Filter
  • Movie Studio Takes Unprecedented Proactive Action To Stop Piracy

    August 29, 2011

    A film studio is taking extreme steps to try and stop its latest movie from being pirated online. Reliance Entertainment has obtained a court order which restrains thousands of ISPs and websites from making available their film Bodyguard, a move which the company believes will reduce piracy by 60%. A similar but less broad effort last month is reported to have cut file-sharing by 40%.

    In July, millions of Indians discovered they could not access their favorite file-sharing sites including popular hosters such as Mediafire, MegaUpload and Hotfile.

    The chaos came about because movie studio Reliance Entertainment had obtained a court order from the Indian High Court which restrained many Internet services providers from offering, even indirectly, a pirate copy of the movie Singham.

    Concerned by the consequences of breaching the court order, some ISPs blocked entire sites just to be safe, much to the disappointment of their users.

    Despite the collateral damage, according to Reliance Entertainment Vice-President Music and Anti-Piracy, Sanjay Tandon, the aggressive action was worth it since the movie broke several box-office records.

    “We were able to bring down piracy by 40 per cent,” Tandon reports.

    Just a month later, Reliance Entertainment is back with a new movie called Bodyguard. It premieres in theaters on Wednesday, and, encouraged by its success with Singham, the company says Bodyguard is going to be protected from unauthorized online distribution with every resource it has.

    Measured alongside the after-the-fact DMCA takedowns of the West, the effort being made by the studio is unprecedented.

    Reliance has obtained a proactive ‘John Doe Order’ from the Delhi High Court which forbids any ISP, site or service which potentially might be involved in infringement from offering Bodyguard, directly or indirectly. Already the company says it has forwarded the order to more than 2,000 ISPs and sites informing them of their legal obligations.

    “The order is a measure to prevent piracy of Bodyguard. With this, we expect piracy levels for the film to come down by 60 per cent,” said Tandon, adding that the company has created an anti-piracy department especially for the job.

    “For Bodyguard, the company has readied a team that will conduct raids to identify those infringing on the copyright,” he added.

    Although the High Court order is only effective for restraining local services, it will be interesting to see how those affected respond.

    File-hosting services outside the country won’t remove content unless they’re served with a takedown request which will then put pressure on local ISPs providing access to sites like RapidShare and MegaUpload. Will they blank out the sites altogether or will they spend time and energy surgically striking at specific URLs? We’ll find out on Wednesday.

    BitSnoop, a torrent site which was asked to comply with last month’s court order, told TorrentFreak that thus far there has been no contact from Reliance or their lawyers over Bodyguard.

    Aside from their aggressive and proactive online enforcement strategy, Reliance Entertainment is also taking another step to reduce piracy by addressing the issue of availability. In mid-September, just 6 weeks after Bodyguard premieres in 2,500 theaters, Reliance will release the official Bodyguard DVD.


  • Paul Vixie Explains How PROTECT IP Will Break The Internet

    by Mike Masnick
    August 26, 2011

    from the not-cool-folks dept

    It's pretty difficult to question Paul Vixie's credibility when it comes to core internet infrastructure. Creator of a variety of key Unix and internet software, he's still most known for his work on BIND, "the most widely used DNS software on the internet." So you would think that when he and a few other core internet technologists spoke up about why PROTECT IP would break fundamental parts of the internet, people would pay attention. Tragically, PROTECT IP supporters, like the MPAA, appear to be totally clueless in arguing against Vixie. Their response is basically "it's fine to break the internet to evil rogue sites."

    That, of course, is missing the point. It's not that anyone's worried about breaking the internet for those sites. It's that it will break fundamental parts of the internet for everyone else as well. And... it will do this in a way that won't make a dent in online infringement. Afterdawn sat down with Vixie who gave a clear and concise explanation of why PROTECT IP is a problem. The biggest issue is how it will impact DNSSEC, which adds cryptographic signatures to DNS records so that a resolver can verify that the IP address it's getting is authentic. You want that. Without that, there are significant security risks. But PROTECT IP ignores that.

    Explained simply, for DNSSEC to work, it needs to be able to route around errors. But the way PROTECT IP is written, routing around errors will break the law:

    Say your browser, when it's trying to decide whether some web site is or is not your bank's web site, sees the modifications or hears no response. It has to be able to try some other mechanism like a proxy or a VPN as a backup solution rather than just giving up (or just accepting the modification and saying "who cares?"). Using a proxy or VPN as a backup solution would, under PROTECT IP, break the law.

    And, of course, none of these DNS efforts will actually stop infringement. As the Afterdawn article notes: "Bypassing DNS filtering is trivially easy. All you need to do is configure your computer to use DNS servers outside the US which won't be affected by the law."

    And while supporters of PROTECT IP insist that there's nothing to worry about because it only impacts those "foreign websites," that's misleading in the extreme. PROTECT IP will impact a ton of US-based technology companies. First, if we have a less secure internet, that's going to be a problem for obvious reasons. Additionally, the way the law works is that it puts a direct burden on US companies to figure out ways to block sites declared rogue (you know, like the Internet Archive and 50 Cent's personal website), or face liability. This will increase both compliance and legal costs.

    In the last few months we've been hearing from more folks in the startup world who are really concerned about the excessive burdens PROTECT IP is going to put on them. If you're an entrepreneur who's worried about this, we'd like to hear about it. Please contact us.


  • Brazil Looks To Criminalize Ripping A CD?

    by Mike Masnick
    August 26, 2011

    from the how-quickly-they've-fallen dept

    Over the past few years, it really looked like Brazil was close to becoming one of the most progressive countries on copyright issues. It was embracing fair use and the public domain in a strong way, and was even considering proposals to fully legalize file sharing. And, of course, the music industry is thriving in Brazil as well, in part due to the embracing of free distribution. The government had also embraced open culture in a variety of ways, even using Creative Commons licenses on government websites.

    How quickly things change.

    Within months of a new administration coming to town, the new Culture Minister ordered the Creative Commons license off of the Ministry's website. When asked why, she said "We will discuss copyright reform when the time comes." But having a CC license on a webpage has nothing to do with copyright reform. However, it was a warning sign that such efforts were coming, and rather than continuing the progress made in the country, the new administration was looking to go in the other direction.

    Now it appears that we're seeing some of those efforts in action. The country is considering a broad new "cybercrime" bill that, among other things, will criminalize both file sharing and ripping a CD to a computer. File sharing may involve infringement, but at a civil, not criminal level. The fact that the government seems to be going much further is ridiculous -- especially at a time when the Brazilian technobrega scene has demonstrated so clearly how an entire musical culture can thrive (and make lots of money) without even using copyright (and even actively ignoring it and encouraging the widespread sharing of works).


  • Tackling online piracy through graduated response: the new copyright alert system

    Rick Carnes
    August 23, 2011

    The always-evolving relationship between ISPs and content owners took another turn toward cooperation and mutual respect in early July. Major ISPs including AT&T (NYSE: T), Cablevision (NYSE: CVC), Comcast (Nasdaq: CMCSA), Time Warner Cable (NYSE: TWC) and Verizon (NYSE: VZ), as well as rights groups representing the movie studios and the record labels (MPAA, RIAA, IFTA and A2IM), announced a voluntary agreement to implement a pro-consumer Copyright Alert System to assist in curtailing illegal online piracy.

    This new Copyright Alert System establishes a standardized program in which ISPs will forward a series of up to six notices of escalated warning to Internet subscribers whose Internet accounts may have been misused for illegally distributing copyrighted content without authorization of the rightful owner.

    The alerts will begin with two warnings informing consumers that their accounts may have been misused for copyright theft. Each of these notices will refer the consumer to educational materials about copyright theft penalties, and point them to legal sources for content while also giving them information on how to secure their WiFi networks. The third and fourth notifications will require the consumer to acknowledge the receipt of the notifications, so there can be no mistake that the consumer is aware of the alerts.

    The fifth and sixth notifications will include the use of mitigation policies designed to deter further copyright theft. These might include temporary reduction of the speed of their broadband connection and/or redirection to a landing page where the subscriber will be required to review educational materials on copyright. To ensure that subscribers have a fair opportunity to dispute the allegations contained in the notices before the use of a mitigation measure, the system will also include the availability of an independent review process.

    Importantly, under this Copyright Alert System, ISPs will continue to protect their subscribers' privacy and will not provide subscribers' names or other personally identifiable information to right holders. Additionally, the mitigation measures used by ISPs will not cut off the subscriber's Internet service or prevent access to critical services such as 911 emergency phone calls. These warnings are an important aid to consumers for two reasons. First, most consumers are honest and law abiding, and when they are notified that copyright theft (including their own activities) is illegal and may subject them to serious legal penalties, will instead choose to use one of the many legal alternatives to access copyrighted content online. Second, some consumers, such as parents and people with unsecured WiFi systems, are likely unaware that their accounts are being used for illegal sharing of copyrighted content. Once alerted, they will have the opportunity to secure their systems and/or discuss the issue with any friend or family member who uses their Internet connection.

    In addition to the notification system, the agreement establishes a Center for Copyright Information with the mission of educating consumers about the importance of copyright protection in driving the creation of quality content, and about legal ways to obtain music and movies online. The Center will also help develop a common framework of best practices for ISPs in alerting Internet subscribers about possible copyright theft associated with their accounts.

    Those of us in the creative community applaud this new cooperation between the ISPs and the content community to educate consumers. We also are pleased that this initiative recognizes that the massive theft of content online hurts every player in the content delivery chain. Consumers want great content delivered in a safe fashion, ISPs want to help protect their customers and provide legal content to them, and creators want to protect their works so they are able to continue earning a living at their crafts. Together, through the development of this new Copyright Alert System, we have formed the beginnings of a partnership that will commercially and culturally benefit consumers, creators, and ISPs alike.


  • The Expendables Makers Dismiss Massive BitTorrent Lawsuit

    August 25, 2011

    The ever-growing avalanche of lawsuits against BitTorrent users in the United States may have reached a turning point. The makers of The Expendables have voluntarily dismissed their case against 23,322 alleged BitTorrent users who they accused of illegally downloading and sharing their film. This means that the once-largest BitTorrent lawsuit ever is finally over, and it could signal the beginning of the end for the entire scheme.

    Since 2010 the United States Copyright Group (USCG) has sued tens of thousands of BitTorrent users who allegedly shared films without the consent of copyright holders.

    Their example was soon followed by other law firms, representing dozens of copyright holders, who saw an opportunity to convert instances of piracy into a healthy revenue stream.

    One of the movie studios that teamed up with USCG is Nu Image, the makers of The Expendables, an independent production that grossed more than $100 million in the United States alone.

    A massive list of 23,322 U.S. Internet users were targeted by the film studio, and for a short while Nu Image had the questionable honor of having started the biggest file-sharing lawsuit the world has ever witnessed.

    But, instead of raking in millions of dollars from the accused file-sharers as was the plan, Nu Image has now thrown in the towel by voluntarily dismissing the case.

    Late last month the film studio received bad news as District Court Judge Robert Wilkins ruled that Nu Image can only go after those individuals who are reasonably likely to be living in the District of Columbia. This means that the movie studio could not send any subpoenas to ISPs when the IP addresses are located in other districts.

    This effectively meant that 99% of the initial defendants walked free, a devastating blow to the plans of USCG and Nu Image. As a result they’ve now decided to drop the case in its entirety, including the defendants who were sued in the right district.

    “Plaintiff hereby gives notice that it voluntarily dismisses the case in its entirety, without prejudice,” the attorneys write in a brief notice to the court.

    Although it is not the first time that a judge has ruled that defendants have to be sued in the right court, the current case adds extra weight because of the sheer number of defendants and the fact that it received widespread coverage in the media previously.

    If other judges side with Wilkins, future mass-lawsuits against BitTorrent users will become more costly. Although it is unlikely that these cases will disappear entirely, it seems plausible to assume that lawyers will now think twice before they sue thousands of defendants in the wrong district.

    USCG in particular has to change their tactics if they want to continue suing alleged copyright infringers, not least because their actions are being watched more closely after doubt was cast over the reliability of their evidence.


  • Why IP Addresses Alone Don't Identify Criminals

    by Marcia Hofmann
    August 24th, 2011

    This spring, agents from Immigration and Customs Enforcement (ICE) executed a search warrant at the home of Nolan King and seized six computer hard drives in connection with a criminal investigation. The warrant was issued on the basis of an Internet Protocol (IP) address that traced back to an account connected to Mr. King's home, where he was operating a Tor exit relay.

    An exit relay is the last computer that Tor traffic goes through before it reaches its destination. Because Tor traffic exits through these computers, their IP addresses may be misinterpreted as the source of the traffic, even though the exit node operator is neither the true origin of that traffic nor able to identify the user who is. While law enforcement officers have seized exit relays in other countries, we weren't aware of any seizures in the United States until ICE showed up at Mr. King's home.

    After the computers were seized, EFF spoke with ICE and explained that Mr. King was running a Tor exit relay in his home. We pointed out that ICE could confirm on the Tor Project's web site that a computer associated with the IP address listed in the warrant was highly likely to have been running an exit relay at the date and time listed in the warrant. ICE later returned the hard drives, warning Mr. King that "this could happen again." After EFF sent a letter, however, ICE confirmed that it hadn't retained any data from the computer and that Mr. King is no longer a person of interest in the investigation.

    While we think it's important to let the public know about this unfortunate event, it doesn't change our belief that running a Tor exit relay is legal. And it's worth highlighting the fact that these unnecessary incidents are avoidable, and law enforcement agents and relay operators alike can take measures to avoid them in the future.

    First, an IP address doesn't automatically identify a criminal suspect. It's just a unique address for a device connected to the Internet, much like a street address identifies a building. In most cases, an IP address will identify a router that one or more computers use to connect to the Internet. Sometimes a router's IP address might correspond fairly well to a specific user—for example, a person who lives alone and has a password-protected wireless network. And tracking the IP addresses associated with a person over time can create a detailed portrait of her movements and activities in private spaces, as we've pointed out in a case in which the government is seeking IP addresses of several Twitter users in connection with the criminal investigation of Wikileaks.

    But in many situations, an IP address isn't personally identifying at all. When it traces back to a router that connects to many computers at a library, cafe, university, or to an open wireless network, VPN or Tor exit relay used by any number of people, an IP address alone doesn't identify the sender of a specific message. And because of pervasive problems like botnets and malware, suspect IP addresses increasingly turn out to be mere stepping stones for the person actually "using" the computer—a person who is nowhere nearby.

    This means an IP address is nothing more than a piece of information, a clue. An IP address alone is not probable cause that a person has committed a crime. Furthermore, search warrants executed solely on the basis of IP addresses have a significant likelihood of wasting officers' time and resources rather than producing helpful leads.

    In the case of Tor, the police can avoid mistakenly pursuing exit relay operators by checking the IP addresses that emerge in their investigations against publicly available lists of exit relays published on the Tor Project's web site. The ExoneraTor is another tool that allows anyone to quickly and easily see whether a Tor exit relay was likely to have been running at a particular IP address during a given date and time. The Tor Project can also help law enforcement agencies set up their own systems to query IP addresses easily. These simple checks will help officers concentrate their investigative resources on tracking down those actually committing crimes and ensure that they don't execute search warrants at innocent people's homes.

    If you run an exit relay, consider operating it in a Tor-friendly commercial facility instead of your home to make it less likely that law enforcement agents will show up at your door. Also follow the Tor Project's advice for running an exit relay, which includes setting up a reverse DNS name for your IP address that makes it clear your computer is running an exit relay.
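    As an added illustration of the check the post recommends (example code, not from the EFF post or the Tor Project): an offline, ExoneraTor-style lookup that takes an IP address and a timestamp from an investigation and reports whether that address was listed as an exit relay at that time. The snapshot text follows the shape of the published network-status format (`valid-after`, `r` and `s` lines), but the relays, addresses and fingerprint columns are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address

# Constructed sample snapshots: two consecutive hourly consensuses listing one
# fictional exit relay and one fictional middle-only relay, both on RFC 5737
# documentation addresses.  The identity and digest columns are filler.
SAMPLE_SNAPSHOTS = [
    """valid-after 2011-03-01 10:00:00
r homeexit AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2011-03-01 09:55:00 192.0.2.10 9001 9030
s Exit Fast Running Valid
r middleonly CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2011-03-01 09:50:00 198.51.100.7 443 0
s Fast Running Valid
""",
    """valid-after 2011-03-01 11:00:00
r homeexit AAAAAAAAAAAAAAAAAAAAAAAAAAA EEEEEEEEEEEEEEEEEEEEEEEEEEE 2011-03-01 10:55:00 192.0.2.10 9001 9030
s Exit Fast Running Valid
r middleonly CCCCCCCCCCCCCCCCCCCCCCCCCCC FFFFFFFFFFFFFFFFFFFFFFFFFFF 2011-03-01 10:50:00 198.51.100.7 443 0
s Fast Running Valid
""",
]

CONSENSUS_PERIOD = timedelta(hours=1)  # each snapshot describes one hour


@dataclass(frozen=True)
class RelayStatus:
    valid_after: datetime   # start of the snapshot's validity window (UTC)
    nickname: str
    address: str
    flags: frozenset        # e.g. {"Exit", "Fast", "Running", "Valid"}


def _utc(value):
    """Accept 'YYYY-MM-DD HH:MM:SS' or a datetime; return an aware UTC datetime."""
    if isinstance(value, str):
        value = datetime.strptime(value, "%Y-%m-%d %H:%M:%S")
    return value if value.tzinfo else value.replace(tzinfo=timezone.utc)


def parse_snapshot(text):
    """Parse one snapshot into RelayStatus records (one per 'r'/'s' pair)."""
    valid_after = None
    pending = None          # (nickname, address) from the most recent "r" line
    records = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "valid-after":
            valid_after = _utc(f"{parts[1]} {parts[2]}")
        elif parts[0] == "r" and len(parts) >= 9:
            pending = (parts[1], parts[6])      # nickname, IP address
        elif parts[0] == "s" and pending is not None:
            if valid_after is None:
                raise ValueError("relay line before valid-after")
            nickname, address = pending
            records.append(RelayStatus(valid_after, nickname, address, frozenset(parts[1:])))
            pending = None
    return records


def exit_relay_check(ip, when, snapshots=SAMPLE_SNAPSHOTS, slack_hours=1.0):
    """Classify `ip` at time `when` as 'exit', 'relay_not_exit' or 'no_match'.

    Returns (verdict, matched_records).  `slack_hours` widens every snapshot
    window on both sides so that clock skew in the investigator's logs does
    not make a relay that was really running look absent.
    """
    addr = ip_address(ip)
    when = _utc(when)
    slack = timedelta(hours=slack_hours)
    matched = [
        s for snap in snapshots for s in parse_snapshot(snap)
        if ip_address(s.address) == addr
        and s.valid_after - slack <= when < s.valid_after + CONSENSUS_PERIOD + slack
    ]
    if not matched:
        return "no_match", matched
    if any("Exit" in s.flags for s in matched):
        return "exit", matched
    return "relay_not_exit", matched


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
        verdict, hits = exit_relay_check(ip, "2011-03-01 10:30:00")
        print(f"{ip:>14}  {verdict:<15} ({len(hits)} snapshot(s) matched)")
```

A "no_match" verdict only means the address was not a listed relay in the snapshots consulted; it says nothing about who was behind it, which is the post's wider point.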


  • YouTube Downloader Site Sued By World’s Biggest Music Labels

    August 26, 2011

    The world’s largest recording labels have joined forces in Japan to sue a site which enables users to download material from YouTube. Universal, EMI, Sony, Warner and more than 25 other labels are seeking almost $3 million in damages and the closure of TubeFire, a site which converts the streaming-only experience of YouTube into music and videos to be enjoyed on any device, anytime.

    YouTube is without doubt one of the greatest sites ever to grace the Internet. In its library it has countless videos, many accompanied by music, and for millions of web users it’s a site to visit every single day.

    But for all its brilliance, YouTube isn’t perfect. YouTube requires an Internet connection to function and even once material has buffered in a user’s browser, once that window is closed that data is lost forever. If the user wants to view a video again or listen to a piece of music, they simply must be connected to the site.

    This shortcoming has been noted by various companies around the world who have created tools and services to get around the issue. So-called ‘YouTube Downloaders’ allow users to keep the music and videos on local devices, meaning that no net connection is required to view them again.

    One such site, TubeFire, has been in operation since 2007 but now it appears the world’s largest recording labels – including Universal, EMI, Sony, Warner and more than 25 others – have had enough.

    On August 19th, the Recording Industry Association of Japan (RIAJ) filed a lawsuit at the Tokyo District Court against MusicGate, the Japanese owners of TubeFire. The plaintiffs in the case claim that by copying and converting YouTube videos and then distributing the resulting files to its userbase, TubeFire is in breach of copyright law.

    According to their own studies, the labels believe that 10,000 music videos were transferred from the TubeFire service to users between May and June this year. Using this data the recording industry group says it is seeking total damages of around $3 million – the amount they say the labels would’ve earned if TubeFire had obtained official licenses.

    “So far, we have given our best attention so as not to infringe copyright,” says a notice on the TubeFire website. “However, a complaint submitted to the Tokyo District Court accuses TubeFire of violating copyright.”

    TubeFire say they have not yet received the full details of the complaint but as a precaution they have terminated their service, at least temporarily.

    “In order to completely prevent the spread of the problem, from 23 August 2011 we decided to stop TubeFire and related services. We apologize for the inconvenience, thank you for your understanding.”

    There are dozens of similar YouTube downloading services and tools which achieve the same end result so shutting down one isn’t going to make a huge difference to the labels.

    While some like MakeItMP3 are web-based and extremely fast, Firefox extensions such as Easy YouTube Downloader (also available for Chrome) and others have millions of users.

    Services such as Tubidy, which enable cellphone users to download free MP3s from music culled from YouTube, are also growing in popularity.

    In late 2010, the MP3Rocket software abandoned its P2P roots and became a service which acquires its media from YouTube and other similar sites. Its operators now insist that all “downloads must be for time-shifting, personal, private, non-commercial use only” in order to comply with relevant laws.


  • Skype bug may expose users to malicious code

    By Dan Goodin
    August 22, 2011

    Skype: Does not. Researcher: Does so

    The latest version of Skype for Windows contains a security vulnerability that allows attackers to inject potentially dangerous code into a user's phone session, a German security researcher has reported.

    The XSS, or cross-site scripting, vulnerability in Skype 5.5.0.113 is the result of the voice-over-IP client failing to inspect user-supplied phone numbers for malicious code, researcher Levent Kayan said. As a result, attackers might be able to exploit the bug to inject commands or scripts that hijack the machine running the program.

    “An attacker could for example inject HTML/JavaScript code,” Kayan wrote in an advisory published on Wednesday. “It has not been verified though, if it's possible to hijack cookies or to attack the underlying operating system.” An attacker might also exploit the vulnerability to remotely execute malicious JavaScript files on external websites, he said.

    A Skype spokeswoman disputed Kayan's account.

    "We have had this reported to us by various media outlets and have confirmed that the person is mistaken, this is not a web window and while it does cause a phone number to be underlined, does nothing other than this," spokeswoman Brianna Reynaud wrote in an email.

    In an email to The Register, Kayan stood his ground, insisting that at a minimum, the flaw allows an attacker to create a hyperlink on a victim's client that leads to a site of the attacker's choosing.

    "According to Skype's spokeswoman, I wanted to tell you, that this is not really true what she said, because the entries in (home, office and mobile phone and even in "city") are embedded via HTML," he wrote.

    Kayan said the unsafe content is displayed when users view a booby-trapped profile. The malicious profile is created by inserting a JavaScript command or web address where a phone number is expected. The reported vulnerability is eerily reminiscent of an XSS bug Kayan reported in an earlier version of Skype last month.

    Such vulnerabilities open the possibility of creating self-replicating attacks if they can be used to target users contained in each victim's contact list. As each new user is exploited, the worm spreads virally by attacking a whole new set of people. A vulnerability reported in May for Mac versions of Skype was described as wormable, though there are no reports it was ever exploited in the wild. It's unclear if the current vulnerability might also allow for self-replicating attacks.

    Microsoft is in the process of acquiring the popular internet-based phone service.
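    As an added example, not Skype's code: the validate-then-escape pattern that the reported profile-field bug calls for, applied to the fields the researcher names (home, office and mobile phone, and city). The field names, the phone-number allowlist and the tel: link rendering are assumptions for illustration; the point is that a phone field accepts only phone-shaped input, and every value is escaped before it is spliced into HTML.

```python
import html
import re

# Strict allowlist for the phone-number fields: an optional leading "+", then
# digits with the usual separators.  Markup, quotes and URL schemes never
# match, so they are rejected up front rather than rendered.
PHONE_RE = re.compile(r"\+?[\d(][\d ()./-]{3,24}")
PHONE_FIELDS = ("home", "office", "mobile")   # field names assumed from the report
TEXT_FIELDS = ("city",)


class InvalidProfileField(ValueError):
    """Raised when a profile value fails validation."""


def validate_phone(value):
    """Return the number with whitespace collapsed, or raise InvalidProfileField."""
    value = " ".join(str(value).split())
    if not PHONE_RE.fullmatch(value) or sum(c.isdigit() for c in value) < 4:
        raise InvalidProfileField(f"not a phone number: {value!r}")
    return value


def is_valid_phone(value):
    """Boolean wrapper around validate_phone for callers that only need a check."""
    try:
        validate_phone(value)
        return True
    except InvalidProfileField:
        return False


def tel_href(value):
    """Build a tel: URL from a validated number, keeping only '+' and digits."""
    return "tel:" + re.sub(r"[^\d+]", "", validate_phone(value))


def render_unsafe(fields):
    """The pattern the advisory describes: raw values spliced straight into HTML."""
    return "".join(f'<div class="{k}">{v}</div>' for k, v in fields.items())


def render_safe(fields):
    """Validate phone fields, drop unknown fields, and escape every value.

    Phone fields become clickable tel: links whose href is built only from the
    validated digits; the displayed text and the city field are HTML-escaped
    with quote=True so they are inert in both element and attribute context.
    """
    out = []
    for key in PHONE_FIELDS + TEXT_FIELDS:
        if key not in fields:
            continue
        value = fields[key]
        if key in PHONE_FIELDS:
            shown = html.escape(validate_phone(value), quote=True)
            out.append(f'<div class="{key}"><a href="{tel_href(value)}">{shown}</a></div>')
        else:
            out.append(f'<div class="{key}">{html.escape(str(value), quote=True)}</div>')
    return "".join(out)


if __name__ == "__main__":
    # Constructed profile: one well-formed number and one city value carrying markup.
    profile = {"home": "+49 30 1234567", "city": "Berlin <b>x</b>"}
    print(render_safe(profile))
    try:
        render_safe({"mobile": "<b>not a number</b>"})
    except InvalidProfileField as exc:
        print("rejected:", exc)
```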


  • RIAA files appeal in Jammie Thomas case

    By Greg Sandoval
    August 22, 2011

    The large record companies have filed an appeal in their long-running copyright case against Jammie Thomas-Rasset, a Minnesota woman who was found liable for illegal file sharing.

    In court documents filed with the U.S. Court of Appeals for the Eighth Circuit in St. Louis, the Recording Industry Association of America (RIAA) says it is appealing several decisions made during the case, going back to 2008.

    Last month, a federal court once again lowered the amount a jury ordered Thomas-Rasset to pay to compensate the RIAA for damages. Last year, Thomas-Rasset was ordered to pay $62,500 for each of the 24 songs she was accused of uploading illegally to the Web. But U.S. District Court Judge Michael Davis in Minnesota lowered the sum to $2,250 per song and with that, instead of owing the music labels $1.5 million, Thomas-Rasset currently owes them $54,000.

    According to the documents filed with the appeals court by the RIAA, the trade group that represents all four of the largest trade companies wants the judges to determine:

    • Whether the district court erred by concluding that making a copyrighted work available for download on an online file-sharing network is insufficient to constitute a 'distribution' under 106(3) of the Copyright Act, and therefore refusing to enjoin defendant from making plaintiffs' copyrighted sound recordings available to the public.
    • Whether the district court erred by concluding that it had committed an error in instructing the jury that making a copyrighted work available for download on an online file-sharing network constitutes a "distribution" under 106(3) of the Copyright Act and therefore vacating the jury's verdict and ordering a new trial.
    • Whether the district court erred by holding that the jury's award of statutory damages for defendant's willful copyright infringement violated the due process clause even though it was well within the range of damages awards authorized by 504(c) of the Copyright Act.


  • Privacy lawsuit targets comScore

    By Dan Levine and Jim Finkle
    August 23, 2011

    (Reuters) - Online data tracking service comScore Inc siphons confidential information including passwords, credit card numbers and Social Security numbers from unsuspecting users, according to a lawsuit filed on Tuesday.

    The proposed class action lawsuit, filed on behalf of two plaintiffs who downloaded comScore software, also says comScore scans all files on users' personal computers and modifies security settings, among other allegations.

    The lawsuit against comScore, one of the leading companies that measures and analyzes Internet traffic, seeks an injunction against several alleged practices, as well as damages under U.S. electronic communications privacy laws.

    ComScore collects data from people who get free software and chances to enter sweepstakes in exchange for their participation. It sells that information to more than 1,800 businesses around the world, including Best Buy Co, Facebook, Microsoft Corp and Yahoo Inc, according to comScore's website.

    Concerns have surfaced about comScore's data collection practices in the past, though the complaint filed on Tuesday by Chicago-based law firm Edelson McGuire appears to be the first such legal action taken against the company.

    The lawsuit says comScore's software scans all accessible files on a user's computer, as well as all files from other users on the same network, and transmits information about those files back to the company.

    "We have reviewed the lawsuit and find it to be without merit and full of factual inaccuracies," said comScore spokesman Andrew Lipsman. "ComScore intends to aggressively defend itself against these claims."

    Privacy advocates have grown more concerned about data collection, inadvertent or not, as people increasingly transfer tasks from shopping to banking onto the Internet.

    Last year, Google Inc was criticized for its Street View cars, which roam city streets for mapping purposes, because they accidentally collected reams of data from open, unsecured Wi-Fi networks.

    URGE TO PURGE

    ComScore warns visitors to its premieropinion.com website that its software monitors all Internet activity, including filling a shopping basket, completing an application form or checking online accounts.

    "We make commercially viable efforts to automatically filter confidential, personally identifiable information such as UserID, password, credit card numbers, and account numbers," the warning says.

    "Inadvertently, we may collect such information about our panelists; and when this happens, we make commercially viable efforts to purge our database of such information."

    In a 2008 blog post, comScore chairman Gian Fulgoni said the company obtains consent from people before installing data collection software, and that it does not disclose personally identifiable information to its clients.

    ComScore data is routinely cited in media reports about consumer preferences and social networking website use, among other topics.

    The company's biggest customer is Microsoft, which accounted for about 11 percent of the $175 million it took in last year. Media companies like News Corp are also clients, according to the lawsuit, as is Reuters parent company Thomson Reuters Corp.

    The lawsuit does not accuse comScore clients of any wrongdoing. Best Buy, Microsoft and Thomson Reuters spokespeople declined to comment. Representatives for Facebook, Yahoo and News Corp were unavailable to comment.

    EMBEDDED

    According to the lawsuit, comScore attracts some users by advertising on websites. But the lawsuit also accuses comScore of using subsidiaries with innocuous names to disseminate its software and gain access to millions of consumers' computers and networks.

    ComScore software is embedded in free screensavers, games and other applications without proper notice, according to the lawsuit, which was filed in a Chicago federal court.

    Once downloaded, comScore software modifies a computer's firewall settings and gains full rights to access and change any file on the computer, the lawsuit says.

    It is nearly impossible to disable the software once it is installed, the lawsuit says.

    Jay Edelson, an attorney who represents the plaintiffs, said his firm began its investigation of comScore in July 2010.

    "We retained multiple digital forensic firms, who each conducted dozens of independent tests," Edelson said.

    The case in U.S. District Court, Northern District of Illinois, is Mike Harris and Jeff Dunstan, individually, and on behalf of a class of similarly situated individuals v. comScore Inc, case no. 11-cv-5807.

    Source

  • Oz A-G to host ISPs and copyright industry in ‘three strikes’ confab

    By Richard Chirgwin
    August 23, 2011

    Australia’s attorney-general Robert McClelland will host what could be a very uncomfortable meeting in September, with the copyright industry on one side of the table, and ISPs on the other.

    According to The Australian, the death-match industry consultation is designed to “gauge the views of key stakeholders” about copyright enforcement in Australia.

It could be argued that “key stakeholders” had already made their views well-known. On the one side, there’s the roll-call of copyright industry heavyweights lined up behind Village Roadshow as plaintiffs against iiNet, with a High Court appeal seeking to put the onus on ISPs to enforce “graduated responses” to alleged infringement.

    On the other side, ISPs and carriers have been critical both of the copyright industry’s proposals and its tactics, which Exetel described earlier this year as “bullying”. Earlier this year, Telstra stated that copyright law reform should be held in abeyance until the movie industry’s High Court appeal is decided.

    The report in The Australian says the copyright industry line-up will include the overlapping Australian Content Industry Group, the Australian Federation Against Copyright Theft (AFACT), and the Digital Entertainment Alliance Australia*.

    New Zealand’s “three strikes” law, enacted amid heavy criticism and some confusion, is still being held up as a model for Australia by the content industries. The law appears to please nobody, with ISPs still worried about the burdens it may carry, and the copyright industry resentful at the $NZ25-per-notice ISPs can charge to forward copyright infringement notifications to customers.

    Attorney-general McClelland has told both sides that the government would prefer an industry response rather than legislation. This, however, would almost certainly hinge on the outcome of the High Court action: if the court decides to retain the “safe harbour” immunity that is the current status quo, ISPs have little incentive to co-operate, and calls for legislation would almost certainly grow louder.

    Telstra has confirmed that it will attend the meeting, while Optus is believed to have received an invitation but has yet to comment.

    El Reg: *The Digital Entertainment Alliance Australia’s membership creates a conflict of interest for journalists. Its membership includes the Media, Entertainment and Arts Alliance, presumably because that union represents actors. It also represents journalists, but as far as this writer is aware, journalists were never asked whether or not they wanted to take sides in a current and highly controversial debate.

    Source

  • Google fined in Brazil for refusing to reveal bloggers’ identities

    Anna Heim
    August 20, 2011

    Google wants to force people to use their real names online, say many Google+ detractors. Yet, it’s precisely for defending three bloggers’ right to anonymity that its Brazilian subsidiary was fined this Thursday by a local judge. Let’s have a look at what happened.

    Varzea Alegre’s mayor vs. Google Brasil

Varzea Alegre may be a small town of 38,000 inhabitants in the State of Ceara, in Northern Brazil, but the decision its local judge pronounced yesterday probably didn’t go unnoticed in Mountain View. Indeed, the judge decided to freeze R$225,000 from Google Brasil’s bank accounts – around US$141,000. He also imposed a US$3,100 fine on the company for not complying with earlier rulings. Indeed, it wasn’t the first time this court had ruled against Google Brasil in this case.

It all started at the beginning of the year, when Varzea Alegre’s mayor sued Google Brasil, asking the company to remove three anonymous blogs accusing him of corruption and embezzlement. In February, a local judge ordered Google’s subsidiary to close these blogs and provide contact details for their authors. Arguing that its role was limited to hosting and citing freedom of information, Google Brasil didn’t comply, which led the judge to order a US$3,100 daily fine in May. Again, Google Brasil refused to pay or reveal the bloggers’ identities, which led to this week’s new ruling, although the company can still appeal.

    More than an isolated case?

This case highlights the difficulties facing Brazilian bloggers. Death threats and executions are unfortunately not unheard of. More generally, “Brazilian courts have become a press censorship tool”, according to the Deutsche Welle. Although freedom of information is recognized in the Constitution, deficiencies in the legal system leave the door open to abuses; journalists and bloggers are often at risk of lawsuits. For Reporters Without Borders, “abusing the possibility of bringing defamation actions is a form of censorship”.

    It’s also worth noting that this case is only one of the many requests Google receives from the Brazilian government and its representatives. According to the detailed Google Transparency Report which was released in June, Brazil was the second country in terms of user data requests during the second half of 2010 (after the US).

    This may come as a surprise from a democracy such as Brazil. However, these numbers shouldn’t be misinterpreted either. Google itself points out a partial explanation:

    “Government requests for content removal are high in Brazil relative to other countries partly because of the popularity of our social networking website, Orkut.”

Managing such a social network generated a large number of content removal requests whose legitimacy is less debatable, covering content such as apologia for crime, racism and pedophilia. Don’t misinterpret us here: libel is an offense and should be punished, but defamation lawsuits shouldn’t be used to gag dissent.

    Source

  • Can PROTECT IP Be Fixed?

    by Mike Masnick
    August 19, 2011

    Earlier this week, I went to see Rep. Bob Goodlatte speak at a State of the Net West event in Palo Alto. It was basically a Q&A session, hitting on a variety of points concerning legislation that impacts the tech industry. Honestly, there wasn't too much surprising said, though he was clearly well-briefed and ready for a variety of questions on copyright, patents and privacy -- which were the main themes of the discussion. The one thing that really caught my attention was in response to a question about PROTECT IP asked by EFF lawyer Michael Barclay. Goodlatte noted, correctly, that the current PROTECT IP bill being discussed is the one in the Senate, and that the House has yet to introduce its version, but will in the next few weeks. He claimed that the people working on the bill were definitely aware of the criticism being leveled at the Senate version, and he expected that people would be surprised at the House version. He insisted that it aimed to fix some of the problems of the Senate version, but that it might include some "other things" that might upset the tech community. We'll see what's in there when it's ready, though we've already heard that a version of S.978 -- the bill that can put people in jail for embedding YouTube videos -- will be rolled into the House's version of PROTECT IP. Still, while admitting pretty clearly that the bill was "being driven by" the recording industry and the movie industry, he also noted that they "might not be too happy" with some of the things in the bill when it comes out.

    I doubt they'll be too disappointed (other than being upset that it's not draconian enough), but his statements at least raised some basic questions about how you could fix PROTECT IP. Larry Downes takes a stab at the five essential changes needed to fix the bill. He goes into more detail at that link, but the quick version:

    1. Don't destabilize the domain name system
    2. Leave search engines and hyperlinks out
    3. No private enforcement
    4. Correct ongoing abuses by DHS
    5. Clearly define "rogue" Web site

    If I had to guess, I would think that the House bill might actually tackle number one, but I doubt any of the others are under serious consideration. There has been some push for number three, but the entertainment industry lobbyists are salivating so heavily over that one I can't see them giving it up. I haven't seen any indication that anyone (other than Rep. Lofgren) in the House seems to care about the DHS's abuses, so that's out.

    But, really, a bigger question may be whether PROTECT IP is needed at all? I agree that the five changes listed above would be a massive improvement, and would make the bill significantly less objectionable. But, why is this even needed? In this era when we're supposed to be focused on evidence-based copyright changes, the industry doesn't show any evidence of actual harm caused by these "rogue sites." They just insist that they must be "losing" billions. But that ignores the point made over and over again in the research: which is that this is a business model issue, not a legal issue. If the industry spent one-tenth the effort it spends on crafting bad legislation on actually innovating and creating services that people like, this wouldn't even be considered a problem at all.

    Source

  • Germany vs. Facebook: Like Button Declared Illegal, Sites Threatened With Fine

    By Frederic Lardinois
    August 19, 2011

    Updated: German websites based in the state of Schleswig-Holstein have until the end of September to remove Facebook‘s ‘like’ button or face a fine of up to 50,000 Euro.

Germany has a long tradition of using laws to protect its citizens’ privacy. Home owners, for example, can ask Google to pixelate their houses in Street View (maybe so that their garden gnomes can stay incognito?). Facebook’s facial recognition feature has also come under fire in recent weeks. The latest target of Germany’s privacy advocates is Facebook’s ‘like’ button („Gefällt mir,“ in German). Thilo Weichert, the head of the Independent Centre for Privacy Protection of the northern German state of Schleswig-Holstein, argues that Internet sites based in his state that use the ‘like’ button are illegally sending visitor data to Facebook, which in turn uses it to illegally create a profile of its users’ web habits.

    Note: the original article didn’t sufficiently stress the fact that Weichert’s jurisdiction is limited to Schleswig-Holstein only. I’ve updated the story to reflect this more clearly.

    Weichert argues that data from any user who clicks the ‘like’ button – including those who are not Facebook users (which seems to be the crux of the problem for Weichert) – is immediately transmitted to a server in the United States. Weichert told German newspaper FAZ that his concern is that “Facebook can track every click on a site, how long I’m there, what I’m interested in.”

    According to the Independent Centre for Privacy Protection’s press release, Facebook uses this data to create “a broad individual and for members even a personalised profile. Such a profiling infringes German and European data protection law. There is no sufficient information of users and there is no choice; the wording in the conditions of use and privacy statements of Facebook does not nearly meet the legal requirements relevant for compliance of legal notice, privacy consent and general terms of use.”

    According to the Associated Press, Weichert is also telling users to “‘keep their fingers from clicking on social plug-ins’ and ‘not set up a Facebook account’ to avoid being profiled.”

Facebook, of course, rejects Weichert’s claims and argues that it is operating well within Germany’s and Europe’s data and privacy protection laws. Its users, Facebook says, stay in “full control of their data.”

    50,000 Euro Fine

    Indeed, Weichert isn’t actually ready to sue Facebook itself because it is outside of his jurisdiction. His agency, however, is threatening to sue site owners who continue to implement the ‘like’ button on their sites with a fine of up to 50,000 Euro. Site owners have until the end of September to remove the ‘like’ button from their sites.

    Source

  • Kill Your Router: The Internet Can Come From Anywhere

    By Michael J. Coren
    August 18, 2011

    Everyone needs the Internet, and as our data requirements explode, it's putting a strain on broadband networks. Luckily, scientists can make wireless signals come from your TV and your lightbulb.

Internet traffic is booming, and something has got to give. Cisco reported this June that global IP traffic increased eightfold during the last five years, and is expected to jump by a factor of four, as we reach the rather ominously named "zettabyte threshold" by 2015. With the proliferation of millions of networked devices, and the popularity of Internet video, none of this data demand is expected to slacken.

Very few of those devices are going to require a cable. But Wi-Fi is only one (rather limited) option for getting Internet signals through the air to you. In the future, the Internet might come from the "white space" in your television spectrum, unused satellite signals, or the LED office lights overhead. Perhaps all of them. For the immediate future, your new lightbulb is a leading contender.

A German physicist has come up with a wireless Internet solution that sends data through an LED lightbulb by fluctuating its intensity faster than the human eye can detect. The invention, dubbed D-Light, can send data faster than 10 megabits per second--faster than the average broadband connection--simply by modulating the intensity of the ambient light in the room. It has potential applications in hospitals, airplanes, the military, and even underwater.

Similar technology has already landed at some U.S. offices. Mohsen Kavehrad, a Penn State electrical engineering professor, says Internet speeds up to 10 Mbps are not a problem using existing infrastructure such as electric power lines. He also noted by email that far faster speeds, at least several hundred megabits per second, have been achieved in laboratories around the world and could hit the market within several years.

    To start easing the load on broadband, the Federal Communications Commission is already considering opening up the wireless spectrum from televisions to mobile devices and even satellites. One of its core strategies is a "flexible use" policy for multiple dynamic users to sop up spare bandwidth as it becomes available. But with spare valuable television "white space" already handed out to unregistered wireless devices, and the technical challenge of throwing open the spectrum to more users still unresolved, traffic jams may be looming. So, for now, turning on the Internet with your light switch just might be a bright idea.

    Source

  • Don't Blame Social Media for Social Unrest

    By Jerry Brito
    August 17, 2011

    Last week's horrific London riots have been blamed on everything from solar flares to incredibly good design, but one contributing factor has been villainized above all others: social media.

    The Daily Mail ran the headline, “Rioting thugs used Twitter to boost their numbers in thieving store,” and police officials and members of parliament called for a suspension of BlackBerry Messenger service.

But the riots seem to be only the tip of the iceberg of social media unrest this week. In the U.S., Twitter-organized flash mobs have been descending on convenience stores and department stores, allowing dozens of congregating vandals to loot goods and then leave, shielded by the anonymity of a crowd. Such mobs have been reported in D.C., Philadelphia, Cleveland, Los Angeles and elsewhere. In one case in April, a “gang incited” Twitter mob trashed Venice Beach shops and left a man shot.

    Twitter also facilitated what was essentially a denial of service attack on the Compton Sheriff's station phones on Friday. Rapper "The Game" tweeted the police station's phone number to his 580,000 followers saying they should call to apply for a music industry internship. As a result, police phone lines were tied up for several hours, affecting 911 service. The rapper may now be facing charges.

    Back in the U.K., police are beginning to crack down. On Friday, Essex police arrested a man for sending a BBM text message encouraging people to take part in a mass water-gun fight. And two men from Cheshire have been sentenced to four years in jail for posting Facebook messages inciting rioting and looting. (Their pleas were unsuccessful.)

    “Everyone watching these horrific actions will be struck by how they were organized via social media,” Prime Minister David Cameron told Parliament after the riots. “Free flow of information can be used for good. But it can also be used for ill.”

    And there's the rub.

    Twitter and other social media are value-neutral tools, and they can be put to incredibly destructive uses. Let's never forget, though, that the vast majority of the time social media is used constructively, connecting friends and family, facilitating expression and creativity, and even spawning amazing spontaneous efforts like the volunteer clean-up after the riots.

    It's perfectly legitimate to be concerned over its potentially destructive uses, but let's be careful what we do about it. Cameron went on to tell parliament that he had asked police if they needed new powers to tackle social media hooliganism. If that includes the ability to shut down new media or restrain people from speaking, that's a bad idea.

    One reason is that police and politicians are not going to be very good at distinguishing between harmless fun flash-mobbing, legitimate political protest, and incitements to crime. They will tend to err on the side of caution—and the side of avoiding any potential controversy at all.

Last week saw a case in point when San Francisco transit authorities shut down cell phone service at some of their subway stations after they got word that a group would be protesting a recent fatal shooting of an unarmed man by BART Police. That's the kind of preemptive censorship of protestors that Western governments railed against this spring when it was Arab regimes pulling the plug.

    Police will tend to ignore the overwhelming amount of good that social media facilitates at the first sign of a potential threat. That's a dangerous tendency, and that's why governments—democratic or autocratic—should not have the power to pull the plug on communications.

    What's the alternative? Police should police and apprehend and prosecute the small minority of delinquents who use the new tools for ill. There's uncertainty in that, and a real possibility that new media will be used for crime. It's also a lot more work for officials. But that is the small price we must pay for a free society.

    Source

  • Dear Musicians: The RIAA Is About To Totally Screw You Over (Again!)

    by Mike Masnick
    August 16, 2011

It's been two years since we first warned of the pending fight concerning musicians asserting their copyright termination rights. As you hopefully know by now, copyright law includes a "termination right," which cannot be contractually given up, which allows the original content creator to "reclaim" the copyright on their works 35 years after the rights were assigned. The only real exception is in cases where the work qualifies as "work for hire." I'm actually not a huge fan of termination rights in the first place for a variety of reasons, but the fact is that they're there... and they scare the entertainment industry silly.

    The big legal fights so far have mostly been about the comic book industry, with the heirs of Superman's creators having won back some rights to Superman -- while Jack Kirby's heirs failed to win back the rights to The Incredible Hulk and X-Men. Kirby's family just appealed and there are still additional disputes around the Superman stuff.

    However, the real showdown is about the music industry. The NY Times has an article about the impending battle, which has a variety of interesting tidbits, but none more ridiculous than the RIAA officially making it clear that it intends to totally screw over musicians. As we made clear two years ago when we wrote about this, the RIAA was going to come out fighting to try to block what the law clearly allows, and will do everything it can to screw over artists and keep them from regaining their own copyrights.

    “We believe the termination right doesn’t apply to most sound recordings,” said Steven Marks, general counsel for the Recording Industry Association of America, a lobbying group in Washington that represents the interests of record labels. As the record companies see it, the master recordings belong to them in perpetuity, rather than to the artists who wrote and recorded the songs, because, the labels argue, the records are “works for hire,” compilations created not by independent performers but by musicians who are, in essence, their employees.

    First, this may be the first time the mainstream media has accurately pointed out that the RIAA represents the "interests of the record labels" rather than the interests of the music industry or musicians. As is clear in this case, the RIAA's interests are diametrically opposed to the interests of artists, and the fact that Marks has the gall to flat out say that termination rights don't apply to most sound recordings is so intellectually dishonest.

    The RIAA knows full well that termination rights absolutely do apply to most sound recordings. To be fair, this is mostly an accident of history. As was detailed in an excellent IP Colloquium episode last summer all about termination rights, what got covered and what didn't basically depended on who was in the room and who was more aggressive in their lobbying. Nine "work-for-hire" exceptions were put into the law. It doesn't make much sense which ones made it and which didn't, but that's lobbying for you.

However, the reason we know that the RIAA is fully aware of the fact that copyright termination does apply to most sound recordings is because a dozen years ago, recognizing that this was going to become an issue, the RIAA famously had a small-time Congressional staffer by the name of Mitch Glazier sneak four innocuous-looking words into the middle of a totally unrelated bill to quietly and retroactively have sound recordings declared "works for hire." This literally happened overnight, with none of the elected officials voting on the bill being made aware of it.

    Once that became public, artists (quite reasonably) freaked out and went very, very public about how the RIAA was totally screwing them over. It's one of the few times in history when Congress actually went against the RIAA, removing the language soon after it was approved. Of course, the guy who slipped the language in, Mitch Glazier, came out of this fine. Just three months after putting in that language, he was hired by the RIAA at a $500,000 per year salary, and he's just been promoted to the number two spot at the RIAA.

    If you ever needed any more evidence that the RIAA is entirely anti-artist, this is it. It's put the guy who tried to take away their right to regain copyrights in the number 2 spot just weeks before out and out declaring that the organization simply doesn't believe sound recordings qualify for termination rights.

So, since they know damn well that sound recordings do qualify for termination rights, how are they going to claim otherwise? They may (as the NY Times article suggests) try to rely on last year's ruling concerning Bob Marley's recordings, in which they were declared "work for hire" and his family was unable to reclaim the copyright. But that's a different story, as those recordings were made before the 1976 Copyright Act took effect, so the ruling really doesn't apply.

    Instead, my bet is they're going to lean heavily on a Second Circuit Appeals Court ruling from last year, which claimed that an album is a single compilation for the purposes of copyright law. That matters, because while "sound recordings" are not covered as a "work for hire," "compilations" are. Of course, the obvious intent of including "compilations" was based on the realization that if multiple people contribute pieces to a larger whole compilation, separating out those rights later under termination laws would be freakishly impossible. Thus it was just easier to label the entire compilation as held by the producer. But a single album by a single artist clearly is not a compilation in that sense, despite the RIAA's claim above.

    Other than that, the only way the RIAA can make a work for hire claim stick is to say that musicians were employees who created the music "within the scope of his or her employment." That, obviously, is completely laughable, since the labels don't hire musicians, nor do they pay them salaries. In fact, while they give them "advances," those are merely a form of loan that the artists have to pay back out of their own earnings. So the labels aren't even paying for the music creation.

    Either way, it's pretty stunning that the RIAA has so blatantly declared war on artists. I'm somewhat surprised that more musicians aren't speaking out about this, but it's going to happen. No wonder the RIAA is so desperate to get things like PROTECT IP passed now, before this next battle comes to fruition. Once you have a bunch of big name musicians going very public about how the RIAA is screwing them over, it's going to be increasingly difficult for the RIAA to keep up the facade about how it's representing the interests of musicians while it's actively and vocally trying to totally screw them over.

    Source

  • Do we have a right to use Twitter and Facebook?

    By Mathew Ingram
    August 15, 2011

    In the aftermath of the London riots, Britain’s prime minister has said the government is considering blocking people from using social media such as Twitter and Facebook, and a British MP has compared this kind of shutdown to closing a road or shutting down train service during an emergency. Today in the Wall Street Journal, a columnist makes effectively the same argument, saying a ban on social media does not violate the principle of freedom of speech, and “techno-utopians” are getting worried about nothing. But are they? Or are these kinds of moves a step on a slippery slope that leads to Chinese-style control over information networks?

    A reasonable compromise?

In his WSJ column, Gordon Crovitz says that British prime minister David Cameron and his allies were “widely ridiculed” for suggesting they might shut down access to social media, but argues that such restrictions are justified, and “permitting peaceful protests while stopping violence seems like a reasonable compromise.” The WSJ columnist notes that the Bay Area Rapid Transit authorities shut off cell service on the system’s platforms because of a threatened protest (which my colleague Erica wrote about last week), and says this was a success because “the world did not end.” Crovitz adds:

    [A]ll uses of technology are not equally virtuous. Enthusiasm for technology should not lead to a moral and political relativism that confuses crime with free speech and the British police with authoritarian governments.

    Of course, Crovitz doesn’t say how a social-media or cellphone shutdown (or both) would allow the British government — or anyone else, for that matter — to “permit peaceful protests while stopping violence.” Presumably, it would allow people to protest so long as they didn’t want to communicate with each other via the Internet or their cellphones about those peaceful protests. But that’s part of the problem with such an approach: It prevents everyone from using these tools, regardless of their intent.

    In other words, the BART blockade prevented people from using their phones for peaceful or even emergency purposes as well as nefarious purposes — all because the agency was afraid of a protest that never actually occurred. Is that a fair trade? What if someone at those stations had been trying to call the hospital or the police?

    China and Iran are watching us

    Foreign-policy writer Evgeny Morozov has also written a piece in the Wall Street Journal that makes reference to the London riots and the desire of the authorities to shut down or restrict access to communication networks and social-media tools. But in his column, entitled “Repressing the Internet, Western-Style,” Morozov warns that advocates of such behavior should be aware that repressive governments in countries such as China and Iran are watching what Western democracies do, and that every infringement of liberties will be taken as a vindication of their own repressive behavior.

    Britain’s prime minister isn’t the only one considering a social-media shutdown. In a series of comments posted to Twitter in the wake of the London riots, MP Louise Mensch said that she sees the shutdown of all social-media and other communication networks as no different from the police closing a road during an emergency. “If in a major national emergency police think Twitter and FB should take an hour off? So be it,” she wrote. “I don’t have a problem with a brief temporary shutdown of social media just as I don’t have a problem with a brief road or rail closure.” She went on to say:

    If short, necessary and only used in an emergency, so what. We’d all survive if Twitter shut down for a short while during major riots… Social media isn’t any more important than a train station, a road or a bus service… If riot info and fear is spreading by Facebook & Twitter, shut them off for an hour or two, then restore. World won’t implode.

    This kind of argument that “the world didn’t end” or “the world won’t implode” is part of the problem: It encourages us to see such behavior as fine so long as there isn’t a massive negative outcome. But despite Crovitz’s blasé response to the idea, every subsequent shutdown or restriction chips away at important principles like freedom of speech. Do governments have the right to restrict those kinds of things in certain emergency situations? Sure they do. But those situations should be chosen very carefully, and we should force the authorities who do so to justify that choice.

    Speech needs to be protected in all its forms

    Aren’t these kinds of restrictions just like closing a road, as Louise Mensch argues? No. Public speech, of the kind that social-media tools like Twitter and Facebook allow — not to mention cellphone or other networks — isn’t like driving to the store for a carton of milk, where a mild inconvenience is not a big deal. Advocates of a shutdown like to claim that no one has a right to use Twitter, or that such tools are inconsequential and frivolous, and so a ban doesn’t matter. But restricting speech is wrong, no matter what tool the speaker is using to distribute it, or how silly we think the service is.

    In his column, Crovitz says that “the kind of thuggish behavior on display in Britain… is often just below the surface of civilized societies.” He’s right. But then, so is the urge of governments and other authorities to smother or restrict speech — purely for peace-keeping purposes, of course, and in the interests of public safety. He and Louise Mensch may be convinced that they know where to draw the line, but history has shown us it’s all too easy to blur that line, and difficult to stop that process once it begins.

    Source

  • Privacy laws are not fit for purpose

    By Dave Neal
    August 15, 2011

    PRIVACY LAWS in the UK do not do enough to protect citizens against abuse, says a report from the Equality and Human Rights Commission.

    This is because current privacy laws have failed and will continue to fail to stop breaches of personal data privacy, according to the commission, and have fallen behind the pace of technology and personal data collection.

    "It's important that the government and its agencies have the information they need about us to do their job, for example to fight crime, or protect our health. However, the state is holding increasing amounts of information about our lives without us knowing, being able to check that it's accurate or being able to challenge this effectively," said Geraldine Van Bueren, a commissioner for the Equality and Human Rights Commission.

    "This needs to change so that any need for personal information has to be clearly justified by the organisation that wants it. The law and regulatory framework needs to be simplified and in the meantime public authorities need to check what data they have and that it complies with the existing laws."

    The commission is expecting that the Government will heed its warnings and bring in changes that will better protect personal information. This is perhaps not too much of a leap, especially if some clever wag was to put it to them, "It would perhaps be wise, Sir, if we were to give ourselves more control over personal information."

    Currently the way that data is handled is "deeply flawed", according to the commission, and as a result it is difficult for citizens to assess what information might be held about them, by whom and why.

    The fact that so much data is intangible means that it is hard for individuals to find out where there are errors about them and, if there are, how they should challenge them. Individuals, added the commission, are also lacking in knowledge about how to challenge breaches, or indeed when such a breach has occurred.

    The commission added that breaches of privacy are only likely to worsen, and recommended the piecemeal reform of any relevant laws in the area.

    This, in an ideal world, would mean that current legislation is streamlined, that any bodies that hold information justify their need for it, and that any requests these bodies make for further information are actually warranted, proportionate and justified.

    Source

  • Man reveals secret recipe behind undeletable cookies

    By Dan Goodin
    August 16, 2011

    New and improved cookie 'respawning' revealed

    A privacy researcher has revealed the evil genius behind a for-profit web analytics service capable of following users across more than 500 sites, even when all cookie storage was disabled and sites were viewed using a browser's privacy mode.

    The technique, which worked with sites including Hulu, Spotify and GigaOm, is controversial because it allowed analytics startup KISSmetrics to construct detailed browsing histories even when users went through considerable trouble to prevent tracking of the websites they viewed. It had the ability to resurrect cookies that were deleted, and could also compile a user's browsing history across two or more different browsers. It came to light only after academic researchers published a paper late last month.

    KISSmetrics' CEO responded with a post on the company's website claiming the research “significantly distorts our technology and business practices.” The company also responded by adding a “consumer-level opt-out for those who wish to be entirely removed from all KISSmetrics tracking, going well beyond the options that other analytics companies provide.”

    Ashkan Soltani, one of the researchers, stands by the findings and said KISSmetrics' recently updated privacy policy doesn't make it clear how users go about opting out of tracking.

    At the heart of the technique is the practice of storing a unique identifier, known as an ETag value, in a browser's cache and metadata folders. A piece of JavaScript hosted on kissmetrics.com accesses the serial number each time one of the KISSmetrics websites is viewed.

    “It's effectively acting like a cookie because with every connection to KISSmetrics, it will send a referrer header and the ETag value,” Soltani told The Register. “The ETag is effectively acting as a cookie. It has the same exact value of the cookie as well.”

    KISSmetrics analytics combined the ETag technique with several other controversial technologies that use cookies based on Adobe Flash and HTML5 to reproduce tracking cookies even after a user had specifically deleted them. Soltani and his colleagues first documented the sneaky move in 2009 and dubbed it cookie “respawning.”

    Adobe responded by building an application interface that made it easy for users to delete Flash cookies using standard features in a browser's menu. The advent of server-based scripts that pull up ETag data means that it's once again trivial for analytics services to defy the wishes of visitors who don't want to be tracked.

    “The more accurately they can represent the number of uniques that have visited their sites the more value they can provide for their analytics customers,” Soltani explained. “That might mean you as a person who doesn't want to be tracked uniquely trying to opt out. They're incentivized to circumvent that opt-out.”

    Soltani said the only way to block the tracking using the technique is to block all cookies and to clear the browser cache after each site visited. He has published a detailed technical description of the new technique here.
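    To make the mechanism described above concrete from the defender's side, the following is an added simulation (not code from the article, from KISSmetrics or from Soltani's writeup; the hostnames and the pixel body are constructed). It models a server that hands every fresh cache a different ETag for a resource whose content never changes, and a browser whose cookie jar and HTTP cache are separate stores. It shows why clearing or blocking cookies does nothing against this identifier, why clearing the cache after each site does, and gives a small audit check that flags an ETag behaving as a per-visitor identifier rather than a content validator.

```python
import secrets
from collections import defaultdict


class TrackingServer:
    """Constructed model of an analytics host that abuses ETag validation.

    The tracking resource's body is identical for everyone; only the ETag handed
    to each first-time visitor differs, so the validator doubles as an identifier.
    """

    PIXEL = b"GIF89a\x01\x00\x01\x00"  # constructed placeholder body

    def __init__(self):
        # identifier -> list of Referer values seen together with it
        self.histories = defaultdict(list)

    def handle(self, if_none_match, referer):
        """Serve the pixel. A known validator in If-None-Match is echoed back
        with 304, which re-links this request (and its Referer) to the id."""
        if if_none_match is None or if_none_match not in self.histories:
            etag = secrets.token_hex(8)  # fresh identifier for a fresh cache
            self.histories[etag].append(referer)
            return 200, etag, self.PIXEL
        self.histories[if_none_match].append(referer)
        return 304, if_none_match, b""


class Browser:
    """Constructed model of a browser: cookies and HTTP cache are separate stores."""

    def __init__(self):
        self.cookies = {}
        self.cache = {}  # url -> validator stored alongside the cached body

    def fetch(self, server, url, referer):
        status, etag, _body = server.handle(self.cache.get(url), referer)
        self.cache[url] = etag  # kept even when cookies are blocked or cleared
        return status

    def clear_cookies(self):
        self.cookies.clear()

    def clear_cache(self):
        self.cache.clear()


PIXEL_URL = "https://tracker.example/pixel.gif"  # assumed hostname
SITES = ["https://site-a.example/", "https://site-b.example/", "https://site-c.example/"]


def simulate(clear_cache_between_sites):
    """Return the tracker's view of one user visiting three sites: how many
    distinct identifiers it assigned and the longest cross-site history it built."""
    server = TrackingServer()
    browser = Browser()
    for site in SITES:
        browser.fetch(server, PIXEL_URL, referer=site)
        browser.clear_cookies()  # what cookie blocking achieves here: nothing
        if clear_cache_between_sites:
            browser.clear_cache()  # the mitigation Soltani describes
    longest = max(len(h) for h in server.histories.values())
    return {"identifiers": len(server.histories), "longest_history": longest}


def etag_looks_like_identifier(responses):
    """Audit check: fetch one URL from several independent fresh caches. If the
    bodies are identical but every ETag differs, the ETag is not a content
    validator but a per-visitor identifier. `responses` is a list of (etag, body)."""
    etags = {e for e, _ in responses}
    bodies = {b for _, b in responses}
    return len(responses) > 1 and len(bodies) == 1 and len(etags) == len(responses)


def probe_fresh_clients(n=3):
    """Hit the constructed tracker from n independent fresh caches."""
    server = TrackingServer()
    return [server.handle(None, SITES[0])[1:] for _ in range(n)]


if __name__ == "__main__":
    print(simulate(clear_cache_between_sites=False))  # one id, three-site history
    print(simulate(clear_cache_between_sites=True))   # three ids, one site each
    print(etag_looks_like_identifier(probe_fresh_clients()))  # True
```

    The audit check generalises beyond this one tracker: a legitimate ETag is derived from the resource's content, so two fresh clients fetching the same bytes should receive the same validator, and any resource that fails that test deserves a closer look in the network panel.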

    Source

  • If We’re Turning Off Social Media, I Want News Channels Shut Down, Too

    By Duncan Geere
    August 13, 2011

    Amidst widespread calls from MPs, David Cameron has pledged to investigate the possibility of turning off social networks during times of crisis, lumping Britain in with some rather unsavory company.

    The U.K. has long criticized countries like China, Iran and Libya for censoring the web and clamping down on dissent, which appears incredibly hypocritical to the rest of the world if its prime minister then proceeds to do the same thing on his own turf. Opinion pieces in international newspapers have already started popping up with headlines like “what goes around, comes around.”

    The Telegraph quotes one commentator in China’s official Communist Party mouthpiece — People’s Daily — going even further. The commentator says “The West have been talking about supporting internet freedom, and oppose other countries’ government to control this kind of websites, now we can say they are tasting the bitter fruit [of their complacency] and they can’t complain about it.”

    Chief among the claims by those who want to see more controls on freedom of speech on the web is that social networks amplify panic, spread misinformation and cause already-stretched police communications channels to be overloaded by people worried about some rumor they’ve read online.

    That might be a valid complaint, and even the most synergistic of social media gurus would have to admit — between creating engaging integrated solutions, no doubt — that Twitter wasn’t exactly a paragon of truth and accuracy during the riots, but you can hardly pin the blame solely on social media when rolling news channels like BBC News 24 and Sky News are running looped footage of burning buildings, overlaid with interviews with those who’d lost property and possessions in the looting. It might have been passed through an editorial filter, but continually presenting the worst of the footage creates a very skewed representation of reality.

    Hitwise reckons that 3.4 million people in the U.K. visited Twitter’s homepage on Aug. 9, the day with the most hype around the riots, compared with numbers from Sky News and BBC News 24 of 9.2 million and 13.1 million, respectively. With so much greater a reach, clearly the scaremongering potential of traditional media is far higher than that of social networks. We’ve seen that in the past, with innocent people targeted by vigilante mobs after the News of the World ran a campaign to “name and shame” paedophiles.

    On the flip side, social networks allow for others to debunk claims, rapidly establishing what the facts about a situation are with thousands of eyes on the ground. One cyclist in Bristol was even taking requests from Twitter to go around, fact-checking whether buildings were in fact damaged or not. It’s hard for traditional news infrastructure to cope with situations where violence is springing up in multiple locations simultaneously, but it’s trivial to set up filters for social media that cut through the rumour to deliver eyewitness accounts. Filtering out any tweet with the word “apparently” in would be a good start.

    So if we’re turning off social media for “safety”, why aren’t we shutting down television networks at the same time? Why aren’t politicians demanding that news channels, with their greater reach and potential to panic the public, be turned off during exceptional circumstances, too? After all, it’s all for the safety of the public. Right?

    Source

  • Repressing the Internet, Western-Style

    August 13, 2011

    As politicians call for more online controls after London and Norway, authoritarian states are watching

    Did the youthful rioters who roamed the streets of London, Manchester and other British cities expect to see their photos scrutinized by angry Internet users, keen to identify the miscreants? In the immediate aftermath of the riots, many cyber-vigilantes turned to Facebook, Flickr and other social networking sites to study pictures of the violence. Some computer-savvy members even volunteered to automate the process by using software to compare rioters' faces with faces pictured elsewhere on the Internet.

    The rioting youths were not exactly Luddites either. They used BlackBerrys to send their messages, avoiding more visible platforms like Facebook and Twitter. It's telling that they looted many stores selling fancy electronics. The path is short, it would seem, from "digital natives" to "digital restives."

    Technology has empowered all sides in this skirmish: the rioters, the vigilantes, the government and even the ordinary citizens eager to help. But it has empowered all of them to different degrees. As the British police, armed with the latest facial-recognition technology, go through the footage captured by their numerous closed-circuit TV cameras and study chat transcripts and geolocation data, they are likely to identify many of the culprits.

    Authoritarian states are monitoring these developments closely. Chinese state media, for one, blamed the riots on a lack of Chinese-style controls over social media. Such regimes are eager to see what kind of precedents will be set by Western officials as they wrestle with these evolving technologies. They hope for at least partial vindication of their own repressive policies.

    Some British politicians quickly called on the BlackBerry maker Research in Motion to suspend its messaging service to avoid an escalation of the riots. On Thursday, Prime Minister David Cameron said that the government should consider blocking access to social media for people who plot violence or disorder.

    After the recent massacre in Norway, many European politicians voiced their concern that anonymous anti-immigrant comments on the Web were inciting extremism. They are now debating ways to limit online anonymity.

    Does the Internet really need an overhaul of norms, laws and technologies that gives more control to governments? When the Egyptian secret police can purchase Western technology that allows them to eavesdrop on the Skype calls of dissidents, it seems unlikely that American and European intelligence agencies have no means of listening to the calls of, say, a loner in Norway.

    We tolerate such drastic proposals only because acts of terror briefly deprive us of the ability to think straight. We are also distracted by the universal tendency to imagine technology as a liberating force; it keeps us from noticing that governments already have more power than is healthy.

    The domestic challenges posed by the Internet demand a measured, cautious response in the West. Leaders in Beijing, Tehran and elsewhere are awaiting our wrong-headed moves, which would allow them to claim an international license for dealing with their own protests. They are also looking for tools and strategies that might improve their own digital surveillance.

    After violent riots in 2009, Chinese officials had no qualms about cutting off the Xinjiang region's Internet access for 10 months. Still, they would surely welcome a formal excuse for such drastic measures if the West should decide to take similar measures in dealing with disorder. Likewise, any plan in the U.S. or Europe to engage in online behavioral profiling—trying to identify future terrorists based on their tweets, gaming habits or social networking activity—is likely to boost the already booming data-mining industry. It would not take long for such tools to find their way to repressive states.

    But something even more important is at stake here. To the rest of the world, the efforts of Western nations, and especially the U.S., to promote democracy abroad have often smacked of hypocrisy. How could the West lecture others while struggling to cope with its own internal social contradictions? Other countries could live with this hypocrisy as long as the West held firm in promoting its ideals abroad. But this double game is harder to maintain in the Internet era.

    In their concern to stop not just mob violence but commercial crimes like piracy and file-sharing, Western politicians have proposed new tools for examining Web traffic and changes in the basic architecture of the Internet to simplify surveillance. What they fail to see is that such measures can also affect the fate of dissidents in places like China and Iran. Likewise, how European politicians handle online anonymity will influence the policies of sites like Facebook, which, in turn, will affect the political behavior of those who use social media in the Middle East.

    Should America and Europe abandon any pretense of even wanting to promote democracy abroad? Or should they try to figure out how to increase the resilience of their political institutions in the face of the Internet? As much as our leaders might congratulate themselves for embracing the revolutionary potential of these new technologies, they have shown little evidence of being able to think about them in a nuanced and principled way.

    Source

  • Jesse Kline: In the new Canada, the web browses you

    Jesse Kline
    August 5, 2011

    This fall, legislatures in both Canada and the U.S. are set to vote on bills that would force private Internet service providers (ISPs) to store information about their customers, in order to allow the government to spy on its citizens. With an increasing amount of our everyday activity being conducted online — from banking, to shopping, communicating with friends and family, dating, learning and reading — allowing the state to monitor all our activities in cyberspace sets a dangerous precedent.

    Last week, a U.S. House of Representatives committee approved a bill that would force ISPs to store detailed information on customers and their activities. This would likely include retaining names, addresses, phone numbers, financial information and IP addresses.

    The bill is being touted as a means of protecting children from pornography, but tracking your identity, along with what sites you’re visiting, and handing that information over to the government upon request, has nothing to do with porn.

    “The bill is mislabeled,” Congressman John Conyers told CNET News. “This is not protecting children from Internet pornography. It’s creating a database for everybody in this country for a lot of other purposes.”

    Indeed, pornography is perfectly legal and the logs would be available to law enforcement officials investigating all crimes. They may even be accessible to people involved in civil litigation, in order to gather information on ex-lovers and disgruntled employees. The legislation even has a provision exempting U.S. marshals tracking sex offenders from obtaining a court order before forcing ISPs to hand over private information.

    If the bill becomes law, it will have the same effect as the gun registry in Canada — violating the rights of law-abiding citizens, while criminals find ways to avoid it entirely. It will be easy enough for individuals intent on committing crimes to log onto the public wi-fi network at the local coffee shop, or use a cellular network (wireless carriers were able to lobby their way out of the bill). There are also plenty of freely available software tools that can encrypt data and facilitate anonymous activities.

    Canada’s Conservative government has been trying to pass legislation that goes a step further. Previous incarnations of the legislation died on the order paper for various reasons, but there will be nothing stopping the new majority government from passing it in the fall. In fact, the Conservatives are expected to include the measures in an omnibus crime bill, meaning Parliament will not get a chance to scrutinize or debate it separately from the rest of the package.

    The so-called “lawful access” legislation would force ISPs to disclose customer information to the government — on demand and without obtaining a warrant.

    “This will allow law enforcement to identify individuals involved in a striking array of online activity including anonymous political opinions made in blog posts or newspaper comments, location data posted online from a smart phone, social networking activity, private online instant message or email exchanges,” wrote NDP MP Charlie Angus in a letter to Public Safety Minister Vic Toews.

    It would also require ISPs to install real-time surveillance equipment on their networks, which will cost millions of dollars. But who’s going to pay for big brother to spy on us? The answer to that is not entirely clear, but taxpayers will likely be forced to shoulder some of the burden and the rest of it will fall on private businesses. Smaller ISPs could even be driven out of business, which is not a good thing in a market that is already uncompetitive.

    It is not hard to see the serious speech and privacy implications of such a law (not to mention the violation of private property rights). Might as well just put a camera in every bedroom and feed it directly to the prime minister’s office. Welcome to 1984 folks. If you forget to sign the guest book, don’t worry. They know exactly who you are.

    Source

  • Canadians Should Make the Rules, Not Big Telecom

    By Steve Anderson
    August 1, 2011

    CRTC invites 'stakeholders' to help it decide. Why so few small innovators and regular citizens?

    In early February, OpenMedia.ca received word that the CRTC was planning a set of invitation-only meetings on March 23-24 in Ottawa. Entitled Shaping Regulatory Approaches for the Future, the forum was meant to bring together the "stakeholders" of Canadian telecommunications for "meaningful discussions" on modern regulatory approaches to the telecom industry in Canada. In other words, the meeting was set to be a consultation on the future of Internet in Canada.

    OpenMedia criticized the invitation-only and closed structure of the forum and pressured the CRTC to invite the real "stakeholders" in the future of the Internet -- Canadian citizens. The CBC picked up on this message and put the issue to the CRTC. In response, on March 14th, the CRTC expressed its desire to "open up" the forum and invited me to attend.

    The CRTC refused to video or audio stream the meeting and imposed Chatham House Rule, which prevents attendees from attributing comments. The forum's organizers argued these rules would better allow invitees to "speak freely" and discuss issues openly. This in itself is telling of the kind of "stakeholders" invited to attend. If the CRTC felt that invitees would pontificate and perform in favour of their special interests, perhaps the commission should question their motives in influencing Canada's digital regulatory future in the first place.

    Innovators underrepresented

    At the meeting, innovators were certainly underrepresented, especially given the topic at hand. It seemed that the discussion could have used more voices from innovative services like Hootsuite and online media projects like OpenFile or The Tyee. It's interesting that this sector was the least represented at the forum, since this is where the most innovation, entrepreneurialism, and economic development is happening.

    Though it depends on how you define "public interest," by my estimates, the public was represented by only six people out of just over 70 in attendance. I think organizations that represent the public should be the most represented category, considering we're talking about regulations that will fundamentally shape the way the public uses the Internet.

    At one point during the forum, I spoke to a telecom rep who said he had previously worked for the CRTC. This is probably not unique and is evidence of the revolving door between industry and the commission. What was interesting is that, after I tweeted this fact and it caused a stir, people seemed so shocked that I would indelicately point this out to the public. Really, this is the kind of stuff that needs to be publicized.

    CRTC needs structural repairs

    We can't fix the CRTC's structural problems without finding the cause of those problems. The CRTC's insulation is clearly a problem and the antidote is to ensure its meetings are more transparent and its processes more open and accessible.

    This past week, the CRTC wrapped up a landmark public hearing on Internet metering -- an issue that nearly half-a-million Canadians have spoken out against by signing the StopTheMeter.ca petition. I attended the hearing and presented before the commission twice. I'm happy to report that at the hearing, I witnessed the beginning of what looks like a shift towards a more citizen-centric approach at the CRTC.

    The commission had more individual Canadians make presentations than at any previous hearing. The testimony was authentic and personal, but also remarkably consistent. Canadians want the commission to break the stranglehold big telecom companies (i.e. Bell, Rogers, Telus, Shaw, Videotron) have on the Internet in this country. It's time to ensure the Internet is more open and affordable by enabling access to the Internet independent of big telecom.

    Effort has produced progress

    It's too early to say, but I believe the hearing showed a break in the CRTC's longstanding practice of shielding big telecom at the expense of the Canadian public. The commission finally admitted that there is an Internet affordability problem in this country, and that change is required to fix this dire situation. It appears that when the CRTC takes the time to listen to Canadians, they see things clearer.

    We'll have to keep a watchful eye on the CRTC to make sure their rhetoric is backed up by action. But one thing is clear: the best way to safeguard the open and affordable Internet is for Canadians to stay informed, engaged and active on these issues.

    Source

  • Indian Court Says Service Providers Are Liable For Users' Copyright Infringement

    by Mike Masnick
    August 10, 2011

    from the safe-harbors-be-damned dept

    We've talked many times about the importance of the various safe harbors in the DMCA and the CDA, in the US, in protecting service providers from liability for actions by their users (e.g., YouTube should not be legally responsible if one of its users uploads an infringing work). Other countries have not been nearly as strong on this, though many seem to recognize the basic reasons to not make service providers liable. Unfortunately, it looks like India may have just done away with such safe harbors in a recent decision. Amlan Mohanty alerts us to the detailed writeup he just did about a lawsuit against MySpace in India, and the reasoning of the decision, which definitely appears to wipe out protections for intermediaries and suggests they're perfectly liable for actions of their users.

    I'm certainly not an expert on Indian law, but it really sounds like yet another case of bad legal drafting by lawmakers, in which they approved two laws that seemed to contradict each other. The end result is pretty ridiculous, as was some of the reasoning. For example, the court claimed that because MySpace put in some tools to deal with infringement, that could show it had "knowledge" of infringement. In other words, it seems that according to this ruling, a company is safer in India (though not in most other countries) if it has no policies and no tools to deal with infringement, so that it can claim no knowledge. That's ridiculous.

    However, the court builds on this form of "knowledge" to say that the law requires a site to block infringement if it has such knowledge... In the US, this (mostly, with one exception) means actual knowledge of specific infringing works via a DMCA takedown notice. But, in this ruling the court appears to say that the general knowledge, proved by the mitigation tools, means that MySpace has an obligation to find and block all infringing works, based on just a list given to them by rights holders. Separately, they claim that because MySpace put ads into the videos at issue, it showed that they were reviewing the videos, and thus should have reviewed them for infringement. That such ad insertions are likely automated (and most certainly not done by copyright law experts) does not seem to occur to the court.

    Then there's this whopper. The court apparently decides that MySpace must do a "preliminary check in all the cinematograph works relating Indian titles before communicating the works to the public rather than falling back on post infringement measures." Yup. There go any safe harbors. If you're a service provider online with Indian users... you may want to beware...

    Source

  • Rootkit gangs fight for control of infected PCs

    By John Leyden
    August 10, 2011

    Malware that seeks and destroys other malware

    A turf war is developing between rootkit-touting cybercrooks over control of infected PCs.

    Rootkits are strains of malware designed to hide below the level of anti-virus scanners and programmed to carry out functions such as click fraud. The Russian developer of one of the more potent strains of rootkit, TDL, is supplementing his income by selling the source code for the malware to other cybercrooks via underground forums.

    But one of the groups who bought the code has done its own tinkering to develop a related strain of rootkit, called ZeroAccess. As well as adding click fraud modules the second group has begun bundling functionality that uninstalls the TDL rootkit from infected machines, effectively double crossing the original TDL3 author, according to an analysis by web security firm Webroot.

    "The original author of the TDL3 rootkit made two versions of TDL3. He kept the second version of the rootkit code for himself and sold the first version to the guys behind ZeroAccess," Jacques Erasmus of Webroot told El Reg.

    The group who bought the TDL3 code from the original author added a module called z00clicker that allowed infected machines to be used in click fraud around 12 months ago. ZeroAccess uses an ad clicker plugin called z00clicker2. In addition, the filesystems used by TDL and ZeroAccess are similar, another sign that the adapted version of TDL3 and ZeroAccess are related.

    Adapting purchased source code is all part of software development, whether in the legitimate or underground cyber-economies. However, Webroot's analysis suggests that things have turned sour between the original TDL3 and ZeroAccess groups because ZeroAccess has begun bundling functionality to remove TDL3 from infected machines with a specific module called Anti-TDL.

    "TDL3 Authors sold a version of TDL3 sourcecode to ZeroAccess authors. Now ZeroAccess guys are double crossing the TDL3 author by uninstalling the TDL rootkit," Erasmus told El Reg, adding that the behaviour recalls earlier turf wars between purveyors of the ZeuS and SpyEye banking Trojans, when the latter began bundling functions to nuke instances of ZeuS from PCs it infected in order to gain sole control of compromised boxes.

    ZeroAccess is spreading rapidly via cracks and keygens websites. The malware is particularly difficult to eradicate because it goes out of its way to prevent security software from running on infected machines, as illustrated by a video on YouTube made by Webroot.

    Source

  • Anti-Piracy Lawyers Accuse Blind Man of Downloading Porn

    August 9, 2011

    As the mass-lawsuits against BitTorrent users in the United States drag on, details of the collateral damage this extortion-like scheme is causing become clear. It is likely that thousands of people have been wrongfully accused of sharing copyrighted material, yet they see no other option than to pay up. One of the cases that stands out is that of a Californian man who’s incapable of watching the adult film he is accused of sharing because he is legally blind.

    In March last year the law firm Dunlap, Grubb and Weaver imported the mass litigation “pay up or else” anti-piracy scheme to the United States, and in the month that followed they targeted nearly 100,000 people.

    In total, cases have been filed against more than 200,000 alleged infringers, many of whom are accused of downloading and sharing adult films.

    A significant number of the defendants are likely to be guilty, but there’s also a lot of collateral damage. Firstly it’s unclear how accurate the evidence gathering techniques of the copyright holders are, and even when they have the correct IP-address it doesn’t necessarily follow that the account holder on file is actually the infringer.

    Doe 2,057 in the case of Imperial Enterprises v. Does claims to be one of these wrongfully accused persons.

    This May he received a letter from Comcast informing him that Imperial Enterprises had filed a lawsuit against him for illegally downloading and sharing one of their adult titles — Tokyo Cougar Creampies. To some people this title may seem inviting, but it’s not the type of content Doe 2,057 is interested in.

    Not least because he’s legally blind.

    “To be honest, it’s a little ridiculous. My movie-watching ability is nonexistent. My kids watch movies, but they are 4 and 6, so they don’t watch porn either. Well, hopefully they don’t,” the Doe told the Village Voice Media.

    Although it’s not impossible for blind people to be interested in porn – after all there are plenty of auditory stimuli and interesting dialogues – it’s not really the target group for this type of content. So if this blind man is innocent, who downloaded and shared the movie?

    According to Doe 2,057 one of his neighbors must have used his open WiFi connection to grab the file.

    “I didn’t have time to set up the wireless network in my old apartment,” he explained. “I was working 18-hour days, so I just told my wife to go to Best Buy and pick up a router. She installed it, hit next, next, finish, and — boom — that was it. We lived in a very upscale building; there was no riffraff. We just assumed we didn’t have anything to worry about.”

    But now he does have something to worry about, and that’s the few thousand dollars Imperial Enterprises is demanding from him in settlement.

    Although it’s far from certain that a judge will hold him liable for the alleged offense, like many other defendants he believes that settling is the best option available. Hiring an attorney will cost just as much as the settlement fee, but without any guarantee that he’ll be off the hook.

    “The sad part about this entire porn thing is it will cost more to go to a judge,” Doe says. “At the end of the day, I’ll probably settle and pay the fee to make this go away.”

    And he’s not alone. TorrentFreak has spoken to several people who swore their innocence but paid up just to get rid of the threat.

    The copyright holders and lawyers are very aware of the position these defendants are in, but they gladly take their money. For most neutral observers, however, the whole scheme should raise an eyebrow, to say the least.

    Can we really call that justice?

    Source

  • Privacy Groups Protest Massive DHS Database of Secret Watchlists

    By Ms. Smith
    August 9, 2011

    Homeland Security plans to operate a massive new database of names, photos, birthdays and biometrics called Watchlist Service, duplicated from the FBI's Terrorist Screening Database, which has repeatedly proven inaccurate in the past. DHS wants to exempt the Watchlist Service from Privacy Act provisions, meaning you will never know if you are wrongfully listed. Privacy groups worried about inaccurate info and mission creep have filed a protest, arguing that the Privacy Act says DHS must notify subjects of government surveillance.

    Homeland Security has a plan to expand its Watchlist Service by duplicating the FBI's existing system of watchlist records and then feeding that info into a massive database to which more government personnel would have immediate access. According to the FBI, the consolidated Terrorist Watchlist is "one of the most effective counterterrorism tools for the U.S. government." But according to the ACLU, FBI spying on free speech is nearly at Cold War levels, and the FBI lied to the Justice Department about continuing improper surveillance of peace groups. So it's not some kind of conspiracy theory; it's a fact that innocent people end up on terrorist watchlists.

    So now Homeland Security has proposed to exempt portions of its Use of the Terrorist Screening Database System of Records "from Privacy Act provisions because of criminal, civil, and administrative enforcement requirements." The system of records to be duplicated and expanded into the DHS Watchlist Service will include each suspected terrorist's name, place and date of birth, driver's license and passport info, photos and biometric data, and other personal info.

    This newly proposed DHS Watchlist Service will combine four different DHS systems of records, including the TSA-managed Transportation Security Threat Assessment System and TSA's Secure Flight Records, the Treasury Enforcement Communication System (TECS) managed by the Customs and Border Protection (CBP) Passenger Systems Program Office, and IDENT, which is managed by the US-VISIT Program. In case you were unaware, according to the July 13th testimony before the Senate Committee on Homeland Security, US-VISIT's IDENT is "fully interoperable" with the FBI's "10-fingerprint-based" identity system to run against the watchlist and the "FBI's entire criminal master file of over 69 million identities in near real time."

    The DHS proposal did not please the Electronic Privacy Information Center. EPIC then led a coalition of privacy groups and civil rights organizations to file a protest to Homeland Security's plan to centralize and expand access to the FBI's suspected terrorist database. The privacy groups are challenging Homeland Security's plan to change the Watchlist Service, "a secretive government database filled with sensitive information. The agency has solicited comments on the program, which entails developing a real-time duplicate copy of the database and expanding the groups and personnel with immediate access to the records."

    The statement filed by EPIC and the other privacy and civil rights groups [PDF] points out that DHS has admitted that it "does not control the accuracy of the information in system of records" and that "individuals do not have an opportunity to decline to provide information." Additionally, the DHS Watchlist Service attempts to circumvent privacy protections established by the Privacy Act. Congress previously found that "the privacy of an individual is directly affected by the collection, maintenance, use, and dissemination of personal information by Federal agencies." Congress also emphasized that "the right to privacy is a personal and fundamental right protected by the Constitution of the United States."

    The joint letter argues that the 1974 Privacy Act requires Homeland Security to "notify subjects of government surveillance in addition to providing a meaningful opportunity to correct information that could negatively affect them." Furthermore, "secretive government lists without any meaningful safeguards present a very real risk of 'mission creep,' in which a system is pressed into unintended or unauthorized uses. Under this proposal, the agency would have the right to maintain and rely upon information it does not know to be accurate, relevant, timely, or complete without recourse—the right to subject citizens to arbitrary decisions."

    On OMB Watch, Gavin Baker wrote, "DHS' approach twists the purpose of the Privacy Act exemptions almost beyond recognition. Exemptions should be limited to the time when they're needed, and no longer. But the proposed exemptions would never expire, even if the subjects in the database aren't under active investigation. This isn't necessary to protect the integrity of investigations, and it invites abuses. As our comment to DHS notes, 'the notion of an investigation that is ongoing in perpetuity and without completion would be absurd.'"

    There were already not enough people in Intelligence to properly analyze and verify all the suspicious reports, but Homeland Security's push for "See Something Say Something" just adds to the data flood and is too easily used in a grudge-match by neighbors who report neighbors as suspicious. Each year, the number of people added to no-fly and terrorist watchlists doubles, according to calculations done by SHFTplan. "At this rate, there will be about 550,000,000 people on the watch list by 2019, which exceeds the population of the United States and then some. By 2023, the watch list will actually exceed the population of the entire earth - at which point one can speculate that the government of the U.S. will restrict all air travel."

    While we certainly don't want terrorists running around free to commit mayhem, the way Homeland Security wants to expand and duplicate the watchlist, yet keep it a complete secret from We the People, is ludicrous. It's also fairly scary stuff, America. Not everyone is a terrorist. How many thousands are wrongfully on the watchlist right now? Eventually, as SHFTplan suggests, will everyone who does not work for the government wind up on the watchlist? If DHS gets its way, you can ask if you are on it, but it will never tell you.

    Source

  • Domain Seizures Do Not Violate Free Speech, U.S. Court Rules

    August 5, 2011

    A U.S. federal court has ruled that the domain seizure of sports streaming site Rojadirecta does not violate the First Amendment, and has refused to hand the domain back to its Spanish owner. The order stands in conflict with previous Supreme Court rulings and doesn’t deliver much hope to other website owners who operate under U.S. controlled domain names.

    At the end of January 2011 the U.S. authorities began yet another round of domain seizures, this time against sites connected with sports streaming. This third round of action in ‘Operation in Our Sites’ took control of domains owned by sports streaming site Rojadirecta.

    While most owners of affected domains have decided not to appeal the seizures, the Spanish owner of Rojadirecta, one of Spain’s most popular sites, did.

    Two months ago the company behind the site, Puerto 80, filed a petition in the Southern District of New York for the return of its domains. This call was later supported by the Electronic Frontier Foundation (EFF) who together with Center for Democracy and Technology and Public Knowledge submitted an amicus brief in support of the Spanish company.

    Yesterday, United States District Court Judge Paul Crotty decided to deny Puerto 80’s request, which means the domain will remain in the hands of the U.S. Government. The Judge argues that seizing Rojadirecta’s .com and .org domains does not violate the First Amendment of the Constitution.

    “Puerto 80’s First Amendment argument fails,” the Judge writes.

    “Puerto 80 alleges that, in seizing the domain names, the Government has suppressed the content in the ‘forums’ on its websites, which may be accessed by clicking a link in the upper left of the home page. The main purpose of the Rojadirecta websites, however, is to catalog links to the copyrighted athletic events — any argument to the contrary is clearly disingenuous.”

    The Judge further ruled that the claimed 32% decline in traffic and the subsequent harm to Puerto 80’s business is not an issue, as visitors can still access the site through foreign domains. Puerto 80’s argument that users may not be aware of these alternatives was simply waved aside.

    “Rojadirecta argues that, because ‘there is no way to communicate the availability of these alternative sites on the .org or .com domains . . . the vast majority of users will simply stop visiting the sites altogether.’ This argument is unfounded — Rojadirecta has a large internet presence and can simply distribute information about the seizure and its new domain names to its customers,” the Judge writes.

    “In addition, Puerto 80 does not explain how it generates profit or argue that it is losing a significant amount of revenue as a result of the seizure. Specifically, Puerto 80 states that it does not generate revenue from the content to which it links, and it does not claim to generate revenue from advertising displayed while such content is playing,” Judge Crotty adds.

    From the above the Judge concludes that the drop in visitor traffic due to the seizure does not establish a substantial hardship, and therefore no reason exists to return the domain.

    This line of reasoning goes directly against previous rulings in First Amendment cases. As the EFF points out, in two earlier Supreme Court decisions it was concluded that having alternatives available does not mean that freedom of speech isn’t violated.

    According to the EFF, the peculiarities of the ruling don’t end there.

    “As if misapplying the relevant substantive First Amendment analysis wasn’t bad enough, the court failed to even address the fatal procedural First Amendment flaws inherent in the seizure process: namely, that a mere finding of ‘probable cause’ does not and cannot justify a prior restraint. How the court believes that the seizure satisfies the First Amendment in this regard is a mystery,” they write.

    The decision of District Court Judge Paul Crotty to stand firmly behind the Government is worrying for all other websites that operate under U.S. controlled domains. It’s yet another step in granting the Government and copyright holders more control over the Internet, at the expense of smaller businesses and the rights of citizens.

    Source

  • Spam king sued by Facebook surrenders to FBI

    By John Letzing
    August 5, 2011

    Sanford Wallace accused of clogging up social network with unsolicited messages.

    Sanford Wallace, long known as the "Spam King," has surrendered to the U.S. Federal Bureau of Investigation after being indicted for allegedly clogging Facebook Inc. with millions of unsolicited messages.

    The U.S. Department of Justice said Thursday that Wallace, 43, had been indicted by a federal grand jury on multiple counts of fraud, intentional damage to a protected computer and criminal contempt.

    According to the July 6 indictment, Wallace accessed Facebook's computer network multiple times between Nov. 2008 and March 2009 in order to plant programs that compromised 500,000 Facebook accounts, and filled the Palo Alto, Calif.-based social-networking service's servers with 27 million spam messages.

    Wallace made his initial court appearance on Thursday and was released on $100,000 unsecured bond, the DOJ said.

    Facebook has grown rapidly since its founding in 2004 and now has over 600 million users.

    The company sued Wallace in 2009, alleging that he had hijacked legitimate Facebook accounts and used them to distribute spam messages.

    Facebook's civil lawsuit was ultimately referred to the U.S. Attorney's office for possible criminal proceedings.

    A Facebook spokesman didn't immediately respond to a request for comment.

    Wallace originally gained notoriety in the 1990s, after filling inboxes with unsolicited email.

    He is scheduled to make his next court appearance on Aug. 22, the DOJ said.

    Source

  • Spotify, Spokeo, AOL, Others Sued Over Web Tracking

    By Ryan Singel
    August 3, 2011

    Website analytics firm KISSmetrics and more than 20 of its customers, including Spotify, AOL’s About.me, Slideshare.net, Spokeo and the news site Gigaom.com were sued Monday on the grounds that KISSmetrics’ tracking technology violated federal and state privacy laws.

    The suit, filed in a federal court in Northern California, is seeking class-action status and unspecified damages.

    At issue are methods KISSmetrics used — first reported by Wired.com — to track users who have deleted their cookies. The company juggled a variety of other technologies including Flash, Silverlight, HTML5 and so-called ETags in cached browser files to place and read unique identifiers.
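    The ETag trick works because a browser sends a cached resource’s ETag back to the server in an If-None-Match header on later requests, so an ETag that is really a per-visitor identifier survives cookie deletion and lets the server re-issue (“respawn”) the same cookie. The following audit script is an added example written for this article; it is not KISSmetrics’ code nor the plaintiffs’ evidence. It runs over constructed HTTP exchanges (the /i.js path, header values and cookie name are made up for illustration) and flags resources whose ETag behaves like a tracking identifier rather than a cache validator: different first-time clients get different tags for the same URL, the server answers a conditional request with 200 and the client’s own tag instead of 304, or the tag value is copied into Set-Cookie. The entropy threshold and the 16-character minimum are the author’s own heuristics.

```python
"""Audit captured HTTP exchanges for ETags used as tracking identifiers.

Added example, not code from the page or from any of the companies named.
Heuristics (author's choices, not a standard):
  1. a conditional request (If-None-Match) answered with 200 and the same
     ETag the client sent, where a cache validator would yield 304;
  2. the client's ETag value copied into a Set-Cookie header (respawning);
  3. different clients receiving different ETags for one resource.
Only tags that look like identifiers (long, high entropy) are considered,
so short version-style tags such as "v12-20110801" are ignored.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass, field

_WEAK = re.compile(r"^W/")


@dataclass
class Exchange:
    client: str          # which browser/session issued the request
    url: str
    status: int
    req_headers: dict = field(default_factory=dict)
    resp_headers: dict = field(default_factory=dict)


def _header(headers, name):
    """Case-insensitive header lookup (header names are not case sensitive)."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None


def _strip_tag(raw):
    """Remove the weak marker and surrounding quotes from an ETag value."""
    return _WEAK.sub("", raw).strip().strip('"')


def shannon_entropy(s):
    """Bits per character of the string; 0 for an empty string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_like_identifier(tag):
    """Long and high-entropy. A content hash also passes, so this only
    filters out obvious version tags; the behavioural checks decide."""
    return len(tag) >= 16 and shannon_entropy(tag) >= 3.0


def audit_etags(exchanges):
    """Return {url: [reason, ...]} for resources whose ETag acts as a tracker."""
    report = {ex.url: [] for ex in exchanges}
    first_fetch = {}  # url -> {client: etag} seen on unconditional requests
    for ex in exchanges:
        returned = _header(ex.resp_headers, "ETag")
        returned = _strip_tag(returned) if returned else None
        inm = _header(ex.req_headers, "If-None-Match")
        if inm is None:
            if returned:
                first_fetch.setdefault(ex.url, {})[ex.client] = returned
            continue
        sent = _strip_tag(inm)
        if not looks_like_identifier(sent):
            continue
        if ex.status == 200 and returned == sent:
            report[ex.url].append("200 with the client's own ETag where a validator would give 304")
        if sent in (_header(ex.resp_headers, "Set-Cookie") or ""):
            report[ex.url].append("client's ETag value copied into Set-Cookie (cookie respawn)")
    for url, tags in first_fetch.items():
        if len(set(tags.values())) > 1 and all(looks_like_identifier(t) for t in tags.values()):
            report[url].append("different clients receive different ETags for the same resource")
    return {url: reasons for url, reasons in report.items() if reasons}


# Constructed sample traffic: two clients fetch a tracking script, then client
# A returns after deleting its cookies. Values are invented for illustration.
SAMPLE = [
    Exchange("A", "/i.js", 200, {}, {"ETag": '"a3f9c2e17b4d8e0f6152"',
                                     "Set-Cookie": "km_ai=a3f9c2e17b4d8e0f6152; Path=/"}),
    Exchange("B", "/i.js", 200, {}, {"ETag": '"7c41de92ab05f3e6b8d9"',
                                     "Set-Cookie": "km_ai=7c41de92ab05f3e6b8d9; Path=/"}),
    Exchange("A", "/i.js", 200, {"If-None-Match": '"a3f9c2e17b4d8e0f6152"'},
             {"ETag": '"a3f9c2e17b4d8e0f6152"',
              "Set-Cookie": "km_ai=a3f9c2e17b4d8e0f6152; Path=/"}),
    # Ordinary cache validators: short version tag, and a hash answered with 304.
    Exchange("A", "/app.css", 304, {"If-None-Match": '"v12-20110801"'}, {"ETag": '"v12-20110801"'}),
    Exchange("A", "/logo.png", 304, {"If-None-Match": '"5d41402abc4b2a76b9719d911017c592"'},
             {"ETag": '"5d41402abc4b2a76b9719d911017c592"'}),
]

if __name__ == "__main__":
    for url, reasons in audit_etags(SAMPLE).items():
        print(url)
        for r in reasons:
            print("  -", r)
```

Feeding the script real traffic only needs a capture converted into Exchange records (a proxy log or browser HAR file has every field used here). The per-client check is the strongest signal: a genuine cache validator for one unchanged resource is identical for everyone, while an identifier is unique per visitor by design.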

    The suit was filed by a group of lawyers, including Scott Kamber, who already filed suit against Hulu and KISSmetrics on Friday, the same day a U.C. Berkeley report said those companies were re-creating cookies after users deleted them.

    Sometime over the weekend, KISSmetrics published a longer privacy policy, and changed the “How It Works” page on its website to reveal that the company would stop using ETags. “As of July 30, 2011 KISSmetrics uses standard first-party cookies to generate a random identity assigned to visitors to our customers sites,” the new text promises. “This identity by itself does nothing.” The company added in a separate privacy policy for end-users that users can now set an opt-out cookie that excludes them from tracking entirely — as one can do with many online advertising companies and some analytics companies.

    KISSmetrics founder Hiten Shah told Wired.com that KISSmetrics was very respectful of privacy and that it’s hardly the only site on the net to use ETags as cookie replacements.

    “KISSmetrics has never shared any information about a user with any third party, including with any customer other than the one that interacted with that user,” Shah said via e-mail. “Our business model is uniquely pro-privacy precisely because our tools enable insights without sharing any user information across websites and without developing or storing user profiles across sites, and that for this reason, KISSmetrics offers key differences from third parties that link up user data across the Internet.”

    But the lawsuit has a different take.

    “Defendants circumvented Plaintiffs and Class Members browser privacy controls, conducted tracking in unreasonable and unexpected way, and used Plaintiffs and Class Members’ Computer Assets to store LSOs [Local Storage Objects, or cookie-like files in Flash] and engage in other tracking exploits….”, the suit alleged. “Defendants did so knowing Plaintiffs and Class Members’ reasonably believed their privacy was protected.”

    UPDATE: Shah responded to the suit itself, saying:

    This lawsuit is completely lacking in merit. KISSmetrics has never shared user information with any third party, and its tools are specifically designed to ensure that its customers only obtain insights into the information they already have. We use standard and lawful technologies that are widely used throughout the Internet, and that do not do the things alleged in the complaint. KISSmetrics has retained counsel who was successful in dismissing virtually identical claims filed by the same plaintiffs’ lawyers, and we have every confidence that these claims also will be found to be entirely baseless.

    A similar set of suits was filed in 2009, after U.C. Berkeley researchers uncovered “zombie cookies” being used on some of the net’s top sites, including Hulu, thanks to technology from Quantcast and Clearspring. Those suits were settled for $2.4 million and a promise from the two providers never to use that technology again.

    Those companies’ clients were largely spared in the settlement and agreed only to disclose in their privacy policy if they were using Adobe Flash’s storage capability. They also agreed to provide a link in the policy for users who wanted to block that storage.

    When asked about the suit, Spotify told Wired.com that it used KISSmetrics to “help us understand customer registration and purchase flow, and to make the process of using our website as easy as possible for users,” and that it takes privacy seriously.

    Source

  • Censorship Fail Reveals Big Music ISP Spying Plan

    August 1, 2011

    Previously confidential documents detailing Universal Music’s meetings with the former UK government over the Digital Economy Act are revealing a whole lot more than the pair intended. Blacked-out sections now uncovered show that Universal believed that ISPs could spy on their users and hand over information to rightsholders in order for them to sue.

    As reported in our earlier article, documents requested from Lord Mandelson’s office under the Freedom of Information Act have already proven interesting reading.

    The documents detail meetings held in 2009 with Lord Mandelson, then Secretary of State (SoS) for Business, on the UK’s then-upcoming Digital Economy Act.

    One report is titled ‘Note of Secretary of State’s meeting with Lucian Grainge (CEO, Universal Music Group International)’. In common with many documents released under FOI requests, this one (marked ‘RESTRICTED’) has blacked-out sections, hiding information deemed too sensitive for the public eye.

    However, due to the government’s failure to black out the text in all versions of the document (leaving the PDF version open to exploitation), we can now reveal the contents of a censored paragraph.

    In it, Universal CEO Lucian Grainge begins by talking about a deal his company struck with Virgin Media.

    “Universal have entered into an arrangement with the Internet Service Provider (ISP) Virgin to target legitimate broadband users with a £10 ‘all you can eat’ offer,” Grainge explained.

    Indeed, in mid-2009 that particular deal was hailed as “ground-breaking” but the other major labels didn’t sign on to provide the necessary momentum. Quietly, even Universal had reservations.

    “There is a commercial risk with this strategy, which could be like putting a Coca Cola pipe in your house which would then supply the whole street,” Grainge told the meeting.

    But the deal with Virgin was two-way. To combat piracy concerns like these the ISP agreed to do something for Universal.

    “In return for a fixed fee revenue share Virgin have agreed to anti-piracy measures, including pop-up warnings on screens,” Grainge confirmed.

    Eventually the Universal/Virgin deal fizzled out and now more than two years later the Spotify service is on the horizon instead.

    However, it is Grainge’s final comments during the meeting on anti-piracy enforcement that will raise eyebrows, particularly since the government has tried and failed to censor this statement from the Freedom of Information request.

    “As ISPs can monitor the amount of power used by specific users and the sites connected to, it is possible for ISPs to pass on any details to owners of particular rights, who could then take legal action,” Grainge concludes.

    The mere suggestion from the head of a major label that ISPs could spy on their customers is outrageous enough, but mentioned in the same breath as a deal with Virgin Media will cause even greater concern.

    In late 2009 it was revealed that Virgin Media had partnered with technology company Detica to install a Deep Packet Inspection (DPI) system. Called CView, the product was to be installed to monitor the instances of illicit file-sharing on Virgin’s network.

    “Understanding how consumer behaviour is changing will be an important requirement of Virgin Media’s upcoming music offering [with Universal Music] and, should they become law, the Government’s legislative proposals will also require measurement of the level of copyright infringement on ISPs’ networks,” Virgin Media’s executive director Jon James explained at the time.

    The assurances were, however, that all of the data collected by CView on Virgin’s network (and on other ISPs – Detica were in talks with them too) would be anonymized, but groups such as Privacy International still had concerns.

    The notion of ISPs becoming “copyright cops” is an increasingly worrying topic. With the voluntary warning system just agreed in the US, ISPs are slowly revealing that they are prepared to work with the music and movie industries. Where they will draw that final cooperative line remains to be seen but if we take Lucian Grainge’s comments at face value, we can see where the labels might be aiming.

    Source

  • How to unlock a car with a text message

    by John D. Sutter
    August 3, 2011

    Las Vegas (CNN) -- Don Bailey says he can unlock thousands of cars across the United States simply by sending a few texts from his Android phone.

    And that's not even the scary part.

    Bailey, a senior security consultant with iSEC Partners, said in an interview with CNN at the Black Hat security conference here at Caesars Palace that the same hack he has used to demonstrate unlocking and even starting a car via text message also could be used to attack industrial systems, the power grid and the water system.

    "I could care less if I could unlock a car door," he said. "It's cool. It's sexy. But the same system is used to control phone, power, traffic systems. I think that's the real threat."

    Bailey would not share details about which cars or which auto systems are vulnerable to the hack that he showed off publicly at the event.

    The hack affects many kinds of devices that connect to cellular GSM networks, like the one used by AT&T. As cars and plenty of other stuff -- from pill bottles to trees, he said -- start connecting to cell grids and the Internet, Bailey said they become more vulnerable.

    Certain electronic components that accept wireless signals are vulnerable to the hack, he said. Those components are in the cars Bailey said he can unlock remotely.

    Again, he would not name which cars have them.

    Strangely enough, Oprah Winfrey kinda-sorta inspired this research.

    Bailey said he was watching an "Oprah" show about a device called the Zoombak, which the TV host said could be used by parents to track the locations of their kids.

    "I heard that and thought, 'Oh dear God no. Please Oprah, no, no no!' " he said in a presentation at Black Hat. "This was my thinking: That's dangerous. That can definitely be owned. Let's own that thing."

    In hacker-speak, "own" means to take control of a device.

    Once he figured out how to take control of the kid-tracker, Bailey moved on to cars, which he said was more difficult but still not impossible.

    "I couldn't just straight-up text message it and be like, 'Gimme yo' datas!' " he said, referring to the car parts. "So it was a little more work."

    It's not all doom-and-gloom, though.

    Bailey said manufacturers could purchase more expensive parts that would keep these types of hacks from being possible. He thinks industry associations should put out recommendations suggesting this approach, even though cost increases would be "highly significant."

    "We have to," he said. "We have to find elegant ways to find that sweet spot between cost and security."

    Black Hat is an annual gathering of hackers and security professionals in Las Vegas. Researchers hope that by showing off how to hack certain systems, the computer industry will take steps to make infrastructure and consumers safer.

    Source