Monday, September 26, 2011

Netflix Hates Privacy?

There’s been a lot of news about how Netflix wants to fight an arcane video law, passed almost 25 years ago, to enable the future of movie streaming. Hulu wants to do the same thing, with their new video campaign, “This is my favorite part…” I like the Hulu commercials, but I’m not convinced that I want people to automatically know I’m watching reruns of Cashmere Mafia. It’s my wife, I swear.

Facebook has already been sued for sharing Blockbuster rental information, according to Wired.

Intro to the Video Privacy Protection Act

I think all the best consumer protection laws come from when politicians’ private lives are exposed to us. This is what happened to get the VPPA enacted. A Supreme Court nominee’s local video store gave up his viewing history to a reporter. The reporter published the videos in an attempt to embarrass the nominee and derail his nomination, but instead, members of Congress all realized that they’d be in deep trouble if clever reporters could all do the same thing to them. Interestingly, the bill was written by Senator Leahy, whose committee is now being asked to amend the bill in favor of Netflix sharing your movie tastes with everyone.

Some have called the VPPA the strongest protection of consumer privacy against data collection. Even stronger than HIPAA? Yes, it is. The reason is that it creates a private right of action for consumers to sue the offender directly. HIPAA and all of the new privacy legislation proposed so far in 2011 do not create a private right of action, instead putting the burden on the state Attorneys General.

Draw your own conclusions here, but I’m liking the VPPA a lot more than the new legislation currently being drafted. Giving the power to the consumers is a better solution than assuming an Attorney General will go after infringers. They already have the power to do this under HIPAA, and they haven’t exercised that power very often. Class Actions for privacy issues are also problematic, since courts are more and more reluctant to let them move forward.

Privacy is dead. Long live privacy.

Thursday, September 15, 2011

Hacking is free speech!

Hacking Is Free Speech! (or is it?)

I should start by noting that not all speech is protected under the 1st Amendment. For example, I can’t say to someone that I am a detective with Miami Metro Homicide, because I’m not. That’s called impersonating a police officer and carries a prison sentence. There are particular acts in speech that break down the structure of our society, so we don’t protect them. Libel. Slander.

The problem with laws governing fraud covering the Internet is that everyone is a fraud on the web. Why do we allow hate speech to be protected while we chastise hackers for typing in simple letters and numbers in URLs? One may very well incite violence, but the other is much more insidious somehow because we call it Cross Site Scripting? One is more insidious because a software company produced a terrible product and doesn’t spend enough resources keeping their software up to date?

Let’s face it. The Internet makes us bipolar. The whole point of the Internet is being connected, yet we put up barriers and firewalls to protect us. At the same time that we say we are worried about hackers and identity thieves ruining our lives, we believe news articles from people we don’t know the credentials of and we open up to complete strangers whom we’ve never met. Why can’t we just accept that you shouldn’t trust anyone on the Internet?

If we can accept it as true that nothing on the Internet should be trusted, then we wouldn’t be surprised when information was leaked or when sites went down. Should Hacking be considered protected speech under the 1st Amendment? In other words, should hacking be free speech?

As security practitioners and government legislators, we should accept the reality of computer insecurity rather than fight the evil hordes that attempt to subvert our pristine online ivory towers.

Why not have laws that make it illegal to ship a computer product that is susceptible to computer hacking? Why not make it illegal to not patch a known vulnerability within a reasonable period of time? Why not create real penalties for failed security at companies that have high value targets just like we have for banks and other institutions?

Because it’s impossible to make a computer secure? Exactly my point!

Because it’s easier to label ‘hackers’ as bad guys and go after them than change our paradigm?

The truth is that we don’t really understand the virtual world enough to apply the law to it. While I can accept the application of RICO to rings of identity thieves, it makes no sense that a person can get jail time for being an internet troll. (Keep in mind the difference between US and UK law…in the US there is a church that goes to protest at military funerals.)

So you say you want a revolution? You say that as the computer elite you should be the ones to change the world? Okay, let’s say that hacking is civil disobedience. There have been some meaty articles written on this in The Guardian, Slate, and Shiny Ideas.

Okay, so instead of being a Civil Rights Worker, you’re a Hacktivist. Now what? You should be prepared to be arrested. Civil Rights activists had a specific goal they were working towards and they were prepared to be arrested to support their cause, for change. The very act of their arrest only added to their cause. If you are a Hacktivist and you believe in whatever cause you are supporting, then nobly stand behind it. But don’t undermine your own cause by trying to overthrow society itself.

This is the problem then. What is the cause that Hacktivism supports? Is there only one? Are there more parallels with Batman or Martin Luther King Jr.?

Friday, September 9, 2011

What Would Jesus Hack

Interesting article in the Economist about the connection between Christian values and the values of the Hacker/Open Source Community: