Pre-class Discussion for Jan 10

From Cyberlaw: Internet Points of Control Course Wiki
Jump to navigation Jump to search

There's an interesting episode of the "Cranky Geeks" (great name!) webcast, hosted by PC Magazine columnist John Dvorak, that features Whit Diffie of public key encryption fame. It's a half-hour long, but it covers a wide range of the topics considered today and in this class as a whole. It is also fairly entertaining. At the end of the interview Diffie said he's proposing a goal of strict product liability for software in 10 years. See ref [1] --Tseiver 20:35, 9 January 2008 (EST)

  • One interesting topic discussed on this clip was whether or not encryption systems have a backdoor in which hackers can access the protected information. Dan Farmer suggested that it is extremely difficult to understand and figure out the mathematics behind the encryption system and only a few would be able to hack into the system. Regardless, this should be a concern for publishers who want to use encryption programs to secure their copyright works. It will only be a matter of time before hackers discover the backdoor into the encryption. I found one article from 2000 discussing DVD encryption hackers posting the de-encryption code on the Internet (the same decision discussed in "Cyber Law Journal: Assessing Linking Liability") DVD Hackers. My understanding is that the few are the ones we should be concerned about in these hacking situations. Generally, most computer users are not the ones developing software or decrypting codes to hack into systems, but it is the few who make the de-encryption codes available to others.KStanfield 21:47, 9 January 2008 (EST)
  • Harkening back to our discussions about defamation, the NY Times has an article today claiming that LA federal attorneys have filed a subpoena against MySpace relating to the suicide of the teenage girl in Missouri. The investigation is to determine whether setting up a false identiy online for the purpose of harassment can be defined as Internet fraud under federal statutes. See ref supoena article --Tseiver 08:00, 10 January 2008 (EST)
  • Here's two other short NY Times articles directly related to trusted systems technologies. The first regarding an open source authentication program being sponsored by Yahoo! See ref Yahoo! OpenID The other reports on a panel discussion at the Consumer Electronics Show of ISPs and telcos regarding network-level packet filtering. See ref ISP filtering --Tseiver 08:12, 10 January 2008 (EST)


Zittrain: Technological Complements to Copyright

  • Mark Stefik’s “Trusted Systems (I)”

In this article Stefik argues that usage-rights language is “essential to electronic commerce: and the range of things that people can or cannot do must be made explicit so that buyers and sellers can negotiate and come to agreements.” While I agree that it is important for end-users to understand the fees and conditions for any particular trusted system they may want to connect with, is there really a negotiation though? I think this has an interesting tie-in to Zittrain’s “The Future of the Internet” which states that how generativity allows for a variety of software to be built and content exchanged without anticipating what the market wants and is concerned that the harm that arises from generativity will create a lockdown. However, I wonder if the opposite could be true as well: if end-users are unable to negotiate the terms of trusted systems, and trusted systems continue to lock-down their products into very specific-single use machines, then perhaps even more generativity will result. More and more unsatisfied end-users that are unable participate in deciding the terms of their lock-downed machine may be incentivized to think of alternative software or generative platforms to run their programs (or perhaps as we’ve seen in many cases if chances of being caught for legal liability under 1201 of the DCMA are slim, users that create codes circumventing trusted systems lockdowns). Cseif 08:25, 10 January 2008 (EST) Cseif

