Blown To Bits

Archive for June, 2010

Oh Dear, A Windows Messenger Privacy Mess

Tuesday, June 29th, 2010 by Harry Lewis

In the world of social media, it is hard to get the privacy defaults right, because the whole point of social media is to connect with other people. So you want to make that easy, so people don’t have to fight the system. And of course there is a network effect so the designers tip toward connecting more people to each other rather than less, where there is a choice. They don’t always get the design right, as the Google Buzz fiasco showed.

But then things happen that are just bugs, or unanticipated interactions between multiple databases and applications. The current problem with Microsoft Messenger seems to fall into that category. InfoWorld explains it thus:

Consider this sobering scenario: You and your boss use Windows Live Messenger (or MSN Messenger or Windows Messenger) to keep in touch. One day, you get a job offer from Snidely Whiplash at a competing company across town. You and Snidely have a brief IM conversation, using Messenger. Innocent and private, yes? Well, no.

The next time your boss logs into Hotmail — not Messenger, mind you, but Hotmail — your boss glances at the initial Hotmail screen and sees that you and Snidely have become “friends.” That’s what the notice says: “Woody Leonhard and Snidely Whiplash are now friends.”

Or think wife and girlfriend, instead of boss and competitor: any two people with whom you are IM’ing who should certainly not be made aware that they are both part of your social circle.

This problem persists no matter how you have the privacy settings set. It’s the sort of high-stakes privacy glitch that undermines people’s trust in the entire Internet. Who knows what will go wrong with the next release of your favorite communications app?

Retroactive Copyright on Public Domain Works

Sunday, June 27th, 2010 by Harry Lewis

A federal appeals court has handed down a worrisome decision in the case of Golan v. Holder et al (decision available on DocStoc here). As part of the Uruguay Round Agreements (“URAA”) on international copyright, the U.S. agreed to extend copyright protection to certain foreign works which had previously been in the public domain in the U.S. Indeed, some of those erstwhile public domain works had been used by U.S. artists and writers to create derivative works. For example, one Richard Kapp, now deceased but whose estate is a plaintiff in the case, used a sound recording based on works by Dmitri Shostakovich to create a work of his own. Having in good faith acted creatively with public domain works, such plaintiffs now find that Congress has cut their legs out from under them, and they maintained that Congress infringed their First Amendment rights.

The courts that dealt with the case went back and forth and this judicial stop is probably not its last. The court ruled that the government had sufficient reason to act as it did. Here is the key sentence, from page 12 of the decision.

The government argues on appeal that Section 514 is narrowly tailored to advancing three important governmental interests: (1) attaining indisputable compliance with international treaties and multilateral agreements, (2) obtaining legal protections for American copyright holders’ interests abroad, and (3) remedying past inequities of foreign authors who lost or never obtained copyrights in the United States. We hold that the government has demonstrated a substantial interest in protecting American copyright holders’ interests abroad, and Section 514 is narrowly tailored to advance that interest.

In other words, there are American copyright holders (the Motion Picture Association of America and several other agents of the content industries presented themselves as amici) who stand to benefit, because their works, previously in the public domain abroad, will now be protected. The judge carefully stated that he was offering no opinion on rationales (1) and (3).

Copyright and free speech are always in some tension. There is ample reason to believe that copyright has been the winner in that dynamic for the past 15 years or so. What is interesting here is the deference the U.S. is giving, and the court is supporting, to an international treaty as the basis for copyright expansion, because the protests over the drafted-in-secret Anti-Counterfeiting Trade Agreement, ACTA, are getting intense. See Public Knowledge’s take and invitation to write to the White House. So the combination of treaty and copyright in the Golan case sounds alarm bells. Stay tuned.

On ACTA, see also the statement on the site of the Program on Information Justice and Intellectual Property.

Privacy and Petitioning

Friday, June 25th, 2010 by Harry Lewis

A fascinating case has been before the US Supreme Court this spring. Opponents of a gay civil union statute in Washington state petitioned to place its repeal on the ballot so voters could have the last word. Backers of the law asked the Secretary of State to declare the names of the petitioners a public record and post the names on the Web. The petitioners sued the state to prevent publication, saying they feared harassment.

It’s a wonderful puzzle. Both sides claim their free speech rights are at stake: the one side holding that the names are really part of the legislative process for which transparency is essential; and the other side arguing that their capacity to speak freely requires a level of anonymity. It’s an Internet-created issue, because although petitions have been around for centuries, until now it would have been impossible to publish them quickly enough to influence an election, and to sort and analyze them effectively enough to be a serious privacy threat.

The court’s decision is at once one-sided and inconclusive. By an 8-1 vote the court decided the immediate question before it: Petitions are, generally speaking, public. But the near-unanimity is only superficial, and may not even settle the question of the case at hand. Most, but not all, of the 8 allowed that there might be circumstances—some credible risk of harm, for example—under which petitioners would have a right to keep their names from being published. So the case goes back to a lower court, but may rise back up again.

