September 2006

Baltimore Sun: Deep-Six REAL ID

by on September 28, 2006

The Baltimore Sun opinion page recognizes that the REAL ID Act’s national ID system “will neither weed out terrorists nor make a dent in the flow of illegal immigration – the two problems it was devised to address.” In light of its exorbitant cost and the impossibility of implementing it, the Sun’s advice is to junk the REAL ID Act.

Yesterday I argued that computerized voting was dangerous because it makes the voting process more centralized and less transparent. Today I’ll argue that open source voting is clearly better than proprietary computerized voting, but that paper ballots are preferable to either.

Open source voting software doesn’t do a whole lot to address the centralization issue. True, the development of the software would be decentralized, but the process of manufacturing the machines and loading the software onto them would still likely be handled by a commercial company that would constitute a single point of failure. If someone at the manufacturing facility is unscrupulous, or if someone finds a vulnerability in the software or hardware, he’s going to be just as able to compromise a large number of open source machines as he would with closed-source ones.

As for transparency, open source voting machines clearly enhance transparency in the sense that more people are able to study and criticize the design of the voting software. And that would certainly enhance security. It’s widely accepted among security professionals that openness and peer review are the best way to ensure a system’s security. If Diebold made the source code to its voting machines publicly available, it’s certain that security experts would have long since pointed out the flaws Felten discovered and Diebold (I hope) would have fixed them.

Forget missing laptops. The hot issue in the computer world lately is burning laptops. That’s right: while thousands of government laptops have gone astray, some of the rest have burst aflame. The most recent incident was about a week ago, when a Lenovo Thinkpad at Los Angeles International Airport spontaneously caught fire, leading several airlines to–at least temporarily–ban them from flights. The month before, a house burned down in Florida after a laptop sitting on a couch lit up. It appears that bad batteries are to blame, and have been recalled by several manufacturers.

Now here’s where the story gets odd. Two days after the LAX fire, Greenpeace issued a report on laptops, urging manufacturers to “ditch” the fire retardants used in their products. Yes, that’s right. Two days after news of another laptop fire, Greenpeace urged less–not more–use of fire retardants.

To be fair, the Greenpeace report only scored use of a certain compound, a type of “brominated fire retardant,” which it says can be harmful in the waste stream. But there’s little evidence that the compound presents a significant risk. It can, however, save lives. Writes Dana Joel Gattuso, an adjunct analyst with the Competitive Enterprise Institute (and, for full disclosure, also my spouse):

according to a growing body of research, the risks to human health and the environment are far greater in the absence of brominated flame retardants due to the increased chance of fire. A study by the Swedish National Testing and Research Institute compared the outbreak of fires in TV sets in Europe, where restrictions in the use of deca-bde has already greatly limited its use on TVs produced and sold in Europe, to those manufactured in the United States, where there were no limits to its use at the time of the study. Using conservative estimates, the study found that 16 people die each year from TV fires in Europe, while in the U.S. there is no record of fatalities from TV fires.

Did these retardants make a difference in the recent laptop fires? I don’t know the answer. But, on the whole, chemicals like these do have a safety impact, and incidents like these help remind us why they are there. It all makes you wonder what Greenpeace would have said if laptops weren’t catching fire.

CinemaNow Sells Crippleware DVDs

by on September 26, 2006

BusinessWeek reports that CinemaNow has delivered the Holy Grail of the online movie business: a mainstream movie (although, it must be said, not a very good movie) that consumers can purchase for $10 and burn to a DVD that can be played on an ordinary DVD player.

Well, sort of. BusinessWeek mentions in passing that they licensed technology “from a German company” to copy-protect the DVDs. That made me skeptical, as the technical problem involved was quite challenging. As has been discussed on this site before, the copy-protection on DVDs works by putting the encryption keys for the DVD in a part of the disc that can’t be written to on the type of DVD-R media that’s available to the general public (known as “G” media). That means that if a PC tries to copy a DVD, it can read the keys, but it can’t write them to the new disc.

