Saturday, 31 January 2004
Confusion in a CAN
Lack of clarity in the law is generally a bad thing, although I will note one exception. Securities regulators have often said that they intentionally decline to clarify what, exactly, constitutes bad faith, unfair dealing, misappropriation of information, and other things forbidden by securities laws. The reason? Financial types are smart and act in the marketplace with blinding speed. The instant after regulators clearly define those concepts, some unethical investor will find a way to do anything he wants by staying just outside the articulated definition.
Is this situation analogous? Probably not. First off, I do not believe the CAN-SPAM Act is as unclear as the folks interviewed for the Wired article article think it is. Then again, I am a lawyer, and the article says, "In the rush to understand what Can-Spam requires, many people without legal training fell back on their own readings of the law, said Anne Mitchell, President and CEO of the Institute for Spam and Internet Public Policy, or ISIPP, which hosted the [Spam and the Law Conference]. As a result, she said, confusion about Can-Spam is rampant."
I certainly would not be able to read the statute as well as I can now if I had not gone to law school. However, I can offer a partial solution. The February issue of the Journal of Internet Law should be shipping right about now, and my paper on the Act is in it. I tried hard to explain the law and some of the technology in a way that non-lawyers and non-techies can understand. As promised, I will post the paper here after the JIL hits news stands.
Yesterday, the Federal Trade Commission (FTC) made its first proposal for a mandatory label for "adult" spam. (Via C|Net) The CAN-SPAM Act requires the FTC to pass a rule by the end of March establishing such a label for sexually-explicit spam. The FTC is now seeking public comment on its label, and the comment period will end on 17 February. What label did the FTC propose? "SEXUALLY-EXPLICIT-CONTENT:."
At first glance, this character string seems to be long enough and specific enough that the unwary are unlikely to trigger it accidentally and have their (presumably legitimate) email filtered out of recipients' inboxes. However, the law of large numbers guarantees that someone, somewhere, will trigger this by accident.
Furthermore, the Act requires that this label be the first thing the user sees when he opens the email — before he sees any of the labelled content. The purpose, of course, is to protect children from "adult" content. Unfortunately, I can think of few labels that would more quickly attract the attention of every minor I know.
I would prefer a label containing a long string of randomly-generated characters that could never be confused with the email's real content — i.e., a string of a thousand or more characters that might resemble a PGP key. True, this solves only the first problem. It would become familiar to porn-seeking children everywhere soon enough. I doubt there is any way to prevent that.
It was bound to happen sooner or later. A federal District Judge in Los Angeles has struck down a provision of the USA PATRIOT Act as unconstitutional. The New York Times highlights the First Amendment argument advanced by the Humanitarian Law Project: "[S]everal humanitarian groups that work with Kurdish refugees in Turkey and Tamil residents of Sri Lanka had sued the government, arguing in a lawsuit that the antiterrorism act was so ill defined that they had stopped writing political material and helping organize peace conferences for fear that they would be prosecuted."
The provision at issue forbids U.S. citizens from giving "expert advice or assistance" to known terrorist groups. As written, this language would prevent a dentist from cleaning a terrorist's teeth — there is nothing to limit the prohibition to advice or assistance that could be used to further terrorism. The court summarized this shortcoming: "The USA Patriot Act places no limitation on the type of expert advice and assistance which is prohibited, and instead bans the provision of all expert advice and assistance regardless of its nature." Naturally, this vague rule would encompass "unequivocally pure speech and advocacy protected by the First Amendment." Therefore, the First Amendment demanded that it be struck down.
Siva Vaidhyanathan, a media scholar at New York University, calls anecdotes like [the Diebold/electronic civil disobedience affair] "copyright horror stories," and there have been a growing number of them over the past few years. Once a dry and seemingly mechanical area of the American legal system, intellectual property law can now be found at the center of major disputes in the arts, sciences and — as in the Diebold case — politics. Recent cases have involved everything from attempts to force the Girl Scouts to pay royalties for singing songs around campfires to the infringement suit brought by the estate of Margaret Mitchell against the publishers of Alice Randall's book "The Wind Done Gone" (which tells the story of Mitchell's "Gone With the Wind" from a slave's perspective) to corporations like Celera Genomics filing for patents for human genes. The most publicized development came in September, when the Recording Industry Association of America began suing music downloaders for copyright infringement, reaching out-of-court settlements for thousands of dollars with defendants as young as 12. And in November, a group of independent film producers went to court to fight a ban, imposed this year by the Motion Picture Association of America, on sending DVD's to those who vote for annual film awards.
The Apple Macintosh turns 20 years old today. To honor that milestone, the San Francisco Chronicle ran this interesting, front-page retrospective: "The Machine that Changed the World: The First Human-Friendly Computer, the Mac, Turns 20."
