June 2011

If you’re like me, you woke up at the crack of dawn today to maximize your enjoyment of World IPv6 Day. Don’t want to miss a minute! If you’re like me, you’ll also say untruthful things as a very dry form of sarcasm. I hope you got that.

Whatever your interest in IPv6—learn more by reading this heresy—you should take interest in whether the next generation of the Internet protocol will erode or enhance your ability to protect privacy. That’s a question that’s been gnawing at me for a long time.

IPv4 was designed without enough numbers to accommodate the worldwide, multiple-device Internet we’ve got today. IPv5 seems to have disappeared—and I’m desperate to know what happened to it. (see above re: sarcasm) Now we’re talking about IPv6, a major feature of which is that it has enough numbers to assign one to every device on the globe.

IPv6’s ginormous number space is great for simplifying the maintenance of quality communications on the modern Internet, but it could suck for privacy. You see, if every device can be assigned a permanent number, that number will act as a permanent identifier, and lots of privacy-reducing inferences can be drawn. I.e., “If I saw this IP number before, it’s probably the same device and the same person I dealt with before.” Communications and interactions that don’t require or benefit from tracking become trackable anyway. We lose a structural protection of privacy.

Luckily, the designers of the IPv6 protocol thought of that. Christopher Parsons explains in a thorough post from last year that the IPv6 protocol calls for rolling assignment of randomized numbers for initiators of communications. A Web server has to have a fixed address, of course. It’s the target of communications requests, and people need to know where to find it. But the computers that ask for content from such servers do not. IPv6 allows those devices to have transient, pretty darn random numbers that change with regularity. This way, the records of your surfing that come to rest in servers all over the world cannot be combined into a dossier of everything you ever did online. Your computer’s IP address does not become your de facto worldwide identifier.

But here’s the question: To what extent is this part of IPv6 being implemented? Are the organizations implementing IPv6 including randomized numbers for initiators of communications? Parsons has a clever turn of phrase suggesting one reason why they may not: “the ‘security institutions’ are better at dissolving privacy protections than the privacy community is at enshrining privacy in law.” It could also be simply that there’s some cost associated with IPv6’s randomization.

So, does anyone know the status of randomization in the IPv6 protocol? Is it being implemented?

The good news, I think, is that it seems fairly easy to test whether an ISP is deploying IPv6 in full or short-cutting on randomization. Set up a server out there, ping it with a consistent communication, and see if it sees the communication coming from a consistent IP address. If it does, then IPv6 randomization is not working. That’s a problem.

Given the wisdom of “trust but verify,” I suppose this is not only an appeal for information about present practice, but a request that some group of technical smarties out there set up a system for routine verification that IPv6 randomization is fully and properly implemented by Internet service providers and other major deployers of Internet protocol. If you’ve already done it, do tell! Thanks!

The U.S. government doesn’t need to pick winners and losers and the last thing we should think about doing is messing up the Internet with inappropriate regulation.

Amen, sister! The above quote comes from Victoria Espinel, the U.S. Intellectual Property Enforcement Coordinator for the Office of Management and Budget (AKA the Copyright Czar), speaking at the World Copyright Summit in Brussels about how corporate innovation is often more effective than laws. She went on to explain that the cloud-based music services now offered by Apple, Amazon, and Google “may have the effect of reducing privacy by giving value to consumers …” Espinel is an Obama appointee, which calls into question the concerns voiced a year ago that the RIAA is taking over the Department of Justice.

The next stop on her speaking tour should be the Federal Communications Commission.

On May 26th, it was my great pleasure to participate in a panel discussion on “Growing Up with the Mobile Net,” which was co-sponsored by the Congressional Internet Caucus and Common Sense Media. It was a conversation about kids’ privacy, online safety, teen free speech rights, anonymity, and the possibility of expanding the Children’s Online Privacy Protection Act (COPPA) and implementing the so-called “Internet Eraser Button.”