  • Would more and more end users necessarily be unsatisified? Might it be reasonable to expect that manufacturers (keeping a close eye in turn on lead users and their innovations) would push trusted systems just up to the intersection of enforceable security and demand if for no other reason than the vast majority of end users probably tend to be far more easily satisfied and less knowledgeable and thus less likely to look for alternatives (even if they feel some vague impulse to do so or would if they understood the extent of the lockdown) than lead users? Jhliss 10:59, 10 January 2008 (EST)
  • I was particularly thinking of NY Times article describing the DeCSS code developed by hackers in Europe to decode DVDs, where although the content of the code is illegal in the states and sites linking to the illegal content may be legally liable under the DCMA , it seems like nothing was done about the code itself (perhaps because of unenforceability) . The point above however is a very interesting point, and I agree, I think it depends a lot on how the market reacts to consumer wishes and demands, and satisfied consumers would in turn be less incentivized to find creative alternatives. Cseif 11:15, 10 January 2008 (EST) Cseif
  • I would assume with the implementation of the trusted system lock downs, technology will develop like other single-use products. As discussed by Professor von Hippel, products have developed in extreme sports by innovations of the lead users. Allowing the lead users to participate in product development seems key. Since the lead users are ahead of the curve, the majority of ordinary users will not even notice the need until the manufacturer puts the product on the market (in most cases). However, without the generativity of the internet, I believe that the pace of developing technologies will be cripled. Some of the lead users may modify their products to their satisfaction but couldn't some of these modifications go unnoticed? Eventually the market would catch up but it seems the generativity of the internet encourages a more competitive market and better technologies. KStanfield 11:48, 10 January 2008 (EST)
  • Professor Zittrain mentions the use of trusted systems in the music industry. Publishers will have the ability to require payments before the user accesses the information. However, there are privacy concerns that arise with the dissemination of such information. Ordinarly, when a individual purchases a compact disc, they do not have to give the retailer any identifying information. Under the new trusted systems, the user would have to give all information necessary for payment. Allowing these companies to have your name, address, and other information seems invasive. Even if the information provided to the seller is not vulnerable to hacking, I would still be concerned with every company that I purchase from having all of my personal information. Not only are there privacy issues, but also price discrimination, as mentioned by Professor Zittrain. Although this may be a major step for the music industry, consumers may not be as eager. KStanfield 12:12, 10 January 2008 (EST)
  • Another question I have regarding the move to trusted systems in the music industry is the time frame. When will CDs be obsolete and consumers will solely purchase digitial music? Currently, a number of people no longer purchase actual CDs, especially the younger generation. As products such as iTunes increase in availability, the shift seems inevitable and possibly quick. Throughout the years, we have seen the shift from tapes to CDs, VHS to DVDs, discman to iPods, and other similarly positioned products. Although CDs may be available for purchase, the market interest is clearly in digital media. I am not sure when the purchase of CDs will be no longer common, however, I do believe that a majority of listeners will no longer make that trip to Best Buy (or other compact disc provider stores). KStanfield 12:10, 10 January 2008 (EST)


  • Steven Levy: “Prophet of Privacy”

I think it's really interesting how Whitfield Diffie was drawn to cryptography because he thought it was important to personal privacy, however currently the trusted systems that use cryptography are extracting more and more personal information from users (as described above). Could this actually be furthering Diffie's desire for privacy, ensuring that online transactions occurring between two users are indeed private and secure from third party intrusion, or does it create a potential future problem if the identifying information passing through such transactions is retained, and available to attack and exploitation by hackers? Furthermore, do the benefits of e-commerce outweigh the threats to privacy that it may also possess? Websites benefit from retaining information because it becomes a cheaper marketing research tool than demographic studies, but should we allow them to do this, or should we require them to purge their system of stored identities and require a new authentication every time a user signs on or tries to purchase something online(which would then slow down the ease through which people can make transactions online)? Cseif 12:32, 10 January 2008 (EST)

  • The link provided by Tseiver above has Whitfield Diffie briefly commenting on the potential of hackers for encryption systems. He believes that hacking is ultimately impossible. As for the retention of information as a marketing strategy, disallowing businesses to retain the information from their sites seems as if it would be detrimental to developing products and understanding consumer demand. Requiring companies to wipe out all identifying information seems like an unnecessary burden. On the other hand, this suggestion may eliminate price discrimination and consumer concerns about companies retaining their information after purchase. But, is price discrimination always a bad thing? The manufacturers would be able to provide the products to the consumer who want them at a price the consumer is willing to pay. I do not think any student would protest the discounted movie ticket or bus fare. All in all, privacy issues seem to be the focal point of switching from one system to the next. If the trusted system is not used, consumers are exposed to hackers and other security threats. It seems that the trusted systems give the consumers the highest level of privacy possible. Currently there is no perfect solution. KStanfield 12:55, 10 January 2008 (EST)

