Domain: cdt.org
Stories and comments across the archive that link to cdt.org.
Stories · 53
-
How Can You Decide Which VPN To Trust? (slate.com)
Slate's senior technology writer reports that his hunt for a reliable ISP "led me on a convoluted journey through accusations and counteraccusations, companies with shadowy leadership and those with conflicts of interest, and VPN ratings sites that might be even shadier than the companies they're reviewing." Many VPNs appear to be outright scams. Others make internet browsing sluggish. Free versions bombard you with ads. It's a world so thicketed that the leading firms and experts can't agree on the basic criteria for what counts as "reputable," let alone which companies best meet that description. The CEO of one top VPN company, Silicon Valley-based AnchorFree, told me in a phone interview that he suspects one of his top rivals is secretly based in China -- which would raise a red flag for many privacy advocates because of the Chinese government's aggressive surveillance regime... [But] many VPN users consider offshore providers preferable to U.S.-based firms. AnchorFree, for its part, has been dinged by reviewers for running a free, ad-supported VPN, which some privacy experts consider a conflict of interest. (It also offers a paid VPN service.) The two companies point to dueling trust reports by outside groups, each of which appears to reflect well on the firm that's touting it, thanks to different methodologies. "It is fascinating the amount of sniping that goes on" between VPN companies, said Joseph Jerome, who has closely studied VPNs in his role as policy counsel for the Privacy and Data Project at the nonprofit Center for Democracy & Technology. "They are very quick to pull out knives and shiv each other...."
If it's so hard to assess the credibility of the industry's top names...you can imagine how difficult it might be to suss out the myriad lesser-known alternatives. A January investigation by the site Top10VPN found that more than half of the top 20 free VPN apps on the iOS and Android app stores either have Chinese ownership or are based in China. That's all the more suspicious given that China officially banned VPNs last year. The concern: If China is allowing them to continue operating, it could be because they're sharing data on their users with the Chinese government. When you use a VPN, you're trusting that VPN with the same deep level of access to your online activity that you'd normally give your ISP. In other words, now they can see what you're up to whenever you're using the internet. VPNs may be more privacy-focused than big, corporate ISPs, but they're also smaller, more opaque, and less publicly accountable.
"I just wanted internet privacy. I hadn't bargained on a knife fight..." the author writes, concluding that "Several weeks, dozens of calls, and thousands of words later, I can't say I'm much closer to a clear-cut answer... One of the only definitive takeaways, besides 'steer clear of free VPNs,' is that your choice of VPN should depend on what you're using it for.
"If you're just trying to stay safe online, it may make sense to steer toward a larger, U.S.-based company that's clear about both who owns it and how it treats your data." -
US Customs and Border Protection Wants To Know Who You Are On Twitter (eff.org)
An anonymous reader quotes a report from Electronic Frontier Foundation: U.S. border control agents want to gather Facebook and Twitter identities from visitors from around the world. But this flawed plan would violate travelers' privacy, and would have a wide-ranging impact on freedom of expression -- all while doing little or nothing to protect Americans from terrorism. A proposal has been issued by U.S. Customs and Border Protection to collect social media handles from visitors to the United States from visa waiver countries. The Electronic Frontier Foundation opposes the proposal and has commented on it individually and as part of a larger coalition. "CBP specifically seeks 'information associated with your online presence -- Provider/Platform -- Social media identifier' in order to provide DHS 'greater clarity and visibility to possible nefarious activity and connections' for 'vetting purposes,'" reports EFF. "In our comments, we argue that would-be terrorists are unlikely to disclose social media identifiers that reveal publicly available posts expressing support for terrorism." They say this plan "would unfairly violate the privacy of innocent travelers," would cause "innocent travelers" to "engage in self-censorship, cutting back on their online activity out of fear of being wrongly judged by the U.S. government," and would lead to a "slippery slope, where CBP would require U.S. citizens and residents returning home to disclose their social media handles, or subject both foreign visitors and U.S. persons to invasive device searches at ports of entry with the intent of easily accessing any and all cloud data." -
Is Facebook Sabotaging A Face-Recognition Law? (fortune.com)
"You know something's up when politicians bring up a bill out of nowhere, and then try to ram it through over Memorial Day weekend," writes Fortune. "That's what's happening in Illinois, where state lawmakers -- allegedly at the behest of Facebook and Google -- are poised to gut a law that limits the use of facial recognition technology." An anonymous reader writes: Earlier this month a judge refused to throw out a class action complaint against Facebook for using facial recognition software to identify people without their permission and then inviting their friends to "tag" them. Now that suit's lawyer says a so-called "Biometric Information Privacy Act" will actually swap in new definitions for "photograph" and "scan" that will apparently shield Facebook and Google from liability.
The Center for Democracy and Technology called the bill "an unnecessary loss of privacy." Google didn't respond to Fortune's request for a comment, and Facebook said only "We appreciate Senator Link's effort to clarify the scope of the law he authored." -
US Senate Passes the Cybersecurity Information Sharing Act 74-21 (dailydot.com)
blottsie writes with news that the U.S. Senate voted 74-21 in favor of CISA, a controversial cybersecurity bill. All five amendments submitted in an attempt to bolster privacy failed to pass. From The Guardian's coverage: Try asking the bill’s sponsors how the bill will prevent cyberattacks or force companies and governments to improve their defenses. They can’t answer. They will use buzzwords like “info-sharing” yet will conveniently ignore the fact that companies and the government can already share information with each other as is. There were barely any actual cybersecurity experts who were for the bill. A large group of respected computer scientists and engineers were against it. So were cyberlaw professors. Civil liberties groups uniformly opposed (and were appalled by) the bill. So did consumer groups. So did the vast majority of giant tech companies. Yet it still sailed through the Senate, mostly because lawmakers - many of whom can barely operate their own email - know hardly anything about the technology that they’re crafting legislation about. -
White House Pressures Legislators Into Gutting USA FREEDOM Act
The U.S. House of Representatives has substantially reduced the effectiveness of the USA FREEDOM Act, a surveillance reform bill that sought to end mass collection of U.S. citizens' data. House Leadership was pressured by the Obama Administration to weaken many of the bill's provisions. The EFF and the Center for Democracy & Technology had both given their backing to the bill earlier this month, but they've now withdrawn their support. CDT Senior Counsel Harley Geiger said, "The Leadership of the House is demonstrating that it wants to end the debate about surveillance, rather than end bulk collection. As amended, the bill may not prevent collection of data on a very large scale in a manner that infringes upon the privacy of Americans with no connection to a crime or terrorism. This is quite disappointing given the consensus by the public, Congress, the President, and two independent review groups that ending bulk collection is necessary."
Robyn Greene of the Open Technology Institute added, "We are especially disappointed by the weakening of the language intended to prohibit bulk collection of innocent Americans’ records. Although we are still hopeful that the bill’s language will end the bulk collection of telephone records and prevent indiscriminate collection of other types of records, it may still allow data collection on a dangerously massive scale. Put another way, it may ban ‘bulk’ collection of all records of a particular kind, but still allow for ‘bulky’ collection impacting the privacy of millions of people. Before this bill becomes law, Congress must make clear—either through amendments to the bill, through statements in the legislative record, or both—that mass collection of innocent people’s records isn’t allowed." -
Did NIST Cripple SHA-3?
An anonymous reader writes "In the process of standardizing the SHA-3 competition winning algorithm Keccak, the National Institute of Standards and Technology (NIST) may have lowered the bar for attacks, which might be useful for or even initiated by NSA. 'NIST is proposing a huge reduction in the internal strength of Keccak below what went into final SHA-3 comp,' writes cryptographer Marsh Ray on Twitter. In August, John Kelsey, working at NIST, described (slides 44-48) the changes to the algorithm, including reduction of the bit length from 224, 256, 384 and 512-bit modes down to 128 and 256-bit modes." -
FBI Considers CALEA II: Mandatory Wiretapping On Every Device
Techmeology writes "In response to declining utility of CALEA mandated wiretapping backdoors due to more widespread use of cryptography, the FBI is considering a revamped version that would mandate wiretapping facilities in end users' computers and software. Critics have argued that this would be bad for security (PDF), as such systems must be more complex and thus harder to secure. CALEA has also enabled criminals to wiretap conversations by hacking the infrastructure used by the authorities. I wonder how this could ever be implemented in FOSS." -
ITU Approves Deep Packet Inspection
dsinc sends this quote from Techdirt about the International Telecommunications Union's ongoing conference in Dubai that will have an effect on the internet everywhere: "One of the concerns is that decisions taken there may make the Internet less a medium that can be used to enhance personal freedom than a tool for state surveillance and oppression. The new Y.2770 standard is entitled 'Requirements for deep packet inspection in Next Generation Networks', and seeks to define an international standard for deep packet inspection (DPI). As the Center for Democracy & Technology points out, it is thoroughgoing in its desire to specify technologies that can be used to spy on people. One of the big issues surrounding WCIT and the ITU has been the lack of transparency — or even understanding what real transparency might be. So it will come as no surprise that the new DPI standard was negotiated behind closed doors, with no drafts being made available." -
Global Online Freedom Act Approved By House Committee
Fluffeh writes "While it is a bit disappointing that companies might need a law to avoid providing tools that censor free speech to overseas regimes, an updated version of a bill that's been floating around for a few years — the Global Online Freedom Act — has passed out of the House Foreign Affairs Subcommittee on Africa, Global Health and Human Rights. The version that made it out of committee took out some controversial earlier provisions that had potential criminal penalties for those who failed to report information to the Justice Department. However, the Center for Democracy and Technology has raised some concerns: 'While some companies – such as GNI members Google, Microsoft, Websense, and Yahoo! – have stepped up and acknowledged these responsibilities in an accountable way, other companies have not been so forthright. GOFA, however, is a complex bill. While it presents a number of sensible and innovative mechanisms for mitigating the negative impact of surveillance and censorship technologies, it also raises some difficult questions: can export controls be meaningfully extended in ways that reduce the spread of (to borrow words from Chairman Smith) "weapons of mass surveillance" without diminishing the ability of dissidents to connect and communicate? How can – and should – U.S. companies engage with so-called "Internet-restricting" countries?'" -
Ask Slashdot: What Can You Do About SOPA and PIPA?
Wednesday is here, and with it sites around the internet are going under temporary blackout to protest two pieces of legislation currently making their way through the U.S. Congress: the Stop Online Piracy Act (SOPA) and the Protect-IP Act (PIPA). Wikipedia, reddit, the Free Software Foundation, Google, the Electronic Frontier Foundation, imgur, Mozilla, and many others have all made major changes to their sites or shut down altogether in protest. These sites, as well as technology experts (PDF) around the world and everyone here at Slashdot, think SOPA and PIPA pose unacceptable risks to freedom of speech and the uncensored nature of the internet. The purpose of the protests is to educate people — to let them know this legislation will damage websites you use and enjoy every day, despite being unrelated to the stated purpose of both bills. So, we ask you: what can you do to stop SOPA and PIPA? You may have heard the House has shelved SOPA, and that President Obama has pledged not to pass it as-is, but the MPAA and SOPA-sponsor Lamar Smith (R-TX) are trying to brush off the protests as a stunt, and Smith has announced markup for the bill will resume in February. Meanwhile, PIPA is still present in the Senate, and it remains a threat. Read on for more about why these bills are bad news, and how to contact your representative to let them know it.
Note: This will be the last story we post today until 6pm EST in protest of SOPA.
Why is it bad?
The Stop Online Piracy Act is H.R.3261, and the Protect-IP Act is S.968.
The intent of both pieces of legislation is to combat online piracy, giving the Attorney General and the Department of Justice power to block domain name services and demand that links be stripped from sites not involved in piracy. The problem is that the legislation, as written, is vague and overly-broad. For one thing, it classifies internet sites as "foreign" or "domestic" based entirely on their domain name. A site hosted abroad like Wikileaks.org could be classified as "domestic" because the .org TLD is registered through a U.S. authority. By defining it as "domestic," Wikileaks would then fall under the jurisdiction of U.S. laws. Other provisions are worded even more poorly: in Section 103, SOPA lays out the definition for a "foreign infringing site" as one where "the owner or operator of such Internet site is committing or facilitating the commission of criminal violations punishable under [provisions relating to counterfeiting and copyright infringement]." The problematic word is facilitating, as it opens the door to condemning sites that simply link to other sites.
The most obvious implication of this is that search engines would suddenly be responsible for monitoring and policing everything they index. Google indexed its trillionth concurrent URL in 2008. Can you imagine how many people it would take to double check all of them for infringing content? But the job wouldn't end at simply looking at them — Google would have to continually monitor them. Google would also have to somehow keep track of the billions of new sites that spring up daily, many of which would be trying to avoid close scrutiny. Of course, it's an impossible task, so there would need to be automated solutions. Automation being imperfect, it would leave us with false positives. Or perhaps sites would need to be "approved" to be listed. Either way, we'd then be dealing with censorship on a massive scale, and the infringing sites themselves would continue to pop up.
But the problems don't end there; in fact, SOPA defines "Internet search engine" as a service that "searches, crawls, categorizes, or indexes information or Web sites available elsewhere on the Internet" and links to them. That's pretty much what we do here at Slashdot. It's also something the fine folks at Wikipedia and reddit do on a regular basis. The strength of all three sites is that they're heavily dependent on user-generated content. Every day at Slashdot, readers deposit hundreds and hundreds of links into our submissions bin. Thousands of comments are made daily. We have a system to surface the good content, but the chaff still exists. If we suddenly had a mandate to retroactively filter out all the links to potentially copyright-infringing sites in our database, we wouldn't have many options. We're talking about reviewing hundreds of thousands of submissions, and every comment on 117,000+ stories. And we're far from the biggest site around — imagine social networks needing to police their content, and all the privacy issues that would raise.
Small sites and new sites would be hurt, too. A website isn't a single, discrete entity that exists on its own. A new company starting up a site would have to worry about its webhost, registrar, content provider, ISP, etc. The legislation would also raise significant financial obstacles. New companies need investments, and that would be much less likely (PDF) if the company could be held liable for content uploaded by users. On top of that, if the site was unable to live up to the vague standards set by the government and the entertainment industry, they could be on the receiving end of a lawsuit, which would be expensive to fight even if they won (and such laws would never, ever be abused). It's hard to conceptualize the internet without noting its unrivaled growth, and SOPA/PIPA would surely stifle it.