I was joined on the panel by Jules Polonetsky, Co-chair and Director of the Future of Privacy Forum, and Alan Simpson, Vice President of Policy at Common Sense Media. And the session was very ably moderated, as always, by the supremely objective Tim Lordan.*  We really unpacked the “Eraser Button” and “right to be forgotten” notion and thought through the ramifications. And the discussion about the extent of First Amendment rights for teenagers was also interesting.

The video for this 48-minute session can be found on the Congressional Internet Caucus YouTube page here and is embedded below.

Note: During the session, Tim Lordan claimed that he takes no position and that if anyone says he take positions on issues that he will slap a super-injunction on them. Well, I say Tim Lordan is brimming with positions and he’s letting them fly at every juncture. In fact, I’ve never met someone so full of controversial positions in my life as Tim Lordan! OK, so sue me Tim!

Over at his blog, our old TLF colleague Tim Lee has been discussing the AT&T – T-Mobile merger and the ways libertarians should think about antitrust more generally.  In his latest post, he pushes back against a brief comment I posted on a previous essay. You can head over to his site and read that exchange and then see my latest comment. But I thought I would also post it here for those interested.

____________

Tim… My thinking on antitrust is very much shaped by the choice between ex ante vs. ex post regulation. How much faith should we place in sector-specific regulators to get things right through preemptive, prophylactic regulation versus allowing things to play out and then — on the rare occasions when intolerable monopolies over essential goods develop — letting antitrust regulators devise a remedy?

More than any other economic value, I care about experimentation. I am completely under the sway of the Austrian School of thinking about markets and competition as an ongoing experiment, an evolutionary journey, a discovery process.  How are we to know if intolerable monopolies over essential goods will actually develop unless we let things play out?

As I argued in my critiques of the Lessig/Zittrain/Wu school of thinking, we need to be a bit more humble and have a little faith that ongoing experimentation and discovery will help us evolve into a better equilibrium. It’s during what some regard as a market’s darkest hour when some of the most exciting forms of disruptive technologies and innovation are developing. [I’ve elaborated more on this point in this lengthy discussion about Gary Reback’s recent book on antitrust.] Continue reading →

On this week’s podcast, Larry Downes, who writes for CNet, blogs at Forbes.com and the Technology Liberation Front, and is the author of several books, including most recently, The Laws of Disruption, discusses enforcement of intellectual property rights online. Downes talks about the Protect IP Act, a bill recently introduced into Congress that aims to curtail infringement of intellectual property rights online by so-called rogue websites. Downes argues that forcing intermediaries to blacklist domain names has the potential to “break the internet.” He discusses how the rogue website problem could better be addressed and how the proposed bill could be improved.

Related Links

To keep the conversation around this episode in one place, we’d like to ask you to comment at the web page for this episode on Surprisingly Free. Also, why not subscribe to the podcast on iTunes?

In my latest weekly Forbes column is entitled “The Internet Isn’t Killing Our Culture or Democracy” and it’s a short review of the new book, The Filter Bubble: What the Internet is Hiding from You, by MoveOn.org board president Eli Pariser. As I note in my essay, Pariser’s book covers some very familiar ground already plowed by others in the burgeoning Internet pessimism movement:

[The Filter Bubble] restates a thesis developed a decade ago in both Cass Sunstein’s Republic.com and Andrew L. Shapiro’s The Control Revolution, that increased personalization is breeding a dangerous new creature—Anti-Democratic Man. “Democracy requires citizens to see things from one another’s point of view,” Pariser notes, “but instead we’re more and more enclosed in our own bubbles.”  Pariser worries that personalized digital “filters” like Facebook, Google, Twitter, Pandora, and Netflix are narrowing our horizons about news and culture and leaving “less room for the chance encounters that bring insights and learning.” “Technology designed to give us more control over our lives is actually taking control away,” he fears.