What is most interesting is that the views of the justices cut obliquely across the usual liberal-conservative lines. In fact, the justice who is the most dismissive of any privacy right, and the sole justice who would have made privacy the norm, not the exception, are the two most conservative justices, Scalia and Thomas, who rarely split their votes on anything. Scalia called for “civic courage, without which democracy is doomed,” and added that he does “not look forward to a society which … exercises the direct democracy of initiative and referendum hidden from public scrutiny and protected from the accountability of criticism.” Thomas held with equal conviction that routinely publishing the names of petition signers would unacceptably chill free speech through a loss of “associational right to privacy.”

A case of the Internet confusing the traditional alignments on free speech issues.

Cyberspace as a National Asset

Thursday, June 24th, 2010 by Harry Lewis

That is the name of the bill introduced this week by Senators Lieberman, Collins, and Carper, giving broad powers to the executive branch to control the Internet in case of certain emergencies. It is an important bill and it’s going to excite a lot of discussion about how much we need, and how much we fear, government control of the Internet.

The worries have been growing. A year ago a similar bill was introduced by Jay Rockefeller of WV. Richard Clarke’s Cyberwar is #1605 on Amazon as I write this post. We all know the damage that teenagers and criminals can do — imagine what an organized cyber-attack orchestrated by our enemies could accomplish.

As the worries have been growing, so has the skepticism. There was a terrific Intelligence Squared debate a couple of weeks ago about whether the “cyberwar” risks had been exaggerated. Mike McConnell of Booz Allen Hamilton, and former director of the NSA, argued that the risks had not been exaggerated, and he was joined by Jonathan Zittrain. Arguing the other side were privacy expert Marc Rotenberg and computer security expert Bruce Schneier. Schneier listed some of the purple language that had been used to describe the attacks that are occurring already — 9/11, Pearl Harbor, etc. — and noted that we in the U.S. love to use war language for describing things that are not wars but crimes, almost as much as we hate labeling as wars things that really are wars, our decade-old undeclared wars abroad. McConnell acknowledged that “war” is a metaphor, but so was “Cold War,” and no one doubts that the risk was real and that we won.

But it was Rotenberg who drilled down on the underlying problem with the rhetoric, which is not the semantic question of metaphors and language, but that purple language has repeatedly been used by the government in the past to argue for sweeping technological controls that undermine personal liberties. Rotenberg referred to the demands (recounted in Chapter 5) for government control of encryption technology, key escrow requirements, and the proposed requirement for the Clipper Chip. None of these supposedly essential measures wound up being approved, Rotenberg notes, and here are our friends from NSA back to help us again. McConnell responded that there was no danger to civil liberties — you just have to get the laws right and then unwarranted government surveillance would be illegal. Marc exploded that mere illegality had not stopped warrantless wiretapping under the Bush administration. McConnell promised to return to the issue if asked to, but it never happened.

I do think that exchange was at the crux of the issue. If you could trust the government, we wouldn’t worry about government monitoring what we are doing. But the whole Constitution is premised on the fact that we can’t trust the government always to do the right thing. Even reasonable-sounding laws are written with vague edges — especially laws about technology, which are drafted to cover innovations that haven’t happened yet. Prosecutors and other government officials, confronted with people they don’t like and a law with elastic edges, will stretch the law to cover the situation, and such cases often don’t even come to trial because the defendant pleads to a lesser charge rather than risk the judgment of the court on whether a harsh law is being stretched too far. (See Harvey Silverglate’s gripping and scary Three Felonies a Day.)

The Lieberman-Collins proposal allows the President to declare a “national cyber emergency” (the term is defined, but based on the examples in Clarke’s book and McConnell’s debate remarks, the NSA would probably argue that we have been in one several times, perhaps continuously). A new bureaucracy, the National Center for Cybersecurity and Communications, would reside within Homeland Security and would be charged with developing plans for responding to emergencies and seeing that they are implemented. CNET’s Declan McCullagh described the legislation as creating an Internet “kill switch,” separating problematic servers from the Net by government edict. Lieberman’s spokespeople were offended, saying that the legislation actually restricted authority the president already had under the 1934 Telecommunications Act.

The devil will be in the details.

Missing in the immediate reaction is the answer to a question raised by Chris Soghoian in the Intelligence Squared debate. None of this would be as much of a problem if our computer software weren’t buggy. If Microsoft’s operating system were not so vulnerable to attack, the risks to the nation of being attacked would be a lot less. Is anyone in Washington thinking about requiring Internet security at that level, with some significant financial penalties for violators?

Blog rescued!

Thursday, June 24th, 2010 by Harry Lewis

We owe a big debt to researchers at Carnegie Mellon University, who took it upon themselves to disinfect this blog. As reported earlier, it had been riddled with links to an online drug store, which was riding the coattails of our Google page rank to attract hits. Huge thanks to Timothy Vidas and Nicolas Christin for figuring out how the infection worked and resolving it. And thanks to Tyler Moore for connecting us to them!