February 2012

David Weinberger on knowledge

http://surprisinglyfree.com/wp-content/uploads/weinberger.jpg

by on February 21, 2012

On the podcast this week, David Weinberger, senior researcher at Harvard Law’s Berkman Center for the Internet & Society and Co-Director of the Harvard Library Innovation Lab at Harvard Law School, discusses his new book entitled, “Too Big to Know: Rethinking Knowledge Now That the Facts Aren’t the Facts, Experts Are Everywhere, and the Smartest Person in the Room Is the Room.” According to Weinberger, knowledge in the Western world is taking on properties of its new medium, the Internet. He discusses how he believes the transformation from paper medium to Internet medium changes the shape of knowledge. Weinberger goes on to discuss how gathering knowledge is different and more effective, using hyperlinks as an example of a speedy way to obtain more information on a topic. Weinberger then talks about how the web serves as the “room,” where knowledge seekers are plugged into a network of experts who disagree and critique one another. He also addresses how he believes the web has a way of filtering itself, steering one toward information that is valuable.

Related Links

To keep the conversation around this episode in one place, we’d like to ask you to comment at the webpage for this episode on Surprisingly Free. Also, why not subscribe to the podcast on iTunes?

Given the importance of privacy self-help—that is, setting your browser to control what it reveals about you when you surf the Web—I was concerned to hear that Google, among others, had circumvented third-party cookie blocking that is a default setting of Apple’s Safari browser. Jonathan Mayer of Stanford’s Center for Internet and Society published a thorough and highly technical explanation of the problem on Thursday.

The story starts with a flaw in Safari’s cookie blocking. Mayer notes Safari’s treatment of third-party cookies:

Reading Cookies Safari allows third-party domains to read cookies.

Modifying Cookies If an HTTP request to a third-party domain includes a cookie, Safari allows the response to write cookies.

Form Submission If an HTTP request to a third-party domain is caused by the submission of an HTML form, Safari allows the response to write cookies. This component of the policy was removed from WebKit, the open source browser behind Safari, seven months ago by Google engineers. Their rationale is not public; the bug is marked as a security problem. The change has not yet landed in Safari.

Mayer says Google was exploiting this yet-to-be-closed loophole to install third-party cookies, the domain of which Safari would then allow to write cookies. After describing “(relatively) straightforward” cookie synching, Mayer says:

But we noticed a special response at the last step for Safari browsers. … Instead of responding with the “_drt_” cookie, the server sends back a page that includes a form and JavaScript to submit the form (using POST) to its own URL.

Third-party cookie blocking evaded, and users’ preferences frustrated.

Ars Technica has published Google’s response, which doesn’t seem to have gone up on any of its blogs, in full. Google says they created this functionality to deliver better services to their users, but doing so inadvertently allowed Google advertising cookies to be set on the browser.

I don’t know that I’m technically sophisticated enough to register a firm judgement, but it looks to me like Google was faced with an interesting dilemma: They had visitors who were signed in to their service and who had opted to see personalized ads and other content, such as ‘+1′s but those same visitors had set their browsers contrary to those desires. Google chose the route better for Google, defeating the browser-set preferences. That, I think, was a mistake.

I wonder if there isn’t some Occam’s Razor that a Google engineer might have applied at some point in this process, thinking, “Golly, we are really going to great lengths to get around a browser setting. Are we sure we should be doing this?” Maybe it would have been more straightforward to highlight to Safari users that their settings were reducing their enjoyment of Google’s services and ads, and to invite those users to change their settings. This, and urging Apple to fix the browser, would have been more consistent with the company’s credo of non-evil.

Now, to the ideological stuff, of which I can think of two items:

1) There is a battle for control of earth out there—well, a battle over whether third-party cookie blocking is good or bad. Have your way advocates. I think the consuming public—that is, the market—should decide.

2) There is a battle to make a federal case out of every privacy transgression. An advocacy group called Consumer Watchdog (which has been prone to privacy buffoonery in the past) hustled out a complaint to the Federal Trade Commission. I think the injured parties should be compensated in full for their loss and suffering, of which there wasn’t any. De minimis non curat lex, so this is actually just a learning opportunity for Google, for browser authors, and for the public.

Kudos and thanks are due to Jonathan Mayer, as well as ★★★★★ and Ashkan Soltani, for exposing this issue.

Today the Federal Trade Commission released a new report entitled, “Mobile Apps for Kids: Current Privacy Disclosures Are Disappointing,” which concludes that “confusing and hard-to-find disclosures do not give parents the control that they need in this area. The FTC argues that “parents need consistent, easily accessible, and recognizable disclosures regarding in-app purchase capabilities so that they can make informed decisions about whether to allow their children to use apps with such capabilities.”

It’s hard to be against the FTC’s “the more disclosure, the better” policy recommendation and I’m not about to come out against it here. But the question is: how much disclosure is enough? Reading through the report and seeing how hard the FTC hammers this point home makes me think the agency wants our app store checkout process to be littered with the pages of fine print disclosure policies that now accompany our credit card statements and home mortgage payments! Seriously, would that make us better off?

As a parent of two kids who both download countless apps on my Android phone, my wife’s iPhone, and our family’s Android tablet, I appreciate a certain amount of disclosure about what sort of information apps are collecting and how they are using it. I think Google’s Android marketplace strikes a nice balance here, providing us with the most crucial facts about what the application will access or share. Apple could do more on disclosure but the company also prides itself (to the dismay of some!) on its rigorous pre-screening process to make sure the apps in the App Store are safe and don’t violate certain privacy and security policies. Yet, as the FTC correctly points out, “the details of this screening process are not clear.” Of course, most Apple users simply don’t give a damn. They’re all too happy to let Apple just take care of it for them even if they’re not really sure what’s happening to their data behind the scenes. The more privacy-sensitive crowd wants greater disclosure and control, of course, and I’m sympathetic to that plea.  But again, how much disclosure is enough? Are you going to wade through pages of disclosure policies and privacy opt-ins before downloading that latest iteration of “Angry Birds” or “Cut the Rope”? Yeah, I didn’t think so.

Anyway, I don’t want to dwell on that. The more interested findings in the survey relate to price and market dynamics and I am hoping people don’t ignore them. Continue reading →

Ahead of today’s cybersecurity hearing in the Senate, I wanted to jot down some thoughts on the issue. For over a year now, I’ve been questioning the need for federal intervention in cybersecurity and calling for a slower and more deliberate process. Perhaps I come across as a refusenik, but I hope that I’m at least lending some balance to the debate.

First, let me say that I fully recognize that the U.S. faces serious cyber threats. [Here is](http://selil.com/archives/2985) one of the best (and most honest) cases for being worried that I’ve seen. I get it.

That said, what I try to point out is that the existence of a threat [does not necessarily mean](http://techliberation.com/2012/02/16/too-big-to-face-incentives/) that regulation is necessary. In many cases, the threat [can be internalized](http://techliberation.com/2012/01/24/is-there-a-market-failure-in-cybersecurity-its-not-an-open-and-shut-case/) by affected private actors. Even if we determine that some private actors are not internalizing the costs, prescriptive regulation can sometimes do more harm than good. The best thing we can do is not try to prevent harm at all costs, but instead make sure that we are resilient so that no single threat can destroy us. And we [may be more anti-fragile](http://mercatus.org/publication/beyond-cyber-doom)–more resilient and more capable of adaptation–than we’re led to believe.

That brings me to the other thing I try to point out: that the rhetoric surrounding cybersecurity is often unnecessarily alarmist. Introducing the Cybersecurity Act of 2012, Sen. Rockefeller equated the cyber threat with the nuclear threat. I’m sorry, but I don’t think that’s right. It does scare people, however, and I’m afraid that we will be sold an expensive bill of goods based on fear.

So I’m happy to see that both the Senate and the House have begun to take more realistic approaches to cybersecurity. For example, the [Rockefeller-Snowe bill](http://www.opencongress.org/bill/111-s773/show) from last congress would have required the Department of Commerce to develop “a national licensing, certification, and periodic recertification program for cybersecurity professionals,” and would have made certification mandatory for anyone engaged in cybersecurity. I’m happy to see that’s gone in the new bill. I’m glad that there is no “[Internet kill switch](http://techliberation.com/2011/02/19/the-internet-kill-switch-debate/).” I’m also happy to see that the bill includes a way for private industry to appeal its inclusion in the regulatory regime.

