Thursday, March 30, 2006

Predictions that went flop..

Not all IT related by any means, but I particularly like these three:

«This antitrust thing will blow over.»
Bill Gates, founder of Microsoft.

«Remote shopping, while entirely feasible, will flop - because women like to get out of the house, like to handle merchandise, like to be able to change their minds.»
TIME, 1966, in one sentence writing off e-commerce long before anyone had ever heard of it.

«There is no reason anyone would want a computer in their home.»
Ken Olson, president, chairman and founder of Digital Equipment Corp. (DEC), maker of big business mainframe computers, arguing against the PC in 1977.

BlogScript knows it's been a bit thin lately: it's sorry, but it's had new job negotiations and end of term to deal with, is off to a funeral, and then off to BILETA, the UK/EU national IT law conference, in Malta, where hopefully it will not only give a paper on eBay and update itself on the latest in Islamic data protection law (for real!) but also try out every one of the four pools at the conference centre hotel :-) After that, mega content!!

Thursday, March 23, 2006

Cruel and Unusual Punishment

MMORPG reintroduces crucifixion.

I wittily suggested that if online personae do exist, and have human rights (as my PhD student is currently trying to claim) then they could certainly claim this was torture and so illegal under the ECHR. A passing computer gamer however noted "And so is getting shot in the face."

Point taken. There are some places law should not go :-)

Tuesday, March 14, 2006

Free wi fi = free beer, free speech or stolen beer?

Interesting discovery - an outfit called FON who are aiming to provide access to members ("Foneros") to free but secure wi fi wherever you go. They're backed by some heavyweight names like Esther Dyson and Dan Gilmore. Basically, individuals are encouraged to sign up to FON and buy a FON-equipped router (for the reduced sum of 25 Euros/USD) which allows other FON users to use their bandwidth, via pre-arranged usernames and passwords, wherever they go. FON undertake that the original user will always be left with a "reasonable amount of bandwidth" whatever that means :-) - and it does have the big advantage of meaning you can share a wi fi connection with pals without leaving it unsecured.

The big question, of course, is how legal is it? A while back as an anecdotal exercise I looked at a few UK ISP subscriber contracts and found that few, if any, had any direct prohibition on bandwidth sharing. Yet one imagines they wouldn't be too happy if this sort of wi fi sharing took off globally. The FON people themselves rather cleverly cover their backs with a term in the legal notice:

"In accordance with the Terms and Conditions of Use of FON Services, Foneros who enter the FON Community must have access to the Internet where they are permitted to share bandwidth with others and/or to download FON Software onto your router."

Of course there is no implication that they will check this, so the legal risk falls on the users, which is of even less comfort to ISPs, one imagines - always better to have a node to sue than a multiplicity of users. (Can we foresee the invention of the tort of inducement of wireless bandwidth theft a la Grokster??)

There are also a few cases lately in the US and UK which hold that war-chalking - stealing bandwidth without the consent of the original bandwidth renter - is a crime. Yet this is IMHO not that either, since everyone involved in the FON network has consented to wi fi sharing.

So I conclude it's legal. Stick Skype or similar on your PDA (the new Orange SPV 3G phone will do this nicely, even though it is the size of a brick) and you need never pay a long distance phone bill again. Will this take off? I wonder. My own needs for wireless are most prominent (a) in hotels (b) in airports - and neither is somewhere where FON subscribers are likely to live and have a FON router set up. But then I'm quite happy to pay my £15 a month for broadband from Telewest - maybe others are more canny/mean.

Tuesday, March 07, 2006

Click and dick?

The Harlow Star reports that a councillor who was sacked for downloading obscene pictures has failed in his attempts to have the monitoring employed by the council declared illegal. Judge Bradbury said the council was entitled to monitor its computers to avoid breaches of its code of conduct, which includes a prohibition on accessing pornography.

This is of a fair bit of interest legally, as very few reported UK decisions at court (not EAT) level exist dealing with the legality of electronic employee surveillance, a matter which has been controversial ever since the Lawful Business Regulations and the Information Commissioner's Code on Employee Monitoring came out. But casual readers will, I suspect, best remember this case for the councillor's excuse - he wasn't downloading porn, he was just checking out condom sizes as part of his role as the Liberal Democrat group's health spokesman conducting research into the European Union's recommended size for condoms.

Pull the other one, Matthew, it's got bells on it :-)

I am reminded of this delightful song - "Grab your dick and double click.."!

Is dongle still just a silly word?

.. or is two factor authentication the coming saviour for security in online banking?

Alliance and Leicester is set to roll out two-factor authentication to its internet banking customers. Two-factor authentication usually couples a password with some kind of device that generates a second passphrase. The idea is that this makes it harder for fraudsters to steal both the password and the generated passphrase, and is therefore more secure than traditional methods of internet banking.

Bruce Schneier disagrees.

"The problem with passwords is that they're too easy to lose control of. People give them to other people. People write them down, and other people read them. ...
Two-factor authentication mitigates this problem. If your password includes a number that changes every minute, or a unique reply to a random challenge, then it's harder for someone else to intercept. You can't write down the ever-changing part. An intercepted password won't be good the next time it's needed. And a two-factor password is harder to guess. Sure, someone can always give his password and token to his secretary, but no solution is foolproof.

These tokens have been around for at least two decades, but it's only recently that they have gotten mass-market attention. AOL is rolling them out. Some banks are issuing them to customers, and even more are talking about doing it. It seems that corporations are finally waking up to the fact that passwords don't provide adequate security, and are hoping that two-factor authentication will fix their problems.

Unfortunately, the nature of attacks has changed over those two decades. Back then, the threats were all passive: eavesdropping and offline password guessing. Today, the threats are more active: phishing and Trojan horses."

So as Schneier says, imagine a customer is duped by a phishing email and website. He types in his password and he plugs in his dongle to generate a one time authentication code. As now, the site harvests both and logs in as him at the real site. How are we any further on? For a short while phishers may switch their attention to the old password-only sites as easier to crack, but that's just a blip till everyone has gone two-factor authenticated. The same problem arises if a Trojan is sitting on your hard disc harvesting everything you type in or send to a login on a site.
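As an added example (not from the original post or from Schneier's essay), this Python sketch models the bank-side check Schneier describes: a six-digit code derived from a shared secret and a one-minute counter, with a used-code list so that an eavesdropped code is worthless the next time it is needed, followed by a second scenario showing why the same check gives the server no way to tell a customer's genuine session from one relayed by a look-alike site within the same minute. The secret, password and timestamps are constructed sample values.

```python
import hashlib
import hmac
import struct

# Constructed demo values: a real deployment would hold one secret per customer token.
SECRET = b"constructed-shared-secret-for-demo"
PASSWORD = "hunter2"
STEP = 60  # seconds per counter tick: Schneier's "number that changes every minute"

def one_time_code(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP-style code: HMAC-SHA1 over the counter, dynamically truncated (RFC 4226 scheme)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"

class BankServer:
    def __init__(self, secret: bytes, password: str):
        self.secret = secret
        self.password = password
        self.used_counters = set()  # minutes whose code was already accepted: blocks replay

    def login(self, password: str, code: str, now: int) -> str:
        counter = now // STEP
        if password != self.password:
            return "deny: bad password"
        if counter in self.used_counters:
            return "deny: code already used"
        if not hmac.compare_digest(code, one_time_code(self.secret, counter)):
            return "deny: bad code"
        self.used_counters.add(counter)
        return "ok"

def scenario_replay() -> tuple:
    """Passive attacker: password and code captured at t0 are replayed later."""
    server = BankServer(SECRET, PASSWORD)
    t0 = 1_000_000
    captured = one_time_code(SECRET, t0 // STEP)
    genuine = server.login(PASSWORD, captured, t0)             # the customer's own login
    same_minute = server.login(PASSWORD, captured, t0 + 10)    # replay within the minute
    later = server.login(PASSWORD, captured, t0 + 2 * STEP)    # replay two minutes later
    return genuine, same_minute, later

def scenario_relay() -> str:
    """Active attacker: the customer types password and code into a look-alike site, which forwards them at once."""
    server = BankServer(SECRET, PASSWORD)
    t0 = 1_000_000
    code = one_time_code(SECRET, t0 // STEP)
    # The code carries nothing about which site the customer thought she was using,
    # so the relayed login is indistinguishable from a genuine one.
    return server.login(PASSWORD, code, t0 + 5)
```

The replay scenario returns ("ok", "deny: code already used", "deny: bad code"): the captured code is useless after its minute. The relay scenario returns "ok", which is Schneier's point: the token only proves that someone typed the right code within the minute, not where they typed it.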

Back to the dongle board, folks..

Monday, March 06, 2006

EBay Makes Your Eyes Water

According to the Beeb, a prosecution brought against eBay by the General Optical Council, for aiding and abetting in the illegal sale of contact lenses by persons other than registered opticians, under the Opticians Act 1989, has been dropped, after advice that eBay was protected by European law. One can only assume this refers to Art 14 of the EC Electronic Commerce Directive as implemented in the UK by the 2002 Regulations of the same name. Under this law, reg 19 states that:

"Where an information society service is provided which consists of the storage of information provided by a recipient of the service, the service provider (if he otherwise would) shall not be liable for damages or for any other pecuniary remedy or for any criminal sanction as a result of that storage where -

(a) the service provider -
(i) does not have actual knowledge of unlawful activity or information and, where a claim for damages is made, is not aware of facts or circumstances from which it would have been apparent to the service provider that the activity or information was unlawful; or
(ii) upon obtaining such knowledge or awareness, acts expeditiously to remove or to disable access to the information, and

(b) the recipient of the service was not acting under the authority or the control of the service provider."

EBay's involvement came from some 200 individuals selling contact lenses via its site listings, not from any direct commercial activities of its own. What the GOC seem to have accepted then is that, as EBay themselves put it, "as an "information society service provider", [EBay's] duty is simply to remove illegal sale notices from its site when it is made aware of them, rather than to comb through it for them". This interpretation is reinforced by Art 15 of the Electronic Commerce Directive which provides that EC states shall not impose positive obligations of monitoring on information society service providers.

As the Beeb report points out, this leaves the GOC, as a public regulator, in a highly unsatisfactory position. The GOC spokesman said: "We feel that it is an unreasonable burden for a regulator, with limited resources, to have to monitor the millions of listings on auction websites. In effect, we would have to notify the website of each individual instance of an illegal sale in order for it to be de-listed."

But did the GOC cave too soon? First, Art 15 was never transposed into UK law. Arguably this makes no difference as remedies can be obtained in respect of Directives even where not transposed into domestic law, but it is still rather odd.

Secondly, and rather controversially, could it be argued that the EBay sellers of contact lenses were acting "under the authority or the control of" EBay? EBay do contractually allow sellers to sell on its site, and take a cut of the profits for doing so. Is this not "authority"? As I have noted before, they are hardly in the same position as a traditional ISP handling myriads of communications in a hands off way. EBay furthermore do at least present something that looks rather like "control" in that they have various Acceptable Use policies relating to what can and cannot be sold on EBay. Contact lenses are specifically mentioned under the "prohibited" list. EBay do their best to make these warnings look advisory - "eBay is here to help, but you are ultimately responsible for making sure that buying an item or selling your item(s) is allowed on eBay and is not prohibited in the eyes of the law. Follow these steps to find out whether or not your item can be listed on eBay." - but such words cannot detract from the fact that it seems a reasonable interpretation that eBay's various "prohibited" policies for buyers and sellers are incorporated by reference as part of the terms of the contract with eBay.

If eBay can be characterised as having either "authority or control" then the immunity provided by reg 19 in respect of criminal liability will fail to protect them.

Thirdly, nothing in the ECD or the UK regs stops a litigant seeking an injunction or interdict in relation to hosting liability. Reg 20 states: "Nothing in regulations 17, 18 and 19 shall ...(b) affect the rights of any party to apply to a court for relief to prevent or stop infringement of any rights." This language speaks of civil law rights, but could it be read also as allowing the GOC to take an injunction preventing eBay from selling contact lenses without a trained optician on staff? If so, the regulator's need for swift and single-targeted action can be met. Such an approach would not be out of step with the rest of the EU - in Germany, in two cases, the Supreme Court has allowed injunctions against online auction sites in respect of illegal content they were hosting.

This case is significant for more than just the illegal sale of contact lenses. It is the first UK case, and one of the first EU cases, to decide in any shape or form whether eBay's habitual claim of immunity as a "neutral intermediary" will be unquestioningly accepted. As reported on this blog earlier, an action is also pending from Tiffany the diamond sellers in relation to rampant trademark infringement on eBay. If the GOC case is accepted in practice as any kind of precedent (it is not in strict law, being simply the abandonment of the case), it will be hard for any case on civil or criminal hosting liability to stand up against eBay.

Yet in a civil case such as a trademark infringement action, eBay can be held liable not just if it has actual notice, but also if it has constructive knowledge of the infringement. So in the upcoming TM case, I expect to see evidence that eBay must reasonably have known that its listings were full of counterfeit Tiffany goods, even if it was not compelled to actually monitor its site to see just how many counterfeit listings it had - simply from the NTD requests it received on an ongoing basis. The very advice eBay gives about prohibited listings could be seen as evidence that eBay knew quite well this sort of goods was habitually sold on its site. If that were to be proven - and it would not be hard, one feels - a defense of take down only on actual notice would be irrelevant.

Anyone know what lawyers advised the GOC?

Wednesday, March 01, 2006

EFF attack Yahoo!/AOL email postage stamp

EFF are co-ordinating mass opposition to Yahoo!/AOL's email postage stamp scheme, as blogged by me a few days ago. And bloody right too.

"A pay-to-send system won't help the fight against spam - in fact, this plan assumes that spam will continue and that mass mailers will be willing to pay to have their emails bypass spam filters. And non-paying spammers will not reduce the amount of mail they throw at your filters simply because others pay to evade them.
Perversely, the new two-tiered system AOL proposes would actually reward AOL financially for failing to maintain its email service. The chief advantage of paying to send CertifiedEmail is that it can bypass AOL's spam filters. Non-paying customers are being asked to trust that after paid mail goes into effect, AOL will properly maintain its spam filters so only unwanted mail gets thrown away.

But the economic incentives point the other way: The moment AOL switches to a two-tiered Internet where giant emailers pay for preferential service, AOL will face a simple business choice: spend money to keep regular spam filters up-to-date, or make money by neglecting their spam filters and pushing more senders to pay for guaranteed delivery. Poor delivery of mail turns from being a problem that AOL has every incentive to fix to something that could actually make them money if the company ignores it."