Archive for August, 2008

Three Strikes and Goodbye World

Thursday, August 21st, 2008


In this post I’m going to briefly note just how bad an idea it is, for citizens, that ISPs and content providers are working together to resolve ‘copyright infringement’ without having a substantial degree of government involvement.

Rules of the game

Perhaps you’re familiar with baseball (or California penal rules). In either case, you’ll have heard of the ‘three strikes and you’re out’ rule. In baseball, this would mean that a batter returns to the dugout, and another person attempts to swat a ball and race towards first base. In the penal system, it indicates that you’ve committed enough criminal offenses that you’re going to have the book thrown at you . . . the next person behind you in court can then try to argue why they’re innocent, and go free (first base?).

Viva la France!

France has recently set in place a three-strikes rule - if you are caught infringing on copyright three times, then you will have your Internet access terminated for a year. The question that arises is this: what happens if someone uses your computer without permission? How can you appeal any incorrect or unjust decision? What does this have the effect of doing to a member of a rural community, where the ‘net has become a core way of communicating with the world at large and their government representatives? What role do citizens play in how a core system of communications, that they have come to rely on, is being affected by corporate interests?

Hello world!

With governments around the world demanding that copyright groups and ISPs find a workable solution to infringement that doesn’t tie up court systems, the three-strikes model is gaining ground. This is significant, as it would shift the role of ISPs from passively watching content as it streams across and out of their network, to a more active analysis of what individuals are doing on their networks. This shift in activity corresponds with the increasingly common deployment of Deep Packet Inspection technologies throughout ISP networks, technologies that sift through each piece of data that a person transmits to, and receives from, the ‘net. With these technologies, along with digital ‘fingerprints’ to look for, ISPs will be able to either prevent their users from infringing on most copyright (should the system be designed with a user-designated ‘censoring’ mode), or more effectively identify when they might be in the midst of, or preparing to, infringe.

Goodbye World

What happens when a six-year old child is ‘caught’ downloading something to the family computer a few times? Should the parents lose all access to the ‘net for a year, or should they return to disciplining the child? What happens when someone files a copyright infringement notice, but it turns out that a person’s computer had been taken over by spyware? What systems are in place to address these issues?

An ISP isn’t the police, nor is it a part of the judiciary. Given this, why shouldn’t the courts be the solution to copyright infringement? The response is often that it would clog up the courts, but this presumes that the laws that are being applied to individuals, but were prepared to account for businesses infringing, are the ‘right’ kinds of laws for individual citizens. Should a person really be charged the same amount for showing their friends a copy of a hallowed Simpsons clip as a corporation that is using it for corporate promotion? There seems to be an analytic difference between these two groups, and this is a difference that needs more attention before these kinds of ‘three-strike’ rules are set into place.


Do RFID security worries still need a reality check?

Sunday, August 17th, 2008


A few years ago Computer World ran a particularly good piece on Radio-frequency identification (RFID) entitled ‘Opinion: RFID security worries need a reality check‘. I’d highly recommend taking a look at it, for a pair of reasons:

  1. It identifies that hackers will only look at RFID tags once the data they transmit is easy to send along electronic mediums, with the data being transmitted itself valuable (i.e. not simply the location of valuable goods, but the information must be a valuable good in itself);
  2. It blindingly misses the point that RFID opens a new avenue of attack that could seriously contribute to an e-warfare application.

RFI-What?
You might have heard about RFID in the news over the past few years. In case you need a quick primer/update, here’s the basics on RFID:

  • It’s not new - RFID has been in use since WWII to organize valuable assets and more effectively track them;
  • RFID can either actively broadcast information, or have the chip activated when placed within ‘hot’ zones - an RFID device does not necessarily always broadcast information;
  • There are different ISO standards for various RFID types - some support encryption, some do not, some support active transmission of data (i.e. they are always broadcasting information), and some do not (these are termed passive RFID devices);
  • RFID tags are often confused with Contactless Smart Cards (CSCs) on the basis that they both use radio transceivers to broadcast information. Different ISO standards are used for these two types of devices, with CSCs having been developed with encryption and privacy issues in mind;
  • On the topic of read ranges - RFID tags can be read up to 10 meters or so away, whereas CSCs are usually read from a maximum of about 5cm away from a reader;
  • RFID tags are to be placed in many of the Enhanced Drivers Licenses (EDLs) in Canada, whereas CSCs are being inserted into the e-passports that are being deployed in Britain and the US.

RFID - It’s worth some e-money now
In the article by Computer World, it was noted that:

Information criminals steal information that’s readily convertible to cash, not meaningless EPC RFID inventory data. The people who design EPC standards know far more about the risk to supply chains than cloistered academics engineering these meaningless proof-of-concept exploits.

The EPC initiative is backed by companies that suffer billions of dollars in global supply chain losses every year. They have performed a rigorous risk analysis and concluded that the effect of a supply chain exploit targeting EPC chips is relatively low. They also have determined that the probability of seeing a wave of hacks on EPC chips is similarly low. (Source)

What does this say? It says that billions were already being lost to supply chain losses - this isn’t necessarily the case when it comes to shunting people across borders, save through some reasonably abstract understandings of what it means to lose money as people cross the border (this would be where efficiency metrics as they relate to human actions would come in). It also says that from a supply chain analysis, it’s unlikely that there would be any kind of attack/hack on EPC chips.

Supply chain analyses are (presumably) different from border crossing analyses - the former relates to products as they move around the world, where there are known losses, whereas the latter relates to the movement of citizens between different legal jurisdictions. Unless we’re talking about independent organizations being able to track the number of people that disappear as they hit various borders as they are ‘redistributed’ to Gitmo or similar detention areas, I fail to see how ‘known losses’ fit with a situation where citizens are crossing a border.

Moreover, whereas a supply chain is only likely to hold value to rival retailers (knowing how Wal-Mart moves all of its supplies internationally might provide a competitive advantage), knowing how and where citizens are traveling, as well as gaining access to a wide population’s biometric information, is of value to most bureaucratic bodies in public and private settings (imagine travel insurance companies learning just how much you travel!). The opportunities to be gained from this kind of information are high, which translates into the possibility of monetizing RFID hacks. When you’re dealing with sensitive information that can be communicated along the ‘net, with that information being valuable in and of itself, then it’s likely that those ‘cloistered academic’ engineering exploits will quickly become meaningful.

To encrypt, or not encrypt - that is the question
When it comes to your driver’s license, health card, or any other piece of government-issued ID you can visually confirm that the information displayed on the ID-piece is accurate. Given that the cards have the information placed on them after it is harvested from the appropriate databases, it is easy to determine whether or not the printed information is accurate and, correspondingly, whether the databases that were drawn on hold accurate personal information. When it comes to RFID tags, however, you can never be entirely certain what is being broadcast, unless you have a way of reading the information. This would mean that, to ensure the accuracy of broadcast information, you would need to be able to read it. This suggests one of two things:

  1. Information from RFID Tags is broadcast ‘in the clear’, that is, the information broadcast is not encrypted, enabling citizens to determine if the broadcast information is accurate;
  2. Information is encrypted, but there are many public readers where you can confirm the accuracy of the information being broadcast.

There are obvious problems with the first choice - it would mean that very personal/private information was being broadcast to the wider world. There are clear security problems with this possibility. The second choice - encrypted but lots of public access points - is good, but only if the access points are relatively ‘hardened’, if they are easy to find and access, and if the RFID Tags are set to a passive, rather than active, broadcast.

The problem with most encryption schemes, as they’re proposed at the moment, is that citizens would be unable to access the information that was being broadcast. This is intended to assuage citizens that their personal information is secure, but fails to provide them with the ability to confirm the accuracy of their personal information that is either being transmitted using RFID on CSCs or called up in databases associated with RFID Tags. For a democracy to thrive a government must be transparent, and citizens need to be able to perceive themselves as the legislators and subjects of any law. How can one legislate a law, when the consequences of that law are subsequently hidden? When it comes to identity programs, citizens must be able to understand precisely what they are giving up to authorities when challenged for ID.

Catch-22 and beyond
The current EDL proposals in Canada call for unencrypted transmissions of identifier numbers that then ‘hook’ into a government database. Unlike the government of Canada, most RFID vendors recommend that data that is transmitted be encrypted. Unfortunately, the choice between encryption or not leads to a catch-22 situation; they either lack transparency, or they risk putting citizens’ biometric information in the public eye. This isn’t to say that there aren’t technical solutions to this issue - solutions can be implemented - but pursuing a technical solution fails to recognize that we, as citizens, really need to determine whether or not RFID-enabled identity cards are really needed!

In Canada, EDLs are being created in order to satisfy the American securitization of their borders. Putting aside whether or not that securitization is real security, or merely security theater, we as Canadians need to ask whether or not we want to open ourselves to a heightened risk of biometric theft (an upgrade of mere ‘identity’ theft), or simply pony-up for passports. Canadian passports are valid pieces of international ID, and can be used to cross the Canada-US border (as well as the other borders of the world). Instead of investing in EDLs and the massive infrastructure that will accompany them, why not simply divert that money to subsidize the cost of passports?


Privacy worry over location data - Solution is from Facebook?

Friday, August 15th, 2008


Yahoo! has recently released a new product called Fire Eagle. Fire Eagle is an application that developers can integrate into their software suites, enabling users to identify and broadcast their geospatial location to others on the application’s network. There are many very positive features of Fire Eagle (at least relative to other applications of this nature):

* It’s opt-in
* It allows for granular, application level, sharing of information
* It keeps limited historical data - it “keeps only the most recent piece of location information it has received for each of the major levels it understands: Exact Location, Neighborhood, City, State, Country etc. If a new piece of “Exact Location” information comes in, then we throw away the old one.” (Source)
* Yahoo!’s developers anonymize user data, and assert that they will exclusively use it for system statistics as it pertains to updates and improving service (no notes on how data is anonymized, however)
* The privacy statement makes note that users need to read the privacy agreements of the applications that utilize/integrate Fire Eagle
* Yahoo! notes that their partners must consent to terms and services, and a code of conduct, and Yahoo! provides a space for users to complain if they think that a Yahoo! partner is violating their agreements with Yahoo!.
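To make the retention and sharing rules concrete, here is a small model of the two properties described above: only the most recent reading per granularity level is kept, and each application sees only the level it has been granted (opt-in, so an ungranted application sees nothing). This is an added illustration written for this post, not Yahoo!’s Fire Eagle code; the level names come from the quoted policy, while the class, method names and the per-application grant table are assumptions made for the example.

```python
"""Added example (not Fire Eagle's own code): a minimal location store that
keeps no history and shares per application on an opt-in, per-level basis."""
from dataclasses import dataclass, field
from typing import Dict

# Granularity levels, coarse to fine, as named in the quoted Fire Eagle policy.
LEVELS = ("Country", "State", "City", "Neighborhood", "Exact Location")


@dataclass
class LocationStore:
    """Holds only the latest value for each level; a new reading overwrites
    the old one, so no movement history accumulates (data minimization)."""
    latest: Dict[str, str] = field(default_factory=dict)
    # Opt-in sharing table (assumed design): app name -> finest level it may see.
    # An application absent from this table receives nothing at all.
    grants: Dict[str, str] = field(default_factory=dict)

    def update(self, level: str, value: str) -> None:
        if level not in LEVELS:
            raise ValueError(f"unknown level: {level}")
        self.latest[level] = value  # replace, never append

    def grant(self, app: str, level: str) -> None:
        """User opts an application in, at a chosen granularity."""
        if level not in LEVELS:
            raise ValueError(f"unknown level: {level}")
        self.grants[app] = level

    def revoke(self, app: str) -> None:
        """User withdraws consent; the app drops back to seeing nothing."""
        self.grants.pop(app, None)

    def view_for(self, app: str) -> Dict[str, str]:
        """Return the levels at or coarser than the app's grant, nothing finer."""
        level = self.grants.get(app)
        if level is None:
            return {}
        allowed = LEVELS[: LEVELS.index(level) + 1]
        return {lvl: self.latest[lvl] for lvl in allowed if lvl in self.latest}


def demo() -> Dict[str, Dict[str, str]]:
    """Walk through constructed sample readings and return each app's view."""
    store = LocationStore()
    # Constructed sample readings, not real data.
    store.update("Country", "Canada")
    store.update("City", "Victoria")
    store.update("Exact Location", "48.4284,-123.3656")
    store.update("Exact Location", "48.4300,-123.3600")  # overwrites the first
    store.grant("weather_widget", "City")      # coarse grant
    store.grant("friend_finder", "Exact Location")  # fine grant
    return {
        "weather_widget": store.view_for("weather_widget"),
        "friend_finder": store.view_for("friend_finder"),
        "unknown_app": store.view_for("unknown_app"),  # never opted in
    }


if __name__ == "__main__":
    for app, view in demo().items():
        print(app, view)
```

The point of the model is that the store itself enforces both rules: an application cannot ask for a finer level than the user granted, and there is no older reading for anyone to request, because it was discarded on update.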

But, but, what about those third parties!?!
A BBC article that talks about this new service (Privacy worry over location data) really identifies the core privacy concern that most advocates seem to have with this service:

The problem for privacy watchers is that privacy policies across the web are all very different and using a service through a third party could raise some real issues.

This is a very, very real concern, but one that I think is misidentified by the popular media. While it’s true that people (such as myself) are concerned about the actual legibility of privacy policies (most are in complicated legalese, and as such effectively meaningless - someone can’t reasonably be expected to consent to a contract that they have no way of understanding), another (perhaps more significant issue) is that when most contracts state that they won’t share information with ‘third parties’ they really don’t clearly identify what a third party is.

Let me unpack that last bit, just a little. Let’s say that you enter into a contract/agree to an EULA with Company Alpha (Company A). Unbeknownst to you, Company A is a subsidiary of Company Big (Company B for short), who is a subsidiary of Core Company (Company C, for short). When you enter into an agreement with Company A, your information can often be passed around the rest of the corporate family without violating the contract that you consented to. Of course, the average consumer has no clue who is a member of a ‘corporate family’, and is still vulnerable to the commonplace divergent understandings of corporate privacy policies in the various subsidiary corporations. Most people are also unaware that this means that their granular data, which is on its own not terribly useful or informative about themselves as users, is drawn together to compose substantial data doubles, and that these doubles are (a) valuable; (b) used to discriminate against consumers without their being aware of the discrimination taking place.

Alleviating third-party worries
I hesitate to say that I necessarily LIKE this way of doing things, just because I’m hesitant about how facebook actually operates. That said, Facebook is releasing a new service (Facebook Connect) where the privacy settings that you establish in the Facebook environment will carry along with you to the other websites that you access. Of course, this means that Facebook will be gathering information on where you go, what you do, and so on. It also means that to enjoy a unified privacy policy that you’ll need to be a member of Facebook - you’ll need to be willing to give a corporation access to your personal data to enjoy something that you really should be able to expect a government to set up for you.

Nevertheless, Facebook’s Connect Platform may offer a way for Facebook users to enjoy a common attitude towards privacy. This is one of the solutions that Lessig notes in Code 2.0, but I remain concerned about the solution for the reasons that I addressed in my MA thesis. Namely:

  1. Without federal/state/provincial regulations, violations of a corporate policy lack a clear punitive strategy. Without a monetized penalty, corporations may be less willing to entirely abide by the codes of conduct.
  2. It makes it challenging to enjoy a granular privacy policy - I may not want to let Nike know much about me, whereas I’m comfortable telling the local government a great deal.
  3. What happens if a particular group chooses not to ‘buy-in’ to the Facebook program for their own, valid, reasonings? Are citizens to become citizen-consumers, where to enjoy their constitutional rights they are limited to the corporate brands that they see as ‘healthy’ to them?
  4. Why *shouldn’t* government be the body responsible for setting these kinds of rules and regulations, and developing the IT frameworks to allow all citizens to have consistent privacy frameworks across their browsing experience? I’m not suggesting that citizens would subsequently be required to use the government systems, or that there aren’t inherent challenges with any large body establishing a common privacy level that travels with me across the ‘net, but I’m far more comfortable with a democratically legitimated body doing this than a for-profit corporation that just wants to harvest my personal information.

Ultimately, however, I want to quickly return to Yahoo!’s own stance toward privacy and Fire Eagle. Yahoo! is being reasonably up-front, honest, and genuine with the consumer - they’re doing their job in providing the information that consumers really need to be aware of, in language that is easily accessible. Whether or not people read the privacy policy, the policy isn’t one that is so filled with legalese that it’s non-sensical to the average person. This, in and of itself, is a massive change in how the industry constructs their privacy notices, and is something that reflects well on their division of Yahoo! services.


Pro-privacy initiatives are getting out of hand - Or Are They?

Wednesday, August 13th, 2008


Don Reisinger’s posting on Pro-privacy initiatives are getting out of hand is a good read, even if I don’t think that he ‘gets’ the reason why privacy advocates are (should be?) concerned about Google Streetview. If you’ve been under a rock, Google is in the process of sending out cars (like the one at the top of this post) to photograph neighborhoods and cities. The aim? To let people actually see where they are going - get directions, and you can see the streets and the buildings that you’ll be passing by. It also lets you evaluate how ’safe’ a neighborhood is (ignoring the social biases that will be involved in any such estimation) and has been talked about as a privacy violation because some people have been caught on camera doing things that they didn’t want to be caught doing.

Don: Privacy Wimps Stand Up, Sit Down, and Shut Up
Don’s general position is this: American law doesn’t protect your privacy in such a way that no one can take a photo of your property. What’s more, even if you were doing something that you didn’t want to be seen doing in your home, and if that action was captured by a Google car, don’t worry - no one really cares about you. In the new digital era, privacy by obscurity relies on poor search, poor image recognition, and even less interest in what you’re doing. Effectively, Streetview will be used for watching streets, and little else.

Fair Enough
Don’s got a really, really good point, and his article is good because it identifies many of the contemporary concerns (i.e. that you and your home are being photographed) and points out that those concerns are (really) fairly trivial. I say this as someone who has issues with a lot of Google’s services *grin*.
What Don doesn’t get - and to be fair the issue I want to focus on hasn’t really gotten to courts in the US as far as I can tell - is that this is another artifact that is now online. Do I care if my home is captured by Streetview? No, not really, unless that image is correlated with my postal code, my address, where I work, my phone number, my criminal record, etc. In essence, my real concern about Streetview is that it provides another data source for mash-ups, or services that compile data profiles from a large number of sources. What’s more, as search improves we move towards a point where these artifacts are more easily collected, giving a very detailed accounting of who I am, what I do, and where I do it. As someone who does value my privacy, that’s unnerving, especially when there is no real way for me to identify what information of mine exists online without some intense personal investigative efforts.

Mash-ups - Badness?
Mash-ups aren’t necessarily bad - I need to state that right away - but neither are they necessarily good. In the past, people enjoyed security and privacy by obscurity; there were so many data sources and it was so costly to collect full profiles on people that it wasn’t done very often. Nowadays, however, it is much cheaper, and much easier, to aggregate people’s information. Once aggregated, that information can be used in an almost infinite number of ways - ways that the individual who generated that information/has that data tied to doesn’t necessarily consent to. Consent, as always, is meant as an ‘opt-in’ consent, rather than an opt-out form of consent.
This collection and reorganization of data into a new, useful, format is what is commonly referred to when people talk about mash-ups.
Consent is Dumb Though!
Yeah yeah, we hear this all the time. Opt-in consent is onerous, whereas opt-out is sufficient. I think that this is absolutely correct - read it again, I agreed with that past sentence - for Silicon valley companies who are creating products to solve problems that don’t really exist (had you going for a second, eh?). Let me put it another way: what ‘problem’ do many of the social networking technologies and Web 2.0 technologies solve? Were these genuinely problems, or were problems found after the technology was deployed?

If the technology/mashup is a clearly useful or desirable product then companies shouldn’t worry about opt-in requirements. Only when there is a strong possibility that the technology isn’t actually useful to the consumer/the consumer isn’t made fully aware of the benefits of the technology will opt-in be disdained.

Back to Streetview
Does Google’s Streetview meet the various privacy rights in the sundry jurisdictions that it’s deployed in? That’s a good question, and one that civil rights advocates with lawyers should be (and are) looking into. That said, any time Streetview, or any other ‘primary’ data source, is found to be acceptable under national privacy laws, the subsequent mash-ups need to be examined and evaluated.

Something that I do read every now and again in the education blogs that I follow is that teaching students about the value of mash-ups is important, and I agree. That said, included in that education should be a critical evaluation of the benefits and harms that might follow from mash-ups. Any such evaluation would be greatly helped were federal and state/provincial governments to start to proactively think about the issues posed by mash-ups and begin to develop regulations intended to minimize their possible privacy harms, while enhancing their positive benefits.
