

RE: [projectvrm] The marketing/cybercrime symbiosis


  • From: "T.Rob" < >
  • To: "'ProjectVRM list'" < >
  • Cc: "'Doc Searls'" < >, "'M a r y H o d d e r'" < >
  • Subject: RE: [projectvrm] The marketing/cybercrime symbiosis
  • Date: Mon, 22 Sep 2014 00:46:32 -0400
  • Authentication-results: mailspamprotection.com; auth=pass smtp.auth=184.154.225.7

Hi Mary,

My main objection here is a lopsided balance of power. If I circumvent
controls that protect content, it violates the DMCA. Back in 2001 a
programmer named Dmitry Sklyarov went to Defcon to present a session on
software that he developed capable of bypassing Adobe's copy protection on
PDF files in order to render them in text-to-speech engines for the blind -
a function Adobe had declined to include at that time.

* The software was perfectly legal in Russia where it was developed.
* The software was a proof-of-concept and not available to the public.
* Sklyarov brought slides to present, not code.
* No actual damages were ever claimed.
* Rendering of PDF content to screen readers is a protected Fair use.
* Adobe declined to press charges.

Despite all this, Sklyarov was held in Federal custody for a month, then
released on bail but restricted to Northern California for another 4 months.

Contrast this with malvertising which deliberately circumvents user-side
controls resulting in actual damages:

* Consumes the user's cognitive capacity.
* Imposes a burden of vigilance on the user.
* Consumes the user's time since malvertising weighs down page load times.
* Consumes the user's bandwidth, CPU and storage.
* On mobile devices, consumes battery capacity.
* Delivered under terms of service separate from that of the hosting site
and which the user never sees.
* Phones home with extensive data about the user and their device.
* Correlates the data to track the user's movements online.
* Correlates online and offline data to track the user's movements in
meatspace.
* Correlates data to de-anonymize the user.
* Facilitates Man-In-The-Middle and other attacks when the adtech fails to
use SSL.
* Delivery of malware payloads onto the user's device resulting in financial
damages, identity theft and in some known cases, death.
* Malvertisers maintain that they have an absolute right to behave in this
fashion.

Corporations not only get to throw individuals into Federal detention
without ever claiming damages, but they also get to inflict damages onto
individuals with impunity? Individuals, on the other hand, have no
reciprocity under the DMCA when it comes to circumvention of their user-side
controls. Seems to me that natural citizens aren't getting equal protection
under the law and Corporations are not just citizens, but rather
*privileged* citizens. So forget about "things," with this big an imbalance
of power IoT really means "Internet of Thugs."

I'm also finding it difficult to draw the line that designates public versus
private space on the Internet because there is no opt-out of malvertising.
The deal we are offered is to either accept the adtech or else don't use the
site. But even though "the site" might arguably be public, the ads that are
being served aren't coming from the site you are visiting. So it's not like
"I went to wsj.com and all these ads were there." A more accurate
description would be "I went to wsj.com and they silently gave access to my
browser session to 35 non-WSJ domains who then downloaded 200 scripts to my
PC and executed them without my knowledge or consent, and without any
accountability as to what exactly those scripts do to my PC or what
information they collect."

Would you be OK with it if you went to the mall and while you were inside 35
different companies put GPS trackers on your car then broke in and slathered
the dashboard and windshield with advertising printed on adhesive stickers?
Because what you see in context of the WSJ page is one thing. Downloading
scripts onto your PC, causing your PC to execute them, and then exfiltrating
data from your PC back to the mother ship is a whole lot more like finding
your car bugged and covered in ads than it is seeing a billboard while
walking in the park.

Kind regards,
-- T.Rob

T.Robert Wyatt, Managing partner
IoPT Consulting, LLC
+1 704-443-TROB
https://ioptconsulting.com
https://twitter.com/tdotrob