This legislation hits near and dear to the hearts of many Slashdotters; if SOPA/PIPA pass, IT staff for companies small and large are going to have their hands full making sure they aren't opening themselves to legal action or government intervention. Mailing lists, used commonly and extensively among open source software projects, would be endangered. Code repositories would need to be scoured for infringing content; the bill allows for the strangling of revenue sources if its anti-infringement rules aren't being met. VPN and proxy services become only questionably legal. The very nature of the open source community — as the EFF puts it, "decentralized, voluntary, international" — is not compatible with the burdens placed on internet sites by SOPA and PIPA.
What can we do?
So, what can we do about it? There are two big things: contact your representative, and spread the word. Slashdot readers, on the whole, are more technically-minded than the average internet user, so you're all in a position to share your wisdom with the less internet-savvy people in your life, and get them to contact their representative, too. Here's some useful information for doing so:
Propublica has a list of all SOPA/PIPA supporters and opponents.
Here is the Senate contact list and the House contact list.
You can also use the EFF's form-letter, the Stop American Censorship form-letter, or sign Google's petition.
If you don't live in the U.S., you can petition the State Department. (And yes, you have a dog in this fight.)
SOPAStrike has a list of companies participating in the protest, and this crowd-sourced Google Doc tracks companies that support the legislation. Tell those companies what you think.
Further reading: Wikipedia has left their SOPA and PIPA pages up. The EFF has a series of articles explaining in more depth what is wrong with the bills. Here are some protest letters written to Congress from human rights groups, law professors, and internet companies.
Go forth and educate. -
Amendment: Violation of ToS Should Not Be a Crime
Khyber writes "Three data and security breach notification bills have been approved by the Senate Judiciary Committee, one of which includes an amendment that adds clarity with regards to the Computer Fraud and Abuse Act. These three bills would require businesses to develop data privacy and security plans, and it would set a federal standard for notifying individuals of breaches of very sensitive personally identifiable information, such as credit card information or medical records. This clarification is welcomed, making the statute more focused towards hackers and identity thieves, instead of consumers that run afoul of ToS or AUPs of websites and service providers." -
A System For Handling 'Impostor' Complaints
Frequent Slashdot contributor Bennett Haselton writes "A woman sued Yahoo because they wouldn't remove a page created by her ex-boyfriend pretending to be her and soliciting strangers for sex. What would be an effective system for large companies like Yahoo to handle 'impostor' complaints, without getting bogged down by phony complaints and unrelated disputes? This is a harder problem than it seems because of the several possible cases that have to be considered. One possible solution is given here." Read on for Bennett's analysis.
When I first heard that Yahoo had been sued because they refused to remove a page created by the ex-boyfriend of a woman named Cecilia Barnes to impersonate her -- portraying her as a slut looking for sex with strangers (who obliged by hounding her office with phone calls and e-mails) -- I thought Yahoo's conduct was indefensible. Even though, as the court ruled, they may have been exempt from liability under the Communications Decency Act of 1996, what possible excuse could Yahoo have had for the way they handled the situation, exposing Barnes to months of harassment, when it would have taken them only seconds to review the page, see that it was obviously causing harm, and remove it?
Then I thought more about the consequences of the rule that I was implicitly advocating by making that argument. Obviously, if an ISP has a policy of removing a user's page if some third party merely complains that the page is impersonating them, then one of your enemies could get your page removed by filing a complaint saying that they were really "you", and that your page was impersonating them. But if the ISP has a policy of not acting on such complaints, then someone could create a user account pretending to be you, and you wouldn't be able to get it removed.
In both cases, there are two problems. One is the fact that the ISP has to have a way to figure out who is telling the truth. The second is that the solution has to scale well, even for a company like Yahoo that probably gets so many complaints about user conduct every day that it would be impossible to read them all. It should be possible for genuine complaints about impostors to reach the attention of the right people and get an account closed, without accounts being shut down because of (a) people who file complaints about 'rude behavior' that get unintentionally mixed in with 'impostor' complaints by someone who is too overworked to read them all very carefully; or (b) people who file outright false complaints that a given account is an 'impostor', just to get it shut down; or (c) people who are really sneaky, and file complaints about things like rude behavior, but who craft the complaints in a way that is deliberately designed to get them mixed in with the 'impostor' reports, in order to get the account shut down (this way, if the complainer is ever sued or otherwise confronted about the complaint that they filed, they can say that they "didn't lie"!).
It's hard to think of a solution that covers all of these bases. For example, John Morris of the Center for Democracy and Technology explained how many ISPs use faxed driver's licenses to decide impersonation complaints:
In many cases involving real people, the challenged site (whether it is a legit site or a bogus site) contains one or more photographs of the person involved. What service providers do in this case is to get the person to submit a copy of their driver's license, and the provider decides whether the person submitting the license is the same person depicted in the photos. And if so, that person is the one who can control whether the site stays up or not. This works in lots of cases (because pictures are often, but certainly not always, involved).
The problem is that even this could be abused when used against a company like Yahoo that handles an extremely high volume of complaints. Suppose that Yahoo publishes a standard procedure for submitting complaints about impersonation, that includes the requirement of a faxed driver's license. Abusers of the system would figure this out, and they could start filing "complaints" against users and websites by faxing in complaint letters along with a copy of their driver's license, where the letters were not complaints about impersonation at all, but just bogus complaints about other things like "This guy was mean to me". Because the driver's license accompanying the letter is real and the statements in the letter are true (or at least a matter of opinion), the complainer can't be accused of lying or forging government documents. And if anyone ever challenged them and asked, "Why did you send your driver's license with the complaint letter? Weren't you trying to trick the ISP into thinking that this was an impersonation complaint so they would take it seriously?", the complainer could play dumb and say, "Well, I heard that if you file a complaint against someone, you're supposed to fax your driver's license with it." But if Yahoo is still getting too many messages to sort through them carefully, some of these crank complaints could still get users' accounts shut down.
So now you have an interesting, non-trivial problem. Before reading further, it's worth thinking about how you would solve this. What's a good policy that would honor legitimate complaints, without giving cranks a way to get their enemies' pages shut down for no reason, and that would scale well for large companies like Yahoo? There are really two questions here: (1) What would you do if you were drafting an ISP policy and trying to balance the interests of all parties? and (2) What would you do if you were drafting a law requiring ISPs to implement certain policies, also while balancing the interests of all parties? (The best solution may be no law at all, but I think you would have to argue that position, rather than taking the default libertarian stance and simply assuming that. After all, the "no law" status quo didn't do much good for people like Cecilia Barnes who had a legitimate grievance and couldn't get anybody to listen.)
The non-verifiability of complaints is the same problem that I've posed to hard-core anti-spam advocates who have said that ISPs should have a zero-tolerance policy towards spam and cancel any account that is generating spam complaints. The problem with that is that unless the ISP has logs of all mail sent out by a customer (and if the customer is leasing a dedicated server, this would usually not be the case), the ISP can't tell for sure if a spam complaint is real or not. If they adopt a policy of removing a site in response to a complaint (or three or ten complaints), then someone could easily get one of their enemies' sites shut down by filing phony spam complaints sent from multiple Hotmail or Gmail accounts. (You would have to forge some e-mail headers to make it look convincingly like the spam came from the site in question, but this is not very difficult.) If the hosting company has a policy of kicking customers off in response to some threshold number of spam complaints, then a dedicated adversary could just file that many complaints until the customer was terminated. On the other hand, if the hosting company won't kick off customers for any number of spam complaints, then they have no deterrent against their customers spamming. (This is mostly an academic question, because I tried filing complaints against all the dozens of spammers who spammed me in a given one-day period a few years ago, and none of the hosting companies terminated any of the sites I complained about. I wouldn't have expected any of them to terminate a customer based on one complaint, but I assume that some of the hosting companies were getting spam complaints about those customers from other people as well.)
The big difference between spam incidents and impersonation incidents, is that while there may be no reliable record of whether a piece of mail was sent in the past or not, the fact of whether the Yahoo user "bennetthaselton" really is Bennett Haselton is something that can be determined with evidence that still exists in the present day. Some kinds of evidence are more readily available than others. If I were drafting an internal policy for an ISP on when to remove pages in response to an impersonation complaint, I would take care of the low-hanging-fruit cases first:
- If the page directs people to contact the page owner at an e-mail address or phone number (as the page created by Barnes' ex-boyfriend did), and you e-mail the address or call the number and someone answers by saying, "No, I didn't create that page, it's a fake", then you don't need to do any checking of the real-world identities of the parties involved -- all you need to know is that the page purports to be created by the owner of that phone number, but it isn't, so it's a fake and should be removed. This would take care of the most vicious cases of goading visitors into harassing someone directly.
  (Although I'd make clear in the policy that this wouldn't apply to consumer pages about companies, telling visitors to call such-and-such a company to complain about their conduct. Encouraging people to air their grievances is legitimate as long as the page owner isn't claiming to actually represent the company. I'm ducking the question of whether this should apply to pages about individuals -- if I make a page saying, "My ex is a skank, call her at this number for a 'good time'," am I infringing on her rights? But since I'm not claiming to be her, the situation wouldn't be covered by a policy about impersonation pages.)
- If the page is created by a paid user, then you can check if the real name on file with their credit card information matches the name on the site. If it doesn't, that doesn't necessarily mean the page is a fake (possibly one person paid for the account while another one created the content), but if it does match, the page owner is probably not guilty of impersonating anyone. (Here I'm ducking the question of what to do if someone shares their name with a celebrity -- for example, if your name really is Julia Roberts and you create a page saying "Hi, I'm Julia Roberts", that's probably not enough to count as impersonation. But what if you talk about your interest in film and your exploits as an actress in local community theater, how much are you allowed to let people think that you might be "the Julia Roberts"?)
- If the page violates the hosting company's Terms of Service in other ways, then it can be removed without determining whether the page owner is guilty of impersonation or not. The Yahoo Terms of Service doesn't actually mention sexual content (they used to allow users to post "adult profiles" in their Yahoo Profiles accounts as long as the profile owner flagged them as such), but the document prohibits content that is "vulgar" or "...otherwise objectionable". I haven't seen the page created by Barnes's ex-boyfriend soliciting strangers for sex, but it probably violated the Terms of Service in itself.
And there may be other low-hanging-fruit options that I'm not thinking of. But what if there is no easy call, because none of these simplifying factors apply? A user creates a profile on a free site claiming to be Mr. X. A third party complains that they are the real Mr. X and that the profile is fake. What should the ISP do, if they don't want to spend money verifying the real-world identities of the parties involved, every time they get a crank complaint about any users on their system?
This is essentially an economics problem. Cecilia Barnes wasn't asking Yahoo to do anything that would have been too burdensome for them -- the "labor" required to look at a faxed copy of her driver's license probably wouldn't have cost more than $5, at which point Yahoo could have initiated the process of shutting the page down, which they already have built-in procedures for. The benefit to her of getting the page shut down could have been valued in the hundreds or thousands of dollars. Normally, when you need someone else to do something that costs them $5 worth of effort and brings you $1,000 worth of benefit, the natural arrangement is to pay them, but Yahoo doesn't offer this as an option.
In fact, I assume the real cost to Yahoo here would not have been actually reviewing Barnes's complaint, but actually finding it buried among all the bogus complaints that they receive, and noticing that it had real merit. Again, including a $5 payment would be one way to ensure that your complaint gets taken more seriously than all the others. But while the $5 fee might have helped in this specific situation, it's easy to imagine how that could set a bad precedent -- ISPs charging exorbitant fees for users to submit abuse complaints to them, or users not filing complaints because they didn't want to share their payment information or pay money at all.
So, rather than paying a small fee directly, a better approach might be to require complainants to post some sort of "bond" -- which may not be something financial, as some examples will show -- in order to get their complaint to the front of the queue. Recall the example of submitting your driver's license along with an impersonation complaint. It's important to understand the subtle reason why this procedure actually works. It's not because someone couldn't still file a bogus complaint with a phony ID. (While it's somewhat hard to create a fake driver's license that you can hold in your hand, creating a fake faxed driver's license would be easy.) It's because if the complainant is lying, now they can be prosecuted for forging government documents. Essentially the complainant is posting their freedom as a "bond", going out on a limb and saying: "I can't prove to you that I'm telling the truth. But now you know that if I'm lying, I'll go to jail. Bet you the other guy won't be willing to make a binding promise like that."
So naturally I'd put that in the ISP's policy as well: If someone sends in a complaint about our user impersonating them, and they're willing to fax in a copy of their government ID proving that they are who they say they are, and we can verify that the page owner is claiming to actually be that person (and not merely complaining about that person or their business), then we would remove the page unless the account owner can submit even more compelling evidence that they are who they say they are.
This addresses the problem of the impersonation complaints that are completely fake. However, you still have the problem of what to do about people who fax in their driver's license along with letters saying "This guy is a jerk", hoping to get someone's account closed down. If a company like Yahoo is too big to read through all the complaints carefully, then it becomes hard to sort through the complaints to see which ones are really about impersonation and which ones are about other behavior that doesn't violate their TOS.
What might be a solution would be to borrow some of the non-terrible aspects of the Digital Millennium Copyright Act. The two most controversial provisions of the DMCA are (1) a ban on software that enables the user to circumvent copyright restrictions, and (2) a requirement that ISPs have to respond to copyright-violation "takedown" notices in a certain manner. As I've said before about the DMCA, I'm opposed to #1 in principle because I think software should be protected by the First Amendment; I'm not against #2 in principle, but just concerned about how it could be abused in practice.
But one thing the DMCA does is solve the "sorting problem" -- how to get complaints about copyright violations to the top of the pile. Service providers often have a procedure for handling DMCA complaints that is separate from the regular complaint channels. The DMCA also provides protection for users against phony complaints, by stipulating that anyone who files a false complaint can be sued for statutory damages and attorney's fees, as in a case where Diebold, Inc. agreed to pay $125,000 as a penalty for sending false "takedown" notices. In other words, the DMCA solves the "bonding" problem too -- by sending a DMCA complaint, a user is effectively saying, "I agree to pay big money if I'm lying. So, I'm probably telling the truth."
So, a law addressing how ISPs should handle "impersonation" pages, modeled after the DMCA to solve the "top of the pile" problem and the "binding promise" problem, might go something like this:
- For a user to file a complaint, the complaint should cite the name of the anti-impersonation law, as in, "This complaint is being filed under the Anti-Impersonation Act of 2009". This gives ISPs an easy way to sort these complaints to the top of the pile, the same way that they have specialized channels for handling DMCA complaints.
- In the complaint, the user has to assert unambiguously that the page they are complaining about is impersonating them, and is not merely posting gripes about them or their business.
- The complaint should include a copy of a government-issued ID. (Again, this is not because this is hard to forge, but because now the complainant is promising, "If this is fake, I'll go to jail.")
