Tuesday, 30 December 2003
Do spammers fear CAN-SPAM?
Alan Ralsky, Detroit's resident spam lord, told the New York Times that he intends to comply with the CAN-SPAM Act to the best of his ability because he fears a $6 million fine and going to prison. ("An Unrepentant Spammer Vows to Carry On, Within the Law") He says he stopped sending email ads earlier this month, even before President Bush signed the bill into law, to give himself time to bring himself into compliance. Ralsky intends to resume his business in January legally once his new systems are complete. He claims that he will identify himself in each email and honor any opt-out requests that he receives.
We should, of course, take Ralsky's self-serving statements with a grain of salt. He sees himself as an honest businessman with an undeserved bad reputation. He expects ISPs to stop filtering his mail after CAN-SPAM takes effect, even though the law does not require them to do so and they have at least as great an incentive as before to continue filtering.
If you are still wondering how out of touch Ralsky is, consider an event that occurred thirteen months ago. In November 2002, Mike Wendland of the Detroit Free Press wrote a profile of Ralsky's $750,000 mansion, dubbed the house that spam built. Two weeks later, Wendland reported that anti-spam activists had used the information in his first column to figure out Ralsky's home address.
"They've signed me up for every advertising campaign and mailing list there is," [Ralsky] told [Wendland]. "These people are out of their minds. They're harassing me."
Hossein Derakshan, a Tehran native and Toronto resident, blogs on "the quake's" implications for Iran's Islamic regime. "Nothing could ever show the real sense of disconnectivity and distrust between Iranian people and the Islamic regime, and its deeply dysfunctionality better than a devastating quake." (Via BoingBoing)
Gwen Knapp of the San Francisco Chronicle has made her picks for Sportsmen of the Year ("Finally, in Bonds ball case, someone shows some class"). Her choices: attorneys Don Tamaki and Mike Lee of Minami, Lew & Tamaki LLP.
They are the lawyers who represented Patrick Hayashi, who was sued over Barry Bonds' 73rd home-run ball of the 2001 season. The case came to define the madness and crassness of modern sports. One fan, Alex Popov, got his mitt on the ball and then lost it amid a scrum of fans. Hayashi plucked the ball from the pile, without realizing that he'd entered a whole new ballgame.
Hayashi offered to settle the case by splitting the proceeds from the ball's sale 50-50, but Popov rejected the offer. After trial, the court entered a judgment ordering essentially the same thing — but only after both sides had incurred enormous legal fees. Unfortunately, the ball sold at auction for less than half its estimated market value. Hayashi's legal bill, under his written contract with his attorneys, would have amounted to nearly his entire take from the sale — leaving him with almost nothing.
After the home-run ball sold for so little, Tamaki and Lee knew that, once they were paid, their client would gain nothing. So they waived most of the fee. "We talked it over with my partners and agreed that Patrick should walk away with something," Tamaki said recently.
Neither side will say exactly how much the lawyers reduced their fees, but Hayashi did keep "enough money to pay his tuition for a master's degree in business administration, plus other bills from a year and a half of living crazily." This, my brothers and sisters at the bar, is a fine example of class.
What happened to the plaintiff? "Last we heard, Popov had acrimoniously parted ways with his attorney, Martin Triano, disputing his legal fees of $473,500. Triano sued him."
While Microsoft has yet to fix the URL spoof vulnerability in its Internet Explorer browser, at least one amateur software enthusiast community has come up with a robust solution. Users of Proxomitron have found a way to use the local proxy server and web filtering client to work around IE's shortcoming. The Proxomitron filters posted in this forum alter links and buttons that lead to web pages that exploit this vulnerability. Additional filters posted there will trigger an alert message box when the active web page contains links that exploit the vulnerability.
These solutions were created by users, free of charge and with no expectation of payment, for fun and for the benefit of Internet users generally. The first request for a fix was posted on 12 December, and four filters were available that same day. Over the next five days, the filters were refined and made more robust, until they handled all situations yet conceived by their developers. Note for emphasis: amateurs created a comprehensive solution in five days. All this happened while Microsoft, one of the most profitable software companies in the world, has been unable or unwilling to fix the problem for nearly a month. Anyone care to explain to me again how high-quality software cannot exist without a profit motive?
The Christian Science Monitor has a feature article by Amanda Paulson on "cyberbullying." The article outlines the problem, analyzes it as merely a new platform for old-fashioned bullying, and discusses the perils of censoring speech for short-term disciplinary goals. I think that analysis is on the right track, but I would like to add a few points.
The article ignores the granddaddy of all cyberbullying cases and the publicity that surrounded it: the case of Jake Baker and the University of Michigan. Mr. Baker's First Amendment defense ultimately led to his exoneration of charges of making threats. (See the EFF case archive for comprehensive information.) The CS Monitor article does, however, discuss the more recent case of "Ghyslain, the Canadian teenager who gained notoriety this year as 'the Star Wars kid.'" This young man videotaped himself goofing around with a broomstick, as if it were a fighting staff.
Some peers got hold of the video, uploaded it to the Internet, and started passing it around. Doctored videos, splicing him into "The Matrix," "The Terminator," or the musical "Chicago," with added special effects and sounds, soon followed. He's now the most downloaded male of the year. According to news reports, he was forced to drop out of school and seek psychiatric help.
"It's one of the saddest examples," says [Glenn Stutzky, an instructor at the Michigan State University School of Social Work]. "He did one goofy little thing, and now it will always be a part of that young man's life."
The article also mentions that (public) schools may lack the authority to shut down off-campus channels of speech used for bullying. The author seems to divide this into two distinct points, one practical and one legal, but it could stand some clarification. First, schools lack the practical ability to censor such centralized speech channels as web-based bulletin boards and instant messaging networks because the school is not the central entity. These are generally physically controlled by private companies. When it comes to open and decentralized channels (like email, IRC, or usenet), the school has no chance. Second, the legal barriers. Any action that schools take or fail to take can open them up to the modern American pastime, lawsuits. Any course of action necessarily requires the school to make judgments that pit one student's civil rights against another's: specifically, the right of the bully to speak vs. the right of the victim to have a public education free from harassment. Schools are understandably reluctant to break any new ground in this context. If I were a school board lawyer, I might recommend the most conservative course of action I could think of.
However, schools are not always so loath to target Internet speech that is generated off-campus. Some get trigger happy when a student's web site criticizes teachers or administrators. Just the other day, I blogged on a recent case involving the Oceanport School District in New Jersey. I could probably turn up ten more examples in as many minutes on Google.
Finally, I want to highlight a case described in the article that displays the best the First Amendment has to offer. "J. Guidetti, principal of Calabasas High School, did get involved, after comments on schoolscandals.com caused many of his students to be depressed, angry, or simply unable to focus on school." All of Guidetti's initial efforts failed as long as he used a law-enforcement approach. Then, he decided to counter speech with speech:
Eventually, a local radio station got involved and put enough pressure on the people running the site (a father-son duo) that they took it down in the spring. Already, there's a schoolscandals2, relatively harmless, so far. Guidetti checks it regularly for offensive content, one of the ever-growing tasks of a 21st-century principal.
The Associated Press reports (via Wired News) that the e-voting security firm VoteHere, of Bellevue, Washington, was hacked in October. A yet-unidentified individual gained illicit access to VoteHere's network and read internal documents and may have copied some files. Company executives reportedly blame the break-in on the recent spate of public attention paid to electronic voting. If nothing else, this episode highlights the tenuous security to which public elections might be entrusted. (Via beSpacific)
The New York Times points out, rather amusingly, that most members of Congress were engaged in sending a massive wave of unsolicited email to their constituents this weekend — barely ten days after unanimously approving the CAN-SPAM Act. Article: "We Hate Spam, Congress Says (Except Ours)."
"They are regulating commercial spam, and at the same time they are using the franking privilege to send unsolicited bulk communications which aren't commercial," David Sorkin, a professor at the John Marshall Law School in Chicago, said. "When we are talking about constituents who haven't opted in, it's spam."
It was only a matter of time before someone exploited the Internet Explorer URL spoof vulnerability. (As Xeni Jardin points out, Microsoft has yet to issue a fix.) This particular scam involves an email that purports to be from PayPal and includes a link that appears to take the unwary reader to PayPal's web site, where he is asked to "verify" his account information. The user is really taken to http://www.epack.ch/p/verify.htm, which looks like a legitimate PayPal page and which the scammer thoughtfully induced IE to display as though it were hosted at PayPal.
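An added example, not part of the original posts and not the Proxomitron filters themselves: a small link checker in the spirit of the alerting filters and the PayPal scam described above. It assumes the deceptive links carry a look-alike host name in the userinfo part before `@` in the URL authority, possibly with control bytes, a detail the posts do not spell out; the sample HTML, host names and function names are constructed for illustration.

```javascript
// Added example: flag links whose real destination is hidden in the URL authority.
// Assumption (not stated in the posts): a deceptive link puts a look-alike host
// name in the userinfo part before "@", sometimes followed by control bytes.

const ANCHOR_RE =
  /<a\b[^>]*?\bhref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))[^>]*>([\s\S]*?)<\/a>/gi;
const HOSTLIKE_RE = /^[a-z0-9-]+(?:\.[a-z0-9-]+)+$/i;

// True if the string holds a raw or percent-encoded control byte (00-1F, 7F).
function hasControl(s) {
  return /%(?:[01][0-9a-f]|7f)/i.test(s) || /[\x00-\x1f\x7f]/.test(s);
}

function stripControl(s) {
  return s.replace(/%(?:[01][0-9a-f]|7f)/gi, '').replace(/[\x00-\x1f\x7f]/g, '');
}

// Split "userinfo@host:port" out of an absolute http(s) URL; null for anything else.
function splitAuthority(url) {
  const m = /^\s*https?:\/\/([^\/\\?#]*)/i.exec(url);
  if (!m) return null;
  const authority = m[1];
  const at = authority.lastIndexOf('@'); // the host is whatever follows the LAST "@"
  const hostport = at >= 0 ? authority.slice(at + 1) : authority;
  return {
    authority,
    hasUserinfo: at >= 0,
    userinfo: at >= 0 ? authority.slice(0, at) : '',
    host: hostport.replace(/:\d*$/, '').toLowerCase(),
  };
}

// Returns { href, host, reasons } for http(s) links, or null for relative/other links.
function inspectLink(href, text) {
  const target = splitAuthority(href);
  if (!target) return null;
  const reasons = [];
  if (target.hasUserinfo) reasons.push('userinfo-present');
  if (hasControl(target.authority)) reasons.push('control-char-in-authority');
  const claimed = stripControl(target.userinfo).toLowerCase();
  if (HOSTLIKE_RE.test(claimed) && claimed !== target.host) {
    reasons.push('userinfo-looks-like-host');
  }
  // If the visible link text is itself a URL, it should name the same host.
  const shown = splitAuthority((text || '').replace(/<[^>]*>/g, '').trim());
  if (shown && shown.host !== target.host) reasons.push('text-host-mismatch');
  return { href, host: target.host, reasons };
}

// Scan an HTML fragment and return only the links that raised at least one reason.
function scanHtml(html) {
  const findings = [];
  for (const m of html.matchAll(ANCHOR_RE)) {
    const href = m[1] ?? m[2] ?? m[3];
    const result = inspectLink(href, m[4]);
    if (result && result.reasons.length > 0) findings.push(result);
  }
  return findings;
}

// Constructed sample page (reserved example names and a documentation IP address).
const SAMPLE_HTML = `
<p><a href="http://www.bank.example/login">Log in</a></p>
<p><a href="http://www.bank.example%01@203.0.113.7/verify.htm">http://www.bank.example/verify</a></p>
<p><a href='http://alice:secret@intranet.example/wiki'>wiki</a></p>
<p><a href="/relative/path">local</a></p>
`;

console.log(JSON.stringify(scanHtml(SAMPLE_HTML), null, 2));
```

The checker reads `href` values as written, so a real filter would decode HTML entities in the attribute before calling `inspectLink`.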
Today the San Francisco Chronicle took a critical look at two waves of resurgence of interest in Jewish mysticism, in 1997 and 2003 ("New interest in Jewish mysticism: Anxious times, celebrities ignite revival of Kabbalah"). This comes a mere ten days after the Chronicle reviewed the just-published first volume of Daniel Matt's new translation and commentary on The Zohar.
Here are a few quotes from today's effort (hyperlinks added):
C|Net has released five year-in-review features, covering open source, utility computing, VoIP, Wi-Fi, and patents. Each one has a summary introduction and links to C|Net articles from the past year. This is a great way to get up to speed for anyone who fell behind in the news.
The Associated Press reports that Jeb Bush, the Governor of Florida and brother of the President, quarterbacked the opening ceremony of a new social experiment: a faith-based prison. (Via Washington Post) The experiment is being hailed as the first such prison in the United States.
The "new" prison is really a rededicated old prison that has been in operation for some time. Now, however, it will cater to its prisoners' spiritual "needs" where the old system did not. The state claims that all 791 prisoners therein are living there voluntarily either because they chose not to transfer out or because they applied to transfer in. AP reports a different story, however:
Many of the prisoners who did not transfer from Lawtey stayed simply because they did not want to move, and not because they wanted to become more involved in religion. But inmates who want to make use of the faith initiative say those who do not participate eventually will be released and replaced by others who will make the program stronger.
"They'll get weeded out," said Bryan Lemaster. "When that gets taken care of, I think it will be pretty good." Lemaster is a Catholic who is serving a three-year sentence on a gun violation. It is his second time in prison after serving time for burglary. He said he hopes to get closer to his religion.
Meanwhile, I will ask how long it will take for a court to declare the new experiment unconstitutional. Unless Florida plans to provide identical religious services to every person in every prison within the state, I do not see how it can escape the obvious problems under the establishment clause of the First Amendment and the equal protection clause of the 14th Amendment. Each prisoner quoted in the AP article practiced some flavor of Christianity. Does the State also provide spiritual counseling to Jews, Hindus, Buddhists, Wiccans, atheists, secular humanists, agnostics, and Jedis? Does such counseling receive equal per-prisoner funding? How do the minister-to-prisoner ratios compare? Are their faiths' holy scriptures available in the prison library, alongside the Christian bible? Are the Jews provided with a Torah scroll? Do the Jedis get light sabers?
All the published interviews I can find thus far with prison officials, politicians, prisoners, volunteer ministers, and their families have been with Christians. Each one makes a point of saying that prisoners will be free to practice whatever faith they choose and that no one will proselytize. Unfortunately, their actions and attitudes belie this as dishonest.
For example, Paul Smith, pastor of Miracle Baptist Church in Stuart, Florida, said in an interview with TCPalm.com: "An inmate can be selected [to live in Lawtey prison] whether he has faith, whether he doesn't have faith, or whether he wants to come to faith." In other words, this volunteer was told something different than what Governor Bush told the press at the opening ceremony: that some prisoners are not there because they chose to practice a particular faith. When asked whether the prison would cater to Christians, Pastor Smith said, "absolutely not. A faith-based prison is for all faiths and all denominations." When asked about those other faiths and denominations, however, he named only Catholics and Muslims. Later, he revealed the depth of his bias:
It does not violate separation of church and state, one, because all of the inmates have volunteered to be there. If they were being forced or if they were given some type of reduced sentence, or early release to participate in the program, then I think it's a violation. The only thing that this program is a violation to is the devil and the fact he wants to have more souls go to hell.
In the program, volunteers will act as personal mentors, offering support to each inmate both during their incarceration and as they settle back into the community after serving their sentences. Inmates will participate in all the usual day-to-day prison activities, but during evenings and at weekends will undergo extra classes examining issues such as anger management, good parenting, and the effect of crime on victims, run by representatives from a variety of faiths including Islam, Judaism, and Christianity.
As of today, 26 religions will be represented among Lawtey's population. Belief in a god is not a requirement of the program. But a commitment to self-improvement is. Of the 819 prisoners housed at Lawtey when the scheme was announced in early December, less than 100 have indicated that they do not wish to take part; they have been moved to facilities elsewhere in the state.
PalmSource has published a series of Expert Guides. The guides offer tips, tricks, and software for people who use PalmOS-powered devices in a variety of professions or specialized tasks. Among them is the Legal Expert Guide, written by Susan Wilson, for legal professionals. (Via LawTech Guru)
Doug Isenberg, founder of GigaLaw, summarizes the year 2003 in cyberlaw: "Internet law in 2003 was full of surprises, with Congress passing an antispam bill, the courts blessing pop-up advertising, the music industry losing lawsuits and the Supreme Court finally upholding an Internet law." (Via Inter Alia)
Even before [Norway's prosecution of DVD-Jon] was filed, however, entertainment industry lobbyists had been pressing lawmakers in that country and elsewhere to enact tougher copyright laws, modeled on controversial U.S. legislation that makes it easier for authorities to win prison terms for people who crack encryption schemes or distribute cracking tools. If enacted, proposed legislation in Europe, Canada, Australia and Central and South America would soon hand entertainment companies similar weapons against people caught tinkering with anticopying software. Via Furdlog.
In some ways, the Johansen ruling offers a simple reminder that different countries have different laws, and companies can't rely on protections established in one region to protect them elsewhere. But the case also points to an aggressive drive in the entertainment industry to win greater global conformity in copyright law, modeled on the DMCA.
As Norway illustrates, however, the process can move slowly, leaving the entertainment industry exposed to weaker copyright rules in regions where DMCA-like laws have not yet been passed.
Barbara Fullerton of Locke, Liddell & Sapp has published an interesting article on LLRX called "CyberAge Stalking." She reviews several high-profile cases, the tools used in each case, and the statutes passed in their aftermaths.
Frank Rich wrote a fascinating and entertaining editorial for the New York Times a few days ago ("Napster Runs for President in '04"). Between his attempts to be vogue by dissing the mainstream candidates and media for not "getting" the Howard Dean campaign's various uses of the Internet, Rich makes a few novel points. Among them, that we should view Dean more like FDR and JFK than George McGovern and Barry Goldwater. His conclusion:
Should Dr. Dean actually end up running against President Bush next year, an utterly asymmetrical battle will be joined. The Bush-Cheney machine is a centralized hierarchy reflecting its pre-digital C.E.O. ethos (and the political training of Karl Rove); it is accustomed to broadcasting to voters from on high rather than drawing most of its grass-roots power from what bubbles up from insurgents below. Thanks to Mary Hodder of Napsterization for the heads up.
For all sorts of real-world reasons, stretching from Baghdad to Wall Street, Mr. Bush could squish Dr. Dean like a bug next November. But just as anything can happen in politics, anything can happen on the Internet. The music industry thought tough talk, hard-knuckle litigation and lobbying Congress could stop the forces unleashed by Shawn Fanning, the teenager behind Napster. Today the record business is in meltdown, and more Americans use file-sharing software than voted for Mr. Bush in the last presidential election. The luckiest thing that could happen to the Dean campaign is that its opponents remain oblivious to recent digital history and keep focusing on analog analogies to McGovern and Goldwater instead.
The Liberal Party of Canada went off on a funny tirade against the proprietors of PaulMartinTime.ca — a spoof of the Canadian Prime Minister's official site, PaulMartinTimes.ca. This is, of course, the Canadian equivalent of G. W. Bush's famous campaign gaffe, "There ought to be limits on this kind of freedom." (Via BoingBoing)
The National Professional Association has published an interview with Randy Cassingham, one of my favorite humorist/writers. The interview captures everything I love about Randy's work: his boldness, his sense of humor, his skepticism, and his passion for all things interesting. Randy is the author of (among other things) This is True, the True Stella Awards, and Heroic Stories.
The Norwegian newspaper Aftenposten reports that Jon Johansen has been acquitted — again ("DVD-Jon wins new legal victory"). He was being tried for copyright infringement a second time (by an appellate court, this time) for his role in creating DeCSS. The power brokers in the movie industry are, of course, "disappointed."
Pamela Jones over at GrokLaw has a long analysis of RIAA v. Verizon. Amid her explanation of the decision, she waxes philosophic on the law generally. Also, her blog seems to be the place to be this weekend: that article had over 90 comments last time I checked.
Earlier today I mentioned "a banner week for civil liberties everywhere." How little I knew at the time. Just a few minutes ago, I learned that John Perry Barlow launched a blog on Wednesday: BarlowFriendz. Yes, this is the same man who co-founded the EFF and wrote "A Declaration of the Independence of Cyberspace" and "Selling Wine Without Bottles."
By now the world has heard of the D.C. Circuit decision in RIAA v. Verizon. Previously, the D.C. District Court ruled that Verizon must comply with RIAA's subpoenas, issued under § 512 of the Digital Millennium Copyright Act (DMCA). Those subpoenas are designed to force ISPs to disclose the identities of users whom RIAA suspects of illegally making copyrighted music available for others to download. RIAA can trace users by itself as far as their IP addresses (the set of numbers that uniquely identifies every computer on the Internet), but it needs the cooperation of ISPs to connect an IP address with an individual's name and address. Once it has that information, it can send a cease & desist letter or file a lawsuit.
Yesterday's Circuit decision reverses the District Court's interpretation of the statute. The appeals court gave the statute an extremely close reading in rendering its decision. The relevant section has a complex sentence structure and many cross references, so it is no wonder that the parties (and two different courts) disagreed as to its meaning. Derek Slater makes a few interesting points, including: "I find it fascinating when opinions contrast in this way — when they see the same issue clearly, unambiguously, but oppositely. [District] Judge Bates, just like [Circuit Judge] Ginsburg, claims to stick to the statute's text and go no further, yet their opinions are night and day."
The decision is a victory for privacy, but not a victory for privacy as such. The result was reached on a technical reading of the statute, and turned on the fact that a subpoena can only be sent if a DMCA notice-and-takedown letter can also be sent. […] The constitutional issues that would have made this a victory for privacy as such, or for freedom of expression, were not addressed by the court.
This line of reasoning rests on the cross references between § 512(h) and § 512(c). Subsection (h) permits a copyright owner to apply to the Clerk of the court for a subpoena so long as the application contains "a copy of a notification [of claimed copyright infringement, as] described in [§ 512](c)(3)(A)." The relevant language in § 512(c)(3)(A) is: "To be effective under this subsection, a notification of claimed infringement must be a written communication … that includes substantially the following" six elements. The third enumerated element is "(iii) Identification of the material that is claimed to be infringing or to be the subject of infringing activity and that is to be removed or access to which is to be disabled, and information reasonably sufficient to permit the service provider to locate the material." (Emphasis added)
The court agreed with Verizon that this language requires the subpoena application to assert that the ISP has the ability to remove or disable access to the allegedly infringing material. However, most current P2P applications use a decentralized architecture. This means that all shared data is stored on users' computers, not on any central server — except for temporary copies incidental to transmission, which the DMCA permits. Therefore, the ISP has no legal right to remove or disable access to the material shared on the P2P network:
No matter what information the copyright owner may provide [in its subpoena application], the ISP can neither "remove" nor "disable access to" the infringing material because that material is not stored on the ISP's servers. Verizon can not remove or disable one user's access to infringing material resident on another user's computer because Verizon does not control the content on its subscribers' computers.
This holding does have some privacy implications, but they are small compared to Verizon's alternative argument. Having decided this case on statutory grounds, the court ducked the larger First Amendment questions.
So what implications does it have? Dozens of people predict that RIAA will lobby Congress to close what it surely sees as a loophole in the DMCA. Ernest quipped, "[T]he RIAA has nearly hosed itself." The trade group has been trying to consolidate all its DMCA subpoena litigation in Washington, D.C. for administrative convenience. Now, however, it cannot be happy with its "success" in transferring the SBC case to the D.C. District from the Northern District of California in San Francisco — because the Verizon decision is now binding precedent in the nation's capital. This will not stop RIAA from getting users' information, however. It will only make the process slower and more expensive. Instead of paying its lawyers simply to draft subpoena applications, it now has to pay them to draft and file complaints and motions in addition to subpoena applications. These costs will be passed on to consumers in the form of higher average settlements.
John Palfrey sees a broader trend: "Add this development to the Grokster opinion, and the trend of the law in favor of digital rights holders is at least in a holding pattern." The trend may be even broader than Palfrey recognizes — this was a banner week for civil liberties everywhere. (It could, however, be just a blip on the post-9/11 radar screen.) The Dutch supreme court ruled that the makers of Kazaa are not liable under Dutch law for copyright infringement committed by the software's users. A day earlier, the Second Circuit ruled that the U.S. government may not classify Jose Padilla as an enemy combatant — which should assure that his constitutional rights are no longer suspended. Just a few hours later, the Ninth Circuit wrote "that the [Bush] administration's policy of imprisoning about 660 non-citizens on a naval base in Guantanamo Bay, Cuba, without access to U.S. legal protections 'raises the gravest concerns under both American and international law'" (source).
If nothing else, we live in interesting times.
Missile Defense: Deployment is Still Scheduled for Late 2004
It was just one year ago that President Bush ordered deployment of a limited system of interceptor missiles in California and Alaska by the end of 2004 (WN 20 Dec 02). But in the meantime, according to a story this week in Space News, the test schedule has fallen behind by about six months. "Tough break," I said to my friend General Persiflage at the Missile Defense Agency, "how much will postponing the tests delay deployment?" He was clearly amused: "Not one day; it's all part of the plan. The Commander-in-Chief ordered us to deploy in 2004, and deploy we will. The only thing that could get in our way is to blow a test. So why ask for trouble?" He chuckled, "You scientists always think you have to do experiments. This is a faith-based initiative."
News 12 New Jersey reports ("Teenager sues Oceanport School District over freedom of speech") that Ryan Dwyer of New Jersey has filed a lawsuit against the Oceanport School District, which operates his former middle school. Dwyer suffered several punishments for operating a web site that criticized the school. If we believe his description of the site (which has been taken offline), this may be a good test case, because he kept the site "clean:"
The Web site was launched in April. It greeted users with, "Welcome to the Anti-Maple Place — Your Friendly Environment," and said: "This page is dedicated to showing students why their school isn't what it's cracked up to be. You may be shocked at what you find on this site," Dwyer says students were allowed to post opinions, but profanity was prohibited and no threats were allowed to be made.
The decision by the Dutch court, the highest European body yet to rule on file-sharing software, means that the developers of the software cannot be held liable for how individuals use it. It does not address issues over individuals' use of such networks. […] The Supreme Court rejected demands by Buma Stemra, the Dutch royalties collection society, that distribution of Kazaa cease and that future versions be modified so that copyrighted materials cannot be exchanged over the network, lawyers representing Kazaa said.
It looks like Matt Oppenheim, a senior vice president of RIAA, has to eat his words from March 2002. Describing the Dutch appeals court action underlying yesterday's supreme court decision, he said: "I don't think this summary decision…will have any more impact than it would have from any other country that doesn't enforce copyright law consistent with the United States." Matt, perhaps you can tell me if I spelled "jingo" correctly.
Score one for the good guys! The U.S. Court of Appeals for the Second Circuit has ruled that the President cannot simply classify José Padilla, a.k.a. Abdullah al Muhajir, as an enemy combatant on faith. The government alleges that Padilla was plotting to detonate a "dirty bomb" when it arrested him in Chicago in mid-2002. Since that time, the government has held Padilla — a U.S. citizen — in jail, incommunicado, and without bringing charges against him. The court gave the President 30 days to release him or charge him with a crime under the rules of civilian criminal procedure. Links: majority opinion [pdf] and dissent [pdf]. News coverage: Washington Post, CNN.
The hits just keep on coming. Wired News reprints an AP article with this provocative opening: "At least five convicted felons secured management positions at a manufacturer of electronic voting machines, according to critics demanding more stringent background checks for people responsible for voting machine software."
Several of the people at issue were hired by Global Election Systems (GES), before Diebold acquired it in 2002 and renamed the subsidiary Global Election Management System, part of Diebold Election Systems. GES Vice President Jeffrey Dean, for example, was responsible for some of the company's proprietary code that counted ballots. The problem? According to court documents, he "served time in a Washington state correctional facility for stealing money and tampering with computer files in a scheme that 'involved a high degree of sophistication and planning.'"
The greatest threat to the integrity of our democracy may come from insiders at the companies that provide our election infrastructure. Who better to manufacture that infrastructure than people who have demonstrated a willingness to commit criminal and unethical acts for money? To state it mildly, this news qualifies as cause for alarm.
Microsoft and New York State Attorney General Eliot Spitzer are going after spammers — in state courts. The claims they intend to file strike at the misleading nature of email marketing, not the commerciality of the messages. In other words, they are suing under state laws that are not preempted under the CAN-SPAM Act. News coverage: C|Net, New York Times, Seattle Times.
Happy flight day! I hope everyone enjoyed the festivities surrounding the centennial of Orville Wright's historic flight. Unfortunately, the weather in Kill Devil Hills did not cooperate with the long-planned reenactment.
California Secretary of State Kevin Shelley made an announcement today regarding the audit of the State's Diebold voting machines that he ordered. He demanded the audit after learning that Diebold had illegally installed software patches on machines used in Alameda County after those machines were certified — meaning that the software was never approved. eVoting machines in at least 17 counties were found to contain uncertified software, and Diebold now stands on the brink of losing the right to sell voting machines to the State of California and her counties. The San Jose Mercury News has the story: "Voting machine maker dinged."
The two coauthors of the CAN-SPAM Act, U.S. Senators Ron Wyden (D-Ore.) and Conrad Burns (R-Mont.), published an essay yesterday in response to criticism of their bill. They state in no uncertain terms what I have been saying all along — that CAN-SPAM is not a silver bullet but that it is a good first step. The money line: "Big-time spammers will inevitably violate the Can-Spam Act because it strikes at the heart of how their sleazy businesses work." (Thanks to GrepLaw for the heads up.)
Also, I did not mention yesterday that President Bush signed the Act.
For most people, getting caught for two unrelated crimes on the same day would be disconcerting. Yet that is what happened to U.S. Attorney General John Ashcroft yesterday. First, the Washington Post reports that the Federal Election Commission (FEC) has fined Ashcroft's PACs for accepting illegal campaign contributions during his failed 2000 Senate race. Second, the Post reports that U.S. District Judge Gerald Rosen publicly rebuked Ashcroft for twice violating gag orders in the first criminal trials related to the 9/11 attacks — but stopped short of holding him in criminal contempt.
The last five days have brought big copyright news from the Great White North allegedly also known as "Canada." First, the Canadian Copyright Board issued a decision levying fees on many new media and interpreting Canadian law to permit downloading (but not uploading) of copyrighted works via P2P networks. Then the National Post reported that the Canadian Recording Industry Association (CRIA) might soon begin suing file sharers, à la RIAA.
During this time, I have been reading up on CRIA's chief, Brian Robertson. While he is reluctant to discuss CRIA's lawsuit plans, he loves to talk about the number 30. That is the percentage of revenue he claims the Canadian recording industry has lost due to file sharing. As far as I can tell, he has never cited any source for this figure; the next-highest estimate is 23%, and many estimates are even lower. Sources: CRIA press release, Globe & Mail, National Post, LA Times. Additionally, CRIA (like RIAA) fails to acknowledge that the recent recession might have had a negative effect on music sales equal to or greater than the effect of file sharing.
Microsoft labelled the legislation "anti-competitive", and warned that it could damage the Australian software industry. … "The ACT decision is of concern because it affects all software companies," [a spokeswoman for Microsoft] said. "Any legislation that seeks to mandate preferences for one platform over another can limit choice and can be anti-competitive and bad for the Australian software industry as a whole."
The irony? The law merely "calls for government to 'consider' the purchase of open source software in procurement plans. The original version of the Bill would have required the ACT to 'prefer' open source software." I suppose that if you are Microsoft, even admitting the existence of open source alternatives can be bad.
The millions of Canadians who share music files on the Internet should be prepared for the possibility of facing a lawsuit early in the new year, the head of the Canadian Recording Industry Association said yesterday. … [Brian] Robertson would not specify how many lawsuits would be filed, but he did say the legal action would be similar to the lawsuits filed in the United States. For some time, CRIA has been using software that tracks and identifies users involved in trading free music files. "Users should be aware that using file-sharing services is a very public process," Mr. Robertson said.
Since Canada has no analog to the Digital Millennium Copyright Act (DMCA), it will be interesting to see whether CRIA's tracking software is anywhere near as effective as RIAA's subpoenas. Neither one, it cannot be pointed out often enough, has any judicial oversight. And both are ripe for abuse.
Jason Schultz over at LawGeek has an excellent piece on Creative Commons licensing: "The Network Effects of Creative Commoning: Why Silver Will Eventually Be More Valuable Than Gold."
Enter the brilliance of the CC sampling license. Say you're an up-and-coming artist looking for a backbeat track to sample for your new song. You see two options: (1) a massive library of historically copyrighted works (All Rights Reserved) and (2) a much smaller but growing library of CC licensed works (Some Rights Reserved But Always Ok To Sample). […] Option 1 is like a pot of gold with scorpions in it. Option 2 is like a pot of silver.
God is considering his options for action against Bible pirates. "God did not rule out smiting as a final measure against those who share his most famous work, the Bible, on the Internet," wrote Kristian Werner of BBspot Technology News.
Citing misuse of His word, misquotation, and putting hardworking Bible printers out of work, God said he would now start hunting Bible pirating around the globe. "I have to defend both my world-famous brand the Bible and its distinctive likenesses and the livelihood of those who create and distribute legal copies of it. Sure, they live not by bread alone, but website hits, someone else's website mind you, don't pay the bills for these folks."
Since large portions of the Bible are many centuries old, many people believe the work to be in the public domain. Not so, said God. "Look, most copyright laws are based on something like the author's lifetime plus, let's say, 15 years. News flash: I'm still here."
BoingBoing reports (via Ben Hammersley) this interesting nugget: Sony Pictures is promoting its new Spiderman sequel via weblogs. The movie's promotional web site has templates for LiveJournal and Blogger ripe for the picking by anyone who wants to give free advertising (and a higher PageRank) to a large, profitable corporation.
Mary over at bIPlog relates the horrifying tale of her experience trying to port her cell phone number from AT&T Wireless to Cingular ("My Nightmare With AT&T Wireless"). A summary could never do it justice, so suffice it to say that AT&T made numerous gross factual errors and flagrantly broke the law in repeated attempts to prevent her from leaving. Still, this episode highlights less about AT&T than it does about the harm that consumers can suffer at the hands of hucksters even when the hucksters know what they are doing is illegal because the consumer has pointed it out. I suppose Mary could sue AT&T to force the release of its high-tech hostage, but who has the time and money for litigation over a phone number?
My law school roommate and I had a similar experience when we tried to buy DSL service in Boston. Despite being Verizon dialtone customers, we tried to hire a company called eConnects (a reseller of Verizon DSL connectivity) for Internet service. At the time, Verizon was required to permit access to its "last mile" network for others to offer competitively-priced residential DSL service. For months, eConnects tried to get us online, but Verizon dragged its feet when it came time to change certain physical settings on our line which it claimed could only be done inside our apartment. Verizon repeatedly failed to show up for appointments or showed up on the wrong day or at the wrong time, and it refused to schedule any appointment within two weeks of any call we made to their customer service department. Finally, we caved in and bought DSL service from Verizon at a higher monthly price than eConnects had offered us. Magically, Verizon had an appointment slot available four days later, and we were online ten minutes after that.
The newswires have a story that will be interesting to follow over the course of the news cycle. Professor Marc Galanter of the University of Wisconsin Law School (bio) and the London School of Economics (bio) has conducted a study of the U.S. federal court system at the behest of the American Bar Association.
Galanter's finding, dubbed "vanishing trials," documents the decline in the number of trials conducted in federal courts since 1962, notwithstanding a large increase in the number of cases filed. I have not been able to find a copy of the study online yet (please let me know if you can find it), and the newswires are a bit vague about the cause(s) of the decline. Pretrial dismissals, defaults, and settlements probably account for most of it, but I would still like to read Professor Galanter's study.
The San Jose Mercury News has the AP story, and the New York Times has some original reporting by Adam Liptak ("U.S. Suits Multiply, but Fewer Ever Get to Trial, Study Says").
Dr. Reviel Netz of Stanford, a renowned Archimedes scholar, recently announced the discovery of an ancient text once thought to be lost — Archimedes' Stomachion. Historians and mathematicians once dismissed Stomachion as a minor work, but the newly-discovered fragment of its text suggests that it founded the branch of mathematics known as combinatorics. Combinatorics is concerned with finding "how many ways a given problem can be solved," in the words of an article in today's New York Times ("In Archimedes' Puzzle, a New Eureka Moment").
I would like to comment briefly on one post in ATAC's weblog, "Face Recognition and False Positives." This post raises the point of "a classic security mistake: ignoring the false positive problem." I addressed this issue in "Static Measurements & Moving Targets," my law-school thesis paper on biometrics and privacy in the context of consumer banking. In that paper, I looked at the problem from a perspective opposite Ed's. He describes facial recognition in an identification application, where its goals are substantially different from what its goals would be in an authentication application.
The designer of an application that flags passers-by as registered sex offenders has an incentive to overinclude suspects for security reasons — that is, to err on the side of false positives. The designer of an ATM authentication application, on the other hand, has the opposite incentive — to err on the side of false negatives, to prevent fraud. The point is that false positives are not solely a privacy issue: they also represent a security risk, depending on the context.
That said, I do agree with Ed's basic point, as I wrote back in October ("Terrified of Terror Profiling?"). I supported the point there with links to articles by computer security expert Bruce Schneier and mathematician John Allen Paulos.
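To make the identification-versus-authentication trade-off above concrete, here is an added Python example (not from the original post or from ATAC's weblog). The similarity scores, candidate thresholds and cost weights are constructed for illustration, and the watchlist calculation, which assumes independent comparisons, goes slightly beyond the text.

```python
"""Same matcher, two deployments: how error costs move the decision threshold.

All scores, thresholds and cost weights below are constructed sample values.
"""

# Constructed similarity scores from a hypothetical face matcher (range 0..1).
GENUINE = [0.62, 0.71, 0.75, 0.80, 0.84, 0.88, 0.90, 0.93, 0.95, 0.97]   # same person
IMPOSTOR = [0.10, 0.18, 0.25, 0.31, 0.38, 0.44, 0.52, 0.58, 0.66, 0.73]  # different people
THRESHOLDS = [0.50, 0.60, 0.70, 0.80]  # candidate operating points


def error_rates(threshold):
    """Return (false_positive_rate, false_negative_rate) at a threshold.

    A comparison is declared a match when score >= threshold, so a false
    positive is an impostor accepted and a false negative is a genuine
    subject rejected.
    """
    false_pos = sum(1 for s in IMPOSTOR if s >= threshold)
    false_neg = sum(1 for s in GENUINE if s < threshold)
    return false_pos / len(IMPOSTOR), false_neg / len(GENUINE)


def pick_threshold(cost_false_pos, cost_false_neg):
    """Choose the candidate threshold with the lowest weighted error cost."""
    def cost(threshold):
        fpr, fnr = error_rates(threshold)
        return cost_false_pos * fpr + cost_false_neg * fnr
    return min(THRESHOLDS, key=cost)


def chance_of_false_alarm(per_comparison_fpr, gallery_size):
    """Probability that one innocent passer-by matches at least one entry of a
    watchlist holding gallery_size faces (assumes independent comparisons)."""
    return 1.0 - (1.0 - per_comparison_fpr) ** gallery_size


def main():
    # Identification (watchlist): a missed suspect is weighted far above a
    # false alarm, so the chosen threshold is low and false positives rise.
    watchlist = pick_threshold(cost_false_pos=1, cost_false_neg=20)
    # Authentication (ATM): accepting an impostor is fraud, so false positives
    # are weighted far above inconveniencing the real account holder.
    atm = pick_threshold(cost_false_pos=20, cost_false_neg=1)

    for name, threshold in (("watchlist", watchlist), ("ATM", atm)):
        fpr, fnr = error_rates(threshold)
        print(f"{name:9s} threshold={threshold:.2f} "
              f"false positives={fpr:.0%} false negatives={fnr:.0%}")

    # Even a matcher that is wrong once per 1,000 comparisons raises an alarm
    # on most innocent passers-by once the watchlist holds 1,000 faces.
    print(f"false alarm chance vs. 1,000-entry watchlist: "
          f"{chance_of_false_alarm(0.001, 1000):.1%}")


if __name__ == "__main__":
    main()
```
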
Robert Cringely has released part 2 of his column on e-voting. His analysis of e-voting problems from an IT project management perspective is refreshing; it is a perspective that has been sorely lacking in the debate thus far. Links: part 1 and part 2.
Virginia's Attorney General, Jerry Kilgore, announced yesterday that his office has launched two prosecutions on felony charges related to sending spam. One well-known spammer, Jeremy Jaynes, a.k.a. Gaven Stubberfield, was arrested in Raleigh, NC, where his alleged coconspirator, Richard Rutowski, negotiated his surrender to authorities. (The New York Times and Washington Post have coverage: NYT "Virginia Indicts 2 Under Antispam Law," WP "Virginia Indicts Two Men On Spam Charges.")
Much ado has been made of the federal CAN-SPAM Act's preemption of state spam laws, so let us compare a few features of the Virginia and federal statutes.
The crime defined under the Virginia law becomes a felony when the spammer sends more than 10,000 illegal messages in a day or 100,000 in a month. CAN-SPAM's bar is set much lower, requiring only 100 and 1,000 messages, respectively, to trigger felony penalties. The maximum prison sentence is 5 years under both laws, assuming that aggravating factors are present. Finally, the Virginia law permits a fine up to $2,500, whereas CAN-SPAM permits fines under Title 18 U.S.C., which can reach many times higher than $2,500.
In addition, the Virginia law requires that spam pass through the state. Unless an email is sent to a Virginia resident, it can be impossible to prove beyond a reasonable doubt that the message passed through the state's borders, unless it was handled and its header stamped by a mail server in that state. Virginia is more the exception than the rule in this area, as the home of America Online (AOL), the world's largest ISP. It is unlikely that any spam would not reach at least one AOL customer. The other 49 states would have a harder time proving this element of the crime. CAN-SPAM, on the other hand, is triggered when spam affects any "protected computer," as defined in 18 U.S.C. 1030(e)(2)(B): "a computer…which is used in interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States." That definition includes all computers that connect to the Internet.
Law.com reports that a Third Circuit panel has interpreted the Electronic Communications Privacy Act (ECPA) to permit an employer to search its employees' email messages that are stored on its network ("Federal Law Allows Employer's Search of Worker's E-Mails"). Such a search, the court held, does not constitute "interception" of messages during "transmission," as prohibited by the ECPA. The full text of the decision in Fraser v. Nationwide Mutual Insurance Co. is available via FindLaw.
Nevada Secretary of State Dean Heller announced yesterday that his state was the first in the country to demand that e-voting machines produce voter-verifiable paper receipts. The state's Gaming Control Board gave Diebold's products a harsh denunciation, writing that they "represented a legitimate threat to the integrity of the election process." After rejecting Diebold equipment, Heller settled on a system from Sequoia Voting Systems. "A paper trail is an intrinsic component of voter confidence," Heller said. Printers make e-voting systems cost more, he acknowledged, but "money takes a back seat to accuracy, security and voter confidence."
Doug Baker of Portland, Oregon really missed his dog, Fremont, after it ran away. He spent over $15,000 in his search and neglected his business to the point where it failed. After a conventional animal tracker failed to find the dog, the tracker put Baker in touch with several psychics.
Each psychic claims to have contacted the dog, but none could produce any tangible benefit — aside, of course, from cashing Baker's checks. Fremont was eventually found after someone responded to Baker's ad in the newspaper. Just for kicks, Baker has sued the dog sitter who was on duty when the dog ran away.
Baker hired all of them, paying between $55 and $100 a session. Each psychic claimed to have spoken with Fremont. One said someone had dragged Fremont into a car after putting something around his neck. Another said Fremont spoke to her, telling her that he saw a fence and the dogs were kept out of doors, sometimes in a kennel with a cover. Fremont told her, the psychic said, that the people holding him called him "Pal" and "Chief." He added that he missed his home.
But the psychics couldn't tell Baker where Fremont was.
Baker then turned to a white witch, a woman brought in to cast spells with candles, herbs and dream cards. She had given Baker two cards to put above his bed so he could tap into the spiritual world, where he'd connect with Fremont. Although Baker had a vision of an orange license plate, he'd never had a solid dream because, he said, his girlfriend kept waking him when she got up to go to the bathroom.
See also: "Owner sues pet sitter in loss of dog."
Earlier today I mentioned the new trade group formed by the major electronic voting machine manufacturers when I had read only one media article about it. There is much more "out there" now. C|Net News has better coverage than the Washington Post article I linked to before. Additionally, the new Election Technology Council (under the umbrella of the Information Technology Association of America) has released a press kit with much more information.
The Editorial Board of eWeek Magazine published an editorial this week ("Copyright and Fair Use"), denouncing the rampant abuse of the Digital Millennium Copyright Act (DMCA). Civil libertarians have not been surprised by DMCA abuse, but eWeek's board apparently was. However, they make up for it with definitive language: "Repeated abuse of a statute is a sign that the law itself is defective." Their prime examples? The Skylink/Chamberlain and SCC/Lexmark cases.
The recent wave of criticism — and especially its press coverage — has prompted several major e-voting machine manufacturers to work together to counter the negative publicity. The Washington Post has the story: "Voting-Machine Makers To Fight Security Criticism."
Something about this (although I am sure exactly what) compels me to mention PR Watch.
Robert Cringely, the venerable PBS columnist, wrote an interesting column on the lack of a paper trail in e-voting machines ("No Confidence Vote: Why the Current Touch Screen Voting Fiasco Was Pretty Much Inevitable").
Now here's the really interesting part. Forgetting for a moment Diebold's voting machines, let's look at the other equipment they make. Diebold makes a lot of ATM machines. They make machines that sell tickets for trains and subways. They make store checkout scanners, including self-service scanners. They make machines that allow access to buildings for people with magnetic cards. They make machines that use magnetic cards for payment in closed systems like university dining rooms. All of these are machines that involve data input that results in a transaction, just like a voting machine. But unlike a voting machine, every one of these other kinds of Diebold machines — every one — creates a paper trail and can be audited. Would Citibank have it any other way? Would Home Depot? Would the CIA? Of course not. These machines affect the livelihood of their owners. If they can't be audited they can't be trusted. If they can't be trusted they won't be used.
Now back to those voting machines. If every other kind of machine you make includes an auditable paper trail, wouldn't it seem logical to include such a capability in the voting machines, too? Given that what you are doing is adapting existing technology to a new purpose, wouldn't it be logical to carry over to voting machines this capability that is so important in every other kind of transaction device?
Thanks go to LawGeek for the heads up.
GrepLaw gives a pointer to Anita Ramasastry's FindLaw article criticizing the CAN-SPAM Act. She scores a few points, but she ignores several important provisions that render her conclusions — in my opinion — wrong.
CAN-SPAM's major faults, in Ramasastry's view:
Second, on enforcement by individual consumers. CAN-SPAM expressly provides for enforcement by at least 110 government bodies, plus any ISP "adversely affected" by illegal spam. The public servants will have strong political incentives to file spam lawsuits, and ISPs will have strong economic incentives. Why add hundreds of millions of consumers to this list when their lawsuits will inevitably be less well-funded than the institutional enforcers? With potential damage awards of $6 million for public enforcers and $3 million for private enforcers, those entities will easily be able to recoup their legal costs (even if they are not awarded attorney fees, as provided in the Act).
Third, on the difficulty of enforcing CAN-SPAM against foreign and judgment-proof spammers. The Act's third-party liability provisions will solve much of this problem. The Act attaches liability to (1) any business knowingly promoted via illegal spam and (2) any vendor that provides goods or services to a spamming operation with knowledge that those goods or services will be used to send spam. These provisions give third parties one free bite — before the first potential plaintiff sends a cease & desist letter, putting them on official notice. Much advertising currently distributed via spam promotes products on sale within the U.S. or manufactured or sold by people in the U.S. Once the first such person is prosecuted, the demand for advertising space in spam will decline precipitously. Spam will inevitably decline, as fewer people are willing to pay for it.
Fourth, on the purported shortcomings of the do-not-spam registry. For god's sake, give the thing a chance before you accuse it of failing. As I said above, the FTC can learn from the outcome of the pending do-not-call litigation, and there is an infinite variety of implementations that the do-not-spam registry could take. I proposed one not long ago. Also, the possibility that some spammers will evade it is not a reason not to try. CAN-SPAM's third-party liability provisions do not currently apply to registry violations, presumably because the registry does not exist and the Act only empowers the FTC to consider the idea of the registry. That shortcoming can easily be rectified by an amendment to the statute or FTC rule.
Fifth, on state spam laws. How, exactly, is the fundamental shortcoming of the Westphalian territorial legal system solved by having fifty state laws, no matter how restrictive? What if a spammer in California sent spam only to residents of other states and other countries? No state or country would have jurisdiction. The major complaint in this area that does have some validity is the preemption of California's tough opt-in law with the federal opt-out standard. This is a valid criticism, but it goes to the policy choices that Congress made when it traded opt-in for the possibility of an effective opt-out registry.
Sixth, on technological solutions. You cite Congress's findings on the rapid rise of spam traffic in an era that had no comprehensive spam law. The primary method of dealing with spam has been technological measures. And the volume of spam rose rapidly during that period. One of CAN-SPAM's greatest strengths is that it expressly permits ISPs to implement private mail policies — a provision that should exempt them from tort liability for doing so. It looks somewhat like § 230 of the Telecommunications Act of 1996 in that respect.
Here is a new entry for the annals of "depublishing" — the practice of removing or altering electronic articles after publication. (For background, see Greg Ritter's now-classic blog post on Dave Winer's depublishing in Scripting News, "The Ethics of De-Publishing.") This time, depublishing has lived up to its Orwellian promise, as political activists and the media have swallowed the altered version of history.
On May 1, 2003, the Whitehouse's Office of the Press Secretary released this press release, announcing "President Bush Announces Combat Operations in Iraq Have Ended." But then, with airbrush magic, now the same press release has been changed to this, which reports "President Bush Announces Major Combat Operations in Iraq Have Ended." No update on the page, no indication of when the change occurred, indeed, no indication that any change occurred at all. Instead, there is a robots.txt file disallowing all sorts of activities that might verify the government. (Why does any government agency believe it has the power to post a robots.txt file?)
Why would you need to check up on the Whitehouse, you might ask? Who would be so unAmerican as to doubt the veracity of the Press Office? Great question for these queered times. And if you obey the code of the robots.txt file, you’ll never need to worry.
The rub, of course, is in the word major. The original press release implies that combat operations are, well, ended. The silently doctored version makes the President seem better acquainted with the situation and prescient. The motives behind this are as old as politics itself, so the only thing that would seem to be new is the technology. However, something deeper is going on here.
The mainstream press, and even some Bush bashers, have swallowed the altered version of history. A Google News search for "major combat operations" & Iraq yields over 1,100 hits. Keep in mind that Google News indexes only mainstream sources, that its index only lasts a week or two, and that a comprehensive Lexis-Nexis search would probably yield tens or hundreds of thousands of hits. Here is a sampling of the first few Google hits. Note how each one treats the depublished ("afterpublished," really) word major as an historical fact:
The 1 December issue of CIO Magazine has an article on the technological and economic hurdles standing in the way of widespread RFID adoption: "The RFID Imperative." The article makes only passing reference to many of the social implications of RFID, but the sidebars link to several other recent CIO articles covering those issues. Thanks go to Ernie the Attorney for the heads up.
The government of Mexico is threatening to charge three of its citizens with treason. They are executives of a company called Soluciones Mercadologicas en Bases de Datos, which sold a database of private information on 65 million Mexican voters to ChoicePoint, an Atlanta-based database company. ChoicePoint bought the data at the behest of the U.S. government shortly after 11 Sept. 2001 to help bolster Uncle Sam's investigation of terrorism.
The database contained such private information as the number of cars owned in households and unlisted phone numbers. If nothing else, this episode highlights the incumbent dangers when a government, any government, collects massive amounts of data on its citizens without a compelling and clearly articulated purpose. What, for example, does voter registration have to do with the number of cars one owns?
The Macon Telegraph has the story: "Mexican company officials may face treason charges."
Neil J. Rubenking of PC Magazine explains and rates blog tools in this month's issue ("Blog Tools"). Top honors went to TypePad, the hosted version of Movable Type — the engine behind DTM :<|. Thanks go to Sabrina Pacifici of beSpacific for the heads up.
The State of Ohio moved to block deployment of e-voting machines last week. The move follows the release of a report [pdf] commissioned by the Secretary of State that revealed serious security flaws. Wired News reports ("Ohio Halts E-Voting Machines") that "some of Ohio's 88 counties still will be using punch-card systems for the 2004 election." Unfortunately, there seems to be no viable alternative.
John Borland of C|Net wrote an interesting column last Thursday, asking whether RIAA's lawsuits against P2P users were having the desired deterrent effect ("RIAA lawsuits yield mixed results"). "At the core of the RIAA's strategy has been the attempt to persuade as many people as possible to stop trading copyrighted files online. This appears to be working in at least some groups, but the evidence is mixed at best." That same day, he also wrote a good summary of the compulsory licensing discussion in Canada: "Should ISP subscribers pay for P2P?"
I finished writing my formal summary and commentary on the CAN-SPAM Act for the Journal of Internet Law. I would like to thank everyone who posted and emailed comments over the last two weeks; they all helped me clarify the issues. Several of you asked me to post the paper here. I will do so, as soon as I get "permission" (i.e., confirmation that posting it here will not jeopardize its publication next month). Meanwhile, my preliminary thoughts are still available here.
Yesterday, SCO President & CEO Darl McBride released an Open Letter on Copyrights to defend his company's position in ongoing litigation to the public. Pamela Jones over at GrokLaw called it "Darl McBride's 'Greed is Good' and it's constitutional too manifesto."
He goes to great lengths to portray the Free Software Foundation and others as cranks:
[T]here is a group of software developers in the United States, and other parts of the world, that do not believe in the approach to copyright protection mandated by Congress. In the past 20 years, the Free Software Foundation and others in the Open Source software movement have set out to actively and intentionally undermine the U.S. and European systems of copyrights and patents. Leaders of the FSF have spent great efforts, written numerous articles and sometimes enforced the provisions of the GPL as part of a deeply held belief in the need to undermine or eliminate software patent and copyright laws.
Then he introduces SCO's view:
At SCO we take the opposite position. SCO believes that copyright and patent laws adopted by the United States Congress and the European Union are critical to the further growth and development of the $186 billion global software industry, and to the technology business in general.
McBride fails to realize that the GNU Public License depends on copyright law for its very existence. Lawrence Lessig had perhaps the most concise response to this point (and the rest of his response is worth reading, too):
Despite RMS's aversion to the term, the GPL trades on a property right that the laws of the US and EU grant "authors" for their creative work. A property right means that the owner of the right has the right to do with his property whatever he wishes, consistent with the laws of the land. If he chooses to give his property away, that does not make it any less a property right. If he chooses to sell it for $1,000,000, that doesn't make it any less a property right. And if he chooses to license it on the condition that source code be made free, that doesn't make it any less a property right.
I love it when companies are willing to spend money to clarify the law in areas where it is murky. Playboy used to be great in this area, filing many suits that pushed copyright and trademark law into the digital age at a time when the Internet had barely entered the popular lexicon. Many of those cases went all the way to judgment and appeal — which gave something back to the public, in exchange for the judicial resources that Playboy consumed.
Now Google has started. Last week the search company filed a declaratory judgment action against American Blind & Wallpaper Factory, asking the U.S. District Court in San José to clarify its rights. American Blind (among many others) has complained recently to Google about Google's sale of keywords to its advertisers. Google has been fairly responsive about such trademark requests, but AB and others frequently claim to have rights in words and phrases that do not precisely match their registered or common law trademarks. They do have some trademark-like rights in such terms, but it is often difficult to discern exactly what they are. This case should help.
Earlier this week the State of Ohio joined Maryland and California in criticizing the electronic voting products currently on the market. Ohio's Secretary of State announced the findings of a comprehensive study of several electronic voting systems. (Summary of Findings & Recommendations [pdf], full report [pdf]) The result: 57 potential security risks.
Diebold Election Systems had five high potential risk areas, two medium and eight low potential risk areas. [Election Systems & Software] had one high potential risk area, three medium and 13 low potential risk areas. Hart InterCivic had four high potential risk areas, one medium and five low potential risk areas. Sequoia Election Systems had three high potential risk areas, five medium and seven low potential risk areas. [Hyperlinks added]
Thanks go to Ed Felten (Freedom to Tinker) for the heads up.
Derek Slater reports the tribulations of Asheesh Laroia, a student at Johns Hopkins University. Despite never having received a cease & desist letter, JHU cut off access to the memoranda. Even after Laroia informed JHU that Diebold had retreated (1, 2), the university persisted, writing that it "cannot allow its resources to be used in violation of copyright law, whether or not the holder of the copyright (in this case Diebold) plans to prosecute."
All I can say is I am glad I am not a student there.
There have been many questions about how a do-not-spam registry should be implemented. This proposal suggests a funding regime for the registry and the highest-level logical operation of its database. My plan would allow consumers to choose (through market forces) an opt-in system while still adhering to the overall opt-out structure of the CAN-SPAM Act. For that reason, I believe it solves some of the nagging First Amendment problems that come with a government-mandated opt-in system.
If you have not already seen my summary of the CAN-SPAM Act, I suggest you check it out before reading this.
The registry should not necessarily be funded by taxes, because that would require people without email accounts to share the burden of a system that carries no direct benefit for them. ISPs stand to benefit the most (in financial terms, at least), because a successful registry will reduce their bandwidth and other costs substantially. I would hesitate to levy mandatory fees on ISPs because they would look too much like the fees imposed on Bell companies to fund rural telephone lines and the 911 system. I would prefer to leave ISPs as unregulated as possible while still having them share in the cost of the registry. I would not be averse to paying a few dollars to get myself into the registry, but ISPs should not have a free ride while consumers fund the entire thing.
My proposal is to make ISPs intermediaries between the FTC, which would manage the registry, and consumers, who will have ultimate control over the status of their addresses.
First, charge ISPs a monthly fee for having their domains listed in the registry. This fee would be assessed according to the number of email addresses at each domain, and those addresses would be automatically opted out of receiving spam. If a user wants to change that status, he would ask his ISP, which would relay the request to the FTC. An ISP would be charged a small transaction fee for each username it changes from its default status, as an incentive to "guess" what most customers will prefer. Individuals whose ISPs do not list their domains in the registry would have the option of opting out individually, paying the same transaction fee directly to the FTC. This option would be available to anyone in the U.S. with an email address, even those who maintain email addresses at their own personal domains and do not use an email address provided by an ISP.
To keep the size of the database's output manageable, it would need to spit out three separate lists. The first list would contain all the domains listed in the registry. The second list would contain all the individual email addresses that have requested opt-out status. Any email address covered by these two lists would be off-limits to spam. The final list would contain the addresses of ISP customers who have decided to switch away from their ISPs' default opt-out status. Addresses on list #3 are fair game for spam.
My plan would require some taxpayer funding for startup costs, although these could be recouped over the first few years by charging slightly higher fees during that time. After that, the monthly fees for listing domains and the per-user transaction fees would cover operational costs. ISPs will inevitably pass some of those costs on to consumers. However, there is harsh competition among ISPs, so the market would quickly allocate those costs efficiently. I believe this is more equitable than a program funded wholly by taxes. The recently-implemented do-not-call registry is funded by taxes because telephone penetration is nearly 100% in this country. However, many fewer people have email accounts than telephones, so full funding by tax dollars seems unfair to me.
The system is national in scope, so it will be large enough that the fees per domain and per user can be small. Only a few indigent people and organizations could legitimately complain about the cost, and these might be exempted from paying fees. To start, the exemptions might be granted to educational institutions, 501(c)(3) organizations, and individuals below the poverty line. I have little experience in this area of social policy, so I would leave it to others to work out those details.
This structure would allow the market to demonstrate once and for all whether the public really favors an opt-in or an opt-out system. Many people have speculated on this question, but the truth is that nobody knows for sure. We may see a surge of subscriber defections away from ISPs that choose to be listed, or we may see a surge of individuals listing their own addresses. The point is that consumers, not the government and not spammers, would finally have direct control over the marketing they receive.
Some feisty discussion has broken out in the comments section of my blog post where I summarized and explained some features of the CAN-SPAM Act. I have been accused of favoring an opt-out system over opt-in. This is probably my fault for overstating my position as a reaction to most people's knee-jerk favoring of opt-in.
I do not favor opt-out in all its manifestations — I just think that most people decide to favor opt-in without considering the issues thoroughly. There are serious free-speech problems with the government mandating a regime that forbids a certain type of speech to be distributed in a certain channel. Those problems are reduced (although not entirely eliminated) by an opt-out regime that provides consumers with an en masse opt-out mechanism like a do-not-spam registry. The problems are further reduced the more fine-tuned the en masse mechanism becomes. The present FTC/FCC do-not-call registry is a blunt instrument, requiring consumers to choose all or nothing.
Someone may yet convince me that opt-in is the way to go; but, until that happens, I choose to err on the side of free expression.
Oz is about to get its own national spam law, and I am curious to know how it differs from the American CAN-SPAM bill, which I have written a lot about in recent days. If anyone can find the text of the Australian bill online, please let me know.
Elisabeth Rader has a summary of the 7th Circuit's decision in Assessment Technologies v. WIREdata. I will not get a chance to read the full text of the decision until next weekend, but it promises to be quite interesting. (Thanks go to Donna at Copyfight for the link.)
I just found this delightful web site, Yesterday's Tomorrows. It is the Internet arm of a traveling Smithsonian exhibit on the history of technology prediction. "From ray guns to robots, to nuclear powered cars, to the Atom-Bomb house, to predictions and inventions that went awry."
Zachary Seward reports in the Harvard Crimson that a Diebold spokesman confirmed that the company will not sue students who posted internal company memoranda on the Internet ("Diebold Won't Sue Students"). Thanks go to John Palfrey for the heads up. The article has one interesting point that bears mentioning here:
In one memorandum from April 23, 1999, [a Diebold] employee acknowledges a flaw in one of the company's electronic ballots. "I don't expect you will see a fix in time for the election," the employee writes, "since it is tomorrow." Diebold will not comment on the memoranda but has said that any imperfections in their systems have subsequently been fixed.
Note that this claim can be interpreted to apply only to those particular ballot problems: tailor-made plausible deniability. It does not claim to have fixed the security flaws found in two independent reviews earlier this year. In one review, researchers at Johns Hopkins and Rice universities found weaknesses that could easily allow someone to cast multiple votes for one candidate. (Report (pdf), press release) The other report, conducted for the State of Maryland, concluded that flaws exist but are unlikely to cause practical problems in real elections, provided that external safeguards are in place. (Report (pdf))
Also recall that Diebold is the only manufacturer of ATMs in the world whose machines have become infected with a worm.
The search engine watchdogs have argued fiercely over Google's most recent update, dubbed "Florida," since it was implemented two weeks ago. See, e.g., Barry Lloyd's article on Search Engine Watch: "Been Gazumped by Google? Trying to make Sense of the 'Florida' Update!" Last week, prolific writer Seth Finkelstein weighed in, arguing that Google had installed Bayesian filters ("Google Bayesian Spam Filtering Problem?").
Yesterday, Seth reiterated in his blog his strong belief that blogging will remain an insignificant source of political power, relative to Big Media. ("Recent Report Readership - Statistical Analysis") The evidence? His referrer logs, which indicate most of his hits coming from a Slashdot comment (60%) and much smaller numbers coming from his own site (6%) and miscellaneous "noise." However, he dismisses nearly a quarter of his hits that came without a referrer as having come from Slashdot. I do not think this is valid. I, for one, have disabled referrer logging in my browser, and I followed a link to Seth's report that I found in a blog. Aside from others like me, there are probably many people who copy/pasted the URL from an email, which might have registered in the referrer log as having no source.
No, the blogosphere is not presently as big or as powerful as Big Media. However, Seth dismisses its potential too readily.
BBC News reports a new twist on an old scam. ("E-commerce targeted by blackmailers") A Russian organized crime syndicate is allegedly threatening e-commerce sites with distributed denial of service (DDoS) attacks unless they pay protection money.
Last year it was Wal-Mart; this year it is Best Buy. Every holiday season, someone gets worked up over FatWallet, a company that aggregates information about retail sales on its web site. Working at its best, FatWallet publishes the information before the sale starts — the point being to help consumers plan their shopping. Retailers, however, jealously guard their sale information for fear that it could give their competitors an advantage — especially in the Thanksgiving-to-Christmas season, which accounts for the bulk of retail profits for the year. Every year, in this season of giving, major retailers serve FatWallet with legal demands to take down the information under the Digital Millennium Copyright Act (DMCA).
So far FatWallet has successfully fought back with § 512(f) of the DMCA, which prohibits abuse of the rest of the Act. Last year, FatWallet only sent letters to the bullying retailers, explaining that they were abusing the DMCA. Last week, FatWallet sued Best Buy under § 512(f), seeking money damages to cover the costs FatWallet incurred while responding to Best Buy's specious demand. See FatWallet's press release here and its complaint here (pdf).
Update: It was inexcusable neglect when I first posted this entry that I forgot to link to EFF's classic article, "Unsafe Harbors: Abusive DMCA Subpoenas and Takedown Demands."