Author Archive

Is GOP a SOPA “Nope” Hope?

Here’s a revised version of an op-ed I published on the potential importance of the SOPA fight. The original appeared in Hollywood Reporter (caution: paywall; free version is here).

What went wrong for SOPA, the entertainment industry’s proposal for stopping international piracy? And what does it mean for Hollywood’s future clout in Washington?

I had a ringside seat for the battle over SOPA, though not as a supporter.  I thought it would make Internet users more vulnerable to cybercrime. That was a problem that could have been fixed.  Instead, after a brief halt and some modest changes, the entertainment industry decided to press for a showdown.

And a showdown, of course, is what it got.

Why did it turn out so badly? The entertainment industry’s first mistake, then and now, is believing that its adversary is a group of other companies — Google, Internet service providers, and others — who are somehow hoping to profit from the Internet travails of the entertainment industry.

In fact, the industry is fighting what amounts to a new popular culture.

Unlike the old pop culture, this one is largely independent of the music, movie, and broadcast industries. In fact, people who spend hours online instead of watching TV or going to movies will probably encounter the entertainment industry only when YouTube videos of their kids dancing to Prince or spoofing Star Wars are pulled down by Hollywood’s bots, or when the RIAA threatens to sue them for their college savings, or when digital rights software makes it hard to move their stuff to a new tablet or phone.

To the entertainment industry these episodes may seem like collateral damage in the fight to stop piracy.  To the new pop culture, though, collateral damage and misuse of enforcement tools is everywhere, and it threatens everyone.  The content industry has made itself into the villain. Increasingly it looks like an occupying power: obeyed at gunpoint, despised for its ham-handed excesses, and resisted from every dark corner.  Unfortunately for the entertainment industry, as its customers migrate to the Internet, it loses not just their money but their hearts and minds as well.

The industry’s miscalculation about the source of the resistance to SOPA may have led to an even bigger mistake.  As long as the campaign for better IP enforcement was an inside-the-beltway, company-versus-company struggle, it could be fought within the Congressional judiciary committees, where both Republican and Democratic politicians were wooed and won as individuals. As a result, strengthening intellectual property enforcement has been a bipartisan issue for the last 25 years.  But when the fight went from the committees to the floor, and Wikipedia went dark, every member of Congress was expected to take a stand.

The two parties reacted very differently. Despite widespread opposition to SOPA from bloggers on the left, Democrats in Congress (and the Administration) were reluctant to oppose the bill outright. The MPAA was not shy about reminding them that Hollywood had been a reliable source of funding for Democratic candidates, and that it would not tolerate defections.

But that very public message also reached another audience: Tea Party conservatives. Most of them had never given a second’s thought to intellectual property enforcement before coming to town. But many had drawn support from conservative bloggers.  They began to ask why they should vote against their Internet supporters to rescue an industry that was happily advertising how much it hated them. Pretty soon, far more Republicans than Democrats had bailed on SOPA, and the Republican presidential candidates had all come out for what they called “Internet freedom.”

That’s what really ought to worry the entertainment industry. For Republicans, opposition to new intellectual property enforcement is starting to look like a political winner. It pleases conservative bloggers, appeals to young swing voters, stokes the culture wars, and drives a wedge between two Democratic constituencies, Hollywood and Silicon Valley.

We’ve seen this movie before.  Immigration reform and the DREAM Act, free trade agreements, and the USA PATRIOT Act all commanded impressive bipartisan support. For a while. Now, not so much. Bills on these topics still come to the floor, and they sometimes even pass, but only after endless partisan point-scoring and amendments driven by talk radio and mass email. The same could soon be true of intellectual property enforcement.

With SOPA, the entertainment industry pushed a generation of Republicans into choosing sides between Hollywood and the Internet.

They may never look back.

While I’m on the subject, talk about culture clash: I’ve written two SOPA op-eds, for Politico and Hollywood Reporter, and both have been put without notice behind paywalls. That’s never happened to me before, and it seems a little odd. Sure, it must sound good to the publishers, at least for a while.  But they aren’t paying op-ed contributors in gobs of cash, or in massive circulation.  They’re giving circulation to the contributors’ ideas.  Or not, in the case of the paywalled publications.

Contributors who actually care about communicating to the public have to wonder why they should offer content to an outlet with such a policy.  That only makes sense to contributors who have a strong reason to communicate just to the elite audience that pays to get these highly specialized publications — lobbyists or studio execs in the case of Politico and Hollywood Reporter. It makes sense, in other words, only to contributors who see their op-eds as an alternative form of targeted advertising.

Nothing wrong with that, either, except that it means the subscribers who pay for the publications have to read even the op-eds with their hands on their wallets, wondering, “Now why did he want me, and only me, to read that?” Ironically, then, in the long run the paywalled op-eds are less valuable than op-eds that appear for free.

UPDATE: The Hollywood Reporter assures me that the paywall is temporary — likely to last only a day or two while they’re promoting the new issue.  So, uh, never mind.  When the public link is available, I’ll add it.

UPDATE 2: Done.

Matt Drudge and The Atlantic are hyperventilating, and Mark Hosenball of Reuters is bragging, about what The Atlantic calls an “exclusive” report that DHS “routinely monitors dozens of popular websites, including Facebook, Twitter, Hulu, WikiLeaks and news and gossip sites including the Huffington Post and Drudge Report.”

There are just two problems with this exclusive news report.

It isn’t news and it isn’t exclusive.

Readers of this blog could have learned exactly the same thing in one of my posts from, uh, February of 2010.

Here’s what I said two years ago:

With his usual nudge-and-wink, Matt Drudge invites us to be dismayed that “BIG SIS” — his moniker for Janet Napolitano — is “Monitoring Web Sites for Terror and Disaster Info.” Drudge links to a story saying that DHS will be monitoring social media like Twitter, as well as websites like Drudge, to keep abreast of events during the Winter Olympics. The source of the story is a twelve-page “Privacy Impact Assessment” issued by DHS.

This isn’t the first Privacy Impact Assessment (PIA) on DHS’s use of social media. A few weeks earlier, DHS wrote a similar assessment of using social media during Haitian rescue operations.

I am indeed dismayed, but not for Drudge’s reasons.  True, it’s disappointing that neither the Volokh Conspiracy nor www.skatingonstilts.com is deemed worthy of government monitoring.  But what’s really dismaying is that DHS and its Privacy Office felt obliged to labor over two separate and painfully obvious privacy assessments just to do things that you and I would do by simply firing up our browsers.

That’s it.  The story is that people at DHS are, gasp, browsing the Internet. As I said then, there’s no scandal, other than the electrons wasted by DHS agonizing over the privacy implications of browsing public Internet sources to find out what’s happening in the world.

And if it was a nonstory in February of 2010, what does that make it in January of 2012?

Actually, it’s a lesson — that both the mainstream media and the blogosphere are doggedly overreporting anything that could be deemed a privacy violation by government, especially DHS.  If you only followed these things casually, you’d be sure that DHS was constantly violating Americans’ rights, and reports like this would be a key bit of evidence.  But when you give the “story” a little scrutiny, all you find is an agency that needs to know what’s happening in an emergency and that is looking at public social media sites for information, just like the rest of us.  There’s no privacy issue there at all, despite the heavy breathing and the headlines.

Kind of makes you wonder how many more phony privacy violations you’ve been conned into believing, huh?

UPDATE: Mark Hosenball of Reuters says that he never called his report an exclusive, since he knew about the 2010 assessment; the “exclusive” label was applied by The Atlantic, not Hosenball.  I changed the first line to avoid tagging him with the statement.

Testifying Against SOPA

I will be testifying next Wednesday against SOPA, reprising my concerns about its impact on implementation of new web security protocols.  I’ve blogged those concerns here and here. The hearings are being held by Darrell Issa (R-CA), chair of the House Oversight and Government Reform Committee, who is troubled by the Judiciary Committee’s determination to take SOPA to the floor without hearing from witnesses on this issue. More details here.

I recently read Popular Mechanics’ riveting article reconstructing the last minutes of Air France 447, which in 2009 disappeared without explanation over the Atlantic between Rio and Paris. Using the cockpit transcript, the article reveals that the pilots essentially flew a fully functioning passenger jet into the sea. Why?  It appears that a temporary loss of flight speed data and then the disconnection of autopilot systems panicked a copilot into lifting the nose of the plane.  He then more or less kept the stick pulled all the way back as the plane lost forward speed and plunged into the ocean, paying no attention to dozens of blared stall warnings. Here’s a bit of the transcript and Popular Mechanics’ commentary:

02:10:55 (Robert) Putain!
Damn it!
Another of the pitot tubes begins to function once more. The cockpit’s avionics are now all functioning normally. The flight crew has all the information that they need to fly safely, and all the systems are fully functional. The problems that occur from this point forward are entirely due to human error.
02:11:03 (Bonin) Je suis en TOGA, hein?
I’m in TOGA, huh?
Bonin’s statement here offers a crucial window onto his reasoning. TOGA is an acronym for Take Off, Go Around. When a plane is taking off or aborting a landing—“going around”—it must gain both speed and altitude as efficiently as possible. At this critical phase of flight, pilots are trained to increase engine speed to the TOGA level and raise the nose to a certain pitch angle.
Clearly, here Bonin is trying to achieve the same effect: He wants to increase speed and to climb away from danger. But he is not at sea level; he is in the far thinner air of 37,500 feet. The engines generate less thrust here, and the wings generate less lift. Raising the nose to a certain angle of pitch does not result in the same angle of climb, but far less. Indeed, it can—and will—result in a descent.
While Bonin’s behavior is irrational, it is not inexplicable. Intense psychological stress tends to shut down the part of the brain responsible for innovative, creative thought. Instead, we tend to revert to the familiar and the well-rehearsed. Though pilots are required to practice hand-flying their aircraft during all phases of flight as part of recurrent training, in their daily routine they do most of their hand-flying at low altitude—while taking off, landing, and maneuvering. It’s not surprising, then, that amid the frightening disorientation of the thunderstorm, Bonin reverted to flying the plane as if it had been close to the ground, even though this response was totally ill-suited to the situation.

The article offers a final observation on what things were like in that cockpit, minutes from the crash:

Over the decades, airliners have been built with increasingly automated flight-control functions. These have the potential to remove a great deal of uncertainty and danger from aviation. But they also remove important information from the attention of the flight crew. While the airplane’s avionics track crucial parameters such as location, speed, and heading, the human beings can pay attention to something else. But when trouble suddenly springs up and the computer decides that it can no longer cope—on a dark night, perhaps, in turbulence, far from land—the humans might find themselves with a very incomplete notion of what’s going on. They’ll wonder: What instruments are reliable, and which can’t be trusted? What’s the most pressing threat? What’s going on? Unfortunately, the vast majority of pilots will have little experience in finding the answers.

That all sounds right.  But like everything else these days, it made me think about cyberwar.  Some of the most effective tactics used by our adversaries have a social engineering component.  That is, they know how humans react to certain situations and take advantage of that reaction to gain control of our computers.  They know we’re likely to open messages and click on links sent by superiors in our organization. They know we will accept friend requests from people who are already connected to a lot of our friends.  Stuxnet took advantage of social engineering of a sort by making sure that the systems reported normal activity to the humans in the control center while sending abnormal requests to the machines.  The humans believed what their controls told them.

What does this have to do with the crash of AF447?  The reaction of the AF447 pilots was tragically human.  Once we lose faith in computer systems, especially in an emergency, all of us are likely to ask, “What instruments are reliable, and which can’t be trusted? What’s the most pressing threat? What’s going on?” And if we have only minutes to make a decision, we’re likely to lock on a fragment of our training and keep trying it. The evidence that we’re failing disastrously just makes us pull harder on the stick.

So:  Why can’t that reaction be engineered? Put another way, could a hacker have caused the AF447 crash, not by directly overriding the pilots but by manipulating their very human reactions? I should stress that I don’t believe a hacker did that.  Quite the reverse. I’m asking whether future cyberattacks will try to manipulate the human beings behind the computers.

On reflection, the answer is obvious.  All of war is an effort to manipulate the opponent into a different, defeated frame of mind. But the logical conclusions are pretty troubling. Even as we begin to deploy automated defenses against remote sabotage, attackers will turn to social engineering to defeat them. Once again, this gives the offense far more options than the defense.

Thus, imagine that we decide to improve our cyberdefenses by redesigning critical military or civilian systems so that computers alone cannot cause catastrophic missteps. That’s good, but it simply challenges the attacker to find a way to influence not just the computers but also the humans – to panic the humans into a catastrophic misstep. Even if the attacker can’t fly our planes into the sea, maybe he can get our pilots to do it for him. Even if he can’t cross the air gap to bring down our nuclear plants, he might be able to fake an emergency in the operations center that leads to the same outcome.

As AF447 shows, the key to such an attack is to create doubts about what is true in a situation where decisions must be made in minutes.  Then, as AF447 shows, humans revert to muscle memory and to training, which in some cases can lead rather predictably to disaster.

We’re already seeing rudimentary social engineering in cyberattacks.  We need to get ready for something a lot more sophisticated.

SOPA-Rope-a-dope

Critics of the Stop Online Piracy Act (H.R. 3261) have had an impact.  A manager’s amendment has been offered by Lamar Smith, R-TX, the Judiciary Committee chairman.  I was critical of the first version.  Here’s my take on the new version.

This version contains several provisions aimed at the security concerns raised about the first version.  The new bill insists that it is imposing no technology mandate and that it should not be construed to impair the security of the domain name system or the network of an ISP that receives an order. And it whittles away at the original requirement that ISPs must “block and redirect” visitors to pirate sites. Now, the ISPs are only obliged to block those efforts, not to redirect the subscribers to an alternative site that warns against piracy. ISPs also get a safe harbor that allows them some assurance that they don’t have to redesign their networks to carry out the blocking.

Unfortunately, the new version would still do great damage to Internet security, mainly by putting obstacles in the way of DNSSEC, a protocol designed to limit certain kinds of Internet crime. Today, it’s not uncommon for crooks to take over Internet connections in hotels, coffee shops and airports — and then to direct users to fake websites.  Users sent to a fake banking site are prompted to enter account and password data, which is used to loot the account. DNSSEC prevents such attacks by giving each website a signed credential that must be shown to the browser by the domain name system server before the connection can be completed.

That’s a great idea, but crooks will predictably try to override it.  Their best bet is to claim that the website doesn’t have a signed credential – a claim that will be plausible at least during the transition to DNSSEC.  What should a browser do if a website says it doesn’t have a signed credential yet?  The site might be telling the truth, or it might be a fake site backed by a DNS server that’s been tampered with.  To find out, the browser needs to ask a second DNS server, and if that server doesn’t give an answer, a third and a fourth server until it gets an answer. That’s the only way to keep criminals from blocking the real DNS credentials and offering their own.

Unfortunately, the things a browser does to bypass a criminal site will also defeat SOPA’s scheme for blocking pirate sites.  SOPA envisions the AG telling ISPs to block the address of www.piracy.com.  So the browsers get no information about www.piracy.com from the ISP’s DNS server. Faced with silence from that server, the browser will go into fraud-prevention mode, casting about to find another DNS server that can give it the address.  Eventually, it will find a server in, say, Canada.  Free from the Attorney General’s jurisdiction, the server will provide a signed address for piracy.com, and the browser will take its user to the authenticated site.

That’s what the browser should do if it’s dealing with a hijacked DNS server.  But browser code can’t tell the Attorney General from a hijacker, so it will end up treating them both the same. And from the AG’s point of view, the browser’s efforts to find an authoritative DNS server will look like a deliberate effort to evade his blocking order.
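The fallback behaviour described above, as an added sketch that is not from the original post or from any browser's code: a client that accepts only a validated answer and moves to the next resolver otherwise, run against a tampering resolver and a silent (blocking) one. HMAC with a shared key stands in for DNSSEC's public-key signatures, and the name, addresses and resolver labels are all constructed.

```python
import hashlib
import hmac

# Constructed stand-in for the zone's signing key. Real DNSSEC uses public-key
# signatures chained to a trust anchor; HMAC keeps this sketch stdlib-only.
ZONE_KEY = b"constructed-demo-zone-key"

NAME = "www.example.test"       # constructed name
REAL_ADDR = "192.0.2.10"        # documentation-range address (constructed)
FAKE_ADDR = "198.51.100.66"     # address a tampering resolver hands out


def sign(name, address):
    """Produce the 'signed credential' binding a name to an address."""
    msg = f"{name}|{address}".encode()
    return hmac.new(ZONE_KEY, msg, hashlib.sha256).hexdigest()


def verify(name, address, signature):
    """True only if the answer carries a valid signature for this name."""
    if signature is None:
        return False
    return hmac.compare_digest(sign(name, address), signature)


def honest_resolver(records):
    """Returns signed answers for the names it knows, silence otherwise."""
    def answer(name):
        if name not in records:
            return None
        addr = records[name]
        return {"address": addr, "signature": sign(name, addr)}
    return answer


def tampering_resolver(fake_address):
    """Claims the site has no signed credential and offers its own address."""
    def answer(name):
        return {"address": fake_address, "signature": None}
    return answer


def blocking_resolver(upstream, blocked_names):
    """Answers normally, but stays silent for names it was told to block."""
    def answer(name):
        if name in blocked_names:
            return None
        return upstream(name)
    return answer


def resolve_validated(name, resolvers):
    """Try each (label, resolver) in order; accept the first validated answer.

    Returns (address or None, trail), where trail records why each resolver
    was accepted or skipped. If nothing validates, the lookup fails closed.
    """
    trail = []
    for label, resolver in resolvers:
        reply = resolver(name)
        if reply is None:
            trail.append((label, "no answer"))
        elif reply["signature"] is None:
            trail.append((label, "unsigned"))
        elif not verify(name, reply["address"], reply["signature"]):
            trail.append((label, "bad signature"))
        else:
            trail.append((label, "validated"))
            return reply["address"], trail
    return None, trail


if __name__ == "__main__":
    backup = honest_resolver({NAME: REAL_ADDR})
    scenarios = {
        "tampered hotspot": [("hotspot", tampering_resolver(FAKE_ADDR)),
                             ("backup", backup)],
        "blocking ISP": [("isp", blocking_resolver(backup, {NAME})),
                         ("backup", backup)],
    }
    for title, resolvers in scenarios.items():
        address, trail = resolve_validated(NAME, resolvers)
        print(f"{title}: {address} via {trail}")
```

In both scenarios the client ends up with the same validated address from the second resolver; the only difference it can observe is whether the first resolver returned an unsigned answer or nothing at all.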

The latest version of SOPA will feed that view.  It allows the AG to sue “any entity that knowingly and willfully provides …a product … designed by such entity or by another in concert with such entity for the circumvention or bypassing of” the AG’s blocking orders.

It’s hard to escape the conclusion that this provision is aimed squarely at the browser companies. Browsers implementing DNSSEC will have to circumvent and bypass criminal blocking, and in the process, they will also circumvent and bypass SOPA orders. The new bill allows the AG to sue the browsers if he decides he cares more about enforcing his blocking orders than about the security risks faced by Internet users. Indeed, the opaque language about “another in concert with such entity” makes perfect sense in the context of browser extensions.  It allows the AG to sue not just browsers but also add-ons with this feature.

OK, that’s the law.  Now imagine you are Microsoft, or Google, or Apple, or Mozilla.  The DNSSEC guys come to you and ask you to implement DNSSEC.  It won’t increase your revenue, they admit, but it will make the Internet much safer for your users.  You want to be a good internet citizen, so you think maybe you should devote some precious code-writing resources to the cause.  But first you ask your lawyers whether they foresee any problems.

“Well, yes,” they’d have to say. “If you add code to the browser that implements DNSSEC, you’ll have to add code that circumvents criminal hijackings of the DNS system.  And that code can be declared illegal by the Attorney General pretty much whenever he likes.  You can litigate about it, of course, but if you lose, the AG can shut down all shipments of your browser until it’s been revised to the satisfaction of his staff and their advisers in Hollywood.”

Faced with that advice, would you implement DNSSEC?

Neither would I.

In fact, I wouldn’t even allow the DNSSEC guys to write an extension that implemented their protocol. And so, by poising a sword of Damocles over the browser companies, SOPA will kill DNSSEC.

Let’s hope that the opposition to SOPA hasn’t punched itself out against the first version of the bill, because this version is badly in need of a knockout punch.

The Wall Street Journal recently published a round-robin dialogue on privacy featuring Jeff Jarvis, danah boyd, Chris Soghoian, and me. Our vibrant discussion was quite heavily compressed for publication, so two of the other participants have now published their contributions in full.  Jeff Jarvis’s is here, and danah boyd’s is here. Publishing the full version on the web seems like good practice generally, so I’m following suit, with a few edits to avoid cross-referencing material that hasn’t been put on the web.  The Wall Street Journal’s questions are in bold italics.

How much should people care about privacy?

 That’s like asking how much they should care about the weather. Some, for sure. If we don’t, we’re liable to end up deeply uncomfortable from time to time.

 But let’s not kid ourselves. Privacy is like the weather in another way, too. For all the complaining, no one is going to do much about it.

 They can’t. The price of storing and analyzing data is dropping exponentially; and keeping that data hidden is a hopeless task.

 So, in the end, we will adjust.  Privacy is the most adaptable of rights. 

 Sometimes our sense of what is private shrinks. The man who invented the right to privacy, Louis Brandeis, was appalled that ordinary newsmen could snap his picture and print it in the paper without so much as a by-your-leave.  And most of us can sympathize, if we remember the shock of seeing ourselves in a photo, looking quite different than we imagined.  But no one today thinks that photography is a privacy violation. We’ve adjusted to the new technology. 

 And sometimes our sense of privacy grows. Most of us would be deeply uncomfortable at the idea of having strangers sleeping in our homes, listening to our family conversations, and gossiping about us over the back fence. But Brandeis never gave the privacy risk posed by his servants a second thought.

 It’s tempting, in that first uncomfortable moment when new technology starts to shrink our old sense of privacy, to ask for new laws to protect us from change.

 They won’t. Sooner or later, the laws on the books will yield to Moore’s law. But in the meantime, bad laws can do a lot of damage.

 Maybe it made sense to tell the FBI in Hoover’s day that its agents couldn’t compile clippings files on Americans who weren’t suspected of acting improperly. But by the time of 9/11, when any coed could assemble clips files on her blind dates — in seconds, for free, with the help of Google — did it really make sense for FBI agents to be the only people in the country barred from printing out name searches?

 So, sure, we should care about privacy. But we should also care about dumb privacy laws whose cost we won’t appreciate until it’s too late.

 What is the harm that can be inflicted by bad privacy laws? Will it prevent us from catching terrorists or drug cartels?

 Bad privacy laws abound, but the harm they do is too often downplayed in the media. 

 Take the story of September 11 itself. As the attacks loomed, the secret court that approves national security wiretaps had plunged the FBI into turmoil — but over privacy, not terrorism. Perhaps reacting to charges that it was merely a rubber stamp, the secret court had begun aggressively protecting Americans’ privacy — by imposing harsh, career-killing sanctions on an FBI agent who failed to observe the Wall between law enforcement and intelligence.

 As described in Skating on Stilts, the court’s harsh punishment was still reverberating when the FBI learned that two al Qaeda operatives had entered the US. Members of its massive Cole bombing task force begged for a chance to track them down.  But no one was willing to risk the secret court’s wrath by using a criminal task force to pursue intelligence leads.

 And so we missed our last, best chance to stop the 9/11 attacks — thanks to the secret court’s misplaced enthusiasm for a dubious privacy doctrine. That’s what turned me from a moderate privacy supporter into a profound skeptic. 

 Worse, because the secret court has never been held to account for its fecklessness, it is reportedly still following the same path — imposing new and secret privacy restrictions on our intelligence agencies. And leaving us all at risk of becoming the next privacy victims.

 You’ve said that privacy advocates have helped turn our computers into surveillance machines; what privacy laws are you referring to? And how should it have been prevented?

 There are indeed privacy laws that make computer defense much more difficult.  European laws protecting employee privacy make it harder to secure corporate networks, and U.S. privacy rules make it hard for the government to identify and warn Americans whose computers have been taken over by botnets. But the real problem is the way privacy groups have prevented the government from making policy changes in response to the growing danger of network attacks. 

 Take intrusion detection. Many corporate networks use technology that monitors networks to detect intrusions and alert administrators to threats. As long ago as the 1990s, the Clinton Administration proposed creating a Federal Intrusion Detection network, or FIDNet, that would do the same thing for civilian government networks.  It didn’t happen. FIDNet was condemned by privacy groups as “a monitoring system that threatens privacy and other civil liberties.” Along with their allies in the press, privacy advocates made FIDNet so controversial that Congress killed it. When George W. Bush revisited the idea, it made even less progress.  Only now, after a third President has raised the alarm about network attacks, are we beginning to roll out coordinated intrusion detection for the civilian arms of government.  Of course we’re a decade late; foreign governments have had ten years to steal all the information the privacy advocates now say they’re worried about – delays caused in large part by the privacy advocates themselves. 

If secret court orders protecting privacy led to 9/11, as you contend – isn’t the answer to not have secret courts? Not that privacy is terrible?

 Secrecy may well be cloaking dubious rulings by the secret court, just as it cloaked the court’s enforcement of the Wall. But we can’t expose those rulings without also exposing the highly classified intelligence operations the court is overseeing.  To solve this kind of dilemma, the Congress’s intelligence committees sometimes conduct classified investigations and release an unclassified summary of their findings.  Maybe the value of such an investigation is one thing that privacy advocates and I (and the Wall Street Journal) can all agree on.

 But the problem at its heart is not secrecy.  It’s the court’s willingness to create novel privacy and civil liberties protections.  That may sound like a good thing, but it cost us dearly in August 2001. We should consider that cost before we impose new privacy rules.

Adele Tops the Supremes

Why is there so much bad privacy law, and so many privacy victims? Here’s my theory.  Privacy advocates exploit that first uncomfortable moment when we realize that technology is changing our world, offering a Luddite illusion that law can prevent uncomfortable change.  The result is laws and court rulings on privacy that quickly become quaint.

It’s not hard to find support for that view if you compare United States v. Jones, the GPS 4th Amendment case, with an article in today’s Washington Post about the rapid spread of license plate readers:

When stored over time, the collected data can be used instantaneously or can help with complex analysis, such as whether a car appears to have been followed by another car or if cars are traveling in a convoy.

Police also have begun using them as a tool to prevent crime. By positioning them in nightclub parking lots, for example, police can collect information about who is there. If members of rival gangs appear at a club, police can send patrol cars there to squelch any flare-ups before they turn violent. After a crime, police can gather a list of potential witnesses in seconds.

Arlington police cars equipped with the readers regularly drive through the parking garage at the Pentagon City mall looking for stolen cars, checking hundreds of them in a matter of minutes as they cruise up and down the aisles.

At the same time that license plate readers are spreading across the landscape, companies like Google and Apple are investing heavily in location-based services for smartphones.  As a result, we’re rapidly losing any expectation that our location is private.  These fast-moving technologies make the technique at issue in Jones – whether law enforcement can physically attach a GPS tracking device to a suspect’s car – seem almost antediluvian.

Recall the moment that many journalists treated as the critical coup de grace for the government in Jones. Pressing the SG’s office about GPS tracking of Supreme Court Justices, Chief Justice Roberts asked, “So your answer is yes, you could tomorrow decide that you put a GPS device on every one of our cars, follow us for a month; no problem under the Constitution?” Many reporters and lawyers thought that this question was a killer for the government, likely hoping that the Court will ride to privacy’s rescue and  impose constitutional constraints on such tracking.

That may be so, but what the Court says about location privacy in Jones is not likely to stand the test of time. It’s as caught in the present moment as Adele’s “Someone Like You” – and a little less likely to endure. If the case had come up ten years ago, the Court, unthreatened by the location revolution, would likely have accepted the SG’s answer — that the FBI could physically follow the Justices’ movements in public without causing a constitutional concern, and a GPS device shouldn’t be viewed differently. And if the case came up ten years from now, the SG would answer, “Chief Justice Roberts, we don’t need to attach a GPS device to your car.  We can already track its movements with no warrant in a license plate database that is always getting bigger and more effective.  And we already have subpoena access to the third party location-based service providers that you all authorized when you activated your smart phones. Hell, soon, those services are going to merge.  People will mount dirt-cheap cloud-connected license-plate reading cameras on their cars as protection against a hit-and-run or road-rage attack — or to help the police find a kidnapper. No one is going to expect privacy in their car’s location then.”

In 2021, I predict, thirty-somethings will snuggle nostalgically to “Someone Like You,” and reminisce about the days when their parents didn’t know where they were – while smugly congratulating themselves that their kids will never be able to do the same to them.

And if the Court imposes constitutional restrictions on GPS tracking in Jones? What will be the ruling’s fate in 2021?  It seems to me that the debate is going to end in one of two ways.  Either constitutional restrictions on GPS devices will become a forgotten corner of the law, as law enforcement moves to newer location tracking techniques, or the Court will begin a campaign it cannot win – trying to regulate a host of location technologies in a vain effort to preserve twentieth century notions of privacy.

That’s where dumb privacy law comes from.

Photo credits:  Thanks to Francis Storr in Flickr and to Amazon.co.uk

Once again, Congress is being asked to make bad rules that will hurt network security, but this time the blame doesn’t fall on the privacy lobby.  This time the booby prize goes to the intellectual property lobby.

Below is an op-ed I wrote for Politico this week on the security consequences of the copyright enforcement bills now on the Hill — PROTECT IP and the Stop Online Piracy Act.  As it happens, the House Judiciary Committee held a hearing on the proposal on Wednesday, when the op-ed appeared, and some of the questioning turned on my op-ed.  Indeed, I gather that it contributed to an unexpectedly ragged performance from Hollywood’s normally smooth witnesses.

Unfortunately, the Politico article was posted behind a paywall.  That’s pretty ironic for an op-ed questioning the value of over-enforcing the copyright laws. So I’m posting it here, too:

Everyone knows that internet security is bad and getting worse.  Recognizing the problem, Congress is hard at work on cybersecurity, with a number of bills on the table.  Ironically, at the very same time, Congress is getting ready to pass a copyright enforcement bill that could kill our best hope for actually securing the internet.

How did that happen?  Let’s start with the internet, where fake websites cost users millions of dollars in fraud losses every year.  Unless we find a better system for locking down website identities, this and other forms of online crime will continue to skyrocket.

It turns out that internet engineers have already designed a system to solve this problem — a set of technical rules that go by the unlovely name of DNSSEC. Under these rules, an Internet website will be given identification credentials by the same company that registers its Internet name.  Thus, when Citibank claims the domain name citibank.com, the registry who issues the name will at the same time lock that name to a particular Internet address. From then on, anyone who types “citibank.com” into his browser will be sent to one and only one Internet address.  Under the new system, the browser simply will not take the user to a site that isn’t verified by Citibank’s unique credentials.

That’s protection that the people who bank online need today. 

Why don’t they have it?  Two reasons.  The first is friction.  Moving to the new rules won’t be free.  It will require a lot of work by browser companies, internet service providers, domain registries, and others – many of whom may never get any direct benefit from the change.  Naturally, these companies are a little slow to spend money that just makes the internet overall safer; that’s the tragedy of the commons.  But as the need for security becomes obvious to all, we’re slowly overcoming that friction, thanks in part to the leadership of my old agency, the Department of Homeland Security, in getting government to adopt the new procedures.

The second problem is new. It is Hollywood’s desperate desire to keep foreign websites from delivering pirated movies and music to American computers.  To do that, the movie industry wants a law that will require internet service providers to block their customers from going to those sites.  Instead, the users are supposed to be sent to a site that warns them against copyright infringement.

 Hollywood has sold that idea to Congress, and bills are now moving through both houses to impose this “block and redirect” obligation on internet service providers.  And they’re moving fast. The Senate bill is out of committee, while the House judiciary committee is holding hearings on a similar bill this week.

 This is far faster than Congress’s cybersecurity effort, and it runs directly counter to that effort. Because “block and redirect” is exactly what crooks are doing today to bank customers.  If the bills become law, the security system won’t be able to tell the difference between sites that have been blocked by law and those that have been sabotaged by hackers. Indeed, it isn’t hard to imagine crooks redirecting users to sites that say, “You were redirected here because the site you asked for has violated copyright,” while at the same time planting malware on the user’s computer. 
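The point above, as an added toy model that is not part of the original op-ed: a validator checks every answer against the zone's public key, so a legally mandated redirect and a criminal forgery both come back with the same verdict. The name bank.example, the documentation addresses, the two toy keys and the use of textbook RSA as a stand-in for real DNSSEC signatures are all assumptions made for illustration.

```python
import hashlib

E = 65537  # public exponent shared by both toy keys


def make_key(p, q):
    """Build a toy RSA key from two known primes (far too small for real use)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent
    return {"n": n, "d": d}


# Constructed keys built from Mersenne primes. ZONE_KEY stands in for the key
# that signs the bank's zone; OTHER_KEY is any key that is not the zone's.
ZONE_KEY = make_key(2**61 - 1, 2**89 - 1)
OTHER_KEY = make_key(2**107 - 1, 2**127 - 1)


def digest(name, address, n):
    """Hash the (name, address) binding and reduce it into the key's range."""
    h = hashlib.sha256(f"{name}|{address}".encode()).digest()
    return int.from_bytes(h, "big") % n


def sign(key, name, address):
    """Textbook RSA signature over the binding (no padding: illustration only)."""
    return pow(digest(name, address, key["n"]), key["d"], key["n"])


def validate(zone_public_n, answer):
    """Return 'secure' if the answer verifies under the zone's public key.

    The zone is known to be signed, so a missing signature is as bad as a
    wrong one. The validator sees only pass or fail, never the reason.
    """
    sig = answer.get("sig")
    if sig is None:
        return "bogus"
    expected = digest(answer["name"], answer["address"], zone_public_n)
    return "secure" if pow(sig, E, zone_public_n) == expected else "bogus"


def classify_answers():
    """Run four constructed answers for one name through the validator."""
    name = "bank.example"
    genuine = {"name": name, "address": "192.0.2.10"}
    genuine["sig"] = sign(ZONE_KEY, name, genuine["address"])

    notice_page = "198.51.100.7"   # constructed address of a legal-notice page
    forged_site = "203.0.113.66"   # constructed address of a fake bank site

    answers = {
        "genuine": genuine,
        # The ISP rewrites the address but has no zone key, so it can only
        # drop the signature ...
        "mandated_redirect_unsigned":
            {"name": name, "address": notice_page, "sig": None},
        # ... or leave the old signature, which no longer matches the data.
        "mandated_redirect_stale_sig":
            {"name": name, "address": notice_page, "sig": genuine["sig"]},
        # A forger signs with a key of his own, which is not the zone's key.
        "criminal_forgery":
            {"name": name, "address": forged_site,
             "sig": sign(OTHER_KEY, name, forged_site)},
    }
    return {label: validate(ZONE_KEY["n"], a) for label, a in answers.items()}


if __name__ == "__main__":
    for label, verdict in classify_answers().items():
        print(f"{label:30} {verdict}")
```

Only the genuine answer validates; the validator has no third verdict that would let it treat a redirect ordered by a court differently from one inserted by a criminal.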

 What’s more, the bill will likely break the fragile consensus that my former agency, the Department of Homeland Security, has spent years helping to build around the switch to DNSSEC.  If the bill passes, practically everyone who needs to make changes to implement DNSSEC will instead be on the phone to their lawyers, asking whether they will be sued for adopting a security technology that makes the mandated “block and redirect” system even more difficult. 

If “block and redirect” could stop Hollywood’s bleeding, perhaps a case could be made for undermining everyone’s security in order to protect the studios’ intellectual property. But it won’t stop the bleeding.  Even today, if someone is blocked and redirected away from his favorite pirate website, he can find many simple ways to defeat the block. He can paste his favorite pirate website’s number (rather than its name) into the address box on his browser.  Or he can simply tell his computer to look up the site’s address on a Canadian server instead of an American one.

Passing this bill will make Hollywood feel better, and richer. 

For about a minute. 

It will leave the rest of us hurting and poorer for years.

A recent report by Danah Boyd and others reveals that turning parents and children into liars is a principal effect of the Children’s Online Privacy Protection Act, or COPPA.  According to Consumer Reports, 7.5 million kids under 13 have joined Facebook. Since Facebook prohibits kids of that age from the service, that’s 7.5 million children who lied in the signup process.  And most of them got help in telling the lie from their parents.  According to Boyd’s study, the vast majority of parents were aware that their children joined Facebook before reaching 13; in fact, more than two-thirds of these parents helped their under-age kids join.

That’s a lot of lying.

COPPA more or less forces Facebook into excluding thirteen-year-olds.  The law and the FTC regs implementing it set stringent limits on the kinds of information that web services can collect from kids under 13 in the absence of “verifiable parental consent.” Obtaining verifiable consent requires mail, fax, phone calls, or credit card numbers; email is allowed only if accompanied by a cryptographically secure digital signature. It is quite deliberately a hassle.  And once the consent is received, the service is charged with knowledge that the customer is a child, which triggers special legal protections and limits, not to mention FTC and state attorney general oversight.

All in all, unless you’re running a site focused exclusively on preteens, you’d be crazy to let them join.  Facebook isn’t crazy.  It excludes children.  But staying off Facebook isn’t really an option for kids with a social life, or grandparents for that matter. So the real effect of the law and Facebook’s policy is to force children and their parents to lie about the child’s age.

Teaching kids to lie isn’t exactly a government policy to be proud of.  But federal law has another unintended legal consequence in store for those parents and kids.  As Orin Kerr and I have pointed out, Facebook users who violate the site’s terms of service also violate the Computer Fraud and Abuse Act, at least according to the Justice Department. Which would make every one of those parents and children guilty of a federal misdemeanor.

By my count, that’s well over ten million misdemeanors, not to mention ten million privacy victims.

Now, you might ask, “Who the hell is the government to take away the decision whether my kids can join Facebook?”  Actually, most parents feel exactly this way.  When the study asked them who should have the final say about whether or not their child should be able to use online services, 93% chose the parents, 3% opted for the company providing the service, 2% chose the government, and  2% would leave the decision to the child.

So how did we end up with an online regime that is this intrusive, stupid, and unpopular?

It wasn’t easy.  It took a lot of lobbying, and the story may help explain why we have so many stupid privacy rules.

First, in the 1990s, when parents and children were just beginning to go online, no one knew what that would be like.  There was a lot of free-floating anxiety.   By the late 1990s, the Federal Trade Commission and groups like the Consumer Federation of America were maneuvering to focus that anxiety on fear that evil websites would extract information from trusting youngsters without parental knowledge.  My guess is that the Commission and the consumer groups wanted an overarching online privacy law, and they thought that a law focusing on children’s privacy would be a good first step.

The FTC released a study in 1998 that painted the online industry in dark colors:

The results with respect to the collection of information from children are … troubling. Eighty-nine percent of children’s sites surveyed collect personal information from children. While 54% of children’s sites provide some form of disclosure of their information practices, few sites take any steps to provide for meaningful parental involvement in the process. Only 23% of sites even tell children to seek parental permission before providing personal information, fewer still (7%) say they will notify parents of their information practices, and less than 10% provide for parental control over the collection and/or use of information from children. The Commission’s examination of industry guidelines and actual online practices reveals that effective industry self-regulation with respect to the online collection, use, and dissemination of personal information has not yet taken hold.

Later, in testifying before Congress, the FTC highlighted a few extreme examples:

One child-directed site collected personal information, such as a child’s full name, postal address, e-mail address, gender, and age. The site also asked a child extensive personal questions about financial information, such as whether a child previously had received gifts in the form of stocks, cash, savings bonds, mutual funds, or certificates of deposit; who had given a child these gifts; and whether a child had put monetary gifts into mutual funds, stocks or bonds. The site also asked for family financial information including whether a child’s parents owned mutual funds. Apparently in exchange for providing this information, a child was entered into a contest. Elsewhere on the Web site, contest winners’ full names, age, city, state, and zip code were posted.

Another child-directed site collected personal information to register a child for a chat room. The information included a child’s full name, e-mail address, city, state, gender, age, and hobbies. The Web site had a lotto contest that asked for a child’s full name and e-mail address. Lotto contest winners’ full names were posted on the site. For children who wished to find an electronic pen pal, the site offered a bulletin board service that posted messages, including children’s e-mail addresses. While the Web site said it asked children to post messages if they were looking for a pen pal, in fact anyone of any age could visit this bulletin board and use the Web site information directly to contact a child.

Those examples would have a lot less power today, partly because the gathering of online data doesn’t seem as alien or scary as it did in 1998.  We’ve given our email addresses to a lot of sites without being stalked by predators.  We also know that there are practical limits on web services’ data collection and usage. Sites that ask kids for too much information are unlikely to prosper because, as Boyd’s study shows, parents play a pretty big role in their preteens’ decision to join a service.

But in 1998 the FTC’s stories were seen as disturbing portents of a dystopian future. And how could we head off this future?  Not to worry; the FTC also had a solution.  Casting itself as a vigilant defender of parental rights, the Commission told Congress that the solution was – what else? – an expansion of Commission authority over online privacy practices: “As a result of our activities over the past three years, the Commission has developed significant expertise regarding children’s privacy. … The Commission strongly supports the approach adopted in this legislation.”

The bill was enacted later that year.

Where were the privacy groups while this was going on?  On the case, sort of.  The Center for Democracy and Technology testified in favor of the overall bill, but it wanted changes to give parents even less knowledge about their kids’ online activities; it asked (with some success) for modification of provisions that would have given parents access to any information their child provided to a website and alerted them when the child gave his email address to a website.

If you were a parent in 1998, you probably felt pretty good when you heard about COPPA’s passage.  You’d been told that it was going to protect your kids’ privacy by empowering you. But in fact, it mainly empowered a government agency to decide what your kids can do online.  And the privacy groups you thought were on your side?  They were more interested in protecting your kids from, well, you.

This isn’t just history.  The story of COPPA is by and large the story of most privacy legislation: a new technology emerges, followed by a “privacy panic” over how it might be misused (often engineered by interested agencies and privacy groups), followed by hasty legislation with large-scale unintended consequences — and, soon, a new class of privacy victims.

If I were a libertarian, I’d be particularly troubled by the FTC’s role in this drama. In the name of privacy and parental control, we let the FTC create a legal regime that expanded government’s authority over the Internet and took away parents’ ability to control their children’s online memberships, at least without lying.

And this weird mix of the authoritarian and the libertarian is not a bug unique to COPPA; it is a deliberate feature embraced by most of the privacy lobby whenever they talk about setting privacy rules for the private sector.  Considering how many supporters of privacy legislation tend to be dubious about government authority, it’s remarkable how often privacy legislation empowers some bureaucrat to regulate some part of the economy more aggressively.

Photo credit: http://www.flickr.com/photos/joebehr/5130944038/sizes/o/in/photostream/

Well, that’s all right, then

The British Commonwealth has endorsed an end to the traditional preference for sons over daughters in royal succession.  Said British Prime Minister David Cameron, “The idea that a younger son should become monarch instead of an elder daughter simply because he’s a man … this way of thinking is at odds with the modern countries that we’ve all become.”

So, instead of letting its ruler be determined by an accident of biology, the UK will now choose its ruler based on … a different accident of biology.

Anyone who’s read Skating on Stilts knows I am a big believer in using travel data for counterterrorism purposes.  What’s more interesting is that the Obama administration has been just as enthusiastic.  Some of the reasons for its enthusiasm showed up in testimony to the House Homeland Security Committee last week, when the Department of Homeland Security released stories about its use of travel data that I had not seen before.

Remember Faisal Shahzad, the Times Square bomber who was pulled off a plane at JFK as it was preparing to leave the country?  It turns out that travel data was his nemesis, helping DHS and the FBI track him at every turn:

Early in this investigation, the Federal Bureau of Investigation (FBI) learned of Shahzad’s cell phone number from a report shared by DHS.  The FBI ran the phone number in their ACS system and was able to connect it to the DHS report. Through good interagency cooperation, the FBI asked DHS if it had encountered any individual who reported this phone number during border crossings.  DHS searched its PNR database for the phone number, identified Shahzad, and learned other information he had provided to DHS.  DHS then provided the additional data to the FBI.  Later, Shahzad attempted to flee the United States, but DHS’s analysis of departing passenger data identified him before departure and DHS removed him from the aircraft.

Najibullah Zazi was the guy who rented a truck and drove cross country to set off explosives in the New York City subway. It turns out we used travel data to identify the scope of the conspiracy and to interrogate him. According to Indian news sources, Tom Bush, testifying for Customs and Border Protection, revealed that:

“Using PNR data, DHS and CBP worked closely with the FBI to crosswalk the names of his co-travelers against open counter-terrorism cases inside the United States and determined his co-travelers were being trained during the same trips to Pakistan in the same training camps. Zazi was arrested on September 19th, 2009, and the information from his PNR records were used in his questioning and his indictment. Zazi pled guilty in February 2010.”

Particularly impressive was the use of travel data to identify David Headley, the American who did reconnaissance work for the Mumbai attacks:

“Law enforcement intelligence information implicated a specific person in the plotting of a 2008 Mumbai attack, as well as the possible attacks against a Danish newspaper office. … Starting with a very common first name, David, a partial travel itinerary and a very vague travel timeframe, CBP was able to review its PNR data in connection with other DHS databases…. Within 24 hours, CBP was able to provide the FBI with the person’s full name, address, passport number, travel history and other information useful to law enforcement pursuing him. You may know that person as David Headley, who pled guilty in March 2010.”

In short, travel data has been crucial in keeping Americans alive during the ten years since 9/11.  And during the same decade, the European Union has been doing everything it can to cripple our use of travel data.  It’s forced four rounds of negotiation on privacy standards for travel data and then has blown up every deal it’s reached, always threatening to cut off the flow of data if the US doesn’t keep talking.

With that record, you’d be forgiven for wondering whether Europe’s elite actually thinks it’s a good thing to keep Americans alive.

In fact, with that record, you’d probably be forgiven if you stopped wondering.

The Institute of Medicine, part of the National Academy of Sciences, has studied the problem of how to distribute antibiotics in the event of an anthrax attack.  It’s a big problem, because, as the study confirms, the antibiotics have to be in people’s hands (mouths, really) within 48 hours of an attack.  And it may take the government almost that long to realize we’ve been attacked.  So, the scientists had a choice between recommending (1) a Big Government solution, in which the government stockpiles the antibiotics, flies them to the affected area when needed, and relies on the near-bankrupt Postal Service to get them to the right people in time, or (2) letting people have (or buy) Medkit packets of antibiotics to store at home for an emergency.

The study was funded by HHS, so you won’t be surprised to discover that the Institute recommended (1) a Big Government solution.  The main reason it gives is that you and the rest of the public are just too bone stupid to be trusted with antibiotics.  But to spare your feelings, the Institute puts it this way:  letting you have antibiotics raises “the potential for inappropriate use in routine settings (e.g., using the antibiotics to treat a cold) and the potential for widespread inappropriate use in response to a distant anthrax attack, a false alarm caused by a nonanthrax white-powder event, or some other public health emergency for which antibiotics are not indicated.”

But, really, “too bone stupid” is pretty much what they meant.

This is the National Academy of Sciences, of course, so they’ve got scientific evidence of our stupidity.  Like, for example, the Center for Disease Control gave more than four thousand people in St. Louis special antibiotic medkits to hold for an emergency.  Months later, they went back and collected them.  They counted the people who had engaged in “inappropriate use in routine settings.” And they found, uh, four.  Not four percent, four people.  That’s one-tenth of one percent, last time I looked.

Apparently we weren’t as dumb as the National Academy of Sciences would like to think, so they declared that this science wasn’t settled, in fact it wasn’t even worth thinking about.  Why?  Because participants were promised a $25 gift certificate if they completed the study. According to the National Academy’s report, this promise of a gift card so tantalized the unwashed masses that they pretended to be less stupid than the scientists know we really are. So the study didn’t count.

Once all that nasty unpredictable science was out of the way, the National Academy of Sciences was free to say what it wanted to say all along:  No antibiotics for you.

But the gob-smacking foolishness of relying on government distribution of antibiotics in an emergency was simply too obvious for even the Institute of Medicine and the National Academy of Sciences to completely ignore.  So they encouraged the distribution of some medkits to some people.

Which people, you ask?

Do you really have to?  The study tentatively recommends that the life-saving kits be issued to “some first responders, health care  providers, and other workers that support critical infrastructure, as well as their families.” Apparently medical workers aren’t too stupid to live, according to the Institute of, uh, Medicine.  And neither are government workers – those postal workers, the cops that will have to accompany them, and anybody else in government who’s smart enough to call himself a first responder (want to bet that includes the Governor?).

And their families too, of course.  We’ll need to repopulate, after all.

Have I been unfair to the authors?  It’s possible.  I went through the report fast, and with mounting blood pressure.  So I welcome corrections in the comments. Or jokes about government health care, as you choose.

The more important question is:  What can you do to protect yourself from this astonishing feat of policy malpractice?

Here, at least, I can praise the report, because it acknowledges, a bit grudgingly, an option I highly recommend:  Ask your doctor for a prescription for antibiotics and stash them in a cool, dark, dry place (not your warm, light, wet bathroom).  If your doctor balks, you can quote this passage from the report:

Personal stockpiling might also be used for certain individuals who lack access to antibiotics via other timely dispensing mechanisms (for example, because of their medical condition and/or social situation) and who decide—in conjunction with their physicians—that this is an appropriate personal strategy. This is allowed under current prescribing practice and would usually be done independently of a jurisdiction’s public health strategy for dispensing medical countermeasures.

Of course you’re supposed to persuade your doctor that you’d “lack access to antibiotics via other timely dispensing mechanisms.” I suggest reading him the part about how the Postal Service will carry out the distribution.

If that doesn’t convince him, maybe you need a smarter doctor.

Photo credit: http://www.flickr.com/photos/hukuzatuna/2536746395/

The Kindle Fire is a remarkable innovation in the Apple mold:  taking a bunch of components that are pretty well known and combining them into a powerful new experience.  But unlike Apple, Amazon’s integrating vision isn’t visual design or even user delight.  Instead it’s far more ambitious — a new vision of the entire Internet ecosystem.

OK, let me try that again without the Valley babble.  The Kindle Fire forks Android into an Amazon-designed and Amazon–controlled operating system.  So far, no surprises. Amazon owns and subsidizes the hardware, too, so it can design features that integrate operating system and processor tightly.  Again, nothing that Apple can’t do.  But then comes the clever, almost-new idea:  Fire uses its own browser, called Silk, which is designed to work with Amazon’s massive cloud computer. So instead of downloading web pages one after the other and opening them on your computer, Amazon’s cloud stores and even opens them, sending you the end result.  This allows speedier downloads for a couple of reasons:  Caching of popular pages (or even parts of pages) avoids download delays when the original source is overloaded; and Amazon’s cloud can handle even the most processor-intense pages instantaneously, far faster than your wheezing desktop machine.  In short, your Internet experience on the Fire ought to be lightning quick.

There’s another advantage to this new vision of what might be called the Bezosnet.  The Bezosnet ought to be a lot more secure.  One way that hackers compromise your machine is by getting you to go to malware-infected sites.  Just visiting the site triggers routines that take over the visitor’s computer.  But if the routine runs, not on a visitor’s computer but in a virtual environment at Amazon’s data center, the attacker’s code isn’t likely to work.

In fact, it looks to me as though Amazon has a remarkable security opportunity here.  It controls the Fire hardware, the Fire operating system, and the Fire user’s internet connection. If a Fire tablet joins a botnet, Amazon will know immediately. It can quarantine the tablet and alert the owner.  Indeed, it can go further, performing diagnostics to figure out and remedy the security flaw the botnet exploited. If a Fire tablet starts sending beacons or massive encrypted data files to a Chinese controller site, Amazon can spot the pattern and alert the user or even block the transmissions.  No one else, not even Apple, maybe not even DoD, will have the same ability to drive security into all parts of the Internet ecosystem.

If Amazon exploits its security opportunity, this could be transformative for users. To take one example, most people are, or should be, wary about Internet financial transactions.  Small businesses that do electronic funds transfers are at enormous risk today.  Like consumers, their machines are easily compromised, but unlike consumers, their losses to hackers are not underwritten by the banks.  That’s costing them easily hundreds of millions of dollars a year. As small businesses come to appreciate the risk, Amazon has a chance to persuade them that a dirt-cheap Amazon Fire tablet is the only safe way to access their funds.

Competitively, that could put Amazon squarely in the stream of high-value Internet transactions.  Maybe it becomes a bank.  Maybe it forces Mastercard and Visa to give it a discount because fraud on Amazon-mediated transactions is lower. Maybe it takes on Google’s relationship with advertisers, since now Amazon has insight into information advertisers really want:  what are consumers actually buying and how much are they paying? Maybe it kills the prospects of ISPs and telcos hoping to transcend dumb pipe status and exploit their direct connection to consumers; that connection won’t be much use if Amazon controls and can encrypt the entire stream of communication.

For consumers, the Fire opens up a prospect of feudal security on the Internet.  We already know that we can’t protect our own machines from attack. For all the talk of insecurity in the cloud, it’s almost certainly more secure than the decentralized system we have now. To take one example, I have a lot more faith in Google’s ability to protect my gmail account than in the ability of my system administrator to do the same for my corporate account.  And I have more faith in Amazon’s ability to spot malware-infested websites than in my ability to do the same, even with help from Google and antivirus software. Yes, you’re putting all your eggs in one basket, but you’re also hiring someone to guard that basket while you get on with life. Sooner or later, to get security, it looks as though we’re all going to have to pick a liege lord and shelter under his castle walls. And now Amazon has a chance to build the first string of forts and castles across the most desirable territory.

Of course, where there’s feudalism, there’s droit de seigneur. The price for security will be, probably must be, a loss of privacy, anonymity, and control to Amazon.  Right now, Amazon’s terms of service provide some contractual anonymity to users, but as a technical matter Amazon has total visibility into everything that happens on a Fire tablet.  That visibility is very likely necessary for security, and it is damn sure valuable for commercial purposes.  So it’s hard to imagine that it won’t be used for both purposes.

I can hear the privacy Luddites cranking up their outrage machinery now.  As usual, they’ll be a day late.  But they’ll also be a dollar short, at least if I’m right that the alternative to sheltering under Amazon’s walls is living out on the plains alone, at the mercy of marauders. No one will thank the data protection authority that saves us from Amazon by pushing us into the arms of the Russian Business Network. What the authorities can do is police Amazon’s terms of service and perhaps hold Amazon to any promises of security with tough new liability rules.  But, like Regulation Z, which declares that credit card fraud can’t cost US consumers more than $50, a rule imposing liability on Amazon for Internet security breaches could turn out to be an enormous market advantage (not to mention a tough barrier to entry for imitators).

All in all, then, the Fire Tablet is potentially a very big deal.  Too bad I’m too cheap to buy one.

(As always when I get into the details of security technology, I do so with considerable humility about my grasp of, well, actual technical details. This is technology poetry, not prose, and a first draft of the poetry at that. I welcome technical corrections. )

I’ve just finished a longish piece on cyberwar and the role of lawyers, published in Foreign Policy magazine.  Here’s how it begins:

Lawyers don’t win wars. But can they lose one?

We’re likely to find out, and soon. Lawyers across the U.S. government have raised so many show-stopping legal questions about cyberwar that they’ve left the military unable to fight or even plan for a war in cyberspace.

And here’s the part that inspired the title of this post:

By the 1930s, everyone saw that aerial bombing would have the capacity to reduce cities to rubble in the next war. Just a few years earlier, the hellish slaughter in the trenches of World War I had destroyed the Victorian world; now air power promised to bring the same carnage to soldiers’ homes, wives, and children.

In Britain, some leaders expressed hardheaded realism about this grim possibility. Former Prime Minister Stanley Baldwin, summing up his country’s strategic position in 1932, showed a candor no recent American leader has dared to match. “There is no power on Earth that can protect [British citizens] from being bombed,” he said. “The bomber will always get through…. The only defense is in offense, which means that you have got to kill more women and children more quickly than the enemy if you want to save yourselves.”

The Americans, however, still hoped to head off the nightmare. Their tool of choice was international law. (Some things never change.) When war broke out in Europe on Sept. 1, 1939, President Franklin D. Roosevelt sent a cable to all the combatants seeking express limits on the use of air power. Citing the potential horrors of aerial bombardment, he called on all combatants to publicly affirm that their armed forces “shall in no event, and under no circumstances, undertake the bombardment from the air of civilian populations or of unfortified cities.”

Roosevelt had a pretty good legal case. The 1899 Hague conventions on the laws of war, adopted just two years after the Wright brothers’ first flight, declared that in bombardments, “all necessary steps should be taken to spare as far as possible edifices devoted to religion, art, science, and charity, hospitals, and places where the sick and wounded are collected, provided they are not used at the same time for military purposes.” The League of Nations had also declared that in air war, “the intentional bombing of civilian populations is illegal.”

But FDR didn’t rely just on law. He asked for a public pledge that would bind all sides in the new war — and, remarkably, he got it. The horror at aerial bombardment of civilians ran so deep in that era that Britain, France, Germany, and Poland all agreed to FDR’s bargain, before nightfall on Sept. 1, 1939.

Nearly a year later, with the Battle of Britain raging in the air, the Luftwaffe was still threatening to discipline any pilot who bombed civilian targets. The deal had held. FDR’s accomplishment began to look like a great victory for the international law of war — exactly what the lawyers and diplomats now dealing with cyberwar hope to achieve.

But that’s not how this story ends.

Google changes my life, again

I find even good flight search sites, like Hipmunk, Yapta, and Kayak, a little frustrating.  Now Google Flight Search is getting ready to do what Google does best – transform Internet tools for free. Google’s new travel search service is the first fruit from its acquisition last year of ITA Software, a travel search firm.

Lots of travel sites trembled when Google bought ITA.  And well they should.

This thing is cool.

You kind of have to explore it yourself, but the visualization tools are excellent and will save you money.  Example: A weekend trip to Burlington from Washington would cost $845 right now.  Last time I took that trip, I had to fly to Albany and drive to get a decent fare.  Now, thanks to Google Flight’s visualization of future weekend fares, I’ve discovered that United will sell me a $219 weekend ticket from Dulles to Burlington if I just make reservations about a month in advance.  (To see this example, go to the search page for that trip and click on the little calendar icon on the top right side of the page.)

That’s the kind of thing you could learn from the other sites only by laboriously typing dates over and over again, then waiting to see what turned up. With Google Flight, the low fare just jumps out at you.  There’s lots more geeky fun to be had with other tools, too.

Poisoning the Hamburger Helper

The Obama Administration’s legislative proposals on cybersecurity are a distinctly mixed bag.  But probably the worst ideas are those put forward by the Justice Department, which last week testified about the need to update the Computer Fraud and Abuse Act.

Again.

In fact, for the eleventh time since it was adopted in the 1980s.  We’ve seen this movie. Every time Congress gets exercised about cybersecurity, the Justice Department claims that the CFAA needs to be updated.  But “updated” almost always turns out to be a euphemism for “made more prosecutor-friendly.”

Justice’s latest proposals fit squarely into this mold.  Justice wants to create a new crime, hacking a critical infrastructure computer, with a mandatory minimum sentence of three years.  It wants to impose the same penalties on conspiracies and attempts as on successfully completed crimes.  It would get rid of first-time offender provisions in sentencing, increase sentences in general, allow civil forfeiture of hackers’ real estate, and make violation of the CFAA a RICO predicate, which would allow heightened penalties and private civil suits against violators.

Well, you might ask, why not get tough with hackers?  Surely we shouldn’t be playing pattycake with Anonymous and Lulzsec, let alone the foreign hackers endangering our national security.  That’s true, but the problem we have with those hackers is not the weakness of our criminal penalties but the fact that, most of the time, we can’t find them.  Until we do a better job of breaking the anonymity that protects them, increasing penalties for criminals we don’t catch will not make much difference.

Take a look at the website where Justice maintains a representative list of its most significant prosecutions.  What’s striking is how few prosecutions it has to brag about – less than 50 – and how few of those (maybe half) represent cases in which we actually caught the kind of remote hackers we’re most threatened by. I’m willing to bet that there is no other federal criminal law that has been amended so often in prosecutors’ favor with so few successful prosecutions to show for it.

The latest amendments are more of the same:  Shooting in the dark with a bigger gun. As protections against cyberattack, these amendments are useless.  They are added to the administration’s package mainly to give it the appearance of heft.

They are the legislative equivalent of Hamburger Helper.

Actually, they’re worse than that.  The RICO provision is far more dangerous than it first appears. To explain, I’ll need to repeat some of what Orin Kerr has been saying for years, so if you’re already familiar with that, you can skip the next ten paragraphs.

***

As I’ve said, the remarkable growth in cyberattacks over the last quarter century has enabled Justice to turn the CFAA into what may be the most prosecutor-friendly criminal statute on the books.  What does “prosecutor-friendly” mean in practice?  That any competent prosecutor can find a way to indict and convict anyone who does anything Really Bad with a computer.

With the CFAA, that’s mission accomplished:  The law imposes harsh criminal penalties on anyone who accesses a protected computer “without” or “in excess of” authorization.  The definition of a “protected computer” has been expanded until it covers any computer used in interstate or foreign communication, which in the Internet age is, well, every computer. As a practical matter, then, you can be indicted any time you do something on a computer that isn’t authorized. That term isn’t defined, but you can bet that if you do something Really Bad with a computer, it will turn out to be unauthorized.

Take Lori Drew, an overprotective, nasty mother who created a fake teenage-boy identity on MySpace in an effort to humiliate her daughter’s teenaged frenemy.  The scheme worked so well that the teen killed herself.  There’s no doubt that Lori Drew’s behavior was Really Bad, and it involved computers, so federal prosecutors decided it must violate the CFAA. And, mirabile dictu, it did.  By using a fake identity, Drew had violated MySpace’s terms of service, which meant that she had accessed a MySpace computer “in excess of” authorization. Drew was convicted, although in the end, with Orin Kerr’s help, the guilty verdict was overturned.

This kind of prosecutorial overreach is an inherent risk of the CFAA, given its reliance on the slippery concept of authorization.  As some civil liberties groups recently pointed out, the CFAA at its heart makes it a federal crime to violate a private contract, even a contract of adhesion like a social network’s terms of use:

If, for example, an employee photocopies an employer’s document to give to a friend without that employer’s permission, there is no federal crime (though there may be, for example, a contractual violation).  However, if an employee emails that document, there may be a CFAA violation.  If a person assumes a fictitious identity at a party, there is no federal crime.  Yet if they assume that same identity on a social network that prohibits pseudonyms, there may again be a CFAA violation.

I don’t want to be too hard on the drafters of the CFAA;  they faced a tough drafting problem.  Hackers cause terrible harm, but the things they do aren’t all that different from the things legitimate users do.  Legitimate users open files, modify code, install programs, and send data to remote sites.  So do hackers.  We know the difference between the two, but it’s not easy to express that difference without falling back on the notion that the good guys are authorized to do those things and the bad guys aren’t.

I think this means that any statute that criminalizes hacking is likely to be either too broad or not broad enough.  Congress chose broad language to make sure that hackers couldn’t get off on a technicality, but in the process it gave Justice enormous prosecutorial discretion. Justice Department official James Baker gave a persuasive defense of the “authorization” test in last week’s testimony.  But the Department’s misuse of its broad discretion in the Lori Drew case suggests a need for greater accountability and discipline within the Department.  Requiring that the head of the Criminal Division sign off on all such cases — and take the blame if they turn out badly — may be a more workable solution than taking away the prosecutors’ discretion by changing the law.

Remarkably, though, that isn’t even the worst problem created by the CFAA.  The law also creates a private cause of action, handing a big legal weapon to everyone from the RIAA to the Church of Scientology.  And private parties aren’t exactly showing a lot of restraint.  According to the Center for Democracy and Technology, at least one company has brought a CFAA counterclaim in a pregnancy discrimination case, seeking damages under the Act because its employee acted in excess of authorization on the corporate network.  What did she do?  She violated a corporate proscription on “excessive Internet use.”  Equally abusive is a case that Orin Kerr has pointed out – Sony’s threat to sue PS3 hackers because they used their own computers in violation of Sony’s licensing restrictions.

Maybe back in the 1980s, Congress thought that creating a civil action would unleash the plaintiff’s bar on real hackers.  If so, Congress was deluded.

Civil CFAA lawsuits have proliferated but by and large they aren’t being filed against people who hack into systems.  Instead, they’re being brought by corporations against employees thought to have downloaded too much information from the corporate network before quitting.  They’re being brought by websites to keep competitors from using “scraper” software to collect their pricing data. Maybe those are bad things.  If so, they’re probably already torts under state law, and it’s hard to see why the cases should be in federal court.  And if they aren’t torts under state law, well, it’s even harder to see why they should be in federal court.  It’s the law of unintended consequences run amok.

***

OK, that’s the Gospel According to Orin Kerr. Now back to the latest proposal from Justice.

Justice wants to make the CFAA one of the federal crimes that qualify as “racketeering activity” under the Racketeer Influenced and Corrupt Organizations Act, or RICO.  This would add RICO prosecutions to the long list of get-tough measures that Justice rarely uses against actual hackers because, well, because it can’t catch most actual hackers.

But that doesn’t mean the amendment would have no effect.  Because, like the CFAA, RICO creates a private cause of action against RICO violators.  Actually it’s not just a private cause of action.  It’s a bonanza. Plaintiffs can recover treble damages plus attorney’s fees by bringing suit against “racketeers.” And what do you know, just like CFAA civil suits, it turns out that most RICO civil suits have been brought against ordinary businessmen, “rather than against the archetypal, intimidating mobster,” according to the Supreme Court.

The Supreme Court and Congress have struggled for decades to curb abuses of civil RICO.  Now, almost casually, the Justice Department proposes to open another can of RICO liability for unintended defendants.

How would that happen?  First, treble damages under civil RICO can be claimed by any person “injured in his business or property by reason of” a RICO violation.  18 U.S.C. § 1964(c).    A violation of RICO occurs, inter alia, when a “person employed by or associated with any enterprise engaged in” interstate or foreign commerce participates, “directly or indirectly, in the conduct of such enterprise’s affairs through a pattern of racketeering activity.”  (Sorry for the dense language; it may help to parse the language by thinking of a mobster who acquires partial ownership of a legitimate “enterprise” through threats of violence. He would be squarely covered by the provision, as long as he committed a  pattern of racketeering activity –- that is, more than one predicate crime.  But the words will sweep in far more conduct than classic mobster tactics, especially if Justice gets its way and violating the CFAA becomes a predicate offense.)

Pulling these elements together, let’s look at what the Justice Department’s proposal would mean for some of the unnecessary federal litigation now being brought under the CFAA.  We can start with the employer lawsuits against departing employees.  Employers who want to turn their CFAA claims into much more potent RICO claims would have to show that the departing employee committed two CFAA violations, which should be easy, since every unauthorized download is a new offense.  And, they’d have to show that they were injured in their business by reason of the racketeering; this they can do by showing the same damages that supported the CFAA case.  In short, on a quick look, the Justice Department seems to have created a massive incentive for companies to sue departing employees, and perhaps the companies they join, as racketeers.  Anyone who has a plausible CFAA case today will have a plausible RICO case once Justice gets its amendment.

Okay, another one: How about CDT’s favorite case – the pregnant worker accused of a CFAA violation because of excessive Internet use?  Well, she probably violated the rule on Internet use more than once, which makes for a pattern of racketeering, and she’s employed by an enterprise, in whose affairs she participated by misusing its computers.  The enterprise has been injured, too, by virtue of not getting her full attention at work.  What do you know? She sounds like a racketeer too!  It would be malpractice not to hit her with a counterclaim for treble damages and attorneys’ fees.

(At this point, you may be wondering why the Obama administration, of all administrations, wants to give employers even heavier litigation weapons to use against their employees. Beats me.  Maybe it has something to do with trial lawyers.  Maybe it’s just prosecutorial myopia.  James Baker’s testimony doesn’t even acknowledge the issue.)

OK, let’s try a harder problem.  You’re a copyright holder — Jon Stewart, say — and you’d like faster takedowns and more respect from YouTube.  Posting copyrighted material on YouTube is a violation of law and can lead to termination of your YouTube account.  The Lori Drew case tells us that the people who post clips in violation of that policy are using YouTube’s computers “in excess of authorization.” That’s a CFAA violation.  Do it twice and it becomes a pattern of racketeering, at least if Justice gets its way.  Now, the people doing the posting aren’t employees of YouTube, but they are “associated with” the YouTube enterprise, and they are participating indirectly in the conduct of YouTube’s affairs by virtue of their shocking CFAA violations.  What’s more, the Daily Show can claim injury in its business because it has lost viewers and ad revenue.  Presto!  Another racketeer takes the fall.  Maybe they’ll name YouTube’s parent, Google, as a co-conspirator just to keep it on its toes.

Oh, and what about you, dear reader?  Have you ever violated the terms of service on a website?  Hell, have you ever read them?  C’mon, I’ve seen the comments on my privacy and TSA posts. Are you sure yours didn’t violate the site’s proscription on “abusive or denigrating comments”?  Cause if you did it twice, that’s a predicate, and VC is an interstate enterprise that you are associated with and in whose affairs you are participating by virtue of your appalling violations of the terms of use and thus of the CFAA.  Best of all, VC has what strikes me as a pretty upscale readership.  Treble damages and attorney’s fees would go a long way toward finally monetizing my blogging habit.

(Had you going there, huh?  Actually, as far as I know, VC doesn’t have any terms of use for commenters, so fire away. You’re safe.)

I’m not a RICO lawyer, thank God, so maybe I’m oversimplifying what it takes to make out a civil RICO suit.  But, what the hell, the lawyers representing departing or pregnant employees aren’t RICO lawyers either.  If the claim against them is plausible on its face, they will face overwhelming pressure to settle, quite possibly by abandoning good claims, especially if their next employer is dragged in as a co-conspirator.  Ditto for the YouTube uploaders.

And in exchange for all this uncertainty and injustice, what benefit can we expect in fighting actual criminals?  About as much as we’ve gotten from the CFAA’s private right of action, which is nothing, and from RICO’s private right of action, which is less than nothing.

This is Hamburger Helper with a dose of cyanide.

UPDATE: Clarified with a reference to Google’s ownership of YouTube

Photo credits:

http://www.flickr.com/photos/arkangl/with/4709166389/

http://www.flickr.com/photos/like_the_grand_canyon/3853938360/lightbox/

Cyberwar: Iran Counterattacks?

Iran is to cyberwar what 1930s Spain was to airwar – contested ground where everyone tries out new technology and tactics.  After being on the receiving end of Stuxnet, which sabotaged the Natanz enrichment plant and showed that cyberweapons could replace cruise missiles, it looks as though the Iranian government has gone on the offensive.

The Dutch government’s electronic certification authority, DigiNotar, was compromised by a hacker in July of this year.  DigiNotar handled the hack badly, trying to fix the problem without disclosing it. As a result, DigiNotar’s credentials are being revoked by all of the major browsers.  This means that most web users will not be able to verify the bona fides of any site that DigiNotar has vouched for.  That includes a lot of Dutch government sites, and there are some reports that the Dutch government is leaning on Microsoft to keep the credentials operative for another week.  It also means that DigiNotar will be either out of business or buried in lawsuits that could also reach its parent, VASCO Data Security International.

The hacker who pulled off the compromise has posted messages claiming that the hack was revenge for Dutch peacekeepers’ surrender of thousands of Muslim men to Serb militias during the Balkan wars; the men were executed. The hacker says nothing about Iranian government sponsorship.

So why do I think the Iranian government was involved?

To understand that requires a bit of background about the role of certificate authorities on the Internet.  One of Netscape’s cleverest technological innovations was its solution to the problem of Internet eavesdropping.  It used public key encryption to encrypt the channel between a website and each user.  The user could look up a site’s public key and use that key to encrypt all of the user’s communications with the site.  (I’m oversimplifying here, but that’s the idea.)

The only problem was that the system was open to a “man in the middle” attack, where Mallory turns what’s meant to be a secure link between Alice and Bob into two secure links with himself as a secret hub and Alice and Bob as unsuspecting spokes.

Put another way, if an Iranian user asks Google for its public key, and he uses it to encrypt his communications, how does he know that he’s really using Google’s key?  If the Iranian government wants to read his Gmail, it could intercept his request and send him its own key.  He’d set up a secure channel with the government, which would then simply pass his login credentials on to Google.  For the rest of the session the government would sit in the middle, reading and passing on all the packets from both sides of the transaction.  Not good.

To prevent that, Netscape decided to bake a set of public keys into its browser.  The companies with the baked-in keys were certification authorities.  They could issue certificates vouching for the credentials of every site that wanted to offer secure, encrypted communications.

It was a great system, lightweight and very secure.  But only if the certification authorities kept their credential-signing process completely secure.  If they didn’t, then users would not know who was at the other end of the line, the website they wanted or a man in the middle.

Occasionally, of course, some fraudster would use fake documents to persuade a certification authority to sign credentials for a site the fraudster didn’t own.  That sort of thing could be fixed pretty easily.  Browser providers had already recognized that there had to be a way to revoke website certificates obtained by fraud, so browsers now do an online check each time they use a certificate; in essence, they ask an online server whether the certificate they are about to use has been revoked. So a single fraudulently obtained credential can be rendered harmless as soon as the fraud is discovered.

What happened to DigiNotar was not so easily fixed.  It appears that the hacker gained control of the credential-signing process for some weeks during July of this year, and he signed credentials for hundreds of online sites, including Google, Microsoft, and the CIA.

Now, that’s deeply embarrassing, and it probably would have been enough on its own to spell the end of DigiNotar.  But what came next was even worse.

Starting in August, according to investigators, online revocation checks for DigiNotar certificates jumped. Suddenly lots of people wanted to know whether the DigiNotar certificate for Google had been revoked.  This meant that hundreds of thousands of users were sure that DigiNotar was the authority that had signed Google’s credentials.  (In fact, Google signs its own credentials.) And 99% of the users asking about DigiNotar’s certificate for Google came from Iran. (Even the 1% of requests that didn’t come from Iran seem to have come from proxies and TOR routers in other countries, meaning they too could have been Iranian users.)

Clearly a lot of Iranian users had been fooled into thinking that DigiNotar had issued Google’s credentials.  I can only think of one way that could happen – if the Iranian government and ISPs were systematically intercepting packets bound for Google and saying, in effect, “I’m Google. Here are my credentials, signed by DigiNotar.  Let’s go secure and foil any eavesdroppers.” The user’s browser would say, “Wait a minute while I check to make sure DigiNotar hasn’t revoked your DigiNotar credentials, Google… Ok, you check out, let’s talk.”  As soon as the user started sending his login name and password to the fake Google, the middleman would use those credentials to log in to Google, which would set up a secure communications channel with the middleman.  The entire session would be encrypted unbreakably at every point in the chain save the one that mattered:  the government listening post in the middle. The Iranian government would be sitting pretty — Mallory between Alice and Bob.

Some observations, mostly additional reasons for thinking that this was an Iranian government operation, and what that means:

  • The notes posted by the DigiNotar hacker make him sound like a flake and a braggart, hardly the kind of postings you’d expect from the Iranian secret police. Maybe this is misdirection, or maybe he pulled off the exploit and then handed over his loot to the Iranian government, voluntarily or involuntarily. But the implementation of the man-in-the-middle attack was so quick and so smooth that it looks to me as though the hacker was working with the government from the start.
  • The same hacker who compromised DigiNotar claims to have carried out attacks on Comodo and GlobalSign, two other certification authorities. Both companies agree that they were hacked, although GlobalSign is not admitting that its credentials were compromised. Again, compromising certification authorities is a great idea if you’re in the business of man-in-the-middle attacks; otherwise it’s got mostly nihilistic look-at-me-trashing-your-infrastructure appeal, which might make you wonder why this hacker has specialized in such attacks if he doesn’t work for the government.
  • If this were an Iranian government op, the websites for which fake credentials were issued should be an Iranian government wish list — all the places where it most wants to be in the middle between the site and Iranian users. If so, the point of the fake CIA certificate wasn’t to help hackers break into the CIA’s network. The point was to impersonate the CIA on line – to lure dissidents into setting up an apparently secure communications channel with a foreign intelligence service.  Iranian government paranoia about the CIA’s influence is so profound it’s almost flattering, and the Iranian government probably is kidding itself that the election protests were the result of foreign meddling, not the government’s unpopularity.
  • In fact, the domains whose credentials were falsified do seem to be a kind of museum of Iranian government paranoia. Along with Google, Microsoft, and the CIA, the hacker made fake credentials for Mossad, MI6, Facebook, Skype, WordPress, Twitter, azadegi.com (an Iranian dissident site in Persian), Walla.co.il (a site in Hebrew), torproject.org, and Yahoo, along with others.  The full list is here.  In some ways, it’s an honor roll.
  • It’s also a tell — more evidence that the attack on DigiNotar was government sponsored.  After all, if the DigiNotar hacker was really acting on his own, without government guidance, how did he manage to create so many certificates that would have so much value for an Iranian government man-in-the-middle attack?
  • If this is cyberwar, it’s an Iranian government war against its own people.  And a very dangerous one. The flood of revocation checks coming from Iran continued all through August, meaning that anyone in that country who logged on to Gmail or Hotmail or the other honor-roll sites has probably lost control of everything – not just emails they sent in August but their passwords, their stored emails, their stored files, anything that could be accessed by passwords they used in August.
  • As a result, DigiNotar’s security breakdown could foretell a new human rights disaster, with hundreds of thousands of victims. And, since we know the IP addresses that checked DigiNotar’s certificates, we could probably identify each victim individually.
  • Which raises this question: We know from the online revocation checks that three hundred thousand Iranian users were fooled into using fake  DigiNotar certificates for Google. The same information should be available for Microsoft, Facebook, and every other fake certificate that was issued by the hacker.  Those numbers are the big story, and I don’t understand why reporters have dropped the ball on it, unless they don’t appreciate its significance.
  • Mozilla has done a particularly good job of dealing with this issue, communicating more details earlier than most browser companies. Most recently, it called on the certification authorities it bakes into its browser to audit their security — and to put automatic blocks on some of the names, such as Google or Facebook, that are most likely to inspire man-in-the-middle attacks and least likely to change certificate authorities on short notice.  In contrast, Apple handled the whole affair pretty badly, taking days longer than the other big browsers to announce that it was revoking DigiNotar’s credentials.
  • Iranian dissidents probably could protect themselves from these attacks by installing a browser extension called CertPatrol, which warns you if a site you’ve visited before has suddenly changed its certificate authority.  CertPatrol likely would have told all those Gmail users that, instead of going to a “Google” site that Google vouched for, they were instead going to a “Google” site that DigiNotar vouched for. They could also protect their Google account by turning on Google’s two-step verification process, which won’t let you log on from strange IP addresses until you’ve typed in a separate code sent directly to your phone.
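
The weakness described above (any baked-in certification authority can vouch for any site) and the issuer-change warning the post attributes to CertPatrol can be shown side by side. This is an added sketch, not CertPatrol's code or anything from the original post; the issuer labels, fingerprints and the `IssuerWatch` class are constructed for illustration.

```python
"""Issuer-change detection of the kind the post attributes to CertPatrol.

All certificate data here is constructed; issuer names are plain labels,
not real root-store entries.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Presented:
    host: str         # site the user asked for
    issuer: str       # CA that signed the certificate the server presented
    fingerprint: str  # stand-in for the certificate's hash


def browser_accepts(cert: Presented, trusted_cas: Set[str], revoked: Set[str]) -> bool:
    """Baseline check from the post: issuer is baked in and the cert is not revoked.

    Note what is missing: nothing ties a host to one particular CA.
    """
    return cert.issuer in trusted_cas and cert.fingerprint not in revoked


class IssuerWatch:
    """Remembers which CA vouched for each host and flags a change."""

    def __init__(self) -> None:
        self._seen: Dict[str, Tuple[str, str]] = {}  # host -> (issuer, fingerprint)

    def check(self, cert: Presented) -> str:
        known = self._seen.get(cert.host)
        if known is None:
            # Nothing to compare against: a first visit through an
            # interception point is recorded as if it were genuine.
            self._seen[cert.host] = (cert.issuer, cert.fingerprint)
            return "first-visit"
        issuer, fingerprint = known
        if cert.issuer != issuer:
            # Keep the old record so the suspicious cert cannot replace it.
            return "issuer-changed"
        if cert.fingerprint != fingerprint:
            # Same CA, new certificate: ordinary renewal, update the record.
            self._seen[cert.host] = (cert.issuer, cert.fingerprint)
            return "renewed"
        return "unchanged"

    def accept_change(self, cert: Presented) -> None:
        """Explicit user decision that the new issuer is legitimate."""
        self._seen[cert.host] = (cert.issuer, cert.fingerprint)


# Constructed sample data.
TRUSTED_CAS = {"Google", "DigiNotar"}
LEGIT = Presented("mail.google.com", "Google", "fp-legit-1")
RENEWED = Presented("mail.google.com", "Google", "fp-legit-2")
ROGUE = Presented("mail.google.com", "DigiNotar", "fp-rogue")


def replay(visits: List[Presented]) -> List[Tuple[bool, str]]:
    """Run visits in order; return (browser accepted?, watcher verdict) per visit."""
    watch = IssuerWatch()
    return [(browser_accepts(v, TRUSTED_CAS, set()), watch.check(v)) for v in visits]


if __name__ == "__main__":
    for cert, (ok, verdict) in zip([LEGIT, RENEWED, ROGUE, RENEWED],
                                   replay([LEGIT, RENEWED, ROGUE, RENEWED])):
        print(f"{cert.issuer:10} accepted={ok!s:5} verdict={verdict}")
```

The rogue certificate passes the baseline check until it is revoked, while the watcher flags it only because an earlier visit recorded a different issuer; a user whose first visit already went through the interception point gets no warning.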

As always when I venture too far into technical territory, I am quite aware that there are fine points I may be missing.  I welcome corrections and comments.

Better Swatch What You Say

Earlier this year, Bloomberg reporters sneaked onto a conference call that Swatch held with invited securities analysts.  The reporters taped Swatch executives’ two-hour exchange with the analysts, even though the call-in preliminaries included warnings that the call would be recorded for Swatch and that no other recordings should be made. When Bloomberg started selling its own transcript of the call, Swatch sued.

You might think that Swatch had some sort of privacy claim – that Bloomberg violated the wiretap or computer hacking laws.  In fact, though, Swatch registered its recording of the call with the US Copyright Office and sued Bloomberg for infringement.

Bloomberg’s actions are controversial, for sure.  But how can copyright extend this far?  We live in a world where more or less everything can be recorded. If Swatch has a copyright claim here, what about former Senator George Allen? Having learned from his macaca moment six years ago, can he announce that he’s recording all his campaign events, so no one else can?  What about a police officer who objects to bystanders using their phones to film him in action?  Can he point to his cruiser-cam and accuse the bystanders of infringing copyright?

That seems to be the view of Manhattan federal judge Alvin Hellerstein, 78, who approved Swatch’s copyright claim with little display of concern about its implications.  Denying the motion to dismiss, Judge Hellerstein blandly found that Swatch had met the requirements for claiming copyright: (1) the call was “fixed” on tape and (2) Swatch executives had exercised creativity during the call.  (Point 2 might give Swatch investors pause, of course, but that’s a different question.)

Bloomberg will be free to assert a “fair use” defense at trial, but that’s cold comfort, especially if, as I suspect, Swatch’s registration of copyright allows it to seek massively punitive statutory damages.

You might think that Judge Hellerstein was forced into this unappetizing precedent by a broadly written copyright law.  But he wasn’t.  In fact, the statute as written seems to require that Swatch give Bloomberg and everyone else 48 hours’ notice before Swatch could turn the call into a copyrighted performance.  But the court adopts Nimmer’s view and refuses that reading of the statute because limiting copyright damages claims “would serve no purpose.”

And I suppose that’s true, as long as you can’t imagine the law serving any purpose other than enforcing copyright.

UPDATE:  Corrected typo; with thanks to “great unknown.”

Mea Minima Culpa

At Ben Wittes’s request, I’ve put up a post on Lawfare reflecting on the things I got wrong in the days after 9/11. I can’t pretend it’s much of an apology.  Here’s the gist:

First, I misread the willingness of the press and the Pulitzer committee to stop celebrating disclosures of classified information. A few years later, two New York Times reporters, Eric Lichtblau and James Risen, were actually awarded a Pulitzer for blowing the secrecy of the Bush administration anti-terror wiretap program.  Given the doubts about its legality, that’s understandable.  But the same two reporters, along with the Times itself, shortly thereafter disgraced themselves by disclosing a secret Treasury Department program that tracked terrorist finances — a disclosure they made despite a complete lack of either scandal or illegality.

The second thing I got wrong was thinking that the press still mattered in the same old way.  I thought that the only way to influence the national conversation about terrorism was to persuade the editors of the Times to expand their Circle of Respectable Opinion to include a greater concern for security. Instead, the months after 9/11 created massive demand for independent bloggers who were willing to highlight stories and analyses that the press was filtering out. And so began a hemorrhage of readers, a loss of indispensability, that would fatally undercut the hold that mainstream media had on the national attention.

In an odd way, the two errors are connected.  Because the mainstream media didn’t take its loss of influence well.  In fact, it acted like a country parson who begins to deliver fire and brimstone sermons as his flock starts to dwindle. Remember the New York Times’s endless campaign in 2002 against the Augusta Country Club for, um, something or other? Its attack on Bush’s antiterror programs was part of that same doubled-down bet. But the mix of self-righteousness and flop sweat that infected the Times gradually forced anyone with views to the right of Manhattan’s Upper West Side to look elsewhere for news judgment.

Gut Feeling

This just in: The right kind of bacteria in your gut can literally change your mind – reducing anxiety in stressful situations.  Now we know why they call it intestinal fortitude. Because it is.

I have an op-ed in the NY Post, commenting on the role that bureaucratic turf fights may play in the Associated Press story looking for scandal in NYPD’s counterterrorism tactics. 

Here’s a sample:

When you’re done [with the story], you find that NYPD is uniquely determined to find terrorists before they strike.  To do that, NYPD is willing to go far outside its borders — to London, to Jerusalem, even to New Jersey.

It partners with counterterror analysts at the CIA.  It looks for leads in places where terrorists have been found before – in immigrant communities and in mosques, for example – and it doesn’t give terrorists a haven where they know the cops can’t  go.  It takes advantage of its diversity by asking its officers to hang out in communities where they blend in.  It recruits street sources wherever it can find them. It maps the neighborhoods it’s most concerned about.

Shocked yet?

Me neither. 

So what gives? How come we’re getting this story, at this length, at this time?

One possibility is turf…. 



It appears that Chinese TV inadvertently disclosed custom-built software in the act of attacking Falun Gong websites.  In a story that originally broke on Falun Gong media outlets but has since been corroborated by others,  background footage from a government-run channel’s documentary “showed a piece of custom-built Chinese software actually launching a cyberattack against a U.S. target.” According to Security News Daily,

The clip shows a Chinese-language dialogue box with two drop-down menus, which, according to The Epoch Times, give users the option of selecting which IP addresses or specific websites to attack, followed by a button labeled, “Attack.”

The text above atop the software tool translates to “Select Attack Destinations,” and is credited to the Information Engineering University of China’s People’s Liberation Army.

In the video, which can be seen in its entirety here, the perpetrators apparently use or spoof an IP address belonging to the University of Alabama at Birmingham to attack Minghui.org, the main website of the Falun Gong, a Chinese spiritual practice banned in its homeland.

(The University later offered this statement: “It is impossible to tell how old the archival footage used in the military technology program is. UAB decommissioned the website in question in 2001. It appears from the Chinese video that the purpose was not to launch an attack from that website, but to block access to it. We are not aware of any attack, current or historical, involving that IP address.”)

What gives?  Are the Chinese dumb enough or insouciant enough to disclose on national TV a cyberattack program so well established that it has its own purpose-built software?  Ordinarily, we’d be left with no answers beyond this rather unsatisfying news story.  But the involvement of an American IP address almost certainly gives US prosecutors authority to investigate the incident as a possible violation of the Computer Fraud and Abuse Act.  And right now, the website of the US Attorney in the Northern District of Alabama is highlighting such achievements as “Federal Judge Sentences Hueytown Tax Preparer To 2 ½ Years In Prison.”

I’m guessing that, compared to policing Hueytown tax preparers, going after Chinese cyberattacks might look pretty good to federal investigators in Birmingham. So perhaps someday we’ll get more definitive answers about that 6-second clip.

My book, Skating on Stilts, has been named a 2010 Book of the Year, winning a bronze in the Political Science category from ForeWord Review, whose awards are made each year by a panel of librarians and booksellers choosing among the offerings of independent publishers.

Trekblogging

I’m back from my trek through Mustang, Nepal.  Since I blegged here for toys, books, and laptops to take to rural schools along my route, I thought readers might want to learn what actually happened on the trek.  I’ve begun posting installments from my travel journal on Skating on Stilts.  Since the Volokh Conspiracy isn’t exactly a travel blog, I don’t plan to post them all here.  But for those who are interested, here’s a link, and a taste, from the first installment.  More to come soon.

The Royal Audience

It’s time for our audience with the raja.

There’s just one problem.

“What else can I wear?” I ask my son, Gordon.

I mean it literally. The raja and his remnant kingdom are tucked high in the Himalayas between Tibet and Nepal at an altitude of 12,000 feet and more. And with the shadows growing long, I am cold.

So, protocol can go hang. What I want to know is whether there are any more clothes I can put on before we meet the Raja of Lo. I’m wearing a watch cap, a rain jacket, cargo pants, and long underwear.  Not enough.  After walking four days to get to Lo Manthang, the kingdom’s ancient capital, we’ve already got on all the clean clothes we brought with us. And most of the dirty ones.

I feel a little guilty. I spent nearly four years representing the United States in meetings with foreign officials — meetings where it was a major faux pas to wear the wrong lapel pin. The kingdom of Lo can trace its roots to 1380; it has had a king about three times as long as the United States has had a president. And I am going to sit down with its king wearing dusty hiking shoes and a watch cap.

I am pretty sure our protocol officer wouldn’t have approved.

Our guide enters the room. “Quickly please!” he says. “The raja will see you now.” I rise to my feet and head down to the street, stopping only to tuck a small bottle of local whiskey into my pocket.

Deputy Secretary Lynn has given a speech unveiling the unclassified parts of the Pentagon’s cyberwar strategy.  All of the “pillars” and practically all the unclassified content of the cyberwar strategy are defensive.  Here’s the theme: 

“Our strategy’s overriding emphasis is on denying the benefit of an attack.  Rather than rely on the threat of retaliation alone to deter attacks in cyberspace, we aim to change our adversaries’ incentives in a more fundamental way.  If an attack will not have its intended effect, those who wish us harm will have less reason to target us through cyberspace in the first place.”

This is not completely comforting.  It’s like hearing that our nuclear war strategy is to build more fallout shelters.

The network defenses we have today, and even the ones we hope to have tomorrow, will not deter adversaries or deny them the benefits of an attack.  The DIB Cyber Pilot, for example, is a classified version of technology the private sector has been using for nearly ten years. It’s a good thing, but it hasn’t exactly stopped hackers cold.

Defensive research is also a good idea, although neither of the ideas flagged in the speech — self-healing networks and methods for processing encrypted data — is likely to change the enormous advantage currently held by attackers in cyberspace.

So this is at best a partial strategy.  The Pentagon deserves credit for taking on the issue and doing the planning.  But the plan as described fails to engage on the hard issues, such as offense and attribution and, well, winning. 

I hope that the actual classified version doesn’t suffer from the same diplomatic and political correctness.