- If the impersonation page is directing visitors to call a phone number or e-mail an e-mail address, and the takedown notification to the ISP includes a request to call that number or e-mail that address to verify that it doesn't actually belong to the page owner, then the ISP should follow up on that within a given time period of receiving the complaint. (And once they call that number or e-mail that address and get a response saying, "No, that page is definitely not mine", then the ISP should shut the page down.)
- Anyone who files a phony complaint citing that statute, can be held liable for statutory damages and attorney's fees, and if they faxed a phony government ID, then they can be prosecuted for that as well.
The problem-solver in me says that this is one way to ensure that legitimate complaints will be acted on, while making phony complaints much harder and riskier. It also seems to me that this is a minimal solution, in the sense that if you remove any part of it, it no longer solves the problem. For example, if you remove the part about complaints having to cite the anti-impersonation law, then you no longer have an effective means for these complaints to get to the top of the pile. And if you remove the part about civil penalties for filing phony complaints, then you no longer have any disincentive for people to tie up the system with crank complaints trying to get their enemies' accounts cancelled. Perhaps others can come up with an alternative solution that meets the logical requirements of enabling real complaints while discouraging fake ones. Meanwhile, the civil libertarian in me doesn't get a queasy feeling from it right away. It seems that it could only be used to stop cases of actual impersonation, and even as a free speech advocate I don't think that you have the moral right to impersonate someone else in a non-satirical manner for the purpose of actually deceiving or harassing people.
But even the absence of such a law is hardly an excuse for what Yahoo did. All they had to do is go to the page, look at the phone number, call the number and hear her say, "Yes, this is me and no that's not my page", and shut it down. The fact that they couldn't do this, shows a contempt for the process of handling legitimate complaints. Apart from the harm caused to Cecilia Barnes directly, incidents such as these might lead to Congress narrowing the scope of the immunity given to providers for hosting content posted by their users. Of course I'm technically suggesting a law that would narrow the scope of that immunity too, but only in a very narrowly prescribed way. If, on the other hand, Congress or the courts ever adopt the vague principle that providers can be held "jointly responsible" for whatever their users say once they've been "made aware" of it, it's going to get a lot harder for people to find Web hosting who have anything controversial to say.
-
-
A System For Handling 'Impostor' Complaints
Frequent Slashdot contributor Bennett Haselton writes "A woman sued Yahoo because they wouldn't remove a page created by her ex-boyfriend pretending to be her and soliciting strangers for sex. What would be an effective system for large companies like Yahoo to handle 'impostor' complaints, without getting bogged down by phony complaints and unrelated disputes? This is a harder problem than it seems because of the several possible cases that have to be considered. One possible solution is given here." Read on for Bennett's analysis.When I first heard that Yahoo had been sued because they refused to remove a page created by the ex-boyfriend of a woman named Cecilia Barnes to impersonate her -- portraying her as a slut looking for sex with strangers (who obliged by hounding her office with phone calls and e-mails) -- I thought Yahoo's conduct was indefensible. Even though, as the court ruled, they may have been exempt from liability under the Communication Decency Act of 1996, what possible excuse could Yahoo have had for the way they handled the situation, exposing Barnes to months of harassment, when it would have taken them only seconds to review the page, see that it was obviously causing harm, and remove it?
Then I thought more about the consequences of the rule that I was implicitly advocating by making that argument. Obviously, if an ISP has a policy of removing a user's page if some third party merely complains that the page is impersonating them, then one of your enemies could get your page removed by filing a complaint saying that they were really "you", and that your page was impersonating them. But if the ISP has a policy of not acting on such complaints, then someone could create a user account pretending to be you, and you wouldn't be able to get it removed.
In both cases, there are two problems. One is the fact that the ISP has to have a way to figure out who is telling the truth. The second is that the solution has to scale well, even for a company like Yahoo that probably gets so many complaints about user conduct every day that it would be impossible to read them all. It should be possible for genuine complaints about impostors, to reach the attention of the right people and get an account closed, without accounts being shut down because of (a) people who file complaints about 'rude behavior' that get unintentionally mixed in with 'impostor' complaints by someone who is too overworked to read them all very carefully; or (b) people who file outright false complaints that a given account is an 'impostor', just to get it shut down; or (c) people who are really sneaky, and file complaints about things like rude behavior, but who craft the complaints in a way that is deliberately designed to get them mixed in with the 'impostor' reports, in order to get the account shut down (this way, if the complainer ever sued or otherwise confronted about the complaint that they filed, they can say that they "didn't lie"!).
It's hard to think of a solution that covers all of these bases. For example, John Morris of the Center for Democracy and Technology explained how many ISPs use faxed driver's licenses to decide impersonation complaints:
In many cases involving real people, the challenged site (whether it is a legit site or a bogus site) contains one or more photographs of the person involved. What service providers do in this case is to get the person to submit a copy of their driver's license, and the provider decides whether the person submitting the license is the same person depicted in the photos. And if so, that person is the one who can control whether the site stays up or not. This works in lots of cases (because pictures are often, but certainly not always, involved).
The problem is that even this could be abused when used against a company like Yahoo that handles an extremely high volume of complaints. Suppose that Yahoo publishes a standard procedure for submitting complaints about impersonation, that includes the requirement of a faxed driver's license. Abusers of the system would figure this out, and they could start filing "complaints" against users and websites by faxing in complaint letters along with a copy of their driver's license, where the letters were not complaints about impersonation at all, but just bogus complaints about other things like "This guy was mean to me". Because the driver's license accompanying the letter is real and the statements in the letter are true (or at least a matter of opinion), the complainer can't be accused of lying or forging government documents. And if anyone ever challenged them and asked, "Why did you send your driver's license with the complaint letter? Weren't you trying to trick the ISP into thinking that this was an impersonation complaint so they would take it seriously?", the complainer could play dumb and say, "Well, I heard that if you file a complaint against someone, you're supposed to fax your driver's license with it." But if Yahoo is still getting too many messages to sort through them carefully, some of these crank complaints could still get users' accounts shut down.
So now you have an interesting, non-trivial problem. Before reading further, it's worth thinking about how you would solve this. What's a good policy that would honor legitimate complaints, without giving cranks a way to get their enemies' pages shut down for no reason, and that would scale well for large companies like Yahoo? There are really two questions here: (1) What would you do if you were drafting an ISP policy and trying to balance the interests of all parties? and (2) What would you do if you were drafting a law requiring ISPs to implement certain policies, also while balancing the interests of all parties? (The best solution may be no law at all, but I think you would have to argue that position, rather than taking the default libertarian stance and simply assuming that. After all, the "no law" status quo didn't do much good for people like Cecilia Barnes who had a legitimate grievance and couldn't get anybody to listen.)
The non-verifiability of complaints is the same problem that I've posed to hard-core anti-spam advocates who have said that ISPs should have a zero-tolerance policy towards spam and cancel any account that is generating spam complaints. The problem with that is that unless the ISP has logs of all mail sent out by a customer (and if the customer is leasing a dedicated server, this would usually not be the case), the ISP can't tell for sure if a spam complaint is real or not. If they adopt a policy of removing a site in response to a complaint (or three or ten complaints), then someone could easily get one of their enemies' sites shut down by filing phony spam complaints sent from multiple Hotmail or Gmail accounts. (You would have to forge some e-mail headers to make it look convincingly like the spam came from the site in question, but this is not very difficult.) If the hosting company has a policy of kicking customers off in response to some threshold number of spam complaints, then a dedicated adversary could just file that many complaints until the customer was terminated. On the other hand, if the hosting company won't kick off customers for any number of spam complaints, then they have no deterrent against their customers spamming. (This is mostly an academic question, because I tried filing complaints against all the dozens of spammers who spammed me in a given one-day period a few years ago, and none of the hosting companies terminated any of the sites I complained about. I wouldn't have expected any of them to terminate a customer based on one complaint, but I assume that some of the hosting companies were getting spam complaints about those customers from other people as well.)
The big difference between spam incidents and impersonation incidents, is that while there may be no reliable record of whether a piece of mail was sent in the past or not, the fact of whether the Yahoo user "bennetthaselton" really is Bennett Haselton is something that can be determined with evidence that still exists in the present day. Some kinds of evidence are more readily available than others. If I were drafting an internal policy for an ISP on when to remove pages in response to an impersonation complaint, I would take care of the low-hanging-fruit cases first:
-
If the page directs people to contact the page owner at an e-mail address or phone number (as the page created by Barnes' ex-boyfriend did), and you e-mail the address or call the number and someone answers by saying, "No, I didn't create that page, it's a fake", then you don't need to do any checking of the real-world identities of the parties involved -- all you need to know is that the page purports to be created by the owner of that phone number, but it isn't, so it's a fake and should be removed. This would take care of the most vicious cases of goading visitors into harassing someone directly.
(Although I'd make clear in the policy that this wouldn't apply to consumer pages about companies, telling visitors to call such-and-such a company to complain about their conduct. Encouraging people to air their grievances is legitimate as long as the page owner isn't claiming to actually represent the company. I'm ducking the question of whether this should apply to pages about individuals -- if I make a page saying, "My ex is a skank, call her at this number for a 'good time'," am I infringing on her rights? But since I'm not claiming to be her, the situation wouldn't be covered by a policy about impersonation pages.)
-
If the page is created by a paid user, then you can check if the real name on file with their credit card information, matches the name on the site. If it doesn't, that doesn't necessarily mean the page is a fake (possibly one person paid for the account while another one created the content), but if it does match, the page owner is probably not guilty of impersonating anyone. (Here I'm ducking the question of what to do if someone shares their name with a celebrity -- for example, if your name really is Julia Roberts and you create a page saying "Hi, I'm Julia Roberts", that's probably not enough to count as impersonation. But what if you talk about your interest in film and your exploits as an actress in local community theater, how much are you allowed to let people think that you might be "the Julia Roberts?)
-
If the page violates the hosting company's Terms of Service in other ways, then it can be removed without determining whether the page owner is guilty of impersonation or not. The Yahoo Terms of Service doesn't actually mention sexual content (they used to allow users to post "adult profiles" in their Yahoo Profiles accounts as long as the profile owner flagged them as such), but the document prohibits content that is "vulgar" or "...otherwise objectionable". I haven't seen the page created by Barnes's ex-boyfriend soliciting strangers for sex, but it probably violated the Terms of Service in itself.
And there may be other low-hanging-fruit options that I'm not thinking of. But what if there is no easy call, because none of these simplifying factors apply? A user creates a profile on a free site claiming to be Mr. X. A third party complains that they are the real Mr. X and that the profile is fake. What should the ISP do, if they don't want to spend money verifying the real-world identities of the parties involved, every time they get a crank complaint about any users on their system?
This is essentially an economics problem. Cecilia Barnes wasn't asking Yahoo to do anything that would have been too burdensome for them -- the "labor" required to look at a faxed copy of her driver's license probably wouldn't have cost more than $5, at which point Yahoo could have initiated the process of shutting the page down, which they already have built-in procedures for. The benefit to her of getting the page shut down could have been valued in the hundreds or thousands of dollars. Normally, when you need someone else to do something that costs them $5 worth of effort and brings you $1,000 worth of benefit, the natural arrangement is to pay them, but Yahoo doesn't offer this as an option.
In fact, I assume the real cost to Yahoo here would not have been actually reviewing Barnes's complaint, but actually finding it buried among all the bogus complaints that they receive, and noticing that it had real merit. Again, including a $5 payment would be one way to ensure that your complaint gets taken more seriously than all the others. But while the $5 fee might have helped in this specific situation, it's easy to imagine how that could set a bad precedent -- ISPs charging exhorbitant fees for users to submit abuse complaints to them, or users not filing complaints because they didn't want to share their payment information or pay money at all.
So, rather than paying a small fee directly, a better approach might be to require complainants to post some sort of "bond" -- which may not be something financial, as some examples will show -- in order to get their complaint to the front of the queue. Recall the example of submitting your driver's license along with an impersonation complaint. It's important to understand the subtle reason why this procedure actually works. It's not because someone couldn't still file a bogus complaint with a phony ID. (While it's somewhat hard to create a fake driver's license that you can hold in your hand, creating a fake faxed driver's license would be easy.) It's because if the complainant is lying, now they can be prosecuting for forging government documents. Essentially the complainant is posting their freedom as a "bond", going out on a limb and saying: "I can't prove to you that I'm telling the truth. But now you know that if I'm lying, I'll go to jail. Bet you the other guy won't be willing to make a binding promise like that."
So naturally I'd put that in the ISP's policy as well: If someone sends in a complaint about our user impersonating them, and they're willing to fax in a copy of their government ID proving that they are who they say they are, and we can verify that the page owner is claiming to actually be that person (and not merely complaining about that person or their business), then we would remove the page unless the account owner can submit even more compelling evidence that they are who they say they are.
This addresses the problem of the impersonation complaints that are completely fake. However, you still have the problem of what to do about people who fax in their driver's license along with letters saying "This guy is a jerk", hoping to get someone's account closed down. If a company like Yahoo is too big to read through all the complaints carefully, then it becomes hard to sort through the complaints to see which ones are really about impersonation and which ones are about other behavior that doesn't violate their TOS.
What might be a solution would be to borrow some of the non-terrible aspects of the Digital Millennium Copyright Act. The two most controversial provisions of the DMCA are (1) a ban on software that enables the user to circumvent copyright restrictions, and (2) a requirement that ISPs have to respond to copyright-violation "takedown" notices in a certain manner. As I've said before about the DMCA, I'm opposed to #1 in principle because I think software should be protected by the First Amendment; I'm not against #2 in principle, but just concerned about how it could be abused in practice.
But one thing the DMCA does is solve the "sorting problem" -- how to get complaints about copyright violations to the top of the pile. Service providers often have a procedure for handling DMCA complaints that is separate from the regular complaint channels. The DMCA also provides protection for users against phony complaints, by stipulating that anyone who files a false complaint can be sued for statutory damages and attorney's fees, as in a case where Diebold, Inc. agreed to pay $125,000 as a penalty for sending false "takedown" notices. In other words, the DMCA solves the "bonding" problem too -- by sending a DMCA complaint, a user is effectively saying, "I agree to pay big money if I'm lying. So, I'm probably telling the truth."
So, a law addressing how ISPs should handle "impersonation" pages, modeled after the DMCA to solve the "top of the pile" problem and the "binding promise" problem, might go something like this:
- For a user to file a complaint, the complaint should cite the name of the anti-impersonation law, as in, "This complaint is being filed under the Anti-Impersonation Act of 2009". This gives ISPs an easy way to sort these complaints to the top of the pile, the same way that they have specialized channels for handling DMCA complaints.
- In the complaint, the user has to assert unambiguously that the page they are complaining about is impersonating them, and is not merely posting gripes about them or their business.
- The complaint should include a copy of a government-issued ID. (Again, this is not because this is hard to forge, but because now the complainant is promising, "If this is fake, I'll go to jail.")
- If the impersonation page is directing visitors to call a phone number or e-mail an e-mail address, and the takedown notification to the ISP includes a request to call that number or e-mail that address to verify that it doesn't actually belong to the page owner, then the ISP should follow up on that within a given time period of receiving the complaint. (And once they call that number or e-mail that address and get a response saying, "No, that page is definitely not mine", then the ISP should shut the page down.)
- Anyone who files a phony complaint citing that statute, can be held liable for statutory damages and attorney's fees, and if they faxed a phony government ID, then they can be prosecuted for that as well.
The problem-solver in me says that this is one way to ensure that legitimate complaints will be acted on, while making phony complaints much harder and riskier. It also seems to me that this is a minimal solution, in the sense that if you remove any part of it, it no longer solves the problem. For example, if you remove the part about complaints having to cite the anti-impersonation law, then you no longer have an effective means for these complaints to get to the top of the pile. And if you remove the part about civil penalties for filing phony complaints, then you no longer have any disincentive for people to tie up the system with crank complaints trying to get their enemies' accounts cancelled. Perhaps others can come up with an alternative solution that meets the logical requirements of enabling real complaints while discouraging fake ones. Meanwhile, the civil libertarian in me doesn't get a queasy feeling from it right away. It seems that it could only be used to stop cases of actual impersonation, and even as a free speech advocate I don't think that you have the moral right to impersonate someone else in a non-satirical manner for the purpose of actually deceiving or harassing people.
But even the absence of such a law is hardly an excuse for what Yahoo did. All they had to do is go to the page, look at the phone number, call the number and hear her say, "Yes, this is me and no that's not my page", and shut it down. The fact that they couldn't do this, shows a contempt for the process of handling legitimate complaints. Apart from the harm caused to Cecilia Barnes directly, incidents such as these might lead to Congress narrowing the scope of the immunity given to providers for hosting content posted by their users. Of course I'm technically suggesting a law that would narrow the scope of that immunity too, but only in a very narrowly prescribed way. If, on the other hand, Congress or the courts ever adopt the vague principle that providers can be held "jointly responsible" for whatever their users say once they've been "made aware" of it, it's going to get a lot harder for people to find Web hosting who have anything controversial to say.
-
Let Big Brother Hawk Anti-Virus Software
Frequent Slashdot contributor Bennett Haselton writes with his idea for mass adoption of anti-virus software: "If the US government did more to encourage people to keep their computers secure — by buying TV ads to publicize free private-sector anti-virus programs, or subsidizing the purchase of anti-virus software — we'd all be better off, on average. That's not just idealistic nanny-statism, but something you can argue mathematically, to the point where even some libertarians would agree." Read on for the rest of Bennett's thoughts.
This requires a discussion of "positive externalities," which may seem pedantic to you if you remember the concept from econ class, in which case you can skim the next five paragraphs. When you buy anti-virus software, some of the benefits accrue to you — less risk of your data being lost to a virus, or of annoying spyware infecting your computer with pop-up ads — but some of the benefits also accrue to other people. Prior to anti-virus software being installed on your computer, your machine might have been infected and taken over by criminals who used it to send spam. Or it might have helped to propagate the virus to other people. (Note: I am using "virus" to incorporate related things like "worms" and not worrying about the distinction.) Or you might have thought there was a problem with your computer, not realizing the problem was caused by a virus, and wasted time calling the tech support line for your computer manufacturer or for some other product on your computer. (If the company charges for tech support, then you're paying the cost of your call rather than passing those costs on to others, but if the call is free, then the costs have to be passed on to the company and hence indirectly to their other customers.) When you install anti-virus software, the chances of all these things happening are reduced, and those are the benefits that accrue to others — positive externalities, in economics jargon.
The key assumption is that you can put a price on all of the positive externalities generated by a given person installing the anti-virus software. It's different for every person, but it always adds up to some value, something that is not microscopic, but also not fantastically larger than the purchase price of the anti-virus program. It's on the order of adding 1/100,000th of a penny's worth of value to the lives of 100 million other people, for a total positive externality of $10.
To see that this is a reasonable assumption, suppose that if I had a choice between living in a world where all 100 million other Internet users in the US had no anti-virus software installed (using round numbers to make things simpler), and living in a world where all of the other users in the US had anti-virus software installed, I would pay $10 more per year to live in the latter, counting only the benefits to me and not factoring in any altruistic desire to help protect fellow citizens. (I personally would pay a lot more than $10 because I use the Internet so much, but the average might be closer to $10. Also, what I'd really like is for more people in certain other countries to install anti-virus software — China comes to mind — but I'm leaving them out of this discussion because it would be harder for the US government to encourage that.) When everyone else in the US is using anti-virus software, the benefits are returned to me in various ways, such as it being easier for me to send and receive e-mail because there aren't so many botnet-infected machines sending spam. (This is independent of my decision as to whether to buy anti-virus software for myself or not.)
Now, once I've decided I'd pay $10 more to have all my fellow Americans install anti-virus software, I could draw a graph (while my friends are out snowboarding with their girlfriends) with "how many other US users have hypothetically installed anti-virus software" on the x-axis, and "how much would I pay to live in that world" on the y-axis. At the point on the graph where no other people have anti-virus software, I'm willing to pay $0 to live in that world. (Well, of course I'd pay a lot more than $0 to be alive in any world, but I'm comparing other worlds to that one, so I'm just using $0 as my baseline.) At the point on the x-axis where all 100 million other users have installed anti-virus software, I'm willing to pay $10 to live in that world instead. What does the graph look like in between those points? Well, I can assume it's upward-sloping — the more other people install anti-virus software, the better it is for me. I could also adopt the simplifying assumption that it's a straight line — so I would pay $3 to live in a world where 30 million other people have anti-virus software installed, $6 to live in a world where 60 million other people have it installed, etc. It's not really a straight line, because when the first 50 million Americans install anti-virus software, that still leaves 50 million others to get infected and do damage, but when the next 50 million install it, that has eliminated all the unguarded computers in the US, and made it a lot harder for viruses to spread, at least within our borders. In other words, the line representing the quality of life to me as a function of how many other people installed anti-virus software, would rise more slowly in the range 0-50 million than it would rise in the range 50-100 million. 
But as long as the curve doesn't make any sudden jumps — for example, I know that the 30-millionth person installing anti-virus software isn't suddenly going to make my quality of life go up by $1 — I know the curve generally has to rise smoothly. So for a really rough approximation I'll treat it as a straight line.
If the graph is a straight line with the value $0 when nobody else installs anti-virus software, and $10 when everybody else installs anti-virus software, then each additional user installing anti-virus software creates an additional benefit to me of 1/100,000th of a penny (so 1/100,000th of a penny, times 100 million, comes out to $10).
You may think it's ridiculous or meaningless to say that someone else installing anti-virus software can benefit me to the tune of 1/100,000th of a penny. I myself can't wrap my head around it. But I can use the necessary properties of the graph — that it starts at $0, ends at $10, must curve upward, and doesn't make any sudden jumps — to reason that it should be approximately true.
And then, if each other US Internet user derives an average of 1/100,000th of a penny's worth of benefit when you install anti-virus software, then the total benefit that you confer on other people by installing the software, comes out to 1/100,000th of a penny times 100 million, or $10. And that's not even counting all the spillover benefits to users in other countries each time an American installs anti-virus software, something that we could consider a kind of off-the-books foreign aid. (Even if we would really like for it to be reciprocated by all users in countries like China installing anti-virus software as well.)
This is actually not hard to reconcile with people's attitudes toward installing anti-virus software. It's recommended as something you should do not only for your own protection, but also as something you should do to be a "good Netizen" so as not to impose inconveniences on other people. If your installing anti-virus software only conferred about 1 penny's worth of total benefit on the rest of the world, nobody would bother exhorting you to do it as a kind of civic duty. On the other hand, if your installing anti-virus software conferred thousands of dollars' worth of good on the world (or, equivalently, not installing anti-virus software exposed the rest of the world to thousands of dollars' worth of risk or damage), then people would not only be exhorted to install it, it would probably be required by law, like functioning car brakes. The kind of pressure that we see today to install anti-virus software — gentle prodding but not outright compulsion — feels commensurate with a value between $1 and $100 of the benefits that a person confers on the rest of the world by installing it.
But this logic also means that we are missing an opportunity to make everybody better off on average, by actually subsidizing the purchase of anti-virus software for some people who otherwise would not have bought it. Suppose each user confers $10 worth of positive externalities on other American Internet users when they install anti-virus software. Now first consider the case of a program like Norton Anti-Virus which costs $40.
For anybody who personally values their own anti-virus protection at $40 or more, great — they'll buy the software, they get the value they want from it, and everybody else gets the positive externalities of that person's virus protection, for free. But consider the people who value the anti-virus software at somewhere between $35 and $40. With no government rebate, they won't buy the software.
But now suppose the government offers a $5 rebate (funded by a tax on all 100 million Internet users) to anyone who buys anti-virus software. Everybody who would have bought the software before, will obviously still buy it now that the government rebate has effectively lowered the price to $35, and now, all the people who value the software between $35 and $40 will buy it as well. For each person who purchases the software at the new price of $35, the following is true:
- The person who bought the anti-virus software is better off — they valued the software at at least $35, and they got it for $35. (Otherwise, they wouldn't have bought it.)
- The taxpayers who subsidized the purchase are better off. Each rebate cost the taxpayer one-hundred-millionth of $5. But when that user installed the anti-virus software, they conferred $10 worth of total benefit on all other Internet users in the US, so that benefits each Internet-using taxpayer one-hundred-millionth of $10. So they're ahead.
If this seems fanciful, we're still in the domain of standard economics textbook stuff. When positive externalities are involved, the free market by itself will usually not reach the optimal outcome; by adding in some government subsidies, you can achieve an outcome that leaves everyone better off than they were before (even after subtracting the cost of the taxes to fund the subsidies). Call them "subsidies even a libertarian could love." Steven Landsburg's books The Armchair Economist and More Sex Is Safer Sex, and Tim Harford's books The Undercover Economist and The Logic Of Life, explain the logic of externalities probably better than I can, and give other interesting examples. When I say "subsidies even a libertarian could love," consider that Landsburg once wrote that George W. Bush's tax plan was unfairly burdensome to the rich, because "it seems patently unfair to ask anyone to pay over 30 times as much as his neighbors." That's pretty, uh, libertarian. But even Landsburg has argued, in More Sex Is Safer Sex, that LoJack anti-car-theft devices should be heavily subsidized by the government, because they create positive externalities — when more people buy LoJacks, thieves are deterred from stealing everyone's cars, because there's no way to tell whether a particular car has a LoJack installed or not. To the extent that anti-virus software creates positive externalities, it should be subsidized as well.
A modified version of this logic applies even to free anti-virus programs like AVG Anti-Virus. AVG is only "free" if you don't count the costs of finding out about it in the first place, then downloading it, installing it, and leaving it running. All of these add up to costs that, for whatever reason, have led to many people choosing to run nothing at all, rather than to run AVG even though it's free. If the government ran a campaign announcing the rebates for purchasers of anti-virus software, they could also use the campaign to recommend certain free programs -- thus effectively offsetting the "costs" by providing a "subsidy" for those programs in the form of free advertising.
When I ran this past some people for comment, two respondents, Steven Landsburg and Esther Dyson, independently recommended versions of a popular alternative idea, which was to penalize people directly for spreading computer virus infections. Landsburg commented:
I certainly think there are huge externalities here, and they derive from the fact that idiots who don't know what they're doing insist on administering their own mail clients. I don't have a mail client on my machine precisely because I am one of those idiots and I don't want to be responsible for a virus grabbing my address book and running with it.
So I have long thought that mail clients should be taxed and/or (if it were technologically feasible) that individual users should be fined heavily if viruses spread from their machines (or send spam from their machines).
Esther Dyson suggested something similar:
One method to consider is — rather than subsidy — requiring the ISPs to post a bond for their customers and assume responsibility for their actions. They can ask their customers in turn either to buy an antivirus package, to sell one that the ISP will offer for free, or to post a bond guaranteeing that they know what they're doing and will do no harm. The ISP is then liable for the misbehavior of its customers and may forfeit the bond if some specified level of disruption is caused by its customers.
In theory, this works better than my idea because it precisely targets the undesirable behavior: We don't really want to penalize people for not running anti-virus software, we want to penalize people for not running anti-virus software and imposing costs on others as a result. It's not possible for 100 million people to charge one person 1/100,000th of a penny each for the inconvenience and risk that person creates by not installing anti-virus software, but it might be possible for one recipient of the virus to seek to punish the person who gave it to them.
However, I think this scheme would have more practical problems:
- You can only penalize the virus spreader if you know exactly who was responsible for passing it on to you. This works for old-school viruses that spread as e-mail attachments, but not for worms like Code Red that probe the network looking for other machines to infect — if you're infected as a result of a remote IP address probing your machine, it's unlikely that you would ever find out exactly when or how it happened, much less the owner of the IP address that infected you.
- If you found out that a friend spread a computer virus to your machine, you'd probably be under a lot of pressure from your friend not to turn them in.
- For people who did get taken to court for spreading viruses, there would be overhead costs associated with processing the case, over and above the actual fine that may be levied against the individual. (If the penalty happens outside the court system — for example by ISPs keeping the bond posted to them by a customer — at least some of those customers will probably feel wronged and sue the ISP, generating court costs either way.)
- If someone accidentally spread a virus to a large number of other machines, that could make their total liability far greater than what they could actually pay.
The idea of fining or otherwise punishing people for accidentally spreading viruses is something I've thought about too, but usually in a moment of venting. As Steven Landsburg dryly says, "Your solution (subsidized antivirus software) might be more effective, but mine would be more satisfying (to me)." I think the option of punishing people for propagating viruses is something that should be explored in more detail, but I can't offhand think of any solutions that would avoid the problems listed above. The fact is that anybody with an Internet connection has the potential to do enormous damage if their machine gets infected, and in most cases it would be too hard to track the harm back to them, and too harsh to make them pay the real cost of the damage.