Apple does its part, too, preserving for posterity its famous "1984" Super Bowl advertisement.
C|Net reported yesterday that Microsoft apologized for threatening 18-year old Canuck Mike Rowe with a lawsuit ("Microsoft: We took MikeRoweSoft too seriously"). The young entrepreneur was using the domain Mikerowesoft.com in his part-time web design business. A company spokesman said, "We appreciate that Mike Rowe is a young entrepreneur who came up with a creative domain name. We take our trademark seriously, but maybe a little too seriously in this case."
The California Voter Foundation issued a news release a few days ago that gives a nice summary of recent developments regarding adoption of evoting machines in California. I will not regurgitate the summary here, but I will highlight a theme that seems to permeate each episode. Each time Diebold betrayed the public trust, it asked Californians to take it on faith that its breach was minor, inconsequential, or, as CVF writes, merely "cosmetic." An old saying keeps coming to mind: "Fool me once, shame on you. Fool me twice, shame on me."
Sorry for not being at the top of my blogging game recently. As I wrote in this space ten days ago, I started a new job last week. I did not mention at that time that I am moving to San Jose to be closer to my office. As soon as things calm down a bit, I will start blogging more regularly. In the meantime, you will have to put up with sporadic updates.
The Winnipeg Sun reports that McDonald's has confirmed that it is using biometrics in a payroll application in about half its restaurants in that city. Instead of punching time cards when they start and finish their shifts, employees run their hands past fingerprint and palm scanners. The devices are plugged directly into the company's computerized payroll system, which records the employee's working hours. The efficiency gains are obvious: "At McDonald's, the scanners are connected to the payroll department and save on paperwork, [McDonald's spokesman Ron] Christianson said. They also free managers from record keeping and get them out working with staff and the public, he added." Unfortunately, the restauranteur has failed to think through the privacy implications of this pilot program.
McDonald's does pay lip service to privacy: "Christianson said McDonald's will only use the prints for the stated purpose and has educated workers about its privacy policies and hired a privacy manager. There have been no complaints from Winnipeg workers about the time clock alternative." However, McDonald's does not appear to have subscribed to the best practices written by the BioPrivacy Initiative or any other published set of best practices. (Despite its name, the BioPrivacy Initiative is a biometrics industry trade group, not a privacy advocate.)
For example, McDonald's does not appear to have clearly and bindingly defined the scope of its biometric program. It is using biometrics solely for payroll purposes right now, but nothing would stop it from expanding the program to encompass other purposes tomorrow. A company spokesman's apology is little consolation for a long-gone former employee who falls victim to identity theft down the line. There is no indication that McDonald's is storing its employees' biometric templates separately from their other personally-identifying information, such as names and addresses. Christianson does not say anything about independent auditing of the company's biometric applications. Most importantly, there does not appear to be any ability for employees to control the use of their biometric data, nor does there seem to be any meaningful alternative for those who would prefer to opt out of the program.
In McDonald's defense, my sole source of knowledge of its biometrics program is the press, and this may simply be a case of newspapers oversimplifying the situation and failing to report all the facts. I have been surprised like that before. Unfortunately, this does not "smell" like such a case.
C|Net reports that a group of ISPs and telecommunication companies have banded together to create a "neighborhood watch" program for fighting spam. This is the sort of industry self-help that the CAN-SPAM Act encourages with its liability shield for private mail-handling policies. This partnership seems to go beyond similar efforts that existed in the past. Is this one attributable to CAN-SPAM? Probably not, but the law certainly did not hurt.
Lawrence Lessig blogged this morning on MoveOn's announcement of the winners of its "Bush in 30 Seconds" contest. He took the opportunity to comment on the "big picture" of participation in politics via electronic media. It was nice to see that he basically agrees with the thesis I put out there in my college thesis paper, "The Futures of ePolitics: Assessing Predictions of Political Discourse on the Internet."
Last week, Uncle Fed (specifically, the Department of Justice, the FBI, and the Drug Enforcement Administration (DEA)) asked the FCC to force providers of voice-over-Internet protocol (VoIP) services to provide easy "wiretapping" capability to federal and local authorities. See Declan's report on C|Net: "Feds seek wiretap access via VoIP." A few comments are in order before the press mangles this situation and manages to obscure the facts. (Not to impugn Declan; I thought his article was good.)
Lawyers are in the language business, so we should examine the word wiretap to shed some light on exactly what Uncle Fed is asking for. Webster's Dictionary defines wiretap as an intransitive verb meaning "to tap a telephone or telegraph wire in order to get information." This definition is too circular to be useful at first, but this circularity becomes important later. Dictionary.com's nominal definition is a better starting point: "A concealed listening or recording device connected to a communications circuit." This was an accurate physical description when the term arose, during electric telegraphy's youth.