Cyber Law Journal: Assessing Linking Liability

  • Why are copyright holders (or those being defamed, etc) going after the linker? Shouldn't they be more concerned about the destination site? If the answer is simply that the destination site is judgment-proof or that the linker has deeper pockets, such motivations seem skewed and out of line with the goals of copyright law. Why not view linking as a double-edged sword: although it provides surfers with access to forbidden information, it also provides copyright holders etc with free police work. The offended party can now go after the destination of the link. Cjohnson 10:37, 10 January 2008 (EST)
    • The linked site may be in a jurisdiction that doesn't recognize posting such information as a violation of copyright law; or it might be in a jurisdiction that doesn't recognize U.S. subpoenas, on an ISP that refuses to give out the name of the site owner. Going after linking sites would then be an imperfect way of stopping the flow of information, but in the eyes of the copyright holders, better than nothing. Eroggenkamp 10:45, 10 January 2008 (EST)
      • That makes sense. It would be interesting to see if this is, in fact, the type of linking that copyright holders are targetting. That is, are they only going after linkers as a plan-B, when they cannot reach the destination sites.Cjohnson 12:17, 10 January 2008 (EST)
  • What happens with news organizations? Although they may not meet the last prong of Kaplan's test, couldn't the news organizations still be liable for linking to pages with decrypting codes? If not, many users will be able to more readily access the codes and potentially infringe on the copyright holder's rights. Mark Lemley's concern about subjecting a too many people to liability is legitimate. With Kaplan's decision, I do not see why organizations or companies like the MPAA will not distribute a number of cease and desist letters/e-mails to linkers, including news organizations. As the article states, following Kaplan's decision the MPAA sent approximately 100 cease and desist letters to linkers that they believed had "intentions" to distribute DeCSS. Furthermore, this still leaves the MPAA (and other copyright holders) subject to de-encryption by existent sites that do not meet Kaplan's good/bad links test. However, I agree with Kaplan's hesitancy to extend the ruling to linkers that do not intend to distribute infringing software. The chilling effect can be detrimental to information available on the internet. Additionally, restricting linkers the ability to post links to pages with valuable information can compromise a person's free speech rights. KStanfield 11:34, 10 January 2008 (EST)
  • There's also some background to this case that the article leaves out. Corley ran a magazine called "The Hacker Quarterly" geared towards lead users which focused on vulnerabilities in computer security systems and how to exploit them. Thus, he made links available to exactly the type of people that would use the software and possibly distribute it to others. Also, the case started with him posting the code on his site, which the court ordered him to take down, and then he took the code down but linked to as many sites as he could that contained the code and told all of his readers to download it. I think part of why Kaplan ruled as he did is because he was angry at Corley for trying to get around his ruling. Anna 12:44, 10 January 2008 (EST)

Cohen: Copyright and the Jurisprudence of Self-Help

  • Can manufacturers of tethered appliances avoid privacy concerns via contract? If the consumer is bound by a EULA that states that the device might be shut off remotely (paralleling terms of service on Web 2.0 platforms - see comment by Jendawson below), it seems that there would no longer be a "reasonable expectation of privacy" and the controversy is avoided. Cjohnson 10:37, 10 January 2008 (EST)
  • One of the main concerns would be that mentioned by Cohen: "if reasonable expectations are defined solely by the limits of technological possiblity, privacy has a bleak future." Similarly, if manufacturers simply modify their contracts to notify consumers about remote shutdown or even phone home updates, the self-help favors manufacturers and places consumers in an unfavorable position. As Christina mentions below, the current (and forthcoming) technologies have a number of benefits in which consumers may willingly sacrifice their privacy for convenience. Similarly in Lessig's chapter about "Regulating Code," he questions whether anyone will resist giving up identifying information (and therefore privacy) for easier and more advanced uses of technology. However, consumers will still expect some level of privacy. If courts rule otherwise, the use of different programs may be stifled by the threats of privacy invasion and unpredictability of product uses. Are a majority of these provisions set out to combat "bad" actors? In that case, good actors may not have the same level of concern about shutdown and self-help if they are following the ordinary uses of the product. As with EchoStar, the users were not all intentionally "bad" actors, but still suffered the consequences of the court's decision. KStanfield 12:31, 10 January 2008 (EST)
    • I agree that "good" users would have legitimate concerns about their privacy or the possibility of remote shutdown as per the EULA. However, they have a simple solution: don't buy the product. Let the market sort itself out. In the case of a tethered appliance like the EchoStar box:
      • People can pay less for products that have the potential to be shut down, as per their EULA.
      • Alternatively, people can pay more for products where the manufacturer promises that this will not occur. If the product is then designed so that remote shutdown is impossible, there is no problem. If remote shutdown remains possible, and an EchoStar-esque court order forces it to occur, the consumer would theoretically have a breach of contract claim against the manufacturer and everyone ends up happy.Cjohnson 12:59, 10 January 2008 (EST)