On the other hand, the option of a government publicity campaign to get people to install anti-virus software — at least the free ones, which should be a no-brainer — is something that seems like it should start bringing benefits right away. Government advertisements for free programs would require the least amount of paperwork to set up, because all the government would have to do would be to produce the TV ads and buy the airtime. (Other proposals, such as subsidies for non-free anti-virus software, or paying people outright to install anti-virus software, would require more overhead to implement. That doesn't mean they shouldn't be tried, but go for the low-hanging fruit first.) Now, what the ads should look like would be a question for advertising experts, but I would really hammer home the point: "Go to this government website and we have a list of recommended FREE anti-virus programs. These are not 'free trials' for something you have to pay for later. They are FREE. If you're not using anything at all, at least go get one of these." Along with a list of the non-free programs for people who want even more protection, and links to third-party reviews of those.
More generally, I think that government-funded action to encourage better computer security is something that has not been given enough consideration. I think this is partly due to hostility to anything that smacks of government intervention (because of, among other things, numerous times the US government has attempted to censor the Internet), and partly because of an assumption that the free market will provide the best solution by itself. But if the government is actually on the right side of an issue — the side of promoting better computer security — then there's no reason to be petty and foul up their campaign just because we're still resentful that they once tried to make the Internet into a no-cussing zone. Hey, if the government thugs start to care more about computer viruses than about Internet porn, then they're learning! Give them a pat on the head and help them get the word out! And meanwhile, economic theory predicts that because of the externalities problem, the free market by itself won't lead to the optimal number of people using anti-virus software or keeping their computers secure. That's precisely the situation where a government-funded push toward more computer security can bring everyone more benefits than it costs. If you wear a Ron Paul t-shirt, but you found out about free anti-virus software from a state-sponsored TV ad, nobody has to know.
-
New CyberSecurity Bill Raises Privacy Questions
Nicolas Dawson points out coverage in Mother Jones of the early stages of a new cybersecurity bill that conveys sweeping powers on the President. Quoting: "The Cybersecurity Act of 2009 (PDF) gives the president the ability to 'declare a cybersecurity emergency' and shut down or limit Internet traffic in any 'critical' information network 'in the interest of national security.' The bill does not define a critical information network or a cybersecurity emergency. That definition would be left to the president. The bill ... also grants the Secretary of Commerce 'access to all relevant data concerning [critical] networks without regard to any provision of law, regulation, rule, or policy restricting such access.' This means he or she can monitor or access any data on private or public networks without regard to privacy laws."
-
Senate Scrutinizes Privacy Issues of ISP User Tracking
Hugh Pickens writes "As companies collect, use, and disseminate data regarding online users, there is concern that tracking individuals' Internet activity and gathering information from online users violates their expectations of privacy. The Senate Commerce Committee will hold a hearing Wednesday to look at the policy issues, and the hottest topic will be proposed systems by which ISPs can watch users and sell information about their surfing habits to advertising companies. The Center for Democracy and Technology has issued a report suggesting that these systems may violate federal law (PDF). 'Advertising per se is not the evil here,' says Leslie Harris from CDT. 'It's the collection of individuals' information, usually without their knowledge, always without their consent, creation of profiles and the complete inability of people to make choices about that.' On the other side NebuAd, the most active ad-targeting company, says its profiles are interest-based, and not personally identifiable. 'We have designed our entire company to make sure that we stay on the opt-out side of those laws and policies,' says NebuAd CEO Robert Dykes. Charter Communications announced last month that it would suspend a trial of NebuAd due to customer concerns about privacy."
-
Legal Trouble For Multiple ISPs
Ars Technica reports that Comcast has been hit with three new class-action lawsuits due to the company's traffic-shaping practices. "The lawsuits ... ask that Comcast be barred from continuing to violate various state laws, in addition to unspecified damages." Meanwhile, members of the US House Telecommunications Subcommittee have asked Charter Communications' president to stop testing a program which uses Deep Packet Inspection to track the habits of its customers. A number of privacy groups have voiced their support (PDF). As if that weren't enough, it seems the City of Los Angeles is suing Time Warner for fraud and deceptive business practices. The Daily News notes, "... the City Attorney is seeking $2,500 in civil penalties for each violation of the Unfair Competition law as well as an additional $2,500 civil penalty for each violation described in the complaint perpetrated against one or more senior citizens or disabled persons."
-
Wikileaks Publishes FBI VoIP Surveillance Docs
An anonymous reader writes "The folks on wikileaks have published a new interesting and shocking report: FBI Electronic Surveillance Needs for Carrier-Grade Voice over Packet (CGVoP) Service. The 88 paged document, which is part of the CALEA Implementation Plan was published in January 2003 and describes in detail all needs for surveillance of phone calls made via data services like the internet. Wikileaks has not published any analysis yet, so maybe some of the techies hanging around this end of the internet are interested in taking that one on."
-
Politicians and the Cyber-Bully Pulpit
Regular Slashdot contributor Bennett Haselton has cyber-bullying on his mind; that and the laws proposed to deal with it. His article begins: "The authors of most of the recently proposed anti-cyberbullying laws have been invoking the tragic case of Megan Meier, the 13-year-old girl who committed suicide in 2006 after being harassed online by an adult neighbor posing as a cute 16-year-old boy. Unlike the bluster of politicians grandstanding to outlaw swearing on the Internet, the outrage and frustration of lawmakers in this case is at least understandable, especially after the FBI announced that the family that created the phony profile and caused Megan's suicide could not be charged with any crime. But the focus on Megan's case raises two questions: (a) whether it is fair to invoke Megan in the name of passing the laws, and (b) whether the laws are a good idea in general." Read more below.
For once, the invoking of the teenage victim of online stalking is probably not completely cynical. Sometimes, it is. In 2002, after 13-year-old cheerleader Christina Long was apparently killed by someone she met online, politicians purported to honor her memory by passing the "Dot Kids Implementation and Efficiency Act" to create the .kids.us domain space exclusively for content aimed at children 12 and under. Nobody with an ounce of sense could have truly believed that the existence of a .kids.us domain would have prevented Christina Long's death (and certainly not the people who knew the facts of her case, since the police found that she had been actively looking for older sex partners online). In Megan Meier's case, at least the proposed laws are on-topic, and the authors probably really believe they will help. But will they?
Consider two laws proposed by state senators in Megan's home state of Missouri. Senate Bill 762, introduced by Sen. Yvonne Wilson, would require schools to adopt anti-cyberbullying policies. Sen. Scott Rupp has introduced Senate Bill 818, which would prohibit "cyber harassment" defined as conduct which "serves no legitimate purpose, that would cause a reasonable person to suffer substantial emotional distress, and that actually causes substantial emotional distress to that person", with increased penalties if committed by an adult over 21 against a minor under 17. Obviously the Wilson bill would not have applied in the Meier case, since the harassment was not committed by a real school student, but the bill could have still been inspired by an attempt to prevent future incidents caused by real students. The Rupp bill could apply to any teen-on-teen or even adult-on-adult harassment. So what actual effect would they have?
The Wilson bill punts the question by simply requiring school districts to set up anti-cyberbullying policies, but not specifying what would be prohibited or what the consequences would be. This is not to say that the state legislature should have micro-managed what school districts should prohibit, but there's no way to find fault with a bill that leaves the decisions up to someone else. However, any policy that attempts to regulate off-campus conduct would run into constitutional problems, as most cyber-bullying occurs outside of school (since Facebook and MySpace remain blocked to most students).
That leaves the Rupp bill, which is far more detailed, but still less than specific as far as people being able to read it and know in advance what kind of conduct is prohibited. Would it really criminalize any messages sent between teenagers that led to hurt feelings? The bill says that it does not apply to "constitutionally protected activity", falling into the general category of bills that say "This bill prohibits XYZ except that anything protected by the First Amendment isn't prohibited", supposedly so that people can't say the bill violates the First Amendment, but which really means that nobody knows what's allowed. The bill helpfully explains that "such constitutionally protected activity includes picketing or other organized protests", but since most cyberbullying does not take the form of tormentors sending their targets pictures of picket signs reading "ERIC IS GAY", this still doesn't help to determine what is permitted.
But there's something much more worrisome here. The conduct prohibited in the bill doesn't depend entirely on the message itself; it is restricted to content "that actually causes substantial emotional distress". Presumably this seemed like a good way to target the kinds of messages that caused Megan Meier to kill herself, without also outlawing all the other thousands of "You suck and I don't want to be your friend any more" sent between teenagers every day. But consider from the point of view of a message's recipient: At some point in the future, a victim of cyberbullying might know that other cases of cyberbullying have been prosecuted, but only in cases where they caused the victim "substantial emotional distress". So the law says to the victim: You can strike back against your tormentors, you can ruin their lives and let the world know what they did to you, but only if you harm yourself to prove they really hurt you.
And that's the basic Catch-22 of cyberbullying legislation: You can't prohibit meanness that causes someone to harm themselves, without also prohibiting the basic meanness that many teenagers put up with every day — unless you make the crime contingent on the victim actually harming themselves, in which case you've created hugely perverse incentives for them to do so.
I admit I don't have an easy answer either. The National Crime Prevention Center lists tips for teens to deal with cyberbullying: "(1) Refuse to pass along cyberbullying messages; (2) Tell friends to stop cyberbullying; (3) Block communication with cyberbullies; (4) Report cyberbullying to a trusted adult." Sorry, I'm sure they don't mean well, but if you're a teen and your problem is people saying hurtful things about you online to your friends, this is so unhelpful as to probably leave the victim feeling worse. 1 through 3 don't even address the problem, and "report it to an adult"? Most cyberbullying is not illegal.
So I would take the efforts that schools put into preventing cyberbullying — which may not deter the worst bullies, and which could be unconstitutional as applied to off-campus activity anyway — and reinvest them into teaching kids to deal with it: the self-esteem building programs which are much derided as political correctness run amok, but which can be judged a success if they help build resistance to bullying. Above all, put as much emphasis on tracking the results of esteem building programs, as on tracking the results of regular academic programs, so that statistics can be used to determine after the fact what kinds of programs are working best, rather than going in with preconceived notions. Learning how to deal with catty bitches ought to be treated as at least as important as learning the date when the Treaty of Ghent was signed. Out in the real world, there are still catty bitches, but nobody ever asks you about the Treaty of Ghent. -
DHS Official Suggests REAL ID Mission Creep
The Register noticed that a senior US Department of Homeland Security official has floated the idea of requiring citizens to produce federally compliant identification before purchasing some over-the-counter medicines — specifically, pseudoephedrine. The federal ID standard spelled out by the REAL ID act has been sold as applying only to air travel and entry to federal buildings and nuclear facilities. A blogger on the Center for Democracy and Technology site said, "[The] suggested mission creep pushes the REAL ID program farther down the slippery slope toward a true national ID card." Speaking of federal buildings, CNet has a state-by-state enumeration of what will happen on May 11, when REAL ID comes into effect, to citizens who attempt to enter, say, the Washington DC visitors bureau. -
Will AT&T Start Filtering Your Connection?
We have another essay from Bennett Haselton for you to peruse. "Last week's coverage of AT&T's newly announced "anti-piracy initiative" mostly downplayed the key part of AT&T's proposal, which is filtering what their end users can access in the first place, not finding pirates or suing them after the fact. Friday's Associated Press article, which was reprinted on many news sites with headlines like "AT&T to Help Hollywood Track Down Internet Pirates" and "AT&T to ID Offshore Web Pirates", actually said only that "the effort is primarily aimed at pirates who set up operations in other countries" -- and since you can't really "aim" at pirates in Russia and China with anything except missiles, the statement suggests not identifying pirates or tracking them down, but pre-emptively blocking people from connecting to their servers. Only the Red Herring nailed it with their article title, "AT&T to Block Pirated Content"." Follow the magical URL to read the rest of Bennett's words on the matter.
I think this is a crucial distinction, because efforts to filter end users' connections (as opposed to making them pay consequences for their actions after the fact) have always been controversial, even when the content is illegal. The Center for Democracy and Technology successfully overturned a Pennsylvania law that required ISPs to block overseas child pornography sites, partly on the grounds that the filtering included many third-party Web sites as collateral damage. I've argued that a similar private-sector initiative called Canada Cleanfeed, where Canadian ISPs attempt to block child pornography Web sites, would do more harm than good. On the other hand, nobody's fighting very hard for the cause of child pornography downloaders who were caught and arrested. Web sites get sued and shut down all the time, but it was bigger news when Canadian ISP Telus blocked the Web site of a Telus labor union for three days.
So it's a big deal whether we're talking about "pre-emptive" filtering, or fighting piracy "reactively" by going after violators.
AT&T Senior VP James Cicconi said in e-mail that "discussion about what the technology will or won't do is premature until we can invent it", but most of the hints so far have been that the anti-piracy technology will be "pre-emptive", i.e. filtering users' connections. Cicconi said on a conference panel that AT&T has to spend billions on network maintenance to carry illegal pirated traffic -- which they probably couldn't recoup by suing people, so the only way to prevent that would be to block it. And Cicconi has referred to the technology several times as a "network-based solution" -- but what else could that mean, except filtering?
So let's assume that's what's on the horizon. Interestingly, Cicconi said that AT&T did not plan to block actual Web sites. However, he said in e-mail, "If one could, with a high degree of certainty, spot and isolate illegal traffic from an offshore site, would you not think the copyright holders would have a reasonable argument for a court order to block that traffic (as opposed to the site itself)?" Presumably this could refer to a Web page with an index of links to BitTorrent files -- so they'd be willing to block the BitTorrent links, but not the Web page? But from that point of view, why not just block Web sites too? If an overseas webpage has a list of links to pirated content, and that content is served over http from the same Web server, wouldn't they want to block it?
But I doubt this would stem much piracy in the long run, because if connection filtering to fight piracy became more commonplace, then the next generation of p2p file-trading programs would all just have circumvention capabilities built into them, that let you route your connection through a friend at an unfiltered ISP. You're on AT&T, you upload a file to your friend on Verizon which earns you some "credits" with his node in the p2p network, and instead of redeeming those credits to download a file from him, you use his node as a proxy to download a file indirectly from a site in Russia that AT&T is blocking you from accessing. Advanced users can do this already with tools like Virtual Private Networks and Tor, and some tweaks in a p2p program would just bring it within the range of the casual user.
On the other hand, if AT&T starts filtering traffic, it could set a bad precedent that any time a party in a legal proceeding wants a site declared "illegal", they can demand that AT&T (or other ISPs) block the site. It could be a site libeling a person, or a site hosting a decryption tool that breaks some company's poorly-designed code, or pretty much anything that some powerful person wanted to go away. Meanwhile, if an AT&T customer did get accused of downloading pirated content, now they could invoke the "AT&T didn't stop me" defense -- they thought that AT&T was filtering illegal content, and if they could get to it, then that meant it was legal! In both cases the problem comes from someone using the argument that once AT&T started doing any filtering at all, they should have gone further.