> -----Original Message-----
> From: M a r y H o d d e r
> [mailto: ]
> Sent: Sunday, September 21, 2014 18:36 PM
> To: T.Rob
> Cc: 'ProjectVRM list'; 'Doc Searls'
> Subject: Re: [projectvrm] The marketing/cybercrime symbiosis
>
> I've been thinking about this, TRob, since you posted it.
>
> So the forced disrobing done to various women a couple of weeks ago, by
> hacking their iCloud backups through the back door using law enforcement
> software, .. that to me was a sexual crime. It doesn't matter to me that
> it was digital.. or the perpetrators have never met their victims.
>
> Regarding invading my intellectual space, the forced grabbing of my
> attention.. when I'm out, in physical space or visiting another online
> site.. I don't have a problem with that.
> At least that's what I tell myself.. it's the bargain for going to public
> commercial spaces.
>
> But the notion that marketers can come into my home or my own personal
> cloud, to invade my space without my permission, is another matter.
>
> I don't have a word for it either.
>
> But the key violation with sex crimes, rape, sexual abuse of children,
> etc. is that the perpetrator is violently communicating to the victim that
> "the victim doesn't control their own body"
> or their body isn't theirs to self-determine. The victim has no choice and
> therefore has to live forever feeling and reliving the violation of that
> reality.
>
> This communication, which becomes deeply rooted in the victim's body,
> known to them all the time, which is why the act changes people's lives
> and causes them to develop things like severe PTSD, OCD and other severe
> mental illness.
>
> So.. the thing I've been wondering the past few days is whether there is
> an intellectual equivalent: we are intellectually invaded out there..
> online or in person, but we choose to go to those places, knowing there
> may be intellectual invasion.
>
> But when we are in our own space, what does it do to us to be
> intellectually invaded?
>
> We, the US, as well as many other places that have bought into our ways of
> creating advertising and media as the internet's influence is far reaching
> the past couple of decades....
> We have bought into the notion that this is all okay and we take public
> intellectual invasion by choice.
>
> But what happens to us psychologically when we are personally
> intellectually invaded? Is the message similar to rape? "You don't own
> your own mind; we do."
> or "You can't control your own inputs, and therefore your thoughts are not
> yours to control."
>
> I don't have an answer, but I do think it's very interesting to
> contemplate. We are a culture that is becoming more deeply addictive,
> which is one of the things that often happens to those who lose control
> over their own bodies via external attacks. I wonder if we aren't also
> becoming addictive (looking for relief from our own pains by using things
> to feel better, needing those things for relief) due to intellectual
> invasion.
>
> In the past I've thought about our increasingly addictive nature as a
> culture as something that people chose because the advertisers of all
> things we might "use"
> are so alluring.. but ultimately it's a choice. But maybe increasing
> addictiveness is also due to intellectual invasion, where we cannot face
> the loss of our own autonomy and choice, head on.
>
> So we are even more susceptible to the marking of things we might use to
> feel better.
>
> Anyway....
>
> (Sunday afternoon ramblings...).
>
> Mary
>
>
> On Sep 17, 2014, at 2:44 PM, T.Rob wrote:
>
> > At the suggestion of a list member I reworded a couple of sentences in
> > the post. We do not have a good word for the type of violation that
> > occurs when someone forcibly invades your personal digital space,
> > against your will and over your strongly voiced objections. It isn't
> > blackmail or bribery. Coercion doesn't begin to come close to
> > describing it. When it is in
> > the real world and sexual we call it rape. If you imagine being
> > surrounded by a mob of aggressive marketers, all vying to get close
> > enough to shove their message down your throat, rape may seem a good
> > analogy. It did to me at that moment.
> >
> > However, if you've experienced that in the physical world the digital
> > equivalent nothing else deserves to share the word. Rather than
> > diminish the word any further with the analogy, I've updated the post
> > to compare Marketers to a horde of mindless zombies relentlessly
> > pursuing you to get a piece of your brain. We're back to something
> > that falls far short of describing the violation of a Marketer
> > bypassing consumer-side controls to surveil you, while asserting (and
> > apparently believing) that they have an absolute right to exploit you in
> > this way.
> >
> > So it's slightly less strong shit. But thanks for the tweet. :-)
> >
> > Kind regards,
> > -- T.Rob
> >
> > T.Robert Wyatt, Managing partner
> > IoPT Consulting, LLC
> > +1 704-443-TROB
> > https://ioptconsulting.com
> > https://twitter.com/tdotrob
> >
> >
> >> -----Original Message-----
> >> From: Doc Searls
> >> [mailto: ]
> >> Sent: Wednesday, September 17, 2014 17:25 PM
> >> To: T.Rob
> >> Cc: ProjectVRM list
> >> Subject: Re: [projectvrm] The marketing/cybercrime symbiosis
> >>
> >> On Sep 17, 2014, at 6:15 PM, T.Rob
> >> < >
> >> wrote:
> >>
