. Dana's response is to promote the use of DRM as a privacy protection measure.

This is not such a good idea for a variety of reasons.

First, it would essentially propertize our privacy. There are a number of major concerns regarding propertizing privacy, especially the fact that it is unlikely to solve many of our problems. Without going into a major critique here, Pam Samuelson has written a good introduction to many of the issues involved: Privacy as Intellectual Property? [PDF].

Second, enabling DRM in everything is far more likely to be privacy corroding. Anonymity would be very difficult to assure when everything is digitally signed and encrypted.

Third, DRM is a technical solution, not a policy or social solution. Dana claims that,

Under DRM the holder of the content has the absolute right to control where it goes, and the conditions under which it is used. Right? Isn't that what you want, when the content is personal, even intimate, knowledge about you, your body, your possessions? Isn't that the very basis of privacy?

But this isn't true. My ability to control information about me has far more to do with my ability to negotiate with those who will have access to information about me then the technical protections I choose. For example, people can choose not to use a grocery store card that tracks their purchases, but that is going to have a significant impact on their wallets (which leaves no choice for many people). I can choose not to enable cookies on my browser (yeah, right). Each of these privacy-protection solutions is technologically impeccable and completely within my theoretical power, but their ability to protect practically non-existent. DRM will not change this.

There is also a strange dissonance in Dana's position. Dana says that, "Once you buy something, whether it's a can of peaches, a microwave, or a song by Nelly, it's yours." However, why wouldn't the same apply when the grocery store "buys" my grocery-shopping habits in return for everyday lower prices? Why wouldn't the grocery store "own" that data? After all, that data was generated with the grocery store, they are partially responsible for generating that data in the first place.

Privacy is an important issue in the "always on" world, and DRM may play some role in the solution with regard to particular problems and specific threat concerns. However, there is simply no reason to believe that DRM should be "baked into the World of Always-On" in order to protect privacy.

Comments (2) | Category: Digital Rights Management | Privacy

February 02, 2004

CyberCafe Ordinance Decision - First Amendment Victory - Privacy Defeat

Email This Entry

Posted by Ernest Miller

Larry Lessig has written a brief note about a California Appeals Court decision that eviscerated privacy rights in cybercafes (mandated telescreen upheld). There is a article here (Internet Cafe Ordinance Sparks War of Words). Read the decision (Thany Thuy Vo v. City of Garden Grove [PDF]). The issue that has Prof. Lessig rightfully incensed is an operational requirement for cybercafes that forces them to monitor (read over the shoulder) what people are doing on cybercafe screens, whether it is reading email, browsing the web or playing a game of Counter Strike. However, there are other major issues involved and the decision has some very important victories in it for those who care about the First Amendment.

...continue reading.

Comments (5) | Category: CyberCafes | Freedom of Expression | Games | Privacy

December 19, 2003

Verizon Wins Against DMCA Subpoenas

Email This Entry

Posted by Ernest Miller

As reported by Donna Wentworth on Copyfight, Verizon has emerged victorious in its effort to thwart the RIAA's subpoenas under the DMCA (Verizon Wins Victory for Privacy). The US Court of Appeals for the District of Columbia Circuit has reversed a lower court's ruling and held that the RIAA may not send subpoenas to ISPs for information on alleged infringers using P2P. Read the DC Circuit decision: RIAA v Verizon [PDF].

The decision is a victory for privacy, but not a victory for privacy as such.

The result was reached on a technical reading of the statute, and turned on the fact that a subpoena can only be sent if a DMCA notice-and-takedown letter can also be sent. A DMCA notice-and-takedown letter can only be sent to the ISP if the ISP can remove access to the material (and not if the only way to remove access is to terminate a user's account). Thus, a copyright owner cannot send a DMCA notice-and-takedown to an ISP for what a user shares via P2P (the ISP can do nothing but terminate the user's account, which is not a remedy under a DMCA notice-and-takedown letter). Consequently, if no notice-and-takedown may be sent, no subpoena may be issued.

The constitutional issues that would have made this a victory for privacy as such, or for freedom of expression, were not addressed by the court.

What does all this mean?

...continue reading.

Comments (0) + TrackBacks (0) | Category: Copyright | Digital Millennium Copyright Act | Privacy

November 10, 2003


Email This Entry

Posted by Ernest Miller

The American Booksellers Foundation for Free Expression has launched a new campaign to support their challenges to the PATRIOT Act provisions that give law enforcement wide discretion to seize various records, including bookseller and library records. The campaign adds a cool new homophone to the language: Freadom.

via Copyfight

Comments (0) + TrackBacks (0) | Category: Civil Liberties | Privacy

October 25, 2003

GPS Metadata and JPGS

Email This Entry

Posted by Ernest Miller

This story is actually several months old, but is something that I hadn't see before. Apparently, some GPS-enabled camera phones can tag the resulting photo with GPS metadata, so you not only have the photo, but know where it was taken as well. The AkuAku SF blog even has a nifty interface that will allow you to click on a GPS-tagged photo and bring up a map that will show the location (GPS Tagged JPEGS). UltraNifty, but one has to wonder about the privacy implications.

via BoingBoing

Comments (1) + TrackBacks (0) | Category: Privacy

California's Recommendations to Businesses on Privacy and Security

Email This Entry

Posted by Ernest Miller

Doug Simpson points out that California's Office of Privacy Protection has issued a set of recommendations for businesses to comply with California's requirement that they notify customers of security breaches (California Guide on Disclosure of Personal Info Security Breach). You can find links to all of California's recommendations here (Recommended Practices). The specific guide is here (Recommended Practices on Notification of Security Breach Involving Personal Information [PDF]). The 39-page document covers protection and prevention, preparation for notification and notification itself. Additionally, it has many other resources, such as sample notification letters and the California laws in question and a benchmark study on compliance.

