August 31, 2016

Archives for August 2002


Apple Uses DMCA Threat Against Competing Product

Declan McCullagh at reports on Apple’s use of a DMCA threat to force a useful product off the market.

Apple’s iDVD application allows the user to burn DVDs – but only on Apple-brand drives. A DVD drive vendor called Other World Computing shipped its drives with a “DVD Enabler” program that modified iDVD so that it could burn DVDs on any FireWire-connected drive.

Apple was displeased, so it used various threats, including one based on the DMCA, to convince Other World to back down and yank DVD Enabler from the market. According to the story, the main reason for Other World’s quick backdown was a general desire to stay on Apple’s good side. But clearly Apple thought the DMCA threat would have some impact, or they wouldn’t have made it.

Apple’s use of the DMCA here has nothing to do with preventing copyright infringement, since Apple-brand drives can make infringing copies just as easily as other brands can. The real motive is to weaken competition in the market for Mac-compatible DVD drives.


Business Week: Internet is Evil

Business Week has an amazing article characterizing the Internet as a cesspool of crime and depravity. The article approvingly quotes somebody saying “[More than] 70% of all e-commerce is based on some socially unacceptable if not outright illegal activity.”

To give you an idea of the tone, the main body of the article starts with this:

Warning: You are about to enter the dark side of the Internet. It’s a place where crime is rampant and every twisted urge can be satisfied. Thousands of virtual streets are lined with casinos, porn shops, and drug dealers. Scam artists and terrorists skulk behind seemingly lawful Web sites. And cops wander through once in a while, mostly looking lost. It’s the Strip in Las Vegas, the Red Light district in Amsterdam, and New York’s Times Square at its worst, all rolled into one–and all easily accessible from your living room couch.

The remainder of the article reveals that there are bookies, con artists, and drug dealers on the Net. Thank God we don’t have those problems in the real world.


Who Controls Your PC?

One of the most interesting issues in technology today is the battle for control over users’ computers. Ray Ozzie offers some thoughts, and a nice tutorial.


Misleading Term of the Week: “Broadcast Flag”

[This posting inaugurates a new feature. Each week I will dissect one widely used but misleading bit of terminology. See my previous posting on the term “piracy” for more on why terminology is important.]

This week’s misleading term is “broadcast flag,” which is used by Hollywood to refer to a wide-ranging ban on video technologies that they are proposing via the Broadcast Protection Discussion Group (BPDG).

Technologists normally use the term “flag” to refer to a simple label that is attached to data to indicate some attribute of the data. A recipient of the data can use the flag as one factor in deciding what to do with the data, but most flags are strictly advisory and do not compel any action by the recipient. Such a flag is simple and nonrestrictive. Who could object to it?

Hollywood doesn’t need to ask for a true broadcast flag. The standards for digital television broadcasting already have a place for such a flag. No government action is needed to allow Hollywood to use a flag to indicate the broadcast status of a program.

Instead, they use the harmless-sounding term “broadcast flag” to refer to something else entirely. If you read Hollywood’s “broadcast flag” proposal, you’ll see that what they are really asking for is a draconian set of restrictions on video technology. Their proposal would even give them veto power over the development of new video technologies. Calling it a mere “flag” makes it sound simple and harmless. What a brilliant bit of misdirection!


What’s Up At CNet?

Declan McCullagh interviews Verizon lawyer Sarah Deutsch, over at CNet (Welcome back, Declan.) Verizon is taking the side of their customers, against Hollywood.

But check out the headline: “Why telecoms fly the pirate flag” (on the front page) and “Why telecoms back the pirate cause” (on the article itself). The pirate flag? The pirate cause? There’s nothing in the article about backing “pirates”. It’s all about Verizon building their business by defending the interests of their law-abiding customers.

This is a classic example of a headline undermining the point of an article. Usually when that happens, it’s because the reporter wrote the article and an editor wrote the headline. Are CNet’s editors so biased that they think anyone who opposes Hollywood must be an apologist for “pirates”?

UPDATE (Sept. 3): has since changed the headline to the more balanced “Verizon’s copyright campaign.”


Lessig on Software Copyright

Larry Lessig defends his view of the best copyright law for software. Lessig advocates that (1) software copyrights expire after ten years (but a new version of a program would acquire a new copyright), and (2) source code be put in escrow, to be released when the copyright expires.

Whether you think the optimal term for software copyright is five years, or ten, or twenty, or something else, I think you have to agree that the current 95-year term for software is ridiculous. A sensible term would not last beyond the point where the author had extracted most or all of the available revenue from the work. Will Microsoft still be extracting revenue from the original version of Windows 95 in the year 2090? Of course not.


