Adam Fields (weblog) » Law / Government
entertaining hundreds of millions of eyeball atoms every day
Mon, 08 Apr 2013 17:49:20 +0000

Toys and Testing
Wed, 10 Dec 2008 22:37:38 +0000, adam

BoingBoing reports that new rules on consumer safety threaten to put small producers out of business because the testing is too expensive.

I have a few thoughts on this.

This is a pretty common libertarian vs. nanny state disagreement (should consumers be allowed to make their own choices?), but I don’t think it’s that simple, for a few reasons. (Before you go on, I think it’s worth reading my previous piece on some failure modes of the market.)

Keeping toxic chemicals out of kids’ toys can’t really be the responsibility of the parents, because it’s not within their domain of control. You can be a responsible parent, you can only buy toys you “trust” (whatever that means) and your child will still be exposed to toys you didn’t have any say about. It’s unavoidable – other kids have toys, day care centers have toys, kids play with toys in the playground that other kids bring or leave behind. The only way to prevent these toys from coming into contact with kids is to keep them out of the marketplace to begin with. If you like, it’s society’s responsibility to keep poisons out of kids’ toys in general, because the incentives don’t line up for the individual actors.

After-the-fact deterrents are simply not effective. Lawsuits take years to resolve, are overly burdensome, and it may be impossible to even track down the responsible party (I’m told it’s nearly impossible to sue a foreign company). On top of that, even an expensive PR-nightmare lawsuit may not be a sufficient deterrent to a large corporation with a hefty legal budget. A few million dollar settlements can seem very small in the face of a few hundred million in profits per year. Also, it’s worth noting that this is a reactive response which doesn’t actually fix the problem, but tries to throw monetary compensation in an attempt to “make things better”. But that’s basically what we’re being asked to accept here with the free market solution – let us do what we want and if you don’t like it, sue us, because it’s “too expensive” to ensure that we make safe products. We have that prefrontal cortex for a reason – people are uniquely capable of making predictive decisions, and to allow reactive forces to handle problems we can plainly see are coming seems ridiculously primitive to me. One might argue that we don’t have the capacity to predict how our actions might affect these complex systems, but that’s exactly why we need to be able to adapt and tweak them as we go. I haven’t seen any evidence that the market makes better choices in these kinds of situations, and in fact the call for regulation is a response to the failure of market forces – these companies have already shown an inability to keep toxic ingredients out of their products, yet we still continue to have these problems. Public outrage and whatever lawsuits are currently in the pipeline haven’t served as an adequate deterrent. Why’s that? I don’t know.

This is similar to the conundrum faced by small food producers. See Joel Salatin’s Everything I Want To Do Is Illegal for a lot of good examples of this. The main thrust is that the rules that are meant for large corporations where the overhead gets absorbed by the scale are overly burdensome for small producers, who don’t have the resources for dedicated testing facilities but also have less capacity to do harm, both because they have fewer customers and because some kinds of harm are caused by the steps needed to operate at scale in the first place. I like to buy local food from farmers that I’ve come to know and trust. This can work at a small scale – if I want to see their operation, I can go visit the farm. I have no similar way to verify that with a larger company.

I don’t think that broken regulation is a condemnation of the entire idea of regulation, but I think it’s obvious that the rules need to be different depending on the scale of the domain they apply to. It is not unreasonable for Hasbro and Mattel to have to follow different rules than the guy who’s carving wood figures in his garage and selling them on Etsy. Scale matters – more is different, and bigger is different.

Dear Senator McCain
Thu, 25 Sep 2008 14:09:06 +0000, adam

Dear Senator McCain,

Please remember that you are in America, and in America, we don’t suspend elections.

Have a nice day.

The Google Chrome terms of service are hilarious
Wed, 03 Sep 2008 20:02:28 +0000, adam

I’ve been very busy lately, but this is just too much to not comment on.

There are other articles about how the Google Chrome terms of service give Google an irrevocable license to use any content you submit through “The Services” (a nice catchall term which includes all Google products and services), but the analysis really hasn’t gone far enough – that article glosses over the fact that this applies not only to content you submit, but also content you display. Of course, since this is a WEB BROWSER we’re talking about, that means every page you view with it.

In short, when you view a web page with Chrome, you affirm to Google that you have the right to grant Google an irrevocable license to use it to “display, distribute and promote the Services”, including making such content available to others. If you don’t have that legal authority over every web page you’ve visited, you’ve just fraudulently granted that license to Google and may yourself be liable to the actual copyright owner. (If you do, of course, you’ve just granted them that license for real.) I’m not a lawyer, but I suspect that Google has either committed mass inducement to fraud or the entire EULA (which lacks a severability clause) is impossible to obey and therefore void. [Update: there is a severability clause in the general terms, which I missed on the first reading. Does that mean that the entire content provisions would be removed, or just the parts that apply to the license you grant Google over the content you don't have copyright to? I don't know.]

Even more so than usual, these terms are, quite frankly, ridiculous and completely inappropriate for not only a web browser but an open source web browser.

Nice going guys.

Coming to a Rational First Sale Doctrine for Digital Works
Mon, 24 Mar 2008 13:15:10 +0000, adam

In reference to this Gizmodo piece analyzing the rights granted by the Kindle and Sony e-reader:

I think the analysis in that article is flawed. It doesn’t make any sense to be able to resell the reader with the books on it, because the license for the books is assigned to you, not to the reader. For example, if your Kindle breaks, you can move your books to another one. I’ve never heard anything other than the opinion that you can’t resell the digital copy – the assumption has always been that these sorts of transactions break the first sale doctrine. The problem then becomes “what are you buying?”, if there’s nothing you can resell.

The first sale doctrine has to apply to the license, not the bits themselves, because under the scenario in which it applies to the bits, arguably Amazon retains no rights whatsoever. They had no direct hand in arranging the bits of your copy the way they are – they merely sent instructions to your computer about how to arrange them in a certain pattern. The article asserts that you can’t “transfer” the bits, but in the same way, in downloading a copy, Amazon hasn’t actually “transferred” anything to you, either.

There’s no reason you shouldn’t be able to sell your Kindle, and the books don’t necessarily go with it, but if you want to sell the books separately, you can do that too. Legally, if you do that, you’d be obligated to destroy all of the copies you’ve made. Amazon’s inability to police that is as relevant as their inability to police the fact that you haven’t made a photocopy of the physical book you sold when you were done with it. There’s no weight to the argument that this will encourage rampant piracy, given that unencrypted cracked copies of all of these things are available to those who want them anyway, and always will be. People comply with reasonable laws willingly because they’re honest, it’s the “right thing to do”, and they feel that the laws are an acceptable tradeoff for living in a civilized society where sometimes you have to make compromises and not just do whatever you want. People do not comply with one-sided laws where they feel like they’re being ripped off for no reason. A law which turns your sale into a non-sellable license is of the latter kind. It turns normal users into petty criminals who don’t care when they break the law, because the law is stupid. Once they’ve ignored some of the terms, it’s a shorter step to ignore others, or ignore similar terms for other products. People like consistency, especially in legal treatments. I would argue that it’s in Amazon’s interest (and the others) to not niggle on this point, because a reasonable license with terms that look like a sale makes for happier customers who aren’t interested in trodding on the license terms, and that’s better for everyone.

(Yes, I’m arguing that restrictive license “sales” are anti-civilization.)

The Kindle ToS not only prohibits selling the Kindle with your books on it, it prohibits anyone else from even looking at it. If someone reads over your shoulder on the train, you’re in violation.

This is, of course, ridiculous.

The right legal response here seems to me to be to not dicker about with splitting hairs about whether you can sell your digital copies if they’re on a physical device and you can’t if they’re not, but to declare that anything sufficiently close to a “right to view, use, and display [...] an unlimited number of times” de facto constitutes a sale, and with it comes certain buyer’s rights regardless of what kinds of outrageous restrictions the licensor tries to bundle in the ToS. The fact that this also seems to be the right business response reinforces my belief that this is the correct path. This kind of a transaction is different from renting, which is by nature a temporary one.

It is the right thing for society to declare that if you’ve bought something that isn’t time or use limited, you’ve therefore also bought the right to resell it, whether it’s a physical object or a license.


Why don’t we have degrees of terrorism?
Tue, 04 Mar 2008 14:38:31 +0000, adam

We have different classifications for the crime of “killing a person”, and those classifications encompass whether it was an accident or not, whether it was premeditated, and how many people were killed – i.e., how serious a crime has actually been committed. But when we talk about terrorism, it’s always just “terrorism”. This results in the really sinister megacriminals being lumped in with the group of morons that can’t get it together to leave the house without forgetting to wear pants, let alone actually arrange to blow anything up.

Most “terrorists” are less dangerous than your average serial killer or bus accident, but we still lump them all together simply because they have an agenda.

Similar to murder, I think we need some sort of classification system for these crimes:

  1. Intent to commit terrorism: you “plotted” with someone who may or may not have been an undercover cop, but didn’t actually acquire passports or learn how to make liquid explosives
  2. Manfrightening: you committed some other crime, and along the way someone got scared and called you a terrorist, but you have no stated agenda.
  3. Terrorism in the third degree: You actually blew up something, but no one was hurt.
  4. Terrorism in the second degree: You actually blew up something and killed some people, but failed to garner any sympathy from the public.
  5. Terrorism in the first degree: You actually blew up something, lots of people were killed, and the US declared war on some country you were unaffiliated with.

Brilliant DMCA side effect
Fri, 11 May 2007 03:23:00 +0000, adam

Crappy DRM company says the DMCA forces you to buy their technology instead of building your own because not buying their technology is a circumvention of an effective copyright tool.

The thing is, I think they’re right. I mean, it’s stupid, but then so is the DMCA.

There are some other provisions (which seem to not apply), but the crux of it is:

“No person shall manufacture, import, offer to the public, provide, or otherwise traffic in any technology, product, service, device, component, or part thereof, that–

(A) is primarily designed or produced for the purpose of circumventing a technological measure that effectively controls access to a work protected under this title;”

It explicitly does NOT say “copy the work”, it says “circumvent the technology”. “Circumvent” is not the word they were looking for.

In fact, now that I think about it, convincing someone that DRM is bad is also a violation, as that may be interpreted as offering a service that is primarily designed for the purpose of circumventing technological protection. Crap.

(via boingboing.)

Remember when DoubleClick was pretty universally reviled and sued for privacy violations a few years back?
Sat, 14 Apr 2007 14:49:46 +0000, adam

Oh yeah.

NYT on the Iraqi version of the Daily Show
Tue, 24 Oct 2006 13:45:11 +0000, adam

This is a NYT article about an Iraqi show which seems to be called “Hurry Up, He’s Dead”.

The description is painful to read, a horrible ironic reminder of the awfulness:

“In a recent episode, the host, Saad Khalifa, reported that Iraq’s Ministry of Water and Sewage had decided to change its name to simply the Ministry of Sewage — because it had given up on the water part.”

“Mr. Sudani, the writer, said he has lost hope for his country. Iraq’s leaders are incompetent, he said. He fears that services will never be restored. The American experiment in democracy, he said, was born dead.

All anyone can do, he said, is laugh.”

Via Perry Metzger:

Step by step instructions on how to set up a webcam for security monitoring
Fri, 29 Sep 2006 15:21:59 +0000, adam

With an open source monitoring program – Dorgem.


Wikipedia refuses to censor in China
Tue, 12 Sep 2006 04:10:16 +0000, adam

Bravo.

Doing what the terrorists want
Fri, 25 Aug 2006 21:24:07 +0000, adam

I’ve often said that terrorism is an auto-immune disease afflicting civilization. Bruce Schneier has a great article up about how responding to terrorism by locking things down is, in fact, exactly what the terrorists want.

An important lesson about key races
Fri, 18 Aug 2006 15:13:36 +0000, adam

Britt pointed me at this piece about how Lieberman still has very strong support:

There’s an important lesson in here. When you hang principles on a single race, and then lose, the principle goes with the race and suffers a horrible blow. This WAS the Dean mistake – it represented the internet way, and everybody fled when he lost, and how long has it taken that approach to recover its reputation?

When Lieberman wins, the ENTIRE “unseat the incumbents” approach dies a horrible death, in one single event.

How to dissociate the principles from the individual race?

AOL releases “anonymized” search data for 500k users
Mon, 07 Aug 2006 16:03:26 +0000, adam

This is a serious breach of user privacy, and I can’t imagine there won’t be lawsuits over this.

Either they didn’t think this through, or this is the best way they could think of to raise a public outrage.

Google Government search
Fri, 16 Jun 2006 14:42:19 +0000, adam

I think it’s simultaneously good that Google is turning a watchful eye on the government, but also somewhat creepy that they’re putting themselves in the position of proxying people’s access to potentially sensitive information. I do NOT think that the Google privacy policy is sufficient to cover this situation.

As many have predicted, this is also likely to expose some interesting accidentally unprotected things at some point in the future.

The motivations of wiretapping
Sun, 04 Jun 2006 18:33:43 +0000, adam

Boingboing points out this Wired article about a reporter who crashed a conference of wiretapping providers, mentioning this quotation in particular:

‘He sneered again. “Do you think for a minute that Bush would let legal issues stop him from doing surveillance? He’s got to prevent a terrorist attack that everyone knows is coming. He’ll do absolutely anything he thinks is going to work. And so would you. So why are you bothering these guys?”‘

It’s an interesting read, but I fundamentally disagree with the above statement, and this is the problem.

It’s not the surveillance that bothers me, it’s the resistance to oversight, even after the fact.

If there was any confidence that what they were doing was a reasonable tradeoff, they wouldn’t have to a) lie or b) break the law to do it. Yet they’ve done both of these things.

If the law enforcement community said “well shit, we’re out of ideas about how to stop these people, and so we really need to have our computers read everyone’s email and tap everyone’s phones and we guarantee that this information won’t be used for anything else, and anyone we find doing something nefarious will be dealt with according to due process”, then we could, you know, engage in a meaningful discussion about this. And then we could move on to the fact that “terrorist” is not a useful designation for a criminal, and then maybe we could fire the people who thought up this brilliant idea and find someone who would practice actual security because wholesale surveillance and profiling have been widely debunked as largely useless for anything besides persecution, political attacks, and invasions of privacy.

But we won’t, because that’s not what this is about.

This opinion of a member of the Dutch National Police is particularly telling:

‘He said that in the Netherlands, communications intercept capabilities are advanced and well established, and yet, in practice, less problematic than in many other countries. “Our legal system is more transparent,” he said, “so we can do what we need to do without controversy. Transparency makes law enforcement easier, not more difficult.”’

The technology exists, it’s not going away, and it’s really not the problem. The secrecy is the problem.

Elections are not enough feedback
Mon, 15 May 2006 14:59:48 +0000, adam

Another idea that came out of the tired and somewhat inebriated tail end of last night’s gathering, that I didn’t want to forget.

Our system of representative democracy is predicated on the core idea that elected representatives are beholden to their constituents, because if they’re not, they’ll get elected out on the next cycle. But this is typically a four-year turnaround, and that’s plenty of time to do irreparable damage. I posit that this is not enough feedback, and we need to have a way to get citizen input taken more seriously, with direct consequences for representatives who fail to listen. This also probably goes along with increasing the number of representatives, and possibly giving up on the presumption that people who live near each other necessarily share the same views (or have views that are not directly contradictory and can be rationalized into a coherent position by one representative).

I have to think about this more.

New “security glitch” found in Diebold voting systems
Thu, 11 May 2006 14:08:34 +0000, adam

“Elections officials in several states are scrambling to understand and limit the risk from a “dangerous” security hole found in Diebold Election Systems Inc.’s ATM-like touch-screen voting machines.

The hole is considered more worrisome than most security problems discovered on modern voting machines, such as weak encryption, easily pickable locks and use of the same, weak password nationwide.”

Perhaps it’s time to acknowledge that the Diebold systems themselves ARE the security glitch.

US Mandatory Data Retention laws are coming
Sun, 30 Apr 2006 14:35:48 +0000, adam

Remember the privacy implications of the government asking Google for search data?

It’s going to get worse before it gets better. No online service considers your IP address to be private information, and now they will be required to maintain logs mapping your IP address to real contact information, for a period of at least one year after your account is closed.

The only way to prevent this information from being misused is to not keep it, and now there won’t be any choice.

I’ve discussed this before:

Watch out for the, uh, oven door scam
Thu, 06 Apr 2006 17:42:45 +0000, adam

Apparently, crooks have been breaking into vacation homes, stealing the OVEN DOORS, repackaging them in real flat screen TV boxes, and selling them to dupes on the street.

Words fail me.

MIT student told to drop out of school by the RIAA to pay settlement fines
Thu, 06 Apr 2006 15:22:31 +0000, adam

Of course, this is nothing compared to the fact that the RIAA says you shouldn’t be allowed to break DRM even if it’s going to kill you if you don’t:

I’ve discussed this before:

Impacts of Eolas patent on web pages
Wed, 05 Apr 2006 14:43:41 +0000, adam

Due to a lost patent claim, on April 11th, Active X controls (all embedded objects in IE) will have changed behavior and will require an “activation click” before they can be interacted with.

1) This does not affect pure DHTML/javascript, only DHTML/javascript that interacts with embedded applets.

2) As described in the MS article and some of the links below, it is possible to bypass the restriction by loading the objects from an external page, and this can be automated in some circumstances. Apparently, Adobe/Macromedia is also working on better fixes.

Hidden dangers for consumers – Trojan Technologies
Mon, 20 Mar 2006 16:55:33 +0000, adam

I’ve been collecting examples of cases where there are hidden dangers facing consumers, cases where the information necessary to make an informed decision about a product isn’t obvious, or isn’t included in most of the dialogue about that product. Sometimes, this deals with hidden implications under the law, but sometimes it’s about non-obvious capabilities of technology.

We’re increasingly entering situations where most customers simply can’t decide whether a certain product makes sense without lots of background knowledge about copyright law, evidence law, network effects, and so on. Things are complicated.

So far, I have come up with these examples, which would seem to be unrelated, but there’s a common thread – they’re all bad for the end user in non-obvious ways. They all seem safe on the surface, and often, importantly, they seem just like other approaches that are actually better, but they’re carrying hidden payloads – call them “Trojan technologies”.

To put it clearly, what I’m talking about are the cases where there are two different approaches to a technology, where the two are functionally equivalent and indistinguishable to the end user, but with vastly different implications for the various kinds of backend users or uses. Sometimes, the differences may not be evident until much later. In many circumstances, the differences may not ever materialize. But that doesn’t mean that they aren’t there.

  • Remote data storage. I wrote a previous post about this, and Kevin Bankston of the EFF has some great comments on it. Essentially, the problem is this. To the end user, it doesn’t matter where you store your files, and the value proposition looks like a tradeoff between having remote access to your own files or not being able to get at them easily because they’re on your desktop. But to a lawyer asking for those files, it makes a gigantic difference in whether they’re under your direct control or not. On your home computer, a search warrant would be required to obtain them, but on a remote server, only a subpoena is needed.
  • The recent debit card exploit has shed some light on the obvious vulnerabilities in that system, and it’s basically the same case. To a consumer, using a debit card looks exactly the same as using a credit card. But the legal ramifications are very different, and their use is protected by different sets of laws. Credit card liability is typically geared in favor of the consumer – if your card is subject to fraud, there’s a maximum amount you’ll end up being liable for, and your account will be credited immediately, as you simply don’t owe the money you didn’t charge yourself. Using a debit card, the money is deducted from your account immediately, and you have to wait for the investigation to be completed before you get your refund. A lot of people recently discovered this the hard way. There’s a tremendous amount of good coverage of debit card fraud on the Consumerist blog.
  • The Goodmail system, being adopted by Yahoo and AOL, is a bit more innocuous on the surface, but it ties into the same question. On the face of it, it seems like not a terrible idea – charge senders for guaranteed delivery of email. But the very idea carries with it, outside of the normal dialogue, the implications of breaking network neutrality (the concept that all traffic gets equal treatment on the public internet) that extend into a huge debate being raged in the confines of the networking community and the government, over such things as VoIP systems, Google traffic, and all kinds of other issues. I’m not sure if this really qualifies in the same league as my other examples, but I wanted to mention it here anyway. There’s a goodmail/network neutrality overview discussion going on over on Brad Templeton’s blog.
  • DRM is sort of the most obvious. Consumers can’t tell what the hidden implications of DRM are. This is partly because those limitations are subject to change, and that in itself is a big part of the problem. The litany of complaints is long – DRM systems destroy fair use, they’re security risks, they make things complicated for the user. I’ve written a lot about DRM in the past year and a half.
  • 911 service on VoIP is my last big example, and one of the first ones that got me started down this path. This previous post, dealing with the differences between multiple kinds of services called “911 service” on different networks, is actually a good introduction to this whole problem. I ask again ‘Does my grandmother really understand the distinction between a full-service 911 center and a “Public Safety Answering Point”? Should she have to, in order to get a phone where people will come when she dials 911?’

I don’t have a good solution to this, beyond more education. This facet must be part of the consumer debate over new technologies and services. These differences are important. We need to start being aware, and asking the right questions. Not “what are we getting out of this new technology?”, but “what are we giving up?”.

Claim your settlement from Sony
Thu, 16 Mar 2006 00:11:48 +0000, adam

If you bought an infected CD from Sony, you’re entitled to some benefits under the lawsuit settlement:

Google forced to release records by the court
Tue, 14 Mar 2006 20:37:28 +0000, adam

As predicted, U.S. Judge James Ware intends to force Google to hand over the requested data to the DoJ.

Outrage fatigue roundup 3/2/2006
Thu, 02 Mar 2006 17:26:59 +0000, adam

The big news this week – video that Bush knew that Katrina would destroy New Orleans a day before the storm hit:

Asking for complaint forms in Florida Police stations gets you harassed and threatened:

Greek cell phone taps of high officials were enabled by embedded surveillance tech:

Zogby poll shows 72% of troops want to get out of Iraq in the next year, but also that 85% of them think they’re there to retaliate for Saddam’s attacking us on 9/11. So, there’s that:

Human rights abuses in Iraq are worse than under Saddam (oops, Freudian slip – I typed Bush there first):

Daily Kos is mumbling something about State-initiated impeachment:

And, a kitten:

Greek wiretaps were enabled by embedded spy code
Thu, 02 Mar 2006 14:47:34 +0000, adam

Power, once given, will be abused. And not necessarily by those it’s given to.

Bruce Schneier has a blog entry about the Greek cell phone tapping scandal – about 100 cell phones of politicians and officials, including the American embassy, have been tapped by an unknown party since the 2004 Olympics.

Bruce points out that the “malicious code” used to enable this was actually designed into the system as an eavesdropping mechanism for the police.

“There is an important security lesson here. I have long argued that when you build surveillance mechanisms into communication systems, you invite the bad guys to use those mechanisms for their own purposes. That’s exactly what happened here.”

Conversation about CC licenses
Wed, 01 Mar 2006 20:18:40 +0000, adam

Joe Gratz and I are having an interesting discussion about Creative Commons licenses over in the comments of his blog post about Schmap:

The Hurtt Prize
Tue, 21 Feb 2006 17:24:11 +0000, adam

Harold Hurtt, police chief of Houston, has advocated changing building permits to require cameras in public areas of malls and apartment complexes, to try to deter crime:

He’s quoted in the article, saying “I know a lot of people are concerned about Big Brother, but my response to that is, if you are not doing anything wrong, why should you worry about it?”

1) “Wrong” is always changing, and isn’t always correct.

2) Our society and legal system are neither constructed for nor capable of handling perfect law enforcement.

3) It’s not worth any price to catch all of the criminals. There are tradeoffs to be made.

The Hurtt Prize is a $1000-and-growing bounty offered for anyone who gets a video capture of Mr. Hurtt committing a crime.

China loves the Patriot Act
Wed, 15 Feb 2006 00:36:55 +0000, adam

In an interview with a senior Chinese official responsible for policing the Internet, he defends China’s monitoring and filtering as no different from what other countries do to enforce their laws and keep the content on the internet “safe”. He points to the Patriot Act as evidence that the US is “doing a good job on this front”.

Detailed survey of verbatim answers from AOL, MS, Yahoo, and Google about what details they store
Fri, 03 Feb 2006 16:42:32 +0000, adam

Declan McCullagh has compiled responses from AOL, Microsoft, Yahoo and Google on the following questions (two of which are nearly verbatim from my previous query, uncredited):

So we’ve been working on a survey of search engines, and what data they keep and don’t keep. We asked Google, MSN, AOL, and Yahoo the same questions:

- What information do you record about searches? Do you store IP addresses linked to search terms and types of searches (image vs. Web)?
- Given a list of search terms, can you produce a list of people who searched for that term, identified by IP address and/or cookie value?
- Have you ever been asked by an attorney in a civil suit to produce such a list of people? A prosecutor in a criminal case?
- Given an IP address or cookie value, can you produce a list of the terms searched by the user of that IP address or cookie value?
- Have you ever been asked by an attorney in a civil suit to produce such a list of search terms? A prosecutor in a criminal case?
- Do you ever purge these data, or set an expiration date of for instance 2 years or 5 years?
- Do you ever anticipate offering search engine users a way to delete that data?

US-VISIT approximate costs: $15M per criminal
Wed, 01 Feb 2006 22:48:08 +0000, adam

The system has cost around $15 billion, and has caught about 1000 criminals. No terrorists, all immigration violations and common criminals.

This estimate doesn’t include lost tourism revenue, academic implications of detaining foreign students or professors, or a count of how many of those criminals might have been caught anyway.

What’s the big fuss about IP addresses?
Sun, 29 Jan 2006 20:33:56 +0000, adam

Given the recent fuss about the government asking for search terms and what qualifies as personally identifiable information, I want to explain why IP address logging is a big deal. This explanation is somewhat simplified to make the cases easier to understand without going into complete detail of all of the possible configurations, of which there are many. I think I’ve kept the important stuff without dwelling on the boundary cases, and be aware that your setup may differ somewhat. If you feel I’ve glossed over something important, please leave a comment.

First, a brief discussion of what IP addresses are and how they work. Slightly simplified, every device that is connected to the Internet has a unique number that identifies it, and this number is called an IP address. Whenever you send any normal network traffic to any other computer on the network (request a web page, send an email, etc…), it is marked with your IP address.

There are three standard cases to worry about:

  1. If you use dialup, your analog modem has an IP address. Remote computers see this IP address. (This case also applies if you’re using a data aircard, or using your cell phone as a modem.)
  2. If you have a DSL or cable connection, your DSL/cable modem has an IP address when it’s connected, and your computer has a separate internal IP address that it uses to only communicate with the DSL or cable modem, typically mediated by a home router. Remote computers see the IP address of the DSL/cable modem. (This case also applies if you’re using a mobile wifi hotspot.)
  3. If you’re directly connected to the internet via a network adapter, your network adapter has an IP address. Remote computers see this IP address.

Sometimes, IP addresses are static, meaning they’re manually assigned and don’t change automatically unless someone changes them (typically, only for case #3). Often, they’re dynamic, which means they’re assigned automatically with a protocol called DHCP, which allows a new network connection to automatically pick up an IP address from an available pool. But just because they can change doesn’t mean they will change. Even dynamic IP addresses can remain the same for months or years at a time. (The servers you’re communicating with also have IP addresses, and they are typically static.)

In order to see how an IP address may be personally identifiable information, there’s a critical question to ask – “where do IP addresses come from, and what information can they be correlated with?”.

Depending on how you connect to the internet, your IP address may come from different places:

  • If you use dialup, your modem will get its IP address from the dialup ISP, with which you have an account. The ISP knows who you are and can correlate the IP address they give you with your account. Your name and billing details are part of your account information. By recording the phone number you call from, they may be able to identify your physical location.
  • If you have a DSL or cable connection, your DSL/cable modem will get its IP address from the DSL/cable provider. The ISP knows who you are and can correlate the IP address they give you with your account. Your name and physical location, and probably other information about you, are part of your account information.
  • If you’re using a public wifi access point, you’re probably using the IP address of the access point itself. If you had to log in to your account, your name and physical location, and probably other information about you, are part of your account information. If you’re using someone else’s open wifi point, you look like them to the rest of the internet. This case is an exception to the rest of the points outlined in this article.
  • If you’re directly connected to the internet via a network adapter, your network adapter will get its IP address from the network provider. In an office, this is typically the network administrator of the company. Your network administrator knows which computer has which IP address.

None of this information is secret in the traditional sense. It is probably confidential business information, but in all cases, someone knows it, and the only thing keeping it from being further revealed is the willingness or lack thereof of the company or person who knows it.

While an IP address may not be enough to identify you personally, there are strong correlations of various degrees, and in most cases, those correlations are only one step away. By itself, an IP address is just a number. But it’s trivial to find out who is responsible for that address, and thus who to ask if you want to know who it’s been given out to. In some cases the logs will be kept indefinitely, and in others they will be destroyed on a regular basis – it’s entirely up to each individual organization.

Up until now, I’ve only discussed the implications of having an IP address. The situation gets much much worse when you start using it. Because every bit of network traffic you use is marked with your IP address, it can be used to link all of those disparate transactions together.

Despite these possible correlations, not one of the major search engines considers your IP address to be personally identifiable information. [Update: someone asked where I got this conclusion. It's from my reading of the Google, Yahoo, and MSN Search privacy policies. In all cases, they discuss server logs separately from the collection of personal information (although MSN Search does have it under the heading of "Collection of Your Personal Information", it's clearly a separate topic). If you have some reason to believe I've made a mistake, I'm all ears.] While this may technically be true if you take an IP address by itself, it is a highly disingenuous position to take when logs exist that link IP addresses with computers, physical locations, and account information… and from there with people. Not always, but often. The inability to link your IP address with you depends always on the relative secrecy of these logs, what information is gathered before you get access to your IP address, and what other information you give out while using it.

Let’s bring one more piece into the puzzle. It’s the idea of a key. A key is a piece of data in common between two disparate data sources. Let’s say there’s one log which records which websites you visit, and it stores a log that only contains the URL of the website and your IP address. No personal information, right? But there’s another log somewhere that records your account information and the IP address that you happened to be using. Now, the IP address is a key into your account information, and bringing the two logs together allows the website list to be associated with your account information.

  • Have you ever searched for your name? Your IP address is now a key to your name in a log somewhere.
  • Have you ever ordered a product on the internet and had it shipped to you? Your IP address is now a key to your home address in a log somewhere.
  • Have you ever viewed a web page with an ad in it served from an ad network? Both the operator of the web site and the operator of the ad network have your IP address in a log somewhere, as a key to the sites you visited.

The list goes on, and it’s not limited to IP addresses. Any piece of unique data – IP addresses, cookie values, email addresses – can be used as a key.

Data mining is the act of taking a whole bunch of separate logs, or databases, and looking for the keys to tie information together into a comprehensive profile representing the correlations. To say that this information is definitely being mined, used for anything, stored, or even ever viewed is certainly alarmist, and I don’t want to imply that it is. But the possibility is there, and in many cases, these logs are being kept. If they’re not being used in that way now, the only thing really standing in the way is the inaction of those who have access to the pieces, or can get it.
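The join described above, as an added example that is not part of the original post: a search log that holds no names is tied to subscriber records by using the IP address as the key. The log formats, addresses, account ids and function names are all assumptions made for illustration; the time-window match covers the dynamic-address case, where the same IP belongs to different subscribers at different times.

```python
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Constructed sample data. IP addresses are from reserved documentation ranges;
# account ids, subscribers and queries are made up.

# Log 1: a search engine's server log (time, client IP, request). No names.
SEARCH_LOG = """\
2006-01-20T09:15:02 203.0.113.7 /search?q=knee+surgery+recovery
2006-01-20T09:17:40 203.0.113.7 /search?q=divorce+lawyer
2006-01-20T21:03:11 198.51.100.23 /search?q=cheap+flights
2006-02-03T08:00:00 203.0.113.7 /search?q=used+minivan
2006-02-03T08:05:00 192.0.2.44 /search?q=weather
"""

# Log 2: an ISP's address-assignment log (IP, lease start, lease end, account).
# 203.0.113.7 is dynamic: it moves from one customer to another on 1 February.
LEASE_LOG = """\
203.0.113.7,2006-01-01T00:00:00,2006-01-31T23:59:59,acct-1001
203.0.113.7,2006-02-01T00:00:00,2006-02-28T23:59:59,acct-2002
198.51.100.23,2006-01-15T00:00:00,2006-01-25T00:00:00,acct-3003
"""

# Log 3: the ISP's billing records (account -> subscriber).
ACCOUNTS = {
    "acct-1001": "Subscriber A, 1 Example Street",
    "acct-2002": "Subscriber B, 2 Example Street",
    "acct-3003": "Subscriber C, 3 Example Street",
}


def parse_search_log(text):
    """Yield (timestamp, ip, query) for each request line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, ip, request = line.split(" ", 2)
        # The search terms travel in the URL, so they land in the server log.
        query = parse_qs(urlsplit(request).query).get("q", [""])[0]
        yield datetime.fromisoformat(stamp), ip, query


def parse_leases(text):
    """Return {ip: [(start, end, account), ...]}."""
    leases = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, start, end, account = line.split(",")
        leases[ip].append(
            (datetime.fromisoformat(start), datetime.fromisoformat(end), account)
        )
    return leases


def correlate(search_text, lease_text, accounts):
    """Join the logs on IP address, using time to pick the right lease."""
    leases = parse_leases(lease_text)
    profiles = defaultdict(list)   # subscriber -> list of queries
    unattributed = []              # requests with no matching lease record
    for when, ip, query in parse_search_log(search_text):
        owner = next(
            (acct for start, end, acct in leases.get(ip, []) if start <= when <= end),
            None,
        )
        if owner is None:
            unattributed.append((ip, query))
        else:
            profiles[accounts[owner]].append(query)
    return dict(profiles), unattributed


if __name__ == "__main__":
    profiles, unattributed = correlate(SEARCH_LOG, LEASE_LOG, ACCOUNTS)
    for subscriber, queries in profiles.items():
        print(subscriber, "->", queries)
    print("no lease record:", unattributed)
```

The only request that stays anonymous is the one whose address has no retained lease record, which is why retention periods for each log matter as much as what the log contains.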

If the information is recorded somewhere, it can be used. This is a big problem.

There are various ways to mask your IP address, but that’s not the whole scope of the problem, and it’s still very easy to leak personally identifiable information.

I’ll start with one suggestion for how to begin to address this problem:

Any key information associated with personally identifiable information must also be considered personally identifiable.

[Update: I've put up a followup post to this one with an additional suggestion.]

Google does keep cookie- and IP-correlated logs
Fri, 27 Jan 2006 23:18:10 +0000, adam

I asked John Battelle the question about whether Google keeps personally identifiable search log information, particularly search logs correlated with IP address. He asked Google PR, who confirmed that they do.

From my comment there, ultimately, this is bad for users. If the information is kept, it’s available for request, abuse, or theft.

Some evidence that Google does keep personally identifiable logs
Fri, 27 Jan 2006 06:00:48 +0000, adam

This article from Internet Week has Alan Eustace, VP of Engineering for Google, on the record talking about the My Search feature.

“Anytime, you give up any information to anybody, you give up some privacy,” Eustace said.

With “My Search,” however, information stored internally with Google is no different than the search data gathered through its Google.com search engine, Eustace said.

“This product itself does not have a significant impact on the information that is available to legitimate law enforcement agencies doing their job,” Eustace said.

This seems pretty conclusive to me – signing up for saved searches doesn’t (or didn’t, in April 2005) change the way the search data is stored internally.


(This was pointed out to me by Ray Everett-Church in the comments of the previous post, covered on his blog:

Does Google keep logs of personal data?
Thu, 26 Jan 2006 15:16:43 +0000, adam

The question is this – is there any evidence that Google is keeping logs of personally identifiable search history for users who have not logged in and for logged-in users who have not signed up for search history? What about personal data collected from Gmail, and Google Groups, and Google Desktop? Aggregated with search? Kept personally identifiably? (Note: For the purposes of this conversation, even though Google does not consider your IP address to be personally identifiable, at least according to their privacy policy, I do.)

It is not arguable that they could keep those logs, but I think every analysis I’ve seen is simply repeating the assumption that they do, based on the fact that they could.

Has there ever been a hard assertion, by someone who’s in a position to know, that these logs do in fact exist?

I have a suspicion about one possible source of all this. Google’s privacy policy used to say (amended 7/2004):

“Google notes and saves [emphasis mine] information such as time of day, browser type, browser language, and IP address with each query.”

But the policy no longer says that. The current version reads: “When you use Google services, our servers automatically record information that your browser sends whenever you visit a website. These server logs may include information such as your web request, Internet Protocol address, browser type, browser language, the date and time of your request and one or more cookies that may uniquely identify your browser.” Again, no information about what’s being done with that data or how long it’s kept.

Given the possibility that they don’t, I think it drastically changes the value proposition of those free subsidiary tools. Obviously, if you ask for your search history to be saved, they’re going to keep it. But maybe that decision is predicated on the assumption that they’re going to keep it anyway, and you might as well have access to it. If the answer is that they’re not keeping it, that’s a different question.

It’s critical to point out that these issues are not even close to limited to Google. Every search engine, every “free” service you give your data to, every hub of aggregated data on the web has the same problems.

Currently, there’s no way to make an informed decision, because privacy policies don’t include specific information about what data is kept, in what form, and for how long. With all of the disclosures in the past year of personal data lost, compromised, and requested, isn’t it time for us to know? In the beginning of the web, having a privacy policy at all was unheard of, but now everybody has one. I don’t think it’s too much to ask of the companies we do business with that the same be done with log retention policies.

I agree with the request to ask Google to delete those logs if they’re keeping them, but I haven’t seen any evidence that they are. Personally, I’d like to know.

Tim Wu article on Google and search engine privacy
Wed, 25 Jan 2006 16:03:41 +0000, adam

This is pretty much exactly the point I’ve been trying to make – while Google is commendable for standing up to the government, they created this problem in the first place by aggregating search data.

“Imagine we were to find out one day that Starbucks had been recording everyone’s conversations for the purpose of figuring out whether cappuccino is more popular than macchiato. Sure, the result, on the margin, might be a better coffee product. And, yes, we all know, or should, that our conversations at Starbucks aren’t truly private. But we’d prefer a coffee shop that wasn’t listening – and especially one that won’t later be able to identify the macchiato lovers by name. We need to start to think about search engines the same way and demand the same freedoms.”

More thoughts on Google
Fri, 20 Jan 2006 15:55:13 +0000, adam

Having examined the motion and letters, I see a different picture emerging.

I am not a lawyer, but from my reading of the motion, it appears that Google’s objections are thin. Really thin.
Also, they seem to have been completely addressed by the scaling back of the DOJ requests. Of course, that’s not the complete story, but if the arguments in the motion are correct, it seems to me that Google will lose and be compelled to comply.

Based on the letters and other analysis, they’re also pulling the slippery slope defense – “we’re not going to comply with this because it will give you the expectation that we’re open for business and next time you can ask for personal information”. If that’s true, I think that’s the first good news I’ve heard out of them in years. Good luck with that.

Google’s own behavior is inconsistent with their privacy FAQ, which states “Google does comply with valid legal process, such as search warrants, court orders, or subpoenas seeking personal information. These same processes apply to all law-abiding companies. As has always been the case, the primary protections you have against intrusions by the government are the laws that apply to where you live.” (Interestingly, this language is inconsistent with their full privacy policy, which states that “Google only shares personal information … [when] We have a good faith belief that access, use, preservation or disclosure of such information is reasonably necessary to (a) satisfy any applicable law, regulation, legal process or enforceable governmental request.”)

I wonder if they intend to challenge the validity of the fishing expedition itself, which would be the real kicker (and probably invalidate the above paragraph). I also idly wonder if they expect to lose anyway and have simply refused to comply with bogus arguments in order to get the request entered into the public record.

Interesting stuff. A lot of my criticisms of Google are about their unwillingness to publicly state their intentions with respect to the data they get (and the extent to which they may or may not be retaining, aggregating, and correlating that data), and I don’t think this case is any different. I think Google’s interest here in not releasing records is aligned with the public good, and as such, I wish them well. It’s been asserted that Google has taken extraordinary steps to preserve the anonymity of its records, and that well may be true. It’s also kind of irrelevant. Beyond this specific case, of whether the government can request information about Google searches (let alone any of their more invasive services, or anyone’s more invasive services), is the issue of the ramifications of collecting, aggregating, and correlating this data in the first place.

There is no question that Google has access to a tremendous amount of data on everyone who interacts with its service. It is still troubling that its privacy policy is inadequate. It’s still troubling that Google (and Yahoo, and how many others) considers your IP address to be not personally identifiable information. It’s still troubling that Google (and Yahoo and how many others) do all of their transactions unencrypted and that search terms are included in the URL of the request. As this case has shown, Google’s actual behavior may not correlate to their stated intentions, of which there are few in the first place. By Google’s own slippery slope logic, this time it works for you – will it next time?

Perhaps it’s time to hold companies accountable for the records they keep.

Update on DOJ/Google
Thu, 19 Jan 2006 23:52:09 +0000, adam

This is a fascinating deconstruction of the court documents and letters available so far:

DOJ demands large chunk of Google data
Thu, 19 Jan 2006 15:10:32 +0000, adam

The Bush administration on Wednesday asked a federal judge to order Google to turn over a broad range of material from its closely guarded databases.

The move is part of a government effort to revive an Internet child protection law struck down two years ago by the U.S. Supreme Court. The law was meant to punish online pornography sites that make their content accessible to minors. The government contends it needs the Google data to determine how often pornography shows up in online searches.

In court papers filed in U.S. District Court in San Jose, Justice Department lawyers revealed that Google has refused to comply with a subpoena issued last year for the records, which include a request for 1 million random Web addresses and records of all Google searches from any one-week period.

I’m sort of out of analysis about why this is bad, because I’ve said it all before.

See (particularly 4 and 5):


It really comes down to one thing.

If data is collected, it will be used.

It’s far past the time for us all to take an interest in who’s collecting what.

More Schneier on secret surveillance
Thu, 22 Dec 2005 15:01:50 +0000, adam

“This rationale was spelled out in a memo written by John Yoo, a White House attorney, less than two weeks after the attacks of 9/11. It’s a dense read and a terrifying piece of legal contortionism, but it basically says that the president has unlimited powers to fight terrorism. He can spy on anyone, arrest anyone, and kidnap anyone and ship him to another country … merely on the suspicion that he might be a terrorist. And according to the memo, this power lasts until there is no more terrorism in the world.”

Schneier on NSA surveillance in Salon
Wed, 21 Dec 2005 14:08:26 +0000, adam

Bruce Schneier has an excellent piece in Salon on the recent wiretap revelations:

Perry on felonious wiretaps
Mon, 19 Dec 2005 16:36:09 +0000, adam

This is an editorial that Perry sent to his cryptography mailing list.

I posted this earlier today to a mailing list for cryptographers that I run. Please feel free to send it to anyone you like.

To: cryptography
Subject: A small editorial about recent events.
From: “Perry E. Metzger”
Date: Sun, 18 Dec 2005 13:58:06 -0500

A small editorial from your moderator. I rarely use this list to express a strong political opinion — you will forgive me in this instance.

This mailing list is putatively about cryptography and cryptography politics, though we do tend to stray quite a bit into security issues of all sorts, and sometimes into the activities of the agency with the biggest crypto and sigint budget in the world, the NSA.

As you may all be aware, the New York Times has reported, and the administration has admitted, that the President of the United States apparently ordered the NSA to conduct surveillance operations against US citizens without prior permission of the secret court known as the Foreign Intelligence Surveillance Court (the “FISC”). This is in clear contravention of 50 USC 1801 – 50 USC 1811, a portion of the US code that provides for clear criminal penalties for violations. See:

The President claims he has the prerogative to order such surveillance. The law unambiguously disagrees with him.

There are minor exceptions in the law, but they clearly do not apply in this case. They cover only the 15 days after a declaration of war by congress, a period of 72 hours prior to seeking court authorization (which was never sought), and similar exceptions that clearly are not germane.

There is no room for doubt or question about whether the President has the prerogative to order surveillance without asking the FISC — even if the FISC is a toothless organization that never turns down requests, it is a federal crime, punishable by up to five years imprisonment, to conduct electronic surveillance against US citizens without court authorization.

The FISC may be worthless at defending civil liberties, but in its arrogant disregard for even the fig leaf of the FISC, the administration has actually crossed the line into a crystal clear felony. The government could have legally conducted such wiretaps at any time, but the President chose not to do it legally.

Ours is a government of laws, not of men. That means if the President disagrees with a law or feels that it is insufficient, he still must obey it. Ignoring the law is illegal, even for the President. The President may ask Congress to change the law, but meanwhile he must follow it.

Our President has chosen to declare himself above the law, a dangerous precedent that could do great harm to our country. However, without substantial effort on the part of you, and I mean you, every person reading this, nothing much is going to happen. The rule of law will continue to decay in our country. Future Presidents will claim even greater extralegal authority, and our nation will fall into despotism. I mean that sincerely. For the sake of yourself, your children and your children’s children, you cannot allow this to stand.

Call your Senators and your Congressman. Demand a full investigation, both by Congress and by a special prosecutor, of the actions of the Administration and the NSA. Say that the rule of law is all that stands between us and barbarism. Say that we live in a democracy, not a kingdom, and that our elected officials are not above the law. The President is not a King. Even the President cannot participate in a felony and get away with it. Demand that even the President must obey the law.

Tell your friends to do the same. Tell them to tell their friends to do the same. Then, call back next week and the week after and the week after that until something happens. Mark it in your calendar so you don’t forget about it. Politicians have short memories, and Congress is about to recess for Christmas, so you must not allow this to be forgotten. Keep at them until something happens.


USPTO apparently grants patent for warp drive
Wed, 16 Nov 2005 17:38:18 +0000, adam

I don’t remember who originally sent this to me, but I got it a few times. This is apparently a patent for a warp drive.

“A cooled hollow superconductive shield is energized by an electromagnetic field resulting in the quantized vortices of lattice ions projecting a gravitomagnetic field that forms a spacetime curvature anomaly outside the space vehicle. The spacetime curvature imbalance, the spacetime curvature being the same as gravity, provides for the space vehicle’s propulsion. The space vehicle, surrounded by the spacetime anomaly, may move at a speed approaching the light-speed characteristic for the modified locale.”

They’re off their rocker. (Patent number 6,960,975.)

What’s wrong with the Google Print argument
Sat, 12 Nov 2005 00:36:35 +0000, adam

Does this phrase sound familiar? “You may not send automated queries of any sort to Google’s system without express permission in advance from Google.” It’s from Google’s terms of service, and it’s just one of several aspects of that document that make this leave a bad taste in my mouth.

Larry Lessig makes the point that “Google wants to index content. Never in the history of copyright law would anyone have thought that you needed permission from a publisher to index a book’s content.” But that’s not what Google wants to do. Google wants to index content and put their own for-pay ads next to it. Larry says “It is the greatest gift to knowledge since, well, Google.”

Don’t forget this for a second. Google is not a public service, Google is a business. Google isn’t doing this because it’s good for the world, Google is doing this because it represents a massive expansion in the number of pages they can serve ads next to. In order to do that, the index remains the property of Google, and no one else will be able to touch it except in ways that are sanctioned by Google. It’s not really about money, it’s about control. It’s against the terms of service to make copies of Google pages in order to build an index. Why should it be okay for them to make copies of other people’s pages in order to build their own? It’s not that they’re making money that bothers us, it’s the double standard. The same double standard that says that Disney can take characters and stories from the public domain, copyright them, and then lock them up and prevent other people from using them.

Oh, but you hate that, don’t you, Larry? (And I think a lot of us do.) How is what Google is doing any different? Google is just extending the lockdown one step further, into their own pockets. There’s no share alike clause in the Google terms of service, and that is what’s wrong with it. They want privileges under the law that they’re not willing to grant to others with respect to their own content.

The day Google steps forward and says “we’re building an index, and anyone can access it anonymously in any way they please”, then sure – I’m all with you.

(Found at

MIT students study tinfoil hats
Fri, 11 Nov 2005 19:51:47 +0000, adam

Conclusion: tinfoil hat makes it easier for the gummint to read your brain. It’s a conspiracy!

Preaching to the Esquire
Thu, 10 Nov 2005 17:01:54 +0000, adam

Long article copied shamelessly from Esquire about “Idiot America”.

“Idiot America is a collaborative effort, the result of millions of decisions made and not made. It’s the development of a collective Gut at the expense of a collective mind. It’s what results when politicians make ridiculous statements and not merely do we abandon the right to punish them for it at the polls, but we also become too timid to punish them with ridicule on a daily basis, because the polls say they’re popular anyway. It’s what results when leaders are not held to account for mistakes that end up killing people.”

Via Novitz:

Patenting Storylines
Fri, 04 Nov 2005 19:11:52 +0000, adam

“A Plot or Storyline Patent application seeks to patent the underlying novel and nonobvious storyline of a fictional story.”

Here’s an article about it:

And the actual patent application:

On responses to threats
Tue, 11 Oct 2005 18:26:20 +0000, adam

I love this comment on Bruce Schneier’s blog in reference to the recent NYC subway threat which turned out to be a hoax:

“Every time I read this kind of nonsense, I have a mental image of our government — from city level on up — as a strung-out derelict curled up in a fetal position in a corner, screaming about the spiders all over him as he clutches a bottle of cheap fortified wine cut with paint thinner.”

Unhappy Birthday
Tue, 11 Oct 2005 17:42:54 +0000, adam

This is a good page describing the legal situation surrounding the copyright of the song “Happy Birthday”.

Via Perry:

New $10 or something
Fri, 30 Sep 2005 15:31:33 +0000, adam

Can we please stop calling it “The New Currency” every time we release a new kind of money? I’m getting confused about whether this is the new $10, the last new $10, or the one before that. They need version numbers or years or funny names like Hurricanes have.

Bonus points for scoring “” though!