So I would watch the situation closely, even if you're not an AT&T user, and don't assume the situation will take care of itself. Cicconi said, "If a company like ours does dumb things and upsets our customers, we will lose them to someone else," which is something I'm skeptical of whenever I hear it used to defend various draconian anti-spam measures, but in this case I think it's even less applicable. When you're talking about spam filters, at least they always bring some benefit to the user (less spam), and the question is whether the free market weighs those benefits properly against the costs (more lost mail). On the other hand, if an ISP filters the user's connection, that brings no benefit to the user, and in a truly efficient market, all customers of such an ISP would just switch to an unfiltered one -- if that doesn't happen, it simply means the market in that case is not efficient. Is your ISP filtering your connection right now? Probably not, but how could you tell if they were? Right now we assume that ISPs don't filter connections because generally it's "just not done" (except when it is). In a few years we might not be so sure.
-
Cleanfeed Canada - What Would It Accomplish?
Bennett Haselton has another article on offer for us today, this time looking at the implications of a Canadian initiative to protect children online. Bennett writes: "Cybertip.ca, a Canadian clearinghouse for providing information to law enforcement about online child luring and child pornography, has announced that a group of major ISPs will begin blocking access to URLs on Cybertip's list of known child pornography sites. A Cybertip spokesperson says that the list fluctuates between 500 and 800 sites at any given time." Read on for the rest of his analysis. The system is named after a similar filtering system used by service provider BT in the UK. It is also reminiscent of a law passed in Pennsylvania in 2002 requiring ISPs to block URLs on a list of known child pornography sites; the law was struck down in 2004 on First Amendment grounds. Although child pornography is of course not protected by the First Amendment, the law was struck down partly because the ISPs were blocking entire servers and IP address ranges, so hundreds of thousands of non-child-pornography sites were also being blocked.
Under the implementation of the Cleanfeed system, representatives from Sasktel, Bell Canada, and Telus claim that only exact URLs will be filtered, not sites hosted at the same IP address. (Although conventional Internet filtering programs sold to parents and schools have also made the same claims, only to turn out to be filtering sites by IP address after all, so we'll have to wait until the filtering is implemented before we know for sure.) The other difference of course is that the Cleanfeed system is not the law, so there's nothing to "strike down" in court. Cybertip did acknowledge that this means customers can get around the filtering for now by switching to a non-participating service provider, although they are encouraging more providers to sign up. Cybertip declined to say whether any providers had simply refused to participate. But of course it's much easier than that to get around the filter, since filter circumvention sites like Anonymouse and StupidCensorship will not be blocked.
So, if it's that easy to circumvent, does it do any good? Even respected Canadian academic and columnist Michael Geist, hardly a friend of censorship in other forms, has spoken out in favor of the plan. I'm going to go out on a limb and say that it doesn't accomplish anything meaningful, and may set a horrible precedent that could make it much easier to block other content in the future.
First of all, it seems that it obviously won't stop anyone who is deliberately looking for child porn. Empirically there's no way to tell -- we don't know whether systems like Cleanfeed in the UK have prevented people from accessing child pornography on purpose. Even if the providers are counting the number of blocked accesses to known child porn sites, nobody knows what people have been looking at instead through proxy sites like Anonymouse. All we can do is ask, logically, whether it is likely to work. I think purely logical arguments are frustrating when there is no empirical data to act as a referee, but let's face it, users are not going to self-report on their success at finding child pornography, and there's no way to see what users are accessing through encrypted circumvention sites. Logic is all we have.
So, consider people who are deliberately looking for child pornography. Such people are likely to be resourceful to begin with (since real child porn -- remember, non-sexual pictures of naked children do not count -- is vastly less common than regular porn; Cybertip claims after all that they "only" have about 800 sites on their list, compared to millions of regular porn sites). Virtually all such people would be aware of circumvention sites like Anonymouse, or of peer-to-peer networks, which Cybertip says they have no plans to block. So nothing is blocked from people who want to get around the filter.
The only scenario where the filters could make a difference is the case where someone accidentally accesses a child porn site. Now when I first read the Cybertip press release announcing that the filter would aim to stop "accidental" exposure to child porn, I thought that was just a tactfully sarcastic way of referring to the people who get caught accessing child porn and claim it was just a mistake. But Cybertip.ca claims they've received over 10,000 reports since January 2005 from people who accessed child porn by accident. Even though that only works out to about 15 per day, I have to concede in those cases it almost certainly was a bona fide mistake, for the simple reason that nobody would voluntarily report accessing a child pornography URL that they visited on purpose. But even so, there's the question: What have you accomplished by blocking accidental exposure?
I would argue that the harm done by child pornography is to the minors coerced into the production of it, not to the people who view it. (This, by the way, corresponds with current U.S. jurisprudence; the U.S. Supreme Court ruled in 2002 that a law banning fake child porn was unconstitutional, even when the viewer can't tell the difference.) Obviously you prevent the most damage by stopping child porn at the production stage, but if it's too late for that, you can try to stop people from obtaining it willfully. This lowers the demand and decreases the incentive for people to produce more in the future.
But how would it lower demand if you block people from accessing it accidentally? If those people weren't going to proceed to buy or download more pictures anyway, then they're not fueling the demand. You can block them from accessing the pictures, but the pictures are still out there, and the people who really are fueling the demand can still access them.
So it seems that by blocking someone from accidentally viewing child porn, all you've really accomplished is to avoid offending their sensibilities. Now I don't mean that mockingly, I'm certainly not disagreeing with anyone whose sensibilities are offended by child porn. But there are lots of graphic pictures on the Internet that could offend someone's sensibilities, which are outside of Cleanfeed's mandate. Consider a photo of a 16-year-old having sex, versus a photo of an adult woman fellating a horse; even though the former is illegal to possess and the latter isn't, I think most people would be more grossed out by the second one. (I would even argue that there was more harm to the participants in the making of the second one, and in this case the law's priorities are a bit screwed up. Poor horse!)
So, why block 1% of the content that would offend someone's sensibilities, when 99% of the content that would still offend that person would still be out there? The fact that the 1% is illegal doesn't answer the question; even if it's illegal, you don't have to block it, so what have you accomplished if you do?
Possibly law enforcement is sick of people using the "I accidentally clicked on it" excuse when they get caught accessing child pornography, and wants to remove that as a defense. But couldn't someone just as easily claim that they "accidentally" accessed child pornography through a circumvention site like Anonymouse? They could claim that they thought they were accessing a regular porn site, they were using a circumventor to protect their privacy, and they didn't know that the site carried child porn and didn't find out until they'd already accessed it. So it doesn't seem like the filtering would remove the "accidental" defense.
So, I don't think the filtering accomplishes much at all, but it could set a very bad precedent once the filters are in place. Once Internet users have accepted the precedent that ISPs should block content that is "probably" illegal, what's to stop organizations and lawmakers from demanding that ISPs block access to overseas sites that violate copyright, for example, as the RIAA did in 2002? The technical means will already be in place, and more importantly, people will have gotten used to the idea that legally "questionable" content should be blocked. And with lobbyists claiming that 90% of content on peer-to-peer networks violates copyright laws, wouldn't it follow logically to block peer-to-peer traffic as well?
In a legislative climate where lawmakers have proposed everything from jail time for p2p developers to letting the RIAA hack people's PCs for distributing copyrighted files, we should resist any kind of content-based blocking that would let them get their foot in the door. That includes even well-intentioned efforts like Cleanfeed.
-
GAO Studies U.S. Government Data Mining
securitas writes "Total Information Awareness is alive and thriving. eWEEK's Caron Carlson reports on a new General Accounting Office study that says TIA-style data mining programs are rampant in federal agencies with 199 projects at 52 of 128 agencies. The Defense Intelligence Agency/DoD is the single largest user of these data mining projects (eg. Verity K2 Enterprise). The story was first reported by Reuters' Andy Sullivan (ZDNet UK mirror) and the NYT's Robert Pear, who wrote that at least 122 projects used personally identifying information like names, e-mail addresses, Social Security and driver's license numbers. The 'actual numbers are likely to be much higher' because the report excludes classified projects. Wired News' Kim Zetter writes that, in addition to government databases, federal agencies mine private databases of credit rating agencies, bank account numbers, student loan applications, etc. This week the Center for Democracy and Technology (CDT) released a report with privacy guidelines for data mining technology (PDF) development and use. Guidelines include data anonymization, government data access authorization and audit trails. Cynthia (Cindy) Webb's 'Total Information Dilemma' at the Washington Post is an excellent survey of media coverage of TIA, MATRIX and the GAO report 'Data Mining: Federal Efforts Cover a Wide Range of Uses' (mirror, both in PDF format). More at GCN, GovExec and the Guardian/AP." -
Deconstructing the Patriot Act PR Campaign
Aaron writes "The Center for Democracy and Technology offers up an interesting point for point rebuttal to the claims made via the 'rah-rah-esque' DOJ's website, part of the PR campaign (including Ashcroft speaking tours) to convince the public the Act is good for them. I think this Broadband Reports article also brings up a good point: among the groups attacking the Act, why do so few of them bring up Echelon? It already gives the government much of the surveillance ability they claim they're lacking, and without congressional oversight. The UN this year even launched an investigation into the use of the system to spy on UN diplomats without much fanfare." -
Exposing Personal Information in the Whois Database
rocketjam writes "In a letter to U.S. Representatives Lamar S. Smith and Howard L. Berman, the Center for Democracy and Technology has raised the issue of privacy problems with the Whois Database. Acknowledging the database is uncontroversial for commercial registrations, the letter points out that private individuals who register a domain name expose their names, home addresses, home phone numbers, and home e-mail addresses to the world. The letter warns, 'The current Whois regime is on a collision course with public sensitivities and international law. In an era of concern about identity theft and online security, it is unwise to require millions of individual registrants to place their home phone numbers, home addresses, and personal email accounts into a publicly available database that places no restrictions on the use of that data.' Additionally, the letter points out the current policy violates the privacy laws of some nations." -
U.S. Postal Service To Develop 'Intelligent Mail'
securitas writes "The President's Commission on the U.S. Postal Service's final report (PDF) has recommended that the USPS and the Department of Homeland Security develop sender identification technology for all U.S. mail. The commission said Intelligent Mail could bolster security and let consumers track the progress of all mail they send, which has been a top consumer demand in surveys. The report released July 31 reads, "Each piece of Intelligent Mail will carry a unique, machine-readable barcode (or other indicia) that will identify, at a minimum, the sender, the destination, and the class of mail... Intelligent Mail will allow the real-time tracking of individual mail pieces." Privacy advocates like the EFF and Center for Democracy & Technology are understandably concerned. The Final Recommendations are available in PDF format. More at Direct Marketers News and pro-privacy/civil liberties magazine Counterpunch." Jamie adds: This confuses me, because I read a news story in late 2001 which matter-of-factly explained that authorities would be contacting recipients of letters which went through a particular post office around the same time as an anthrax envelope. The implication, which I haven't seen any discussion of then or since, is that records are kept of every letter's travels through every post office. Anyone know anything about that? Update: mec does. -
Where Does Spam Come From? No, Really?
jnazario writes "The Center for Democracy and Technology has recently put together a really neat paper studying the methods by which spammers get your email addresses. The report posted otherwise unused email addresses in a variety of locations, using different techniques for visibility (ie HTML encoding vs plaintext) and then watched what accumulated after six months. They generated some interesting results into the methods by which spammers can track you (with publicly available websites containing your bare email address being the most popular method) and even some techniques to stop spam, such as HTML encoding your email address. A very interesting read." -
Spam Research Six Month Report
Zoomer writes "Every day, millions of people receive dozens of unsolicited commercial e-mails (UCE), known popularly as 'spam.' Some users see spam as a minor annoyance, while others are so overwhelmed with spam that they are forced to switch e-mail addresses. This has led many Internet users to wonder: How did these people get my e-mail address? In the summer of 2002, CDT embarked on a project to attempt to determine the source of spam. To do so, we set up hundreds of different e-mail addresses, used them for a single purpose, and then waited six months to see what kind of mail those addresses were receiving. The results offer Internet users insights about what online behavior results in the most spam. The results also debunk some of the myths about spam." Update: 04/12 15:47 GMT by CN : About a minute after this went live, I found that michael posted this earlier. Mea culpa. -
CDT Releases New Report on Origins of Spam
Carnth writes "CDT has released a new report based on a six month project entitled "Why Am I Getting All This Spam?" The results offer Internet users insights about what online behavior results in the most unsolicited commercial email and also debunk some of the myths about spam." A very good report - read it. There's also a story about yet another sleazy spammer in Ohio. -
US Opens Portal for Online Comments on Regulations
Judg3 writes "My most recent newsletter from the Center for Democracy and Technology included a link to the newly unveiled Regulations.Gov site that allows individuals to more easily find and comment on proposed rules being considered by federal agencies. Comment on proposed rules ranging from the Secretary of Defense, Coast Guard, Veteran Affairs Admission, to even the Post Office." Here's a newsletter about the site. -
How Dangerous is Online Chat for Kids?
The House Subcommittee on Telecommunications and the Internet held a hearing in my home town yesterday: "Chatting On-Line: A Dangerous Proposition for Children." Six witnesses came to Kalamazoo, Michigan and described the perils of on-line chat to Rep. Fred Upton (R-Michigan) and Rep. Charles Bass (R-New Hampshire). The most surprising and welcome news of the afternoon was that, despite the alarmist title, there was not a panicked call for additional legislation. The hearing launched with Congressman Upton touting his internet record -- notably the .kids domain, now .kids.us. Personally, I like the idea of .kids.us, though some disagree.
The witnesses were Katie Tarbox, who in 1995, at age 13, had been inadequately briefed on the "rules of the net" and disastrously agreed to meet a child predator she'd chatted with online; two local law enforcement personnel, John Karraker and Jim Gregart; Ruben Rodriguez, the Director of the Exploited Child Unit for the National Center for Missing and Exploited Children; Caroline Curtin, the Director of Children's Policy for AOL; and Kathleen Tucker, the Director of Curriculum Development for I-Safe America.
Everyone was concerned about keeping children safe online. It goes without saying that this is a desirable goal, as long as it's done in accordance with the Constitution and doesn't interfere with everyone else's legal use of the internet.
The problem is a serious one. Real kids are being lured into dangerous relationships over the internet; charges were filed in one more case here in Kalamazoo County just last week.
