  • Rogers throttling may breach net neutrality rules

    By Emily Chung
    October 25, 2011

    Rogers throttles file-sharing traffic from BitTorrent more than any other internet provider in North America and may be violating Canadian net neutrality guidelines, a U.S. researcher says.

    Data from connection speed tests run by users show that between the second half of 2008 and the first half of 2010, Rogers slowed down or throttled BitTorrent peer-to-peer traffic 78 to 91 per cent of the time, reports Syracuse University information studies researcher Milton Mueller in an interactive table posted on his website.

    "Under the regulations that the CRTC promulgated for reasonable internet traffic management practices, I think 100 per cent, 24/7 throttling is not conformant," Mueller said in an interview Tuesday.

    "So I think consumers would have a basis to complain and the CRTC would have a basis to act."

    In a statement emailed to CBC News, Rogers said its network management "is in full compliance with CRTC regulations."

    According to the company's network management policy, high-speed internet and portable internet customers face a maximum upload speed of 80 kilobits per second at all times for peer-to-peer file sharing. Rogers's advertised upload speed for its fastest internet service is up to two megabits per second or 26 times faster.

    Rogers says it limits uploads of high-volume traffic that is not time sensitive, such as peer-to-peer file sharing, to ensure a high level of service for time-sensitive tasks such as voice and video applications. It added that it does not limit download speeds for any application or protocol.

    Rogers and other ISPs distinguish peer-to-peer traffic from other types of traffic using a technique called deep packet inspection.

    Mueller's data was highlighted in a posting by Toronto-based technology blogger Pete Nowak on Oct. 24, the second anniversary of the CRTC's internet traffic management or "net neutrality" rules.

    Those rules state that technology to manage internet traffic:

    • Must be designed to address "a defined need and nothing more."
    • Should be neither "unjustly discriminatory nor unduly preferential."

    "The whole rationale for the throttling is you're conserving bandwidth for the people," Mueller said. "And the fact of the matter is, unless your bandwidth is congested 100 per cent of the time – in which case you ought to be maybe expanding it — there's no reason to be throttling 100 per cent of the time."

    Affects 'viability' of some services

    He added that throttling targeted at particular applications will affect internet users' choices.

    "It's definitely something that's going to affect the viability of different kinds of services."

    Data on throttling by ISPs around the world was crowdsourced through a test called Glasnost developed by the Max Planck Institute for Software Systems in Germany. Users visit a website where the test is hosted. It measures and compares traffic speeds for different applications to detect throttling, including whether it is applied to uploads or downloads, certain types of traffic, or traffic linked to certain port numbers.

    The results, which include the IP address of the ISP involved, are stored in a database managed by Google M-Labs and organized by date.

    The data show that the only other Canadian ISP that throttled BitTorrent connections more than 31 per cent of the time was Cogeco, which reduced its level of throttling from 82 per cent in the first half of 2009 to 44 per cent in the first half of 2010 following consumer complaints. The U.S. showed even lower levels of throttling and a sharper decline, with only one ISP conclusively registering any BitTorrent throttling at all in the first half of 2010 – Clearwire, with just 17 per cent. The data show a "background" of five per cent even if no throttling is taking place, so that only results above that threshold are conclusive.

    Mueller is in the process of compiling the data for late 2010 and the first half of 2011.

    In a recent study presented at the Telecommunications Policy Research Conference in Arlington, Va., in September, Mueller compared the public and regulatory reaction to the practice of BitTorrent throttling in Canada and the U.S.

    U.S.-Canada paradox

    "We got this very paradoxical result in which Canada has unambiguous, clear authority to impose net neutrality but they really did a lot less about BitTorrent throttling," he said, noting that the consumer outcry over the throttling practices was notable in both countries.

    He suggested that perhaps the Canadian regulator is "a bit too cozy" with large Canadian telecommunications companies.

    "I think they do give too much weight to Bell Canada and some of these heavyweight operators," he said. "I think that's starting to change now that they're starting to look more carefully at the use of this throttling."

    This past September, the CRTC issued guidelines for resolving consumer complaints about throttling, with timelines for each step. It announced that a summary of complaints would be published four times a year and violators could face a third-party audit or even a public hearing. It also published a document explaining what ISPs are allowed to do or not allowed to do to manage their traffic and how consumers can make a complaint.

    The announcement of the new guidelines came after months of complaints from gamers that Rogers throttles some non-file sharing traffic such as online games. Rogers said it had resolved the problem for World of Warcraft. It has acknowledged that other games and applications may be unintentionally throttled under certain circumstances. A complaint from gamers concerning other games remains before the CRTC.

    Mueller said that type of complaint isn't surprising — the technology used to identify peer-to-peer traffic might get confused sometimes. That's one of the reasons why he thinks consumers should choose internet providers who use internet traffic management technology that targets points of congestion rather than singling out particular applications.

    Internet providers that use application-specific throttling argue that it's necessary to improve users' experience of online activities such as streaming video that are more noticeably degraded when the network is congested.

    "That's in some ways a justifiable argument," Mueller said. "But also, once you start picking out different applications, you're getting into some very difficult, technical discriminations that might have unintended consequences."

    Mueller said his future research will examine whether other protocols besides BitTorrent are being throttled by ISPs and will look into the use of deep packet inspection for other purposes such as copyright policing, placing ads, government surveillance and censorship.

    Source

  • PROTECT IP Renamed E-PARASITES Act; Would Create The Great Firewall Of America

    by Mike Masnick
    October 26, 2011

    from the censorship-galore dept

    As was unfortunately expected, the House version of PROTECT IP has been released (embedded below) and it's ridiculously bad. Despite promises from Rep. Goodlatte, there has been no serious effort to fix the problems of the Senate bill, and it's clear that absolutely no attention was paid to the significant concerns of the tech industry, legal professionals, investors and entrepreneurs. There are no two ways around this simple fact: this is an attempt to build the Great Firewall of America. The bill would require service providers to block access to certain websites, very much contrary to US official positions on censorship and internet freedom, and almost certainly in violation of the First Amendment.

    Oh, and because PROTECT IP wasn't enough of a misleading and idiotic name, the House has upped the ante. The new bill is called: "the Enforcing and Protecting American Rights Against Sites Intent on Theft and Exploitation Act" or the E-PARASITE Act (though, they also say you can call it the "Stopping Online Piracy Act").

    The bill is big, and has a bunch of problems. First off, it massively expands the sites that will be covered by the law. The Senate version at least tried to limit the targets of the law (but not the impact of the law) to sites that were "dedicated to infringing activities" with no other significant purposes (already ridiculously broad); the new one just targets "foreign infringing sites" and any site that "has only limited purpose or use other than" infringement. They're also including an "inducement" claim not found elsewhere in US regulations -- and which greatly expands what is meant by inducement. The bill effectively takes what the entertainment industry wanted the Supreme Court to say in Grokster (which it did not say) and puts it into US law. In other words, any foreign site declared by the Attorney General to be "inducing" infringement, with a very broad definition of inducing, can now be censored by the US. With no adversarial hearing. Hello, Great Firewall of America.

    And while defenders of this bill will insist it's only designed to target truly infringing sites, let's just recall a small list of sites and technologies the industry has insisted were all about infringement in the past: the player piano, the radio, the television, the photocopier, the phonograph, cable tv, the vcr, the mp3 player, the DVR, online video hosting sites like YouTube and more. All of these things turned out to be huge boons for the industry. And yet, with a law like this in place, the old industry gets to kill off technologies they don't understand. Scary stuff.

    And it's not just foreign sites impacted by this law (despite what supporters would have you believe). It appears to expand who would have to take on the entire burdens of enforcing this blacklist -- broadly naming "service providers" as defined in the DMCA. That's significant, because a big part of this bill is to undermine and strip away the safe harbors of the DMCA. The DMCA set up an important balance that gave online service providers freedom from liability if they pulled down content upon notification. This new bill provides a massive and ridiculous burden: allowing the Attorney General to create an internet blacklist that all service providers will need to block access to:

    A service provider shall take technically feasible and reasonable measures designed to prevent access by its subscribers located within the United States to the foreign infringing site (or portion thereof) that is subject to the order, including measures designed to prevent the domain name of the foreign infringing site (or portion thereof) from resolving to that domain name’s Internet Protocol address. Such actions shall be taken as expeditiously as possible, but in any case within 5 days after being served with a copy of the order, or within such time as the court may order.

    On top of that, the bill says any attempt to get around such blocks can lead to liability. Would this put liability on things like MAFIAAfire? It sure sounds like it:

    To ensure compliance with orders issued pursuant to this section, the Attorney General may bring an action for injunctive relief....

    against any entity that knowingly and willfully provides or offers to provide a product or service designed or marketed for the circumvention or bypassing of measures described in paragraph (2) and taken in response to a court order issued pursuant to this subsection, to enjoin such entity from interfering with the order by continuing to provide or offer to provide such product or service.

    While the text of the bill insists that nothing in it takes away the DMCA's safe harbors, once again this is a claim without the facts to back it up. A large part of the bill is an effective attempt to strip away the DMCA's safe harbors.

    The only extraordinarily minor change against the interests of the entertainment industry is that the bill ever so slightly changes the "private right to action," which allows individual copyright holders to take action under this bill. This was a big problem in the old bill, and the only requirement here is that prior to making use of this private right to action, copyright holders have to provide "notice" to payment processors and ad providers. But then those service providers are expected to take action anyway, or face liability. So all this really does is take the court out of the process, and make it even easier for copyright holders to effectively kill off sites they don't like.

    Think about this for a second: think how many bogus DMCA takedown notices are sent by copyright holders to take down content they don't like. With this new bill, should it become law, those same copyright holders will be able to cut off advertising and payment processing to such sites. Without court review.

    And... because this bill wasn't already ridiculously bad enough, it also lumps in a House version of the felony streaming bill that will make huge swaths of Americans felons for streaming content online.

    This bill is an abomination and an insult to the Constitution. It's unfortunate that Rep. Lamar Smith thinks this is worth introducing in its current state, and anyone who signs on to co-sponsor is effectively supporting mass censorship of the internet in the US, as well as the criminalization of huge numbers of Americans -- while putting a huge burden on the one part of the economy that actually is creating jobs. All because a few legacy companies in the entertainment industry refuse to adapt.

    Source

  • UltraViolet Makes Honesty Almost Convenient

    By Lore Sjöberg
    October 21, 2011

    By now, you’ve heard about the UltraViolet Alliance, which is not a group of superheroes defending America from space vampires, but rather a consortium of unimaginably gigantic media companies.

    I got a fax three days ago that claimed to be an early draft of the UltraViolet press release. When contacted, the UltraViolet Alliance denied the draft’s existence, and in fact pointed out that I was just pretending to call them in the first place.

    Nonetheless, I think it’s important for you, the reader, to decide for yourself that I’m right. Here is the supposed UltraViolet Alliance press release, reproduced in full:

    ULTRAVIOLET PRESS RELEASE!!!

    SECOND DRAFT — TOP SECRET YOUR EYES ONLY!!!

    I am proud to announce the debut of UltraViolet, a service designed to make buying a movie from a legitimate source almost as convenient as pirating it.

    As you know, we’ve been keeping an eye on BitTorrent and other sources for illegal downloading of copyrighted movies. We know that millions of unscrupulous people are downloading free copies of our movies and playing them on all their devices, with no limitations on where, when or how they watch them. And we recognize that our paying customers deserve something almost, but not quite, as good.

    Now, we know what you’re thinking. You’re thinking, “That’s insanity! If you sell a customer a movie without strict, even draconian, limitations, they’ll immediately go back in time and put it on the internet before it was even released. The only way to prevent piracy is to punish legitimate customers after it already happened!”

    That’s sound thinking, but after about 10 years of careful thought and dwindling income, we’ve finally seen that it may not be completely airtight, logic-wise.

    We’ve discovered that, contrary to our expectations, customers enjoy treating their purchased movies like an item they actually own that belongs to them, as if movies were just some petty knick-knack like a home or a car. They don’t understand that flawless cinema like Green Lantern is much too valuable to put in the hands of people who paid for it.

    We had hoped people would get used to the idea that they’re merely licensing the movie, not actually buying a copy (except if they lose or damage the disc, in which case — tough luck, kid). But the market has spoken, and our customers have made it clear that they want nearly all the convenience and freedom they’d have if they’d just asked some junior high student to grab them a copy off IRC.

    So we’re responding. UltraViolet will make purchasing a movie only slightly more of a pain in the ass than searching BitTorrent. Driving to a local video store and buying a copy on DVD or Blu-ray should only take about a half-hour more than downloading it, and I want to assure you that the legitimate copy will contain all the ads, auto-loading trailers and overproduced menu screens that even the pirates can’t figure out how to include.

    Once you’ve bought it, all you’ll have to do is take the time to register it and give us whatever information we decide we need. We know pirates don’t have to do that, but we think you’ll find it fun. It’s sort of like Facebook, only instead of friends and family, you have a humongous powerful group of international corporations hanging on your every datum.

    Once you’ve signed in, that’s when the fun begins. You see, the movies you paid for with your own money will be stored for you in your “locker.” Just like the lockers you use at school or the gym, they’ll be convenient, somewhat secure, they won’t actually belong to you and we can do anything we want with anything in them.

    Let the pirates have their boring old “hard drives” and “networked media servers.” With UltraViolet, you’ve got a locker!

    Once we have your movie (which, I’m obliged to remind you, is not actually your movie) locked up, you can access it on any of several devices, at any time that our service is running properly, with no limitations other than the ones in the EULA you agreed to without reading. It’s so much like piracy, you’ll be tempted to wear an eye patch!

    So enjoy your newfound semi-freedom. If it works out, in time we might be inclined to treat you even less like a suspected pirate, and more like an actual pirate.

    But if not, well, let’s just say we know where your movies live.

    Source

  • Google report reveals YouTube takedown requests... by country

    By Anna Leach
    October 26, 2011

    UK wants jihadists off, Germany nixes Nazis, US wants to hide cop brutality

    The UK government asked Google to take down 135 YouTube videos for reasons of national security in the first half of this year, states Google's biannual Transparency Report, released yesterday.

    The report also shows that the German government asked for videos that included Nazi memorabilia to be removed, and that US police wanted videos taken down because they showed their officers in acts of brutality.

    UK content removal requests went up 71 per cent compared to the previous six month period, when the government made no requests at all for content to be taken down on grounds of national security.

    In January to June this year, UK police and government also requested that 61 YouTube videos be removed for reasons of Privacy and Security, three for violence and one for hate speech. The takedown of a further 20 was requested for reasons listed as "Other". Google fully or partially complied with 82 per cent of requests.

    The Telegraph speculates that the bump in removal requests by the UK government since January this year came after MP Stephen Timms was stabbed by a student claiming to be a jihadist, and that the videos involved were jihad videos or those promoting Islamic terrorism.

    It seems to be the Nazis that got the Germans sending in video removal requests. In total, the German police, government and courts asked for 583 YouTube videos to be removed – 322 of which contained hate speech. Google specified that this often meant Nazi content:

    We receive lists of URLs from BPjM (BPjM-Modul), a federal government youth protection agency in Germany, for sites that contain content that violates German youth protection law, like content touting Nazi memorabilia, extreme violence or pornography, and we may remove those search results from google.de.

    Google complied with 86 per cent of German content removal requests.

    Among other things, US authorities got in touch with Google when they wanted to kill some YouTube videos showing police brutality. Google states:

    We received a request from a local law enforcement agency to remove YouTube videos of police brutality, which we did not remove. Separately, we received requests from a different local law enforcement agency for removal of videos allegedly defaming law enforcement officials. We did not comply with those requests, which we have categorized in this Report as defamation requests.

    In total the US courts, government and police asked for 113 videos to be taken down, one because it showed "government criticism".

    Google complied with just 63 per cent of content removal requests from American authorities...

    Source

  • BT given 14 days to comply with filtering access to NewzBin2

    by Andrew Ferguson
    October 26, 2011

    The High Court has given BT fourteen days to implement its blocking of Newzbin following a judgment on 26th October. The blocking will be accomplished using the CleanFeed technology that BT already uses to block sites on the IWF block list.

    The question of how much of the BT Group should be subject to the blocking was raised and the decision passed down is that the blocking should be carried out for any connection where CleanFeed is incorporated or available as an option to the customer. This means that connections sold via BT Wholesale where CleanFeed is not available are not affected.

    • 1. In respect of its customers to whose internet service the system known as Cleanfeed is applied whether optionally or otherwise, the Respondent shall within 14 days adopt the following technical means to block or attempt to block access by its customers to the website known as Newzbin2 currently accessible at www. newzbin .com, its domains and sub-domains and including payments. newzbin .com and any other IP address or URL whose sole or predominant purpose is to enable or facilitate access to the Newzbin2 website. The technical means to be adopted are:
      • a) IP address re-routing in respect of each and every IP address from which the said website operates and which is notified in writing to the Respondent by the Applicants or their agents; and
      • b) DPI-based URL blocking utilising at least summary analysis in respect of each and every URL available at the said website and its domains and sub-domains and which is notified in writing to the Respondent by the Applicants or their agents.
    • 2. For the avoidance of doubt paragraph 1 is complied with if the Respondent uses the system known as Cleanfeed and does not require the Respondent to adopt DPI-based URL blocking utilising detailed analysis.

    - Extract from England and Wales High Court (Chancery Division) Decisions Conclusion

    The applicants who are Twentieth Century Fox Film, Universal City Studios, Warner Bros. Entertainment, Paramount Pictures, Disney Enterprises and Columbia Pictures are expected to take further action to see blocking carried out by other broadband providers once the blocking is in place and running for BT connections, though reading the full decision it appears the Applicants are hoping to avoid further lengthy court cases with providers simply following the lead from BT in blocking Newzbin. BT was chosen for no other reason than being the largest provider.

    The costs of running the blocking will fall upon BT, and BT itself estimates the cost as £5000 for the initial setup and £100 for each subsequent IP/URL that is reported for re-routing/blocking. The danger here is that Newzbin may attempt to fight the blocking by constantly changing IP address or creating thousands of unique URLs, in which case the CleanFeed system may have problems coping, as well as eating up significant time and money. BT does have the ability to temporarily stop the blocking, but this is only allowed with the written consent of the Applicants or their agents.

    There are other newsgroup aggregator services that charge for access, so we would presume that in the near future, sites offering similar services to Newzbin will end up being subject to blocking requests. The Daily Telegraph coverage highlights research from the Open Rights Group which indicates that only 58% of Bafta Best Film Award-winning films are available via lawful downloads. It has been said before and it has to be said again: if a company is going to use the stick approach it should offer a carrot. One idea would be to offer relatively low quality streamed versions of older films for almost free, only charging the current £3.50 to £4.50 for the very latest high definition rentals.

    Source

  • Obama man: 'Global internet surveillance skyrocketing'

    By Rik Myslewski
    October 26, 2011

    A top US government official believes that the internet is under fierce attack by authoritarian governments worldwide, and that the situation is rapidly deteriorating.

    "Today we face a series of challenges at the intersection of human rights, connected technologies, business, and government. It's a busy intersection – and a lot of people want to put up traffic lights," said US Assistant Secretary of State Michael Posner, speaking at the Silicon Valley Human Rights Conference in San Francisco on Tuesday.

    While the so-called "Arab Spring" may have proved the power of the internet to inform and unite repressed populations – an idea that Google's public policy honcho dismissed as "hype" – Posner believes that it also awakened repressive governments to the need to more tightly control communication among their citizens.

    "The result has been more censorship, more surveillance, and more restrictions," Posner said.

    In the past, those governments were content to set up firewalls to block content they disliked – or feared – from coming into their countries. Now, Posner said, they're using many more – and more sophisticated – tools, including deep-packet inspection and key-logger software.

    "They are exerting over-broad state control over content, users, and over companies," he said, "and they're trying to change national and international legal standards to legitimize it all."

    As an example of an attempt at usurping control, he cited an effort at the UN last month in which China and Russia were joined by Tajikistan and Uzbekistan in an effort to impose what Posner called "an international code of conduct for information security." According to Posner, that effort – if successful – would "shift cyberspace away from being a multi-stakeholder, people-driven model, to a system dominated by centralized government control."

    Iran, for example, hides its internet-controlling effort under the warm, fuzzy, Muslim term "halal internet". Posner also warned against various groups' calls for a "hate-free internet" – whether they be well-intentioned or motivated by a desire for thought control.

    And as information communications technology moves ever deeper into less-developed countries, Posner sees the problems increasing. "These are the places where repressive regimes are getting hold of the latest, greatest Western technologies and using them to spy on their own citizens for purposes of silencing dissent," he said. "Journalists, bloggers and activists are of course the primary targets."

    From his point of view, governments in some of these emerging markets "appear fiercely determined to control what people do online."

    Tweets without Twitter

    Directing his remarks to the industry members in his audience, he suggested that they stay in touch with the other half of the crowd: activists, journalists, and bloggers who can provide early warnings of oppression and surveillance. Those worthies, Posner said, are "the canaries in your coal mine."

    He noted that "for the record, I offer that same advice to the very governments who often shoot the instant messenger by going out and jailing bloggers instead of listening to the valuable information they convey."

    The private sector has a responsibility to defend personal freedom, Posner said – adding that "the private sector is more powerful than ever."

    He praised the vibrancy of the tech sector, and of its global reach. "Many people here have made it their life's work not only to develop transformative technologies but also to put them in the hands of people in places where digital empowerment is leaps ahead of political or financial or educational empowerment," he said. "Never have great ideas gone from dream to global distribution so quickly."

    But it's not enough to make great products. Creative minds also need to protect the freedom of the internet. "So I challenge each of you to work with us to help figure out what can happen next, what must happen next, to preserve the Internet as we know it," he said. "Or the autocrats will figure it out for us."

    After all, he said, "With great code comes great responsibility."

    A transcript of Posner's remarks can be found on the US Department of State website.

    Source

  • The U.S. Requests More User Data from Google Than Any Other Country

    Sarah Kessler
    October 25, 2011

    Google started publishing requests from governments for user information about a year ago. On Tuesday, it revealed the number of user accounts involved in those requests — revealing that the U.S. not only makes more requests than any other country, but also requests data for far more user accounts than any other country.

    Between January and June of 2011, the U.S. made 5,950 requests to Google for user data, more than three times more than the amount requested by India, the next highest country on the list. This isn’t surprising, as the U.S. has remained the leader throughout the period for which Google has made data available, but it is a 70% increase since Google last reported requests.

    The number of user accounts affected by these requests on behalf of the U.S. was 11,057 — almost five times as many as India. Google filled nearly all of the requests from the U.S., unlike the requests from most other countries, which it filled anywhere from 0% to 87%.

    Google’s motive in making these requests more transparent is a U.S. law regulating government access to online user information called The Electronic Communications Privacy Act (ECPA).

    “The law was written in 1986 and is woefully out of date for today’s technology — the provisions of the law no longer match people’s reasonable privacy protections for their digital data,” wrote Google policy counsel Will DeVries in a blog post attacking the law last September.

    Google has joined with tech giants such as IBM, eBay and Amazon in a coalition lobbying to reform the law, which it considers murky and outdated. The coalition’s main complaint is that law enforcement agencies don’t need a full search warrant to look into a suspect’s digital data — only a judge-approved subpoena.

    The vagueness of the law poses a problem drastic enough to unite heavily competitive companies. Many Internet users, especially corporations, hesitate to use cloud-based services because they are concerned about their information being compromised.

    “They all realize that there’s a competitive disadvantage here,” explained ACLU legislative counsel Chris Calabrese in an interview at a Senate hearing on proposed updates to the law last year. “They all want to move their services online. They all want to take advantage of the economies of scale that cloud computing presents, and they know that their customers want to move all of their email online and they want to use social networking tools. But customers have consistently explained to them that they’re worried about their privacy, they’re worried about how their data is going to be shared, and so they want the government to provide assurances that this information is going to be protected in the same way that it would be protected if it were sitting at home in a drawer or computer.”

    As of now, the law has not been changed. But Google is consistently bringing attention to the issue by announcing features that make government-requested data more transparent. Last month, for instance, it released the raw data for its report on government requests in the hope that independent developers and researchers would use it either to create compelling visualizations or to draw hypotheses about government behaviors online.

    “As with many other Google products, we like to launch and iterate,” says the project’s FAQ. “The Transparency Report is no different. As we’ve worked on this project, we’ve figured out the best way to disclose more information.”

    Source

  • Double Security Whammy, No Patches: Killer SSL DDoS Attack, XML Encryption Broken

    By Ms. Smith
    October 24, 2011

    The Germans have wreaked all kinds of mass destruction, a double security and privacy whammy. A hacking group released a new SSL DDoS tool that can be successfully launched from a single laptop, a single DSL connection, to take down a server. Other researchers in Germany found and exploited a flaw that breaks the W3C XML Encryption standard with a serious attack that works in all cases. The researchers said that Microsoft, IBM, Red Hat, Apache and other major XML framework providers will need to adopt a new standard.

    Establishing a secure SSL connection requires about 15 times more processing power on the server than it does on the client. But a server has so much more bandwidth than a single DSL connection that a traditional DDoS attack cannot be launched from a single DSL connection. It's no match for the server. A new SSL DOS tool turns that on its head. The German hacking group "The Hacker's Choice" (THC) released a killer new DDoS hacking tool for both Windows and Unix that has a deadly attack twist. The THC-SSL-DOS tool hits the server with thousands of SSL renegotiations via one little TCP connection until the server crashes and dies . . . until it is overloaded and knocked offline.

    The hacking group said that traditional DDoS tools, which played "a vital role in demonstrations against oppressive governments (like the DDoS attack against Iran's leader) and against companies that violate free speech (like the DDoS attack against Mastercard for closing WikiLeaks' non-profit donation account)," are resource hogs. The THC-SSL-DOS attack tool "does not require any bandwidth and just a single attack computer." THC said the old saying is true, "Complexity is the enemy of security." SSL renegotiation was supposed to make SSL more secure, yet it is rarely used, is enabled by default, and is what makes servers more vulnerable to this attack. A THC member added, "Renegotiating Key material is a stupid idea from a cryptography standpoint."

    "Here at THC the rights of the citizen and the freedom of speech are at the core of our research," said a member of THC. "We are hoping that the fishy security in SSL does not go unnoticed. The industry should step in and fix the problem so that citizens are safe and secure again." They added that their testing revealed "the average server can be taken down from a single IBM laptop through a standard DSL connection. Taking on larger server farms who make use of SSL Load balancer required 20 average size laptops and about 120kbit/sec of traffic."

    Darknet points out there is no real solution, but countermeasures include disabling SSL renegotiation and investing in an SSL Accelerator. The ethical hacker that runs Darknet included tips and tricks for whitehats:

    • The average server can do 300 handshakes per second. This would require 10-25% of your laptop's CPU.
    • Use multiple hosts (SSL-DOS) if an SSL Accelerator is used.
    • Be smart in target acquisition: The HTTPS Port (443) is not always the best choice. Other SSL enabled ports are more unlikely to use an SSL Accelerator (like the POP3S, SMTPS, ... or the secure database port).
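
    Added example (not part of the original article or of any tool it mentions): a defender-side check for the pattern described above, many SSL renegotiations arriving over a single TCP connection. The log format, window length and threshold are assumptions made for this example; the 300 handshakes-per-second capacity is the figure quoted in the list above.

```python
"""Flag TCP connections that renegotiate SSL/TLS far more often than normal clients do."""
from collections import defaultdict, deque

SERVER_HANDSHAKES_PER_SEC = 300  # per-server capacity quoted in the article
WINDOW_SECONDS = 1.0             # assumption: sliding-window length
MAX_RENEGS_PER_WINDOW = 3        # assumption: legitimate clients rarely renegotiate


def parse_event(line):
    """Parse '<ts> conn=<id> src=<ip> event=<name>' (constructed log format)."""
    ts, *fields = line.split()
    kv = dict(field.split("=", 1) for field in fields)
    return float(ts), kv["conn"], kv["src"], kv["event"]


def find_renegotiation_floods(lines):
    """Return {conn_id: finding} for connections exceeding the renegotiation limit.

    Events are expected in time order per connection. The first completed
    handshake on a connection is the normal one; every later handshake on the
    same connection is a renegotiation.
    """
    seen_initial = set()
    recent = defaultdict(deque)  # conn_id -> renegotiation timestamps in window
    findings = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ts, conn, src, event = parse_event(line)
        if event != "handshake_done":
            continue
        if conn not in seen_initial:
            seen_initial.add(conn)
            continue
        window = recent[conn]
        window.append(ts)
        # Drop renegotiations that fell out of the sliding window.
        while window and ts - window[0] >= WINDOW_SECONDS:
            window.popleft()
        if len(window) > MAX_RENEGS_PER_WINDOW:
            finding = findings.setdefault(conn, {"src": src, "peak_per_window": 0})
            finding["peak_per_window"] = max(finding["peak_per_window"], len(window))
    for finding in findings.values():
        # Share of one server's handshake budget consumed by this one connection.
        rate = finding["peak_per_window"] / WINDOW_SECONDS
        finding["share_of_capacity"] = round(rate / SERVER_HANDSHAKES_PER_SEC, 3)
    return findings


def build_sample_log():
    """Constructed sample: c1 and c3 behave normally, c2 renegotiates every 10 ms."""
    lines = [
        "# ts conn src event",
        "0.000 conn=c1 src=192.0.2.10 event=handshake_done",
        "0.050 conn=c1 src=192.0.2.10 event=request",
        "0.100 conn=c2 src=198.51.100.7 event=handshake_done",
    ]
    lines += [
        f"{0.110 + i * 0.010:.3f} conn=c2 src=198.51.100.7 event=handshake_done"
        for i in range(60)
    ]
    lines += [
        "5.000 conn=c3 src=203.0.113.5 event=handshake_done",
        "20.000 conn=c3 src=203.0.113.5 event=handshake_done",
        "40.000 conn=c3 src=203.0.113.5 event=handshake_done",
    ]
    return lines


if __name__ == "__main__":
    for conn, finding in find_renegotiation_floods(build_sample_log()).items():
        print(conn, finding)
```

    A connection flagged this way is a candidate for being closed or rate limited; where renegotiation is disabled outright, as the countermeasure above suggests, the same counter shows how often clients still attempt it.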

    Meanwhile, more bad news for security as researchers in Germany from Ruhr University Bochum broke the W3C standard of supposed security for XML Encryption with a "serious attack" and said that large companies like "IBM, Microsoft and Redhat Linux that use XML standards for integrating Webservice projects for large customers" are affected.

    XML (eXtensible Markup Language) is the W3C standard for "platform-independent data exchange." As of 2009, "hundreds of XML-based languages have been developed, including RSS, Atom, SOAP, and XHTML. XML-based formats have become the default for most office-productivity tools, including Microsoft Office (Office Open XML), OpenOffice.org (OpenDocument), and Apple's iWork." W3C sets an XML Encryption standard "that defines how to encrypt the contents of an XML element."

    The German researchers said, "XML Encryption was designed to protect the confidentiality of the exchanged data" and is used in a "large number of major Web-based applications," including business communications, e-commerce, financial services, healthcare applications, as well as governmental and military infrastructures. However, the message "everything is insecure" was highlighted when Juraj Somorovsky and Tibor Jager exploited a weakness and "were able to decrypt data by sending modified ciphertexts to the server, by gathering information from the received error messages." The attack works "against the implementations of companies that responded to the responsible disclosure - in all cases the result was the same: the attack works, XML Encryption is not secure."

    As with The Hacker's Choice DDoS attack tool, there's no real solution to fix the problem as of yet. Somorovsky stated, "There is no simple patch for this problem. We therefore propose to change the standard as soon as possible." The attack was presented at the ACM Conference on Computer and Communications Security last week.

    Source

  • Regulators to Web startups: Prioritize privacy protection

    By Juan Carlos Perez
    October 18, 2011

    Internet companies need to build consumer privacy and data controls into their online services to protect their brands, gain trust from their users, avoid civil lawsuits and prevent government probes, according to two regulators from the U.S. and Canada.

    Failure to do so may put them at risk of litigation, regulatory sanctions and business problems.

    For those reasons, privacy and data protection can't be an afterthought for businesses, even if they are small Web startups without an in-house legal department, the two officials said on Tuesday at Web 2.0 Summit.

    "I'm the guy you don't want to see, and frankly I don't want to see you either," said David Vladeck, director of the U.S. Federal Trade Commission's Bureau of Consumer Protection, after jokingly comparing his role to that of a gym teacher at a high school prom.

    "You need to be sensitive to privacy and data concerns," he added.

    Among his tips: Businesses shouldn't collect data they don't need, and they shouldn't hold on to the data they do collect for longer than they need to. Both mistakes increase the company's vulnerability to data breaches that make them liable to legal and regulatory sanctions and that hurt their customers, he said.

    "This is an issue you can't relegate to the back burner," he said.

    The FTC is particularly concerned with Internet companies' collection of data from minors, which can be illegal in certain scenarios, and with the commercialization of face recognition software and tools, he said.

    Ann Cavoukian, Information and Privacy Commissioner of Ontario, Canada, said that it's wrong to think that privacy controls and data protection diminish the capacity for a company to innovate. "That's a false dichotomy," she said.

    The opposite is true, she said. "Privacy is an enabler of innovation." Companies that give consumers tools to manage and control the personally identifiable data collected on them will also get an edge over competitors who don't, she said.

    Cavoukian recommended that conference attendees familiarize themselves with a series of best practices, methodology and principles in a website her agency has created called Privacy by Design.

    Vladeck and Cavoukian answered questions on stage from Alexander Macgillivray, Twitter's general counsel, and from audience members.

    Source

  • Chinese Government Defends Its Internet Policies as Open and Clear

    By Michael Kan
    October 20, 2011

    China on Thursday responded to U.S. concerns about its blocking of company websites, saying that China's Internet policies are open and clear. However, China said it objected to the U.S. exploiting the issue of Internet freedoms to interfere in its internal affairs.

    "The Chinese government encourages and actively supports the Internet's development and we also protect the freedom of expression of citizens in China," said Chinese Foreign Ministry spokeswoman Jiang Yu. "We welcome foreign companies to invest and develop here, and we will continue to foster an open policy market."

    "To promote the healthy development of the Internet, we are willing to work together to set up communication and exchanges," she said.

    On Wednesday, the Office of the U.S. Trade Representative announced it was asking China to explain its policies covering the blocking of U.S. company websites in the country. The request, filed under World Trade Organization rules, is an effort to understand the trade impact of such blocking after a number of U.S. businesses have made complaints about access to their websites in China.

    China heavily censors the Internet for anti-government and politically sensitive content. As a result, popular U.S. websites including Twitter, Facebook and YouTube have all been blocked in the country. The censorship is so prevalent that companies including Google have complained that the Internet blocking acts as a kind of trade barrier.

    While China's foreign ministry said the country's Internet policies have been open and clear, in practice the country's online censorship has often occurred without explanation. At times, Twitter-like services operated by local Chinese companies have blocked certain terms linked with protesting or Internet freedoms. Google also reported in March that its Gmail service was being blocked, a move experts said was part of a government-backed information clampdown.

    The U.S. Trade Representative's request specifically seeks to understand how China's Internet policies work so that U.S. companies can avoid disruptions to their websites. Some of the questions include who in China determines which websites should be blocked, and whether affected businesses can appeal the decision.

    Source

  • Cost of fighting ‘piracy’ will be paid by consumers

    By Kate O'Flaherty
    October 20, 2011

    Talktalk’s Heaney speaks out

    THE COST of trying to stop copyright infringement will be passed on to broadband customers, according to Talktalk executive director of strategy and regulation Andrew Heaney.

    Heaney was speaking at a Westminster Eforum in London today about his views on internet service providers' (ISPs) role in suppressing copyright infringement. He said, "People always think Talktalk is pro-piracy but we don't say that and we don't refuse to send notification letters.

    "The key problem is the way the Digital Economy Act (DEA) works, it's effectively and indiscriminately dragnet."

    Heaney said the move to send letters to alleged copyright infringers will "capture innocent subscribers" as it could be others who are using their WiFi. "The letters involve a number of threats and those threats are made to people who have done nothing wrong," he said.

    Heaney criticised the appeals process, which will require users who are accused of infringing copyrights to pay £20.

    "If someone uses my network I'm the one who gets punished. I don't think the appeals process is fair as it assumes you are guilty until proven innocent.

    "No one has given any thought at all as to how a subscriber could prove it isn't them. Then you have to pay £20 for an appeal. It isn't fair," he said.

    It will also cause churn as accused customers move to other ISPs to clear their accounts, said Heaney, and the costs will get passed through to the other customers. He asked, "Is it fair that customers have to pay to protect the copyright of private companies?

    "Our view is, the DEA is unjust and we will continue to fight against it," he added.

    Dominique Lazanski, head of digital policy at the Taxpayers' Alliance, agreed that costs could be passed down to the customer. She said, "We are looking to grow the economy through broadband. Costs will be passed down to the consumers through higher tariffs. What's needed [is to ask], is this a good approach and a good way to spend money?"

    Source

  • Websites 'should carry libel risk for anonymous posts'

    By Emma Griffiths
    October 20, 2011

    Websites should have protection from defamation cases if they act quickly to remove anonymous postings which prompt a complaint, a report says.

    A joint parliamentary committee says it wants a "cultural shift" so that posts under pseudonyms are not considered "true, reliable or trustworthy".

    It says websites which identify authors and publish complaints alongside comments should get legal protection.

    But Mumsnet said the proposal could have a "chilling effect" on websites.

    The report by the joint committee of MPs and peers who examined the draft defamation bill covers a wide range of defamation issues.

    Its recommendations - including more protection for scientists and academics writing in peer-reviewed journals and more work on reducing "unacceptably" high costs of libel cases by encouraging more to be resolved through mediation - have been welcomed by the Libel Reform Campaign.

    'Entirely legitimate'

    The committee also proposes a new "notice and takedown procedure" for defamatory online comments - aimed at providing a quick remedy for those who are defamed and to give websites which use the procedure more legal protection.

    Under the current law, websites are liable for defamatory statements made by their users. If they fail to take down a post when they receive a complaint, they risk being treated as the "primary publisher" of the statement.

    The report says many "entirely legitimate" comments may be removed by websites who are keen to avoid legal liability.

    It recommends that where complaints are made about comments from identified authors - the website should promptly publish a notice of the complaint alongside it.

    The complainant can then apply to a court for a "takedown" order - which if granted, should result in the comment being removed, if the website is to avoid the risk of a defamation claim.

    But where potentially defamatory comments are anonymous, the website should immediately remove them on receipt of a complaint, unless the author agrees to identify themselves, the report says.

    'Mischievous and malicious'

    The author of the comment can then be sued for defamation but if a website refuses to take down an anonymous remark it "should be treated as its publisher and face the risk of libel proceedings".

    The report also says a website could apply to a court for a "leave-up" order - if it considers the anonymous comment to be on a matter of "significant" public interest.

    The committee criticises comments made anonymously, which it says "may encourage free speech but it also discourages responsibility" and sets out moves it hopes will lead to a "cultural shift towards a general recognition that unidentified postings are not to be treated as true, reliable or trustworthy".

    It says the aim of its proposal is to reduce damage "inflicted by the mischievous and the malicious".

    But Mumsnet, a parenting website, says many of its members rely on the ability to ask questions or post comments anonymously.

    Many of the women posting messages do so under a "user name", rather than their real name - and the site is worried the proposal will mean more people demanding messages be taken down.

    Its co-founder, Justine Roberts, said while it was right to stop people from "assassinating the character of others from behind the cloak of anonymity" the report did not recognise how useful anonymous postings were "in allowing people to speak honestly about difficult real-life situations".

    "The recommendations could have a chilling effect on sites like Mumsnet where many thousands of people use anonymity to confidentially seek and give advice about sensitive real-life situations."

    In 2007, the website settled a libel case with Gina Ford, author of the Contented Little Babies book, over comments posted about her by its users.

    A spokeswoman said they received about 10 complaints a month about comments on the site - and "two or three big ones a year" - often from small companies who had been reviewed by its members. It often agrees to take comments down.

    But she said anonymous posts were important to the site - for example in its campaign for better care for women who have miscarried, where they have had a midwife and doctor making anonymous contributions.

    "What we're really keen to do is to say there is some value in it [anonymous posts] and that is very different to being an anonymous troll and waging war on someone.

    "If you think all anonymity is bad you could end up with unintended consequences of removing peer-to-peer support, in particular around sensitive issues."

    Source

  • Supreme Court of Canada Stands Up for the Internet: No Liability for Linking

    Michael Geist
    Wednesday October 19, 2011

    The Supreme Court of Canada today issued its much anticipated ruling in Crookes v. Newton, a case that focused on the issue of liability for linking to allegedly defamatory content. The court provided a huge win for the Internet as it clearly understood the significance of linking to freedom of expression and the way the Internet functions by ruling that there is no liability for a mere hyperlink. The key quote from the majority, written by Justice Abella:

    I would conclude that a hyperlink, by itself, should never be seen as “publication” of the content to which it refers.

    This is an enormous win for the Internet since it rightly recognizes that links are just digital references that should not be viewed as republication of the underlying content. As Abella states:

    Hyperlinks are, in essence, references.  By clicking on the link, readers are directed to other sources.  Hyperlinks may be inserted with or without the knowledge of the operator of the site containing the secondary article.  Because the content of the secondary article is often produced by someone other than the person who inserted the hyperlink in the primary article, the content on the other end of the link can be changed at any time by whoever controls the secondary page.  Although the primary author controls whether there is a hyperlink and what article that word or phrase is linked to, inserting a hyperlink gives the primary author no control over the content in the secondary article to which he or she has linked.

    Abella continues:

    Hyperlinks thus share the same relationship with the content to which they refer as do references.  Both communicate that something exists, but do not, by themselves, communicate its content.  And they both require some act on the part of a third party before he or she gains access to the content.  The fact that access to that content is far easier with hyperlinks than with footnotes does not change the reality that a hyperlink, by itself, is content neutral - it expresses no opinion, nor does it have any control over, the content to which it refers.

    Abella then recognizes the crucial role that linking plays to the dissemination of information on the Internet and to freedom of expression:

    The Internet’s capacity to disseminate information has been described by this Court as “one of the great innovations of the information age” whose “use should be facilitated rather than discouraged”.  Hyperlinks, in particular, are an indispensable part of its operation...The Internet cannot, in short, provide access to information without hyperlinks.  Limiting their usefulness by subjecting them to the traditional publication rule would have the effect of seriously restricting the flow of information and, as a result, freedom of expression.  The potential “chill” in how the Internet functions could be devastating, since primary article authors would unlikely want to risk liability for linking to another article over whose changeable content they have no control.  Given the core significance of the role of hyperlinking to the Internet, we risk impairing its whole functioning.  Strict application of the publication rule in these circumstances would be like trying to fit a square archaic peg into the hexagonal hole of modernity.

    Finally, Abella concludes:

    Making reference to the existence and/or location of content by hyperlink or otherwise, without more, is not publication of that content.  Only when a hyperlinker presents content from the hyperlinked material in a way that actually repeats the defamatory content, should that content be considered to be “published” by the hyperlinker.  Such an approach promotes expression and respects the realities of the Internet, while creating little or no limitations to a plaintiff’s ability to vindicate his or her reputation.  While a mere reference to another source should not fall under the wide breadth of the traditional publication rule, the rule itself and the limits of the one writer/any act/one reader paradigm may deserve further scrutiny in the future.

    There are two additional opinions. Chief Justice McLachlin and Justice Fish emphasize that links could constitute publication if "read contextually, the text that includes the hyperlink constitutes adoption or endorsement of the specific content it links to." This is slightly different from Abella's standard of repeating the defamatory content. Justice Deschamps offers a third opinion that also stands by the position that a mere hyperlink is not defamatory, but focuses on a deliberate act to make the information available as well as the need for a third party to have received and understood defamatory information.

    This decision is amongst the most important the Supreme Court has issued involving the Internet. The court again demonstrates that it recognizes the importance of the Internet for freedom of expression and for the need to promote the ability to use the technology to disseminate information. The court clearly understood both the importance of linking as well as the technology behind a link. The decision rightly places responsibility for defamatory speech where it belongs - with the person who posted the content.  There is still the ability to commence legal action against that person, but subjecting anyone that links to allegedly defamatory content to potential liability would have been very dangerous.

    While the decision is focused on defamation, the court's recognition of the limits of links does raise some interesting questions about other areas of the law including copyright, where some have tried to argue that linking to allegedly infringing content should itself constitute an infringement. This case doesn't decide that issue, but it suggests that the court recognizes that there are important limits on liability for linking.

    Update: Howard Knopf assesses the impact of this decision on Access Copyright's tariff proposal that seeks compensation for linking to recommended or required readings. Knopf argues "If a link or hyperlink by itself does not constitute “publication” for defamation purposes, it is difficult to see how it could, by itself, constitute publication or reproduction or any other activity covered by the Copyright Act."

    Source

  • File-Sharing Admins Jailed For Linking To Copyright Works

    October 18, 2011

    The administrators of two file-sharing sites have been sentenced to fines and a year in jail for linking to copyright works. Breaking a long run of operators being acquitted for similar activities, a Spanish court decided that the act of linking constituted a for-profit “public communication”. The lawyer for one of the defendants has denounced the decision, saying that it can only be understood in “political terms”.

    In common with many similar sites, FenixP2P.com and MP3-es.com carried no content of their own, but instead linked to other locations where content was hosted. A negative ruling against their operators seemed unlikely as Spanish courts have continually acquitted defendants running similar sites.

    It therefore comes as quite a shock to hear that the Provincial Court of Vizcaya has sentenced the operators of both sites not only to fines, but to a year in jail.

    After originally being acquitted, an appeal in the case was brought by ADES (Spanish Association of Distributors and Publishers of Entertainment Software) and Promusicae, the well-known recording industry outfit.

    While the court agreed that neither site actually hosted any infringing content, it noted that the defendants organized and made available links which enabled free downloads of copyright works, from which they intended to profit via advertising.

    Crucially, the Court of Vizcaya viewed linking very differently to other courts handling similar cases in the past, when it described the act as “communicating to the public” and not an exchange between individuals.

    Lawyer for FenixP2P, Carlos Sanchez Almeida, says the decision is completely wrong and can only be viewed as a political statement.

    “FenixP2P was a P2P links page that all courts have declared exempt from criminal liability in recent years,” he explained.

    “Given the general atmosphere in the country after the internet campaign against the Sinde Law, a statement like this can only be understood in political terms.

    “The Provincial Court of Vizcaya did not hear directly from experts and witnesses, in violation of the principles of contradiction and immediacy,” he added.

    Almeida says he is considering his response to the decision, possibly to include an appeal to the Constitutional Court and even the European Court of Human Rights.

    Source

  • RIAA-led mob threatens innovation, Senator warns

    By Iain Thomson
    October 18, 2011

    Content industry using 'cluster bomb' on tech sector

    Web 2.0 Summit: Attempts by the content industry to pass legislation like the Protect IP Act are the greatest threat to technology innovation, a senior US Senator told delegates at the Web 2.0 summit in San Francisco.

    Ron Wyden, the senior Democratic senator for Oregon, was scathing in his criticism of organizations such as the RIAA for their role in crafting the legislation, and their spending to support politicians who back it. He said that the act attacked some of the fundamental principles of the internet and he was happy to have placed a public hold on the legislation to stop it becoming law.

    “Social media needs to understand what the threat is, the threat to innovation of some of these policies,” he said. “We’re going to have to fight back. This is a question of whether the content sector can use the government as a club to go after the innovation sector and everything it represents.”

    Protect IP would allow the seizure of domains, he explained, and would effectively cede authority over the internet to private companies. It may damage hyperlinking and could also have a harmful effect on cybersecurity as well. Intellectual property must be defended, but not at the cost currently proposed.

    “This is a cluster bomb where you should be going in with a laser, and the collateral damage to innovation and freedom is huge," he said.

    Wyden was also scathing about the Patriot Act, pointing out that there were in fact two forms of the legislation, the public law and the interpretation of it by government - the latter being secret. He said that if the American people could see what the secret interpretation was they would be surprised and angry. He said he would love to lay out the way the act was being used, but was bound by secrecy rules. The New York Times is currently suing the government for refusing to disclose information on the Patriot Act.

    The main problem with Washington, he said, was money. The US Supreme Court's Citizens United verdict, which allows unlimited campaign contributions by corporations, was enormous and moving the country away from democracy.

    “Citizens United basically took the doors off the democratic process. The idea that powerful special interests, across the board, doesn’t even have to identify itself when spending these huge sums is a moral blot.”

    Source

  • Facebook Wants to Issue Your IRL Offline ID & Internet Driver's License

    By Ms. Smith
    October 17, 2011

    At the start of this year, it seemed as if Facebook wanted to utilize its identity infrastructure already on millions of websites in order to issue your Internet driver's license. Apparently that wasn't aiming quite take-over-the-world high enough, since it now appears as if Facebook, via a trademark application, wants to issue your in-real-life offline identity cards as well.

    At the start of this year, it seemed as if Facebook wanted to utilize its identity infrastructure already on millions of websites in order to issue your Internet driver's license. Apparently that wasn't aiming quite high enough, since it now appears as if Facebook has future plans to issue your offline identity cards as well. Facebook filed for a trademark for "goods and services" to use Facebook on "cards, namely business cards and non-magnetically encoded identity cards" that could be read by NFC and RFID-enabled devices. If that didn't make you shiver, then the new trademark application states, the "business card and identity card design services" and "printing services" would be for "facilitating social and business networking through the provision of data for use on business and identity cards."

    Like Google Plus, Facebook regards pseudonyms as a sin and wants to kill off anonymity. Many sites have cut back on comment spam, though, by requiring Facebook Connect which in turn requires a user's real identity. Countless millions of websites have avoided the headaches and hassles of managing their own identity system by implementing the free and easy code for Facebook Connect to manage online identities. In fact, logging in, "liking" and sharing via Facebook has literally become a critical part of the Internet's identity infrastructure.

    Another emerging potential giant game-changer is the ability for people to use their mobile devices with near field communication (NFC) technology to interact with everyday situations, objects and people. NFC can be used to exchange data between two devices that are close to each other. The Google Wallet app is expected to be huge since it will store virtual copies of your credit cards for easy and fast payment at checkout. Other eCommerce NFC apps could be used for boarding passes or for purchasing airline, movie, concert, or other event tickets. On the social networking side, NFC allows for fast file sharing, to pass out electronic business cards, to enter a multiplayer mobile game, or to "touch NFC devices together to Facebook friend each other."

    Why wouldn't Facebook want to take advantage of its "identity management" to conquer the offline world as well? The filed trademark suggests the Facebook ID cards could work with NFC and RFID. "Smart tap" RFID and magstripe products "have been used in many different fields, such as finance, telecommunications, security, tax, parking, hospitals, retail and hotels." Even Windows 8 will include built-in NFC functionality, sending hardware and software firms scrambling to take advantage of the tap-to-share NFC RFID functionality.

    When President Obama put the U.S. Commerce Department in charge of an "identity ecosystem," a cybersecurity attempt to give each American a unique Internet ID, many folks were leery to trust a government-sponsored ID system. This was around the time that Facebook's potential plans of wanting to issue your Internet driver's license came to light. As Facebook gobbles up opportunities to offer more goods and services, could it be aiming to be its own online and offline ID system, and then offer a credit card service at a later date? Put that way, Facebook could be the first and last stop for about anything.

    How many times has Facebook made automatic opt-in changes that users had to go opt-out in order to protect their privacy? The cybersecurity push to verify online identity is huge. However, it seems ironic that Facebook, which continues to outrage users by making horrible privacy mistakes and does not seem to know what privacy-by-design even means, would be declared as the company to issue security and privacy-enhancing management of any kind. As for security, users are usually the weak link and very susceptible to social engineering. While it's not exactly Facebook's fault, nearly every day Sophos' Graham Cluley sounds the alarm on Naked Security of Facebook phishing scams that hook unsuspecting users, hijack accounts or infect systems with malware.

    Of course it seemed like an asinine idea to me when, nearly a year ago, a New Zealand bank became the world's first to allow online Facebook banking; if logged into Facebook, bank customers could access their banking account information. In light of Facebook's new trademark application to control in-real-life identities, TMCnet asked, "How long before we hear the TSA say, 'Boarding pass and Facebook ID please?'"

    I can almost hear the big evil muhahaha coming from Zuck with his possible plan to take over and rule the online and offline world with Facebook.

    I don't understand why more people don't run from and "unfriend" Facebook like this Dear John letter by James Campbell.

    Source

  • Combating the Government's Online Spying PR

    by Reilly Yeo
    October 14, 2011

    We've been working overtime to alert Canadians to the costly, invasive, and poorly thought-out nature of the government's proposed new online surveillance legislation. Imagine our reaction, then, when Vic Toews, the Minister responsible for the bill, went on record in the House of Commons claiming that the government's approach is "on par with the phone book."

    Toews then repeated this phrase in Letters to the Editor of a set of New Brunswick papers (the Daily Gleaner, Times & Transcript, Telegraph Journal, & L'Étoile) owned by the media mogul James Irving. Toews is putting the word out quite far from his home riding in Manitoba (where we ran an ad of our own last month). Toews didn't leave out his home riding though: he also published a blog on a community website repeating the same misrepresentation of the proposed laws.

    But perhaps the most potentially damaging place this idea is appearing is in direct emails from Conservative MPs to their constituents. Supporters using our Email Your MP tool have been forwarding us responses from their MPs, which all go a little something like this:

    "On the issue of privacy, our approach strikes an appropriate balance between the investigative powers used to protect public safety and the necessity to safeguard the privacy of Canadians.

    Our proposed approach of linking an Internet address to subscriber information is on par with the phone book linking phone numbers to an address."

    There's clearly a concerted effort by the government to paper over concerns with disingenuous talking points.

    The "phone book" comparison has been around for a while—Jesse Brown did a good job taking the comparison apart in Macleans in April. But we think Annastacia Dickerson puts it best on OpenMedia.ca's Facebook wall:

    "...while a phone book stops at listing a person's name, address and phone number, online spying would forge ahead in collecting and storing an individual's anonymous user names, online browsing history and commentary, social network activity, global positioning, etc... An individual has a freedom to choose to 'unlist' their contact information in a phonebook. This is not the case with the proposed legislation."

    Thanks Annastacia and everyone else who has been helping us combat the government's misleading PR campaign.

    As the EFF put it,

    "Your IP address can tell authorities what websites you visit and who you communicate with. It could reveal otherwise anonymous online identities, your social networking contacts, and even at times your physical location via GPS. Just this amount of data linked to your real identity could be used to create a nicely detailed police profile—all without any suspicious activity or legal justification."

    The facts are clear: the online spying plan will allow authorities to access the private information of any Canadian at any time, without a warrant. Obfuscating the real privacy implications of the legislation and the potential for our data to fall into the wrong hands is extremely irresponsible. It is unfortunate that the government has reacted to reasonable concerns with a highly coordinated effort to cover up the dangers of this legislation with misleading talking points.

    It's a crucial time—we need to complete and launch our new Letter to the Editor tool, which will help supporters get the message that online spying is warrantless, invasive, and costly into papers across the country.

    Source

  • Verizon users must 'opt in' for privacy

    By Bill Ray
    October 17, 2011

    You are the product, even if you're paying for the service

    US operator Verizon Wireless is to log, and sell, customers' browsing and location history, unless the customers specifically opt out of being tracked at every turn.

    Only anonymised data will be sold, according to an email sent out to customers and an update of the telco's privacy policy, but internally Verizon will use profiles of its customers based on the URLs visited, the handset and features they use, as well as their physical location. Personal data will be used for accurate delivery of advertisements, while anonymous statistics will be sold to analysts and other interested parties.

    That means a website that discovers it is receiving significant traffic from Verizon customers (based on the originating IP address) could ask the operator for a breakdown by age, or gender, for a fee. Meanwhile an advertiser could ask Verizon to target customers of a specific demographic, using a specific model of phone, within a specific location, unless the customers have manually opted out of the system.

    Profiling customers is something many operators do, but generally with the permission of those customers and in exchange for a bribe of some sort. In the UK, O2 More and Orange Shots both promise exclusive offers and tokens, and the popularity of both services proves customers will exchange privacy for cheap stuff, but Verizon is taking that stage further by assuming consent and failing to offer a bribe.

    Customers may decide to opt out, but the operator warns that "You will receive mobile ads whether you participate or not, but under the advertising program, ads may be more relevant to you".

    All mobile operators are sitting on mountains of information, in fact the pure volume of data often intimidates operators into shying away from making use of it. Five years ago Malaysian operators were mining call records to identify popular teenagers, to discover who's worth advertising to, in one example of just how far operators could go.

    In Europe the operators have moved very cautiously, with opt-in schemes such as O2 More and Orange Shots, as legislators stand ready to knock them back at the first sign of customer backlash.

    In the USA privacy hasn't been such a big deal, and Verizon is taking a significant step forwards in assuming consent for targeted advertising and reselling of demographic data; it will be up to the customers to decide if they're prepared to let that happen.

    Source

  • Britain's broadband censors: a bunch of students

    By Nicole Kobie
    October 17, 2011

    A small team of students decides what content should be blacklisted by several of Britain's leading ISPs, McAfee has admitted.

    McAfee creates blacklists of online content, categorising sites into pornography, gambling or 30 other definitions, in order to let ISPs block them.

    BT and Sky use McAfee's lists for their parental controls, which a new Government-sponsored code of conduct requires them to offer to all customers. The system is already used by tens of thousands of users around the world, McAfee said.

    However, there's no way to view the list of sites that are blocked and appeals are at the discretion of McAfee, meaning incorrectly categorised sites could be wrongfully blocked. And, despite the inherent subjectivity in labelling pornography and the like, the categorisation of such websites is left to a small team with little training.

    The overall process is mostly automated, with McAfee's system looking for keywords on a site to classify it. "We have crawlers that try to classify websites automatically," Toralv Dirro, a security strategist at McAfee's Avert labs told PC Pro. "If there's any doubt, we do have a team of people that take a look at a website and correct a classification if it's necessary."

    The team also looks at more sensitive subjects, such as pornography. “In those cases, it takes a human to take a look at it, to figure out if it’s more hardcore or if it’s more of an erotic website – that’s really something that automation couldn’t do reliably.”

    Rating team

    The team responsible for covering McAfee's customers worldwide is made up of between five and ten people. "I think it's a fairly popular job for students," Dirro said. "The training is basically going through a number of websites and the various ratings so they get a basic idea. I'm not quite sure how exactly they work, but it would normally be one person who does a rating and one person who double checks it."

    “You could probably start rating websites after one day of seeing various categories," he said. "It’s really not that difficult.”

    However, he admits the very sites the small team is asked to judge are those that are the most subjective. "Drawing the line between erotic and hardcore pornography is probably the most difficult," he said. "Another thing is websites that go into extreme left or right side [politically], but still do news or something like that."

    "So that can be difficult to differentiate between a normal website and one categorised as hate or something like that," Dirro said. "There is very often a grey zone. That is why we have that team of people and their judgement to do that."

    "With pornography, it also depends on the cultural aspect, what you think pornography is," Dirro admitted. "In the Middle East, people think completely differently about what pornography is than the UK, for example. So there are several categories, such as hardcore pornography or erotic websites."

    Dirro admitted there can be difficulties when a mainstream site features material that could be deemed pornographic to some people.

    "Maybe they had pornographic or erotic stuff on their site, which for example could happen with a newspaper site, if they have the 'Page 3' picture of a woman on the front page, then it may suddenly be rated as erotic," Dirro noted. "But then when the picture vanishes, it could be rated as a normal site."

    Normally, the entire site would be banned, not only the offending page. However larger sites such as The Sun have "markers" to prevent them from being slotted into a category and subsequently blocked.

    "If it's a small news site with erotic content on it, this could be one of the cases where it's wrongly classified, and we'd have to go and fix it."

    Appeals

    The lists aren't made public, and McAfee doesn't notify sites when they're added, so it's difficult to know which are blocked unless you're using the service.

    "The list is constantly changed and updated... there's no way you can obtain the complete list from us," Dirro said, adding McAfee would never publish the full list for intellectual property reasons. "If you published that list, anyone could just take it and use it and create their own products. For this reason alone it simply won’t happen that we release that list."

    A site owner could contact McAfee and ask if it's been put in any categories, but it's not easy to get the full picture. "We're not the only company that offers that kind of rating, so then they'd have to send an email to what, 50 companies on the planet? 100?"

    If a site has been wrongly categorised, which Dirro admitted does happen, the site owner can open a ticket with support to get it changed. If McAfee refuses to change it, there's "not really much" that a site can do, Dirro admitted. End users can add manual exclusions to access a site if they want to see one that's been blocked, however.

    Dirro said he's "not aware" of any legal action taken against McAfee because of a site being categorised incorrectly.

    Source

  • Building Consensus: The EFF, the NDP, and the Green Party

    Lindsey Pinto
    October 14, 2011

    It's an exciting time for Internet defenders! The Green Party, the NDP, the Canadian Civil Liberties Association (CCLA), and the highly-revered international digital rights organization, the Electronic Frontier Foundation (EFF), are all lending their support to the Stop Online Spying campaign.

    First off, the Green Party of Canada has come out against the proposed electronic surveillance laws, and championed the Stop Online Spying campaign in an email to their supporters:

    Your voice can change things, as proved by a campaign by OpenMedia which was successful in removing the online “spying” bills from the omnibus crime bill and presenting them separately: “After months spent decrying the bills as invasive, costly, and poorly thought out the government’s move to remove warrantless electronic surveillance from the omnibus is a clear step forward,” says Steve Anderson, executive director of OpenMedia.ca, the coordinating organization behind the Stop Online Spying coalition.

    The Green Party is holding us up as an example of successful citizen engagement—if there was ever an indication that we're winning, this is it. We're proud to have this increasingly influential federal party on board with the campaign, advocating for Canadians' access to the open, surveillance-free Internet. Thanks, pro-Internet community, for spreading the word and making this happen.

    The NDP has also taken a stand against online spying. In a press release today, they let Canadians know that Privacy Critic Charlie Angus and MP Charmaine Borg sent a letter to the Conservatives' Public Safety Minister Vic Toews, asking for answers about the upcoming online spying bills. They write:

    “Canadians are pushing back against this bill. And little wonder. Lawful Access would require your local cell-phone or internet service provider to be used as surveillance tools without your knowledge.”

    When it comes to free speech, privacy, innovation, and consumer rights around the world, the EFF represents the best of the good guys, and we're delighted to have them on-side as well.

    The EFF Activist Team wrote to their supporters, telling them that "the Canadian government has embarked on a reckless crusade to quietly turn Canada into an unchecked surveillance state." They encourage friends of digital rights to sign the petition at http://StopSpying.ca and to then go a step further:

    Tell your Canadian friends that putting their fellow citizens under digital surveillance should require a warrant and notification to subscribers. Insist that the Canadian Parliament thoroughly vets this reckless legislation and ensures that any "lawful access" scheme includes robust oversight and effective audit and reporting requirements.

    The EFF's Annie Harrison also co-authored a piece with their International Rights Director Katitza Rodriguez. In it, they described the Canadian pro-Internet community's fight against warrantless online spying legislation, and called readers to action:

    Canadians have so often been a voice of calm reason during international debates; now we must come to their defense before the right to privacy and anonymous free expression in Canada is gutted like – well, a fish.

    Strong stuff.

    The CCLA is also encouraging its members and supporters to express their concerns about the proposed legislation by adding their names to the Stop Online Spying petition. This group has been with us from the start—they're founding members of the Stop Online Spying Coalition, appeared in the mini-documentary and are very pro-Internet overall.

    We here at OpenMedia.ca want to thank the Green Party, the NDP, the EFF, and the CCLA for taking action on this issue, and we welcome any and all of their supporters to the campaign.

    Also, to the pro-Internet community at home, thanks for all the work you've done to spread the word, and getting large international rights organizations like this one to take notice. With your help, we're building much-needed consensus around the Stop Online Spying campaign.

    Source

  • Facebook accused of violating US wiretap law

    By Dan Goodin
    October 14, 2011

    'Like' cookies tracked users, even when logged out

    A Mississippi woman has accused Facebook of violating federal wiretap statutes by tracking her internet browsing history even when she wasn't logged onto the social networking site.

    In a lawsuit filed on Wednesday in federal court in the northern district of Mississippi, Brooke Rutledge of Lafayette County, Mississippi, also asserted claims for breach of contract, unjust enrichment, trespassing, and invasion of privacy.

    The complaint, which seeks class-action status so other users can join, comes three weeks after Australian blogger Nik Cubrilovic published evidence that Facebook “Like” buttons scattered across the web allowed Facebook to track users' browsing habits even when they were signed out of their accounts.

    “Leading up to September 23, 2011, Facebook tracked, collected, and stored its users' wire or electronic communications, including but not limited to portions of their internet browsing history even when the users were not logged-in to Facebook,” the 17-page complaint stated. “Plaintiff did not give consent or otherwise authorize Facebook to intercept, track, collect, and store her wire or electronic communications, including but not limited to her internet browsing history when not logged-in to Facebook.”

    The complaint claims the behavior violated provisions of Facebook's own privacy policy that state: “If you're logged out or don't have a Facebook account and visit a website with the Like button or another social plugin, your browser sends us a more limited set of information. For example, because you're not logged in to Facebook, we don't receive your User ID.”

    But according to Cubrilovic, Facebook cookies containing unique identifiers remain on a user's hard drive and are sent back to the social network each time he visits a third-party site containing a Facebook Like icon.

    “Even when you are logged out, Facebook still knows and can track every page you visit,” Cubrilovic wrote.

    Facebook has since said that many of the cookies Cubrilovic referred to are intended to foil spam and phishing attacks and that not all of the data sent back to the social networking site is logged.

    Wednesday's complaint is the latest to seek redress for alleged privacy violations that result from cookies and other files that websites use to track the browsing habits of their visitors. In the past 18 months, Disney, Microsoft, McDonalds, and others have all been sued, often for using technologies that respawn tracking cookies even after users have deleted them. Many of them have been tossed out of court because plaintiffs couldn't quantify monetary damages that resulted from the practice.

    Facebook representatives didn't respond to an email seeking comment for this post.

    Source

  • Undercover Cops and Politicians Escape BitTorrent Lawsuits

    October 13, 2011

    Court papers filed in one of the mass-lawsuits against BitTorrent users reveal some interesting facts. In an attempt to justify suing dozens of people at once, the attorney claims that this is a practical issue. Apparently the copyright holder has decided to throw out a lot of cases, because the defendants have died, are political or public figures, employed by the army, or part of a covert police operation.

    In federal courts all across the U.S. hundreds of thousands of alleged BitTorrent users have been targeted by copyright holders.

    In recent months many of these defendants walked free because various judges ruled – for a wide range of reasons – that copyright holders should file individual lawsuits instead of joining many in one suit to save costs.

    This week the attorney for adult company K-Beech, bankruptcy expert James C. White, submitted a rather incoherent declaration to the court where he argues the opposite.

    In response to motions from defendants, White explains that these mass-lawsuits are warranted because not all the IP-addresses they filed suit against are actually targets worth pursuing. To keep the costs low, joining these IP-addresses in one suit is therefore a practical (and financial) consideration.

    Although the above holds no ground as far as the law is concerned, the lawyer does review a few interesting details about the IP-addresses they target. As it turns out, even undercover cops have been caught red-handed, downloading and sharing porn.

    “In similar copyright infringement suits filed by Plaintiff’s lawyers across the country, a police department running a covert investigation was identified as a John Doe defendant, and Plaintiff voluntarily dismissed that John Doe,” White explains.

    Besides undercover cops, the adult entertainment company also has a policy of dismissing their cases against military personnel stationed overseas, according to the lawyer. The dead and famous are not settlement material either.

    “Several of the John Doe Defendants have died prior to being identified. Several John Does have been public or political figures who Plaintiff did not choose to sue,” White writes.

    Although it’s no surprise that dead people are not the easiest group to settle with, it’s unclear why politicians and public figures have to be excluded. This group generally speaking can afford to pay a settlement fee, and as the settlements are undisclosed the press would never find out. It’s also possible, however, they may just put up an embarrassing and potentially expensive fight.

    The lawyer then goes on to name several instances where it’s impossible for them to find out who the real infringer is. This causes even more IPs to be dropped from the initial list of defendants.

    “Myriad IP addresses trace back to multiple dwelling units such as apartment complexes, universities, coffee shop Wifi hotspots, casinos and domestic violence shelters,” White continues. “IT personnel at these entities have often tried to trace hits to actual individuals, but it most often proves impossible.”

    And then there’s the issue of “data loss.” Apparently Internet providers can’t cough up details on more than 10% of their subscribers. K-Beech’s lawyer discovered this serious issue, which means the administration at all ISPs must be a complete mess.

    “Plaintiff loses 10% -15% of the Doe identities it subpoenas nationally due to ISP data failure or deletion issues,” he writes.

    The potential pool of defendants is then even further reduced because Internet subscribers get new IP-addresses every so often. As a result, K-Beech sued the same person so many times that it couldn’t even keep count.

    “Due to the dynamic ISP [sic] issue, Plaintiff has sued the same Doe Defendant innumerable times in several joined suits across the country,” White explains.

    Of course none of the above is a very good legal argument for joining this many defendants in one lawsuit. Not in legal terms at least. But in yet another twist White argues that it’s not only pragmatic to file a mass-lawsuit, but that it is also in the best interests of their business model.

    “Increasing the costs associated with this litigation by forcing Plaintiffs to file individual suits would only increase the settlement demands and make settlements less probable.”

    That would be a shame of course, as it would result in a far less profitable scheme. But would a judge see that as a valid legal argument? We doubt it.

    All in all the above shows that copyright holders are quite selective in picking their targets. It also showed BitTorrent users who don’t have money to settle their case or fight it, that there’s another option to make it go away.

    Join the army…

    Source

  • German states defend use of 'Federal Trojan'

    By John Leyden
    October 12, 2011

    Skype-snooping Bundestrojaner legal, insists gov

    Five German states have admitted using a controversial backdoor Trojan to spy on criminal suspects.

    Samples of the so-called R2D2 (AKA "0zapftis") Trojan came into the possession of the Chaos Computer Club (CCC), which published an analysis of the code last weekend.

    German federal law allows the use of malware to eavesdrop on Skype conversations. But the CCC analysis suggests that the specific Trojan it wrote about is capable of a far wider range of functions than this – including establishing a backdoor on compromised machines and keystroke logging. The backdoor creates a means for third parties to hijack compromised machines, while the lack of encryption creates a mechanism for miscreants to plant false evidence. The CCC slams the code as being both "amateurishly written" and illegal.

    Although the Federal police denied using this specific Trojan, at least five German states – including Baden-Württemberg, Brandenburg, Schleswig-Holstein, Bavaria and Lower Saxony – have admitted that local police have used the spyware, Deutsche Welle reports. The so-called "Bundestrojaner" (Federal Trojan) has been used in criminal cases, some involving drug investigations, for around two years.

    Local government officials said the Trojan was used within the law, contrary to CCC's claims. Bavarian Interior Minister Joachim Herrmann said local authorities had acted within the law but nonetheless offered to review the use of the technology.

    Justice Minister Sabine Leutheusser-Schnarrenberger said that federal and state governments ought to mount a joint investigation into the technology. The sample of the Trojan obtained by the CCC was apparently placed on a suspect's laptop when he passed through customs at the Munich International airport. German lawyer Patrick Schladt, the defence lawyer in the case, handed over the laptop to the CCC, with the permission of his client.

    Documents leaked via WikiLeaks suggest that the German Customs Investigation Bureau purchased surveillance services from German software developer DigiTask valued at more than €2m. The same set of documents suggest that DigiTask develop a commercial Trojan intended for law enforcement called Skype Capture Unit. This is significant because the installer file uses the filename scuinst.exe, short for Skype Capture Unit Installer.

    Net security firm F-Secure hasn't seen the Trojan in the wild but it has seen the installer file numerous times since December 2010. That's because the installer was submitted to VirusTotal multiple times. VirusTotal analyses suspicious files using multiple antivirus engines. The service shares uploaded files with participating security firms, so anyone who uploaded the file must have cared little about keeping the technology secret and therefore effective for longer, or they were incompetent, as net security firm F-Secure notes.

    Net security firm Sophos has put together a well-written and comprehensive FAQ on the R2D2 (AKA "0zapftis") Trojan here.

    Source

  • Verizon Wireless To Mine Your Usage Data For Marketing And Ads

    By Kelly Hodgkins
    Oct 12, 2011

    Verizon is reportedly changing its privacy policy in a way that'll let the carrier monitor your usage and mine that information for marketing reports and targeted ads.

    The new privacy policy will gather a long list of information including URLs, search terms, location information, app usage and feature usage. And if that isn't enough, Verizon will monitor how you use your calling plan and what mobile phones you buy. It'll also compile your demographic information. The only stuff it won't plunder is your identifying information which is off-limits and will not be shared.

    Verizon plans to use this information internally to serve up targeted ads and generate marketing reports. It'll also share this data with third-party companies to create even more marketing reports. If you find this collecting and sharing a bit unsettling, you can at least opt out by calling Verizon at 1-866-211-0874 or by filling out this web form.

    Source

  • UK anti-piracy law challenged

    October 11, 2011

    Two of the UK's biggest internet service providers (ISPs) are continuing their battle against the controversial Digital Economy Act (DEA) and have won an appeal against it.

    BT and TalkTalk have been given the green light to appeal against a High Court ruling that rejected the majority of their complaints about the law. They argue that the anti-piracy legislation infringes EU legislation by forcing ISPs to contact broadband customers who are suspected of engaging in illegal file sharing.

    Under the DEA, broadband providers can be forced to send letters to account holders threatening legal action if they continue to infringe copyright laws.

    BT and TalkTalk believe the act is in contravention of the EU's technical standards, authorisation, e-commerce and privacy, and electronic communications directives.

    EU directives on data protection and electronic privacy control how organisations gather, process and use information online. They also govern what information can be gathered from electronic communications and state that ISPs should not be responsible for material sent over their network unless informed about infringements of the law. It has been decided that information obtained from IP addresses to identify users is personal data but that it is acceptable for copyright holders to use this information to seek redress for copyright violation.

    BT and TalkTalk said that the DEA only allowed copyright holders to use the information if they were certain that they would proceed with legal action, but this idea was rejected in a judicial review.

    Nevertheless, a BT spokesperson stated that "We're pleased to have been granted permission to appeal the High Court judgement and we now expect the hearing will take place as soon as possible."

    While the appeal has been welcomed by BT and TalkTalk, it has prompted criticism from rights holders in the TV, music and film industries. Critics of the decision expressed disappointment, stating that it represents a further delay to the implementation of the government's anti-piracy measures. Nevertheless, they are pleased that the appeal hearing will be fast tracked, and expect the appeal to uphold the High Court's ruling.

    Source

  • VeriSign demands website takedown powers

    By Kevin Murphy
    October 11, 2011

    No court order necessary

    VeriSign, which manages the database of all .com internet addresses, wants powers to shut down "non-legitimate" domain names when asked to by law enforcement.

    The company said today it wants to be able to enforce the "denial, cancellation or transfer of any registration" in any of a laundry list of scenarios where a domain is deemed to be "abusive".

    VeriSign should be able to shut down a .com or .net domain, and therefore its associated website and email, "to comply with any applicable court orders, laws, government rules or requirements, requests of law enforcement or other governmental or quasi-governmental agency, or any dispute resolution process", according to a document it filed today with domain name industry overseer ICANN.

    The company has already helped law enforcement agencies in the US, such as the Immigration and Customs Enforcement agency, seize domains that were allegedly being used to sell counterfeit goods or facilitate online piracy, when the agency first obtained a court order.

    That seizure process has come under fire because, in at least one fringe case, a seized .com domain's website had already been ruled legal by a court in its native Spain.

    Senior ICE agents are on record saying that they believe all .com addresses fall under US jurisdiction.

    But the new powers would be international and, according to VeriSign's filing, could enable it to shut down a domain also when it receives "requests from law enforcement", without a court order.

    "Various law enforcement personnel, around the globe, have asked us to mitigate domain name abuse, and have validated our approach to rapid suspension of malicious domain names," VeriSign told ICANN, describing its system as "an integrated response to criminal activities that utilize Verisign-managed [top-level domains] and DNS infrastructure".

    The company said it has already cooperated with US law enforcement, including the FBI, to craft the suspension policies, and that it intends to also work with police in Europe and elsewhere.

    It's not yet clear how VeriSign would handle a request to suspend a .com domain that was hosting content legal in the US and Europe but illegal in, for example, Saudi Arabia or Uganda.

    VeriSign made the request in a Registry Services Evaluation Process (RSEP) document filed today with ICANN. The RSEP is currently the primary mechanism that registries employ when they want to make significant changes to their contracts with ICANN.

    The request also separately asks for permission to launch a "malware scanning service", not dissimilar to the one recently introduced by ICM Registry, manager of the new .xxx extension.

    That service would enable VeriSign to scan all .com websites once per quarter for malware and then provide a free "informational only" security report to the registrar responsible for the domain, which would then be able to take remediation action. It would be a voluntary service.

    RSEP requires all registries including VeriSign to submit to a technical and competition evaluation.

    Sometimes, ICANN also opens up an RSEP question to public comment, as seems likely in this case.

    But ICANN's board of directors would have to make the ultimate decision whether to approve the anti-abuse policy and the malware-scanning service.

    VeriSign is already anticipating that there may be criticisms from internet users "concerned about an improper takedown of a legitimate website" and told ICANN it plans to implement a "protest" policy to challenge such decisions.

    The company's move echoes policy development in the UK, where .uk registry Nominet is in the late stages of creating rules that would allow it to suspend domains allegedly involved in criminal activity at the behest of law enforcement.

    Source

  • As Expected, Alternative DNS Systems Sprouting Up To Ignore US Censorship

    by Mike Masnick
    October 11, 2011

    from the not-like-people-weren't-warned dept

    After the US government, via Homeland Security's Immigration and Customs Enforcement (ICE) division, started seizing domains without any notification or adversarial hearing (things that most of the world would consider to be reasonable due process), some folks quickly put together a browser extension, called MAFIAAfire, that would route around any ICE seizures and take you directly to the sites whose domains had been seized. This is, as the internet saying goes, a form of seeing censorship as "damage" and routing around it. Of course, that could be done on a much larger scale. As a bunch of the folks who built key pieces of the core internet infrastructure warned, continuing this kind of policy (and extending it with PROTECT IP) will lead to more workarounds that inevitably will fracture key pieces of the internet and make it significantly less secure. Supporters of PROTECT IP refuse to heed this warning -- and, from what we've heard -- refuse to compromise and make sure that the basic functioning of DNS will be protected.

    So now, totally as expected, we're already seeing alternative DNS systems showing up, advertising that they should be used to route around US government censorship of such websites. The one getting attention these days is called BlockAid.me.

    What's just as stunning as the fact that supporters of PROTECT IP still can't figure out how this is really, really bad, is that they also don't realize how this pretty much destroys any argument the US makes around the globe in trying to protest political censorship. Some claim it's entirely different, but it's not. Both involve a government entity deciding that websites cannot be reached without a trial. This makes the US look ridiculous in the eyes of the world, but I guess as long as it makes sure that Universal and Warner Bros. can prop up their profits for a few more years... it's all good.

    Source

  • ISPs "exaggerate the cost of data"

    By Barry Collins
    October 7, 2011

    ISPs are over-egging the costs of meeting the ever-increasing demand for data, according to a new report.

    Both fixed and mobile providers have claimed that increased internet traffic has resulted in "ballooning" costs for networks. Some ISPs have argued that content providers should pay them to help meet the cost of supplying bandwidth-intensive services such as the BBC iPlayer.

    However, a new report commissioned by content providers - including the BBC, Channel 4 and Skype - claims the costs of delivering additional internet traffic have been wildly exaggerated by the ISPs.

    "Traffic-related costs are a small percentage of the total connectivity revenue, and despite traffic growth, this percentage is expected to stay constant or decline," claims the report, written by telecoms experts Plum Consulting.

    The report claims the cost of delivering additional gigabytes of data is mere pennies. "Studies in Canada and in the UK... put the incremental cost of fixed network traffic at around €0.01-0.03 per GB."

    The report concedes that the costs of adding capacity on mobile networks "are significantly higher than they are for fixed networks" because "the radio-access network is shared by users".

    However, it claims forthcoming 4G technologies will significantly reduce those costs. "Forward-looking estimates which take account of the transition to LTE [Long Term Evolution], additional spectrum and traffic subscriber growth... puts the cost to the mobile network operators at under €1 per GB," Plum Consulting claims.

    As the report states, that cost is "well below existing smartphone data tariffs of around €10 per GB".

    Describing claims of ballooning costs as a "myth", the report concludes that "for fixed networks, traffic-related costs are low, falling on a unit basis and likely to fall overall given declines in traffic growth and on-going cost-reducing technical progress".

    Mobile network data costs are also "declining on a unit cost basis".

    "Rubbish" figures

    ISP representatives claim the figures quoted in the report are inaccurate. "The reality is bandwidth is shooting up," said Trefor Davies, CTO of communications provider Timico and a member of the board at the Internet Service Providers' Association (ISPA). "Bandwidth is by far the greatest proportion of cost for an ISP."

    Davies said this is especially the case for smaller ISPs who rent lines on a wholesale basis from BT. "It's very much you pay for what you use," he said. "If you use twice as much bandwidth, you're going to be paying twice as much."

    Even for ISPs running their own network, such as BT, Davies claims the figures of €0.01-0.03 per GB are "rubbish". "It's an order of magnitude greater than that," he claimed.

    Source

  • German government accused of spying on citizens with state-sponsored Trojan

    By Ed Bott
    October 8, 2011

    Summary: A well-established group of German hackers has accused the German government of releasing a backdoor Trojan into the wild. Security firm F-Secure has confirmed that the program includes a keylogger and code that can take screenshots and record audio.

    A well-established group of German hackers, the Chaos Computer Club, has accused the German government of releasing a backdoor Trojan into the wild. According to Mikko Hypponen of F-Secure, the announcement was made public on the group’s website in the form of a 20-page PDF (in German).

    The accompanying English-language post claims the group reverse-engineered and analyzed the program, which it calls “a ‘lawful interception’ malware program used by German police forces”.

    It has been found in the wild and submitted to the CCC anonymously. The malware can not only siphon away intimate data but also offers a remote control or backdoor functionality for uploading and executing arbitrary other programs. Significant design and implementation flaws make all of the functionality available to anyone on the internet.

    The trojan can, for example, receive uploads of arbitrary programs from the Internet and execute them remotely. This means, an “upgrade path” from Quellen-TKÜ to the full Bundestrojaner’s functionality is built-in right from the start. Activation of the computer’s hardware like microphone or camera can be used for room surveillance.

    According to the CCC, Quellen-TKÜ means “’source wiretapping’ or lawful interception at the source” and Bundestrojaner means “federal trojan” and is “the colloquial German term for the original government malware concept.”

    The group includes a screen shot purporting to show the Trojan in action.

    According to the report, the CCC wrote its own remote control program that wrested control of the Trojan, which consists of a Windows DLL and a kernel driver. That allowed the group to analyze the program’s behavior and determine that it goes well beyond the ability to “observe and intercept internet based telecommunication” (in other words, wiretapping Internet-based telephony), which is allowed by German courts.

    Here’s a partial list of what the CCC analysis uncovered:

    The trojan can … receive uploads of arbitrary programs from the Internet and execute them remotely.

    Activation of the computer’s hardware like microphone or camera can be used for room surveillance.

    [T]he design included functionality to clandestinely add more components over the network right from the start, making it a bridge-head to further infiltrate the computer.

    [With an additional module] it can be used to remotely control infected PCs over the internet [and] watch screenshots of the web browser on the infected PC – including private notices, emails or texts in web based cloud services.

    In its own analysis, F-Secure confirmed the workings of the program:

    The backdoor includes a keylogger that targets certain applications. These applications include Firefox, Skype, MSN Messenger, ICQ and others.

    The backdoor also contains code intended to take screenshots and record audio, including recording Skype calls.

    In addition, the backdoor can be remotely updated. Servers that it connects to include 83.236.140.90 and 207.158.22.134.

    F-Secure sidestepped the thorny question of where the Trojan came from, saying, “We do not know who created this backdoor and what it was used for. … We have no reason to suspect CCC’s findings, but we can’t confirm that this trojan was written by the German government. As far as we see, the only party that could confirm that would be the German government itself.”

    The company further added, “We have never before analysed a sample that has been suspected to be governmental backdoor. We have also never been asked by any government to avoid detecting their backdoors.”

    This isn’t the first time a government has been accused of using software to clandestinely spy on its citizens. The recent takeover of digital certificates issued by the Dutch firm DigiNotar was attributed by some sources to the Iranian government, which then reportedly used the forged certificates to snoop on its citizens’ communications via Google Mail.

    Similarly, the Chinese government was blamed for Operation Aurora, a 2010 attack that broke into servers at Google and as many as 30 other large corporations.

    Over the years, Microsoft has been accused of working with the U.S. National Security Agency to build backdoors into Windows. Those accusations have been mostly discredited. (See this 2008 report and an earlier, overblown dustup over a cryptographic key dating back more than a decade.)

    If the CCC analysis turns out to be accurate, this will be a first, and a significant black eye for a government that has largely been in the forefront of safeguarding personal privacy of its citizens.

    The German government has not yet responded.

    Source

  • Newzbin2 Team Up With The Pirate Bay To Defeat Site Blocking

    October 5, 2011

    Usenet indexing site Newzbin2, who are no strangers to the issue of court-ordered website blocking, have made an interesting addition to the software tool they released last month. From today their anti-censorship client now includes a feature to bypass DNS blocking not only on Newzbin2, but on the world’s most famous torrent site, The Pirate Bay.

    All the experts warned what would happen but governments around the world didn’t listen and seemingly the MPAA, RIAA and other affiliated groups don’t care. Website blocking does not work and when you try to fight technology with technology, there is always a work-around.

    Last month and before the court-ordered ISP level block of Usenet indexing site Newzbin2 even came into effect, the site launched a home-grown tool to defeat it. TeamRDogs – the group behind the site – released Newzbin Client 1.0.0.127, the first public piece of software designed to circumvent ISP BT’s Cleanfeed censorship system, the tool the MPA hopes can neutralize Newzbin2 in the UK.

    Within days Newzbin2 told TorrentFreak that they would extend their support to other sites affected by DNS and IP address blocks. Today they announce their first partner.

    “We have updated the Newzbin2 Client with a special link to The Pirate Bay, in response to the blockage in Belgium,” TeamRDogs’ programmer Mr Violet told TorrentFreak.

    The ‘blockage in Belgium’ is a reference to the news yesterday that two ISPs, Belgacom and Telenet, were ordered by a court to implement DNS blocks against The Pirate Bay.

    Tests by TorrentFreak confirm that the Newzbin2 tool will indeed circumvent a DNS blockade of The Pirate Bay. Those looking for other ways to unblock the site can find information here.

    “We at Newzbin2 are HUGE fans of The Pirate Bay badboyz: we’d like them even if they beat up our mothers. The fact that they, like us, suffer pointlessly at the hands of the Copyright Dinosaurs disposes us to assist them in any way we can,” Newzbin2’s Mr White told TorrentFreak.

    “They certainly don’t need us and this is as more of a solidarity gesture than a Mink lined lifeboat with minibar. We have no ties to TPB but us Swedes gotta stick together.”

    Mr White says the team have also been keeping an eye on BREIN’s work over in the Netherlands.

    “The block [in Belgium] is astonishing to us and we also wonder whether BREIN have been smoking too much dope in Dutch coffeeshops. What with the recent ‘ban’ on Usenet in the Netherlands we can only assume the European rights agencies occupy a building exposed to high levels of stupid rays,” he adds.

    As website blocking becomes more aggressive it is likely that more tools such as the one offered by Newzbin2 will appear and become ever more sophisticated. Rather than having hard-coded parameters they will be updated automatically via plugins, online updates and user input as they become more savvy.

    For file-sharers, unblocking sites will become just another part of the game, a game they’ve been playing virtually unhindered for more than a decade, despite millions of dollars being spent to stop them.

    “TPB won’t be silenced: we won’t be silenced,” Mr White concludes. “We serve a valuable role in disseminating culture. And free stuff. We are here to stay, deal with it. ‘Barman! a jug of Pina Colada for the Pirate Bay guys.’”

    Source

  • Miramax CEO says Apple a bigger threat to movie industry than piracy

    By Mikey Campbell
    October 5, 2011

    Apple's domination of the digital media marketplace is more of a threat to movie companies than piracy, according to Miramax CEO Mike Lang.

    Lang argued at the MIPCOM entertainment media event in Cannes this week that in order for movie companies to survive, there must be parity in the digital distribution marketplace, adding that iTunes is hurting competition.

    "Piracy really is not the bigger issue for our company or for our library," Lang said. "It's been a lack of exploitation, just not getting it out there."

    With Apple's domination of media distribution through its iTunes online store, Lang said the electronics maker is hindering movie companies from distributing their catalogs to a wider audience. The Miramax chief believes that more competition is healthy for both creators of media and the end consumer, as it drives prices down and allows for more content to be available in more places.

    Lang also pointed out that the movie industry as a whole needs to not let iTunes dominate distribution as it does with the music industry. While music companies were fighting piracy battles in court, Apple slowly amassed an overwhelming presence in the digital music market and now has the largest online catalog with up to 20 million tracks.

    "Apple is the strongest company in the music industry, and because there was not enough competition, and still to this day is not enough competition, as an industry it can't then influence packaging, merchandising, all the things that are vital," Lang said. "As the movie business we have to be very cognizant of that."

    He thinks the film industry needs to take note of the lessons learned by the music industry and try to foster cross-platform competition instead of focusing on one channel of distribution.

    "That's why we did our deal with Netflix, and why we also did our deal with Hulu," he said. "We want multiple players to be successful."

    Miramax inked a deal with Netflix in May that allows the movie rental company to stream "several hundred" of the studio's movies through its service. The company also signed with online video streaming site Hulu in June to allow streaming of hundreds of commercial-free movies on Hulu Plus, as well as 15 commercial-sponsored videos that are rotated every month.

    "It's really important as an industry that we try to allow multiple players in markets around the world," Lang said.

    Source

  • Canada's broadcasting sector loses battle with Netflix

    By Ben Dummett
    October 6, 2011

    Regulator sees no evidence that rise of streaming services is causing consumers to ditch regular TV subscriptions.

    Canada's broadcast regulator said Wednesday it found "no clear evidence" that services offered in the country by Netflix Inc. are spurring Canadians to reduce or cancel their television subscriptions.

    Los Gatos, Calif.-based Netflix launched its Canadian service in September 2010, allowing consumers to stream television and movies over the Internet at prices cheaper than purchasing speciality-television programming from established Canadian providers.

    In May, the Canadian Radio-television and Telecommunications Commission launched a fact-finding mission to determine if so-called over-the-top content providers like Netflix have an advantage over Canadian specialty-TV operators Astral Media Inc. and Corus Entertainment Inc., and thus needed to be regulated.

    Currently, Canada's broadcast industry is required to spend certain amounts of money on Canadian television content as part of the country's efforts to promote and protect its culture. Netflix and other companies that distribute content over the Internet are exempt from this rule. The CRTC had determined that over-the-top content providers complement rather than act as a substitute for more traditional broadcasting services.

    The CRTC launched the fact-finding mission after Canadian representatives of the country's media industry, dubbing themselves the Over-The-Top Services Working Group, asked the regulator in April to review its stance towards over-the-top content providers.

    In a release Wednesday, the regulator echoed its previous view that online and mobile programming "appears complementary to the content offered by the traditional broadcasting system."

    The CRTC noted "Canadian broadcasters and distributors are also launching their own online mobile programming services."

    Though the CRTC maintained its current position towards over-the-top content providers, the regulator said it will "continue to monitor the evolving communications environment, and this growing activity will be the main focus of its annual consultation with the broadcasting industry in November 2011."

    Representatives from Corus and Astral couldn't immediately be reached for comment.

    Source

  • Anonymous Threatens to 'Erase NYSE from the Internet'

    By Damon Poeter
    October 3, 2011

    UPDATE: Some in the Anonymous collective believe the threat against the NYSE and the group behind it don't really represent the Anonymous movement or the Occupy Wall Street protests. We've published a report on those counter-claims here.

    Anonymous declared "war" on the New York Stock Exchange this weekend and vowed to "erase" the NYSE from the Internet on Oct. 10 as the Occupy Wall Street protest entered its third week in New York City after a weekend that saw hundreds of protesters arrested during a planned march across the Brooklyn Bridge.

    "On Oct. 10, NYSE shall be erased from the Internet. On Oct. 10, expect a day that will never, ever be forgotten," intoned a computer-generated male voice common to many Anonymous videos, in a warning posted on TheAnonMessage YouTube channel (video here).

    The AnonMessage channel has been used to post several Occupy Wall Street-related video messages since the protest against lax regulation of the financial sector and growing economic inequality began on Sept. 17. Those messages include Anonymous' initial "official" video regarding Occupy Wall Street and a warning sent last week to the New York Police Department that threatened retaliation if "the brutality does not stop" against Occupy Wall Street protestors.

    Anonymous, until recently known mostly for wreaking havoc on the Internet through blunt-force takedowns of websites and opportunistic hacking attacks, has lent its help to low-tech street protests of late. Prior to its participation in Occupy Wall Street, the initiation of which is credited to the Canadian activist group Adbusters, Anonymous also had a large role in a string of live protests against actions taken by the Bay Area Rapid Transit (BART) authority's police force.

    The threat to "erase" the NYSE from the Internet was not explained, though in comments on the YouTube video, some speculated that Anonymous was planning a Distributed Denial-of-Service (DDoS) attack on the public-facing NYSE.com website, similar to DDoS attacks the group has used to take down websites in the past.

    Others felt that would only be a minor setback for the NYSE and guessed that Anonymous was planning a larger attack, perhaps even an attempt to actually disable trading on the exchange.

    Here's the transcript of the latest Occupy Wall Street video from Anonymous:

    Greetings, institutions of the media.

    We are Anonymous.

    The events transpiring within Wall Street have caught our eye.

    It seems that the government and federal agencies enjoy enforcing the law a little bit too much. They instate unjust laws as mindless automatons, blindly following orders with soulless precision.

    We witness the government enforcing the laws that punish the 99 percent while allowing the 1 percent to escape justice, unharmed, for their crimes against the people.

    We have observed this same government failing to enforce even the minimal legal restraints of Wall Street's abuses. This government who has willingly ignored the greed at Wall Street has even bailed out the perpetrators that have caused our crisis.

    We will not stand by and watch the system take over our way of life.

    We the people shall stand against the government's inaction.

    We the people will not be witnesses to your corruption and ill-gotten profits.

    We will not labor for your leisure.

    We will not assist you in any way.

    This is why we choose to declare our war against the New York Stock Exchange. We can no longer stay silent as the population is being exploited and forced to make sacrifices in the name of profit.

    We will show the world that we are true to our word. On Oct. 10, NYSE shall be erased from the Internet. On Oct. 10, expect a day that will never, ever be forgotten.

    Vox Populi, Vox Anon.

    The Voice of The People is The Voice of Anonymous.

    We are Legion. We are the 99 percent.

    We do not forgive. We do not forget.

    Wall Street: Expect us.

    Source

  • Brazil Drafts An 'Anti-ACTA': A Civil Rights-Based Framework For The Internet

    by Glyn Moody
    October 4, 2011

    from the who's-leader-of-the-*free*-world-now? dept

    One of the striking features of the Anti-Counterfeiting Trade Agreement is that it is mainly being signed by Western/“developed” countries – with a few token players from other parts of the world to provide a fig-leaf of nominal inclusiveness. That's no accident: ACTA is the last-gasp attempt of the US and the EU to preserve their intellectual monopolies – copyright and patents, particularly drug patents – in a world where both are increasingly questioned.

    Much of the challenge to the old order is coming from the BRICS group of emerging countries – Brazil, Russia, India, China and South Africa – none of which has been involved in ACTA. Of those, the one in the vanguard of adopting innovative approaches to making knowledge widely accessible in the Internet age is Brazil.

    For example, the federal government has actively supported open source software by creating a Public Software Portal. The country has also been at the forefront of open content use: just this week, the city of São Paulo specified that all educational materials produced for it must be released under the Creative Commons CC BY-NC-SA license.

    It's true that there have also been some mixed signals recently, notably the re-surfacing of the punitive “cybercrime bill”, which Techdirt reported on a couple of months ago. But here's some positive news coming out of the country, in the shape of a draft of a bill for a civil rights-based framework for the Internet:

    The draft bill proposition for a Civil Right’s Based Framework for Internet in Brazil has just reached Congress. The English translation of this version is available here

    It is the result of an initiative from the Brazilian Ministry of Justice, in partnership with the Center for Technology and Society of the Getulio Vargas Foundation (CTS/FGV), to develop a collaborative online/offline consultation process in which all the actors from Brazilian society could identify together the rights and responsibilities that should guide the use of the Internet in Brazil. The process, which resulted in a Bill of Law, is an example of the importance and the great potential of multistakeholder involvement on policy-making.

    NGOs, universities, internet service providers (collectively through associations, as well as individually), business companies, law firms, law enforcement agencies, individuals, Brazilian Embassies from all over the world, and many other participants have joined the online public hearing. The participation of several stakeholder groups has promoted the diversity of opinions and the availability of high quality information and expert advice, which have helped the government to draft a balanced bill. The openness and transparency of the process, entirely conducted online, in the public eye, has improved the legitimacy of the bill. Marco Civil was introduced in Congress with the political weight and the legitimacy that the Bill would be expected to have after a complex multistakeholder discussion.

    Among its fundamental principles:

    I – safeguarding freedom of speech, communication, and manifestation of thought, in the terms of the Constitution;

    II – the protection of privacy;

    III – the protection of personal data, in accordance to the law;

    IV – the preservation and safeguarding of net neutrality, in compliance with further regulation;

    And this is *real* net neutrality, not the compromised US kind:

    Article 9. The party responsible for the transmission, switching or routing of data has the obligation of granting equal treatment to every data package, with no distinction by content, origin and destination, service, terminal or application; any traffic discrimination or degradation that does not arise out of the technical requirements necessary to the adequate provision of services is prohibited, in accordance to further regulation.

    It also comes out strongly in favor of guaranteeing access to the Internet, respect for personal privacy online, and against any kind of “three strikes” laws cutting off users for alleged copyright infringement:

    Article 7. Access to the Internet is essential for the exercise of citizenship, and the following rights are secured to its users:

    I – the non-violation and secrecy of communications on the Internet, except under judicial order, in the hypotheses and form established by law, for criminal investigations or the gathering of evidence for criminal procedures;

    II – the non suspension of Internet connections, except for debts directly related to their use;

    It has plenty to say on the vexed issue of keeping users' access logs, including:

    Article 10. The storage and disclosure of the connection logs and Internet application access logs regulated by this law must preserve intimacy, private life, the reputation and image of the parties directly or indirectly involved.

    §1 The Internet service provider responsible for the storage of logs will only be constrained to disclose the information that allows the identification of the user under a judicial order

    Nor is ISP liability overlooked:

    Article 14. Internet connection providers shall not be responsible for damage arising from content generated by third parties.

    Article 15. Except otherwise established by law, Internet application providers can only be responsible for the damages caused by content generated by third parties if, after receiving a specific judicial order, they do not take action to, in the context of their services and under the established time frame, make unavailable the infringing content.

    And the crucial issue of judicial requests for logs is also spelled out in detail:

    Article 17. Interested parties may, for the purpose of gathering evidence in civil and criminal proceedings, of either accidental or autonomous nature, request a judge to order the party responsible for storing Internet service access logs, or connection logs, to disclose these logs.

    Sole Paragraph. Without prejudice of other legal requirements, the application shall contain, under penalty of not being admissible:

    I – solid evidence of the occurrence of an illegal act;

    II – a motivated justification for the utility of accessing the requested logs, for the purposes of investigation or the gathering of evidence;

    III – the period that the logs refer to.

    Article 18. It is the obligation of judges to take the measures necessary to guarantee the secrecy of the information received, and the preservation of the intimacy, private life, honor and image of Internet users. Judges are capable, for that purpose, to constitute the information as secret, including with respect to requests for the storage of logs.

    All-in-all, it's a remarkable document, forming in effect an "anti-ACTA" that guarantees many of the protections for Internet users that ACTA seeks to eradicate, and forbids repressive measures that ACTA aims to introduce.

    However, two big questions hang over the draft. First, whether it will be passed by the Brazilian Congress in its present form (or at all), and, second, how it can be squared with the harsh penalties proposed in the “cybercrime” bill mentioned above if that too comes into force. But whatever happens, Brazil has already shown leadership by drafting a bill that dares to question and oppose the copyright maximalist orthodoxies underlying ACTA – something signally lacking in other countries.

    Source

  • Copyright changes: how they'll affect users of digital content

    By Kazi Stastna
    September 30, 2011

    Canada has been trying to reform its copyright legislation, which was last updated in 1997, for several years now.

    There have been four attempts to date to pass amendments that would bring the Copyright Act in line with the digital age — one by the Liberals in 2005 and three by the Conservatives, in 2008, 2010 and, now, in 2011.

    In this latest attempt, Heritage Minister James Moore said the government "didn't alter a comma" in the original Bill C-32 it had introduced last year and would not be opening up new consultations on the proposed legislation. Instead, it would pick up where hearings left off, with a view to passing the bill by the end of 2011.

    Extensive public consultations were held across the country in 2009. The parliamentary committee reviewing the bill heard from groups representing consumers, musicians, authors, educators, performers, the music, movie and other creative industries, librarians, publishers, legal experts, software producers, video game developers and others.

    The bill has been closely watched by many interested parties, mainly because of its implications for the production, sale, distribution and consumption of digital content, including music, video, electronic books and software.

    Although the bill could still be amended, most expect it will not be substantially altered between now and its passing.

    Below are some of the most significant proposed changes to the Copyright Act that will affect users.

    If passed in its current form, the Copyright Modernization Act will allow Canadians to:

    • Copy content from one device to another, such as from a CD to a computer or an iPod. This provision, however, does not apply to content protected by a digital lock, which is any technological measure, such as encryption or digital signatures, that rights holders use to restrict access to or prevent the copying or playing of CDs, DVDs, e-books, digital files and other material.
    • Record television, radio and internet broadcasts and listen to or view them later on whatever device they choose but not for the purposes of building up a library or for commercial use. This provision does not extend to content that is offered "on-demand" (streamed video, for example) or protected by a digital lock.
    • Make a backup copy of content to protect against loss or damage — again unless that content is protected by a digital lock or offered as an on-demand service.
    • Incorporate legally acquired copyrighted content into their own user-generated work, as long as it's not for commercial gain and does not negatively impact the markets for the original material or the artist's reputation. An example would be the posting of your own mash-up of a Lady Gaga song and, say, a Beyoncé number on YouTube.
    • Use copyrighted content for the purposes of education, satire or parody. This expands what is known as the fair dealing provisions of the existing law — which until now covered only research, private study, criticism and news reporting.
    • Copy copyrighted material that is part of an online or distance learning course in order to listen to or view it at a later time. Under this provision, teachers can provide digital copies of copyrighted material to students as part of the course but only if they and the students destroy the course material within 30 days of the end of the course. Teachers are also expected to take reasonable measures to prevent the copying and distribution of the material other than for the purposes of the course. Critics have referred to this part of the Act as the "book burning" provisions.

    The new law will also:

    • Prohibit the circumventing of digital locks, even for legal purposes — such as the education or satire uses protected by other sections of the Act. This is one of the most controversial parts of the legislation. Many experts have criticized the government for not including an exemption that would allow for the bypassing of digital locks for legitimate purposes, such as the copying of parts of digitally locked textbooks to view on another device or for use in an assignment.
    • Prohibit the manufacture, importation and sale of technologies, devices and services designed primarily for the purpose of breaking digital locks. This includes technology designed to allow you to play foreign-bought DVDs on your North American player, for example.
    • Require internet service providers to notify their customers that they are violating the copyright law if a copyright holder informs the ISP of possible piracy. The ISP is required to retain "relevant information" about the user such as their identity, and that information could potentially be released to the copyright holder with a court order.
    • Exempt ISPs and search engines from liability for the copyright violations of their users if they are acting strictly as intermediaries in the hosting, caching or communication of copyrighted content.
    • Prohibit a person from providing a service over the internet or another digital network that the person "knows or should have known is designed primarily to enable acts of copyright infringement." This clause is targeted at websites created for the purpose of distributing copyrighted content, such as the many popular peer-to-peer file-sharing sites used to swap video and audio, and is meant to "make liability for enabling of infringement clear."
    • Differentiate between a commercial violation of copyright law and an individual violation. Individuals found violating the law could be liable for penalties between $100 and $5,000, which is below the current $20,000 maximum.
    • Allow librarians to digitize print material and send a copy electronically to users, who can view the material on a computer or print one copy.
    • Allow disabled consumers to adapt copyrighted material to a format they can more easily use.

    Digital locks undermine otherwise balanced bill: critics

    The parts of the proposed law that have received the most criticism are the ones concerning digital locks. Many internet, copyright and legal experts say Canada has gone too far in appeasing the corporate interests that use the locks at the expense of consumers, who are entitled to use copyrighted content lawfully but prevented from doing so by the excessively restrictive digital lock amendments.

    "In many ways what we have here is a tale of two bills," says Michael Geist, a University of Ottawa law professor who specializes in internet law and has a strong interest in copyright issues.

    "There is a whole series of provisions where there is genuine attempt to strike a balance — on fair dealing, on the liability of internet providers when it comes to infringement on their networks, on damages. The outlier are the digital lock rules, which run counter to what the government consistently has heard from every education group, consumer group and tens of thousands of Canadians."

    The solution, Geist says, would be to amend the bill so that the circumvention of a digital lock would be a violation only if it was linked to actual copyright infringement.

    "Where you've got someone who circumvents a lock with the intent of burning 1,000 copies and selling them on a street corner, absolutely the law ought to target that," Geist said. "But where we're talking about the consumer who wants to play the DVD they've purchased in Europe or in Asia, or the student who wants to make use of the electronic book on their laptop, or the journalist who wants to use a clip out of a DVD for a news report or the teacher who wants to do a multimedia presentation, it seems to me that the law currently says they have those rights, and those shouldn't be lost just because there is a digital lock on the content."

    Geist and others say the unnecessarily restrictive digital lock provisions mimic similar ones adopted in the U.S. and were driven by pressure from U.S. authorities, not by Canadian interests. Earlier this month, Geist published an article about internal government documents leaked by WikiLeaks that suggest Canadian officials were eager to tailor the copyright bill to U.S. interests and at one point even offered to show a draft of the bill to U.S. officials before it was tabled in the House of Commons.

    The irony, says Geist, is that the U.S. has recently introduced changes that make its laws on digital locks less restrictive than Canada's would be.

    30-day 'book burning' rule

    Another provision that has raised the ire of critics is the one requiring students and educators to destroy online course material that uses copyrighted works within 30 days of the course being over.

    "That exemption tries on the one hand to facilitate distance learning and the use of technology, but at the same time, if you rely on that exception, you are then subject to the limitation of destroying the materials," Geist said.

    ISPs, peer-to-peer sites

    File-sharing sites have been a popular target of copyright advocates, but the proposed law doesn't really alter much on that front. The clause prohibiting services designed to "enable acts of copyright infringement" doesn't go much further than the existing copyright law, says Geist.

    It was under the existing law, for example, that the Canadian Recording Industry Association and several major record labels launched a still-ongoing court case against the website isoHunt. The Vancouver-based site acts as a search engine for finding video, audio and other types of files that are shared using the file-sharing protocol known as BitTorrent.

    "The reality is we already have the laws to deal with those issues," Geist said.

    "What we've seen in many ways is not shortcomings in the law but a lack of willingness among some of those industries to go after some of the sites in Canada where there is a problem."

    As for the role of internet service providers in policing copyright infringement, the system of notifying alleged violators that the law entrenches has been praised as an effective way of dissuading copyright violations and already exists at many of the large ISPs.

    Rogers Communications, Canada's second-largest ISP, for example, testified before the committee reviewing the copyright bill that very few of its customers who receive notices of potential copyright violations need a second reminder, Geist said.

    More on the bill

    The government has posted several backgrounders and FAQs about the legislation online.

    Geist has posted extensive material on the copyright legislation on his blog, much of it obtained through access to information requests. The material includes the government's clause-by-clause justification of its proposed amendments and the talking points prepared for the heritage and industry ministers in advance of their November 2010 appearance before the committee examining the copyright bill.

    Source

  • BitTorrent CEO sees danger in AFACT vs iiNet

    Natalie Apostolou
    October 2, 2011

    Listen to the market signal

    Australia will set an unwelcome precedent if it capitulates to the movie industry in its legal fight with iiNet, warns BitTorrent CEO Eric Klinker.

    Last month the Australian High Court allowed the Australian Federation against Copyright Theft (AFACT) to appeal the decision of the Full Federal Court handed down in February this year over the long-running copyright dispute with iiNet, a leading ISP.

    In that case, iiNet secured a landmark ruling against a consortium of movie studios and AFACT, which meant it was not liable for the illegal downloading of filmed content by its users.

    The revived case should be heard later in the year.

    BitTorrent usage is at the heart of AFACT’s woes, but Klinker says the matter goes back to keeping up with changing market dynamics.

    "It is a market signal, the whole ecosystem (of file sharing) is a market signal. If you can’t embrace that signal and use it to guide your content efforts then you are missing out on an opportunity," he says.

    He adds that one solution could fall back to the government for better laws. “That’s certainly what the MPAA (Motion Picture Association of America) would like to see. Stronger copyright, more enforcement. I think it’s a balance. You always want to balance two things, against the public good, that copyright is meant to foster in the first place but you always want to balance it against the interests of innovation. You would not want to stifle ongoing innovation with burdensome IP rights or copyrights.”

    Klinker is following the iiNet vs AFACT case and views it as ‘picking on the small guy’. Why didn’t they go after Telstra, he asks.

    “I’m sympathetic to the content rights holders as they have a great challenge. They don’t have an easy, cost effective way to enforce it, but the act of infringement is where it needs to be policed. The first time it’s published, the first time it’s leaked. How does it get there that’s the point of attack. Every technology provider - whether you're providing an ISP service or writing software - needs to be able to preserve the ability to operate their business and continue to innovate.”

    Source

  • 22,000 'freetards' escape Hurt Locker piracy suit

    By Natalie Apostolou
    October 3, 2011

    Voltage still hopes to zap hundreds more downloaders

    The world's largest P2P legal imbroglio has been downgraded, with 90 per cent of the alleged file sharers caught up in the Hurt Locker downloading case dismissed.

    The Oscar-winning war film’s producers Voltage Pictures instigated legal action last year against 14,583 netizens for allegedly illegally downloading the movie. The unprecedented class action against users snowballed to 24,583.

    The suit is now down to a little more than 2,300 defendants. The rest were “voluntarily dismissed without prejudice”, but it is unclear how many of those settled out of court. Voltage is still pursuing the case but has yet to positively identify most of the defendants as it needs to work with ISPs to link IP addresses with the suspected freetards.

    The DC District Court has been flooded with letters claiming innocence.

    Take the bosses of a resort in Michigan: "We object to the suit given the fact that we operate a timeshare resort that is 46 units all of which have a Wi-Fi connection using our IP address. We have numerous users at various times and are unable to monitor or control what they are doing on the computer in their room. I can assure you that the movie was not downloaded from any of the five computers that we use in our office on a daily basis."

    According to recent filings, “in circumstances where a Doe [unidentified] defendant has not filed the motion and only sent it to the ISP, most ISPs withhold the identifying information so that the Doe defendant can then file the motion with the court. Further, plaintiff’s counsel has been informed by the ISPs that numerous Doe defendants have recently re-filed their motions or have filed motions for reconsideration of the Court’s prior rulings".

    The upshot is that Voltage now realises that trying to nail 24,000 torrent slurpers is tricky: it is seeking more time from the court to identify and serve the remaining 2,300 defendants.

    The Electronic Frontier Foundation has asserted that “an IP address doesn't automatically identify a criminal suspect”. The EFF’s Marcia Hofmann said “sometimes a router's IP address might correspond fairly well to a specific user — for example, a person who lives alone and has a password-protected wireless network. But in many situations, an IP address isn't personally identifying at all.”

    Source

  • California's Reader Privacy Act Signed into Law

    October 3, 2011

    EFF-Backed Bill Will Protect Californians' Reading Habits

    Sacramento, CA - California Governor Jerry Brown has signed the Reader Privacy Act, updating reader privacy law to cover new technologies like electronic books and online book services as well as local bookstores.

    The Electronic Frontier Foundation (EFF) and the American Civil Liberties Union (ACLU) were sponsors of the bill, authored by California State Senator Leland Yee. It had support from Google, TechNet and the Consumer Federation of California, along with the Internet Archive, City Lights Bookstore, and award-winning authors Michael Chabon and Ayelet Waldman. The Reader Privacy Act will become law on January 1, and will establish privacy protections for book purchases similar to long-established privacy laws for library records.

    "This is great news for Californians, updating their privacy for the 21st Century," said EFF Legal Director Cindy Cohn. "The Reader Privacy Act will help Californians protect their personal information whether they use new digital book services or their corner bookstore."

    Reading choices reveal intimate facts about our lives, from our political and religious beliefs to our health concerns. Digital books and book services can paint an even more detailed picture -- including books browsed but not read, particular pages viewed, how long spent on each page, and any electronic notes made by the reader. Without strong privacy protections like the ones in the Reader Privacy Act, reading records can be too easily targeted by government scrutiny as well as exposed in legal proceedings like divorce cases and custody battles.

    "California should be a leader in ensuring that upgraded technology does not mean downgraded privacy," said Valerie Small Navarro, Legislative Advocate with the ACLU's California affiliates. "We should be able to read about anything from politics, to religion, to health without worrying that the government might be looking over our shoulder."

    "California law was completely inadequate when it came to protecting one's privacy for book purchases, especially for online shopping and electronic books," said Yee. "Individuals should be free to buy books without fear of government intrusion and witch hunts. If law enforcement has reason to suspect wrongdoing, they should obtain a court order for such information."

    Source

  • Private Anti-Piracy Investigator Spills The Beans

    October 3, 2011

    All around the world Hollywood is influencing politics and law enforcement, mainly through local anti-piracy groups. Aside from lobbying, they also employ private investigators to track down and bust copyright infringers. Today, one of them spills the beans. Gavin “Tex” Warren reveals how he was instructed to boost statistics, link piracy to drug trafficking, and manipulate the police in order to secure more interest for the war on piracy.

    Hollywood goes to extremes to protect its interests worldwide. By now it’s public knowledge that MPAA-funded groups are lobbying at the highest political levels, but when it comes to law enforcement they have their ways of being heard too.

    In the U.S. the MPAA was the outfit that tipped the authorities off on many of the ‘rogue’ sites that had their domain names seized in the last year. Similarly, in the U.K. the MPAA-funded group FACT carried out most of the investigative work in cases against the operators of the BitTorrent community FileSoup and the streaming site TV-Links.

    Today we talk to Gavin “Tex” Warren, a private investigator who worked for the Hollywood-backed group AFACT in Australia. While he mostly worked on offline piracy, his inside view allows us to learn more about how the anti-piracy agenda is sold to the outside world.

    Warren became a private investigator in 2000, and prior to that he served as a detective in the Australian Federal Police for twelve years. From 2003 until 2008 he worked as an investigator, undercover operative handler and then lead investigator for AFACT. When AFACT moved their priorities from offline piracy to ISPs, they eventually let Warren go.

    The Big Score

    “Initially AFACT was called the Australasian Film and Video Security Office and was run out of Sydney by Mr Steve Howes,” Warren says, explaining how it all started for him in 2003. “The lead investigator here in Melbourne was another former AFP officer, Greg Hooper.”

    “I had an undercover operative who worked for me (name withheld) that I shall refer to as “Short Round”. We were contracted to make purchases of DVDs and back then, VHS tapes of copyright infringing movies. In our first operation which lasted about six months, we had infiltrated a manufacturing “laboratory” and the dodgy sales team at the local trash and treasure market.”

    Warren’s team then made so-called ‘trap purchases’ and all the evidence they gathered was then presented to the Victoria Police. The operation resulted in the execution of three simultaneous search warrants, netting about fifteen thousand exhibits, $30,000 cash and a dozen computer towers. It was a great success that was quickly communicated to the media.

    “The press were informed and all was tied up in a neat bundle. Column inches were filled, sound bites were created and everyone was happy, except the pirates,” Warren recalls.

    “This success ensured that Short Round and I had ongoing work. The AFVSO was subsumed by AFACT soon thereafter. Steve Howes was replaced by Neil Gane, a former British Hong Kong Police Inspector who had been working in Malaysia with the MPAA against piracy.”

    Boosting Statistics

    “At this time, Short Round and I were trotted out to meet Neil and to show him our equipment and discuss tactics. Mr Gane gave the impression of being very committed to stopping the evil scourge of piracy and was far more media savvy than his predecessor.”

    “He was adamant that we needed to boost our statistics to make the media sit up and take notice and that the large numbers would make it easier to get the local Police interested. This was especially difficult to do as local police had no jurisdiction over copyright infringing product and the AFP were desperately short on manpower. We were encouraged to find links to drugs and stolen goods wherever possible.”

    “We discussed the formula for extrapolating the potential street value earnings of ‘laboratories’ and we were instructed to count all blank discs in our seizure figures as they were potential product. Mr Gane also explained that the increased loss approximation figures were derived from all forms of impacts on decreasing cinema patronage right through to the farmer who grows the corn for popping.”

    Gane understood that the media was an essential tool towards AFACT’s goal of getting tougher copyright legislation in place. And for this purpose, it was a good idea to bend the truth a bit. The results of this recalculation are quite amazing.

    “2002 impact estimates were $100 million to today’s figure of $1.36 billion in nine years…. That’s a lot of extrapolating,” Warren says.

    Courting the Police

    Aside from influencing lawmakers with creative statistics, Warren and his colleagues also had to court the police on a regular basis. AFACT worked with both local law enforcement and the attorney general’s office, to which it delivered evidence and information based on its own investigations.

    “Funded solely by MPAA, AFACT lobbies hard for changes to Australian law and enhances the sexiness of their case by making vague references to links to terrorism. Sometimes not so vague. I was instructed to tell police officers that the profit margins were greater than dealing heroin. It was bizarre. A twisted logic that AFACT spewed out with monotonous regularity,” Warren says.

    One of the examples Warren gives is that they assumed that all burners and DVD replicators would run 24/7, making these operations appear very lucrative.

    “Each burner cranking out ten discs an hour, multiplied by ten dollars per disc is potentially a hundred dollars an hour, multiplied by number of burners by hours in a year gives a yearly potential…. Very pumped up statistics.”

    When the local police were convinced of the need to follow up on the case, Warren delivered all the evidence they would need on a silver platter.

    “In my time at AFACT we developed relationships with various police officers (detectives) and would work our cases up to a stage where we could present them with enough information, intelligence and evidence that most of the work was done. This is called a ‘walk up start’.”

    “Police on the other hand would sometimes find large quantities of copyright infringing material whilst executing warrants, eg: drug warrant executions would invariably turn up some dodgy DVDs and I would get a call to come and identify the product and prepare a brief of evidence for prosecution.”

    “It was a matter of educating the police officers what to look for. In this vein, I would regularly deliver half day seminars to police on their training days. It was a good system and had the effect of increasing their prosecutions and my investigations statistics. Collaboration had such a dark overtone. Cooperation is my preferred term,” Warren says.

    Like many other private investigators Warren is a former police detective. And although the statistics may have been pumped a little, Warren was always careful to act within the boundaries of the law when it comes to his investigative work.

    “The PI license is relatively difficult to obtain and easy to lose, therefore we tend to shy away from any activity that would jeopardize our livelihood. The key to efficient and effective investigations is to know all aspects of the various legislations that cover things such as Surveillance Devices, hidden cameras etc. At no time did I authorize or condone the breaking of any laws or rules.”

    “Undercover operations, to be used in evidence, need to be squeaky clean. The last thing any investigator needs is to have evidence thrown out of court because of the breach of legislation, or compromise by way of entrapment,” Warren told TorrentFreak.

    Bye Bye PI

    At the end of 2007 Warren had a meeting with Neil Gane, who had just returned to AFACT after serving briefly as the Australasian Operations Manager for the MPAA. Gane told Warren that AFACT would be focusing more on ISPs and online piracy instead of the street work Warren did.

    Warren was still welcome to submit a tender for piecemeal work at an hourly rate, instead of daily. However, he later learned that his partner and former friend, Short Round, had undercut him, and was working on an as-needed basis for AFACT.

    This ended Warren’s ‘career’ in the anti-piracy business. In the years that followed he continued to monitor what AFACT was up to, and he still can’t help but crack a smile when he reads about the disastrous piracy statistics AFACT tells the media about. And so do we.

    Source

  • Why Canada is Keeping the Flawed Digital Lock Rules

    Michael Geist
    September 29, 2011

    Later today, the government will table Bill C-11, the latest iteration of the Canadian copyright reform bill that mirrors the previous Bill C-32. It was widely reported this fall that the government would reintroduce the previous bill unchanged, re-start committee hearings where they left off in March (with prior witnesses not asked to return), and move to quickly get the bill passed by the end of the calendar year. That seems to be what is happening with today's tabling and a new legislative committee to follow.

    Assuming it is the same bill, the government's talking points remain relevant as does its clause-by-clause analysis, both of which I obtained under Access to Information. From "Radical Extremism" to "Balanced Copyright": Canadian Copyright and the Digital Agenda, the book that I edited on Bill C-32 that includes contributions from 19 leading copyright experts from across Canada, is still useful and is available from Irwin Law in paper or as a Creative Commons licensed download. For those looking for background information on key elements of the bill, there is my initial analysis, a five-part series on C-32's digital lock provisions in a single PDF, a lengthy post on C-32's fair dealing reforms, data on the effectiveness of the ISP provisions, and a post that puts statutory damages into perspective.

    When Bill C-32 was introduced in June 2010, I described it as "flawed but fixable", noting that there was a lot to like in the bill but that the digital lock provisions constituted a glaring problem that undermined much of the attempt to strike a balance. Months later, those remain my views. The bill has some good provisions, but the unwillingness to budge on digital locks - even as the U.S. has created new exceptions - is easily its biggest flaw.

    In trying to understand the government's copyright strategy, it is increasingly apparent that this is really an omnibus copyright bill that combines two bills: the Copyright Modernization Act together with the Reduce U.S. Pressure Copyright Act. The Copyright Modernization Act portion is a reasonably balanced piece of legislation that seeks to strike a compromise on many key issues:

    • on fair dealing, it adds education, parody, and satire as categories. This isn't as far as the government could (or should) go in creating a flexible fair dealing provision, but the government deserves credit for sticking by the fair dealing reforms in the face of a relentless misinformation campaign by publishers and copyright collectives.
    • on education, it creates several limited new exceptions, that arguably are too limited, but still mark an improvement over the current act.
    • on consumer rights, it creates important new exceptions for time shifting, format shifting, and backup copies. Those exceptions are undermined, however, by the digital lock rules.
    • on Internet providers, it creates a notice-and-notice system, which has proven effective and will require active cooperation from ISPs to deal with allegations of infringement on their networks.
    • on creativity, it establishes the new remix provision that protects individuals who create their own non-commercial mashups
    • on enforcement, it distinguishes between commercial and non-commercial infringement for the purposes of statutory damages (which will not stop Hurt Locker-style lawsuits) and establishes new powers to target websites that enable infringement (despite the fact that CRIA has an ongoing lawsuit against isoHunt using current Canadian law).

    While my copyright bill would look somewhat different, the same can be said for virtually all stakeholders and interested parties. Perhaps that is a sign of a compromise copyright bill.

    On the other hand, a portion of this bill might be described as the Reduce U.S. Pressure Copyright Act. This part of the bill contains the digital lock provisions, which are amongst the most restrictive in the world. As the government's own clause-by-clause analysis of the bill states, these provisions apply even when there is not "an infringement of copyright and the defences to infringement of copyright are not defences to these prohibitions." It is worth noting that:

    • the government admitted at the C-32 legislative committee that the digital lock rules trump education rights
    • the digital lock rules extend far beyond those required for compliance with the WIPO Internet treaties
    • many of our trading partners, including New Zealand and Switzerland, have adopted more balanced digital lock rules
    • Canada itself proposed a more balanced approach in Bill C-60, a prior copyright bill
    • even the U.S. offers more flexibility than Canada, with an exception for DVD circumvention in some circumstances and a mandatory review of the digital lock rules every three years
    • concerns over digital locks were the top issue raised during the 2009 national copyright consultation and in the submissions to the Bill C-32 legislative committee. As noted yesterday, a wide range of large stakeholders, including virtually every education group in Canada, consumer groups, and technology companies all support compromise language
    • creator groups such as the Documentary Organization of Canada have called for compromise language on digital locks
    • Canadian copyright collectives have expressed doubt about the benefits of digital lock rules. For example, CMRRA and SODRAC told the C-32 committee in their submission that "these measures would be unlikely to result in any substantial increase at all in legitimate online revenues for the music industry."

    So why is Canada sticking to digital lock rules when a more balanced approach that is consistent with the WIPO Internet treaties is readily available?  The answer is obvious - the digital lock rules are primarily about satisfying U.S. pressure, not Canadian public opinion. The U.S. pressure on Canada is not a secret with criticism of past bills and regular demands for action on copyright in return for progress on other border and trade issues. Nor is the internal Canadian response:

    • Prime Minister Harper personally promised U.S. President George Bush in 2008 that Canada would pass copyright reforms
    • former Industry Minister Maxime Bernier raised the possibility of leaking an advance copy of the copyright bill to the U.S.
    • former Industry Minister Tony Clement's copyright policy advisor encouraged the U.S. to pressure Canada by elevating us on their piracy watch list
    • former Canadian Heritage Minister Bev Oda caved to U.S. pressure by enacting an anti-camcording bill despite departmental analysis that no changes to the law were needed
    • an official at the Privy Council Office leaked the content of mandate letters for then-Ministers Prentice and Verner
    • Canada participated in a WTO complaint on copyright against China at the request of the U.S. despite the inability to amass credible evidence of harm against Canadian interests

    After years of false starts, it is clear that this copyright bill will pass, likely before the end of the year. While there is much to like in the bill, the unwillingness to stand up for Canadians on digital locks represents a huge failure. Moreover, it sends the message that when pressed, Canada will cave. The Europeans have already figured that out with their extensive intellectual property demands in the Canada - EU Trade Agreement and the U.S. will no doubt be back again, this time demanding new IP enforcement rules not included in this bill. If global intellectual property developments over the past two decades teach anything, it is that efforts to reduce foreign pressures invariably lead to a brief respite before escalating demands and political pressures. The failure of C-11 is that the government isn't relieving the copyright pressure. It is asking for more.

    Source

  • Provider: Anti-piracy ruling has 'killed Usenet'

    By Jan Libbenga
    September 30, 2011

    'Impossible to check the contents of 15 to 20 million messages a day'

    Europe’s biggest Usenet provider News-Service Europe (NSE) says anti-piracy organisation BREIN has "killed Usenet". The Dutch organisation this week lost a landmark case in which it was ordered to remove all pirated content or risk a fine of €50,000 per day.

    "It is technically as well as economically impossible to check the contents of the 15 to 20 million messages that are exchanged on a daily basis," NSE said in a statement. "There is no automated way of checking whether Usenet messages contain copyrighted material or whether permission has been obtained for the distribution of such material. Consequently, we see no way of complying with this verdict. Furthermore, the verdict endangers our very existence as a company, and is a threat to Usenet itself."

    NSE CEO Patrick Scheurs says the verdict came as a big surprise. According to the Dutch Civil Code, internet service providers cannot be held liable for any copyright violations by their users, but the judge chose to ignore this legal framework altogether.

    However, BREIN managing director Tim Kuik says the verdict affects a "major pillar" of Usenet. BREIN estimates at least 80 per cent of binaries shared through Usenet are illegal. "NSE knows this, but doesn’t want to invest in technology to remove illegal content. Which isn’t surprising, because this is what makes Usenet attractive."

    BREIN says it does not want to take down Usenet, just wants the large-scale copyright infringement to end. Earlier this year BREIN already won a case against FTD, the Netherlands’ largest Usenet community, which allowed its members to index the location of content on newsgroups. Now BREIN wants to form partnerships with payment processors such as PayPal in order to "strangle the finances of file-sharing sites".

    Source

  • Verizon asks court to halt FCC net neutrality rule

    By Jonathan Stempel
    September 30, 2011

    (Reuters) - Verizon Communications Inc (VZ.N) on Friday asked a federal appeals court to block the Federal Communications Commission from imposing new rules on how Internet service providers manage their networks.

    The FCC last Friday said its so-called net neutrality rules were scheduled to take effect on Nov. 20.

    These rules would forbid broadband providers from blocking users from accessing lawful content, such as movie files, while giving the providers flexibility to manage their networks and prevent congestion.

    Critics call the rules an unwarranted government intrusion into regulating the Internet, including which content consumers may access and which companies may provide that content.

    In a filing with the federal appeals court in Washington, D.C., Verizon said the FCC was "arbitrary" and "capricious" and acted beyond its statutory authority in imposing the rules.

    The rules "impose potentially sweeping and unneeded regulations on broadband networks and services and on the Internet itself," Michael Glover, deputy general counsel at Verizon, said in a statement.

    "Verizon is fully committed to an open Internet," he added.

    New York-based Verizon is one of the largest U.S. phone companies, and with Vodafone Group Plc (VOD.L) owns Verizon Wireless, the largest U.S. mobile phone service.

    The FCC did not respond to requests for comment. It has said the rules boost predictability, stimulate investment and ensure job creation and economic growth.

    Some public interest groups have also criticized the FCC rules, saying they are weak and favor some phone and cable companies with large Internet presences, such as AT&T Inc (T.N) and Comcast Corp (CMCSA.O).

    The D.C. Circuit in April threw out a challenge by Verizon and MetroPCS Communications Inc (PCS.N) to the rules, calling it premature.

    FCC rulemaking generally cannot be challenged until rules are published in the Federal Register, as the agency has now done.

    In April, the Republican-controlled House of Representatives voted to overturn the FCC rules. That effort faces a tougher battle in the Democratic-controlled Senate.

    The White House has said advisers to President Barack Obama would recommend a veto of any resolution against the rules.

    The case is Verizon v. FCC et al, D.C. Circuit Court of Appeals, No. 11-1359.

    Source

  • US lawmakers call for FTC probe of supercookies

    By Dan Goodin
    September 28, 2011

    Hundreds of sites caught employing secret snoop tech

    Two US lawmakers have called on the Federal Trade Commission to investigate the use of “supercookies” that secretly log web visitors' browsing histories across multiple sites, even when the users delete browser cookies to elude tracking.

    In a letter sent Tuesday to FTC Chairman Jon Leibowitz, the co-chairs of the Congressional Bi-Partisan Privacy Caucus Edward Markey and Joe Barton said they believed a probe of supercookies falls within the consumer watchdog's mandate of protecting Americans from unfair and deceptive acts. The letter follows revelations that hundreds of websites, including Microsoft's MSN.com, Hulu.com, Spotify, and GigaOm have deployed sneaky code that reconstructs browsing-history cookies even after users have taken the trouble to delete them.

    “We believe this new business practice raises serious privacy concerns and is unacceptable,” the congressmen wrote in their letter (PDF). “We are also very concerned about the extent of this practice by websites as well as the impact supercookies have on consumers. Furthermore, we believe the usage of supercookies takes away consumer control over their own personal information, presents a greater opportunity for the misuse of personal information, and provides another way for consumers to be tracked online.”

    The practice of issuing supercookies and zombiecookies is the subject of several lawsuits. In August, Microsoft and several other companies sued for allegedly using them were dismissed because the plaintiff in the case couldn't quantify the monetary damages she suffered.

    Source

  • Which Telecoms Store Your Data the Longest? Secret Memo Tells All

    By David Kravets
    September 28, 2011

    The nation’s major mobile-phone providers are keeping a treasure trove of sensitive data on their customers, according to a newly-released Justice Department internal memo that for the first time reveals the data retention policies of America’s largest telecoms.

    The single-page Department of Justice document, “Retention Periods of Major Cellular Service Providers,” (.pdf) is a guide for law enforcement agencies looking to get information — like customer IP addresses, call logs, text messages and web surfing habits – out of U.S. telecom companies, including AT&T, Sprint, T-Mobile and Verizon.

    The document, marked “Law Enforcement Use Only” and dated August 2010, illustrates there are some significant differences in how long carriers retain your data.

    Verizon, for example, keeps a list of everyone you’ve exchanged text messages with for the past year, according to the document. But T-Mobile stores the same data up to five years. It’s 18 months for Sprint, and seven years for AT&T.

    That makes Verizon appear to have the most privacy-friendly policy. Except that Verizon is alone in retaining the actual contents of text messages. It allegedly stores the messages for five days, while T-Mobile, AT&T, and Sprint don’t store them at all.

    The document was unearthed by the American Civil Liberties Union of North Carolina via a Freedom of Information Act claim. (After the group gave a copy to Wired.com, we also discovered it in two other places on the internet by searching its title.)

    “People who are upset that Facebook is storing all their information should be really concerned that their cell phone is tracking them everywhere they’ve been,” said Catherine Crump, an ACLU staff attorney. “The government has this information because it wants to engage in surveillance.”

    The biggest difference in retention surrounds so-called cell-site data. That is information detailing a phone’s movement history via its connections to mobile phone towers while it’s traveling.

    Verizon keeps that data on a one-year rolling basis; T-Mobile for “a year or more;” Sprint up to two years, and AT&T indefinitely, from July 2008.

    The document also includes retention policies for Nextel and Virgin Mobile. They have folded into the Sprint network.

    The document release comes two months before the Supreme Court hears a case testing the government’s argument that it may use GPS devices to monitor a suspect’s every movement without a warrant. And the disclosure comes a month ahead of the 25th anniversary of the Electronic Privacy Communications Act, an outdated law that the government often invokes against targets to obtain, without a warrant, the data the Justice Department document describes.

    “I don’t think there is anything on this list the government would concede requires a warrant,” said Kevin Bankston, a staff attorney with the Electronic Frontier Foundation. “This brings cellular retention practices out of the shadows, so we can have a rational discussion about how the law needs to be changed when it comes to the privacy of our records.”

    Sen. Patrick Leahy (D-Vermont) has proposed legislation to alter the Electronic Privacy Communications Act to protect Americans from warrantless intrusions. Debate on the issue is expected to heat up as the anniversary nears, and the Justice Department document likely will take center stage.

    Source

  • Authenticity of Web pages comes under attack

    By Byron Acohido
    September 27, 2011

    The keepers of the Internet have become acutely concerned about the Web's core trustworthiness.

    Hackers cracked three companies that work with the most popular Web browsers to ensure the authenticity of Web pages where consumers type in sensitive information, such as account log-ons, credit card numbers and personal data.

    The hacked firms are among more than 650 digital certificate authorities, or CAs, worldwide that ensure that Web pages are the real deal when served up by Microsoft's Internet Explorer, Firefox, Opera, Apple's Safari and Google's Chrome.

    But a hacker gained access to digital certificate supplier DigiNotar this summer and began issuing forged digital certificates for hundreds of Web pages published by dozens of marquee companies.

    Unable to cope with the fallout, the Dutch firm last week filed for bankruptcy under Dutch law and abruptly closed up shop. Two other digital certificate companies — New Jersey-based Comodo and Japanese-owned GlobalSign — were similarly hacked in the summer, exposing a glaring weakness in the Internet's underpinnings, security analysts say.

    "The infrastructure baked into the Internet, which is based on trust, is starting to fall apart," says Michael Sutton, research vice president at security firm Zscaler. "If somebody can issue faked digital certificates, it throws the entire process into chaos."

    Digital certificates enable consumers to submit information that travels through an encrypted connection between the user's Web browser and a website server. The certificate ensures the Web page can be trusted as authentic. But the unprecedented attacks against CAs show how fragile that trust can be.

    The counterfeiter that gained a foothold deep inside of DigiNotar's system issued valid certificates for 531 fake pages, impersonating online properties of Google, Microsoft, Skype, Equifax, Twitter, Facebook, and the CIA, among others, according to consulting firm Fox-IT.

    This touched off a scramble to cut off the fake pages. But the successful hacks demonstrated that it is possible to "impersonate any site on the Internet," says Josh Shaul, chief technical officer at security firm AppSec.

    No banks or payment service websites were targeted, says Mikko Hypponen, chief researcher at anti-virus firm F-Secure.

    The hacker seems much more interested in harvesting personal data from e-mail services, social networks, credit bureaus, blogging sites and anonymity services. The possible end game: espionage or political gain.

    According to the Fox-IT report, the DigiNotar hacker issued counterfeit digital certificates for Web pages on google.com, android.com, microsoft.com, update.microsoft.com, login.live.com, login.yahoo.com, aol.com, wordpress.com, twitter.com, facebook.com, equifax.com and cia.gov, among other Web domains.

    The forged Google Web pages were used to spy on some 300,000 Internet users in Iran. "I'm most concerned about disruption as a motive," says Roel Schouwenberg, senior researcher at Kaspersky Lab. "I'm talking about cyberwar, but even more so about hacktivism."

    Google spokesman Jay Nancarrow noted that Google's Chrome browser detected one of the fake certificates "that ultimately led to the revelation of the DigiNotar compromise."

    The pressure is now on CAs worldwide to make themselves more hack-proof. And for the browser makers to do more to identify and quickly eradicate counterfeit certificates and fake Web pages, security experts say.

    Symantec senior director Michael Lin says the current system can be salvaged. "Consumers need to be able to interact with websites with confidence," says Lin.

    Jeff Hudson, CEO of digital certificate management firm Venafi, cautions that the hacks that unfolded this summer are just the beginning. "This is a huge issue with significant ramifications to business productivity and company brand," says Hudson. "No one knows where the next breach will occur, or whether it will occur in a week or three months."

    Microsoft, maker of the world's most widely used Web browser, Internet Explorer, declined to comment, as did Apple, maker of the Safari browser.

    However, spokesmen for Mozilla, maker of the No. 2 Firefox browser, and Opera, a browser used widely in Europe and on cellphones, noted that steps are being taken to shore up the current system.

    "The security of the Web is our collective responsibility," says Johnathan Nightingale, Mozilla's director of Firefox engineering. "To improve it, we need a continuing, and open, dialog supported by focused action."

    Source