Tuesday, 31 July 2007
Tuesday, 10 April 2007
Monday, 26 March 2007
Sanctions against KinderStart
I just learned that Google has won a dismissal and sanctions in the lawsuit brought by KinderStart. The dismissal order was without leave to amend, meaning that KinderStart's claims are dead. The court also ordered that KinderStart and its attorneys will be sanctioned.
KinderStart asserted a panoply of claims, including violation of the First Amendment, the Sherman antitrust act, unfair competition and unfair business practices under California law, and defamation. KinderStart's complaint specifically alleges that Google manipulates search results to censor political and religious speech and to boost the search results of companies that pay Google or comply with demands that Google makes. It also alleges that Google reduced KinderStart's position in search results and assigned it a PageRank of zero.
The sanctions come under Rule 11 of the Federal Rules of Civil Procedure. Rule 11 authorizes the court to "impose an appropriate sanction upon the attorneys, law firms, or parties that" file any paper without an appropriate factual or legal basis. "A sanction imposed for violation of this rule shall be limited to what is sufficient to deter repetition of such conduct or comparable conduct by others similarly situated."
In this case, the court found that several allegations made by KinderStart and its attorney, Gregory Yu, are "factually baseless and [that] Yu failed to perform an adequate investigation before filing them." The court will fix the amount of the sanction after it receives supplemental papers from Google "identifying the fees associated with its motion for sanctions and with other motion practice related to the sanctionable allegations. The Court will determine the amount of monetary sanctions after receiving Google's submission and Yu's response."
Tuesday, 20 March 2007
PTO: P2P threatens national security
The U.S. Patent & Trademark Office apparently thought it wasn't in the headlines enough this month. On March 5, it issued a press release announcing a November 2006 report (1.22mb) which claims that P2P networks threaten national security. The logic is, at best, bad and, at worst, intentionally deceptive.
Information Week reports:
The report, which the patent office recently forwarded to the U.S. Department of Justice, states that peer-to-peer networks could manipulate sites so children violate copyright laws more frequently than adults. That could make children the target in most copyright lawsuits and, in turn, make those protecting their material appear antagonistic, according to the report.
Conclusion: Software is to blame when record companies act without social responsibility. The article continues:
File-sharing software also could be to blame for government workers who expose sensitive data and jeopardize national security after downloading free music on the job, the report states.
The basis for this last statement is apparently a bullet point on page 22 of the report, which quotes an unnamed and undocumented source within the Department of Homeland Security as stating: "There are documented incidents of P2P file sharing where Department of Defense (DoD) sensitive documents have been found on non-US computers with no protection against hostile intelligence services." No documentation (or even a footnote) is provided in this report, however. The PTO report does not even state who within DHS made this claim or in what context.
Email me if you're interested in the betting pool on whether this "fact" was made up by DHS or by the PTO.
Wednesday, 14 March 2007
MadTV spoofs Apple's iEverything. Funny!
Tuesday, 27 February 2007
Posner's GPS society
I finally got around to reading U.S. v. Garcia, Case No. 06-2741 (7th Cir. February 2, 2007). I figured the hysterical blog posts were overstating Judge Posner's opinion for the Seventh Circuit. But I may have been wrong.
In Garcia, the defendant was charged with crimes relating to making methamphetamine. The police had received tips that the defendant was making meth, and they gathered evidence by tracking his car. Instead of assigning an officer to follow the car, they placed a GPS device under the rear bumper.
The police placed a GPS (global positioning system) "memory tracking unit" underneath the rear bumper of the Ford. Such a device, pocket-sized, battery-operated, commercially available for a couple of hundred dollars (see, e.g., Vehicle-Tracking, Incorporated, "GPS Vehicle Tracking with the Tracking Key," www.vehicle-tracking.com/products/Tracking_Key.html, visited Jan. 21, 2007), receives and stores satellite signals that indicate the device's location. So when the police later retrieved the device (presumably when the car was parked on a public street, as the defendant does not argue that the retrieval involved a trespass), they were able to learn the car's travel history since the installation of the device. One thing they learned was that the car had been traveling to a large tract of land. The officers obtained the consent of the tract's owner to search it and they did so and discovered equipment and materials used in the manufacture of meth. While the police were on the property, the defendant arrived in a car that the police searched, finding additional evidence. [Slip Op. at page 2]
The court held that this did not constitute either a "seizure" or a "search" under the Fourth Amendment. The police therefore were not required to have a warrant or probable cause — or even a reasonable suspicion that Mr. Garcia had committed a crime.
Under this rule, the police are free to attach GPS tracking devices to any car at any time, and they can probably do it for any purpose. So long as they avoid direct harassment or a similar misstep, they can track protesters who exercise their First Amendment rights. They can track citizens with information embarrassing public officials. They can track ethnic Arabs. And it's (apparently) legal.
I think I agree with the court on the seizure question. The police installed the device without the defendant's knowledge, so he was not deprived of the free use of the car. The device didn't take up any space in the passenger or storage compartments, so it didn't diminish his enjoyment of the car. I suppose the slight additional weight may reduce the car's gas mileage, so it might have imposed a slightly increased cost of operating the car. But that cost is probably negligible, impossible to measure, and overwhelmed by the weight of other cargo. So I would have a hard time calling this a "seizure" of the car.
I think I disagree on the search question, however. Judge Posner wrote (slip op. at pages 4–6):
The Supreme Court has held that the mere tracking of a vehicle on public streets by means of a similar though less sophisticated device (a beeper) is not a search. United States v. Knotts, 460 U.S. 276, 284-85, 103 S. Ct. 1081, 75 L. Ed. 2d 55 (1983). But the Court left open the question whether installing the device in the vehicle converted the subsequent tracking into a search. Id. at 279 n. 2. […]
Fourth Amendment jurisprudence grew up in an era when practical constraints (like manpower and cost) limited surveillance to situations where crime was reasonably probable. Our society's balance between liberty and government power depended on these practical constraints. When a constraint is removed, the balance is upset. This is one of the most fascinating themes of science fiction literature. Imagine some activity that is limited today by practical constraints. Then imagine a technology that removes the constraint and examine the implications of our current laws and values when the activity is unrestrained. Unfortunately, Judge Posner is writing law and not science fiction.
Judge Posner recognizes that a tipping point will come when some new technology allows police to gather information quickly and cheaply on a massive scale where it would otherwise require expensive efforts. At that time, Judge Posner writes, we will have to reexamine the Fourth and Fifth Amendments to see if sui generis violations occur. He even acknowledges that "programs of mass surveillance of vehicular movements" may require the courts "to decide whether the Fourth Amendment should be interpreted to treat such surveillance as a search." (Slip op. at page 8)
Unfortunately, Garcia precludes this possibility and requires its own reversal whenever Judge Posner feels that day has come. If one instance of an act is not a search under the Fourth Amendment, as Judge Posner insists, then two instances of the same act are also not a search. How many does it take? I can't think of a good reason to pick any number. Either the act has Fourth Amendment implications or it doesn't.
The court expressly ignored the possibility that a trespass occurred because Mr. Garcia didn't raise it. (The court assumed the GPS device was retrieved while the car was parked on a public street.) Initially, I thought this might be the answer to my troubling Fourth Amendment concerns, but it isn't. Even if the police retrieve the device while the car is parked in a public place, the fact of tracking on a private road might provide some basis for finding that a search occurred. I don't think this makes me feel better, however, for two reasons. First, most people simply don't drive on many private roads. Second, I don't think Fourth Amendment rights should be that serendipitous — my rights could be different on Tuesday and Wednesday, depending on my schedule.
I don't have a good answer to these issues yet. The only thing I can say for sure is that Judge Posner's reasoning makes me uncomfortable because it is absolute.
Friday, 22 December 2006
This clock harnesses the electrical potential of fresh fruits and vegetables for power. This is one of the most expensive ways I can think of to power a clock. But, then again, you can't eat a used battery. Via Improbable Research.
Tuesday, 15 March 2005
I've been trolled
In the last 24 hours I received several emails relating to my last blog post, "Piracy Phishing." A couple have informed me (one politely, one hilariously) that I have been trolled. The "email" I received from "Jack Meihoff" of LiquidGeneration is a well-executed spoof. Run to your nearest Flash-enabled browser and check out this explanation of the gag.
Saturday, 5 March 2005
"Phishing" is a growing problem. In a cross between spam and scam, an email designed to look like a legitimate query from eBay, your bank, or someone else you trust purports to alert you to some problem and asks you to visit a web site, type in your name and password, and verify some information. The press has spent a lot of ink on this recently.
I just caught a phish with an interesting twist. The email I received purports to be from the Motion Picture Association of America (MPAA). It accuses me of pirating movies and demands an unspecified payment. Then it provides a link which, I am told, will tell me the exact amount I owe to settle the claims of MPAA. The email is quoted below.
Unfortunately, the MPAA has never heard of the sender, Jack Meihoff, and it also states that it does not handle piracy cases in this manner. Also, the MAC address identified in the email is fictitious, and the domain in the link it points to (saynotopiracy.org) is registered to an entity called LiquidGeneration, Inc., incorporated in Illinois. The only individual person associated with its whois entry is one Bruce Freud. He can apparently be reached at:
I can find no mention of Jack Meihoff, Bruce Freud, or LiquidGeneration on MPAA's web site, and Google returns no hits for searches on mpaa.org for those keywords. Very likely, LiquidGeneration wants me to click on the link (which contains a long string of random-looking characters) to verify my email address in its spam database. The email originated from db1.liquidgeneration.com (184.108.40.206). Maybe it even has a payment mechanism and would ask me to type in a credit card number. If anyone out there actually cares, you are welcome to investigate the matter further. For my part, I will shortly send an email to the Federal Trade Commission and the California Attorney General with a link to this post.
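The checks described above (sender domain, originating host, link domain, and the random-looking string in the link) can be automated. The following Python sketch is an added example, not part of the original post; the sample message is constructed, and the sender address, relay names, 192.0.2.x addresses and token value in it are assumptions, with only saynotopiracy.org, db1.liquidgeneration.com and mpaa.org taken from the text.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit, parse_qsl

# Constructed sample message. It is NOT the e-mail from the post, which the
# page does not reproduce; addresses, relays and the token are placeholders.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [192.0.2.1])
\tby inbox.example.com with ESMTP; Sat, 5 Mar 2005 09:12:44 -0800
Received: from db1.liquidgeneration.com (db1.liquidgeneration.com [192.0.2.10])
\tby mx.example.net with SMTP; Sat, 5 Mar 2005 09:12:40 -0800
From: "MPAA Anti-Piracy" <jmeihoff@saynotopiracy.org>
To: reader@example.com
Subject: Notice of copyright infringement
Content-Type: text/plain

Our records show that you downloaded motion pictures illegally.
To view the amount you owe, visit:
http://www.saynotopiracy.org/settle?id=Zk3Qw9Lm2Xc8Vb1Nt7Rp5Hs4Jd6Gf0Ya
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# A long run of URL-safe characters in a path segment or query value is
# typical of a per-recipient token used to confirm that an address is live.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{20,}")


def under(host, domains):
    """True if host equals, or is a subdomain of, one of the given domains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def body_text(msg):
    """Concatenate the text parts of the message (no transfer decoding)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(
        p.get_payload() for p in parts
        if p.get_content_maintype() == "text" and isinstance(p.get_payload(), str)
    )


def analyze(raw, claimed_domains):
    """Return (code, detail) findings for a message that claims to come
    from an organisation owning claimed_domains."""
    msg = message_from_string(raw)
    findings = []

    # 1. The address in From: should sit under the claimed organisation.
    _, addr = parseaddr(msg.get("From", ""))
    from_host = addr.rpartition("@")[2].lower()
    if not under(from_host, claimed_domains):
        findings.append(("from-domain-mismatch", from_host))

    # 2. The last Received header is the earliest hop. Hops recorded before
    #    your own infrastructure can be forged, so treat this as a hint.
    received = msg.get_all("Received") or []
    if received:
        m = re.search(r"\bfrom\s+(\S+)", received[-1])
        origin = m.group(1).lower() if m else ""
        if origin and not under(origin, claimed_domains):
            findings.append(("origin-host-mismatch", origin))

    # 3. Links should point at the claimed organisation, and should not
    #    carry an opaque per-recipient token.
    for url in URL_RE.findall(body_text(msg)):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if not under(host, claimed_domains):
            findings.append(("link-domain-mismatch", host))
        values = [v for _, v in parse_qsl(parts.query)] + parts.path.split("/")
        if any(TOKEN_RE.fullmatch(v) for v in values):
            findings.append(("per-recipient-token", host))
    return findings


if __name__ == "__main__":
    for code, detail in analyze(SAMPLE, ("mpaa.org",)):
        print(f"{code}: {detail}")
```

None of these findings proves fraud on its own, but together they show that nothing in the message ties it to the organisation it names.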
The email follows:
Tuesday, 15 February 2005
ChoicePoint & Privacy
I used to consider myself reasonably well informed about the issues surrounding privacy and information technology. I admit to feeling a little smug when I read Bob Sullivan's article on MSNBC yesterday, about breaches of consumer privacy admitted by ChoicePoint ("Database giant gives access to fake firms"). Mostly, I felt smug about one consumer whom Sullivan quoted as saying she had never heard of ChoicePoint, the data mining company that tries to collect and organize information about every consumer, business, and transaction that occurs in the United States.
However, my smugness vanished when I clicked through to a linked article, by Robert O'Harrow, Jr., of the Washington Post, that describes ChoicePoint in some detail ("ChoicePoint finds wealth in information"). I had no idea the company had reached such an enormous size and was still growing so fast. It was pretty humbling.
Wednesday, 6 October 2004
Blogging For Jobs
I started writing DTM :<| last October, when I was looking for my first job after law school. (I had meant to mention my first blogiversary on Sunday, but I ran out of time.) Last November I had some correspondence with an editor of the Journal of Internet Law, who had read one of my posts on the CAN-SPAM Act, and he asked me to write a paper [pdf] for his journal. As soon as I finished writing the paper, I started using it as my writing sample when I went to interviews. It was a lovely gimmick — asking the lawyers across the table not to circulate my essay because it would soon be published. This would always get them to ask for the story behind the paper, so I got a chance to talk about my blog. About half of them took a look at it after I left.
When I started working for my firm, a few people mentioned that they had skimmed through my blog. A few months later, we hired a new associate. On his first day, he mentioned that he had seen my web site and read some posts in my blog. Thus, in a very short span of time, I was on both sides of the table. Although I was not directly involved in the hiring process for this new associate, he had gone to the trouble to check me out. Not a bad idea, I suppose — we work together a lot now.
When I have time to write a lot for DTM :<| (not so much in the last few months, regrettably), it reflects pretty well the things I think about on a daily basis. That sort of information is hard to convey in a cover letter, resume, and job interview.
Thursday, 19 August 2004
MGM v. Grokster affirmed
Right now I have nothing to add to what is being said on the 9th Circuit's affirmation [pdf] of MGM v. Grokster — except to recommend Ernest's comments, then Derek's Leftovers and Frank's link collection.
...And then let's raise our voices with a collective WOOHOO!!!
Wednesday, 11 August 2004
Gillmor interview in Wired
Among the highlights:
I'm worried, because the forces of centralization are winning almost all of the legal and political fights so far. Note the state attorneys general letter to the P2P folks — full of misinformation and bizarre interpretations of reality, but part of the copyright cartel's war on all forms of media it can't control.
Tuesday, 10 August 2004
CBO releases report: "Copyright Issues in Digital Media"
I have not had time to read the whole thing yet. Having only skimmed the summary and the first few sections, it seems that it could provide a good starting point for debates over new legislation. It is not as heavily laden with economic or legal terms as other analyses have been.
Oh, yeah...and I like the frame it created for the debate. From the summary:
C|Net asks: Are blogs worth the hype?
Thursday, 5 August 2004
FCC subjects VoIP to CALEA
The FCC acted this week on Uncle Fed's request that it subject VoIP providers to CALEA, the Communications Assistance for Law Enforcement Act. Last month, the FBI asked the Commission to exercise its authority to extend the group of technologies to which the act applies to include VoIP — in other words, to expand the reach of cheap and easy "wiretapping" for Uncle Fed and other law enforcement agencies. (Well, not literally "wiretapping," as I explained in detail a few months ago: "Wiretapping & VoIP.")
Yesterday, the FCC adopted a Notice of Proposed Rulemaking and Declaratory Ruling [pdf] in which it concluded that broadband providers whose facilities can be used for VoIP should be subject to the surveillance rules that govern traditional phone service providers:
[T]he Commission tentatively concludes that CALEA applies to facilities-based providers of any type of broadband Internet access service — including wireline, cable modem, satellite, wireless, and powerline — and to managed or mediated Voice over Internet Protocol ("VoIP") services. These tentative conclusions are based on a Commission proposal that these services fall under CALEA as "a replacement for a substantial portion of the local telephone exchange service."
Now, it wants public comment on implementation:
The Commission seeks comment on telecommunications carriers' obligations under section 103 of CALEA and compliance solutions as they relate to broadband Internet access and VoIP. In particular, the Commission seeks comment on the feasibility of carriers relying on a trusted third party to manage their CALEA obligations and whether standards for packet-mode technologies are deficient and thus preclude carriers from relying on them as safe harbors for complying with CALEA.
The kicker? Broadband providers are expected to bear the full cost of this law government program:
With regard to costs, the Commission tentatively concludes that carriers are responsible for CALEA development and implementation costs for post-January 1, 1995 equipment and facilities; seeks comment on cost recovery issues for wireline, wireless and other carriers; and refers to the Federal-State Separations Joint Board cost recovery issues for carriers subject to Title II of the Communications Act.
The New York Times has coverage: "F.C.C. Supports Surveillance Rules on Internet Calls". See also Declan's column from last week, for background info: "FBI targets Net phoning."
Wednesday, 4 August 2004
Quotable in the news
Rob Pegoraro, the Washington Post's "Fast Forward" columnist, has a great quote in last Sunday's column, "TiVo vs. the Broadcast Flag Wavers." Discussing the broadcast flag's unintended blurring of the copyright sphere into the patent sphere, he lamented that TiVo had to ask Uncle Fed for permission to build a feature into the next version of its flagship product. Rob writes:
Huh? Permission? Doesn't the government's involvement in consumer electronics stop with making sure that a gadget doesn't jam your neighbor's reception or electrocute you? Since when do the feds get to vote on product designs? [...] The answer is, since last November, when the FCC voted to require manufacturers to support the "broadcast flag" system by July 1 of next year..., which brings us to TiVo's vaguely Soviet predicament.
Thursday, 29 July 2004
Analyzing popularity of online resources
TRN reports an interesting new method for analyzing popularity of online resources ("Online popularity tracked"). In a nutshell, a group of researchers from Cornell University and the Internet Archive have developed a method for determining the "batting average" of a given resource.
The item description batting average is different from just tracking the output of a hit counter, which measures the raw number of item visits or downloads, said Jon Kleinberg, an associate professor of computer science at Cornell University. "The batting average addresses the more subtle notion of users' reactions to the item description as it appears in the fraction of users who go on to download the item."
Wednesday, 28 July 2004
Arlo uppercuts Jib Jab
The latest Flash cartoon floating around is a hilarious parody of the U.S. Presidential campaign. The animated creation of Jib Jab stars President Bush and John Kerry, dancing to the tune of Arlo Guthrie's classic "This Land Is Your Land" and calling each other names like "right-wing nutjob" and "liberal sissy."
Despite the dangers (see: Idiot's guide to combatting satire), the company that owns the rights to Arlo's song has sicced its lawyers on Jib Jab. (See this CNN report.) President Bush learned first-hand in the last election that nearly any attempt to suppress Internet-based satire will fail spectacularly. Even if you have forgotten the incident, you probably remember Bush's (in)famous quote: "There ought to be limits to freedom."
CORRECTION (28 Aug.): Two days after posting this, I realized that Woody Guthrie, not his son Arlo, wrote "This Land Is Your Land." I meant to post a correction but, unfortunately, managed to leave it in "save as draft" limbo. Yesterday, a concerned neighbor of Arlo's emailed me to set me straight on the facts. She also said that Arlo was unhappy with the record company's actions and that he thought his father would be, too. Then she pointed me to this link. I appreciate it when people constructively (and politely!) point out my mistakes.
Will Florida be the next Florida?
The New York Times reports on one Florida county's inability to keep proper election records after installing expensive new evoting machines. The money quote: "This shows that unless we do something now, or it may very well be too late, Florida is headed toward being the next Florida."
The records disappeared after two computer system crashes last year, county elections officials said, leaving no audit trail for the 2002 gubernatorial primary. A citizens group uncovered the loss this month after requesting all audit data from that election.
Thursday, 6 May 2004
New: Gigalaw has launched the CAN-SPAM Library (www.canspamlibrary.com), a collection of law, articles, studies, commentary, discussion, and links on the CAN-SPAM Act. Well worth reading (and linking). Via GrepLaw.
Thursday, 1 April 2004
Tossing Amazon's cookies
For those not familiar with PTO Rule 56, it requires patent applicants to disclose all sorts of juicy information to the examiner, but only if they have actual knowledge of that information. I find it difficult to believe that a programmer working for Amazon would not have actual knowledge of more than one paper written about browser cookies. Anyone accused of infringing this patent would have a tailor-made inequitable conduct defense.
Monday, 15 March 2004
FBI proposes expansive broadband "wiretap" rules
Declan McCullagh and Ben Charny report on C|Net that Uncle Fed issued a proposal for expedited rulemaking [pdf] which would grant him new and expansive "wiretapping" powers for broadband Internet services. In this case, Uncle Fed is backed by the Federal Bureau of Investigations (FBI), Department of Justice (DOJ) and the Drug Enforcement Agency (DEA).
Two months ago, Uncle Fed asked the Federal Communications Commission (FCC) to do this dirty work for him. FCC Chairman Michael Powell paid some lip service to security concerns at the time, but he has apparently let the request languish. (At least, I have not seen the media report any subsequent FCC actions.) Around that time, I blogged on the word wiretap and complained that it makes a poor analogy to surveillance of digital communications ("Wiretapping & VoIP"). I would like to make the same comment again now and point out that Uncle Fed's newest proposal supports my point even more clearly.
I promise to write more on this in the near future. Unfortunately, I do not have time today to write a multi-volume treatise on the dangers these regulations would pose to civil liberties.
Friday, 12 March 2004
Blundering through security
It appears the U.S. Patent & Trademark Office (PTO) has removed the infamous ricin patent (No. 3,060,165) from its online database. The PTO boasts that it provides all patents since 1976 in searchable text and images of patent pages from 1790. Obviously, this is now false. (Via Ernest, via Dan Gillmor, via Bruce Schneier.)
Half the developed world's patent offices make this patent available over the Internet. Considering that the patent was granted in 1965, I think a few paper copies might also exist. Therefore, this is about as effective a security measure as requiring travelers to show a driver's license before they board an airplane; that is to say, wholly ineffective. All this does is inconvenience the law-abiding American public when it tries to do research.
Ernest makes the important point that the fundamental principle underlying our patent system is that inventors get exclusive rights to their inventions in exchange for full disclosure of the invention to the public. This is hardly the first case where the public has been shortchanged in the name of security. Ernest also has the best summary comment thus far (hyperlink original):
Rest assured Senator, the lack of the patent in the US database means that terrorists will never be able to figure out how to make ricin because even web-savvy bloggers can't get the information very easily .... ooops. Never mind.
Thursday, 11 March 2004
Satan, meet Lucifer. Lucifer, Satan.
"Yes, Microsoft did introduce BayStar to SCO." So admits a representative of BayStar. The tech world was abuzz for a week after a leaked memo linked the two Linux enemies. After SCO denied the then-rumor, BayStar now apparently admits the link.
Wednesday, 3 March 2004
I got two emails after my last post, both asking how to make Proxomitron do what I described. If two people cared enough to write, then a few more must be suffering in silence, so here is the answer.
I am not going to rewrite the Proxomitron help files, which are already excellent. I will, however, give you some entries in my URL Alias List that will help you get started with looking up legal citations. Basically, the entries have to be in this format:
dotstring\1/ & $JUMP(url)
where "dotstring" is the character string you want to trigger the alias and "url" is the url you want to visit. In this example, \1 will take whatever "extra" text you type and plug it into the URL at the appropriate place.
Here are some of my entries to get you started:
In the first example, typing .37cfr1.56 into your browser's address bar would bring up 37 C.F.R. § 1.56, which is PTO Rule 56, requiring inventors to disclose information to the Examiner during patent prosecution. If you replace "1.56" with another section number, you would get that other section number. For example, typing 37cfr1.660 will get you 37 C.F.R. § 1.660, which requires patentees to give notice to the PTO in some cases where patents are challenged.
My recent favorite (one that would benefit any young IP litigator) is the patnum entry. Use this with any patent number (with or without commas, it makes no difference), and you will go instantly to the U.S. patent bearing that number. My new favorite patent is No. 5,920,923, invented by Penn Jillette, of Penn & Teller fame.
For posterity, the other entries listed above will give you (in order): sections of the California Civil Code, sections of the California Evidence Code, and Rules of the Federal Rules of Civil Procedure.
Saturday, 24 January 2004
Happy Birthday, Macintosh
The Apple Macintosh turns 20 years old today. To honor that milestone, the San Francisco Chronicle ran this interesting, front-page retrospective: "The Machine that Changed the World: The First Human-Friendly Computer, the Mac, Turns 20."
Apple does its part, too, preserving for posterity its famous "1984" Super Bowl advertisement.
Wednesday, 14 January 2004
The Winnipeg Sun reports that McDonald's has confirmed that it is using biometrics in a payroll application in about half its restaurants in that city. Instead of punching time cards when they start and finish their shifts, employees run their hands past fingerprint and palm scanners. The devices are plugged directly into the company's computerized payroll system, which records the employee's working hours. The efficiency gains are obvious: "At McDonald's, the scanners are connected to the payroll department and save on paperwork, [McDonald's spokesman Ron] Christianson said. They also free managers from record keeping and get them out working with staff and the public, he added." Unfortunately, the restaurateur has failed to think through the privacy implications of this pilot program.
McDonald's does pay lip service to privacy: "Christianson said McDonald's will only use the prints for the stated purpose and has educated workers about its privacy policies and hired a privacy manager. There have been no complaints from Winnipeg workers about the time clock alternative." However, McDonald's does not appear to have subscribed to the best practices written by the BioPrivacy Initiative or any other published set of best practices. (Despite its name, the BioPrivacy Initiative is a biometrics industry trade group, not a privacy advocate.)
For example, McDonald's does not appear to have clearly and bindingly defined the scope of its biometric program. It is using biometrics solely for payroll purposes right now, but nothing would stop it from expanding the program to encompass other purposes tomorrow. A company spokesman's apology is little consolation for a long-gone former employee who falls victim to identity theft down the line. There is no indication that McDonald's is storing its employees' biometric templates separately from their other personally-identifying information, such as names and addresses. Christianson does not say anything about independent auditing of the company's biometric applications. Most importantly, there does not appear to be any ability for employees to control the use of their biometric data, nor does there seem to be any meaningful alternative for those who would prefer to opt out of the program.
In McDonald's defense, my sole source of knowledge of its biometrics program is the press, and this may simply be a case of newspapers oversimplifying the situation and failing to report all the facts. I have been surprised like that before. Unfortunately, this does not "smell" like such a case.
ISPs & others form "neighborhood watch" for spam
C|Net reports that a group of ISPs and telecommunication companies have banded together to create a "neighborhood watch" program for fighting spam. This is the sort of industry self-help that the CAN-SPAM Act encourages with its liability shield for private mail-handling policies. This partnership seems to go beyond similar efforts that existed in the past. Is this one attributable to CAN-SPAM? Probably not, but the law certainly did not hurt.
Tuesday, 13 January 2004
Lessig on ePolitics
Lawrence Lessig blogged this morning on MoveOn's announcement of the winners of its "Bush in 30 Seconds" contest. He took the opportunity to comment on the "big picture" of participation in politics via electronic media. It was nice to see that he basically agrees with the thesis I put out there in my college thesis paper, "The Futures of ePolitics: Assessing Predictions of Political Discourse on the Internet."
Monday, 12 January 2004
Wiretapping & VoIP
Last week, Uncle Fed (specifically, the Department of Justice, the FBI, and the Drug Enforcement Administration (DEA)) asked the FCC to force providers of voice-over-Internet protocol (VoIP) services to provide easy "wiretapping" capability to federal and local authorities. See Declan's report on C|Net: "Feds seek wiretap access via VoIP." A few comments are in order before the press mangles this situation and manages to obscure the facts. (Not to impugn Declan; I thought his article was good.)
Lawyers are in the language business, so we should examine the word wiretap to shed some light on exactly what Uncle Fed is asking for. Webster's Dictionary defines wiretap as an intransitive verb meaning "to tap a telephone or telegraph wire in order to get information." This definition is too circular to be useful at first, but this circularity becomes important later. Dictionary.com's nominal definition is a better starting point: "A concealed listening or recording device connected to a communications circuit." This was an accurate physical description when the term arose, during electric telegraphy's youth.
In those days, telegraphic circuits were hard-wired — that is, each pair of telegraph stations was connected by a single wire with one operator at each end. (Busy pairs of stations were connected by multiple wires, each one having operators at both ends.) Each transmission wire was plugged into a magnet-driven apparatus at each end that translated incoming electric signals into audible sounds and generated outgoing electric signals when the operator pressed a button. For an excellent beginner's text on early telegraphic technology and the economic and cultural developments it spawned, see Tom Standage, The Victorian Internet (1998).
In this environment, police had two options for surreptitious surveillance: (1) force the operator to disclose a message's contents after he received it, or (2) intercept the signal between the stations. Option 1 was inefficient because it was slow (the police had to wait for someone else to translate the message from Morse code and deliver it to them), and operators could not always be trusted to keep surveillance secret. Therefore, laws were passed that made option two mandatory. Telegraph companies were required to cooperate with the installation of a device (the "tap") onto their transmission wires that allowed the police to siphon off a tiny amount of the electric signal between two stations and send that signal to a police-operated station.
Later, switching technology made telegraphy more flexible. A switching device made temporary connections between transmission wires coming into the telegraph station. This allowed one operator (or more, at busy stations) connected to the switch to monitor several incoming wires simultaneously. Wiretap devices evolved in lock-step with switches and were quickly moved inside the switches so that fewer taps could monitor more transmissions without being physically reinstalled over and over. Whether this new configuration continued to qualify as "tapping" a "wire" is debatable. Early switching devices made temporary physical connections between telegraph wires by means of a third wire. Early switch tapping devices siphoned the electric signal off this switching wire, so there is a plausible argument that the term was still an accurate physical descriptor. Today we would understand the tapping devices as monitoring the operation of the switch device, not an individual wire within the switch. While wiretapping remained a reasonably good logical description of the tapping device's function, its accuracy as a physical descriptor was highly questionable.
The point to take from this is that wiretap first became an ambiguous term more than a century ago. Now reconsider Webster's circular definition, "to tap a telephone or telegraph wire in order to get information." Webster probably intended to denote the tapping of a circuit, not a wire, but we can forgive lexicographers for not being electrical engineers. However, Webster's definition unambiguously means eavesdropping on a single transmission or group of transmissions between two specified end points. In my experience, this is how law enforcers, laymen, and journalists all use the term. To convey the idea of collecting more than this information, they use such words as surveillance, eavesdropping, or data sniffing.
If the introduction of circuit switching made wiretap an ambiguous term, then the introduction of packet switching renders it positively useless. Packet switching is the transmission technology underlying the Internet Protocol, which is used for all Internet (and most local area network (LAN)) transmissions. Packet switching involves breaking data down into tiny pieces ("packets") and sending each packet across the network individually. This system eliminates the need for circuit switching, which dedicates a circuit to each transmission for the duration of that transmission. Few transmissions use the circuit continuously, so circuit switching inevitably involves inefficient "down time" for active circuits. Consider, for example, how frequently people pause while talking on the telephone. No information is transmitted during these pauses, but their circuit is monopolized nonetheless. Other callers cannot use this circuit until the first call ends — which forces the phone company to install a sufficient number of circuits to carry the maximum foreseeable number of transmissions simultaneously. This extra infrastructure is expensive to install and maintain.
Packet switching allows a small number of circuits to accommodate many transmissions because each one uses the circuit only while information is being actively sent. During each pause, the circuit is used for other transmissions. Additionally, different packets from the same transmission often take different routes across the network. Intermediate nodes will send packets along different routes to bypass busy sections of the network to avoid delays, among other reasons. Since packets must reach the destination individually, each one must contain complete addressing information so that intermediate nodes can route it appropriately.
The same features that make packet switching more efficient than circuit switching also make it cheaper. (Sarcastic aside: This is as close to a "law" as the "science" of economics can offer us.) They also make it much more difficult to monitor communications. By definition, packets of information do not all travel through a packet-switched network by the same route. Therefore, there is no central box inside which to install a tapping device, as there is in circuit-switched networks.
The good news for law enforcers is that there does exist a place where all packets of a transmission must pass through before they are dispersed. That place is wherever the sender connects to the Internet backbone. "Backbone" is the name for high-speed networks that carry most Internet data until that data gets very close to its destination, at which time it is moved to a smaller (and usually private) network. All packets must travel from the sender's computer to the backbone through some identifiable means of transmission, be it in a cable or via wireless transmission in a form such as Wi-Fi.
The bad news for law enforcers is that each computer (or network) that connects to the Internet is connected via its own "pipe." They must install "tapping" devices on the connection used by each individual computer whose users' communications they intend to monitor. This requires that they get much closer to the target of the surveillance than they did with circuit-switched networks. In the old days, they could install tapping devices inside the switch at the telephone company's office. Conceivably they might do something similar at the target's Internet service provider (ISP). The FBI's (since-renamed) Carnivore project was an example of this. Unfortunately, this arrangement monitored traffic from all the ISP's customers, not just the intended surveillance target. In order to separate the target's transmissions from everyone else's, Carnivore has to read all packets that pass through. The only real solution to this problem is to install a device very close to the target — for example, in the cable that physically connects him to his ISP or at the antenna via which he transmits information to his ISP. This poses two main problems. First, the target may notice an unfamiliar device outside his house or office and become aware of the surveillance. Second, it is expensive because the police need to build many more devices and pay officers for the time it takes to install them at disparate locations.
By now, the linguistic difficulty of referring to any surveillance of data transmitted via the Internet as "wiretapping" should be obvious. At this point, I would like to shift direction slightly and briefly address a few related problems.
First, it is far from clear that the FCC has the authority to regulate VoIP as if it were a telecommunication service. It was widely reported last October that a federal judge in Minnesota ruled that VoIP companies provide "information" services, not "telecommunication" services, which means that states cannot regulate them under the Telecommunications Act of 1996. On the other hand, the 9th Circuit ruled earlier that month that the FCC erred in classifying cable broadband as an "information" service rather than a "telecommunication" service.
Second, according to Declan, Uncle Fed wants the FCC to require VoIP providers "to rewire their networks to guarantee police the ability to eavesdrop on subscribers' conversations." This is technically possible only for a few such services. In my understanding, Vonage sells black boxes that take input from a telephone and transmit data through the user's broadband ISP connection to Vonage's network, where Vonage routes it to another Vonage device or to a circuit-switched telephone network. Therefore, Vonage may be able to install devices that "tap" a specified user's conversations. Other services, however, operate in a fundamentally different way. Skype, for example, does not have any communications network at all. Its client software transmits voice data using the same decentralized P2P architecture found in Kazaa, the popular file-sharing client. (Skype was, after all, designed by the makers of Kazaa.) Therefore, Skype has no capability to install tapping devices, even if it wanted to cooperate with a hypothetical FCC order.
Third, as discussed above, to surveil transmissions on a packet-switched network, the police must read all data packets that pass through. If they ignore any individual packet, they may miss a piece of the message they intend to intercept. This makes it an unavoidable certainty that any "packet sniffer" will collect data that is not legally subject to surveillance — it would exceed the scope of all but the most expansive warrants. (Never mind that any warrant so expansive is probably unconstitutional because it would fail to state with particularity the information intended to be collected). Depending on the environment where the sniffer is installed, it may also collect data transmitted by third parties, who are not the intended targets of surveillance and who have a reasonable expectation of privacy in their communications. This is a Fourth Amendment problem of enormous magnitude — one that is well beyond the scope of this weblog.
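To make the point about reading every packet concrete, here is an added illustration (not part of the original post, and not a model of Carnivore or any real product). It builds a few constructed IPv4 packets on a shared access link and shows that a tap can only pick out one subscriber's traffic by parsing the header of every packet that passes; the addresses, the 2-byte sequence number in the payload, and all function names are assumptions made for the example.

```python
import ipaddress
import struct
from collections import Counter

IPV4_FMT = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header (RFC 791), no options


def header_checksum(header: bytes) -> int:
    """One's-complement sum of the header's 16-bit words (RFC 791)."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_packet(src: str, dst: str, seq: int, chunk: bytes) -> bytes:
    """Constructed sample packet: IPv4 header + 2-byte sequence number + data."""
    payload = struct.pack("!H", seq) + chunk
    # version/IHL, TOS, total length, id, flags/fragment, TTL, protocol 253
    # (reserved for experiments), checksum placeholder, source, destination
    fields = [0x45, 0, 20 + len(payload), seq, 0, 64, 253, 0,
              ipaddress.IPv4Address(src).packed,
              ipaddress.IPv4Address(dst).packed]
    fields[7] = header_checksum(struct.pack(IPV4_FMT, *fields))
    return struct.pack(IPV4_FMT, *fields) + payload


def parse_packet(raw: bytes):
    """Return (src, dst, payload); raise ValueError on a malformed header."""
    if len(raw) < 20:
        raise ValueError("truncated header")
    ver_ihl, _, total_len, _, _, _, _, _, src, dst = struct.unpack(IPV4_FMT, raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or not ihl <= total_len <= len(raw):
        raise ValueError("not a well-formed IPv4 packet")
    if header_checksum(raw[:ihl]) != 0:
        raise ValueError("header checksum mismatch")
    return (str(ipaddress.IPv4Address(src)),
            str(ipaddress.IPv4Address(dst)),
            raw[ihl:total_len])


def tap_access_link(link_traffic, target: str):
    """Select one subscriber's packets from everything crossing the link.

    Returns (reassembled message, counters, bystander addresses). The counters
    record that every packet had to be examined before it could be discarded.
    """
    stats = Counter()
    bystanders = set()
    chunks = {}
    for raw in link_traffic:
        stats["examined"] += 1
        try:
            src, dst, payload = parse_packet(raw)
        except ValueError:
            stats["malformed"] += 1
            continue
        if target not in (src, dst):
            # Not the target, but its addressing was read to find that out.
            stats["bystander_headers_read"] += 1
            bystanders.add(src)
            continue
        if len(payload) < 2:
            stats["malformed"] += 1
            continue
        (seq,) = struct.unpack("!H", payload[:2])
        chunks[seq] = payload[2:]
        stats["kept"] += 1
    # Packets arrive out of order, so the message is rebuilt by sequence number.
    message = b"".join(chunks[seq] for seq in sorted(chunks))
    return message, stats, bystanders


# Constructed traffic: three subscribers share the link, packets interleaved.
TARGET = "192.0.2.10"
SAMPLE_LINK = [
    build_packet("192.0.2.20", "198.51.100.7", 0, b"GET /news"),
    build_packet(TARGET, "198.51.100.5", 1, b"is on "),
    build_packet("192.0.2.30", "198.51.100.9", 0, b"mail 1"),
    build_packet(TARGET, "198.51.100.5", 0, b"lunch "),
    build_packet("192.0.2.20", "198.51.100.7", 1, b"GET /sport"),
    build_packet(TARGET, "198.51.100.5", 2, b"Friday"),
    b"\x45\x00garbage",  # truncated packet, counted as malformed
]

if __name__ == "__main__":
    message, stats, bystanders = tap_access_link(SAMPLE_LINK, TARGET)
    print(message, dict(stats), sorted(bystanders))
```

Only three of the seven packets belong to the target, yet the addressing of both other subscribers ends up in the tap's working set, which is the over-collection problem described above.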
Fourth, Uncle Fed's own statistics for 2002 show that about 80% of all wiretaps — both federal and state — were for criminal investigations in the course of enforcing drug laws. Only the remaining 20% were used for all other types of investigations. One is left to wonder whether the alarmist language in Uncle Fed's letter to the FCC was disingenuous: "criminals, terrorists, and spies (could) use VoIP services to avoid lawfully authorized surveillance." Uncle Fed tries to make it sound as if wiretaps are already an effective tool against such people when his own statistics show that wiretaps are rarely used against them. It would be another matter entirely if Uncle Fed intended to use VoIP monitoring technology to enforce drug laws. Even then, none of the dope dealers I knew of in college even knew what "broadband" meant — so it was unlikely that any of them had the equipment necessary to use VoIP. Even if drug importers are more sophisticated, the police can still monitor their communications through conventional warrants and responsible police work.
In conclusion, the only thing I can really say is that Uncle Fed's request is problematic, at best — and I am just a guy with an interest in Internet law, not an expert in history, technology, or constitutional law. If Uncle Fed was trying to start a national debate on the merits of Internet surveillance, it is about time we had one. If he thought he could slip this in under the radar, shame on him.
Thursday, 8 January 2004
Academic credit for blogging?
Professor Stephen Bainbridge of UCLA Law asks a serious question. A few days ago, he mentioned that a paper in the Yale Law Journal cited his weblog, then he made a flippant quip: "Now the Dean will have to give me credit for the time I spend blogging. Hah!" That flippant quip drew a deluge of responses. (Via Lawrence Solum)
Why not give academic kudos — in some form — to professors who blog? They add to the general environment of intellectual curiosity that universities strive to create, and blogged ideas often grow into "real" academic papers. See my own example: An editor from the Journal of Internet Law saw my blog post on the CAN-SPAM Act and asked me to submit a paper that will be published in the February 2004 issue.
Tuesday, 6 January 2004
Diebold/DMCA summary & analysis
Monday, 5 January 2004
EFF calling for Pioneer nominations
Norwegian authorities drop DeCSS case
Tuesday, 30 December 2003
Third-party fix for IE URL spoof vulnerability
While Microsoft has yet to fix the URL spoof vulnerability in its Internet Explorer browser, at least one amateur software enthusiast community has come up with a robust solution. Users of Proxomitron have found a way to use the local proxy server and web filtering client to work around IE's shortcoming. The Proxomitron filters posted in this forum alter links and buttons that lead to web pages that exploit this vulnerability. Additional filters posted there will trigger an alert message box when the active web page contains links that exploit the vulnerability.
These solutions were created by users, free of charge and with no expectation of payment, for fun and for the benefit of Internet users generally. The first request for a fix was posted on 12 December, and four filters were available that same day. Over the next five days, the filters were refined and made more robust, until they handled all situations yet conceived by their developers. Note for emphasis: amateurs created a comprehensive solution in five days. All this happened while Microsoft, one of the most profitable software companies in the world, has been unable or unwilling to fix the problem for nearly a month. Anyone care to explain to me again how high-quality software cannot exist without a profit motive?
Monday, 29 December 2003
Cyberbullying and school (in)action
The Christian Science Monitor has a feature article by Amanda Paulson on "cyberbullying." The article outlines the problem, analyzes it as merely a new platform for old-fashioned bullying, and discusses the perils of censoring speech for short-term disciplinary goals. I think that analysis is on the right track, but I would like to add a few points.
The article ignores the granddaddy of all cyberbullying cases and the publicity that surrounded it: the case of Jake Baker and the University of Michigan. Mr. Baker's First Amendment defense ultimately led to his exoneration on charges of making threats. (See the EFF case archive for comprehensive information.) The CS Monitor article does, however, discuss the more recent case of "Ghyslain, the Canadian teenager who gained notoriety this year as 'the Star Wars kid.'" This young man videotaped himself goofing around with a broomstick, as if it were a fighting staff.
Some peers got hold of the video, uploaded it to the Internet, and started passing it around. Doctored videos, splicing him into "The Matrix," "The Terminator," or the musical "Chicago," with added special effects and sounds, soon followed. He's now the most downloaded male of the year. According to news reports, he was forced to drop out of school and seek psychiatric help.
The article also mentions that (public) schools may lack the authority to shut down off-campus channels of speech used for bullying. The author seems to divide this into two distinct points, one practical and one legal, but it could stand some clarification. First, schools lack the practical ability to censor such centralized speech channels as web-based bulletin boards and instant messaging networks because the school is not the central entity. These are generally physically controlled by private companies. When it comes to open and decentralized channels (like email, IRC, or usenet), the school has no chance. Second, the legal barriers. Any action that schools take or fail to take can open them up to the modern American pastime, lawsuits. Any course of action necessarily requires the school to make judgments that pit one student's civil rights against another's: specifically, the right of the bully to speak vs. the right of the victim to have a public education free from harassment. Schools are understandably reluctant to break any new ground in this context. If I were a school board lawyer, I might recommend the most conservative course of action I could think of.
However, schools are not always so loath to target Internet speech that is generated off-campus. Some get trigger happy when a student's web site criticizes teachers or administrators. Just the other day, I blogged on a recent case involving the Oceanport School District in New Jersey. I could probably turn up ten more examples in as many minutes on Google.
Finally, I want to highlight a case described in the article that displays the best the First Amendment has to offer. "J. Guidetti, principal of Calabasas High School, did get involved, after comments on schoolscandals.com caused many of his students to be depressed, angry, or simply unable to focus on school." All of Guidetti's initial efforts failed as long as he used a law-enforcement approach. Then, he decided to counter speech with speech:
Eventually, a local radio station got involved and put enough pressure on the people running the site, a father-son duo, that they took it down in the spring. Already, there's a schoolscandals2, relatively harmless, so far. Guidetti checks it regularly for offensive content, one of the ever-growing tasks of a 21st-century principal.
To be clear, I do not advocate publicly shaming people for their speech. However, opinions that wilt in sunlight are exactly the sort that the Framers of the constitution believed could be controlled by encouraging counter-speech. Guidetti engaged in honest public debate, convinced more people than his opponents, and won the day. By taking his case to the airwaves, Guidetti created speech where he had previously tried to destroy it, and liberty had a rare chance to serve a utilitarian purpose.
Sunday, 28 December 2003
The New York Times points out, rather amusingly, that most members of Congress were engaged in sending a massive wave of unsolicited email to their constituents this weekend — barely ten days after unanimously approving the CAN-SPAM Act. Article: "We Hate Spam, Congress Says (Except Ours)."
"They are regulating commercial spam, and at the same time they are using the franking privilege to send unsolicited bulk communications which aren't commercial," David Sorkin, a professor at the John Marshall Law School in Chicago, said. "When we are talking about constituents who haven't opted in, it's spam."
Scam exploits IE URL spoof vulnerability
It was only a matter of time before someone exploited the Internet Explorer URL spoof vulnerability. (As Xeni Jardin points out, Microsoft has yet to issue a fix.) This particular scam involves an email that purports to be from PayPal and includes a link that appears to take the unwary reader to PayPal's web site, where he is asked to "verify" his account information. The user is really taken to http://www.epack.ch/p/verify.htm, which looks like a legitimate PayPal page and which the scammer thoughtfully induced IE to display as if it were hosted at PayPal.
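The scam above and the alerting Proxomitron filters described in the 30 December post both come down to one check: does a link go where it appears to go? The following is an added sketch of that check, not the Proxomitron filters themselves and not code from any post linked here. It assumes the spoofed links carry a userinfo part before an "@" in the URL, optionally ending in an encoded control character, which the posts do not spell out; the hosts `www.bank.example` and `host.invalid`, the sample mail, and all function names are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# %00-%1F (or a raw control byte) inside the part of the URL before "@"
CONTROL_IN_USERINFO = re.compile(r"%[01][0-9a-f]|[\x00-\x1f]", re.I)
HOSTNAME = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)+")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a href=...> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.href = None
        self.text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href = dict(attrs).get("href")
            self.text = []

    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            self.links.append((self.href, "".join(self.text).strip()))
            self.href = None


def host_named_in(text):
    """Host the visible link text claims to point at, or None if it names none."""
    candidate = text if "://" in text else "http://" + text
    try:
        host = urlsplit(candidate).hostname
    except ValueError:
        return None
    return host if host and HOSTNAME.fullmatch(host) else None


def audit_link(href, text):
    """Return a list of findings for one link; an empty list means nothing odd."""
    try:
        parts = urlsplit(href)
        real_host = parts.hostname
    except ValueError:
        return ["href could not be parsed"]
    if parts.scheme not in ("http", "https") or not real_host:
        return []  # relative links, mailto:, etc. are out of scope here
    findings = []
    userinfo, at_sign, _ = parts.netloc.rpartition("@")
    if at_sign:
        findings.append("userinfo before '@'; real host is " + real_host)
        if CONTROL_IN_USERINFO.search(userinfo):
            findings.append("control character hidden in userinfo")
    shown = host_named_in(text)
    if shown and shown != real_host:
        findings.append("text shows %s but link goes to %s" % (shown, real_host))
    return findings


def audit_html(html):
    """Return [(href, findings)] for every link in the page that has findings."""
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    flagged = []
    for href, text in collector.links:
        findings = audit_link(href, text)
        if findings:
            flagged.append((href, findings))
    return flagged


# Constructed sample message body; none of these hosts are real.
SAMPLE_MAIL = """
<p>Dear customer, please verify your account:
<a href="http://www.bank.example%01@host.invalid/p/verify.htm">http://www.bank.example/verify</a></p>
<p><a href="https://www.bank.example/help">www.bank.example</a></p>
<p><a href="http://user@intranet.example/">wiki</a></p>
<p><a href="http://host.invalid/login">www.bank.example</a></p>
<p><a href="/about">About</a></p>
"""

if __name__ == "__main__":
    for href, findings in audit_html(SAMPLE_MAIL):
        print(href)
        for finding in findings:
            print("   ", finding)
```

A mail gateway or local proxy could run a check like this on message bodies and pages before the browser ever renders the link.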
Thursday, 25 December 2003
2003 tech year in review
C|Net has released five year-in-review features, covering open source, utility computing, VoIP, Wi-Fi, and patents. Each one has a summary introduction and links to C|Net articles from the past year. This is a great way to get up to speed for anyone who fell behind in the news.
Wednesday, 24 December 2003
Year 2003 in cyberlaw
Doug Isenberg, founder of GigaLaw, summarizes the year 2003 in cyberlaw: "Internet law in 2003 was full of surprises, with Congress passing an antispam bill, the courts blessing pop-up advertising, the music industry losing lawsuits and the Supreme Court finally upholding an Internet law." (Via Inter Alia)
Tuesday, 23 December 2003
Napster Runs for President in '04
Frank Rich wrote a fascinating and entertaining editorial for the New York Times a few days ago ("Napster Runs for President in '04"). Between his attempts to be vogue by dissing the mainstream candidates and media for not "getting" the Howard Dean campaign's various uses of the Internet, Rich makes a few novel points. Among them, that we should view Dean more like FDR and JFK than George McGovern and Barry Goldwater. His conclusion:
Should Dr. Dean actually end up running against President Bush next year, an utterly asymmetrical battle will be joined. The Bush-Cheney machine is a centralized hierarchy reflecting its pre-digital C.E.O. ethos (and the political training of Karl Rove); it is accustomed to broadcasting to voters from on high rather than drawing most of its grass-roots power from what bubbles up from insurgents below.
Thanks to Mary Hodder of Napsterization for the heads up.
Saturday, 20 December 2003
DC Circuit stumps RIAA
By now the world has heard of the D.C. Circuit decision in RIAA v. Verizon. Previously, the D.C. District Court ruled that Verizon must comply with RIAA's subpoenas, issued under § 512 of the Digital Millennium Copyright Act (DMCA). Those subpoenas are designed to force ISPs to disclose the identities of users whom RIAA suspects of illegally making copyrighted music available for others to download. RIAA can trace users by itself as far as their IP addresses (the sets of numbers that uniquely identify every computer on the Internet), but it needs the cooperation of ISPs to connect an IP address with an individual's name and address. Once it has that information, it can send a cease & desist letter or file a lawsuit.
Yesterday's Circuit decision reverses the District Court's interpretation of the statute. The appeals court gave the statute an extremely close reading in rendering its decision. The relevant section has a complex sentence structure and many cross references, so it is no wonder that the parties (and two different courts) disagreed as to its meaning. Derek Slater makes a few interesting points, including: "I find it fascinating when opinions contrast in this way — when they see the same issue clearly, unambiguously, but oppositely. [District] Judge Bates, just like [Circuit Judge] Ginsburg, claims to stick to the statute's text and go no further, yet their opinions are night and day."
The decision is a victory for privacy, but not a victory for privacy as such. The result was reached on a technical reading of the statute, and turned on the fact that a subpoena can only be sent if a DMCA notice-and-takedown letter can also be sent. […] The constitutional issues that would have made this a victory for privacy as such, or for freedom of expression, were not addressed by the court.
The Circuit panel adopted most of Verizon's statutory argument — that § 512(h) authorizes subpoenas only in cases where the plaintiff alleges that the infringing material is stored on media controlled by the ISP. However, when the ISP is a mere conduit for data stored on media controlled by a third party (the ISP's subscriber, in this case), § 512(h) does not permit subpoenas outside of the context of a lawsuit.
This line of reasoning rests on the cross references between § 512(h) and § 512(c). Subsection (h) permits a copyright owner to apply to the Clerk of the court for a subpoena so long as the application contains "a copy of a notification [of claimed copyright infringement, as] described in [§ 512](c)(3)(A)." The relevant language in § 512(c)(3)(A) is: "To be effective under this subsection, a notification of claimed infringement must be a written communication … that includes substantially the following" six elements. The third enumerated element is "(iii) Identification of the material that is claimed to be infringing or to be the subject of infringing activity and that is to be removed or access to which is to be disabled, and information reasonably sufficient to permit the service provider to locate the material." (Emphasis added)
The court agreed with Verizon that this language requires the subpoena application to assert that the ISP has the ability to remove or disable access to the allegedly infringing material. However, most current P2P applications use a decentralized architecture. This means that all shared data is stored on users' computers, not on any central server — except for temporary copies incidental to transmission, which the DMCA permits. Therefore, the ISP has no legal right to remove or disable access to the material shared on the P2P network:
No matter what information the copyright owner may provide [in its subpoena application], the ISP can neither "remove" nor "disable access to" the infringing material because that material is not stored on the ISP's servers. Verizon can not remove or disable one user's access to infringing material resident on another user's computer because Verizon does not control the content on its subscribers' computers.
This holding does have some privacy implications, but they are small compared to Verizon's alternative argument. Having decided this case on statutory grounds, the court ducked the larger First Amendment questions.
So what implications does it have? Dozens of people predict that RIAA will lobby Congress to close what it surely sees as a loophole in the DMCA. Ernest quipped, "[T]he RIAA has nearly hosed itself." The trade group has been trying to consolidate all its DMCA subpoena litigation in Washington, D.C. for administrative convenience. Now, however, it cannot be happy with its "success" in transferring the SBC case to the D.C. District from the Northern District of California in San Francisco — because the Verizon decision is now binding precedent in the nation's capital. This will not stop RIAA from getting users' information, however. It will only make the process slower and more expensive. Instead of paying its lawyers simply to draft subpoena applications, it now has to pay them to draft and file complaints and motions in addition to subpoena applications. These costs will be passed on to consumers in the form of higher average settlements.
John Palfrey sees a broader trend: "Add this development to the Grokster opinion, and the trend of the law in favor of digital rights holders is at least in a holding pattern." The trend may be even broader than Palfrey recognizes — this was a banner week for civil liberties everywhere. (It could, however, be just a blip on the post-9/11 radar screen.) The Dutch supreme court ruled that the makers of Kazaa are not liable under Dutch law for copyright infringement committed by the software's users. A day earlier, the Second Circuit ruled that the U.S. government may not classify Jose Padilla as an enemy combatant — which should assure that his constitutional rights are no longer suspended. Just a few hours later, the Ninth Circuit wrote "that the [Bush] administration's policy of imprisoning about 660 non-citizens on a naval base in Guantanamo Bay, Cuba, without access to U.S. legal protections 'raises the gravest concerns under both American and international law'" (source).
If nothing else, we live in interesting times.
Wednesday, 17 December 2003
Happy flight day!
Happy flight day! I hope everyone enjoyed the festivities surrounding the centennial of Orville Wright's historic flight. Unfortunately, the weather in Kill Devil Hills did not cooperate with the long-planned reenactment.
CAN-SPAM coauthors respond to criticism
The two coauthors of the CAN-SPAM Act, U.S. Senators Ron Wyden (D-Ore.) and Conrad Burns (R-Mont.), published an essay yesterday in response to criticism of their bill. They state in no uncertain terms what I have been saying all along — that CAN-SPAM is not a silver bullet but that it is a good first step. The money line: "Big-time spammers will inevitably violate the Can-Spam Act because it strikes at the heart of how their sleazy businesses work." (Thanks to GrepLaw for the heads up.)
Also, I did not mention yesterday that President Bush signed the Act.
Monday, 15 December 2003
God Considers Smiting Copyright Pirates
God is considering his options for action against Bible pirates. "God did not rule out smiting as a final measure against those who share his most famous work, the Bible, on the Internet," wrote Kristian Werner of BBspot Technology News.
Citing misuse of His word, misquotation, and putting hardworking Bible printers out of work, God said he would now start hunting Bible pirating around the globe. "I have to defend both my world-famous brand, the Bible and its distinctive likenesses, and the livelihood of those who create and distribute legal copies of it. Sure, they live not by bread alone, but website hits, someone else's website mind you, don't pay the bills for these folks."
BoingBoing reports (via Ben Hammersley) this interesting nugget: Sony Pictures is promoting its new Spiderman sequel via weblogs. The movie's promotional web site has templates for LiveJournal and Blogger ripe for the picking by anyone who wants to give free advertising (and a higher PageRank) to a large, profitable corporation.
Spam rage defendant pleads not guilty
Sunday, 14 December 2003
Nightmare on Portability Street
Mary over at bIPlog relates the horrifying tale of her experience trying to port her cell phone number from AT&T Wireless to Cingular ("My Nightmare With AT&T Wireless"). A summary could never do it justice, so suffice it to say that AT&T made numerous gross factual errors and flagrantly broke the law in repeated attempts to prevent her from leaving. Still, this episode highlights less about AT&T than it does about the harm that consumers can suffer at the hands of hucksters even when the hucksters know what they are doing is illegal because the consumer has pointed it out. I suppose Mary could sue AT&T to force the release of its high-tech hostage, but who has the time and money for litigation over a phone number?
My law school roommate and I had a similar experience when we tried to buy DSL service in Boston. Despite being Verizon dialtone customers, we tried to hire a company called eConnects (a reseller of Verizon DSL connectivity) for Internet service. At the time, Verizon was required to permit access to its "last mile" network for others to offer competitively-priced residential DSL service. For months, eConnects tried to get us online, but Verizon dragged its feet when it came time to change certain physical settings on our line which it claimed could only be done inside our apartment. Verizon repeatedly failed to show up for appointments or showed up on the wrong day or at the wrong time, and it refused to schedule any appointment within two weeks of any call we made to their customer service department. Finally, we caved in and bought DSL service from Verizon at a higher monthly price than eConnects had offered us. Magically, Verizon had an appointment slot available four days later, and we were online ten minutes after that.
Saturday, 13 December 2003
I would like to comment briefly on one post in ATAC's weblog, "Face Recognition and False Positives." This post raises the point of "a classic security mistake: ignoring the false positive problem." I addressed this issue in "Static Measurements & Moving Targets," my law-school thesis paper on biometrics and privacy in the context of consumer banking. In that paper, I looked at the problem from a perspective opposite Ed's. He describes facial recognition in an identification application, where its goals are substantially different from what its goals would be in an authentication application.
The designer of an application that flags passers-by as registered sex offenders has an incentive to overinclude suspects for security reasons — that is, to err on the side of false positives. The designer of an ATM authentication application, on the other hand, has the opposite incentive — to err on the side of false negatives, to prevent fraud. The point is that false positives are not solely a privacy issue: they also represent a security risk, depending on the context.
That said, I do agree with Ed's basic point, as I wrote back in October ("Terrified of Terror Profiling?"). I supported the point there with links to articles by computer security expert Bruce Schneier and mathematician John Allen Paulos.
Cringely, part 2
Robert Cringely has released part 2 of his column on e-voting. His analysis of e-voting problems from an IT project management perspective is refreshing; it is a perspective that has been sorely lacking in the debate thus far. Links: part 1 and part 2.
Friday, 12 December 2003
ECPA permits employer to search stored email
Law.com reports that a Third Circuit panel has interpreted the Electronic Communications Privacy Act (ECPA) to permit an employer to search its employees' email messages that are stored on its network ("Federal Law Allows Employer's Search of Worker's E-Mails"). Such a search, the court held, does not constitute "interception" of messages during "transmission," as prohibited by the ECPA. The full text of the decision in Fraser v. Nationwide Mutual Insurance Co. is available via FindLaw.
Thursday, 11 December 2003
Nevada demands e-vote paper trail; Gamblers reject Diebold's voting machines
Nevada Secretary of State Dean Heller announced yesterday that his state was the first in the country to demand that e-voting machines produce voter-verifiable paper receipts. The state's Gaming Control Board gave Diebold's products a harsh denunciation, writing that they "represented a legitimate threat to the integrity of the election process." After rejecting Diebold equipment, Heller settled on a system from Sequoia Voting Systems. "A paper trail is an intrinsic component of voter confidence," Heller said. Printers make e-voting systems cost more, he acknowledged, but "money takes a back seat to accuracy, security and voter confidence."
Tuesday, 9 December 2003
Robert Cringely on the e-vote paper trail
Robert Cringely, the venerable PBS columnist, wrote an interesting column on the lack of a paper trail in e-voting machines ("No Confidence Vote: Why the Current Touch Screen Voting Fiasco Was Pretty Much Inevitable").
Now here's the really interesting part. Forgetting for a moment Diebold's voting machines, let's look at the other equipment they make. Diebold makes a lot of ATM machines. They make machines that sell tickets for trains and subways. They make store checkout scanners, including self-service scanners. They make machines that allow access to buildings for people with magnetic cards. They make machines that use magnetic cards for payment in closed systems like university dining rooms. All of these are machines that involve data input that results in a transaction, just like a voting machine. But unlike a voting machine, every one of these other kinds of Diebold machines — every one — creates a paper trail and can be audited. Would Citibank have it any other way? Would Home Depot? Would the CIA? Of course not. These machines affect the livelihood of their owners. If they can't be audited they can't be trusted. If they can't be trusted they won't be used.
Thanks go to LawGeek for the heads up.
Monday, 8 December 2003
Lessig highlights Bush's depublishing — but misses the real story
Here is a new entry for the annals of "depublishing" — the practice of removing or altering electronic articles after publication. (For background, see Greg Ritter's now-classic blog post on Dave Winer's depublishing in Scripting News, "The Ethics of De-Publishing.") This time, depublishing has lived up to its Orwellian promise, as political activists and the media have swallowed the altered version of history.
On May 1, 2003, the Whitehouse's Office of the Press Secretary released this press release, announcing "President Bush Announces Combat Operations in Iraq Have Ended." But then, with airbrush magic, now the same press release has been changed to this, which reports "President Bush Announces Major Combat Operations in Iraq Have Ended." No update on the page, no indication of when the change occurred, indeed, no indication that any change occurred at all. Instead, there is robots.txt file disallowing all sorts of activities that might verify the government. (Why does any government agency believe it has the power to post a robots.txt file?)
The rub, of course, is in the word major. The original press release implies that combat operations are, well, ended. The silently doctored version makes the President seem better acquainted with the situation and prescient. The motives behind this are as old as politics itself, so the only thing that would seem to be new is the technology. However, something deeper is going on here.
The mainstream press, and even some Bush bashers, have swallowed the altered version of history. A Google News search for "major combat operations" & Iraq yields over 1,100 hits. Keep in mind that Google News indexes only mainstream sources, that its index only lasts a week or two, and that a comprehensive Lexis-Nexis search would probably yield tens or hundreds of thousands of hits. Here is a sampling of the first few Google hits. Note how each one treats the depublished ("afterpublished," really) word major as an historical fact:
CIO on RFID
The 1 December issue of CIO Magazine has an article on the technological and economic hurdles standing in the way of widespread RFID adoption: "The RFID Imperative." The article makes only passing reference to many of the social implications of RFID, but the sidebars link to several other recent CIO articles covering those issues. Thanks go to Ernie the Attorney for the heads up.
Mexico threatens 3 with treason charges for data sale
The government of Mexico is threatening to charge three of its citizens with treason. They are executives of a company called Soluciones Mercadologicas en Bases de Datos, which sold a database of private information on 65 million Mexican voters to ChoicePoint, an Atlanta-based database company. ChoicePoint bought the data at the behest of the U.S. government shortly after 11 Sept. 2001 to help bolster Uncle Sam's investigation of terrorism.
The database contained such private information as the number of cars owned in households and unlisted phone numbers. If nothing else, this episode highlights the incumbent dangers when a government, any government, collects massive amounts of data on its citizens without a compelling and clearly articulated purpose. What, for example, does voter registration have to do with the number of cars one owns?
The Macon Telegraph has the story: "Mexican company officials may face treason charges."
Sunday, 7 December 2003
PC Magazine rates blog tools
Neil J. Rubenking of PC Magazine explains and rates blog tools in this month's issue ("Blog Tools"). Top honors went to TypePad, the hosted version of Movable Type — the engine behind DTM :<|. Thanks go to Sabrina Pacifici of beSpacific for the heads up.
Borland on P2P
John Borland of C|Net wrote an interesting column last Thursday, asking whether RIAA's lawsuits against P2P users were having the desired deterrent effect ("RIAA lawsuits yield mixed results"). "At the core of the RIAA's strategy has been the attempt to persuade as many people as possible to stop trading copyrighted files online. This appears to be working in at least some groups, but the evidence is mixed at best." That same day, he also wrote a good summary of the compulsory licensing discussion in Canada: "Should ISP subscribers pay for P2P?"
Friday, 5 December 2003
Google files DJ action against American Blind
I love it when companies are willing to spend money to clarify the law in areas where it is murky. Playboy used to be great in this area, filing many suits that pushed copyright and trademark law into the digital age at a time when the Internet had barely entered the popular lexicon. Many of those cases went all the way to judgment and appeal — which gave something back to the public, in exchange for the judicial resources that Playboy consumed.
Now Google has started. Last week the search company filed a declaratory judgment action against American Blind & Wallpaper Factory, asking the U.S. District Court in San José to clarify its rights. American Blind (among many others) has complained recently to Google about Google's sale of keywords to its advertisers. Google has been fairly responsive about such trademark requests, but AB and others frequently claim to have rights in words and phrases that do not precisely match their registered or common law trademarks. They do have some trademark-like rights in such terms, but it is often difficult to discern exactly what they are. This case should help.
Thursday, 4 December 2003
Johns Hopkins still bars publication of Diebold memos
Derek Slater reports the tribulations of Asheesh Laroia, a student at Johns Hopkins University. Despite never having received a cease & desist letter, JHU cut off access to the memoranda. Even after Laroia informed JHU that Diebold had retreated (1, 2), the university persisted, writing that it "cannot allow its resources to be used in violation of copyright law, whether or not the holder of the copyright (in this case Diebold) plans to prosecute."
All I can say is I am glad I am not a student there.
Mechanics of the CAN-SPAM registry
There have been many questions about how a do-not-spam registry should be implemented. This proposal suggests a regime for funding the registry and the highest-level logical operation of its database. My plan would allow consumers to choose (through market forces) an opt-in system while still adhering to the overall opt-out structure of the CAN-SPAM Act. For that reason, I believe it solves some of the nagging First Amendment problems that come with a government-mandated opt-in system.
If you have not already seen my summary of the CAN-SPAM Act, I suggest you check it out before reading this.
The registry should not necessarily be funded by taxes, because that would require people without email accounts to share the burden of a system that carries no direct benefit for them. ISPs stand to benefit the most (in financial terms, at least), because a successful registry will reduce their bandwidth and other costs substantially. I would hesitate to levy mandatory fees on ISPs because they would look too much like the fees imposed on Bell companies to fund rural telephone lines and the 911 system. I would prefer to leave ISPs as unregulated as possible while still having them share in the cost of the registry. I would not be averse to paying a few dollars to get myself into the registry, but ISPs should not have a free ride while consumers fund the entire thing.
My proposal is to make ISPs intermediaries between the FTC, which would manage the registry, and consumers, who will have ultimate control over the status of their addresses.
First, charge ISPs a monthly fee for having their domains listed in the registry. This fee would be assessed according to the number of email addresses at each domain, and those addresses would be automatically opted out of receiving spam. If a user wants to change that status, he would ask his ISP, which would relay the request to the FTC. An ISP would be charged a small transaction fee for each username it changes from its default status, as an incentive to "guess" what most customers will prefer. Individuals whose ISPs do not list their domains in the registry would have the option of opting out individually, paying the same transaction fee directly to the FTC. This option would be available to anyone in the U.S. with an email address, even those who maintain email addresses at their own personal domains and do not use an email address provided by an ISP.
To keep the size of the database's output manageable, it would need to spit out three separate lists. The first list would contain all the domains listed in the registry. The second list would contain all the individual email addresses that have requested opt-out status. Any email address covered by these two lists would be off-limits to spam. The final list would contain the addresses of ISP customers who have decided to switch away from their ISPs' default opt-out status. Addresses on list #3 are fair game for spam.
My plan would require some taxpayer funding for startup costs, although these could be recouped over the first few years by charging slightly higher fees during that time. After that, the monthly fees for listing domains and the per-user transaction fees would cover operational costs. ISPs will inevitably pass some of those costs on to consumers. However, there is harsh competition among ISPs, so the market would quickly allocate those costs efficiently. I believe this is more equitable than a program funded wholly by taxes. The recently-implemented do-not-call registry is funded by taxes because telephone penetration is nearly 100% in this country. However, many fewer people have email accounts than telephones, so full funding by tax dollars seems unfair to me.
The system is national in scope, so it will be large enough that the fees per domain and per user can be small. Only a few indigent people and organizations could legitimately complain about the cost, and these might be exempted from paying fees. To start, the exemptions might be granted to educational institutions, 501(c)(3) organizations, and individuals below the poverty line. I have little experience in this area of social policy, so I would leave it to others to work out those details.
This structure would allow the market to demonstrate once and for all whether the public really favors an opt-in or an opt-out system. Many people have speculated on this question, but the truth is that nobody knows for sure. We may see a surge of subscriber defections away from ISPs that choose to be listed, or we may see a surge of individuals listing their own addresses. The point is that consumers, not the government and not spammers, would finally have direct control over the marketing they receive.
Wednesday, 3 December 2003
Clarifying my position on opt-out
Some feisty discussion has broken out in the comments section of my blog post where I summarized and explained some features of the CAN-SPAM Act. I have been accused of favoring an opt-out system over opt-in. This is probably my fault for overstating my position as a reaction to most people's knee-jerk favoring of opt-in.
I do not favor opt-out in all its manifestations — I just think that most people decide to favor opt-in without considering the issues thoroughly. There are serious free-speech problems with the government mandating a regime that forbids a certain type of speech to be distributed in a certain channel. Those problems are reduced (although not entirely eliminated) by an opt-out regime that provides consumers with an en masse opt-out mechanism like a do-not-spam registry. The problems are further reduced the more fine-tuned the en masse mechanism becomes. The present FTC/FCC do-not-call registry is a blunt instrument, requiring consumers to choose all or nothing.
Someone may yet convince me that opt-in is the way to go; but, until that happens, I choose to err on the side of free expression.
Australian spam law
Oz is about to get its own national spam law, and I am curious to know how it differs from the American CAN-SPAM bill, which I have written a lot about in recent days. If anyone can find the text of the Australian bill online, please let me know.
Monday, 1 December 2003
Where's my hovercraft?
I just found this delightful web site, Yesterday's Tomorrows. It is the Internet arm of a traveling Smithsonian exhibit on the history of technology prediction. "From ray guns to robots, to nuclear powered cars, to the Atom-Bomb house, to predictions and inventions that went awry."
Crimson confirms Diebold will not sue students
Zachary Seward reports in the Harvard Crimson that a Diebold spokesman confirmed that the company will not sue students who posted internal company memoranda on the Internet ("Diebold Won't Sue Students"). Thanks go to John Palfrey for the heads up. The article has one interesting point that bears mentioning here:
In one memorandum from April 23, 1999, [a Diebold] employee acknowledges a flaw in one of the company's electronic ballots. "I don't expect you will see a fix in time for the election," the employee writes, "since it is tomorrow." Diebold will not comment on the memoranda but has said that any imperfections in their systems have subsequently been fixed.
Note that this claim can be interpreted to apply only to those particular ballot problems: tailor-made plausible deniability. It does not claim to have fixed the security flaws found in two independent reviews earlier this year. In one review, researchers at Johns Hopkins and Rice universities found weaknesses that could easily allow someone to cast multiple votes for one candidate. (Report (pdf), press release) The other report, conducted for the State of Maryland, concluded that flaws exist but that they were unlikely to cause practical problems in real elections, but only if external safeguards are in place. (Report (pdf))
Also recall that Diebold is the only manufacturer of ATMs in the world whose machines have become infected with a worm.
Google updates & blog power
The search engine watchdogs have argued fiercely over Google's most recent update, dubbed "Florida," since it was implemented two weeks ago. See, e.g., Barry Lloyd's article on Search Engine Watch: "Been Gazumped by Google? Trying to make Sense of the 'Florida' Update!" Last week, prolific writer Seth Finkelstein weighed in, arguing that Google had installed Bayesian filters ("Google Bayesian Spam Filtering Problem?").
Yesterday, Seth reiterated in his blog his strong belief that blogging will remain an insignificant source of political power, relative to Big Media. ("Recent Report Readership - Statistical Analysis") The evidence? His referrer logs, which indicate most of his hits coming from a Slashdot comment (60%) and much smaller numbers coming from his own site (6%) and miscellaneous "noise." However, he dismisses nearly a quarter of his hits that came without a referrer as having come from Slashdot. I do not think this is valid. I, for one, have disabled referrer logging in my browser, and I followed a link to Seth's report that I found in a blog. Aside from others like me, there are probably many people who copy/pasted the URL from an email, which might have registered in the referrer log as having no source.
No, the blogosphere is not presently as big or as powerful as Big Media. However, Seth dismisses its potential too readily.
Sunday, 30 November 2003
Freaky food or biotech bounty?
The debate over this technology has become a leading issue in international relations, subject of a huge trade battle. Wall Street is watching anxiously as it presses companies to recoup their massive biotech investments by selling more seeds. Environmental advocates are marching in the streets to oppose the crops. Even the Vatican is weighing the issue, recently opening a debate about which is the moral course.
Saturday, 29 November 2003
More Congressional ineptitude
After reviewing the highlights of the CAN-SPAM Act for my blog last week, I was asked to write a more comprehensive review for the Journal of Internet Law. During my more careful, second reading of the bill, I noticed an inexcusable discrepancy. Early on, the bill defines a "commercial electronic mail message" (its verbose term for spam) as "any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service." § 3(2)(A). A few paragraphs later, the bill states, "It is the sense of Congress that [s]pam has become the method of choice for those who distribute…viruses, worms, and Trojan horses into personal and business computer systems." § 4(c).
This passage shows (1) that the House has no idea what those terms mean or what spam is, and (2) the House has no idea how it defined spam just a few paragraphs earlier!
Friday, 28 November 2003
P2P & anonymity
Four years ago I wrote my senior thesis at Yale, The Futures of e-Politics, in which I complimented several Congressmen and Senators for having done well to educate themselves on digital communications technologies in a relatively short time. Today I may recant that compliment.
I just got around to reading C|Net's coverage of a letter sent last week from several Senators to the executives of several P2P companies. The lawmakers asked the companies to regulate themselves — i.e., to censor their networks for pornography and copyrighted material. C|Net reports (Senators ask P2P companies to police themselves) a quote from Senator Lindsey Graham (R-N.C.) that I did not see reported elsewhere. In a "statement" accompanying the letter, he said (emphasis added):
Purveyors of peer-to-peer technology have a legal and moral obligation to conform to copyright laws, and end the pornographic trade over these networks. These programs expose our children to sexually explicit materials and provide an anonymous venue for child pornographers to hide behind the veil of technology.
If we have learned anything from RIAA this year, it is that P2P activity is not anonymous. If you are going to make national policy, or at least pretend to, it is not unreasonable to ask that you pay attention.
Thursday, 27 November 2003
Worm infects Diebold ATMs
Diebold, the very same company being raked over hot coals for its authoritarian response to criticism, now has the ignoble honor of being the first ATM manufacturer to have its machines infected with a worm. (New Scientist: "Cash machines infected with worm")
The controversy over Diebold's electronic voting machines is no longer theoretical (if it ever was). This is a real-world, already-happened, no-excuses problem affecting a Diebold product very similar to its voting machines. How could this happen? Simple — Diebold's ATMs run Windows XP.
Diebold backs down
Diebold filed court papers on Monday, stating that it would not file copyright infringement suits against people who hosted and linked to the infamous cache of damaging documents. Kudos go to the Stanford Cyberlaw Clinic, which represented two Swarthmore students in their lawsuit against the voting machine manufacturer. Too bad Rule 11 does not apply to DMCA notice-and-takedown letters. You have my best wishes if you sue Diebold under anti-SLAPP laws and for intentional infliction of emotional distress.
Wednesday, 26 November 2003
Man charged in "spam rage" case
This seems to be a first. Charles Booher of Sunnyvale, California has been arrested and charged with 11 counts for threats he made to a company he blamed for sending him spam and causing web popup ads on his computer. Wired News reports ("Man Arrested Over 'Spam Rage'"):
Booher threatened to send a "package full of Anthrax spores" to the company, to "disable" an employee with a bullet and torture him with a power drill and ice pick; and to hunt down and castrate the employees unless they removed him from their e-mail list, prosecutors said.
This case presents a good opportunity to mention a recurring point about defining classes of speech for legal purposes. I have yet to see a case where this was not problematic, but it is never more so than when the communication of words alone constitutes a crime. Mr. Booher's words (as reported in Wired) clearly threatened physical violence, his intent to make a threat seems clear, and he communicated the threat to the threatened person, satisfying the basic requirements of most threat statutes. Do prosecutors have a slam dunk case? Maybe. But the inquiry only starts there.
It is what Wired failed to report that I find interesting. The article in Saturday's San Jose Mercury News makes Booher look much more sympathetic. (Article: "Spam sends local man into rage") There, we learn that Booher "is a three-time survivor of testicular cancer" and that the overwhelming flood of spam that triggered his emotional outburst was hawking (you guessed it) penile enlargement products. Suddenly, his response is understandable.
Before you send me angry email, note that I do not condone what Booher did. My point here is that it is irresponsible to condemn someone based on a small amount of information. When the condemnation implicates the most basic liberties of any free society, we have to be especially careful. Some of you may remember Jake Baker, the University of Michigan student who wrote a revolting rape/torture/murder fantasy story about a classmate and posted it on alt.sex.stories. Baker was charged with making threats, notwithstanding that he had unambiguously stated that the story was fiction. The subsequent uproar ended with his exoneration of all charges of making threats, a result demanded by the First Amendment. For those unfamiliar with the case, the Electronic Frontier Foundation (EFF) maintains an archive of relevant documents. (If you have a strong stomach, the story is still available online. However, you have been warned: This is pretty sick stuff.)
Tuesday, 25 November 2003
Spam canned throughout the land?
The House of Representatives approved the CAN-SPAM Act on Friday, by a vote of 392-5. The acronym stands for the not-so-clever moniker, "Controlling the Assault of Non-Solicited Pornography and Marketing Act." The Senate is expected to approve the measure this week, and President Bush has agreed "in principle" to sign the bill.
This bill would have been a reasonable first step to take against spam five years ago, and Congress should be ashamed of itself for dawdling so long. We should be debating the second or third revision of the Act by now. What is done is done, however, so let us explore what the CAN-SPAM act says.
Update, 29 Nov 2003. I have been asked to revise and augment this essay for publication in the Journal of Internet Law. Toward that end, I would appreciate any constructive comments from any reader.
The full text of the bill is available at C|Net. The news agency also gives a bullet-point summary amidst its coverage, and the Institute for Spam & Internet Public Policy (ISIPP) gives a ten-point summary. Finally, C|Net gives this brief summary of the entire bill:
If the measure becomes law, certain forms of spam will be officially legalized. The final bill says spammers may send as many "commercial electronic mail messages" as they like as long as the messages are obviously advertisements with a valid U.S. postal address or P.O. box and an unsubscribe link at the bottom. Junk e-mail essentially would be treated like junk postal mail, with nonfraudulent e-mail legalized until the recipient chooses to unsubscribe.
First, a few preliminary comments before I get into specific provisions. Spam has been a scourge on the 'net since the early 1990s, when non-academics and non-scientists first logged on in large numbers. The volume of commercial email was low at first but has grown exponentially for years. The result has been frustration for users who drown in the flood of messages, higher costs for service providers who must process all the unwanted email, embarrassment for legitimate businesses whose servers are hijacked by spammers trying to disguise their identities, and the corruption of children whose parents try to shield them from pornography and other sex-based products. The Act does not go as far as many people think it should (which is why Congress's long inaction is so lamentable); but it is, as I said above, a reasonable first step. The House seems to have made a genuine effort not to be heavy-handed with the rights of advertisers. Still, the Act has some sharp teeth for consumers and, if it is properly enforced, has the potential to significantly reduce the burdens caused by spam.
Now, some comments on specific provisions. This is not intended to be a comprehensive analysis of the bill but rather a few thoughts on the provisions I think are important or interesting.
Update (6pm): Several readers have asked me to insert anchors in my subject headings so they can link to specific pieces of this article. Here they are:
The "false header information" provision is perhaps the easiest part of the bill for non-technologists to grasp, because you can examine the underlying problem even if you do not understand the technology. Spammers often disguise the origin of their advertising to make it more difficult for individuals and ISPs to use automated methods to filter and delete spam. These disguises also induce recipients to open the spam mail and begin reading by pretending to be legitimate messages (e.g., with a deceptive or misleading subject line). Imagine paper junk mail, delivered by the post office, that comes in an envelope whose return address seems to be from your bank or your doctor. When you open the envelope, you find a flier for hard core pornography.
When spam is disguised as legitimate mail, more people will open the message and read the first few lines before realizing its true nature. This gives the advertiser a better chance of selling his product, be it pornography, generic viagra, or home mortgage services. As more spam is dealt with by human beings (rather than filtered by computers), more advertisements get read, and more products will be sold, even if most people hit the delete key immediately. In paper-based "direct mail" ad campaigns, a response rate of one buyer per 100 mailings is generally enough to break even. The cost of sending email is much lower than the cost of sending paper mail, so a response rate of one buyer per 100,000 mailings is likely to earn a profit. The cost of sending email only seems lower to the sender, however, because most of the costs are shifted to the receiver and the receiver's ISP.
Here is how the technology works, in a nutshell. An email's "header" is the addressing and routing information, such as the to, from, and date fields, that you see at the top of each message. Most email software hides the bulk of the header from you, unless you take an extra step to have it displayed. This "hidden" information documents where the email originated and the route it took across the Internet to your inbox. Each computer on the Internet has a unique "IP address" consisting of four numbers separated by dots (periods). Each line of the "hidden header" contains the IP address of each computer that touched the email en route and states the action that computer performed. Usually, these intermediary computers simply receive the message and hand it off to another computer that is "closer" to the recipient; after five or six hops, the email arrives at your inbox, and the process stops. Each intermediary computer adds a line to the top of the header, so the very top line always documents your mail server's delivery to you. Each successive line below that will document where each computer got the message from, going all the way back to the original sender. For example, an email I received this morning has these two lines in its header:
The first line is from my mail forwarding service (which sent the message to my ISP after it added this stamp, and my ISP later delivered the message to me). The name of this computer is andros.alumniconnections.com, which resolves to the IP address 220.127.116.11. Before that, the message was handled by a computer named voyager.bna.com (18.104.22.168). This makes sense because the email in question was an Internet law newsletter from BNA, a publisher of print and electronic news, analysis, and reference products. Also note that each header line has a date & time stamp.
Some automated spam filters take advantage of this stamping process by searching the email header for computers that are known to be used for sending spam. The bottom line of the header should be the original sender, and the identities of the biggest spammers are well known, so it should be an easy matter to delete all messages coming from them. Spammers know this, however, so they go to great lengths to forge these headers and route their mail through other people's servers to disguise its true origin. CAN-SPAM's "false header information" provision would make this illegal. The practice is already arguably illegal under a patchwork of existing laws, which could be interpreted to cover this situation. However, there is no substitute for a clear, specific statute directly on point that removes all doubt.
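The header-based filtering described above, as an added example that is not part of the original post: it walks the Received lines from the top and compares a filter that believes the bottom line with one that believes only the stamps written by the recipient's own servers, which a sender cannot forge. The message, hostnames, addresses, the TRUSTED set and the BLOCKLIST are all constructed, and the "from X (X [ip]) by Y" layout is one common form that real servers vary.

```python
import re
from collections import namedtuple
from email import message_from_string

# Constructed sample message. All hostnames and addresses are made-up
# documentation values; the bottom Received line is the forged one.
RAW = """\
Received: from mx.forwarder.example (mx.forwarder.example [198.51.100.7])
\tby mail.isp.example with ESMTP id A1; Thu, 27 Nov 2003 09:14:05 -0500
Received: from relay.unknown.example (relay.unknown.example [203.0.113.45])
\tby mx.forwarder.example with SMTP id B2; Thu, 27 Nov 2003 09:14:01 -0500
Received: from bank.example (bank.example [192.0.2.10])
\tby relay.unknown.example with SMTP id C3; Thu, 27 Nov 2003 09:13:40 -0500
From: "Your Bank" <service@bank.example>
To: reader@isp.example
Subject: Account notice

Constructed body.
"""

# Servers the recipient controls or has chosen to rely on (assumption).
TRUSTED = {"mail.isp.example", "mx.forwarder.example"}
# Addresses known to send spam (constructed).
BLOCKLIST = {"203.0.113.45"}

Hop = namedtuple("Hop", "from_host from_ip by_host")

# Matches: from <name> (<name> [<ip>]) by <name>
HOP_RE = re.compile(
    r"from\s+(\S+)\s+\(\S+\s+\[([0-9A-Fa-f.:]+)\]\)\s+by\s+(\S+)"
)


def parse_hops(raw):
    """Return Received hops in header order (newest first).

    A line that does not match the expected layout becomes None so that
    callers can stop trusting the chain at that point.
    """
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.match(value.strip())
        hops.append(Hop(*m.groups()) if m else None)
    return hops


def naive_origin(hops):
    """Believe the bottom line: the address the sender claims to start from."""
    parsed = [h for h in hops if h is not None]
    return parsed[-1].from_ip if parsed else None


def verified_origin(hops, trusted):
    """Believe only stamps written by trusted servers.

    Walking down from the top, each trusted server recorded the address
    that actually connected to it. The first stamp written by anyone
    else, and everything below it, could have been typed in by the sender.
    """
    origin = None
    for hop in hops:
        if hop is None or hop.by_host not in trusted:
            break
        origin = hop.from_ip
    return origin


def is_blocked(raw, trusted, blocklist):
    """Filter decision based on the last address a trusted server saw."""
    return verified_origin(parse_hops(raw), trusted) in blocklist


if __name__ == "__main__":
    hops = parse_hops(RAW)
    print("bottom-line origin:", naive_origin(hops))
    print("verified origin:   ", verified_origin(hops, TRUSTED))
    print("blocked:           ", is_blocked(RAW, TRUSTED, BLOCKLIST))
```

On the constructed message, the bottom-line address is not on the blocklist while the address recorded by the trusted forwarder is, which is the gap a forged header exploits.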
The "resource misappropriation" provision is perhaps the most difficult for non-technologists to understand. Congress borrowed this idea from a line of judicial opinions based on a tort called trespass to chattel. A "chattel" is simply the legal term for an item of personal property (a toaster or a chair, for example). I cannot make toast or sit down when someone else is using my chattels without my permission. That property belongs to me, so the common law allows me to sue the person using it. If I prove my case, I would get money for the damages I suffered from the delay in satisfying my hunger or relaxing my legs, and the court would order the trespasser to stop. The crux of this policy is that a computer is a chattel just like a toaster or a chair. Intuitively, we all understand that if someone else is using my laptop, he is blocking me from using it at the same time.
In the spam context, we must look at the technology on a slightly deeper level than this simplistic first approach allows. The Internet relies on powerful computers called servers, which answer queries from many people at the same time. When I read Yahoo!'s home page, the odds are very high that many other people are reading it at the same time. Yahoo!'s web server can dish out thousands of pages at the same time. However, when the number of readers grows too high, even the most powerful server has trouble keeping up, and users experience delays or, worse, the server "crashes."
A similar phenomenon occurs with mail servers, the computers that process email after it is sent and before it is received. Suppose the average email user sends and receives an average of 20 legitimate messages per day and receives an average of 80 spam messages per day. His Internet Service Provider's (ISP) mail server will spend 80% of its time processing spam and only 20% processing the "real" mail, which is what the user (the ISP's paying customer) wants it to process. Instead of buying the server it wanted to buy, the ISP had to buy one with five times the processing power to accommodate the unwanted extra load. This does not increase the cost of the server linearly (by five times), but it does increase the cost of the server by a measurable amount. Similarly, the ISP has to pay for five times the bandwidth (transmission capacity) that its customers want to use. Even if the ISP filters out spam as a service to its customers, it must still pay for all this extra capacity to receive each piece of mail, look at the contents of each message, and flag each message for deletion or delivery.
The first case to examine spam from this perspective was CompuServe v. Cyber Promotions, 962 F. Supp. 1015 (S.D. Ohio 1997). CompuServe, an ISP, sued Cyber Promotions (CP) over spam that CP was sending to CompuServe's customers. (CP is no longer in that line of business.) That court built on the analysis written by a California Court of Appeals from a year before in Thrifty-Tel, Inc. v. Bezeneck, 56 Cal. App. 4th 1559, 1567 (1996). The California court had held that "Electronic signals generated and sent by computer have been held to be sufficiently physically tangible to support a trespass cause of action." CompuServe, 962 F. Supp. at 1021. In other words, the electric impulses that computers use to communicate constitute a physical invasion of property when they are sent into a privately-owned system without permission. In Thrifty-Tel, a telephone company had sued the parents of children who engaged in "phreaking" (attempting to crack the company's authorization codes in order to make long distance calls without paying for them). The most famous decision in this line of cases is eBay v. Bidder's Edge, 100 F. Supp. 2d 1058 (2000), which extended the same reasoning to web servers.
Two pieces of the bill (the "working unsubscribe" and "anti-resubscribe" provisions) belong under the same conceptual umbrella, which I call the "meaningful unsubscribe mechanism."
The "working unsubscribe" provision would require each piece of spam to include instructions for the recipient to "opt out" of future advertising. This opt-out mechanism must function for 30 days after the spam is sent, to ensure that recipients have a reasonable opportunity to use it. Otherwise, the spammer could shut it down immediately after clicking send, before most people have received the junk mail.
Some spammers get around states' opt-out laws by removing people from lists when they make opt-out requests, then immediately adding the same person to a new list. This new list has a much higher economic value to the spammer because the addresses on it are "verified": the spammer knows that each one belongs to and is being actively used by a live person. This formalistic interpretation of many state laws' opt-out requirements is not possible under CAN-SPAM's "anti-resubscribe" provision, which bars the spammer from adding opted-out addresses to other lists.
The "working unsubscribe" provision is the most controversial and troubling provision in the Act. A great controversy surrounds the question of whether spam should be an opt-in or an opt-out enterprise. An opt-in system would forbid unsolicited commercial email by requiring spammers to document that the owner of each email address on a mailing list has requested to be placed on that list. An opt-out system would permit unsolicited commercial email but requires spammers to remove an address from their lists when the person who owns it asks to be removed. The CAN-SPAM bill passed by the House came down on the side of opt-out.
The foundation of American law is the U.S. Constitution, and the First Amendment to the Constitution provides that "Congress shall make no law abridging the freedom of speech, or of the press." Despite this plain language, the Supreme Court has held that not all speech is equal under the First Amendment. While indecent speech (e.g., ordinary pornography) is protected from most government interference, obscene speech and child pornography enjoy no First-Amendment protection whatsoever. (See, for example, Ashcroft v. Free Speech Coalition, 535 U.S. 234, 122 S. Ct. 1389 (2002) for child pornography and Miller v. California, 413 U.S. 15, 24-25 (1973); Smith v. U.S., 431 U.S. 291, 301-02, 309 (1977); and Pope v. Illinois, 481 U.S. 497, 500-01 (1987) for obscenity.) Commercial speech gets an intermediate level of protection. Central Hudson Gas & Electric Corp. v. Public Service Commission of N.Y., 477 U.S. 557, 564-65 (1980).
Since the First Amendment was ratified, it has been axiomatic that "prior restraints" on speech are one of the greatest evils threatening the health of our polity. A prior restraint is a government prohibition on a particular message before the speaker has a chance to communicate it. The freedom of speech and the fundamental liberty of self-expression demand that everyone be given an opportunity to voice his thoughts. Some speech is always socially harmful, such as threats of violence or statements made in the formation of a criminal conspiracy. However, it is simply not possible to articulate in advance a definition of all forms that such harmful speech will take without our definition also encompassing many forms of legitimate speech. Therefore, we only punish speech after it has been uttered, when we can analyze the facts of each case. True, this allows some harms to occur that we might otherwise prevent, but a system of prior restraints would create far more and far greater harms by having a "chilling effect" on socially-necessary speech.
Therefore, everyone must have a reasonable opportunity to stand in a public square, tap passers-by on the shoulder, and say, "Would you like to hear what I have to say?" However, the freedom of speech guarantees a right to speak, not a right to force others to listen. Each listener has the right to say, "No, I find your views offensive, and I do not want to listen to you." Spam may be the 21st century, commercial-speech embodiment of this tap on the shoulder. The mandated opt-out system is the listener's opportunity to decline.
Many people believe that commercial speech should get less protection than it does today. Consumer protection demands it, they argue. How else can we prevent hucksters from selling snake oil through lies and deceit? These arguments do have merit, and I do not mean to dismiss them here; they are just beyond the scope of this blog. However, it would be irresponsible not to note at this point that, in recent years, the Supreme Court has been backing away from the Central Hudson doctrine because it is proving impractical to differentiate commercial speech from other types of speech. In ten years, what is "commercial speech" today may get full constitutional protection.
Spammers employ many strategies to collect email addresses for their spam lists. One common strategy is called "harvesting." Spammers write software that trolls the Internet for character strings that appear to be email addresses. The software scans the text of web pages, chat rooms, message boards, and usenet, recording all the email addresses it finds. The CAN-SPAM Act will make this practice illegal. The very next paragraph of the Act prohibits another common strategy, "randomly generating electronic mail addresses by computer." The combination of these two prohibitions will make it much harder for spammers to get a hold of functional email addresses.
The Act allows states to enforce the Act by suing spammers on behalf of their citizens, and ISPs to sue on their own behalf or on behalf of their subscribers. This is a common-sense compromise between the factions advocating a private right of action (which would permit individuals to sue spammers for themselves) and those advocating federal enforcement (which would permit only the U.S. Attorney General to enforce the Act).
Both extreme positions carry dangers and benefits. With a private right of action, the courts might be clogged with individual or class action suits, and it would take too long to reach large judgments against spammers for the law to be effective. On the other hand, leaving enforcement in the Attorney General's hands exposes the law to the dangers of under-enforcement and political cherry-picking. First, spam may seem minor compared to violent crimes, which rightfully get prosecutors' prime attention. Spam prosecutions might fall by the wayside. Second, the economic and technological damage caused by any two pieces of spam are identical, but does anyone honestly believe that John Ashcroft would approve the prosecution of inkjet toner vendors if there are any pornography vendors still standing? With finite resources, any Attorney General (like any manager) must set priorities for his office, and I would never fault Ashcroft for setting clear guidelines. However, I frequently disagree with the content of his guidelines; and, in this context, his preferences would probably lead to systematic selective enforcement, which would be untenable under the First Amendment, which prohibits the government from treating different speech differently, based on its content or viewpoint. With all fifty states and hundreds of ISPs bringing spam suits, the danger of selective enforcement declines.
CAN-SPAM expressly "preempts" state laws dealing with spam. The Supremacy Clause of the U.S. Constitution (article 6, § 2) establishes that the Constitution, laws, and treaties of the United States "shall be the supreme law of the land" and that they preempt state laws where they are in conflict (and in certain other situations). California, in particular, has passed several statutes prohibiting spam. California's most recent statute, which will not take effect until January, is far more protective of consumers than CAN-SPAM. All of these laws would be rendered unenforceable by the federal Act.
The House considered drafts of the bill that would have required the Federal Trade Commission (FTC) to maintain a "Do Not Spam" registry, similar to the "Do Not Call" registry that it recently established in conjunction with the Federal Communications Commission (FCC). Spammers would have been required to compare the email addresses in this registry to their own mailing lists and remove any addresses that match. In effect, it would have been illegal to send unsolicited commercial email to any address in the registry. However, the House rejected this provision (which would have required the FTC to create the registry) in favor of one that merely requires the FTC to study the issue and permits it to create a registry if it sees fit.
Anyone taking odds on what the FTC will do? Before you answer, consider that the bill fails to allocate a single dollar to fund the registry.
By making certain kinds of email illegal, the Act, by implication, renders all other kinds of email legal. However, some spam that Congress intended to make illegal will always slip through cracks in the law's definitions. (This is a fundamental shortcoming of human language, not necessarily a fault of Congress.) Therefore, the bill expressly permits ISPs to devise and implement their own, private email-handling policies.
Without this provision, ISPs would be vulnerable to lawsuits from spammers if they decide to block this slippery spam on their own. By blocking mail that is technically legal, the ISPs would arguably be liable for such torts as interference with business relations (for blocking legal business communications) and defamation (for falsely labelling messages as "spam"). Much like § 230 of the Telecom Act of 1996 (47 U.S.C. § 230), CAN-SPAM's "private mail policy" provision is designed to protect ISPs from an onslaught of litigation that would render them unable to conduct business. If ISPs cease operating out of fear of litigation, consumers would be unable to access the Internet at all.
Tuesday, 18 November 2003
History of voting technology
Amid the Diebold controversy, it is interesting to take a step back and ponder how we reached this point. Thanks to a post in LawMeme, I found this fascinating history of voting technology in America. The web site was compiled by Rachael Deane, on behalf of Dr. Jeffrey McClurken for a course at Mary Washington College.
Monday, 17 November 2003
File sharing zeitgeist
The Contra Costa Times ran an interesting, yet unsurprising, AP story on Saturday (Music industry mines data from downloads). In a nutshell: "Despite their legal blitzkrieg to stop online song-swapping, many music labels are benefiting from — and paying for — intelligence on the latest trends in Internet trading." That is right, P2P networks are the best tool yet-invented for gathering realtime data on music consumer tastes. By tracking the number of downloads for particular artists and particular songs and the rough geographical distribution of those downloads, the industry can better target its marketing and products.
I would accuse RIAA of batting both ways (like I did H&R Block this morning), but this phenomenon raises an issue more important than copyright law. For the first time in the history of human social interaction, we have the technology to gather realtime information on the thoughts of a cross-section of a nation. P2P file sharing is a specific example, and the Google Zeitgeist is a more general one.
H&R Block bats both ways
SiliconValley.com reprints a story from the Kansas City Star, reporting a defamation lawsuit filed by H&R Block (H&R Block sues anonymous online critic). Essentially, the accounting firm believes that an employee is behind a series of postings on a Yahoo! message board that criticize the company. The article is a bit sketchy, but apparently both the complaint and a company spokesman said that the message board posts constituted (1) false and misleading statements and (2) improper disclosures of confidential information.
H&R Block is trying to bat from both sides here. If the anonymous poster's statements were accurate, they would prove highly embarrassing to the company, and he would have disclosed confidential information. If they are not accurate, they would be defamatory. Either way, H&R Block maintains plausible deniability for long enough to force Yahoo! to reveal the anonymous poster's identity. Ultimately, H&R Block may have a difficult time proving either claim because damages (an essential element of both claims) would be too speculative. The author writes, "The defendant's comments don't appear to have had a material effect on Block stock," and goes on to detail the fluctuation of H&R Block's share price during the relevant time period, concluding that it was a mere penny off its 52-week high shortly after the statements. Proving a link between these statements and any trend in revenue would be exceedingly difficult, if not impossible.
This is a SLAPP — a strategic lawsuit against public participation. After Yahoo! breaches the poster's anonymity, we have no guarantee that H&R Block will pursue the lawsuit. More likely, it merely needed a subpoena to learn whether the poster was an employee — and will promptly forget about the suit after getting what it wants. Better to make an example by loudly firing a wayward employee than to waste time and money on a lawsuit against someone who will not have millions of dollars to pay in damages, in the unlikely event that you win. The last portion of the article begins, "Lawsuits aimed at forcing Internet service providers to provide the names of anonymous Internet users have become increasingly common in recent years." Little question exists as to the effect this is having on the freedom of speech.
Sunday, 16 November 2003
Cheap tricks & Primer on PC Audio
Ever since the copyright industry first made noise about the dangers of digital distribution and the need for DRM, pundits have pointed out that "downstream" copying (capturing sound in an analog state, en route from its storage medium to a computer's speakers) could eviscerate any DRM scheme. Today I got curious about just how easy and cheap downstream really is. High Criteria's product, Total Recorder, comes highly recommended for this task, and it costs a mere $11.95. That's it — twelve bucks to foil a multimillion-dollar DRM regime. I also found the company's excellent Primer on PC Audio. This is a good introduction for anyone interested in digital audio technology but without a lot of technical knowledge.
Saturday, 15 November 2003
Extent of secrecy in Wal-Mart's RFID testing
Controversy over the use of radio frequency identification (RFID) chips in retailing has raged for some time. Although I have not covered RFID developments in this blog, I do follow them closely. Yesterday C|Net published a once-over of the newest RFID front, and I want to highlight one important point that the author glossed over too quickly. (Article: 'Smart shelf' test triggers fresh criticism)
Wal-Mart, the world's largest retailer, stopped a small RFID trial in Boston last year, after CASPIAN (Consumers Against Supermarket Privacy Invasion And Numbering) called public attention to it. Wal-Mart tried again last summer, in Tulsa, with a larger group of products. C|Net reports that the company "sold, from March to July, Max Factor Lipfinity products embedded with the special tracking chips. A Wal-Mart representative, who told CNET News.com in July that the company had never sold products with chips in them, now says he only recently became aware of the Lipfinity test." In other words: Not only did Wal-Mart hide its activities from the public, it also hid them from its own spokespeople, causing them to deceive the press.
Thursday, 13 November 2003
Diebold & Democracy
The venerable Mary Hodder over at bIPlog gives us a terse summary of the goings on in California, with respect to Diebold Election Systems. (Article: Diebold Latest: The Effects of Student Spread Memos on CA Secretary of State) More importantly, I cannot overstate my support for her synopsis of the implications this affair holds for the future of American democracy.
Mary hit the nail on the head when she wrote:
[S]tudents at Swarthmore, followed by students at many other institutions…in spreading the Diebold memos around, have accomplished the goal of causing those with review power over Diebold systems to take another look at Diebold's work. … Even if the review doesn't cause the state to discontinue using Diebold systems or require severe changes (and I'm sure the pressure is enormous TO certify), the fact is the memos raise disturbing issues and the review is very necessary. If companies providing services of this sort feel that they can quash documents out on the Internet by using the DMCA, if Diebold succeeds on this point, we and our democracy will be the poorer for it.
The Diebold affair neatly illustrates two points. First, it shows the unconscionable overbreadth of the Digital Millennium Copyright Act (DMCA) — in this case, the "notice and takedown" provision. Second, it underscores the growing relevance of the blogosphere to national politics. The activists hosting the internal Diebold memoranda that triggered this affair deserve the lion's share of the credit for bringing this issue to light. Bloggers deserve the credit for keeping it there. While bloggers were giving the issue its due, the mainstream press was comparatively slow to report the acts of civil disobedience at Swarthmore and elsewhere. Bloggers can force the media to pay attention to important issues. We can force public officials to take notice. We can make a difference.
Thursday, 6 November 2003
Penn State lends credibility to Napster 2.0
Pennsylvania State University announced today that it would offer its students a chance to partake in Napster 2.0. The original incarnation of Napster — once synonymous with wanton copyright violation — shut down two years ago, under the crushing weight of a legal assault from the Recording Industry Association of America (RIAA). Sometime thereafter, a small software company named Roxio purchased the defunct Napster's source code and brand, betting that Napster's worldwide name recognition would help it launch a legal music distribution service. Not long ago, Napster 2.0 launched, selling individual songs for 99¢ and monthly "subscriptions" for $9.95. The Nittany Lions intend to fund their new service from the $160-per-year "information technology fee" that its students are required to pay. The university declined to state how much it paid per student in the deal but claims the amount was "substantially less" than Napster's standard $9.95 per month. See the New York Times' coverage: "Penn State Will Pay to Allow Students to Download Music."
Update: Sony Music and BMG intend to merge
After reporting yesterday on the burgeoning business of partnerships among media companies (Media Giants Getting Together), the Washington Post reports today that "Sony Music Entertainment Inc. and BMG Entertainment have signed a nonbinding letter of intent to merge, creating a goliath that would control a quarter of the world's music business." (New Duet in Music World) See yesterday's blog on media partnerships.
Wednesday, 5 November 2003
Partnerships mask media consolidation
The Washington Post has an interesting article about the rise of partnerships in the news media industry. (Media Giants Getting Together) In a field where scoops were once jealously guarded, they are now shared with abandon.
More and more media organizations — newspapers, magazines, television networks, Web sites — are forming globe-spanning, interlocking and often-cyclic partnerships with each other; some paid, others not. In an effort to hold budgets in line while expanding out of their traditional niches, newspapers give stories to each other, print reporters appear on television news shows and Web sites link to newspapers, television networks and magazines.
In recent years, civil libertarians have lamented media consolidation with increasing frequency and volume. The more outlets that are controlled by Big Media, they argue, the fewer voices will be heard in the marketplace of ideas. If, for example,
The partnership model is supposed to mitigate this dystopia. No single company could possibly expand fast enough to grow all the businesses mentioned above internally. Therefore, they must either acquire other companies or form partnerships with other companies to extend their reach as far as possible. Mergers and takeovers result in unified control from the top down. Partnerships are more fluid, usually comprising only a small number of specified joint projects and lasting only for limited times. Projects and their durations are specified in advance in contracts between the partners. Partnerships are likely to focus on efforts most likely to deliver a cost-savings benefit or extend the partners' "reach" as far as possible in a short time. As reported in the Washington Post:
"One of the major justifications proffered for broadcast mergers and newspaper/broadcast combos is 'efficiencies' and 'synergies,'" said Andrew Schwartzman, president of the Media Access Project, which has opposed many media mergers. "As these deals demonstrate, it is possible to achieve both without actually purchasing or controlling both properties." [Hyperlink mine] At the same time, however, Schwartzman warned that such partnerships "can be abused as a means of reducing service, especially at the local level."
What does this mean for the average consumer of news, entertainment, and other information? One can no longer determine the ultimate source of information from the medium in which it is received or from the "brand name" at the top of the page or at the beginning of the broadcast. An article in the Washington Post may come from the Dow Jones company (via the Post's partnership with the Wall Street Journal). A Discovery Channel documentary may come from the New York Times (via their collaboration on the Discovery Times cable channel).
Would you trust an NBC news report on the latest consumer electronics? Before you answer, consider that NBC is owned by General Electric and has a 50% stake in MSNBC, along with Microsoft. Consider whether NBC has a financial incentive to make people more inclined to buy products made by GE or Microsoft. Now answer the question.
Tuesday, 4 November 2003
Update: MIT suspends music-on-demand service
The New York Times reports that the Massachusetts Institute of Technology (MIT) has "temporarily suspended" its ballyhooed music-on-demand service. (Article: Music-Sharing Service at M.I.T. Is Shut Down) (See my prior blogs on this issue: 1, 2.)
Sunday, 2 November 2003
Monsanto sues farmers for saving soybeans
Taking a page from the RIAA playbook, agriculture giant Monsanto Corp. has taken to suing farmers to enforce its patent on Roundup Ready® (RR) Soybeans. Monsanto developed the patented soybean seeds (bearing a trademarked name, no less) to resist its best-selling herbicide, Roundup®. The new plants allow farmers to apply more herbicide to control weeds without killing their crops. However, Monsanto does not simply sell the seeds. It licenses them, and the license terms prohibit saving seeds from one season for planting in the next. Never mind that saving seeds has been standard operating procedure in farming for the entire history of human agriculture.
I have no beef with Monsanto licensing its patented technology rather than selling outright the products based on it. However, it has done an inexcusably negligent job of informing farmers of the contents of the form contracts by which it sells RR soybeans. The New York Times (NYT) reports (Saving Seeds Subjects Farmers to Suits Over Patent) that farmers sign the contracts without reading them, believing they are the same standard seed-sale agreements they have signed in previous years. Although some farmers are aware of the $6.50 "technology fee" per sack of seeds, Monsanto appears to have made no effort to call attention to the anti-saving provision. Obviously, many farmers saved some seeds and replanted them in the next season, violating both the contract and Monsanto's patent. The NYT article says that many farmers are fighting the lawsuits, taking them all the way to judgment, and that the first is now up on appeal. It is only a matter of time before we get appellate-level decisions on the enforceability of these contracts under contract-of-adhesion and antitrust law.
Saturday, 1 November 2003
Park mixes it up at Senate CS&T
Bob Park, the University of Maryland physicist and publicist for the American Physical Society, got snarky this week in his testimony [pdf] before the U.S. Senate Committee on Commerce, Science, and Transportation. Expressing his concern that protein crystal research is still on the International Space Station (ISS) agenda despite a bounty of research suggesting that the crystals grow identically in microgravity and at 1g (on Earth), not to mention the Australian crystal fraud [see item 3], Park was interrupted by Senator Bill Nelson (D-FL) for a question. "And they still haven't grown one crystal that hasn't been grown on Earth?" the Senator asked. "Not one," the physicist replied.
How much of my money are they going to spend chasing leprechauns?
Friday, 31 October 2003
Update: MIT lacks music licenses
As I blogged a few days ago, a group of MIT students devised an analog system for transmitting music via the university's cable television infrastructure. They intended to distribute streaming music free of charge to students without triggering copyright rules that mandate royalties for digital on-demand distribution. Today the Los Angeles Times reports that MIT had to suspend service for part of its music library because Loudeye Corp., the company from which it believed it had purchased licenses for the music, did not have the relevant licenses to sell. (Article: Music Service at MIT Hits a Snag) MIT and Loudeye are now engaged in very public finger-pointing.
Thursday, 30 October 2003
Laser printers, razor blades, and the DMCA
The much-blogged-on exemptions from the Digital Millennium Copyright Act (DMCA), issued by the Copyright Office earlier this week, contain an interesting passage beginning at page 172. (The report is 198 pages long.) Lexmark, the #2 printer manufacturer, brought a widely publicized lawsuit against Static Control Corporation (SCC) alleging, inter alia, violations of the DMCA. When SCC filed for an exemption under the copyright rulemaking procedures, the Register was backed into the unusual corner of commenting on pending litigation.
Razor & Blades Business Model
Laser printers use an "ink" called toner, which comes in cartridges that are inserted into the printer. A new printer is sold with a full cartridge, and a moderate level of printing will use up one cartridge's worth of toner in about six months. Once this occurs, the user has two options: buy a new or refurbished (refilled) cartridge. Printer manufacturers sell new cartridges with full warranties against defective parts and workmanship. Refurbished cartridges are refilled by either the manufacturer or a third party in an aftermarket, and they generally do not carry warranties. Refurbished cartridges have two major selling points — one theoretical and one practical. First, refurbishing is a form of recycling and is more environmentally-friendly. Second, refurbished cartridges are cheaper than new ones.
The laser printer industry has long used the razor-and-blades business model famously pioneered by King C. Gillette. Shaving razors are a classic consumable good because ordinary wear and tear render them useless after a short time. A week or so of shaving will render the blade too dull to shave effectively, so the consumer discards the old blade and buys a new one. Once upon a time, razor blades were manufactured with their handles attached, as a single piece. Since each purchase entailed buying the entire unit, purchasing a Brand X blade one week did not bind a customer to buying the same brand the next week. While there may have been differences in quality among the various blades, most consumers could not objectively detect those differences, so there was no brand loyalty, and price was the chief (and perhaps only) discriminator. Gillette's innovation changed all that.
Gillette realized that he could manufacture the handles separately from the blades and that blades alone would be cheaper to make than the blade-handle combination. At the same time, he could make his handles and blades in a special shape so that neither unit would "fit" another brand. Once a consumer bought a Gillette handle, he would be locked into buying Gillette blades because nobody would want to buy relatively cheap blades that would not fit into an already-owned and relatively expensive handle. Consumers benefitted because they paid less money for blades in the long run — because they were consuming less material, since they discarded only the blades. Gillette benefitted with a steady stream of blade sales, proportional to the number of handles previously sold. (In IT jargon, the number of handles was Gillette's "installed user base.") To induce consumers to buy into this system, Gillette sold his handles as cheaply as possible, often just breaking even or taking a loss. He could afford to do this because the markup on blades was quite high, yielding a high per-blade profit, so he would make up for any loss on the handle after just a few blades.
The laser printer industry uses the same basic business model. Lexmark and competitors like Hewlett-Packard (HP) sell printers at- or below-cost, in an attempt to make them seem as inexpensive as possible in the first instance. Each manufacturer's printers work only with its own toner cartridges, as each company seeks to guarantee that its customers have to buy its toner for the life of the printer. Toner sales drive these companies' profits. (See, e.g., third quarter profit reports released by Lexmark and HP earlier this month.)
With this razor-and-blades model foremost in mind, Lexmark designed its T-series printers so that certain features would work only with new toner cartridges or those refurbished by Lexmark but would fail with cartridges refurbished by third parties. Third-party refurbishers, Lexmark believes, hijack its aftermarket revenue stream from toner sales that "subsidize" the cheap initial price of printers. For example, T-series printers display a message when the level of toner in the current cartridge falls below a certain level, to warn the user that he should buy a new cartridge. A microchip in the cartridge feeds this information to the printer, and this chip cannot read the toner level after the cartridge has been refilled. Lexmark can correct this when it recycles its own cartridges, putting a new chip in the old cartridge that can read the toner level. However, when another company puts new chips in old cartridges (or manufactures its own cartridges and microchips in the same shape, so that they fit in Lexmark printers), Lexmark cries foul. This is exactly what SCC did and how Lexmark responded. Lexmark sued SCC, alleging patent infringement and copyright infringement under the DMCA.
The reader should understand one additional point, too. Lexmark introduced an additional step into the razor-and-blades model, selling two types of toner cartridges. The first type embodies the classic model described above. The second type, called "prebate" cartridges, are sold at a $50 discount — but only under a contract that obligates the purchaser to return the empty cartridge to Lexmark once the toner is gone. In addition to this contractual protection, Lexmark builds into prebate cartridges an additional, technological measure of protection. As the Register explains, prebate cartridges contain microchips that engage
in an authentication sequence, or 'secret handshake,' with the Printer Engine Program on the Lexmark T-series printers. This authentication sequence runs each time a toner cartridge is inserted into a Lexmark T-series printer, each time the printer is turned on, or whenever the printer is opened and closed. This authentication sequence must be successfully performed in order for the Toner Loading Program to exchange information with Printer Engine Program and to allow the printer to function. If, on the other hand, the authentication sequence does not successfully occur, the printer will not recognize the toner cartridge as authorized and access to the Printer Engine Program will be disabled. [pages 174–75]
SCC designed its own printer cartridges and microchips that mimicked the functionality of Lexmark's products. Of course, SCC did this without Lexmark's permission; Lexmark never would grant permission for a product that would deprive it of its most important revenue stream. So Lexmark sued SCC for patent and copyright infringement, seeking damages (money, measured as the sales of toner that Lexmark lost due to SCC's actions) and an injunction (a court order for SCC to stop).
The Register's Report
Patent law is supposed to protect inventions, devices and other functional technology, whereas copyright law is supposed to protect creative works like writings and music. This is why Lexmark's decision to invoke copyright law to protect its printers is so discordant. In my opinion, Lexmark alleged just enough creative/expressive content in its chips to avoid Rule 11 sanctions, but the District Court obviously disagreed with me — and granted it a preliminary injunction. It is generally understood in the industry and in (at least) some courts that computer software is expressive for copyright and first-amendment purposes — notwithstanding that it has functional (non-expressive) characteristics. It is also generally-accepted that someone may copy another's computer program for the sole purpose of reverse engineering it, so long as the reverse-engineered code is original and no copyrighted code is used in the final product. This is what Lexmark alleged that SCC did when it claimed copyright infringement. The District Court agreed with Lexmark that this constitutes "circumvent[ion of] a technological measure that effectively controls access to a work protected under" copyright law — which the very first section of the DMCA renders illegal.
The Register of Copyrights, in her report, pointed to § 1201(f) of the statute, which Congress "intended 'to avoid hindering competition and innovation in the computer and software industry.' Congress did not intend the DMCA to change the effect of pre-DMCA case law that allowed legitimate software developers to continue engaging in certain activities for the purpose of achieving interoperability between computer programs." (page 178, quoting House Manager's Report at 14 and citing the landmark case, Sega Enterprises Ltd. v. Accolade, Inc., 977 F.2d 1510 (9th Cir. 1992)) This concern for interoperability covers "not only … individual use, but [extends to] enabling competitive choices in the marketplace." (Id.) This "statutory exemption," the Register wrote, "goes far beyond the limits of this rulemaking" proceeding. (Id. at 180)
While the report denies a specific exemption to SCC, it recognizes that the exemption in § 1201(f) is broad and that SCC's activity falls within it. This interpretation of the statutory language — on the public record, by an entity with great persuasive authority in the courts — is a boon for competition. Furthermore, it reflects the instinctive dichotomy between patent and copyright law, leaving patents to protect technology and keeping copyrights focused on expression. The Register's opinion does not bind the Sixth Circuit, where the Lexmark suit is now pending, but courts of appeal do take notice when a specialized regulatory agency publishes such a strongly-worded opinion on the public record — so while SCC nominally "lost" (the Register refused to grant it an exemption), it may have "won" in a broader sense that it did not anticipate.
Wednesday, 29 October 2003
Update: Press coverage of DMCA exemptions
The Wired article has this succinct summary of the exemptions granted yesterday: "People may bypass a digital lock to access lists of websites blocked by commercial filtering companies, circumvent obsolete dongles to access computer programs, access computer programs and video games in obsolete formats, and access e-books where the text-to-speech function has been disabled."
Tuesday, 28 October 2003
Columbia astronauts might have inspected wing in spacewalk
The Columbia Accident Investigation Board (CAIB) officially released volumes II-IV of its Final Report. Today's releases contain one tidbit that compels me to acknowledge that a public statement I made last February was partially wrong. With the benefit of eight months' hindsight, CAIB has concluded that the Columbia astronauts might have undertaken a highly risky two-man spacewalk to inspect the damage to the spacecraft's left wing — "if one of them had used the other as a ladder," in the words of one New York Times article (Reports Detail a Hypothetical Shuttle Rescue).
In a post to CTY-L on 11 February 2003, I stated (wrongly, it turns out) that the Columbia astronauts could not have inspected or repaired the damage. While CAIB concluded that the astronauts might have inspected the damage, the report does not suggest they could have repaired it in space, or that they should have attempted to do so. Indeed, the shuttle did not have the appropriate materials or tools on board to carry out such a repair. See, e.g., this Washington Post article: "Astronauts on Columbia and engineers in Mission Control were not aware of the extent of damage to the shuttle wing. But officials said that, in any case, there was no equipment on the shuttle to patch the wing even if the problem were recognized." (Article: Paint Brush May Aid in Repair of Shuttle)
Copyright Office issues DMCA exemptions
The U.S. Copyright Office today issued its report creating a new set of exemptions under the DMCA for the next three years. (Links: short version and long version) The Register granted two major exemptions and denied many others. Ernest Miller has a collection of blog links. Derek Slater has a good, short summary.
Law driving innovation
The government should occasionally drive innovation. This is especially true when the potential benefits of a new science or technology are great but the probability of developing products based on them within a reasonable time is small. This is an obtuse reference to the old argument that the government should, in some cases, support "pure" research. In most cases, however, government intervention in the market for research and development (R&D) is unwarranted and even destructive. The case for government intervention absolutely breaks down when market forces have already produced the first viable product. Where multiple products compete, there is no plausible argument yet-made for government intervention.
Sometimes, however, government actions shape innovation as the unintended consequence of legitimate actions taken in another sphere. This is happening right now in the area of copyright law. Since the first Congress enacted the first American copyright act in 1789, copyright law has grown in two directions: more complex and more protective of copyright owners' interests. Both trends have deeply affected copyright markets in the last two centuries. Since the 1976 copyright act — the most recent major overhaul to copyright law in this country — the complexity of the law has had a disproportionate impact on the technologies developed to serve the copyright industry. My theoretical opinion and this practical reality collide in the project of two Massachusetts Institute of Technology (MIT) students.
The New York Times reported yesterday that MIT students Keith Winstein and Josh Mandel have developed a system for distributing music via campus information networks that appears to comply with copyright law and partially render moot the grand public debate over file sharing. (Article: With Cable TV at M.I.T., Who Needs Napster?) The project transmits music over MIT's cable television infrastructure in analog form — thereby taking advantage of the bulk licenses that copyright producers routinely grant to television and radio operators and avoiding digital transmission, which triggers the nastier niceties of the copyright act. This new technology adds precisely zero end-user functionality to existing distribution systems (namely, file sharing networks and radio). Its sole purpose was to formally circumvent a distribution mechanism that copyright producers find objectionable. John Schwartz of the NYT writes that "some legal experts say the M.I.T. system mainly demonstrates how unwieldy copyright laws have become." Mike Godwin, senior technology counsel to Public Knowledge, says the students have "sidestepped the stonewall that the music companies have tried to put up between campus users and music sharing."
Copyright law's burgeoning complexity may be the lifeblood of intellectual property lawyers, but it is bad social policy. I admit this as someone currently aspiring to become an IP and cyberlaw lawyer. Another prime example of complexity breeding bad results lies in the recent episode where the Minnesota Public Utilities Commission (MPUC) tried to regulate Vonage and other VoIP providers as telephone service providers. The Federal Communications Commission (FCC) long ago penned the legal distinction between "telecommunication services," which states may regulate, and "information services," which they may not regulate (because such regulations are preempted by federal law). Vonage and other VoIP providers offer consumers and businesses a method of conducting voice communication, which we would ordinarily recognize as "phone calls." The only difference, from the end-user's perspective, is that his phone is plugged into a black box which, in turn, is plugged into the wall, instead of the phone being plugged directly into the wall. The user still dials a number, talks, and listens just as he would with an ordinary telephone. The problem is that the law created two legal categories and treated them differently. As technology allowed, the market made this distinction spurious at best by offering products that straddled the line between the two categories.
In both cases, the complexities of the law drove technology and the way we use it. In the former, copyright law inspired wasteful development of a system that is, at best, as efficient as preexisting systems. In the latter, the law held up development of a highly efficient technology (compared to what it would replace) with wasteful litigation that sought to resolve whether it was really the old technology or something new. The commonality is the resources consumed by the attempt to apply overly complicated laws to new facts. These examples are drawn from this and last week's headlines. I could probably select one example per week over the last five years, with some effort. I think, however, that my point is made.
Monday, 27 October 2003
AP picks up the Diebold story
The Associated Press has picked up the story of Diebold's cease & desist demands under the DMCA. (Article: Diebold threatens publishers of leaked electronic-voting documents.) This should lead more mainstream news outlets to carry the story, beyond the paltry few that have carried it thus far (1, 2, 3). This could be the third major story with national political implications broken in the blogosphere after the mainstream press ignored it.
Sunday, 26 October 2003
Update: Indirect linking & the DMCA
Today, LawMeme asked essentially the same question I asked on Friday. I cannot link directly to the LawMeme article, in order to preserve the experiment I proposed on Friday (due to trackbacking effects). You can find it easily, however. The title is "How Direct is Too Direct When It Comes to Hyperlinks?," the author is James Grimmelmann, the publication date is 26 Oct 2003, and the category is copyright.
Friday, 24 October 2003
Antipiracy indoctrination gets off to rocky start
The Motion Picture Association of America (MPAA), the chief Hollywood lobbyist, has launched an indoctrination campaign in public schools. Although MPAA calls it "education," the program fits all the elements of the definition of indoctrination in Webster's Dictionary. MPAA paid $100,000 to deliver its message to 900,000 children over the next two years, taking advantage of public schools' budget crises. Although the program's title is "A Guide to Digital Citizenship," its curriculum is more accurately reflected by its slogan, "If you haven't paid for it, you've stolen it."
As a statement of law, this slogan is absolutely wrong. There are many situations in which one can lawfully acquire property without paying for it, and a good number of those apply to file sharing, the main target of MPAA's effort. As reported by AP, the MPAA curriculum is a simplistic and one-sided presentation on a complex area of law, delivered to children, many of whom are likely to lack the knowledge and sophistication to engage the instructors in productive discussion. In one example reported by AP, one knowledgeable student was cut off by the teacher when he disagreed with the scripted lesson.
Note to MPAA: Discussion is good, but proselytization is not.
Thursday, 23 October 2003
Benefits of free wi-fi hotspots
On Monday, Computer World reported that companies offering free wi-fi hotspots were boasting measurable returns on their investment ("Free hot spots pay dividends"). The article compares the experiences of companies that provide free hotspots with those of companies offering fee-based wi-fi service (à la Starbucks) or ethernet. This is not the first time Starbucks has missed the boat entirely. Try turning off cookies in your browser before you go to Starbucks' web site.
Wednesday, 22 October 2003
Terrified of Terror Profiling?
Bruce Schneier, the renowned expert in computer security (as well as founder and Chief Technical Officer of Counterpane Internet Security, Inc.) wrote a column this week for Newsday: "Terror Profiles By Computers Are Ineffective." As the title suggests, Schneier argues that all the approaches yet taken to "profiling" terrorists suffer from the same fundamental design flaw. "There's a common belief — generally mistaken — that if we only had enough data we could pick terrorists out of crowds," Schneier writes. He goes on to show that the types of information that we have endeavored to gather — indeed, the types of information that we can gather — bear no statistically significant relationship with terrorist acts, or even propensity toward terrorism.
Schneier's argument is bolstered by the simple, elegant, and compelling mathematical analysis done by Temple University mathematician John Allen Paulos, in the January 2003 installment of his column "Who's Counting?." The article, "Future World: Privacy, Terrorists, and Science Fiction," assumes that a project such as the recently de-funded Terrorist Information Awareness program (née "Total Information Awareness"), has succeeded beyond the wildest dreams of its founders by 2054, the year when the film Minority Report is set. This hypothetical program has a predictive success rate of 99%. Examining this number and assuming that the U.S. has 300 million citizens, Paulos proves that it would imprison just under 1,000 terrorists and just under 3 million innocent people.
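The arithmetic behind those two figures, as an added example that is not taken from Paulos's column or from this post. It assumes 1,000 actual terrorists (inferred from the "just under 1,000" result) and that the 99% rate applies equally to terrorists and non-terrorists; the function names are hypothetical.

```python
from fractions import Fraction


def screen(population, actual_positives, accuracy):
    """Apply a classifier whose hit rate on real positives and on real
    negatives both equal `accuracy`.

    Returns (true_positives, false_positives, precision), where precision
    is the share of flagged people who really are positives.
    """
    accuracy = Fraction(accuracy)
    negatives = population - actual_positives
    true_pos = actual_positives * accuracy        # real positives flagged
    false_pos = negatives * (1 - accuracy)        # innocents flagged
    precision = true_pos / (true_pos + false_pos)
    return true_pos, false_pos, precision


def accuracy_needed(population, actual_positives, target_precision):
    """Smallest accuracy at which `target_precision` of flagged people
    are real positives.

    With P positives, N negatives, accuracy a and target t:
        P*a / (P*a + N*(1 - a)) >= t
        =>  a >= t*N / (P*(1 - t) + t*N)
    """
    t = Fraction(target_precision)
    p = actual_positives
    n = population - actual_positives
    return (t * n) / (p * (1 - t) + t * n)


if __name__ == "__main__":
    POPULATION = 300_000_000      # from the column, as quoted above
    TERRORISTS = 1_000            # assumption, see lead-in
    tp, fp, precision = screen(POPULATION, TERRORISTS, Fraction(99, 100))
    print(f"terrorists flagged: {int(tp):,}")
    print(f"innocents flagged:  {int(fp):,}")
    print(f"chance a flagged person is a terrorist: {float(precision):.4%}")

    needed = accuracy_needed(POPULATION, TERRORISTS, Fraction(1, 2))
    print(f"accuracy needed for a 50/50 chance: {float(needed):.5%}")
```

Even at 99%, roughly one flagged person in 3,000 is a real positive; the rarity of the target, not the quality of the classifier, dominates the outcome.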
Tuesday, 21 October 2003
CDT report on broadcast flag
Today, the Center for Democracy and Policy (CDT), Public Knowledge and Consumers Union (publisher of Consumer Reports) issued a 31-page report entitled "Implications of The Broadcast Flag: A Public Interest Primer" [pdf]. The report has an excellent description of the background of the broadcast flag and explains how the issues affect the television and film industries, the government, and the public interest with remarkable clarity. This is a must-read for anyone interested in the most active area of debate in copyright law for the next three years.
The report's three most important findings (in my opinion) are:
Monday, 13 October 2003
Update on Google's reliability
The Washington Post (and perhaps other mainstream media) has picked up the story of Google's fallibility. This particular article speaks to the problem of result misreporting uncovered by Googlewhackers earlier this month, now being discussed on slashdot. The most thorough discussion of this problem yet published is Seth Finkelstein's paper, "Google Spam Filtering Gone Bad."
I have discussed this problem in this space before and will continue to monitor it.
John Halderman cracked an encryption and DRM system called MediaMax CD3, a product of SunnComm Technologies. Why? He is a PhD candidate in Princeton University's Department of Computer Science, writing his thesis in computer security. In classic academic style, Halderman published the resulting paper on the web. In classic cranky-three-year-old style, SunnComm threatened to sue Halderman on several grounds, including a claim under the Digital Millennium Copyright Act (DMCA). SunnComm's CEO's quote in the first news cycle since this story broke was precious: "No matter what their credentials or rationale, it is wrong to use one's knowledge and the cover of academia to facilitate piracy and theft of digital property." SunnComm backed down from its lawsuit threat within 48 hours after an enormous public outcry fueled by the blogosphere.
This episode is important for two reasons. First, it shows the excesses of the DMCA and underscores how ridiculously overbroad its language is (in addition to being bad policy). SunnComm must have interpreted Halderman's paper as either a "device" intended to "circumvent a technological measure that effectively controls access to a [copyrighted] work" under DMCA § 1201(a) or as trafficking in such devices. No person who speaks ordinary English would ever confuse a research paper with a device. Besides, Halderman defeated the system merely by holding down his shift key, so how "effective" could it be? Effectiveness of the DRM system is, after all, an essential element of the DMCA claim. SunnComm may have deserved the $10 million decline in its stock-price value the day after the blogosphere picked up this story.
Second, it shows the power of the blogosphere. The first Internet publisher to become a legitimate force in American politics was Matt Drudge when he broke the Monica Lewinsky story in 1997 after the traditional press (namely, Newsweek) declined to print the story. The Internet's role in politics was considered routine barely five years later, when bloggers brought down Trent Lott, again after the traditional news media dismissed an important story. The SunnComm episode clearly shows that Internet publishers' influence has outgrown the first level of the political sphere, where rumor and innuendo are weapons in their own right. This time, bloggers slapped around a software company working for several major record labels in two industries driven by bottom-line considerations. Blogging tools make Internet publishing easier than ever, and the number of bloggers is growing daily. Their voices are heard by one another and now by the major media and corporate America. If we can continue to avoid demagoguery, this may be a good thing.
Sunday, 12 October 2003
Google's reliability in question
The word "Google" has long since become synonymous with "search" in the Internet context. I used to believe whole-heartedly that this moniker was richly deserved by the king of search engines because the quality of its product search results was unparalleled. When Google bought the most extensive usenet archive in existence from Déjà and applied its search technology to it, the usenet community relished having a more reliable and efficient search form for the archive. Google has grown so important to the Internet community that otherwise-honorable businesses engage in shenanigans (and occasionally outright scams) to boost their "rank" in the search engine's hit list.
Before this backdrop, serious questions about Google's reliability have been raised in recent weeks.
In one notable example, Google misreports the number of pages in its index that match certain search criteria. One particular series of searches reveals a systemic flaw in Google's reporting. On 30 September 2003, a search for the keywords "quote dog cat stone" (without the quotes) yielded the following reported result: "Results 1 - 10 of about 75,600." On that same day, a search for the keywords "quote dog stone" (again, without the quotes) yielded the following reported result: "Results 1 - 10 of about 48,700."
Note the difference between these two searches. The first query had four keywords, and the second had three: the word "cat" was removed. Google's default boolean operator is AND, meaning that when you search for more than one word, Google automatically looks for documents containing all of your search terms. You can change this behavior by typing "OR" or some other operator between the words. The default, however, should always produce more results when there are fewer keywords. It seems likely that many pages on the web will have at least one of our keywords, since quote, dog, cat, and stone are all relatively common words. But how many will contain two of the words? Cognitively, dog and cat go together, but it is easy to imagine many pages devoted to dogs that do not mention cats at all. Similarly, how many pages devoted to Craig Venter's poodle will mention "quote" or "stone"? This number will be even lower if we look for pages that contain all four words. In sum, the fewer keywords we use in the query, the more documents we should retrieve. However, Google's reported results were the opposite of what we expected: 75,600 hits for the four-word query and 48,700 for the three-word query. Meanwhile, very few documents were actually returned for these searches: fewer than ten documents for each.
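The subset argument can be checked mechanically. The following added example (not Google's code and not part of the original post) builds a small inverted index over constructed documents to show that an AND query can only shrink as terms are added, then flags reported counts that break that rule. The function names and sample documents are assumptions; the two reported counts are the ones quoted above.

```python
from collections import defaultdict

# Constructed sample documents, for illustration only.
DOCS = {
    1: "a quote about a dog and a cat sitting on a stone",
    2: "the dog slept on the warm stone",
    3: "famous quote carved in stone by a dog lover",
    4: "my cat ignores every quote",
    5: "dog and cat food prices",
}


def build_index(docs):
    """Map each word to the set of document ids that contain it."""
    index = defaultdict(set)
    for doc_id, text in docs.items():
        for word in text.lower().split():
            index[word].add(doc_id)
    return index


def and_query(index, terms):
    """Documents containing every term (implicit boolean AND)."""
    postings = [index.get(term.lower(), set()) for term in terms]
    return set.intersection(*postings) if postings else set()


def find_violations(reported):
    """Find pairs of queries whose reported counts contradict AND semantics.

    `reported` maps a query string to its reported hit count. If query B
    uses every term of query A plus at least one more, B's results are a
    subset of A's, so B's count must not exceed A's. Returns a list of
    (narrower_query, broader_query) pairs that break this rule.
    """
    terms = {query: frozenset(query.lower().split()) for query in reported}
    violations = []
    for broad in reported:
        for narrow in reported:
            # `<` on frozensets is the strict-subset test.
            if terms[broad] < terms[narrow] and reported[narrow] > reported[broad]:
                violations.append((narrow, broad))
    return violations


if __name__ == "__main__":
    index = build_index(DOCS)
    three = and_query(index, ["quote", "dog", "stone"])
    four = and_query(index, ["quote", "dog", "cat", "stone"])
    print("three-term hits:", sorted(three))
    print("four-term hits: ", sorted(four))
    print("four-term result is a subset:", four <= three)

    # Reported counts from 30 September 2003, as quoted in the post.
    reported = {"quote dog cat stone": 75_600, "quote dog stone": 48_700}
    for narrow, broad in find_violations(reported):
        print(f"inconsistent: {narrow!r} reports more hits than {broad!r}")
```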
Why does all this matter?
First, the public trusts Google to return search results reliably and impartially. Some civil libertarians fear that Google's position in the Internet search industry may eventually grow into a monopoly. Imagine having only one search engine available: it could, for example, direct everyone to its advertising partners, as opposed to the web pages that are really the best matches for the queries it gets. (A Machiavellian future, to be sure, but a possible one.)
Second, researchers rely on Google. This is simultaneously the easiest and the hardest example to understand. Everyone has experience searching for information in an Internet search engine. When you do your research, you rely on the search engine to return accurate results. On top of this straightforward problem, consider the dilemma of the linguists in alt.usage.english. These academics and amateur enthusiasts rely on Google's reported results to determine how widely words and phrases are used. If, for example, 1 million web pages contain the word "cool" but only 10 thousand contain "groovy," this is evidence of a change taking place in our language. This technique also extends into demographic research. Google reports 1,490,000 documents containing "Filipino" but only 97,400 documents containing "Pilipino." This has some bearing on the number of people from the Philippines who are publishing information on the web because they are much more likely than non-Filipinos to use "Pilipino" in English text.
We have documented one instance where Google's reported results differ markedly from its actual results, so it is reasonable to suspect that other examples exist. The company guards its search algorithms as proprietary; so it is unlikely that we, the public, will ever know exactly what causes these discrepancies. And it is not always possible to catch Google red-handed. Today, the queries I posted earlier ("quote dog cat stone" and "quote dog stone") yield actual results that appear commensurate with the reported results. The company has evidently heeded the complaints it has received over the last few weeks and taken action to correct this particular problem. You, the reader, must rely on my good word (and that of a few usenet posters) that this discrepancy really did exist at the end of September. Since the largest usenet archive is under Google's exclusive control, the company might conceivably alter its contents to erase all dated posts that mention this problem.
Please note that I do not believe such a scenario is likely. Also, I believe that, at this point, the problems I have outlined above remain relatively minor and affect only a small group of Internet users. That said, we should remain vigilant for such problems, to avoid being surprised by even bigger problems in the future.