April 25, 2014

Spammers Concerned by CAN-SPAM?

Alan Ralsky, one of the biggest spammers, thinks the new CAN-SPAM act will hinder his spamming business, according to Saul Hansell’s story in today’s New York Times. Naturally, everything this guy says should be viewed skeptically, but the article is interesting nonetheless.

Mr. Ralsky talks a lot about himself in the article, and a revealing picture emerges. He has constructed a (rationalized) view of himself as a legitimate businessman who has been forced by those nasty antispam technologies to resort to practices like operating underground, forging mail headers, using open relays, and so on. Now the CAN-SPAM Act will ban some of those practices – and he wants us to feel sorry for him!

Mr. Ralsky also claims that he has been inactive (i.e., not spamming) for the past few weeks. I’ve been remarking to people for the last couple of weeks that there seems to be less spam than there was before. I almost wrote a blog entry asking all of you whether you had seen the same thing. Is it just the holiday season? Or is this one guy sending lots of my incoming spam?

Mr. Ralsky says he will soldier on, continuing to spam while complying with the new law. But he worries that his compliance will make it easier for people to filter out his messages. Let’s hope so.

RIAA Subpoena Decision, and Fallout

There’s been lots of talk about the DC Circuit court’s ruling that the RIAA cannot compel ISPs to identify customers who the RIAA suspects of infringing copyrights. The court ruled on narrow grounds, saying that Congress, in the text of the DMCA, did not authorize the type of subpoena that the RIAA wants to use.

This is good news, but it is not as big a deal as some people think. The subpoena provision in question was hardly the greatest injustice in the world. Yes, it was open to abuse by various bad actors; and yes, not everybody identified to the RIAA turned out to be an infringer. If I were king, I would not allow RIAA-style subpoenas without judicial approval. But unless you shed tears for the actual infringers whose names were revealed to the RIAA – which I don’t – this is not the huge privacy boon that some have suggested.

What happens next? One of two things. The RIAA may ask Congress to change the law, to allow the subpoenas in question. My guess is that Congress would give them what they want, perhaps with a few new safeguards to prevent the most egregious abuse scenarios. Alternatively, the RIAA may cut a deal with the major ISPs, in which the RIAA agrees not to ask Congress to change the law, and the ISPs agree in exchange to forward RIAA warning messages to customers who the RIAA identifies as probable infringers.

In the meantime, the RIAA says they intend to file John Doe lawsuits, in which they sue first and then use a traditional subpoena to identify the defendant.

More E-Voting Follies

Lately it seems that we’ve seen one story after another about the carelessness of e-voting vendors, especially Diebold. Here are two.

(1) Kim Alexander of the California Voter Foundation (who has been, in my experience, a reliable source of information) reported this:

This afternoon [apparently Tuesday – EF] I attended a meeting of the California Secretary of State’s Voting Systems Panel, which is in charge of certifying and decertifying voting systems for California elections.

At this meeting the initial results from the Secretary of State’s audit of counties using Diebold equipment were released. The Secretary of State’s auditors discovered that of the 17 counties using Diebold equipment (both optical scan and touchscreen), all 17 had some software or firmware version in use that was not certified by the Secretary of State.

It was an astonishing piece of information – no one knew how widespread the problem was of Diebold installing uncertified software in voting systems as was discovered in Alameda County. It turns out all of Diebold’s California clients are using some version of Diebold software or firmware that is not certified by the state.

It was a real bombshell. Secretary of State Kevin Shelley came into the meeting to address the panel and spoke very firmly and passionately about the need for voters to have confidence in elections. He also suggested that it is possible Diebold could be decertified in California altogether.

(2) An AP story by Rachel Konrad reported on allegations that Global Election Systems, a company purchased by Diebold, had employed convicted felons, some in upper management. Here’s a sample:

The programmer, Jeffrey Dean, wrote and maintained proprietary code used to count hundreds of thousands of votes as senior vice president of Global Election Systems Inc. Diebold purchased GES in January 2002.

According to a public court document released before GES hired him, Dean served time in a Washington correctional facility for stealing money and tampering with computer files in a scheme that “involved a high degree of sophistication and planning.”

Diebold said that Mr. Dean left his job when Diebold bought GES. Diebold apparently did not comment on the status of the other four current or past employees who are said to be convicted felons.

[Link credit for (2): Siva Vaidhyanathan.]

Do We Want a Do-Not-Email List?

The CAN-SPAM Act, signed into law yesterday by President Bush, will take effect on January 1. The Act asks the Federal Trade Commission to study whether a national do-not-spam list, akin to the much-loved do-not-call list, should be implemented. It’s an interesting question.

The crux of the problem is the danger that the do-not-spam list would become, in the hands of unscrupulous spammers, a who-to-spam list. We know that spammers pay money for lists of known-to-be-active email addresses. Surely, they would be more than happy to get such a list – and an unusually large and accurate one – from the government for free.

There are countermeasures, though. If we put some newly minted, fictitious addresses on the list, any mail sent to those addresses later must have involved misuse of the list. If we give out separate copies of the list to different spammers, we might put different fictitious addresses into each copy, so we can tell later whose copy was misused. Of course, spammers may collude and compare their copies to find the bogus addresses, so we want some of the bogus addresses to appear in multiple copies so that we have an idea of who to blame even if lists are combined. Figuring out how best to use duplicate bogus addresses for this purpose is a nice little exercise in theoretical computer science.
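The seeding scheme described above, as an added example that is not code from the original post: each bogus address is bound to one recipient or one pair of recipients, colluders are modelled as keeping only addresses common to all their copies, and the operator traces a leak by intersecting the holder sets of the bogus addresses that later receive mail. The recipient names, the `canary.example` domain, the sample addresses and the HMAC-based minting are assumptions made for illustration.

```python
import hashlib
import hmac
from itertools import combinations

SECRET = b"constructed-demo-key"  # assumption: known only to the list operator
REAL = {"alice@example.org", "bob@example.org", "carol@example.org"}  # constructed


def mint(holders):
    """Derive an unguessable bogus address bound to one set of list recipients."""
    tag = hmac.new(SECRET, ",".join(sorted(holders)).encode(), hashlib.sha256)
    return f"u{tag.hexdigest()[:12]}@canary.example"


def build_copies(recipients, max_shared=2):
    """Return (copies, registry): one list copy per recipient, canary -> holders."""
    registry = {}
    for size in range(1, max_shared + 1):
        for holders in combinations(sorted(recipients), size):
            registry[mint(holders)] = frozenset(holders)
    copies = {
        r: REAL | {addr for addr, held_by in registry.items() if r in held_by}
        for r in recipients
    }
    return copies, registry


def collude(copies, group):
    """Colluders compare copies and keep only addresses present in all of them."""
    return set.intersection(*(copies[r] for r in group))


def trace(registry, mailed):
    """Intersect the holder sets of every bogus address that received mail."""
    hits = [registry[addr] for addr in mailed if addr in registry]
    return set(frozenset.intersection(*hits)) if hits else set()


if __name__ == "__main__":
    names = ["listco-a", "listco-b", "listco-c", "listco-d"]  # hypothetical recipients
    copies, registry = build_copies(names)
    for group in (["listco-a"], ["listco-a", "listco-b"], names[:3]):
        leaked = collude(copies, group)
        print(group, "->", sorted(trace(registry, leaked)) or "no marker survived")
```

With bogus addresses shared by at most two copies, a group of three colluders removes every marker; raising `max_shared` covers larger groups at the cost of more bogus addresses per copy.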

Some have suggested another approach, in which bulk emailers are given access to an “oracle” that will answer queries about whether a particular address is on the do-not-spam list. This could be done by providing an on-line service that answers queries, or by giving out cryptographic information (i.e., the cryptographic hashes of the addresses on the list) that allows address-by-address querying. In either case, the worry is that spammers will use the oracle to “purify” their address lists, by discarding addresses that aren’t on the do-not-spam list.

Another approach, perhaps ironically, is to provide a mailing service that will forward email to any recipient, except those on the do-not-spam list. Bulk emailers who used such a forwarding service would be able to send mail, via the service, to anybody who isn’t on the list, but they would have no easy way to test for membership of an arbitrary address on the list.

What’s the right answer? I don’t know. But I’m glad that we’re not rushing ahead with a list before we figure out how to do it or whether it’s a good idea in the first place.

Painters Buy White Canvases for a Reason

Wendy Seltzer (pointing to Ross Mayfield) quotes Verisign CEO Stratton Sclavos as saying, “We have to move the complexity back into the center of the network and remove it from the edge.” As even mid-level netheads know, this is the antithesis of the Internet’s design – the Internet approach is to put intelligence at the edge of the network. Here’s Wendy:

Painters buy white canvases for a reason. The Internet has succeeded as a platform for innovation because its architecture does not preempt its uses; instead, the stupid network offers a neutral background for line drawing, oil painting, and collage. Sure a grid on the blank canvas would help those making mechanical drawings at the right scale, but it’s just noise to the rest, who now need to paint an extra layer to cover it up. Complexity built into the network (such as a search engine that responds to every nonexistent domain name query [i.e., Verisign's abortive stunt]) may enable a few uses, but it slows or breaks many more, and impedes the development of alternatives.

I’m not sure why Verisign thinks that its contract to perform certain administrative functions gives it a license to redesign the Net; but somehow it does. Just another reminder that the Net does need to be governed, if only to keep outfits like Verisign from fouling it up. Even ICANN looks pretty good at times like this.

Techno-Lockdown Not Likely

Steven Levy, in Newsweek, offers a dystopian vision for the future of the Internet:

Picture, if you will, an information infrastructure that encourages censorship, surveillance and suppression of the creative impulse. Where anonymity is outlawed and every penny spent is accounted for. Where the powers that be can smother subversive (or economically competitive) ideas in the cradle, and no one can publish even a laundry list without the imprimatur of Big Brother. Some prognosticators are saying that such a construct is nearly inevitable. And this infrastructure is none other than the former paradise of rebels and free-speechers: the Internet.

Pretty scary! Fortunately, it’s not gonna happen.

To understand why, let’s rewind, as Levy does, to the early days of Internet mania, when many saw the Net as an anarchist utopia that didn’t have laws, and didn’t need them. A few contrarians like Larry Lessig argued that the Net wasn’t inherently immune from control and regulation, and that society would bring its norms, and government its laws, to the Net. And indeed that is what happened.

This should have been obvious, considering the pervasive connections between our on-line and off-line lives. I write and publish this posting in cyberspace; but at the same time I’m sitting in a chair in Princeton, New Jersey, watching the sun rise out my back window. I have one foot in cyberspace and one foot in meatspace. And how can one foot be bound by laws and the other be immune? The rules of cyberspace and the rules of meatspace will necessarily be similar – any big disparity between them will be resolved by changing the rules on one side or the other.

For the same reason, a locked-down Net can’t really happen, at least not here in the free world. For how can one foot be enslaved while the other is free? To lock down the Internet is to disconnect it from everyday life, from the life where I can send an invitation, or a business memo, or a home movie to anyone at any time, where I can read whatever I like without asking a censor’s permission.
We might go some short distance down the road of control, but ultimately the rules of cyberspace are firmly tethered to the rules of meatspace. And in the rules of meatspace – at least where I’m lucky enough to live – lockdown isn’t allowed.

This isn’t to say that we should ignore the forces of control, or that we should acquiesce in whatever small victories they may be able to win. We need to be vigilant and fight for the right to build and use new technologies. It’s that struggle that keeps the Net connected to the freedoms we enjoy in the real world. It’s that struggle that keeps techno-lockdown in the realm of speculation and not reality.

Abusable Technologies Awareness Center

That’s the name of a new group blog on cyber-security, at http://www.abusabletech.org, to which I’ll be contributing. There are nineteen contributors, including some of the most prominent researchers in the field. I’m excited to be associated with such an eminent group, and I have high hopes for ATAC.

Freedom to Tinker will continue as always. Any of my ATAC postings that seem relevant to Freedom to Tinker readers will be linked to or duplicated here. But if you’re interested in cybersecurity, you should read ATAC so you can hear from the other panelists.

Devil in the Details

There’s been a lot of discussion lately about compulsory license schemes for music. I’ve said before that I’m skeptical about their practicality. One reason for my skepticism is a concern about the measurement problem, and especially about the technical details of how measurement would be done.

To split up the revenue pool, compulsory license schemes all measure something – some proxy for consumer demand – and then give each copyright owner a share of the pie determined by the measured value. Most proposals require measuring how often a song is downloaded, or how often it is played.

Most compulsory license advocates tell us what they want to measure, but as far as I know, nobody has gone into any detail about how they would do the measurement. And based on the thinking I have done on the “how” question, there doesn’t seem to be an easy answer.

So here is my challenge to compulsory enthusiasts: tell us, in technical detail, how you propose to do the measurements. You don’t have to give us working code, but do tell us which programs you would write or modify, and what specifically they would look for. Tell us how you would cope with backward compatibility, and the diverse formats in which people download and store music. Tell us how you would deal with non-PC platforms such as Macs, Linux boxes, and iPods, as well as non-traditional network setups such as public WiFi access points.

The devil is in the details; so show us the details of your plan.

Voting Machine Vendors To Do … What?

In today’s Washington Post, Jonathan Krim reports on a new effort by the e-voting machine vendors to do … something or other. The article, which is titled “Voting-Machine Makers to Fight Security Criticism”, doesn’t quite say what they’re planning to do. The following two paragraphs come the closest to revealing their plans:

Electronic-voting-machine companies announced yesterday that they are banding together to counter mounting concerns about whether their machines are secure enough to withstand tampering by hackers.

The leading voting-machine companies, which argue that their systems are safe, have yet to put forward any proposals on addressing the concerns. But under the umbrella leadership of the Information Technology Association of America, the industry hopes to foster conversation that includes security experts, academics, local elections officials, and the National Institute of Standards and Technology, the federal agency overseeing technical standards.

In other words, although they “have yet to put forward any proposals”, they hope to have some conversations with people. Amusingly, the chairman of the ITAA calls this “an inflection point in the history of voting in this country.”

You’ve really gotta wonder how a non-story like this got onto page 2 of a major newspaper.

Reflections on the Harvard Alternative Compensation Meeting

Yesterday I attended a daylong workshop at Harvard Law School about alternative compensation systems for digital media. It was a great meeting, with many interesting people saying interesting things. There was a high density of other bloggers, including Ernie Miller, John Palfrey, Derek Slater, Aaron Swartz, and Eugene Volokh, and I hope to read their reactions to the meeting. (Eugene has already posted a brief recap.)

The morning focused on mandatory license systems, such as those proposed by Fisher and Netanel. The conversation immediately turned to the core problem, which is strategic behavior by users, intended to channel the system’s revenues to their friends. Examples include Eugene Volokh’s “Second Amendment Blues” scenario, in which the NRA releases a song and NRA members obsessively download and play it, and my scenario in which I play and play my brother’s off-key rendition of “Feelings”. The result is that tax money gets channeled to the NRA or my brother, rather than to real artists. Everybody agreed that this cannot be eliminated, but there are some things you can do to reduce the distortion it causes. (And don’t forget that the goal is only to be less inefficient than the current system.) Two issues remained largely unexplored. First, some have suggested that social norms will cause most people to avoid gaming the system, out of a feeling of obligation to artists. We don’t know how strong those norms will prove to be. Second, some people expressed concern that people will find other perverse ways to respond to the off-kilter incentives that a mandatory license creates. It seems to me that we can predict most of the first-order effects of a mandatory license, but we haven’t thought much about second- and third-order effects.

There was also some discussion about the “porn problem” – the fact that some of the media material consumed under the license will be pornographic, and there will be strong political opposition to any system that causes the government to send checks to porn publishers. (Excluding porn from the system raises other legal and practical problems.) One response is to propose a system in which each person gets to designate the destination of their own tax money. That helps the political problem somewhat, but I still think that some people would object to any system that treats porn as a legitimate kind of content.

At the end of the morning I was a bit less pessimistic than before about the advisability of adopting a mandatory license. But I’m still far from convinced that it’s the right course.

The afternoon discussion was about voluntary license schemes. And here an interesting thing happened. We talked for a while about how one might structure a system in which consumers can license a pool of copyrighted music contributed by artists, with the revenue being split up appropriately among the artists. Eventually it became clear that what we were really doing was setting up a record company! We were talking about how to recruit artists, what contract to sign with artists, which distribution channels to use, how to price the product, and what to do about P2P piracy of our works. Give us shiny suits, stubble, tiny earpiece phones, and obsequious personal assistants, and we could join the RIAA. This kind of voluntary scheme is not an alternative to the existing system, but just another entrant into it.

This is not to say that a few ISPs or universities can’t get together and cut a voluntary deal with the existing record companies (and other copyright owners). Such a deal would still be interesting, and it would lack some of the disadvantages of the more ambitious mandatory license schemes. Of all of the blanket license schemes, this would be both the least risky and the easiest to arrange. But it hasn’t happened yet. (Penn State’s deal with Napster doesn’t count, since it’s just a bulk purchase of subscriptions to a service, and not a blanket license that allows unrestricted use of music on the campus.)

All in all, it was a very instructive and fun meeting. Big thanks to the Harvard people for arranging it. And now, due to a big snowstorm, I get to spend an extra day or two in lovely Cambridge.