Pariser joins a growing brigade of Internet pessimists. Almost every year for the past decade a new book has been published warning that the Internet is making us stupid, debasing our culture, or destroying social interaction.  Many of these Net pessimists—whose ranks include Andrew Keen (The Cult of the Amateur), Lee Siegel (Against the Machine), Jaron Lanier (You Are Not a Gadget) and Nicholas Carr (The Shallows)—lament the rise of “The Daily Me,” or the rise of hyper-personalized news, culture, and information. They claim increased information and media customization will lead to close-mindedness, corporate brainwashing, an online echo-chamber, or even the death of deliberative democracy.

If you’ve read anything I’ve written on this topic in recent years, you will not be surprised to hear that I disagree with Pariser and these other Net pessimists when it comes to fears about hyper-personalization and user customization. As I noted in my recent book chapter, “ The Case for Internet Optimism, Part 1 – Saving the Net From Its Detractors“: Continue reading →

It might be tempting to laugh at France’s ban on words like “Facebook” and Twitter” in the media. France’s Conseil Supérieur de l’Audiovisuel recently ruled that specific references to these sites (in stories not about them) would violate a 1992 law banning “secret” advertising. The council was created in 1989 to ensure fairness in French audiovisual communications, such as in allocation of television time to political candidates, and to protect children from some types of programming.

Sure, laugh at the French. But not for too long. The United States has similarly busy-bodied regulators, who, for example, have primly regulated such advertising themselves. American regulators carefully oversee non-secret advertising, too. Our government nannies equal the French in usurping parents’ decisions about children’s access to media. And the Federal Communications Commission endlessly plays footsie with speech regulation.

In the United States, banning words seems too blatant an affront to our First Amendment, but the United States has a fairly lively “English only” movement. Somehow, regulating an entire communications protocol doesn’t have the same censorious stink.

So it is that our Federal Communications Commission asserts a right to regulate the delivery of Internet service. The protocols on which the Internet runs are communications protocols, remember. Withdraw private control of them and you’ve got a more thoroughgoing and insidious form of speech control: it may look like speech rights remain with the people, but government controls the medium over which the speech travels.

The government has sought to control protocols in the past and will continue to do so in the future. The “crypto wars,” in which government tried to control secure communications protocols, merely presage struggles of the future. Perhaps the next battle will be over BitCoin, an online currency that is resistant to surveillance and confiscation. In BitCoin, communications and value transfer are melded together. To protect us from the scourge of illegal drugs and the recently manufactured crime of “money laundering,” governments will almost certainly seek to bar us from trading with one another and transferring our wealth securely and privately.

So laugh at France. But don’t laugh too hard. Leave the smugness to them.

Earlier this week, Adrian Chen wrote [a great exclusive](http://gawker.com/5805928/the-underground-website-where-you-can-buy-any-drug-imaginable) for Gawker about the online market for illicit drugs Silk Road. I strongly commend the piece to you. The site is only accessible via the [anonymizing router network TOR](http://en.wikipedia.org/wiki/Tor_(anonymity_network)), although it is [viewable using tor2web](https://ianxz6zefk72ulzz.tor2web.org/). Transactions are made using bitcoins, the virtual digital currency I’ve [previously](http://techland.time.com/2011/04/16/online-cash-bitcoin-could-challenge-governments/) [written](http://techliberation.com/2011/04/16/bitcoin-imagine-a-net-without-intermediaries/) about, and which I explain in a [new video for Reason.tv](http://www.youtube.com/watch?v=yYTqvYqXRbY&feature=youtu.be&t=16s) (below), also out this week.

After his piece was published, Chen added the following addendum:

>**Update:** Jeff Garzik, a member of the Bitcoin core development team, says in an email that bitcoin is not as anonymous as the denizens of Silk Road would like to believe. He explains that because all Bitcoin transactions are [recorded](http://en.wikipedia.org/wiki/Bitcoin#Transactions) in a public log, though the identities of all the parties are anonymous, law enforcement could use sophisticated network analysis techniques to parse the transaction flow and track down individual Bitcoin users.

>”Attempting major illicit transactions with bitcoin, given existing statistical analysis techniques deployed in the field by law enforcement, is pretty damned dumb,” he says.