In those days, telegraphic circuits were hard-wired — that is, each pair of telegraph stations was connected by a single wire with one operator at each end. (Busy pairs of stations were connected by multiple wires, each one having operators at both ends.) Each transmission wire was plugged into a magnet-driven apparatus at each end that translated incoming electric signals into audible sounds and generated outgoing electric signals when the operator pressed a button. For an excellent beginner's text on early telegraphic technology and the economic and cultural developments it spawned, see Tom Standage, The Victorian Internet (1998).
In this environment, police had two options for surreptitious surveillance: (1) force the operator to disclose a message's contents after he received it, or (2) intercept the signal between the stations. Option 1 was inefficient because it was slow (the police had to wait for someone else to translate the message from Morse code and deliver it to them), and operators could not always be trusted to keep surveillance secret. Therefore, laws were passed that made option two mandatory. Telegraph companies were required to cooperate with the installation of a device (the "tap") onto their transmission wires that allowed the police to siphon off a tiny amount of the electric signal between two stations and send that signal to a police-operated station.
Later, switching technology made telegraphy more flexible. A switching device made temporary connections between transmission wires coming into the telegraph station. This allowed one operator (or more, at busy stations) connected to the switch to monitor several incoming wires simultaneously. Wiretap devices evolved in lock-step with switches and were quickly moved inside the switches so that fewer taps could monitor more transmissions without being physically reinstalled over and over. Whether this new configuration continued to qualify as "tapping" a "wire" is debatable. Early switching devices made temporary physical connections between telegraph wires by means of a third wire. Early switch tapping devices siphoned the electric signal off this switching wire, so there is a plausible argument that the term was still an accurate physical descriptor. Today we would understand the tapping devices as monitoring the operation of the switch device, not an individual wire within the switch. While wiretapping remained a reasonably good logical description of the tapping device's function, its accuracy as a physical descriptor was highly questionable.
The point to take from this is that wiretap first became an ambiguous term more than a century ago. Now reconsider Webster's circular definition, "to tap a telephone or telegraph wire in order to get information." Webster probably intended to denote the tapping of a circuit, not a wire, but we can forgive lexicographers for not being electrical engineers. However, Webster's definition unambiguously means eavesdropping on a single transmission or group of transmissions between two specified end points. In my experience, this is how law enforcers, laymen, and journalists all use the term. To convey the idea of collecting more than this information, they use such words as surveillance, eavesdropping, or data sniffing.
If the introduction of circuit switching made wiretap an ambiguous term, then the introduction of packet switching renders it positively useless. Packet switching is the transmission technology underlying the Internet Protocol, which is used for all Internet (and most local area network (LAN)) transmissions. Packet switching involves breaking data down into tiny pieces ("packets") and sending each packet across the network individually. This system eliminates the need for circuit switching, which dedicates a circuit to each transmission for the duration of that transmission. Few transmissions use the circuit continuously, so circuit switching inevitably involves inefficient "down time" for active circuits. Consider, for example, how frequently people pause while talking on the telephone. No information is transmitted during these pauses, but their circuit is monopolized nonetheless. Other callers cannot use this circuit until the first call ends — which forces the phone company to install a sufficient number of circuits to carry the maximum foreseeable number of transmissions simultaneously. This extra infrastructure is expensive to install and maintain.
Packet switching allows a small number of circuits to accommodate many transmissions because each one uses the circuit only while information is being actively sent. During each pause, the circuit is used for other transmissions. Additionally, different packets from the same transmission often take different routes across the network. Intermediate nodes will send packets along different routes to bypass busy sections of the network to avoid delays, among other reasons. Since packets must reach the destination individually, it must contain complete addressing information so that intermediate nodes can route it appropriately.
The same features that make packet switching more efficient than circuit switching also make it cheaper. (Sarcastic aside: This is as close to a "law" as the "science" of economics can offer us.) They also make it much more difficult to monitor communications. By definition, packets of information do not all travel through a packet-switched network by the same route. Therefore, there is no central box inside which to install a tapping device, as there is in circuit-switched networks.
The good news for law enforcers is that there does exist a place where all packets of a transmission must pass through before they are dispersed. That place is wherever the sender connects to the Internet backbone. "Backbone" is the name for high-speed networks that carry most Internet data until that data gets very close to its destination, at which time it is moved to a smaller (and usually private) network. All packets must travel from the sender's computer to the backbone through some identifiable means of transmission, be it in a cable or via wireless transmission in a form such as Wi-Fi.