The preferred pickup method for child molesters nowadays is the internet: chat, instant-messaging, and email. The old tricks of "would you like some candy?" and "your parents were in an accident, I'll drive you to the hospital" -- those are yesterday's news. Kids growing up now need to be aware of different dangers, ones involving formation of long-term relationships, questions about online identity, and trust.
I wasn't able to find any reliable statistics on how often children are victimized using the internet. The best numbers I found were from a phone survey of 1,501 children, ages 10 to 17, who used the internet regularly. Of them, 19% had "received an unwanted sexual solicitation" (imprecisely defined) but only 3% had been solicited with "attempts or requests for offline contact" or actual offline contact.
And precisely 0 of the 1,501 children said they had been sexually contacted or assaulted due to online solicitations. This seems significant to me, given that 21% of all children -- statistically, hundreds of the children in the phone survey -- are sexually abused (by some definition of the term) before age 18. Unfortunately, 0 is not a number that extrapolates well to estimate how many of the United States's 70 million children will be physically victimized with help from the internet. But if I understand the numbers, it seems the internet is not the most likely source of danger.
A study called JOVIS is in the works and should provide some concrete numbers. According to Mr. Rodriguez, we can expect data from it in four to five months.
In any case, the message our lawmakers heard yesterday was not that we need more laws.
All six witnesses said, using almost the same words, that there is no substitute for parental involvement. Three called for more money and training for law enforcement, to give existing laws teeth. It sounds like law enforcement, especially at the state and local level, is still coming up to speed on this issue. And Ms. Curtin, for AOL, emphasized that ISPs were already taking steps, and suggested patience to allow them to develop an industry standard.
The testimony and discussion was so removed from proposing new legislation, in fact, that Rep. Bass seemed a little bored and annoyed. He had to remind everyone twice that he and his colleague were lawmakers: "As a member of Congress, I would like to hear what recommendations you have for what we might do -- I haven't heard anything about that so far. ... If I could reiterate: we make policy. This is a very interesting problem, but precisely what suggestions would you have for us as policymakers? If you could draft the bill, what would it say?"
Proposals were hesitant. Our local prosecutor suggested mandated inclusion of a CD with every new computer sale, which would explain how to keep children safe online. I'm not sure why existing explanations (here's one) are insufficient; why not just link? And Kathleen Tucker of I-Safe suggested standardizing on "digital certificates," client-side certs issued by an authority which confirms your identity using proof ranging from photo ID up to DNA (!) -- thus allowing children to verify that screen name BritneyRulez333 does not actually belong to a 45-year-old man.
That excepted, Ms. Tucker's testimony was refreshingly sound. She squarely faced the problem of child predators, and quoted Judith Krug of the American Library Association's Office of Intellectual Freedom: children "need to be taught the skills to cope in the virtual world just as they are taught skills to cope in the physical world."
Parents aren't there to watch over kids every minute. Just as they learn to cross the street without holding an adult's hand, so they need to learn how to wander the internet safely. "The value of empowering our children, through education," she concluded, "with the knowledge and critical-thinking skills that they need to be able to independently assess the every-day situations they will encounter while online cannot be overstressed... Education and empowerment are key."
In my opinion, that's exactly right.
But I wonder how effectively government will be able to help alleviate the problem. Knowledge is key, but kids are, as usual, embracing and understanding change, while bored Congressmen sit behind tables and listen to prepared speeches. Last week, I contacted three students, ages 14 to 17, and asked them about their experiences chatting online.
What they thought, and what they reported their friends thought, was pretty savvy. They understand the dangers, are well aware of the internet's advantages, and know how to stay safe. One student reported:
If kids know not to give out their personal information, and what could happen if they do, then there is really no danger. I would feel like I was missing out on a lot if I didn't have the opportunities to communicate online. It gives me a chance to stay in touch with my current friends, make new friends, meet interesting people, and find a group where I feel like I belong.
Another student reported:
I chat to other people almost every night, or whenever I get the chance to. I do not see chatting on-line as being dangerous, or otherwise harmful. Sure you always hear those stories about 12 year old girls chatting with 45 year old men, but I see online chatting as a way for people with similar interests to discuss and debate interesting topics. ...I strongly believe that if you chat online with people that you do not know personally, you should figure out what this person is really like, and if you can trust them or not.
Finally, I traded several emails with one girl who had chatted online extensively for years, and has met in person "at least 10 or so" other kids whom she first found on AOL -- including a meeting with some boys from another state.
This might seem like a recipe for disaster. But, not only was her protocol for establishing trust detailed and thorough -- paranoid even -- but she readily explained to me her reasoning for each step along the way. She's a poster child for "education and empowerment." And I doubt she's unique:
How did I know to be careful about creeps on the internet? It would be hard not to know nowadays. With an Oprah special about it practically every week, and news documentaries and polls, the facts are pretty much right out there for you. It's like taking candy from a stranger, it's common sense I guess... The types who would fall prey to an online creep would just as easily be a victim to a creep in real life... If the topic of internet chat comes up in school, teachers will almost always preach about safety and weirdos and such. So pretty much the topic of internet safety is inescapable -- it just depends on how well you listen to it.
I hope that's true for every young person.
-
Anti-Civil Liberties Legislation Progresses
hillct writes: "The ACLU has a very good comparison chart of anti-terrorism provisions in legislation currently being considered by congress. It covers the Combating Terrorism Act of 2001, the House Bill (PATRIOT Act) and the Senate Bill (USA Act), comparing it all to current law. We've all seen pieces of this information but the ACLU staffers did a great job consolidating it all." CDT also has a very good pdf guide to these about-to-be-passed laws. But the Onion has the best commentary. -
Microsoft Defends Passport To Privacy Group
securitas writes: "CNET reports that Microsoft is defending Passport as safe and secure in a presentation to the Center for Democracy and Technology. Other organizations such as the Electronic Privacy Information Center, Junkbusters and even the U.S. government may be lobbied by MS this week to fend off a Federal Trade Commission complaint filed by 15 consumer and privacy groups that charges unfair and deceptive practices." -
Censorware to be Mandatory in Schools, Libraries
It was supposed to be done by September 30, but Congress finally finished its budget for this year. Because it works best with our sometimes-bizarre legislative system, this year, like every year, hundreds of unrelated measures were rolled up into one massive package and crammed through the door. Your grandchildren may look up at you with a puzzled expression, fifty years from now, and say "grampa" (or gramma), "did you really use an unfiltered internet, back in the olden days? Wasn't that scary? How did you ever survive with all that porn jumping out at you?" If that happens, just sigh, and think back to the olden days -- December 2000 -- before censorware became mandatory in public institutions nationwide. The massive spending bill has been passed by the House and Senate, and President Clinton is expected to sign it soon. Despite some noises from the Clinton administration mildly protesting censorware, the small amendment making it mandatory is not considered to be an important enough issue to veto an entire appropriations bill.
Sen. John McCain (R-Ariz.), a longtime proponent of censorware, introduced the amendment.
As the ACLU says,
Earlier this year, an 18-member commission appointed by Congress rejected the idea of mandating the use of blocking software, which is notoriously clumsy and inevitably restricts access to valuable, protected speech. A wide spectrum of organizations have opposed blocking software mandates, including the American Library Association, the Society of Professional Journalists, the conservative Free Congress Foundation and state chapters of the Eagle Forum and the American Family Association.
"There was an Alice in Wonderland quality to this debate," said Marvin Johnson, a Legislative Counsel with the ACLU's Washington National Office. "With its vote, Congress rejected the advice it asked for from the panel it appointed."
The "wide spectrum of organizations" extends from educators to The New York Times to strongly conservative political/religious groups. For more on the COPA Commission and its recommendations, see our stories from July and August.
Essentially it says that any school or library which receives federal funds to build its network must install censorware. Since these funds are the chief way that poor and middle-income areas bring the internet into public institutions, effectively this means that only rich counties will have the option of an uncensored internet.
The text of the self-declared "Children's Internet Protection Act" is available from CDT. It uses the term "technology protection measure" to describe the software.
In related news, Peacefire, an advocacy group for youth free-speech rights, released a tool to provide one-click disabling of some popular censorware programs.
Meanwhile, the ACLU will be suing to stop this bill from taking effect. This is not a slam-dunk like the CDA was. They're in for a tough fight. Here are three reasons why:
1. The CDA's language was very broad. This bill targets its material precisely: obscenity, child pornography, and "harmful to minors" material. Of course there is no "technology protection measure" in existence which can censor only this material, or even claim to censor only this material.
2. The CDA covered speech. This bill addresses the right to read that speech in a public institution.
3. This bill regulates institutions which are taking public money and how they may use it. Legally, and also in many people's minds, it is more permissible to enact regulations which go against the grain of the Constitution if they are tied to acceptance of public funds.
(The classic example is that the Fourth Amendment protects our homes from unreasonable search and seizure, but when the government provides public housing, it sometimes tries to say that the 4th Amendment does not apply. Same situation, different Amendment.)
Brock Meeks is more optimistic, saying the bill is "doomed." The key issue, I think, will be whether censorware can work. If it does not work, if it cannot work, then the language of the bill is irrelevant; our Congress might as well have demanded a "technology protection measure" to give all our kids 200 IQs and a lifetime supply of free donuts.
When I get in the mood to be optimistic, I think about all the stories we hear from students who are already forced to use this software. It seems like everyone has an anecdote about how they were blocked from doing legitimate research for school.
So maybe if this legislation survives, in ten years, all the kids who grew up with first-hand experience with censorware will start to vote. That's about the only bright side I can see.
For now, Brown v. Board of Education is the example I'm keeping in mind. The Supreme Court, after a half-century of segregated schools, decided that "separate educational facilities are inherently unequal" -- the theory might be OK, but it had failed in practice.
The courts should evaluate the "technology protection measures" by what they do, not by what the law demands they do. The theory might be OK, but in practice, all the technology that I've looked at blocks much more than it should. I'll be hoping for a verdict that reads: "technology protection measures are inherently censorship."
And, hopefully, now -- not after a half-century.
-
Vote Early, Vote Often
ICANN's At-Large Elections are now underway. If you were lucky enough to be able to get through during the registration process, and then lucky enough to actually receive your PIN in the mail, congratulations, you can vote. Click through for your FREE Slashdot voter's guide... :) There is actually a great deal of information available about these elections and the candidates - it puts the U.S. presidential elections to shame, quite frankly.
Where to Vote: ICANN's online voting site
When to Vote: Now until midnight (GMT), Oct. 10.
Who to Vote For: That's a little less straightforward. Here's some resources to help you decide.
- CDT's Election Guide - CDT mailed a questionnaire to the candidates asking a variety of questions, their answers are online: North American thumbnail guide - North American detailed guide
- Internet Democracy Project - They also sent out a questionnaire, and the answers from all candidates have been posted. These are good questions.
- Association for Progressive Communications voting recommendations
- Berkman Center candidate forum - The Berkman Center sponsored a debate between all seven candidates (not just the ones with more than 15% of the vote, heh), Webcast it, and recorded it for your viewing pleasure. Archives are available here. While the discussion is lengthy, there's no better way to see the candidates in action.
- Dan Gillmor, columnist
- Brian Livingston, columnist - Livingston has a good summary of what is wrong with ICANN.
The groups above recommend a voting slate of Lessig first, followed by Simons, followed by Auerbach, for the North American seat (you get to rank all seven candidates in order of your preference). Here's my recommendation, slightly different from the above:
- Auerbach - Auerbach understands DNS, and he understands the civil liberty issues, and he has paid a LOT of attention to ICANN, and he understands - right now - how to fix its main problems. The other recommended candidates (Simons and Lessig) have the potential to understand ICANN as well as he does, but he has already put in the study time! I picked Auerbach as my first choice.
- Simons - Simons understands the civil liberty issues, and has spent a lot of time in this sort of political environment, and has the potential to understand ICANN inside and out, but she hasn't put the time in yet. I picked her second.
- Lessig - Lessig is a smart guy. I don't think he comes with as solid a commitment to civil liberties as the others, and I don't think he has any special understanding of DNS issues. Of course he's bright enough to understand anything he puts his mind to, but why distract him from the 20 other things he's undertaking (such as joining EFF as a board member recently). Lessig gets my third choice.
- Tiller - Tiller is sort of a wildcard. From what he says, he would be a civil-liberties oriented candidate, but I had never heard of him before the elections, so he's a bit of a dark horse to me. Still, he beats the remaining candidates hands-down.
- Langenberg - Langenberg seems like he would be a fairly ineffective candidate, no civil liberties focus, not (obviously) captured by IP interests or anything else. But we don't need an ineffective candidate.
- Chapin - Chapin earns the second-to-last spot. He works for Verizon and can be expected to promote policies that would benefit the major telcos, as if they didn't have enough representation already.
- Miller - Miller is dead last. President of the ITAA, he represents all that is wrong with ICANN right now, and states flat out that he thinks they've done a great job to date and he would continue the path taken so far. If you think ICANN is right on track, vote for Miller. Bleh.
-
Appeals Decision in USTA vs. FCC (CALEA)
MacRonin writes: "Electronic Privacy Information Center announces the DC Circuit Decision in USTA v. FCC (CALEA). The U.S. Court of Appeals for the DC Circuit has ruled that law enforcement agencies must meet the highest legal standard before using new surveillance capabilities. The court decision came in a legal challenge filed by EPIC, other privacy groups and the telecommunications industry to invalidate technical surveillance standards issued by the Federal Communications Commission last year. More details at: CDT Policy Post Volume 6. The court's decision is available."
Note that this case is fundamentally about money: the telecom carriers are suing the government because they feel that the government's desired surveillance abilities (mandated under the 1996 Communications Assistance for Law Enforcement Act; this is where Carnivore was born) are too expensive to implement. If the government provided more money (half a billion tax dollars were given to the phone companies when CALEA was passed, but the companies want more), these objections would evaporate.
So there weren't any principles of privacy involved, at least in the beginning. But some civil liberties groups have grabbed on the shirt-tails of this case to make principled arguments - that the surveillance requirements are too burdensome and intrusive in principle, not just too costly. So this is actually a good result where the Court mostly agreed with the civil liberties people that the surveillors should have to get warrants for some of the information they were seeking to get without warrants, and other information may be unavailable entirely. Note however that "call location" information (the ability of cellular carriers to report to the cops which cell phone tower your phone is registered with, and therefore, probably where you are) will still be available to law enforcement.