But what that really means is that home computers can’t create any encrypted DVDs that will play on DVD players, because the only encryption scheme those players support is the one that requires “A” media, which isn’t available to ordinary consumers. All a PC can do is generate an unencrypted movie. And that, Hollywood believes, would be an unacceptable piracy risk. So, I thought, this magical German technology must be awfully sketchy to do what it claims to do.

Legislation to whitewash President Bush’s spying programs has moved another step closer to passage, as three of the Republican holdouts accepted a “compromise” that EFF’s Derek Slater says will still undermine civil liberties.

The most objectionable thing about the Specter bill, from my perspective, was the fact that it would have made FISA review optional for spying programs. So even if the Bush administration promises to get a warrant for this program, that still would have set a bad precedent for future administrations, who may opt not to get a warrant with Congress’s imprimatur. The Post article suggests that that language has been strengthened a little bit, but not very much:

According to the lawmakers, a second major change would clarify that a decision by the secret Foreign Intelligence Surveillance Court upholding the warrantless surveillance program’s legality would not give blanket authorization for the president to pursue wiretaps without court approval.

It’s not clear to me what this means, but it certainly doesn’t sound like what’s needed–a clear statement from Congress that surveillance of Americans without a court order is illegal. And given the sorry track record of recent moderate Republican “compromises” over civil liberties issues, color me skeptical that this one is any better.

The Limewire Strikes Back

by on September 26, 2006

Techdirt notes that peer-to-peer network Limewire is returning fire in its battle with the RIAA:

Last month, the RIAA sued Limewire after Limewire wouldn’t agree to simply roll over and pretend the RIAA’s interpretation of the Supreme Court decision in the Grokster case was actually what the Supreme Court said. The court actually said that services could be found liable, if they were shown to actively induce infringement. The RIAA and the MPAA pretended this meant that any file sharing network that had unauthorized content was flat-out illegal. Of course, that’s a bit of a stretch. So, it already seemed like it would be an interesting case, but now Limewire has hit back even harder with counterclaims accusing the RIAA of antitrust violations, consumer fraud and other misconduct. Specifically, they seem to be making the case that the RIAA only wants to shut down Limewire because it is a competitive distribution mechanism that they cannot control, which helps compete with their monopolistic control on traditional distribution. It’s an interesting claim that does make some sense, though the RIAA will simply try to paint Limewire as a tool for “thieves.” As with many of these types of cases, there’s probably a decent chance that the sides will settle before any decision is made, but in this case, it would be very interesting to see the actual outcome of any lawsuit–both on the issue of whether or not simply running a file sharing network is inducement and on whether or not there really is an antitrust claim here. If the case does go forward and the RIAA loses on the antitrust issue, it could have a big impact on the traditional labels, and could actually be a catalyst towards forcing them to accept the changing nature of the market. This is becoming a case well worth watching.

Limewire’s point about Grokster is an important one. The Supreme Court did not rule that peer-to-peer file sharing is illegal per se. What they said was that there was ample evidence (from advertisements, internal company emails, etc.) that Grokster intended to make a business of copyright infringement, and so the courts didn’t have to reach the question of whether running a peer-to-peer network, as such, constitutes secondary copyright infringement. Frankly, I think Limewire probably still deserves to lose, but they should at least have the opportunity to persuade the judge that unlike Grokster they legitimately expect to make money through more legitimate channels.

I don’t find the antitrust angle very compelling. There are lots of alternative music distribution services that aren’t being sued. eMusic and MySpace come to mind. Those services have been making a good-faith effort not to facilitate piracy, and as a result the RIAA has left them alone. If Limewire is guilty of secondary copyright infringement, then it certainly shouldn’t trigger antitrust scrutiny for the RIAA to enforce its members’ rights under the law.

Quick update… Last week I discussed our government’s ongoing lost laptop follies after the House Committee on Government Reform reported that more than 1,100 laptop computers had vanished from the Department of Commerce since 2001, including nearly 250 from the Census Bureau containing such personal information as names, incomes and Social Security numbers. And the Committee is still collecting information about lost computers and compromised personal information from other federal agencies including: the departments of Agriculture, Defense, Education, Energy, Health and Human Services and Transportation and the Federal Trade Commission.

