Thursday, August 25, 2011

The Privacy Bill of Rights

When it comes to the Federalist debates, I was always on the side that argued that creating a bill of rights would limit our rights rather than protect them. But, since we don’t live in that world, Congress is working on creating additional bills of rights (maybe this is just a fad). There was the recent Airline Passenger Bill of Rights. Now we’ve moved on to a Privacy Bill of Rights. Thanks go to John McCain and John Kerry for putting their names behind this one.

The Privacy Bill of Rights would create 3 new rights for online users:

  • The Right to Security and Accountability
  • The Right to Notice and Individual Participation
  • The Right to Data Protection (which includes Data Minimization, Constraints on Distribution of Information, and the Right to Data Integrity)

Like many of the current proposals for a Federal data privacy law, there is no private right of action. The bill relies on state Attorneys General to pursue actions against companies that fall short on their privacy protections. The bill also has the highest per-day civil penalties, but only a moderate maximum penalty, when compared with the other bills on the table.

The FTC will have to issue rules that translate the Privacy Bill of Rights into something meaningful that businesses can follow. The bill gives the FTC 180 days to issue that guidance, but realistically that process could take years. The FTC Red Flag rules were not implemented for 2 years due to confusion on the part of businesses as to who was covered and how to comply.

The bill requires an opt-in for collection of information as well as an opt-out for advertising. This will go a long way toward changing the de facto PII collection and storage policies of web-based companies.

The 3 rights that I’m calling Data Protection (Data Minimization, Constraints on Distribution of Information, and the Right to Data Integrity) are the most interesting part of the bill and set it apart from the rest of the bills out there. For example, the bill will restrict transfers of information to “unreliable third parties”. Presumably this means that spammers or companies that have been repeatedly hacked won’t be able to get personal information. The bill will also prevent companies from combining multiple sets of personal information from multiple sources, which will put limits on data aggregators.

Finally, there is a data integrity component which requires companies to ensure that the information they collect is accurate. This is a very forward-thinking aspect of the bill, and it could have very broad implications. It seems similar to the requirements placed on the credit bureaus for credit scores.

Monday, August 22, 2011

Porn Pirates vs. Copyright Trolls

We’ve spent the last 10 years hearing about the evil forces of the RIAA suing single mothers and grandparents without a computer. The entertainment industry has seen declining CD sales for a number of years. Whether this is attributable to piracy and programs like Napster is hotly debated.

Behind the scenes, the RIAA has done more than sue individuals. They’ve blocked businesses from offering new services. The RIAA has been busy pioneering new anti-piracy technology.
The RIAA has also done a lot of work on new legislation. DMCA is a four-letter word in many circles. They’ve also included new provisions for college campuses in the Higher Education Opportunity Act (HEOA) that require universities to create programs to combat piracy, and Congress has seen fit to tie Federal funding to these programs. Universities spend tens of millions of dollars per year on technology and man-hours policing the copyrights of for-profit organizations.

Satisfied with their victory, the RIAA announced that they won’t be bringing any more lawsuits.
This legislation has now paved the way for the porn industry to take advantage of the structure that the RIAA helped establish.

Movie studios apparently see this as an opportunity for a new revenue stream. The sad part is that the studios may be using this as a way to make up for the cost of flops. They are using the movie The Expendables as a test case for this. They recently filed the largest John Doe lawsuit ever for the star-studded movie, which had disappointing results at the box office. If all of these defendants settle for an average of $4,000-$5,000 (which seems to be close to what other lawsuits have settled for), the studio could stand to make an additional $100 million on the movie. This particular movie only made $103 million at the US box office.

There are a few differences between movie studios and porn studios when it comes to DMCA notices. Chief among these is embarrassment about being caught. If your spouse, your parents, your school, or your employer see a notice that you have been accused of stealing porn, whether it is legitimate or not, it will damage relationships in a way that movies can’t touch. (No pun intended.)

The closest single porn lawsuit in size to the Expendables case targets 15,551 BitTorrent users for downloading a handful of porn flicks with titles such as Big Dick Glory Holes and Spin on My Cock. A judge has not decided whether to authorize subpoenas in that case.

Unlike the RIAA or the MPAA, porn companies will usually include a settlement offer with their notices. This makes the DMCA notice more than just a takedown request. The DMCA was written for ISPs to be notified that their subscribers were sharing copyrighted content. For the RIAA the argument ends there.

This puts the ISP in a difficult position. Normally with a DMCA notice, they may notify the user or they may even turn off the user’s Internet access. In fact, a number of ISPs have announced that they will create a six-strikes policy against copyright infringers.

The porn approach is problematic for businesses because it means that the ISP will feel compelled to pass the settlement portion of the DMCA notice along to the user. Businesses can be compelled via a subpoena to disclose the identity of their users, but including a settlement notice short circuits the subpoena process. ISPs won’t want to be in a position with their subscribers saying during a lawsuit that they would have settled a case had they only gotten the initial settlement offer.

The problem with the current DMCA process is that it places the burden of proof on the subscriber to disprove infringement rather than on the copyright holder to prove their case. Especially in the case of an accusation from a porn studio and the associated embarrassment, an individual may be induced to settle a case.

There is no obligation on the part of the ISP to do any of their own fact-checking, such as viewing network logs to see what traffic, if any, was coming from the user’s computer at the claimed time of infringement.

Especially with the huge increases in the number of DMCA notices, the incentive for ISPs to do any due diligence has been completely removed. ISPs can only expect the number of DMCA notices to continue to increase as new content holders get in on the act. Many content holders have outsourced their monitoring activities, and these monitoring companies are paid based on the number of infringers they find. These companies are very secretive about their methods, but those methods are questionable. It’s unclear, for example, whether a failed or incomplete download might result in a notice of infringement being sent to the user. If ISPs are not keeping detailed logs and a user removes the infringing file (assuming they remove it completely), the only evidence is the word of the copyright holder that an infringement took place.

Tuesday, August 16, 2011

How Many DMCA Notices does the RIAA send every year?

How Many DMCA Notices does the RIAA send every year? This is a question I've been asking myself (and others) for years now.

The solution was pretty obvious...on the tip of my proverbial nose the whole time.
The RIAA appears to use a sequential numbering system in its case tracking system. There is no way to tell what percentage of the cases represented in their case tracking actually lead to a generated DMCA notice. Duplicates or false positives may account for some percentage of this figure. Judging by the number of duplicates and false positives that we actually receive, I would guess not. Looking at the volume, however, I’d be willing to bet that each case number represents an individual DMCA notice.

Using the sequential numbers as a framework, you can now estimate how many DMCA notices were sent on a monthly basis. The numbers also vary widely over time, so you can’t assume that the same number of notices is sent every day. In one twenty-four-hour period in July, the numbers incremented by nearly 600,000. Most 24-hour periods see fewer than 100,000.

Based on the claims that billions of dollars per year are lost to illegal file sharing, these numbers might seem low; however, the RIAA and others have never claimed to be able to catch 100% of all file sharing, so this is undoubtedly a fraction. If you still think that these numbers are low, think about what these notices do to ISPs and universities. Each notice probably takes around 30 minutes to address, covering the forensic work that needs to be done to find the user, validate that there was network traffic at that time, send a notice to the user, and interact with the user afterwards. Even if only 20% of DMCA notices go to universities, that means universities probably spent nearly a million man-hours responding to DMCA notices in 2010. In only the first 7 months of 2011, the RIAA has sent 4 million more notices than in all of 2010, which means the total for 2011 will probably be double that of 2010.
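The estimation method described above, written out as an added example (not the author’s own tooling): consecutive observations of the sequential case numbers give a per-day rate, the median rate keeps a single burst day from dominating the monthly estimate, and the 30-minutes-per-notice and 20%-to-universities figures from the post turn notice counts into man-hours. The observations are constructed, not real RIAA data.

```python
"""Estimate notice volume from sequentially numbered case IDs seen in notices."""
from datetime import datetime
from statistics import median

# Constructed observations: (time the notice arrived, case number it carried).
# The jump on 07-04 mimics the ~600k single-day burst described in the post.
OBSERVATIONS = [
    ("2011-07-01T09:00", 1_000_000),
    ("2011-07-02T09:00", 1_080_000),
    ("2011-07-03T09:00", 1_150_000),
    ("2011-07-04T09:00", 1_740_000),
    ("2011-07-05T09:00", 1_800_000),
]


def intervals(obs):
    """Return (days, increment, per_day) for each pair of consecutive observations.

    Sequential IDs only support this inference if they never go backwards, so a
    non-monotonic pair (clock skew, re-used number, parse error) is an error, not data.
    """
    out = []
    for (t0, n0), (t1, n1) in zip(obs, obs[1:]):
        days = (datetime.fromisoformat(t1) - datetime.fromisoformat(t0)).total_seconds() / 86400
        if days <= 0 or n1 < n0:
            raise ValueError(f"non-monotonic observation at {t1}")
        out.append((days, n1 - n0, (n1 - n0) / days))
    return out


def burst_intervals(ivs, factor=3.0):
    """Intervals whose daily rate exceeds `factor` times the median rate (the burst days)."""
    med = median(r for _, _, r in ivs)
    return [iv for iv in ivs if iv[2] > factor * med]


def estimate_monthly(ivs, days_in_month=31):
    """Monthly estimate from the median daily rate; a mean would be skewed by bursts."""
    return median(r for _, _, r in ivs) * days_in_month


def university_hours(total_notices, share=0.20, minutes_per_notice=30):
    """Man-hours spent by universities: share of notices times handling time per notice."""
    return total_notices * share * minutes_per_notice / 60


if __name__ == "__main__":
    ivs = intervals(OBSERVATIONS)
    print(f"burst intervals: {burst_intervals(ivs)}")
    print(f"monthly estimate: {estimate_monthly(ivs):,.0f} notices")
    print(f"10M notices/year -> {university_hours(10_000_000):,.0f} university man-hours")
```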

Monday, August 15, 2011

Should There Be a CyberWar Treaty?, Part 1

The Department of Defense released its Strategy for Operating in Cyberspace in July. In the document, they add Cyber to the traditional four domains: Land, Sea, Air, and Space.

This paper raises the question, at least in my mind: Should there be a Cyberwarfare treaty? I think the short answer is a definite “Maybe.”

I think a longer answer is that an arms treaty, like those for chemical or nuclear weapons, is meant to deter the production of those types of weapons by government entities. Even if such a treaty were to be ratified, it would not stop other entities, whether commercial, criminal, or private, from creating the same.

Similarly, all computer software has a shelf life, and this is also true for computer viruses. A hacker creating a computer virus is reliant upon an operating system. When those operating systems are updated, patched, or replaced, the virus ceases to have value. This is not true for other types of arms control. A 50 year old nuclear warhead is still dangerous.

What would such a treaty say? Should it be specific to the types of code that shouldn’t be written? Should it ban countries from producing soldier-hackers? Should it create an outright ban on the types of computer warfare that are not allowed? Should there be a Geneva Convention for the Internet?

All these conventions don’t fit the makeup of the Internet. This is the Internet, where companies and technologies, even whole computer languages, have lifecycles measured in months, not years. Assuming that a written treaty could apply is a misunderstanding of how the Internet is governed. Every aspect of the Internet is governed by social convention, software licenses, and terms of service. These conventions necessarily change very quickly over time. And even if such a treaty could be ratified, it would be obsolete by the time the ink was dry.

It would be great if governments were willing to commit to one another that they won’t attack each other’s nuclear reactors with computer viruses. Or jails. Or air traffic control systems. But this misses the point of the greatest protection we already have, the one that worked throughout the Cold War: mutually assured destruction. Because of globalization, an attack on the US would have immediate and drastic economic consequences for every other nation state in the world. Even a small-scale attack on a major country would have similar consequences, given how much the world has felt the problems in Ireland, Greece, and Portugal. And there is no reason to think that an attack would be limited to only one country at one time. If such an attack were to take place, it would be just as easy to attack everyone who is against your particular point of view.

A treaty like this would probably be unnecessary given current alliances.

The best idea for a treaty like this would be a worldwide treaty that includes all major players and commits them to share resources, visibility, and intelligence to protect critical infrastructure against non-state actors. This would be very similar to how many organizations, as well as state governments, have developed inter-organizational Information Security Advisory Councils to share real-time threat information. Some large ISPs like AT&T and Verizon are offering this kind of real-time threat monitoring from a worldwide perspective, so it would be a huge step in cyberspace if governments took the same measures.

Click here for part 2 of my series on Cyber Warfare Treaties.

Monday, August 8, 2011

Cyberwar - Cyber Arms Dealers

Business Week has a nice article on the cyberwar arms race.

I think the most interesting part about the article is the idea of a Cyber "Arms Dealer". This makes me wonder what other analogs to traditional warfare might be out there... Mercenary Hackers?