When the Publishers Association mention “illegal content” – here’s an example. HT @PublishersAssoc @OpenRightsGroup

If you go to this page at the University of Pennsylvania, you’ll read the following text:

A Celebration of Woman Writers

Married Love, or Love in Marriage
By Marie Carmichael Stopes, Sc.D., Ph. D. (1880-1958)
New York: The Critic And Guide Company, 1918.

In the Unites States of America, [sic]
the 1918 edition of “Married Love” is in the public domain.
Follow this link to read this electronic edition.

In Great Britain and many other countries,
Stopes’ works are still under copyright.
Check the copyright laws of your country to determine what laws apply.

To obtain permission to reproduce Stokes’ works in the United Kingdom
or other countries where copyright applies, contact:

The Galton Institute
19 Northfields Prospect
London SW18 1PE
020 8874 7257
www.galtoninstitute.org.uk

So if you’re in the UK you should not click this link because that would take you to a text which in the UK is still under copyright (albeit that it is 94 years old). You should not do this because you would be accessing illegal content, as explained to me recently by a representative of the Publishers Association.

In the USA, you’re fine – download it, peruse it, consider it, enjoy.

The Publishers Association call the above illegal content because I (in the UK) would not have the necessary license under copyright to download it. They – or rather their representative – spoke about this issue in similar terms to terrorist instruction books, hate speech, and child-abuse imagery.

The latter would be “illegal content”, indeed.

But the book above is actually a 94 year old educational tome by a noted scientist of the time to explain to couples – men and women – that women have these things called menstrual cycles and much of what that entails.

And this also is “illegal content”?

The above is manifestly and clearly an example of the fact that not all content that is made available for download and is copyrighted in one sense is necessarily illegal in another.

Remember that fact. It may prove useful to you.


Update:

screen capture, in case the page should “go away”

My Search Neutrality reading list, from the recent #PICTFOR panel session with #Foundem on #SearchNeutrality

I spoke on a panel at PICTFOR on Search Neutrality a few days ago, and this comprises most of the reading list that I gathered in preparation for the meeting.

I was told forcefully and at great length by some individuals that somehow I had only discovered one side of the story, so I feel it incumbent upon me to publish exactly what I read so that that can become part of the discussion.

#Macroblogging & #Passionkillers – a definition & manifesto; Macroblogging is a social network activity performed by …

Definition

Macroblogging is a social network activity performed by someone who re-homes the majority of his social network updates – status updates, Likes, +1s, and other creative content – as postings on a non-mainstream blog-like platform, subsequently re-using his mainstream social networks (aka: stovepipes) to distribute links to this content.

The technical goal of macroblogging is for the macroblogger to obtain greater control over the format, structure and inclusion (eg: of video) of content that he creates, and for him to retain control over that content in the long term.

The human goal of macroblogging is to focus the macroblogger’s energy on better, more cohesive and elegant communication.

Challenges

Macrobloggers are not in control of how readers will respond to their postings; although a macroblogger may have posted to his macroblog, responses to that posting may include Tweets, Facebook comments, and other feedback provided within these individual stovepipes.

Macrobloggers should not be assholes about this; if someone tweets a response then do reply in kind; don’t get in a hissy-fit that someone hasn’t worked out that they can comment directly upon blog postings – it would be rude to criticise someone who has bothered to respond at all.

Stovepipes

What constitutes a stovepipe?

  • Twitter, Facebook and Google+ are clearly stovepipes, and so is LinkedIn.
  • Tumblr and Posterous? Probably stovepipes.
  • WordPress.com? Perhaps, or perhaps not.
  • WordPress.org personal blogs? Probably not stovepipes.

Requirements for not being a stovepipe include:

  1. ability to completely customise look and feel for the visitor
  2. ability to post arbitrary content – text, image, audio, video, zip, even PDF – of arbitrary size
  3. ability to completely back up all content in original formats
  4. freedom to define (if desired) concepts of privileged third-party read/read-write access to content
  5. freedom from content-level editorialising by third parties
  6. freedom to delete the macroblog in its entirety

Corollary to the latter two requirements:

  • executive authority over the domain name used to access the macroblog.

Don’t get too anal about stovepipes – someone who is arguing about this is not spending enough time blogging about other stuff such as “the importance of macroblogging”.

Guidelines

  • Macroblog blog post titles may be as long as you like
  • Macroblog blog post bodies may be as short as you like
  • Macroblog posts may contain what you like
  • Macroblog blog post titles will provide hyperlinks back to the original macroblog post, once submitted to stovepipes

Why

Macroblogging is partly about regaining control over your own data; but mostly it’s about the avoidance of passionkillers – that if you tweet about something then your drive to communicate may be lessened without providing the closure or completeness which would come from more complete communication.

Further: with the preponderance of stovepipes the question is which stovepipe should I choose, to alienate the least number of people with whom I communicate?

Macroblogging’s answer is choose none of them, and instead use the whole web.

Wherefore

I needed a word for it – I believe that this will take-off in the next year or two.

My new communications strategy: Let clarity become the new brevity and Twitter become a channel

Update: manifesto is here, first year’s results here

In case it’s not been obvious: to a first approximation I have stopped Tweeting; I engage, respond to questions and use DMs (etc) – but since early January I have imposed a few extra rules on myself:

  1. If it’s worth a tweet, it’s worth a short blogpost or longer
  2. If it’s a RT-with-own-commentary, then ditto it becomes a blogpost
  3. I unilaterally declare it to be acceptable to have a blogpost with a ~120 character title and minimal content, where req’d

On top of this is my existing infrastructure:

  1. All blogposts are automatically tweeted from WordPress into my Twitter feed via the TwitterTools plugin, which automatically adds a bitly link back to my blogposts
  2. My tweetstream then gets mirrored into LinkedIn and Facebook

All in all this is a return to the basics of blogging – but what an effect: in the past fortnight the traffic to my blog has trebled – plus I have a lot more space for opinion (no more 140-character limits) and am inclined to blog a lot more because I’m not diluting my… anger? … drive to write? … whatever … by dint of spwng it acrs a hndfl of sqshed tweets n bit.ly/URLs wch nbdy rds.

So I blog more, write better, and am getting a lot more comment feedback as well – the majority of which goes into the blog’s comments which means people come back to the blog, and start reading that more. It’s been so successful I have to take the blog down this weekend to fully enable WP-SuperCache so I can keep up with the load.

This is because it’s increasingly apparent that the 140-character limit of Twitter is a vestigial hangover from SMS, and is something which even Twitter themselves are not honouring – see their new shortlinking process. As such Twitter is essentially a microblog that sucks creativity and content away from my blog, so now I am reclaiming that and will be using Twitter as a RSS analogue instead.

Let clarity become the new brevity – smartphones and 3G (or better) are prevalent enough now that people can get at any content cheaply, and if the majority (?) of tweets link to other content then why should I post that content to Twitter rather than my site?

The wheel turns again…

seven basic rules for developers setting up password systems

  1. If any part of your user interface or code truncates password plaintext input at a length of less than 255 characters, it’s a bug.
  2. If you can’t cope with password plaintexts that contain SPACE and TAB characters (update: or if you impose any charset restrictions) it’s a bug.
  3. If your passwords are not hashed, it’s a bug.
  4. If you’re hashing your passwords with anything other than Bcrypt, it’s a bug; bcrypt() maxes out at 72 character passwords, but that’s not your fault…
  5. If you allow people to use a password of less than 12 characters, it’s a bug.
  6. If you do not encourage people to select a unique password for your service, it’s a bug.
  7. If you do not encourage people to use passphrases, it’s a bug.

Yes, the rules are opinionated. They are even biased and make sweeping assumptions. They don’t even address issues like UNICODE. But if you address these seven points in every application in the world, you’ll make password cracking a phenomenally tougher job.
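A test harness for rules 1, 2 and 5 above, plus a model of the 72-byte bcrypt limit noted in rule 4. This is an added example, not code from the original post; `audit_intake`, `legacy_intake`, `strict_intake` and the probe passwords are hypothetical and constructed for illustration, and no bcrypt library is called.

```python
import re

MIN_LENGTH = 12          # rule 5: shorter passwords must be refused
BCRYPT_KEY_BYTES = 72    # rule 4 caveat: bcrypt reads at most 72 bytes of input

# Constructed probe passwords, one per behaviour the rules call a bug.
PROBES = {
    "rule 1: truncates below 255 characters": "a" * 254 + "Z",
    "rule 2: SPACE not preserved": "correct horse battery staple",
    "rule 2: TAB not preserved": "correct\thorse\tbattery\tstaple",
    "rule 2: leading/trailing whitespace stripped": "  spaced out passphrase  ",
    "rule 2: charset restriction": "p@ss phrase; with <punctuation> & \"quotes\"",
}


def audit_intake(intake):
    """Check `intake`, the function that turns submitted form input into the
    string handed to the password hasher, and return the rules it breaks."""
    findings = []
    for rule, probe in PROBES.items():
        try:
            result = intake(probe)
        except ValueError as exc:
            # Refusing a valid long or "unusual" password is also a failure.
            findings.append(f"{rule} (rejected: {exc})")
            continue
        if result != probe:
            findings.append(rule)
    # Rule 5: an 11-character password must be refused, not accepted.
    try:
        intake("elevenchars")
        findings.append("rule 5: accepts a password shorter than 12 characters")
    except ValueError:
        pass
    return findings


def legacy_intake(password):
    """Constructed 'before' handler: trims, strips non-alphanumerics, cuts at 16."""
    return re.sub(r"[^A-Za-z0-9]", "", password.strip())[:16]


def strict_intake(password):
    """Constructed 'after' handler: enforces the minimum and changes nothing."""
    if len(password) < MIN_LENGTH:
        raise ValueError("password shorter than 12 characters")
    return password


def bcrypt_effective_key(password):
    """Model of what a truncating bcrypt implementation hashes: the first 72
    bytes of the UTF-8 encoding, which is fewer than 72 characters as soon as
    the password contains multi-byte characters."""
    return password.encode("utf-8")[:BCRYPT_KEY_BYTES]


def indistinguishable_to_bcrypt(a, b):
    """True when two different passwords share the same first 72 bytes."""
    return a != b and bcrypt_effective_key(a) == bcrypt_effective_key(b)


if __name__ == "__main__":
    for name, handler in (("legacy", legacy_intake), ("strict", strict_intake)):
        problems = audit_intake(handler)
        print(f"{name}: {len(problems)} finding(s)")
        for problem in problems:
            print("  -", problem)
    shared = "x" * 72
    print("72-byte collision:",
          indistinguishable_to_bcrypt(shared + "one", shared + "two"))
```

The probes only exercise the intake path; storage (rules 3 and 4) still has to be verified against the hashing code itself.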

original context

cyberclippings of cyberutility

cyberthanks to cyberdave cyberwalker amongst cyberothers…


Reducing Systemic Cybersecurity Risk

The authors have concluded that very few single cyber-related events have the capacity to cause a global shock. Governments nevertheless need to make detailed preparations to withstand and recover from a wide range of unwanted cyber events, both accidental and deliberate. There are significant and growing risks of localised misery and loss as a result of compromise of computer and telecommunications services. In addition, reliable Internet and other computer facilities are essential in recovering from most other large-scale disasters.

http://www.oecd.org/dataoecd/57/44/46889922.pdf


OECD’s Cyber Report Misses Key Facts

It’s important to note that the professors have taken care to only address pure cyber war, not hybrid or multi-modal warfare where cyber is one component of a kinetic attack. Personally I think that greatly diminishes the value of the project because it ignores the evolving nature of cyber warfare, particularly as it has been conducted since late 2009 in favor of a theoretical academic exercise. And that’s really the crux of my problem with this report – it’s more ivory tower than street and while parts of their work are well-researched, other parts show little to no research at all. Here are a few of their biggest flaws.

http://www.forbes.com/sites/jeffreycarr/2011/01/19/oecds-cyber-report-misses-key-facts/


Cyber Security and the UK’s Critical National Infrastructure

[…]

The report is based on a series of high-level interviews through which the authors sought to gauge the various organizations’ overall understanding of, and response to, the problem of cyber security. Rather than interview communications officers or representatives of IT departments, the authors sought wherever possible to assess the level of cyber security awareness at board level, and particularly among the most senior executives who had no specific IT expertise.

http://www.chathamhouse.org/sites/default/files/public/Research/International%20Security/r0911cyber.pdf


Cybersecurity is a Board-Level Issue, Says Chatham House Report

Government should communicate cyber risk information in plain English

The ‘Cyber Security and the UK’s Critical National Infrastructure’ report from think tank Chatham House, sponsored by BAE Systems’ Detica business, recommended that businesses should make all staff across their organisations aware of cyber risks, and that this should be led from the top.

Senior management should be confident enough in their understanding of cyber security to “ask the right questions from those tasked with providing security within their organisation,” the report said.

“Critical National Infrastructure (CNI) enterprises [such as utilities and banking providers] should seek to take on greater responsibility and instil greater awareness about the nature of cyber risks across their organisations.

“Senior management should, for example, create incentives for departments and individual employees to recognise and address cyber dependencies and vulnerabilities as they arise,” the Chatham House report stated.

“However, this will only be achieved to the extent that board members are themselves more aware of the opportunities and threats presented by cyberspace.

http://www.csoonline.com/article/689885/cybersecurity-is-a-board-level-issue-says-chatham-house-report


U.S., Australia to add cyber realm to defense pact

Cyberattacks are about to carry even more weight, with the United States and Australia expected to include them in a mutual defense treaty.

The two nations will declare the cyber realm to be part of the 60-year-old treaty tomorrow, Reuters reports. The inclusion will mean that a cyberattack on one country could lead to a response by both.

“We will be releasing a joint statement saying that the ANZUS treaty applies to cyberspace,” Reuters quoted a senior U.S. defense official as saying of the rare move.

The Australia, New Zealand, United States Security Treaty, signed in 1951, is the military alliance that binds Australia and New Zealand and, separately, Australia and the United States to cooperate on defense matters in the Pacific region. The agreement, however, is understood today to relate to attacks in any area.

The expansion of the treaty will take place in San Francisco, where defense and diplomacy leaders from the U.S. and Australia are meeting 60 years after the alliance was sealed in the city on September 1. New Zealand has been an inactive partner of the alliance since 1985.

Speaking to the press today on a flight to San Francisco, U.S. Defense Secretary Leon Panetta said applying the cyber realm to ANZUS underscores the seriousness with which the U.S. views cyberthreats.

“I think it’s in large measure a recognition of what I’ve been saying time and time again, which is that cyber is the battlefield of the future,” Panetta said.

http://news.cnet.com/8301-1009_3-20106450-83/u.s-australia-to-add-cyber-realm-to-defense-pact/


Just a mouse click away from war

Kevin Rudd

THERE was a time when war was begun with a shot. Now it can begin with the simple click of a mouse. A silent attack that you may never even know occurred until it all unfolds in front of you.

This new world goes by the names of cyber security, cyber warfare or cyber terrorism.

Put very simply, it means people, organisations, or for that matter, foreign governments using sophisticated computers to cripple the information systems of our biggest companies, our government departments or our defence forces.

Because if our corporate and government institutions lose their information systems, the country cannot operate effectively, if at all.

If, for example, some were smart enough, and malicious enough, to break into the elaborate computer information systems that run our electricity systems, we would lose power supply to households, small businesses, and much more.

http://www.dailytelegraph.com.au/news/opinion/just-a-mouse-click-away-from-war/story-e6frezz0-1226140275845


DoD: 24,000 files swiped in March from military contractor systems

Department of Defense Deputy Secretary William Lynn said that 24,000 files were taken in March from military contractor systems. That data leakage is increasingly common in the military complex. The good news? The DoD has a plan to fix its defenses.

Lynn didn’t provide further details on the attack or the contractor. On Thursday, the DoD released its strategy for operating in cyberspace.

http://www.zdnet.com/blog/security/dod-24000-files-swiped-in-march-from-military-contractor-systems/9026


U.S. agencies making progress on cybercrime, officials say

But criminals continue to target U.S. businesses, with the FBI currently investigating 400 wire transfer cases

The FBI is investigating more than 400 cases involving unauthorized wire transfers from bank accounts of U.S. businesses, said Gordon Snow, the assistant director there. Those 400 cases involved the attempted theft of $255 million, with actual losses of $85 million, and the cases involving the takeover of accounts represent just one type of attack against financial systems, he said.

Snow also listed recent examples of payment processor breaches, stock trading fraud, ATM skimming, mobile banking attacks and other schemes targeting the U.S. financial system. Cybercriminals’ capabilities are at “an all-time high,” although combating cybercrime is a top priority for the FBI and other agencies, he said.

The annual cost of cybercrime is about $388 billion, including money and time lost, said Brian Tillett, chief security strategist at Symantec. That’s about $100 billion more than the global black market trade in heroin, cocaine and marijuana combined, he said.

http://www.computerworld.com/s/article/9220017/U.S._agencies_making_progress_on_cybercrime_officials_say


U.S. needs to be on-guard for a big cyberattack

The cost of cybercrime to the global economy is estimated at $1 trillion, Alexander stated, and malware is being introduced at a rate of 55,000 pieces per day, or one per second. As troubling as these statistics may be, Alexander said his bigger concern is, “what’s coming: a destructive element.”

http://www.computerworld.com/s/article/9220018/U.S._needs_to_be_on_guard_for_a_big_cyberattack


Bot army being assembled, awaiting orders

Network World – A mammoth army of infected computers is being assembled, but it’s unclear yet what purpose they will be put to.

Wave after wave of malicious email attachments has been sent out since August, and with average success rates for such mailings, millions of machines could be compromised, says Internet security firm Commtouch.

http://www.computerworld.com/s/article/9220057/Bot_army_being_assembled_awaiting_orders


THE COST OF CYBER CRIME

A Detica report in partnership with the Office of Cyber Security and Information Assurance in the Cabinet Office.

In our most-likely scenario, we estimate the cost of cyber crime to the UK to be £27bn per annum. A significant proportion of this cost comes from the theft of IP from UK businesses, which we estimate at £9.2bn per annum. In all probability, and in line with our worst-case scenarios, the real impact of cyber crime is likely to be much greater.

Although our study shows that cyber crime has a considerable impact on citizens and the Government, the main loser – at a total estimated cost of £21bn – is UK business, which suffers from high levels of IP theft and industrial espionage

http://www.detica.com/uploads/press_releases/THE_COST_OF_CYBER_CRIME_SUMMARY_FINAL_14_February_2011.pdf


The wartime economy

A recent report claims that cybercrime is costing the UK economy £27 billion annually. But Wendy Grossman argues that the report may be over-stating the case

Everyone loves a good headline, and £27 billion always makes a *great* one. In this case, that was the sum that a report written by the security consultancy firm Detica, now part of BAE Systems and issued by the Office of Cyber Security and Information Assurance (PDF) estimates that cybercrime is costing the UK economy annually.

The claim was almost immediately questioned by ZDNet’s Tom Espiner, who promptly checked it out with security experts. They complained that the report was full of “fake precision” (LSE professor Peter Sommer), “questionable calculations” (Harvard’s Tyler Moore), and “nonsense” (Cambridge’s Richard Clayton).

http://zine.openrightsgroup.org/comment/2011/the-wartime-economy


Mapping and Measuring Cybercrime

There is, as we have already noted, no legal definition of e-crime nor are data on the incidence, investigation or prosecution of e-crimes (that is to say, crimes committed by means of or with the assistance of the use of electronic networks) collected.

House of Lords Science and Technology Committee (2007: 64)

http://www.law.leeds.ac.uk/assets/files/staff/FD18.pdf


Cybercrime cost estimate is ‘sales exercise’, say experts

Cybercrime experts have questioned a £27 billion (US$43.8 billion) annual cybercrime cost figure released by the Cabinet Office in a report last week, saying it is little more than a sales exercise for Detica, the company that researched the report.

Professor Peter Sommer of the London School of Economics (LSE) called the report an “unfortunate item of British Aerospace puffery”. Detica is owned by BAE Systems, and is involved in intelligence analysis for the U.K. government. The company also sells data protection and information assurance products.

Sommer told ZDNet Asia’s sister site ZDNet UK that the Office of Cyber Security and Information Assurance (Oscia) should not have allied itself so closely with the report, which put a figure of 21 billion pound (US$34.1 billion) annual losses to U.K. businesses through crimes including intellectual-property theft and espionage. The remaining losses are attributed to consumers and the government.

http://www.zdnet.co.uk/news/security-threats/2011/02/18/cybercrime-cost-estimate-is-sales-exercise-say-experts-40091866/


Marcus Ranum

Cyberwar: a Whole New Quagmire. Part 1: The Pentagon Cyberstrategy http://fabiusmaximus.wordpress.com/2011/09/02/28486/

Cyberwar: a Whole New Quagmire. Part 2: Do as I say, not as I do shall be the whole of the law. http://fabiusmaximus.wordpress.com/2011/09/11/28842/

Cyberwar: a Whole New Quagmire. Part 3: Conflating Threats http://fabiusmaximus.wordpress.com/2011/09/14/28778/


Outage Affects Millions in Southwest, Mexico

A power outage accidentally triggered by an Arizona utility company worker darkened a broad swath of the Southwest and Mexico on Thursday, cutting power to millions of people, bringing some San Diego freeways and airport traffic to near-standstills and leaving inland desert residents sweltering without air conditioners in the summer heat, officials said.

http://abcnews.go.com/US/wireStory?id=14478079


Power Outage Worsened by Plant Shutdown

The first power generating station to shut down after an equipment failure in Arizona was in Mexicali.

http://www.nbclosangeles.com/news/local/Power-Outage-Exacerbated-by-Plant-Shut-Down-130017958.html


BritNed

BritNed Development Limited is the owner and operator of the high voltage direct current Interconnector between the Isle of Grain (GB) and Maasvlakte (NL), delivering unparalleled efficiency, reliability and safety, vital to the energy needs of Great Britain and the north-western European Region.

BritNed is an international organisation combining innovative technical and commercial expertise. BritNed employs highly skilled and motivated people who are proud of ‘their’ company. They work as one single team with one vision joining the expertise of TenneT and National Grid.

http://www.britned.com/


Russia–Ukraine gas disputes

The Russia–Ukraine gas disputes refer to a number of disputes between Ukrainian oil and gas company Naftogaz Ukrainy and Russian gas supplier Gazprom over natural gas supplies, prices, and debts. These disputes have grown beyond simple business disputes into transnational political issues involving political leaders from several countries that threaten natural gas supplies in numerous European countries dependent on natural gas imports from Russian suppliers, which are transported through Ukraine. Russia provides approximately a quarter of the natural gas consumed in the European Union; approximately 80% of those exports travel through pipelines across Ukrainian soil prior to arriving in the EU.[1]

http://en.wikipedia.org/wiki/Russia%E2%80%93Ukraine_gas_disputes


…you cry less if you’re drunk when you read them…

A #cybersecurity reporting tip for journalists and other #HHLDN attendees – #johnreid #labour #cyberspace

Here’s a tip: if you’re reporting on cyberspace and cybersecurity, even in passing please don’t analogise “cyberspace” to an object or place in the manner that Labour’s John Reid recently did in the FT:

Quote:

Cyberspace cannot be controlled any more than the sea. Joseph Conrad said the seaman with an undue sense of security “becomes at once worth hardly half his salt”. I am afraid that when Mr Harvey says “existing international frameworks can be applied to cyberspace too”, I feel our salt draining away.

I’ve written about this polemically elsewhere, but the really short synopsis is a simple equation:

cyber = internet = communication = speech

You may feel when buying something from www.amazon.com that you are surfing around in some kind of cyber shopping mall, but you’re not. You’re receiving information, you are sending information. You are communicating, and the word that is applied to the inhibition of communication is censorship.

Whatever your position on censorship – perhaps hate speech should be banned, perhaps it should be met with more, contrary speech, whatever – the problem with referring to the internet and internet communications as “cyberspace” or with (in this case) nautical similes is that you implicitly position the internet as a domain – a place suitable for state or military control – and you also inaccurately set your reader’s minds into that expectation.

I would hazard that:

1) It’s generally a bad idea to encourage or let military, police, or similar state entities become important in a position of censorship.

2) Such an expectation foments bad thinking overall; if we substitute references to “cyberspace” with the intentionally-silly-but-equally-accurate “telephoneworld”, you get technically correct government verbiage which seems somehow deflated:

The risks from telephoneworld (including the internet, wider telecommunications networks and computer systems) have been identified by the Government as a high priority risk.

The UK is facing an ongoing, persistent threat from other states, terrorists and criminals operating in telephoneworld. In less than 15 years the number of global web users has exploded from 16 million in 1995 to more than 1.7 billion today. British shoppers spent £4.4 billion online in August 2010 – up 15% on previous year, and telephone-crime has been estimated in the billions per year globally, with untold human cost. Therefore we must act now to protect the value we place in telephoneworld.

Reading the above you can clearly see that the quote is actually about “[bad] people talking to each other” – so when a Mafia don dramatically “holds meetings in cyberspace” in truth he is just talking to his thugs, just as a journalist might talk with a source, or an activist might talk with a dissident.

But you also see that statements supporting state control often frame cyberspace as being a place like the ocean, or the grimy city streets, or a terrorist state. Somewhere tangible, to be invaded or policed. The statements are framed in that way because that’s how the problem is often perceived by government – it’s a case of language shaping thinking.

But back to my first point: the internet is clearly not tangible. Hence the metaphor is bad.

So decide for yourself whether you want to encourage the government in its ability to inhibit people from communicating with each other, for whatever reason, and phrase accordingly.

In the meantime please remember: Cyberspace means Speech.

CEO of Saatchi and Saatchi calls for advertisers to be worshipped beyond reason, jargon expunged

Really. Watch this…

Simon Francis

…CEO of Saatchi & Saatchi in EMEA …

…serving the twin gods of our world, which are really both advertisers and consumers

…online publishers and advertising agencies really have to serve both of them…

…what I’m going to make a claim for is for everyone to change their way of working and refocus on serving those twin gods…

…that that really means is driving compelling content solutions that drive loyalty beyond reason

…they could be filmic, they could be experiential, … data, … gaming

…requires a new level of collaboration between everyone in the food chain that isn’t really happening now…

He then got up on stage and told the IT industry that it had to stop using jargon.

Um, yeah.

“Burning Haystack” at ComputerWeekly – by @alecmuffett & @webmink

Last night at about 11pm, Simon Phipps IMs me and writes:

Want to write a guest posting for my CWUK open source blog on Haystack and what has gone wrong?

Answer: “Hell yes” – and I was going to go to bed and do it this morning, but just then I saw Jacob Appelbaum tweeted:

Haystack is the worst piece of software I have ever had the displeasure of ripping apart. Charlatans exposed. Media inquiries welcome.

…and bang ended any thoughts of sleep; while Simon wangled an interview with Jacob, I fired up Skype, GoogleDocs and the Nespresso machine, and we started gathering the notes. We got 15 minutes with Jacob via phone at around 0300, Simon turned in around 0430 and me about an hour later, and I got up again at 0830 to finish it by which time news broke of Daniel Colascione’s resignation… so rework, re-edit and post.

The result originally had the title Burning Haystacks – with a rather sharper byline – and is now up at ComputerWorld:

Award-Winning Haystack Security System Could Risk Iranian Lives
The naive enthusiasm of an American marketing graduate, hyped by the world media, may have risked the lives of Iranian activists through over-reaching claims for an inadequately understood software system

Haystack – brainchild of Guardian Innovator of the Year Austin Heap – has in less than 24 hours crashed from cause célèbre to epic, life-threatening tragedy. A marketing graduate from a business college, Heap’s positive, naive “Can-Do” attitude and bright-eyed philanthropic spirit would be enough to power a rescue mission. But it takes more than energetic goodwill to solve difficult security problems. A Chaos Computer Club investigator has discovered sadly that Heap and his team’s lack of experience has carried through to the design of Haystack and that this has potentially endangered the lives of Iranian activists.

[…]

[This article was written by Alec Muffett of greenlanesecurity.com, with assistance from Simon Phipps]

It’s nice to be back in print again; thanks, Simon.

Understanding Your Personal Information’s Value = The End of “Nothing To Hide”

“I’ve Got Nothing to Hide” and Other Misunderstandings of Privacy
Daniel J. Solove 2007.
Associate Professor, George Washington University Law School; J.D., Yale Law School.
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=998565

“If you have nothing to hide, you have nothing to fear.”

Solove’s paper makes a wonderful summary of all arguments that are based upon the fallacious proposition that, in the event of the Government / some entity wanting it, information about you is either embarrassing (in which case it should remain hidden) or it is neutral (in which case it may be shared without restriction) – and the fallacious argument that has sprung up from these premises to coerce the fearful into surrendering data.

But it’s curious that much of the discourse contrasts the “value of privacy” with the “value of security”, yet misses a critical point. As I have discussed elsewhere, privacy and security are abstract qualities rather than substances, and as such they are concepts which are truly hard to price — but if value (and thus price) is under such broad discussion in the paper, then why has no-one hit upon considering the positive value of personal information?

For me the exchange should go thusly:

QUESTION: If you have nothing to hide, what have you got to fear? (in losing your privacy)

ANSWER: Fear is bunk. Information about me is valuable. I shan’t share it with third parties without payment; moreover I wouldn’t trust you to keep it safe, nor do I trust you to infer from it wisely. However: gimme $1000 and I’ll license a feed to you, with updates, for specific purposes, for up to a year.

Any attempt to get data without payment is thusly extortion or theft. More cynical readers are invited to flail their hands around and say “but it doesn’t work like that!” – to which my answer is: “why not, at least some of the time?” Check some of the examples in the latter section of Solove’s paper – if the personal information were considered an asset which was diluted by being shared, rather than in terms of “loss leading to minimal harm to the individual”, I believe it would improve the positions of the plaintiffs considerably.

Solove is halfway there when he writes:

The deeper problem with the nothing to hide argument is that it myopically views privacy as a form of concealment or secrecy. But understanding privacy as a plurality of related problems demonstrates that concealment of bad things is just one among many problems caused by government programs such as the NSA surveillance and data mining.

…which is cool in that it attacks the eavesdropper; but it still fails to recognise personal value in information.

If there is one thing #TheMineProject has taught me it is that the information I have about me has real, fiscal value; what we lack to date are both individual awareness and tools to keep and broker both data and the value inherent in it.

Our laws (and expectations) aren’t based on the notion that the individual can broker information about themselves; but then we and our laws are only now getting to grips with the concept of any individual having the ability to publish to a global audience without censorship – so change only takes a decade or so.

In the above I am channeling Adriana Lukas’ theory of identity [UPDATE: LINK ADDED] quite considerably, but that’s not surprising given whom it was that started TheMineProject; I suspect some enterprising individuals in the VRM and Identity communities will leap onto my above observation and try to claim it as their own or leverage it to support their projects; but since so many of them are involved in projects to create services to re-intermediate users – ie: that will aggregate information on the user’s behalf, in one or more silos away from the user’s control – then I see them being in no way preferable to Google, ChoicePoint, Experian or the Government in this matter.

The point – and the benefit – is to do it yourself, as much as you can.

To make a side observation: when physical money is stolen you lose it doubly – you lose the opportunity to exercise it, plus you lose the money itself, because in the physical world both are as one; but in contrast if someone “steals” information then you still have the original copy left behind; you still have the use of it whilst you can equally attempt redress against the person who copied it.

Because of this difference a “money” bank generally has to be an imposing building with a big safe and a big door with a big lock; they are expensive to build, easy to (attempt to) rob, and uneconomic to replicate to an adequate standard in every household. In contrast, a “data” bank can look like an SD-card, fit in your phone, and can have stronger crypto-locks on it than any bank door would provide you.

So – cutting a long story short: if you could broker your information yourself – as easily as you can blog – and if you could keep it safe enough, and if you could receive some kind of value or benefit when you do choose to share it … then why would you require an intermediary to do it for you?

TheMineProject is a first step towards that goal.

Hat Tip: Glyn Moody, What “Nothing to Hide” is Hiding