This week, in response to these findings, Rep. Tom Davis (R-VA), the Chairman of the committee, has introduced H.R. 6163, the “Federal Agency Data Breach Protection Act.” The bill would establish “policies, procedures, and standards for agencies to follow in the event of a breach of data security involving the disclosure of sensitive personal information and for which harm to an individual could reasonably be expected to result.” In other words, federal agencies would have to do a better job informing the public when personal data had been lost or compromised. Of course, it might be easier if they just stopped losing so many laptops!

Incidentally, why are government agencies allowing so much sensitive personal information to be kept on laptops, anyway? It doesn’t seem to make much sense to me in light of how easy it is for laptops to be taken out of a government building. Why not follow these two simple rules instead: (1) Keep the really sensitive stuff on desktop computers that are bolted to desks and make sure they don’t have any external inputs for personal storage devices. (2) If a government employee still finds a way to take that information home and then loses it, fire them immediately (and perhaps consider other penalties). After all, we’re talking about personal information about American citizens here. This stuff should not be taken lightly.

A couple of weeks ago, Luis Villa had an excellent comment about the merits of open source voting. I had expressed the opinion that open source voting machines would be preferable to the status quo, but that the ideal outcome would be not to use computers in voting machines at all. Luis responded:

I think you’re discounting how corruptible the current system is, and focusing only on what the current generation of e-voting machines do or don’t do, security-wise. Well done e-voting (particularly including the printing of a reliable paper trail) could be much more reliable than the current mishmash of paper technologies, which as any resident of Florida, Ohio, or Chicago will tell you is deeply insecure already.

This is a good point. Paper ballots clearly aren’t perfect, and so when we’re evaluating the merits of computerized voting, it’s important not to hold them to a standard of perfection that’s not attainable with any technology. But I still think we’d be better off dispensing with computers entirely, as I’ll explain below the fold.

Baby Steps

by on September 25, 2006

I was pleasantly surprised to see sanity slowly creeping back into airport security rules, as the TSA allows liquids on airplanes:

The new rules, which will go into effect Tuesday, allow travelers to carry liquids, gels or aerosols in containers of 3 ounces or less, as long as they all fit into a clear 1-quart plastic bag that can be screened at the security checkpoint. Drinks and other items purchased in the secure part of the airport, beyond the checkpoint, will also be allowed onto planes.

The new regulations will apply to all domestic and international flights departing from United States airports, the agency said.

It’s good to know that travelers will face the minor inconvenience of placing their liquids in a zip-lock bag, rather than the major inconvenience of having to check their luggage. I fear, however, that this is as far as the TSA will go in the direction of sanity. The TSA appears to have singled out shoes and liquids for extra scrutiny solely because a terrorist happened to try to use those items in terrorist plots in the past. But as they say in the investment business, past performance is no guarantee of future results. Chances are, the next terrorist will use a different approach. It’s a little silly to automatically place an item on the heightened scrutiny list–forever–every time a terrorist even attempts to blow up an airplane with it.

So bravo to the TSA for relaxing a silly rule. Let’s hope that it’s the first of many such decisions. I’m not going to hold my breath, though.

Scholars at RAND Europe recently released a comprehensive analysis of the European Union’s controversial Audiovisual Media Services Directive (AVMS), more commonly known as the “Television without Frontiers Directive.” This effort, which is being coordinated by EU Commissioner Viviane Reding, aims to bring some rationality to inconsistent EU media regulations. The problem is, in an effort to make the rules more rational, Reding has essentially proposed a significant expansion of government regulation for new media outlets and operators, including the Internet. (See these three papers by my PFF colleague Patrick Ross for a detailed explanation of the dangers of Reding’s efforts to expand content regulation).

Thus far, most of the criticism of the AVMS has been based on social / content-related concerns. Rightly so. There is little doubt that the directive will threaten freedom of speech and expression on the Internet and over other new media outlets / services. But the new RAND study takes a different approach to the issue by focusing on the potential economic impact of the AVMS directive on European companies and the EU’s competitive standing in the new media world more generally. [An executive summary of the report and the full report can be found on the Ofcom website here].

RAND’s conclusions are not encouraging… unless you happen to be an American or Asian company rooting for your European competitors to be handicapped by excessive government regulation!