Where do I think there may be a role for government? Information sharing certainly comes to mind. There is no doubt that there’s a lot that the public and private sectors can learn from each other. And to the extent that private actors are prevented by privacy laws to cooperate on cybersecurity, there should be a way to facilitate cooperation without endangering consumer protections. Additionally, requiring disclosure of security breaches is not a bad idea. It would allow insurance markets and other markets serve as an alternative to regulation, or as Cass Sunstein calls it, regulation through transparency.

Too big to face incentives

by on February 16, 2012 · 1 comment

Here, in one sentence, is what’s wrong with [Stewart Baker's testimony](http://www.skatingonstilts.com/skating-on-stilts/2012/02/testifying-about-cybersecurity-legislation.html) on cybersecurity before the Senate Homeland Security committee today:

>If an asset is not designated as “covered critical infrastructure,” then the owner has no obligation under the bill to guard against attack by hackers, criminals, or nation states, leaving those who depend on the asset unprotected.

The logic here is that if a private network is not forced by government to protect itself, then it will be left unprotected and wide open for attack. There is no private incentive to secure one’s investment, the argument seems to be. If you’d like an explanation of why this isn’t logical, see Eli Dourado’s [paper on cybersecurity market failure](http://mercatus.org/publication/there-cybersecurity-market-failure-0).

One more thing: according to Baker, present network insecurity “could easily cause the United States to lose its next serious military confrontation.” I understand asymmetric threats, but here is a l[isting of military spending by country](http://en.wikipedia.org/wiki/List_of_countries_by_military_expenditures). “Easily” doesn’t come to mind.

Kevin Drum and Tim Lee have been having an [interesting](http://motherjones.com/kevin-drum/2012/02/should-idiots-be-allowed-regulate-internet) [exchange](http://arstechnica.com/tech-policy/news/2012/02/copyright-enforcement-and-the-internet-we-just-havent-tried-hard-enough.ars) about whether those of us who oppose granting copyright holders stronger enforcement powers feel this way because we are ideologically opposed to IP protection. Tim points out that copyright owners have, as a matter of fact, received greater and greater enforcement powers–almost on an annual basis. As a result, Tim says, “most of us are not anti-copyright; we just think enough is enough, and that the menu of enforcement tools Congress has already given to copyright holders is more than sufficient.”

Sufficient for what, though? Sufficient to significantly reduce piracy online? That’s certainly not the case. Piracy is rampant on the net. Some would say, though, that the only meaningful ways left to enforce copyright would (dare I say it?) break the Internet as we know it.

So I think that when Tim says that the powers copyright holders now have are “more than sufficient,” I think he means sufficient to provide an incentive to create. After all, the purpose of copyright is to “promote the progress of science,” not to protect some Lockean notion of property. It may be the case that while owners’ rights are no doubt being violated, a further reduction in piracy won’t affect the incentive to create.

This is why many, including [Julian Sanchez](http://www.cato.org/pub_display.php?pub_id=14028), [Tim O'Reilly](https://plus.google.com/107033731246200681024/posts/BEDukdz2B1r), [Mike Masnick](http://www.techdirt.com/blog/?tag=sky+is+rising) and [Jonathan Coulton](http://surprisinglyfree.com/2012/02/14/jonathan-coulton/), question whether piracy is really a problem at all. That is, they don’t believe it may be the case that the present level of piracy doesn’t hurt content owners’ bottom lines because it’s clear that not every infringement would have otherwise been a sale. If that’s the case, then the costs of new enforcement powers would outweigh any benefits. So, the argument goes, we should do nothing.

Continue reading →

Friends of Internet freedom, I need your assistance. I think we need to develop a principled, pro-liberty blueprint for Internet policy going forward. Can you help me draw up five solid principles to guide that effort?

No, wait, don’t worry about it… it has has already been done!

As I noted in my latest weekly Forbes column, “Fifteen years ago, the Clinton Administration proposed a paradigm for how cyberspace should be governed that remains the most succinct articulation of a pro-liberty, market-oriented vision for cyberspace ever penned. It recommended that we rely on civil society, contractual negotiations, voluntary agreements, and ongoing marketplace experiments to solve information age problems. In essence, they were recommending a high-tech Hippocratic oath: First, do no harm (to the Internet).”