Comments (0) + TrackBacks (0) | Category: Privacy

Defense Dept. Gung-Ho for RFID

Email This Entry

Posted by Ernest Miller

The Register points out a recent policy announcement by the Department of Defense mandating the use of RFID tags for everything but bulk items such as sand, gravel and liquids by January 2005 (Defense Department wants RFID tags on everything but sand). You can read the official news release here (DoD Announces Radio Frequency Identification Policy). ZDNet UK also covers the story (US military throws weight behind RFID).

This will be a huge boost for RFID manufacturer and will likely speed its widespread adoption for consumer goods.

Comments (0) + TrackBacks (0) | Category: Privacy

October 23, 2003

Airline Security: Ineffectual As Usual

Email This Entry

Posted by Ernest Miller

Freedom to Tinker points (Rescorla on Airport ID Checks) to the Educated Guesswork blog, which notes an incredibly stupid airline ticket verification protocol (Airport ID checks: a broken protocol). The article shows how, even if you were Osama Bin Laden, you could print your airline ticket at home and avoid being screened through the government databases. Great.

Educated Guesswork also suggests some elementary methods of closing this security hole (Designing a non-broken boarding pass protocol). Given the relative ease of the fix, you have to wonder if anyone in the Transportation Security Administration is really concerned with airline security, or if they simply want to violate privacy.

In a related story, the New York Times (reg. req.) reports on Steven Brill's new venture to create private, third-party "I am not a terrorist" ID cards that will smooth your transit through security at airports, major sporting events, etc. (Venture to Offer ID Card for Use at Security Checks). Great.

Comments (0) + TrackBacks (0) | Category: Privacy

October 22, 2003

Keep a Close Watch on Ex-Servicemen

Email This Entry

Posted by Ernest Miller

Bruce Scheier, one of the world's leading cryptography and security experts, has an op-ed on pointing out the foibles of mass terrorist screening at airports and the like (Terror Profiles By Computers Are Ineffective). As an ex-military type myself, the example he used of bogus screening criteria hits close to home:

I have an idea. Timothy McVeigh and John Allen Muhammad - one of the accused D.C. snipers - both served in the military. I think we need to put all U.S. ex-servicemen on a special watch list, because they obviously could be terrorists. I think we should flag them for "special screening" when they fly and think twice before allowing them to take scuba-diving lessons.

Comments (1) + TrackBacks (0) | Category: Privacy

Camera Phone Backlash

Email This Entry

Posted by Ernest Miller

CNETAsia has an interesting artice on the backlash towards camera phones (Ban camera-phones in workplaces: Analyst). The analyst in question is Jack Gold, of the META Group, and he seems to be a bit reactionary. Certainly banning all camera phones is going to become difficult when all phones will soon have cameras (see, Nokia's All Seeing Eye(s)).

The article does point out some other interesting news as well. For example, Iceberg Systems is testing technology ("Safe Haven") that will disable camera phones in particular locations. Also, Korea's legislature is considering requiring camera phones to make a loud noise when a photo is taken. Perhaps the two aspects could be combined ... cameras would have to emit a loud noise when a photo is taken in a particular location.

via Techdirt


On the other hand Jeff Jarvis is celebrating The all-in-one, super-duper, deluxe everything citizens' reporting machine.

Comments (0) + TrackBacks (0) | Category: Blogging and Journalism | Privacy

Fly the Privacy Friendly Skies

Email This Entry

Posted by Ernest Miller

Edward Hasbrouck, aka "The Practical Nomad", highlights on his blog the privacy-friendly position the Air Transport Association seems to be taking (USA airlines say privacy must come before CAPPS-II tests):

The Air Transport Association, which represents America's commercial airlines, is just as adamant that proper protections be put in place before they give anyone's private information to the government. They're particularly sensitive since the recent controversy over JetBlue, which provided a defense contractor passenger information, without the passenger's knowledge.
"We're in very intense negotiations with the TSA," says the ATA's Doug Wills. "You can't have higher levels of protection without taking steps to secure customers' private information."

The quotes above come from a Christian Science Monitor article on the CAPPS II debate with the Transportation Security Administration (Passenger tracking at airports on hold).

Comments (0) + TrackBacks (0) | Category: Privacy

October 21, 2003

Victoria's Not-So-Secret

Email This Entry

Posted by Ernest Miller

The New York Times (reg. req.) reports that Victoria's Secret has settled with Attorney General Eliot Spitzer of New York regarding the retailer's privacy practices (Victoria's Secret Reaches a Data Privacy Settlement). Apparently, the retailer's lack of server security resulted in the names, addresses and orders of more than 560 customers being made available for several months to anyone who figured out how to manipulate the online customer identification number and order number to call up customer records. The information revealed did not include credit card numbers, but only who was buying what frilly underwear. In the absence of comprehensive privacy legislation, it is a pretty good result that Victoria's Secret was held up to is announced privacy policy.

Comments (0) + TrackBacks (0) | Category: Privacy

October 16, 2003

Nokia's All Seeing Eye(s)

Email This Entry

Posted by Ernest Miller

C|Net News reports on recent statements by Nokia's CEO on the company's strategy (Nokia says it gets the picture). The most interesting news is that "the company intends to make cameras a part of nearly every kind of Nokia phone by the second half of 2004." Indeed, "Nokia believes it could become the biggest digital camera manufacturer globally in 2003."

Welcome to the Panopticon.

Comments (0) + TrackBacks (0) | Category: Privacy