The bad news for law enforcers is that each computer (or network) that connects to the Internet is connected via its own "pipe." They must install "tapping" devices on the connection used by each individual computer whose users' communications they intend to monitor. This requires that they get much closer to the target of the surveillance than they did with circuit-switched networks. In the old days, they could install tapping devices inside the switch at the telephone company's office. Conceivably they might do something similar at the target's Internet service provider (ISP). The FBI's (since-renamed) Carnivore project was an example of this. Unfortunately, this arrangement monitored traffic from all the ISP's customers, not just the intended surveillance target. In order to separate the target's transmissions from everyone else's, Carnivore has to read all packets that pass through. The only real solution to this problem is to install a device very close to the target — for example, in the cable that physically connects him to his ISP or at the antenna via which he transmits information to his ISP. This poses two main problems. First, the target may notice an unfamiliar device outside his house or office and become aware of the surveillance. Second, it is expensive because the police need to build many more devices and pay officers for the time it takes to install them at disparate locations.
By now, the linguistic difficulty of referring to any surveillance of data transmitted via the Internet as "wiretapping" should be obvious. At this point, I would like to shift direction slightly and briefly address a few related problems.
First, it is far from clear that the FCC has the authority to regulate VoIP as if it were a telecommunication service. It was widely reported last October that a federal judge in Minnesota ruled that VoIP companies provide "information" services, not "telecommunication" services, which means that states cannot regulate them under the Telecommunications Act of 1996. On the other hand, the 9th Circuit ruled earlier that month that the FCC erred in classifying cable broadband as an "information" service rather than a "telecommunication" service.
Second, according to Declan, Uncle Fed wants the FCC to require VoIP providers "to rewire their networks to guarantee police the ability to eavesdrop on subscribers' conversations." This is technically possible only for a few such services. In my understanding, Vonage sells black boxes that take input from a telephone and transmit data through the user's broadband ISP connection to Vonage's network, where Vonage routes it to another Vonage device or to a circuit-switched telephone network. Therefore, Vonage may be able to install devices that "tap" a specified user's conversations. Other services, however, operate in a fundamentally different way. Skype, for example, does not have any communications network at all. Its client software transmits voice data using the same decentralized P2P architecture found in Kazaa, the popular file-sharing client. (Skype was, after all, designed by the makers of Kazaa.) Therefore, Skype has no capability to install tapping devices, even if it wanted to cooperate with a hypothetical FCC order.
Third, as discussed above, to surveil transmissions on a packet-switched network, the police must read all data packets that pass through. If they ignore any individual packet, they may miss a piece of the message they intend to intercept. This makes it an unavoidable certainty that any "packet sniffer" will collect data that is not legally subject to surveillance — it would exceed the scope of all but the most expansive warrants. (Never mind that any warrant so expansive is probably unconstitutional because it would fail to state with particularity the information intended to be collected). Depending on the environment where the sniffer is installed, it may also collect data transmitted by third parties, who are not the intended targets of surveillance and who have a reasonable expectation of privacy in their communications. This is a Fourth Amendment problem of enormous magnitude — one that is well beyond the scope of this weblog.
Fourth, Uncle Fed's own statistics for 2002 show that about 80% of all wiretaps — both federal and state — were for criminal investigations in the course of enforcing drug laws. Only the remaining 20% were used for all other types of investigations. One is left to wonder whether the alarmist language in Uncle Fed's letter to the FCC was disingenuous: "criminals, terrorists, and spies (could) use VoIP services to avoid lawfully authorized surveillance." Uncle Fed tries to make it sound as if wiretaps are already an effective tool against such people when his own statistics show that wiretaps are rarely used against them. It would be another matter entirely if Uncle Fed intended to use VoIP monitoring technology to enforce drug laws. Even then, none of the dope dealers I knew of in college even knew what "broadband" meant — so it was unlikely that any of them had the equipment necessary to use VoIP. Even if drug importers are more sophisticated, the police can still monitor their communications through conventional warrants and responsible police work.
In conclusion, the only thing I can really say is that Uncle Fed's request is problematic, at best — and I am just a guy with an interest in Internet law, not an expert in history, technology, or constitutional law. If Uncle Fed was trying to start a national debate on the merits of Internet surveillance, it is about time we had one. If he thought he could slip this in under the radar, shame on him.
Earlier this week, residents of Broward County, Florida cast votes to fill a vacant seat in the House of Representatives. Unfortunately, their shiny new electronic voting machines — which replaced the punch card system that became the bane of Al Gore's existence — failed to record 134 votes. The voting machines were made by Election Systems & Software. (Via LawGeek)
How so many happened to cast nonvotes remains a riddle. Unlike with punch cards or paper ballots, there's no paper record with electronic voting that might offer a clue to the voter's intent.
The percentage of nonvotes — 1.3 percent — is modest compared to the days of ''hanging'' and ''pregnant chads.'' But in Tuesday's race, every vote was crucial. In a seven-candidate field, Ellyn Bogdanoff beat Oliver Parker by just 12 votes.