That was the vision articulated by President Clinton’s chief policy counsel Ira Magaziner, who was in charge of crafting the administration’s Framework for Global Electronic Commerce in July 1997.  I was blown away by the document then and continue to genuflect before it today. Let’s recall the five principles at the heart of this beautiful Framework: Continue reading →

Tate Watkins and I have [an essay in Wired today](http://www.wired.com/threatlevel/2012/02/yellowcake-and-cyberwar/) looking at how the overheated rhetoric and unsupported claims around cybersecurity inflate the threat and may lead us to a new cyber-industrial complex. It’s the same theme we explore in our recent Harvard National Security Journal article and also in a feature in Reason a few months ago.


What do we mean by overheated rhetoric that serves more to scare than to inform? Here are some statements from Sen. Jay Rockefeller introducing the comprehensive cybersecurity bill on the Senate floor today:

>”The experts are warning us that we are on the brink of something much worse. Something that could bring down our economy, rip open our national security, or even take lives. The prospect of mass casualty is what has propelled us to make cybersecurity a top priority for this year, to make it an issue that transcends political parties or ideology. …

>”Admiral Mike Mullen, former Joint Chiefs chairman, said that a cybersecurity threat is the only other threat that is on the same level as Russia’s stockpile of nuclear weapons. …

>”We are on the brink of what could be a calamity. A widespread cyber attack could potentially be as devastating to this country as the terror attacks that tore apart this country 10 years ago. …

>”Think about how many people could die if a cyber-terrorist attacked our air traffic control system, both now and when it’s made modern, and our planes slammed into one another. Or rails switching networks were hacked causing trains carrying people, and more than that perhaps hazzardous material, toxic materials, to derail or collide in the midst of our most populate urban areas like Chicago, New York, San Francisco, Washington, DC, etc.”

He also touch on pipeline explosions and electricity blackouts, of course, and said that we needed to act immediately. It seems that some GOP senators are [calling for a delay on the bill](http://thehill.com/blogs/hillicon-valley/technology/210671-gop-senators-call-for-delay-on-cybersecurity-bill). Stay tuned.

On the podcast this week, Jonathan Coulton, a musician, singer-songwriter, and geek icon, who releases his music under a Non-Commercial Creative Commons License, discusses his thoughts on piracy from an artist’s point of view. Coulton talks about quitting his day job so he could focus on his music. He bypassed the traditional route of becoming a musician, which usually means signing to a record label, and began releasing one song per week on his website. This lead to eventual success, according to Coulton, who now makes his living as a full-time musician by touring and selling his music on his website. The discussion then turns to piracy. Coulton explains why he thinks piracy cannot be stopped and describes what he considers “victimless piracy.” He goes on to discuss the difficulties of addressing piracy issues, especially when taking fairness and practicality into account.

Related Links

To keep the conversation around this episode in one place, we’d like to ask you to comment at the webpage for this episode on Surprisingly Free. Also, why not subscribe to the podcast on iTunes?

Over at TIME.com I write that we should keep a close eye on moves by Russia, China and other countries to move Internet governance to the UN:

>All this year, and culminating in December at the World Conference on International Telecommunications in Dubai, the nations of the world will be negotiating a treaty to govern international telecommunications services between countries. It is widely believed that some countries, including Russia and China, will take the opportunity to push for U.N. control of Internet governance. Such a turn of events would certainly be troubling. …

>It’s amazing to think about it, but no state governs the Internet today. Decisions about its architecture are made by consensus among engineers and other volunteers. And that, in fact, is what has kept it open and free.

>“Upending the fundamentals of the multi-stakeholder model is likely to Balkanize the Internet at best, and suffocate it at worst,” FCC Commissioner Robert McDowell said recently in a speech. “A top-down, centralized, international regulatory overlay is antithetical to the architecture of the Net, which is a global network of networks without borders. No government, let alone an intergovernmental body, can make decisions in lightning-fast Internet time.”

Read the whole thing at TIME.com.