Homeland Insecurity

Nice article by Charles Mann in the September 2002 issue of the The Atlantic, about Bruce Schneier and his opinions on homeland security. Bruce thinks insightfully about security, and is a great communicator as well. If you’re interested in computer security, Bruce’s CryptoGram newsletter is a must-read.

Bruce says that much of the money and effort being spent on improving homeland security is wasted, going to high-tech systems that fail often and sometimes catastrophically, and to new procedures that have little connection to any real threat. He argues that we should match our defenses carefully to the threat, and that we should rely more on human judgment and less on gee-whiz machines. All of this makes sense.

The article is properly skeptical about biometric identification technologies like fingerprint readers and iris scanning, explaining how many of them can be defeated by low-tech methods. Skepticism is the right response to any new security technology, but for some reason biometrics and the like often get a free pass. Many people know that new technologies are unreliable; yet they seem strangely predisposed to assume that big-brotherish ones will work.


SpamCop Responses

I received 59 responses to my SpamCop narrative. Because there are so many, I cannot respond individually to each one. Instead, I summarize below the major arguments raised by the messages. I give sample text from messages that asserted each argument, and I respond.

This posting is rather long, and some readers may not be interested in the whole thing, but I think the people who sent me constructive messages about the SpamCop incident deserved a response.

Argument 1: Blame the ISP, not SpamCop.


“The problem is not with Spamcop, but rather with your ISP. The ISP is required to assert that they have dealt with the issue, not that they have shut the website down. They can mark the issue ‘resolved’ with spamcop and then work with you to discover the true nature of the problem. The choice to shut the web site down now, and investigate later, was your ISP’s, not Spamcop’s. ”

Another sample:

“However, in this case, your ISP is responsible for bouncing your domain, not SpamCop. All SpamCop e-mails come with a link to the original report, so it was _your_ ISP who failed to research this and _your_ ISP who is to blame for suspending your site.”

My response: Certainly my ISP is the party who actually pulled the plug on my site. The ISP was intimidated by SpamCop and seemed to be trying to show that it was responsive to SpamCop complaints. Hence the quick shutoff of my account.

Yet even after I convinced my ISP that I was not a spammer, they still refused to reinstate my site, saying that to do so before SpamCop removed the complaint against me from its site would put the ISP’s other customers at risk. This refusal to reinstate my account is what convinced me that the ISP was afraid of SpamCop.

Whether the ISP was right to fear SpamCop, I cannot say. What I know is that the ISP chose to anger a paying customer, rather than risking what they perceived as the wrath of SpamCop. The fact that SpamCop engenders such fear is a big part of the problem. For me, the bottom line is this: if SpamCop didn’t exist, my site would not have been shut off.

Argument 2: SpamCop doesn’t block sites, ISPs block sites.


“SpamCop ( blocks nothing. SpamCop does have a DNS-based blackhole list that ISPs have the option of using—for example, I use it for all my domains as a backup to my own block list.”

Another sample:

“The spamcop blocklist is supposed to be used in order to tag certain email as possible spam. It is not to be used to block email (although some ISP’s do use it that way).”

Another sample:

“ISPs also use Spamcop, but it is the ISP, not Spamcop, that makes the determination whether something listed by Spamcop is deleted, flagged, or passed through. I happen to delete.”

My response: Nearly everybody who made this argument followed it by saying that they themselves do automatically block sites on the block list, or that many others do. This is hardly surprising. Even a perfect block list would do little good unless people used it to block. The alternative use of shunting aside email from sites on the list, and reading it later, doesn’t do much to address the spam problem. As far as I can see, there are only two sensible things to do with a block list: you can ignore the list, or you can use it to block sites.

That’s why they call it a “block list.” That’s why SpamCop’s site gives instructions for configuring common mail servers to block addresses on the list. SpamCop can hardly be surprised to see ISPs following these instructions and blocking the addresses on what SpamCop itself calls a “block list.”

Argument 3: SpamCop is just a clearinghouse for spam complaints and simply routes complaints that could have been sent even in the absence of SpamCop.


“SpamCop is a machine. It summarizes and reports what human individuals feed it.

Another sample:

“SpamCop is primarily a _reporting_ service which allows a user to easily report email abuse to the appropriate authorities. It has a parser which cracks email header information and figures out the true source of the email (as much as possible) despite forged header information.

This is just the same as manually email[ing] a complaint, but automates the header analysis (which can save a lot of time when the headers are intentionally obfuscated).

A user does not ‘send an accusation to SpamCop’ but uses SpamCop to email a complaint to abuse or postmaster addresses.”