Zittrain: FOI/Web 2.0

I think this article makes a good point about the dependence that Web 2.0 spawns, even if it untethers us from the physical boxes we used to rely on. Looking over the Facebook terms of service provided, it's obvious the lack of recourse users have if their data is lost or the service discontinued. I've recently started doing some productivity-type tasks online with Google Documents and their TOS (which I just looked up!) are just as harrowing, if not more. "You acknowledge and agree that Google may stop (permanently or temporarily) providing the Services (or any features within the Services) to you or to users generally at Google’s sole discretion, without prior notice to you. ... You acknowledge and agree that if Google disables access to your account, you may be prevented from accessing the Services, your account details or any files or other content which is contained in your account." In essence, the only guarantee I have that Google won't ruin all my stuff and delete my documents is their reputation. I may start doing more frequent exports of what I post there--Microsoft Word suddenly seems to have one big advantage. Jendawson 09:48, 10 January 2008 (EST)

  • I wonder how businesses, especially sensitive information businesses like banks and credit card companies deal with this when they use wildly successful business solutions that are SaaS such as Salesforce.com. I wonder if the market/contracting takes care of ensuring that data is secure and preserved lest the service gets disrupted? I'm not certain of this but I think Google intends to target businesses as well with their hosted productivity solutions, as a substitute to costly in-house IT. --Jumpingdeeps 10:24, 10 January 2008 (EST)
    • My impression is that paid services can afford to offer contracts that guarantee security, but I could be wrong. I'm curious, if Google began to offer guaranteed security for Google Documents for people willing to pay, and its current level of security for everyone else, whether anyone would bother to switch? --NikaE 11:42, 10 January 2008 (EST)
  • * I'm betting that this contract is more CYA than something they expect to be perfectly enforced if, for some reason, they suddenly lose all of somebody's valuable data. I think of this as a parallel to, for example, an airline's frequent flyer miles program. All of those agreements say something like 'this program may be modified or ended at any time,' but the companies would never do so without warning their customers because they'd lose business. The main difference I see is the potential for outside interference; it would be very difficult for someone malicious to destroy an airline's frequent flyer program (although if they could get at the database where it is stored, they could probably do some damage), but it would probably be much easier for a malicious hacker to destroy the data on the Google Documents server. We've already seen how easy it is for a random MIT grad student to write a virus that gives him root control over most of the computers in the world; computer security is better now than it was in 1988, but so are the hackers. I think the real danger in using trusted systems is not that their contracts of adhesion are skewed in their favor, it is that it's difficult to really trust that they won't be the subject of attack, particularly once they reach a size that makes them a tempting target. The obvious solution is to periodically load all of the shared documents on to an autarkic backup computer, but even that is imperfect if a document is itself infected with a destructive virus. Eroggenkamp 10:56, 10 January 2008 (EST)
  • This sounds similar to the Echostar case discussed yesterday, were consumers had no recourse when their machines were wiped out completely (although done by a court order rather than the will of the service provider). I would particular be very upset if I was a consumer. Although I fully agree with the problems with Web 2.0 platforms described above (I backed up all my Netlocker and Google documents and spreadsheets last night after reading about what could happen), the programs also come with some great benefits to end-users which may balance out questions of permanency, such as mobility to view and edit from any computer at any time, allowing multiple users to use, share and edit at the same time, and (ironically) providing a backup in case a PC crashes. I find it very interesting that both autarkic machines and Web 2.0 programs seem to coexist in a very symbiotic-like relationship. Cseif 11:49, 10 January 2008 (EST)
Retrieved from "http://cyber.harvard.edu/ipc/?title=Pre-class_Discussion_for_Jan_10&oldid=2365"