Declan explains on C|NET that in March 2003 TTB solicited comments from the general public on "a proposal that could raise the price of malt beverages like Bacardi Breezer and Smirnoff Ice." The Bureau promised: "For the convenience of the public, we will…post comments received in response to this notice on the TTB Web site. All comments posted on our Web site will show the name of the commenter, but will not show street addresses, telephone numbers, or e-mail addresses." Far be it from us to expect an express promise to be kept. Fortunately (for democratic interests) but unfortunately (for TTB), the agency was overwhelmed with comments.
As news of the proposed regulations circulated around malt beverage aficionados online, word-of-mouth took over and comments started flooding in to firstname.lastname@example.org. By October, the Treasury Department had received about 9,900 e-mail messages, plus 4,800 comments sent through the U.S. mail or fax — and decided it could no longer keep its promise.
"The unusually large number of comments received…has made it difficult to remove all street addresses, telephone numbers and e-mail addresses from the comments for posting on our Internet Web site in a timely manner," the Treasury Department said in a follow-up notice, published last month in the Federal Register. "Therefore, to ensure that the public has Internet access to the thousands of comments received…at the earliest practicable time, we will post comments received on that notice on our Web site in full, including any street addresses, telephone numbers, or e-mail addresses contained in the comments."
I am pleased to announce a new stage in my career. This afternoon I accepted an offer from Mount & Stoelker in San Jose, California to become its newest IP litigation associate. I will start next Thursday.
Today would not be complete without marking the anniversary of Elvis Presley's birth. Happy 69th, if you are reading!
Professor Stephen Bainbridge of UCLA Law asks a serious question. A few days ago, he mentioned that a paper in the Yale Law Journal cited his weblog, then he made a flippant quip: "Now the Dean will have to give me credit for the time I spend blogging. Hah!" That flippant quip drew a deluge of responses. (Via Lawrence Solum)
Why not give academic kudos — in some form — to professors who blog? They add to the general environment of intellectual curiosity that universities strive to create, and blogged ideas often grow into "real" academic papers. See my own example: An editor from the Journal of Internet Law saw my blog post on the CAN-SPAM Act and asked me to submit a paper that will be published in the February 2004 issue.
Tom Vail, a veteran tour guide at Grand Canyon National Park has written a new book called Grand Canyon: A Different View (on sale at the Institute for Creation Research). This book encapsulates everything that is wrong with the creation "science" movement, and Vail's own words in the introduction summarize the main problem nicely, despite his obvious contrary intention:
For years, as a Colorado River guide I told people how the Grand Canyon was formed over the evolutionary time scale of millions of years. Then I met the Lord. Now, I have a different view of the Canyon, which according to a biblical time scale, can't possibly be more than a few thousand years old.
In other words, Vail once held a scientifically-justifiable opinion as to the Grand Canyon's origin. Then he underwent a religious conversion and decided that his prior conclusion was inaccurate — without having seen any evidence contradicting it. Finally, he set out to collect evidence supporting his new conclusion. This last step would be a good thing (having more evidence to evaluate is almost always a good thing), except that Vail has decided to cherry-pick the evidence he wants to believe. The geological evidence surrounding the Grand Canyon's formation points overwhelmingly to a slow formation over millions of years, but Vail refuses to give the evidence a fair shake.
The book is currently on sale at the Grand Canyon National Park gift shop, among many other places. It is a small consolation that "the book was moved from the natural sciences section to the inspirational reading section of park bookstores" after the park's irate staff complained, according to the Julie Cart of the Los Angeles Times (via Arizona Republic). At the same time, President Bush's faith-based National Park Service has blocked the distribution of informational pamphlets to park rangers and guides that would allow them to answer visitors' questions on the subject. (Source)
Abandoning the incentives not to report cybercrime (see my last blog entry), Best Buy called in the FBI when it received emails threatening to expose security weaknesses in its e-commerce site unless the retail giant forked over $2.5 million. The Bureau worked with Best Buy to snare Thomas E. Ray III, of Mississippi, the would-be scammer. The most interesting feature of this case is in the tools used by the FBI to catch the alleged blackmailer. The Bureau responded to Ray's messages with its own emails laced with something that allowed it to trace the IP address from which he read them.
Unfortunately, the early press reports are unclear as to exactly what that something was. The St. Paul Pioneer Press reports that the investigation "was aided by a computer-tracing technique." The FBI got "permission from the courts to use a specialized e-mail device — called the Internet Protocol Address Verifier — to track down the author." I have no idea what an "Internet Protocol Address Verifier" is, but it sounds an awful lot like a web bug.