My response: SpamCop does more than just forward complaints. It anonymizes the complainant’s address, thereby making it harder for the ISP receiving the complaint to judge the complaint’s credibility. SpamCop puts the complaint on the Web for others to see. And SpamCop tries to find patterns among its complaints, and adds addresses to its block list based on these patterns. All of these factors contributed to my dilemma.

If SpamCop were merely a complaint router, then SpamCop would be ineffectual. It is SpamCop’s “value added” that caused me trouble.

Argument 4: Blame the person who erroneously reported the “spam,” don’t blame SpamCop.


“The SpamCop user, not SpamCop itself, is ultimately responsible for what is sent. Each report has been individually submitted by a user, then individually selected by the user before sending.”

Another sample:

“The ‘mistaken’ reporter of spam violated SpamCop’s terms of service, period. It doesn’t matter if you call 911 to report a fire or a burglary: at the end of the day, individuals are responsible for their reporting, the telephone company is not to be blamed for prank calls to 911.”

My response: This is really just a variant of Argument 3, and fails for the same reasons.

SpamCop is ultimately responsible for its reporting, too. The 911 analogy doesn’t apply, since the phone company merely receives the report but SpamCop repeats reports and amplifies them. SpamCop took what would otherwise have been a private report, to be dealt with between the reporter and my ISP, and posted it for the whole world to see. And it gave the report increased credibility and force.

Argument 5: The attributes of SpamCop that Felten complained about are necessary to prevent spam, or to prevent retaliation by spammers.


“In the absence of anti-spam laws with teeth, technical[ly] shunning ISPs who deliberately harbor spammers is the only alternative to control spam.”

Another sample:

“[SpamCop anonymizes the complainant’s address because] real spammers might take action against a spam reporter, such as using their address as the ‘From’ on a spam run.”

My response: Yes, SpamCop’s designers had good intentions. Yes, effective spam-fighting was their goal. My point is that in their zeal to fight spam, they built a system that overreacts to erroneous or malicious spam reports. I for one would not be willing to accept that kind of collateral damage, even if doing so would completely prevent spam (which it cannot).

Several people said that SpamCop is slower to act against accused parties than some other anti-spam services are. That may well be true. If it is, then the other services are presumably causing even more collateral damage.

Argument 6: Felten really is a spammer.

“[Quoting Felten: ]’Never mind that I had never sent a single e-mail message from the site.’

Reply: Someone did:

Mail for is handled by (0)

If you look here, you will see two different headers that came from this IP address, both of which are dated July, 31:

Those are only examples; there could have been many more spams reported through that address.”

My response: I did not send those messages. The writer apparently believes that if the messages came from “my” IP address, then I must be responsible for them. But it’s not my IP address – it’s shared by many of my ISP’s customers. Perhaps the cited messages came from one of them.

This argument nicely illustrates the problem with SpamCop. By collecting complaints in one place and indexing them, SpamCop facilitates the making of this kind of accusation. And by repeating allegations made by others, SpamCop gives them more credibility than they deserve.


SpamCop Responses

I have gotten plenty of email from SpamCop advocates in response to my previous posts. Due to a work-related deadline, it will take me several days to sort through them and post a response. I hope to have my response up here by the end of Monday.


Have You Seen This Man?

Washington, DC police today intensified their search for missing reporter and columnist Declan McCullagh, as evidence of his disappearance mounted. Police spokesman Harvey Hoax explained, “We believed initially that Declan was submitting his columns from an unknown location, but further examination of the columns revealed that they must have been written by someone else.”

According to sources, this week’s column was the key tip-off. Investigators have concluded that the column was partially written by Declan before his disappearance, and then completed by an unknown person. Police believe that the paragraph calling the DMCA an “egregious law” that is “probably unconstitutional” and “should be unceremoniously tossed out by the courts” was indeed written by Declan, as it is consistent with his often-stated views. However, later paragraphs characterizing the DMCA as no big deal appear to have been written by an unknown person.

Police now suspect that last week’s column, urging technologists not to be politically aware, was most likely written by the same unknown person. “Declan has devoted much of his career to bridging the gap between politics and technology, and he is widely respected for it,” said an anonymous source. “Clearly the column was written by someone else. That person probably knows where Declan is being held.”

When asked who might have altered Declan’s columns, RIAA Chairman Hilary Rosen quickly swiveled her computer monitor out of view and stammered, “Uh, no comment.”

Anyone with information about Declan’s whereabouts, or the authorship of his last two columns, is urged to contact the Washington police.

[Note to the humor-impaired: It’s a joke, for God’s sake.]

[Note2: Missing-Declan idea stolen shamelessly from Slashdot poster “idonotexist” and expanded upon here.]