August 23, 2017

A Modest Proposal: Three-Strikes for Print

Yesterday the French parliament adopted a proposal to create a “three-strikes” system that would kick people off the Internet if they are accused of copyright infringement three times.

This is such a good idea that it should be applied to other media as well. Here is my modest proposal to extend three-strikes to the medium of print, that is, to words on paper.

My proposed system is simplicity itself. The government sets up a registry of accused infringers. Anybody can send a complaint to the registry, asserting that someone is infringing their copyright in the print medium. If the government registry receives three complaints about a person, that person is banned for a year from using print.

As in the Internet case, the ban applies to both reading and writing, and to all uses of print, including informal ones. In short, a banned person may not write or read anything for a year.

A few naysayers may argue that print bans might be hard to enforce, and that banning communication based on mere accusations of wrongdoing raises some minor issues of due process and free speech. But if those issues don’t trouble us in the Internet setting, why should they trouble us here?

Yes, if banned from using print, some students will be unable to do their school work, some adults will face minor inconvenience in their daily lives, and a few troublemakers will not be allowed to participate in — or even listen to — political debate. Maybe they’ll think more carefully the next time, before allowing themselves to be accused of copyright infringement.

In short, a three-strikes system is just as good an idea for print as it is for the Internet. Which country will be the first to adopt it?

Once we have adopted three-strikes for print, we can move on to other media. Next on the list: three-strikes systems for sound waves, and light waves. These media are too important to leave unprotected.

[Fran├žais]

On the emotions you feel when you do a security review

[I’m happy to introduce Dan Wallach, who will be blogging here from time to time. Dan is an Associate Professor of Computer Science at Rice University. He’s a leading security expert who has done great work on several topics, including e-voting. – Ed]

I was one of the co-authors of the Hart InterCivic source code report, as part of California’s “top to bottom” analysis of its voting systems. As many Freedom to Tinker readers now know, we found problems. Lots of problems. I’ve done this sort of thing before, as have many others, and I realized that there’s a somewhat odd emotion that we all feel when we do it. You’re happy because you found how to break something, but you’re sad that the system is so poorly engineered. It’s a great accomplishment that we were able to discover so much, but it’s terrible that widely used systems have such easily exploitable vulnerabilities. What word can describe that good/bad emotion?

About a year ago, I started asking everybody I knew, speakers of any language, if their language had a word to describe that emotion. Somebody, somewhere, must have such a word. There are lots of close-but-no-cigar choices, such as:

Schadenfreude (German) – the pleasure you feel at somebody else’s pain (common example: laughing at Hollywood celebrities arrested for drunk driving)

Bathos (Greek) – mixing serious issues with humor (a common literary device)

Neither quite capture it. Finally, in a discussion with my colleague, Moshe Vardi, we came up with a Yiddish coinage that seems to do the trick: oy gevaldik.

Origin? Oy vey is a standard Yiddish expression of woe (similar to “oh boy”). Oy gevalt is a stronger version of the same expression (similar to “oh expletive” for milder expletives). Curiously, the Yiddish word for beautiful is gevaldik, which sounds similar to gevalt. Put it together, and you get oy gevaldik. Oh, beautiful. And that’s what security reviews are all about.

Woman Registers Dog to Vote, Demonstrates Ease of Fraud

A woman in Seattle registered her dog to vote, and submitted absentee ballots in three elections on the dog’s behalf, according to an AP story.

The woman, Jane Balogh, said she did this to demonstrate how easy it would be for a noncitizen to vote. She put her phone bill in her dog’s name (“Duncan M. MacDonald”) and then used the phone bill as evidence of residency. She submitted absentee ballots in Duncan’s name three times, each ballot “signed” with a paw print. She says the ballots did not designate any candidates and only had “void” written on them, so the elections were not affected.

Nevertheless, she broke the law and now faces charges.

This relates to an issue every applied security researcher has faced: how to demonstrate a security problem is real. People take a problem more seriously when they have seen a real, working demonstration of the problem – otherwise the problem will be dismissed as theoretical. Often there is a lawful way to demonstrate a problem, for example by “breaking in” to your own computer. But sometimes there is no way to demonstrate a problem without breaking the law. Careful researchers will stop and assess the legality of what they’re planning to do, and will hold back if the demo they’re considering breaks the law.

Ms. Balogh went ahead and broke the law. Beyond that (serious) misstep, she did everything right: admitting what she did, avoiding any side-effect on the elections by filing blank ballots, and leaving obvious clues like the paw prints.

Fortunately for her, the prosecutor decided not to charge her with a felony but instead offered to let her plead guilty to a misdemeanor, pay a $250 fine, and do ten hours of community service. She was lucky to get this and will apparently accept the deal.

Any readers considering such a stunt should think again. The next prosecutor may not be so forgiving.