Web bugs are tiny pictures embedded in email messages using HTML. When an HTML-enabled mail client opens the message, it renders the HTML — including any image tags. The sender can embed an image tag that will query his own web server for an image file, then examine his server logs to determine from what IP address the query came. For example, I could send an email with HTML tags pointing to images stored on www.danfingerman.com, then record the IP addresses of all requests for that image. After I collect the IP addresses and dates & times the image was accessed, I could take a page from RIAA's playbook and find a way to intimidate ISPs into telling me which individuals were using each IP address at the relevant date and time. Then I would know who read my email, the exact date and time, and I could get more information with some extra effort — like the reader's home address and phone number or the geographic location where he read the message.
Web bugs got the name bug after spammers started using them to verify email addresses. Recording calls to an image stored in a static location on a web server is not very helpful when you send email to millions of addresses and have no good way to link each IP address & time/date combination to a particular email address. (Believe it or not, the DMCA does have limits.) Spammers began to design web server software with dynamic links to a single image measuring 1x1 pixel. The images are tiny so that most people will not notice them (how often do you really view the source code of your email?) and to make them load quickly — before most people could hit the delete key. The relevant HTML tag written into each individual email would include a directory path that included the address to which that message was sent. Then, the web server's log would record the image request with the email address (as a simple text string) as part of the directory path to the image. This made it obvious which email addresses the queries were coming from. "Verified" email addresses are like gold for spammers, and they would use this information to charge higher prices for their services — because they could now guarantee that a higher percentage of their emails were being delivered to addresses where an actual person would see them.
The Pioneer Press article makes the FBI's Internet Protocol Address Verifier sound a bit like a web bug, but it is ambiguous. For example, it calls the verifier "a specialized e-mail device." Furthermore, the St. Paul Star Tribune had this to say ("Feds thwart extortion plot against Best Buy"):
The federal search warrant was obtained the morning of Oct. 24  and allowed the FBI, with Best Buy's cooperation, to use an Internet device known as an Internet Protocol Address Verifier. It contained a program that automatically sent back a response to Best Buy after the company sent a message to the e-mail address. The response allowed investigators to identify Ray as the sender of the e-mail threats, according to the government.
Assistant U.S. Attorney Paul Luehr said the address verifier was one of several investigative tools the government used to track Ray down.
"It was a tool that helped us confirm that other leads were moving in the same direction," said Luehr, who declined to discuss details of the investigation.
If anyone knows what the heck an Internet Protocol Address Verifier really is, please let me know.
From the "understandable but regrettable" department. A study [pdf] by the Victorian Parliamentary Drugs and Crime Prevention Committee found that individuals and companies were reluctant to report cybercrimes and fraud. Being taken advantage of can be embarrassing, and businesses fear losing revenue after being perceived by the public as insecure or incompetent. These reasons are understandable (and occasionally rational); but, from a social-welfare perspective, I would like to see this trend reverse.
This morning David Bernstein wrote an entry on selective thinking for the Volokh Conspiracy. Ignoring the word "sports" in the second sentence, this is a concise summary of the largest thorn in the side of skeptical inquiry.
I've noticed that Americans have a tendency to publicly attribute any success they have had — anything ranging from winning a Little League playoff game to winning the lottery — to God's intervention on their behalf. But I haven't noticed a countervailing tendency to blame God when things go wrong, an especially annoying defect in the sports world, where victories are freely attributed to Jesus's blessings. If God wanted the Marlins to win the World Series, doesn't that mean he wanted the Yankees to lose? Just once, I'd like to see the losing Super Bowl quarterback tell the media "Guess Jesus really had it in for me today."
Pure VoIP players like Vonage tout their low prices, relative to ordinary telephone service (local plus long-distance). When the big telecom players — AT&T, Verizon, and SBC — announced their plans to launch consumer VoIP services, they all cited the cost savings that VoIP provides. Unfortunately, that cost savings may be illusory at worst or artificial at best:
[S]ome critics say a big reason Vonage and other Internet-based phone providers can cut costs is because they do not have to adhere to the same rules and regulations as the conventional telephone companies on whose local and national networks the Internet providers depend. Even an Internet telephony fan like Jeff Pulver, who was formerly on the Vonage board, acknowledged that a substantial amount of cost savings comes from avoiding the taxes, surcharges and access fees used to support the traditional phone network.
"Vonage benefits by not having to comply with those rules," he said. Mr. Pulver acknowledges that the Internet upstarts are practicing regulatory "arbitrage." But in his view the public policy response should be to deregulate all phone companies.
The fact that Vonage is not regulated and did not pay to build the national network may obscure the real cost of providing Internet-based phone service. Likewise, the cost to customers is not as low as it may seem. While consumers may pay less each month for Internet telephone service than for regular phone service, they cannot obtain the service unless they first have high-speed Internet access — on which they are likely to spend $40 to $70 a month. So the ability to use Internet phone service may actually require a total monthly outlay of $100 or more.