> >>>> The marketing industry as a whole can never address the integrity
> >>>> issue, because there's always someone who's willing to be a little
> >>>> creepier, a little closer to the edge.
> >>>
> >>> Let's hope that isn't true. The problem is they lost sight of their
> >>> mission. More thoughts here: http://iopt.us/1wq8LSW (At 1805 words
> >>> it's a short one for me.)
> >>
> >> For some reason my tweet about this doesn't show in my timeline, or
> >> the timeline of the one guy who retweeted it. But here is what it said:
> >>
> >> @tdotrob: The Marketing/Cybercrime Symbiosis: http://bit.ly/1o4297w
> >> Strong shit. #VRM #marketing #security #privacy
> >>
> >>>> The question is how many of the high-reputation brand advertisers
> >>>> will split off from the bottom-feeders.
> >>>
> >>> The most recent exploit in the news wasn't bottom feeders. The
> >>> entire model based on circumventing consumer controls is
> >>> indistinguishable from malware. It is in fact nothing more than
> >>> legal malware.
> >>
> >> That's a pull-quote.
> >>
> >> Doc
> >>
> >>>
> >>>
> >>> Kind regards,
> >>> -- T.Rob
> >>>
> >>>> -----Original Message-----
> >>>> From: Don Marti
> >>>> [mailto: ]
> >>>> Sent: Wednesday, September 17, 2014 10:20 AM
> >>>> To: Katherine Warman Kern
> >>>> Cc: T.Rob;
> >>>> < >
> >>>> Subject: Re: [projectvrm] The marketing/cybercrime symbiosis
> >>>>
> >>>> The marketing industry as a whole can never address the integrity
> >>>> issue, because there's always someone who's willing to be a little
> >>>> creepier, a little closer to the edge. The question is how many of
> >>>> the high-reputation brand advertisers will split off from the
> >>>> bottom-feeders.
> >>>>
> >>>> A little history... We had a good tool against email
> >>>> spam: a broad "private right of action"
> >>>> in state antispam laws such as Washington's CEMA (
> >>>> http://www.dwt.com/advisories/9th_Circuit_Deals_Blow_to_Professional_CANSPAM_Complaint_Mills_08_10_2009/
> >>>> ). The federal CAN-SPAM law, backed by the Direct Marketing
> >>>> Association, pre-empted state antispam laws and we lost private
> >>>> right of action.
> >>>>
> >>>> Yes, the DMA sided with spammers over its own members who send
> >>>> legit, opt-in marketing email.
> >>>>
> >>>> The same thing is happening now with the IAB and the creepy ads.
> >>>> Existing organizations such as the DMA and IAB have been captured
> >>>> by the intermediaries who sit between advertisers and content
> >>>> creators.
> >>>>
> >>>> There's a growing recognition from both "ends" that the "middle"
> >>>> isn't working. The question is how to connect dissatisfied web
> >>>> publishers to dissatisfied brand advertisers without the creepy
> >>>> stuff in the middle.
> >>>> Doc covers the problem here:
> >>>>
> >>>> http://blogs.law.harvard.edu/doc/2014/09/16/giving-respect-to-brand-advertising/
> >>>>
> >>>> Don
> >>>>
> >>>>
> >>>>
> >>>> begin Katherine Warman Kern quotation of Wed, Sep 17, 2014 at
> >>>> 06:49:33AM -0400:
> >>>>>
> >>>>> T.Rob, I wish there were a way to convince the marketing industry
> >>>>> to address the integrity issue. The huge volume of both
> >>>>> intentionally malicious and unintentionally intrusive marketing
> >>>>> makes it more and more difficult and expensive for an advertiser
> >>>>> with integrity to stand out.
> >>>>>
> >>>>> K-
> >>>>> Katherine Warman Kern
> >>>>> @comradity
> >>>>>
> >>>>>> On Sep 16, 2014, at 8:01 PM, "T.Rob"
> >>>>>> < > wrote:
> >>>>>>
> >>>>>> Recently I posted to this list a claim that marketing has become
> >>>>>> the R&D lab for cybercrime.
> >>>>>>
> >>>>>> 1. Users find ways to stay anonymous and block ads.
> >>>>>> 2. Marketing devises new adtech to circumvent user controls.
> >>>>>> 3. Cybercriminals ride the rails marketing builds.
> >>>>>> 4. Rinse, repeat.
> >>>>>>
> >>>>>> I asked whether marketing would ever voluntarily take
> >>>>>> responsibility for their role and whether there is a line that
> >>>>>> even Marketing won't cross. In other words, will Marketing ever
> >>>>>> say "just because we can doesn't mean we should" and find a
> >>>>>> business model that does not support cybercrime. To my surprise,
> >>>>>> it turns out I'd overlooked some significant activity in this
> >>>>>> area. The OTA is saying the same thing, except they are saying it
> >>>>>> to Congress:
> >>>>>> http://iopt.us/1r6io96
> >>>>>>
> >>>>>> "According to OTA research, malvertising increased by over 200%
> >>>>>> in 2013 to over 209,000 incidents, generating over 12.4 billion
> >>>>>> malicious ad impressions."
> >>>>>>
> >>>>>> "In the absence of policy and traffic quality controls,
> >>>>>> organized crime has recognized malvertising as the "exploit of
> >>>>>> choice" because it offers the ability to be anonymous and remain
> >>>>>> undetected for days."
> >>>>>>
> >>>>>> "Failure to address these threats suggests the needs for
> >>>>>> legislation not unlike State data breach laws, requiring mandatory
> >>>>>> notification, data sharing and remediation to those who have been
> >>>>>> harmed."
> >>>>>>
> >>>>>>
> >>>>>> Kind regards,
> >>>>>> -- T.Rob
> >>>>>>
> >>>>>> T.Robert Wyatt, Managing partner
> >>>>>> IoPT Consulting, LLC
> >>>>>> +1 704-443-TROB
> >>>>>> https://ioptconsulting.com
> >>>>>> https://twitter.com/tdotrob
> >>>>>>
> >>>>
> >>>> --
> >>>> Don Marti
> >>>> http://zgp.org/~dmarti/
> >>>>
> >>>
> >