I’ve been [asked](https://twitter.com/#!/elidourado/status/76088980852064257) by several folks about this: just how anonymous is bitcoin? My answer is that we don’t exactly know yet. Yes, all transactions are recorded in the public ledger that is the bitcoin network, but all that means is that you can see how many bitcoins were transferred from one account on the network to another account. This tells you nothing about the identity of the persons behind the accounts. Theoretically, you could identify just one person on the network and ask them (or coerce them) to identify the persons from whom they received payments, then go to those persons in turn and ask them who they accepted payment from, etc., until you’ve identified everyone, or just a person of interest. But you can imagine all the reasons this is impractical. More likely, a bitcoin user will be revealed through [identifying information inadvertently revealed](http://forum.bitcoin.org/index.php?topic=8.msg10621#msg10621) in the course of a transaction.

That all said, it seems that this week has also brought us a “natural experiment” that might settle the issue. LulzSec, the hacker group responsible for the [recent PBS hack](http://www.nytimes.com/2011/05/31/technology/31pbs.html), this week [announced](http://www.informationweek.com/news/security/attacks/229900111) that it has compromised the personal information of over a million Sony user accounts and has released a batch of 150,000. Here’s the thing: LulzSec is [accepting donations via Bitcoin](https://twitter.com/#!/LulzSec/status/76388576832651265) and [say they have received](https://twitter.com/#!/LulzSec/status/76667674947633152) over $100 so far. The group’s bitcoin receiving address is 176LRX4WRWD5LWDMbhr94ptb2MW9varCZP. Also, while in control of PBS.org, the group [offered vanity subdomains](https://twitter.com/#!/LulzSec/status/75159378801598464) (e.g. techliberation.pbs.org) for 2 BTC each.

So, here’s a high-profile group the FBI and Secret Service are no doubt itching to get their hands on. A bitcoin receiving address for them is public. I guess we’ll find out how anonymous it is.

[The following essay is a guest post from Dan Rothschild, Managing Director of the State and Local Policy Project at the Mercatus Center at George Mason University.]

As cell phone ownership has tripled in the United States over the last decade, policymakers have increasingly seen mobile devices as a cash cow. In some states, consumers now pay as much as a quarter of their cell phone bills in taxes. And while state revenues are beginning to tick back up from their low point during the recession, Medicaid costs are fast on their tails. So it’s likely that over the coming years, states will be looking to find taxes to hike or new taxes to create — all without calling them tax hikes, of course.

Policy makers may be tempted to hike taxes on cell phones, or to create (or “equalize”) taxes on untaxed (or “under taxed”) parts of wireless telephony, such as cell phone data plans or e-readers with cellular connections. As I argue in a recent issue of Mercatus on Policy, this is a bad idea for a number of reasons. Continue reading →

Jim [posted earlier today](http://techliberation.com/2011/05/31/be-sure-to-attend-cfp/) about the [Computers, Freedom and Privacy](http://www.cfp.org/2011/wiki/index.php/Main_Page) conference June 14th to 16th, which I’m very much looking forward to attending. If you’re in town for that, though, I’d like to bring to your attention two other related conferences being put on by the Center for Infrastructure Protection and Homeland Security at George Mason University.

The first is the **The Tenth Workshop on Economics of Information Security**, the leading forum for interdisciplinary scholarship on information security, combining expertise from the fields of economics, social science, business, law, policy and computer science. Prior workshops have explored the role of incentives between attackers and defenders, identified market failures dogging Internet security, and assessed investments in cyber-defense. [It starts on June 13th and the program is here.](http://www.regonline.com/builder/site/tab1.aspx?EventID=960652)

More relevant to my interests is the **Workshop on Cybersecurity Incentives** to be held June 16th, and featuring a keynote by Bruce Schneier. [The program is here.](http://www.regonline.com/builder/site/tab2.aspx?EventID=959995) The workshop will look at how scholarship in law, economics and other fields within the behavioral sciences inform stakeholders about how markets, incentives and legal rules affect each other and shed light on determinations of liability and responsibility.