Jonathan Krim of the Washington Post reports that the flow of spam has not decreased since the beginning of the year ("Spam Is Still Flowing Into E-Mail Boxes"). Irresponsible journalism is rare in that paper; this is the only example of it I can recall in several years. Although he does not say so explicitly, Krim's tone throughout the article suggests that the CAN-SPAM Act is a failure. The main unstated assumption, of course, is that five days is sufficient for the Act to reduce spam in a measurable way (the Act became effective on 1 January).
Some reasons why this is irresponsible follow, in no particular order.
Assuming perfect compliance with CAN-SPAM, we should not expect to see any decrease in spam until 10 January. The Act became effective on 1 January and gives spammers a ten-day grace period to remove an address from a mailing list after receiving an opt-out request. Even 10 January is a ludicrously early date to measure CAN-SPAM's success because it assumes that a large number of people submitted opt-out requests on 1 January for spam that was sent on that day. (Spam and opt-out requests sent prior to the Act's effective date are not subject to its requirements.)
Even if it were reasonable to expect the law to have a measurable effect in "Internet time," the evidence that Krim presents in this article could not, even in principle, measure any effect. The "data" comes solely from an informal survey of executives from ISPs and email filtering companies. This is problematic for two reasons. First, anecdotes are not a valid basis for measuring empirical phenomena. Second, these anecdotes come from parties with obvious interests in the effect being measured. ISPs spend lots of money fighting spam and want to eliminate it entirely. Filtering companies sell services to ISPs and consumers. A widespread public perception that spam is a bigger problem than it really is will help ISPs lobby for stricter laws and help filtering companies sell more services. (I am not trying to minimize the spam problem here; I am merely pointing out a probable source of bias in the data presented.)
CAN-SPAM is designed to permit spam to be sent until the receiver opts out or unless the message is deceptive in one of several ways. Therefore, the overall volume of spam (measured at the ISP level, with no knowledge of opt-outs or deceptiveness) bears no relation to the Act's success or failure. Any ISP that claims it can differentiate between misleading spam and non-misleading spam — which several of Krim's interviewees did — has just admitted to reading its customers' email. I wonder whether they first secured permission from those customers?
Laws take time to be enforced properly. After the first case of mad cow disease was uncovered in the U.S., the media widely reported the enforcement problems that both the Clinton and Bush administrations faced with the rules restricting the types of feed that cattle were permitted to consume. Nearly a year after the rules were first implemented in 1997, the compliance rate was estimated at 50%. Five years later, the compliance rate was estimated at 97%. And cattle ranchers are people whom most of us would regard as forthright, upstanding citizens who generally try to comply with the law. Few of us can say the same about spammers — whose livelihood for years has depended on deception and evasiveness. Even if we equate spammers with cattle ranchers, we can look forward to a 50% reduction in illegal spam a year from now — to say nothing of the legal spam that will remain.
I have said many times that we should give CAN-SPAM a reasonable amount of time to work (1, 2, 3, 4, 5, 6, 7). I have said almost as many times that it will probably take one prosecution — either civil or criminal — before the level of spam will drop significantly.
I want spam to stop as much as the next guy. The CAN-SPAM Act is no silver bullet, but it is a reasonable first step. So stop whining and give it a chance to work!
This morning I finally got a chance to read the 9th Circuit's decision in Mattel v. Walking Mountain Productions [pdf], handed down last week. The decision affirms a District Court's grant of summary judgment to Tom Forsythe, the man selling photos of nude Barbie dolls being attacked by kitchen appliances. I think the 9th Circuit's opinion will make an excellent teaching tool in law school courses.
When I took courses on Copyright and Trademarks & Unfair Competition, my casebooks included a few cases that discussed the First Amendment, but I never felt like any case tied up all the loose ends for me. I think Mattel does this. The court did a nice job explaining the intersections between copyright, trademark, trade dress, the First Amendment, and fair use. However, it does not seem to have assumed that many laymen would read its opinion, so it did not spend an excessive amount of ink reasoning from first principles.