-
Artificial Intelligence At The COPA, COPA Commission
There's a boatload of censorware news today, enough for two or three Slashdot stories -- but to conserve electrons, we're bringing it to you all in one easy-to-download package. First, Peacefire has a report on the accuracy of intelligent skin-tone-scanning software, one month after its company said they'd have it working in a month. And since the CEO of ClickSafe spoke at the COPA Commission meeting yesterday, Peacefire ran a check to see how many COPA-related sites its AI blocks. Finally, Waldo Jaquith has a report from the meeting itself which should be sobering but cracked me up anyway. Pay attention, everyone, these are the folks who are going to censor your Internet.
The Child Online Protection Act, passed late last year and then struck down early this year, is still under appeal. Colloquially it's known as "CDAII." Part of what the Act does is establish a Commission that meets every so often -- the Commission's website has details on its mandate and so on.
(Update, a few minutes later: make that "injunctified," or whatever one says for a law against which an injunction has been applied, instead of "struck down." Sorry; IANAL.)
Speaking at the Commission meeting yesterday and today were the CEOs of several major censorware companies. Among them was Michael Stephani, whose company Exotrope makes a product called BAIR.
BAIR
BAIR checks images as they download onto your computer, and claims to be able to tell the difference between pornography and other types of images. The "AI" in its acronym stands for artificial intelligence, running on supercomputers.
When the Wired story on BAIR came out last month (a story "borrowed" from Peacefire -- I'm not going to get into it), Wired quoted the company as saying "they plan to fix the errors within the next month." What errors?
"BAIR incorrectly blocked photographs of Yellowstone, the Baltimore waterfront, Snoopy, boats, sunsets, dogs, vegetables and even a Wired News staff meeting.
"It rated as acceptable for minors -- even on the most restrictive setting -- explicit images of oral sex, anal sex, group sex, masturbation, and ejaculation."
That was one month ago. How's BAIR doing now?
Peacefire retested the same 50 pornographic images that they'd used last month (which presumably BAIR's programmers would have paid extra-special attention to). Their new report finds that, instead of zero, the number of blocked images is now: 34. I've got a great slogan for them: "now your children can only see 32% of the web's oral sex, anal sex, group sex, masturbation, and ejaculation."
One's respect for these programmers is dampened a little, though, because there's more to Peacefire's report. It seems, in a random sample of 50 photos of people's faces, BAIR blocked ... how many? ... 34.
Maybe that slogan should be: "now your children can only see 32% of the web," period.
It's wonderful to live in a world where artificial intelligence offers limitless possibilities. Its website suggests that "Because Artificial Intelligence can be taught to recognize a variety of patterns," -- oh, OK -- "our BAIR can be taught to evaluate other categories such as violence or illegal activities. The BAIR is currently undergoing training in these areas to provide additional filtration selections."
ClickSafe
Richard Schwartz, CEO of ClickSafe, also spoke yesterday at the COPA Commission meeting. Just for kicks, Peacefire decided to try out their spiffy AI software too.
Insert marketblurb here: "...by combining cutting-edge graphic, word and phrase-recognition technology, ClickSafe has achieved accuracy rates of over 99% (according to recent sample tests). ClickSafe can precisely distinguish between appropriate and inappropriate sites (e.g. sites related to issues such as breast cancer will not be blocked)."
What Peacefire did was test this software against the website of the COPA Commission itself, and related sites such as those of speakers or Commission members. They found that blocked pages included:
- The Child Online Protection Act itself, in original and amended form;
- The COPA Commission FAQ;
- Biographies of Commission members Stephen Balkam and John Bastian;
- Bio of Commission member and famed anti-porn crusader Donna Rice Hughes, as well as Appendix A from her book Kids Online: Protecting Your Children in Cyberspace;
- A list of technologies the Commission examines;
- The scope of what the Commission is called upon to do;
- A service agreement from a little company called Network Solutions, whose rep chairs COPA's meetings;
- "About the ICRA" (the makers of RSACi, "a simple, yet effective rating system for web sites which both protected children and protected the rights of free speech");
- Bible study tools: "We hope these free resources foster a desire for Christians to learn more about the Bible, deepening their relationship with God" unless they're using censorware;
- The American Family Association (a conservative Christian group that is trying to force censorware into public libraries, including those surrounding the Slashdot Geek Compound);
- The ACLU, the EFF, and the Center for Democracy and Technology;
and so on.
When I spoke with Bennett about this, he commented that the strange thing was that these flaws are so easy to find; you'd think someone would have run these simple tests already. If anyone reading wants to get their name in Slashdot (and other news media too), censorware is a gold mine of untested misinformation. Buy a product, design a solid unbiased test for it, run the test, and send us what you find. Repeat until the whole world has a clue.
The COPA Commission Meeting
The following is an account of yesterday's COPA Commission meeting, by Waldo Jaquith. Keep in mind that this meeting's purpose, according to the Scope & Timeline Proposal which is blocked by ClickSafe, is to study filtering and blocking software to learn what to recommend in its report to Congress late this year.
Folks,
For more information on the COPA Commission, see http://www.copacommission.org/. (Unless your network has ClickSafe installed, in which case you shouldn't bother.) There is an agenda for this meeting, and there are bios for most people, as well as the prepared speeches for many of the below folks. I've tried to be objective.
Oh, screw that. There's nothing objective about it. But I've tried to give useful facts, quote accurately, etc.
The whole affair, which was scheduled to start at 9:30am, didn't actually start until 10:15am. Which was good, because I didn't get there until 9:45. Although the event was being held at the University of Richmond's Jepson Alumni Center, the room felt like your basic hotel meeting room. Bad carpet, ugly chairs, poor lighting. There were enough chairs to seat about 100 people, but only 35 people were in attendance. Directly in front of the two columns of chairs was a table with chairs, facing away from the audience. This table was for people asked to testify before the COPA Commission. On the other side of that table was a long table, at which was seated the commission, all sixteen members. The result was that the people testifying, who did most of the talking, could only be recognized by the backs of their heads by the audience.
Chairman Donald Telage called the meeting to order and introduced the first panel, who was to speak for approximately 45 minutes on the topic of client-side filters. This panel included Gordon Ross, the President and CEO of Net Nanny, Mark Smith, the President of BrowseSafe, Susan Getgood, the VP and General Manager of Cyber Patrol, and Richard Schwartz, the CEO of Opportunity-America (ClickSafe.com).
Gordon Ross kicked things off with a tremendously boring ten minute speech about how client-side filters work. The only interesting comment that he made was his belief that "consumers should have the ability to analyze each and every site in the database..." [...because his product Net Nanny is the only one of the 150 censorware packages on the market that allows oversight of its blacklist. -ed] He also kicked off the First Amendment references, which nearly every speaker throughout the day would spend some time talking about, but not really saying very much.
Mark Smith from BrowseSafe occupied the next few minutes, giving a rambling speech in which he discussed censorware as if it were some far-off and idyllic concept.
"Most products focus on either client-side- or server-side-based technology. What would happen if the benefits of each could be brought together to provide the user with a new, more flexible and powerful way of surfing the web? What if every sub domain of every site had been categorized and classified by its content? Wouldn't you agree that everyone could benefit from that combination of technology? Of course you would? Now let's walk across the street to the front porch of the family of the home and try to view it from the parent's perspective. What if parents were able to determine what the child sees? What would it be like if e-mail, instant messaging, chat and other computer tools could be also controlled?"
Then, although the topic was client-side filters, he rambled on for several minutes about PlanetGood, a website that was probably unfamiliar to many in the room. He used the site's name in every single sentence for several minutes. And, naturally, he closed talking about "our forefathers" and "these inalienable rights that our forefathers entrusted to us and many of them died for."
Susan Getgood from Cyber Patrol kept things short and sweet, and took the "I'm a new mother and want to protect my children" approach. She muddled the definition of censorship somewhat, saying that "[s]ome critics confuse censorship, which is imposed by the government, with technology that a family or school can choose to use and then set to implement an individual policy." Our school system isn't a part of the government?
Richard Schwartz of ClickSafe.com touted his product nearly as much as Mark Smith promoted the mysterious "PlanetGood." He also described a system that his company has developed that sounds very much like Exotrope's BAIR. "Fleshtone has a very unique set of features [...] Through a combination of a set of sophisticated algorithms it can establish if something is pornographic. [...] Justice Potter Stewart lives within our system, because he knows it when he sees it. It works, it's been tested out, it's over 99% effective." "We can distinguish between chicken breast and sexy breast." "A consortium of Portuguese and Australian pornographers had been hijacking people off of different sites, including the Harvard Law Review site into their pornographic sites. And then you have to reboot your computer in order to get out."
After the four had testified, we moved into the commission Q&A session. (No questions would be allowed from the audience.) A few interesting questions, answers, and comments cropped up during this portion.
Richard Schwartz, only half kidding, proposed a tax on Internet pornography.
Commissioner Gregory L. Rohde asked Richard Schwartz if his image filter could tell the difference between art and pornography. Astoundingly, Schwartz replied that it could.
Commissioner Jerry Berman asked if there were any plans to create an organization that could provide objective reviews of censorware products to help parents decide what to buy. Gordon Ross said that this had been tried a few years back with SIFT (?), and that it didn't work out.
After a short break, we began the second panel, which addressed server side filtering. Testifying was Kevin Fink, N2H2's CTO; Sunil Paul, Chairman of Brightmail; Stephen Boyles of Library Guardian (Swifteye); Michael Stephani, President and CEO of Exotrope; Ginny Wydler, Director of Standards and Policy at AOL; and Tim Robertson, CEO of FamilyClick.
The first person to say anything interesting was Michael Stephani, who made some fairly interesting claims. He said that their blacklist of sites included four million sites, and that their image-recognition software, BAIR, is 99.8% effective. Stephani bragged that it blocked 1 out of 6 general images and 96 out of 100 pornographic images. He pointed out (perhaps rightly) that image filtering is the only real way to filter out pornography, and also that client-side filtering would soon go the way of the dodo, given the proliferation of Internet appliances. It wasn't long before he got all 'God bless America' and 'think of the children,' and eyeballs could be heard rolling throughout the room.
As Commissioners asked questions of the panel, Chairman Donald Telage admitted that he wasn't aware that client-side filters were able to use a blacklist. He was under the impression that they could only filter. I had flashbacks from the Napster hearings last week ("Can't you track their intellectual property address?")
Out of the blue, Karen Talbert asked the panel for a show of hands regarding their respective products' ability to work with high-speed connections. Obviously, everybody's hands went up.
How do these people get on the commission?
When given half a chance, Stephani got all "think of the children, my god, won't somebody think of the children?" again. He also bragged that Exotrope has a new, not-yet-released product that filters IM [AOL Instant Messaging -ed.] and even detects innuendo. Stephani said that they just got a contract to install this program on 30,000 school servers. Continuing his spectacular Old Faithful of shit, he cheerfully envisioned a time in the future when there would be "photonic switches" that would maintain a complete blueprint of everything that every user had ever done on-line. Christ, that's frightening. Stephani said that they'd spent $6.5MUS developing BAIR, and went on to point out the coincidence that Peacefire released the report showing that BAIR was 0% effective on the same day that their servers went down. Perhaps he was implying that Peacefire members hacked the server, perhaps that we were taking advantage of them, or perhaps he was just laughing at the circumstances.
There was no promised audience Q&A. That's probably because the whole event ran well over when it was supposed to end. Lacking a better approach, I rushed up to the ebullient Stephani with a copy of the newest BAIR report in hand. Although he was already talking to a reporter, he stopped when he saw my nametag ("Waldo L. Jaquith, Peacefire") and looked a little surprised. He, as well as his sidekick PR guy, enthusiastically introduced themselves. We talked for a few minutes, during which time I said that BAIR appears to suck less than many other censorware programs. But I was still fundamentally opposed to all of them. Between this and the revised report, Stephani was my new best friend. Several other people came forward to read nametags and shake hands, but I continued to talk to Stephani and the reporter, Drew Clark from Technology Daily.
Ten minutes later, when I walked out, I felt a little baffled. Stephani behaved towards me as if Peacefire had just given him the most glowing review that BAIR had ever gotten. This, despite my repeatedly pointing out that Peacefire is fundamentally opposed to filters, always will be, and BAIR is simply rather effective at performing the task that we hate.
I was disappointed that a few major points were never brought up during the discussions:
- Server-side censorware (especially that which is housed with each website) will always be a severe privacy violation, because it needs data on the user in order to establish what information to provide.
- Client-side censorware is doomed to fail because children know more about computers than their parents. The parent has to trust that little Suzy won't uninstall Cyber Patrol. But if Suzy can be trusted, why bother with Cyber Patrol?
- Internet censorship is impossible. The Internet is so large that it's a waste of time, so let's all stop. Gated community models, like AOL, Compuserve and such, are a far better way to provide a "safe" experience for kids.
- The concerns about children's wellbeing presented during the meeting mirror those that parents, since the beginning of time, have always had for their children. How can I keep my child safe when I'm not watching him? How do I know what my child is doing if I'm not around? How do I keep my children from hearing / seeing / saying bad things? Censorware makes no more sense than installing a v-chip in little Suzy's head. Get over it.
In a nutshell, I'm not sure what, if anything, was established at this meeting. It's clear that most of the Commissioners knew very little to start off with, and their opinions are being formed on what amounts to a series of sales pitches sprinkled with god-and-country references, a la mega blowout carpet sales around Independence Day. I'm glad COPA was struck down. Let's get on with our lives.
Best,
Waldo
-
White House Proposes New Wiretapping Restraints
CharlieG points out this story at ABCNews.com. The White House wants to make law enforcement jump through the same hoops to intercept e-mail as it currently must to intercept phone calls. CDT approves of the plan. The ACLU is understandably focused on Carnivore (FBI: "trust us") and is "disappointed" that Clinton didn't take the opportunity to put the kibosh on it. I can't tell from the news reports whether the proposed legislation would only affect law enforcement, or whether the private sector would also be held to the same standard.
-
COPPA Steps on ICQ Privacy
An AC writes "According to this CNET news.com article, AOL has started to remove ICQ accounts of anyone whose info states that they are under 13 years old to comply with the new Children's Online Privacy Protection Act (COPPA). Yahoo is now reportedly asking customers to provide credit card numbers to verify that they are older than 13! Now, I am all for protecting kids online, but isn't this a bit over the line?"
-
FEC Hears: "Hands Off the Net!"
The New York Times (free reg. req.) is reporting that the Federal Election Commission has heard a clear message from the internet community regarding regulation of political websites. That message: Don't! It seems likely that no new regulations will be passed at least before this year's election. Some thoughtful material urging the hands-off approach is at the Center for Democracy and Technology.