Wednesday, December 06, 2006

Curtains for DRM?

As I'm spending the evening wading through a PhD thesis on the dreadful wrongs of DRM, it seems mildly amusing to note in passing that where the shock troops of Creative Commons have failed, the market might just decide that DRM isn't a selling point anyway. The article makes the concise point (from the Wall St Journal) that pirate files get out via P2P or burned CDs anyway; so DRM doesn't stop illegal piracy, it just makes buying legal downloads more awkward - thereby alienating exactly the customers you most want to pander to.

Back to the battlefield..

More on Gower : ISP copyright cops are coming?

On the briefest of further scans, one item emerges of particular interest to anyone who has been following the rather covert debate about how far ISPs can or should be enrolled to assist the state (or the BPI, etc) in cutting down on online piracy.

Recommendation 39: Observe the industry agreement of protocols for sharing data between ISPs and rightsholders to remove and disbar users engaged in ‘piracy’. If this has not proved operationally successful by the end of 2007, Government should consider whether to legislate.

This is about whether ISPs should have to hand over logs of material downloaded, automatically or perhaps on request, to rightsholder groups so they can spot possible pirates. Should the user have a right to privacy, or at least such a right prior to a court order being obtained or reasonable suspicion being shown? Currently some ISPs are known to reveal anonymised logs of especially heavy downloaders or uploaders, leaving it to the rightsholder then to come back and ask for disclosure on grounds permitted by the Data Protection Act. Some ISPs will only give away *any* details after a court order, arguing that they may breach data protection rules otherwise and owe their clients confidentiality both by law and by contract. Others may feel that the public are entitled to a presumption of innocence till proven guilty. Still others feel that they are merely ISPs, not mandated to act as judge and policeman in such cases, where rightsholders might well ask for particular identified downloaders to be summarily disconnected.

Gower, however, signals definite governmental backing both of voluntary disclosure by ISPs and of "notice and disconnection" (discussed before on this blog).

ISPs "should assist rights holders by providing a procedure through which automatic action in courts will be avoided and would allow greater scrutiny on the actions of users. BCP [a model best common practice document] is an ideal way to proceed if an agreement can be brokered between the ISPs and the copyright owners and would respect safe harbour provisions for ISPs which were set up in good faith. If there is a failure to agree, the Government should look towards establishing an appropriate statutory protocol."

So there you go.

Incidentally, I've changed my mind. The press may seize on 10 year sentences for downloaders, and Lessig and Cliff Richard may be (differently) excited about no term extensions; but my bet for Most Controversial Recommendation (possibly tying with the already mentioned limited new introduction of private copying rights) is this one:

Recommendation 11: Propose that Directive 2001/29/EC be amended to allow for an exception for creative, transformative or derivative works, within the parameters of the Berne Three-Step Test.

Alrighty!! Who's going to be the first to create a sampled rap praising the Gower Report? Maybe they can finance the implementation with the royalties from a few Snoopy Dog or Doggy Snop records..

Ho hum! The view after Vista

David Utter, who left a nice comment re my rebuttal of his article over at SecurityProNews, has also turned out some interesting security news items of his own, including evidence that although the majority of current malicious code may be defeated by the new security controls of Vista, it can fairly swiftly be adapted by skilled operators to infect it. Indeed, three of the current top ten major viruses can already evade Vista's improved security.

Ah well! It's almost Xmas!!

Gower Report

No time right now but this is the summary of the recommendations for making copyright work in the digital age:

To ensure the correct balance in IP rights the review recommends:

ensuring the IP system only proscribes genuinely illegitimate activity. The Review recommends introducing a strictly limited 'private copying' exception to enable consumers to format-shift content they purchase for personal use. For example to legally transfer music from CD to their MP3 player;

enabling access to content for libraries and education establishments - to ensure that the UK's cultural heritage can be adequately stored for preservation and accessed for learning. The Review recommends clarifying exceptions to copyright to make them fit for the digital age;

recommending that the European Commission does not change the status quo and retains the 50 year term of copyright protection for sound recordings and related performers' rights.

On the other hand, a stiff approach to IP crime, including sentences of up to 10 years for music & film piracy.

Something for everyone then. In principle it mostly looks like damn sensible stuff. Lessig has already pulled out the most rallying-cry quote:

"Policy makers should adopt the principle that the term and scope of protection for IP rights should not be altered retrospectively."

Let the battle commence!

Tuesday, December 05, 2006

Ps - late egoboo:)

I was in New Scientist a few weeks back, rather curtailedly extolling my theories-in-progress of how a security commons might be created to reduce the insecurity currently caused by zombified home computers. As many of you know, zombies or "bot networks", computers enslaved by viruses unknown to their owners, are the leading cause of everything from spam, phishing and spyware to keylogging, ID theft, click-fraud and probably, dandruff. In particular almost all denial of service attacks are now carried out as distributed attacks via enslaved bot networks. By a "security commons", I meant joint action and joint responsibility by all parties involved in a safer Internet: users, software writers, hosts and ISPs.

Illness intervened in my reporting (cof, cof) but here is the link for you, my loyal readers :) Unfortunately New Scientist printed only the smallest part of what I told them over the phone (sigh), so it looked like I was suggesting that ISPs ONLY should be liable where a denial of service attack is carried out. Whereas in fact I continue to advocate that ISPs should take a positive role in (a) identifying zombified machines, not necessarily by deep packet inspection, as NS reported, but possibly only by external changes in patterns of traffic or congestion analysis; (b) making available secured ISP services to consumers as well as businesses - as some companies like Nildram do already, thus protecting customers who don't know a firewall from a firelighter; and (c) where necessary, isolating identified zombies until they can be cleaned out.
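By way of an added illustration of what "external changes in patterns of traffic" could mean in practice (this is not the author's proposal, New Scientist's account of it, or any real ISP's system), the sketch below compares each subscriber host's outbound traffic in one hour against that host's own recent history and flags only hosts that are both far outside their baseline and above an absolute floor, so a quiet machine's small wobble is never reported. The hosts, hourly flow summaries and thresholds are all constructed for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed hourly flow summaries for three subscriber hosts:
# (host, hour, outbound SMTP connection attempts, distinct destination IPs).
# Hours 0-23 form each host's baseline; hour 24 is the period under review.
FLOWS = []
for h in range(24):
    FLOWS.append(("10.0.0.5", h, 2 + h % 3, 15 + h % 5))  # ordinary host
    FLOWS.append(("10.0.0.7", h, 1 + h % 2, 10 + h % 4))  # ordinary host
    FLOWS.append(("10.0.0.9", h, 3 + h % 3, 20 + h % 5))  # ordinary host
FLOWS.append(("10.0.0.5", 24, 2, 14))       # unchanged behaviour
FLOWS.append(("10.0.0.7", 24, 8, 12))       # small wobble, below the floor
FLOWS.append(("10.0.0.9", 24, 450, 380))    # sudden spam-like burst

Z_THRESHOLD = 3.0   # how far outside its own history a host must be (assumed)
MIN_SMTP = 20       # absolute floors: tiny counts never trip an alert (assumed)
MIN_DST = 100
MIN_HISTORY = 12    # hours of baseline needed before judging a host (assumed)


def summarise(flows, review_hour):
    """Split flow records into per-host baseline series and review-hour values."""
    baseline = defaultdict(lambda: {"smtp": [], "dst": []})
    review = {}
    for host, hour, smtp, dst in flows:
        if hour == review_hour:
            review[host] = (smtp, dst)
        else:
            baseline[host]["smtp"].append(smtp)
            baseline[host]["dst"].append(dst)
    return baseline, review


def zscore(value, series):
    """Standard deviations between value and the mean of the host's own history."""
    sd = pstdev(series)
    if sd == 0:  # constant history: any change at all is treated as extreme
        return float("inf") if value != series[0] else 0.0
    return (value - mean(series)) / sd


def flag_suspects(flows, review_hour=24):
    """Return {host: reason} for hosts whose review-hour traffic is both far
    outside their own baseline and above the absolute floors."""
    baseline, review = summarise(flows, review_hour)
    suspects = {}
    for host, (smtp, dst) in review.items():
        hist = baseline.get(host)
        if not hist or len(hist["smtp"]) < MIN_HISTORY:
            continue  # too little history to judge; stay silent rather than guess
        z_smtp = zscore(smtp, hist["smtp"])
        z_dst = zscore(dst, hist["dst"])
        reasons = []
        if z_smtp > Z_THRESHOLD and smtp >= MIN_SMTP:
            reasons.append(f"smtp {smtp}/h (z={z_smtp:.1f})")
        if z_dst > Z_THRESHOLD and dst >= MIN_DST:
            reasons.append(f"{dst} distinct dsts (z={z_dst:.1f})")
        if reasons:
            suspects[host] = "; ".join(reasons)
    return suspects


if __name__ == "__main__":
    for host, why in flag_suspects(FLOWS).items():
        print(f"review host {host}: {why}")
```

Only the host with the burst is reported; the host whose SMTP count went from about one to eight per hour is statistically far from its baseline but never reaches the absolute floor, which is the kind of guard that keeps a per-host baseline from generating disconnection requests over noise. Nothing here inspects packet contents; it works purely on connection counts, which is the distinction the paragraph draws against deep packet inspection.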

ISPs would not necessarily be "held legally liable" if they failed to provide these services; they could be provided as competitive market-price services, with users held liable if they did not avail themselves of them. Other methods, such as compulsory "home computer user insurance" (like motor insurance), could be employed to reach the same result.

Rather gratifyingly, there has already been a hostile response (always nice to know someone's listening). David Utter suggests that if I had my way, ISPs might be held liable for hosting sites like Slashdot, which post links which often bring down sites by their sheer popularity. I was not in any way suggesting simple vicarious liability for ISPs hosting sites responsible for DoS attacks - for a start, the EU E-Commerce Directive would currently probably forbid that. I have my own concerns about how the CMA amendments in the Police and Justice Act deal with inadvertent "slashdots" - given the late amendment to s 3 to allow recklessness as sufficient for "intention to impair the operation of a computer", it seems quite possible that innocent slashdotting is now prosecutable as denial of service in the UK. (Of course from a sysop point of view, whether a server goes down because of malice or carelessness is irrelevant - so maybe this was deliberate?) But it won't be the ISP that carries the can, even if this is true.

More interesting points are raised by a George Scriban on a blog called Global Nerdy:

"Surely the ISPs of the world aren't the most responsible party in a DDoS attack? What of the companies who provide vulnerable operating systems? The customers who misuse, misconfigure, or undermaintain those systems, making them ideal zombie targets? ISVs whose software defects render systems vulnerable? And, of course, we have the criminals conspiring to commit these crimes themselves. There's enough blame to go around that it seems strange to focus the blunt instrument of government regulation on ISPs in particular."

But the whole point is that what we're looking at here isn't moral retribution - ie, allocation of blame. What's the good of tinkering with the criminal law to punish DoSers when they're usually tidily hidden away in Moldova, Estonia or similar hi-tech law enforcement havens? Or untraceable, because they've worked through a network of a million bots, enslaved via a Trojan virus sent by a third party? Or have their assets stashed in still another country?

Better to try to actually secure the Internet so it doesn't fall over, taking our hospitals and air traffic controllers with it - and worry about wreaking punishment on the guilty afterwards. The people the police forces (or civil courts, or insurance companies) of the US, EU and the rest of the developed world can usually get to are the users - you and me - and the ISPs. Regulation that would persuade the Microsofts of this world to produce less buggy software would also be good. Creating a safe Internet has to be done, right now, either by building it differently from scratch - which may have catastrophic effects for generativity, innovation and privacy and will take decades - or by regulating those three sets of people. Forget the Russian mafiosi; for every one you catch you will tie up the UK's entire National Hi Tech Crime Unit-as-was for months if not years. We need to move from blame to gain.

Oh, the anti-ci-pation..

Just a heads up that tomorrow is Gower Day.

"The Report of the Gowers Review of Intellectual Property is due be published on Wednesday,6 December.
It will be available on the Treasury website from 08.00:
We expect the Chancellor to refer to it during his pre-budget statement to the House of Commons, starting at 12.15."

Will private copying and sharing of mix tapes be legalised? Will term in sound recordings be left as it is? Will Cliff Richard turn green and burst out of his leather trousers? Only the Shadow knows!!

GikII ppts etc

I'm gratified to discover (though someone could have TOLD me, heh, Andres!!) that the powerpoints from the (she says nonchalantly) successful cutting edge blue skies cyberlaw workshop, GikII, are now available.

Talks are also underway towards turning GikII into a book on Geek Law and finding a home for GikII 2: This Time It's Personal. If you too want to be absorbed into the Geek Collective, contact Pangloss at the editorial address.