Despite its sympathy for free expression interests (which ultimately won the day), the court was not unmindful of the business realities in this case. It began its analysis where Mattel's real interest lay — the market value of its Barbie brand and the potential future value of Barbie dolls and authorized derivative works. However, after detailing the small income that Forsythe realized from his parodic photographs, the court gave us this gem: "Purchases by Mattel investigators comprised at least half of Forsythe's total sales." (page 5, note 3)
The court sprinkled its opinion with language that strongly reinforced the freedom of expression concerns at stake in a case like this. For example, on Mattel's copyright claim:
However one may feel about [Forsythe's] message — whether he is wrong or right, whether his methods are powerful or banal — his photographs parody Barbie and everything Mattel's doll has come to signify. Undoubtedly, one could make similar statements through other means about society, gender roles, sexuality, and perhaps even social class. But Barbie, and all the associations she has acquired through Mattel's impressive marketing success, conveys these messages in a particular way that is ripe for social comment. (page 15)This was immediately followed by footnote 7:
Mattel strongly argues that Forsythe's work is not parody because he could have made his statements about consumerism, gender roles, and sexuality without using Barbie. Acceptance of this argument would severely and unacceptably limit the definition of parody. We do not make judgments about what objects an artist should choose for their art. For example, in [Campbell v. Acuff-Rose Music, Inc., 510 U.S. 569 (1994)], the Supreme Court found that hip-hop band 2-Live Crew's rendition of "Pretty Woman" was a parody because it targeted the original song and commented "on the naivete of the original of an earlier day, as a rejection of its sentiment that ignores the ugliness of street life and the debasement that it signifies." [Campbell,] 510 U.S. at 583. No doubt, 2-Live Crew could have chosen another song to make such a statement. Parody only requires that "the plaintiff's copyrighted work is at least in part the target of the defendant's satire," not that the plaintiff's work be the irreplaceable object for its form of social commentary. [Dr. Suess Enters., L.P. v. Penguin Books USA, Inc., 109 F.3d 1394, 1400 (9th Cir. 1997).]
On the trademark infringement claim:
As we recently recognized in [Mattel, Inc. v. MCA Records, Inc. [pdf], 296 F.3d 894 (9th Cir. 2002), cert. denied, 123 S. Ct. 993 (2003)], however, when marks transcend their identifying purpose and enter public discourse and become an integral part of our vocabulary, they assume a role outside the bounds of trademark law. Where a mark assumes such cultural significance, First Amendment protections come into play. In these situations, the trademark owner does not have the right to control public discourse whenever the public imbues his mark with a meaning beyond its source-identifying function. [Internal quotation marks and citations ommitted.]
The Rogers balancing test requires courts to construe the Lanham Act "to apply to artistic works only where the public interest in avoiding consumer confusion outweighs the public interest in free expression." Rogers, 875 F.2d at 999 (emphasis added [by the Mattel court]). Accordingly, the Rogers test prohibits application of the Lanham Act to titles of artistic works unless the title "has no artistic relevance to the underlying work whatsoever or, if it has some artistic relevance, unless the title explicitly misleads as to the source or the content of the work." [Some internal citations omitted]
The major downside to using this case as a teaching tool is its length — forty pages. Fortunately, the last seven pages deal with procedural issues and attorney fees under the copyright and Lanham acts. These sections could easily be separated from the rest when discussing free expression issues.
The New York Times reports sad passing of Steven Bazerman — the erstwhile IP lawyer whose work pioneered many aspects of the law concerning trade dress and secondary meaning. Among his accomplishments:
Companies today understand the value of such details as the shape of a bottle or the position of a label on a pair of pants. But the idea that these details could be protected under trademark law was largely untested until Mr. Bazerman began taking product imitators to court in the 1980's.Via Furdlog
His legal work helped to build a body of case law around "secondary meaning," which Mr. Bazerman said could include the unwritten, unspoken signals about a product's origin that are given off by its appearance.
Mr. Bazerman [used] consumer surveys to his advantage in…lawsuits, most notably in a case in which LeSportsac sued Kmart in the Southern District of New York for selling a line of bags that looked like LeSportsac's highly successful ripstop nylon luggage and handbags. The Kmart bags did not have labels suggesting they came from LeSportsac, but consumer surveys by both companies showed that many people could not distinguish the origin of either bag. … Today some consider the LeSportsac case the primary case in the development of "trade dress protection" under the Lanham Act.
Sure, it is early, but I am ready to nominate this as the best fair use of the year: Towers are the Players — a translation of Lord of the Rings into hiphop. (Requires Shockwave Flash) Via the Trademark Blog.
How well does a well-marketed brand "stick" in the minds of consumers? Monochrom, an Austrian group describing itself as "an art-technology-philosophy group of basket weaving enthusiasts and theory do-it-yourselfers," did an experiment. Twenty-five people were asked to draw, from memory, a dozen logos for popular brands. The results are, if nothing else, entertaining.
In case anyone needed a concrete example of how the Bush administration imperils both U.S. foreign relations and American citizens' privacy at the same time, check out this Reuters article (via Yahoo!):
Federal Judge Julier Sebastiao da Silva, furious at U.S. plans to fingerprint and photograph millions of [Brazilian] visitors on entering the United States, ordered Brazil's authorities do the same to U.S. citizens starting on Thursday.Via BoingBoing.
"I consider the act absolutely brutal, threatening human rights, violating human dignity, xenophobic and worthy of the worst horrors committed by the Nazis," said Sebastiao da Silva in the court order released on Tuesday.