Domain: theinternetpatrol.com
Stories and comments across the archive that link to theinternetpatrol.com.
Stories · 8
-
Hotmailers Hawking Hoax Hunan Half-Offs
Frequent Slashdot contributor Bennett Haselton writes "An estimated 200,000 Hotmail users currently have their auto-reply set to a message spamming an advertisement for Chinese scam websites, which sell "discounted" electronics. Presumably the spammers compromised a large number of Hotmail accounts to pull this off, but wouldn't it be pretty easy for Hotmail to query for which users have that set as their auto-reply, and turn the auto-reply off for them?" Read below for Bennett's thoughts.
After a recent mailing that I sent out to a subset of my proxy mailing list, I got back 18 auto-replies from Hotmail users, all substantially similar to this:
Dear friend:
We are an electronic products wholesale .Our products are of high quality and low price. If you want to do business , we can offer you the most reasonable discount to make you get more profits. We are expecting for your business.
Please visit our website: www.wedosale.com
Email: wedosale@vip.188.com .
MSN: wedosale@hotmail.com .
Looking forward to your contact and long cooperation with us!
Our mainly products such the phones, PSP, display TV, notebook, video, computers, Mp4, GPS, xbox 360, digital cameras and so on.
Welcome to visit our website!
Some of the spam auto-replies advertised different websites, and the wording varied between the different auto-responses, but they were all similar advertisements for Chinese electronics "retailers." (And so, I assume, the websites are all fronts for the same company -- if multiple spammers had independently hacked Hotmail users' accounts to set their auto-replies, it would be vanishingly unlikely that those spammers would all happen to be electronics hawkers.) This was from a mailing that I sent to a set of subscribers that included about 26,000 users with "hotmail.com" e-mail addresses. If 18 out of 26,000 users in my sample have had their accounts hacked to send spam auto-replies, then this must be happening to a large number of Hotmail users -- not a large proportion (only one in 1,500, in my sample), but with about 300 million Hotmail users, that would still be a large absolute number.
The same spammers have apparently been spamming through Hotmail auto-replies for at least 11 months, according to this post in the Windows Live Help community forum from January 2009. At first, some pundits seemed to have assumed that spammers had created these accounts themselves and subscribed the accounts to people's lists, in order to spam the list owners (and, if it's a list that accepts subscriber posts, broadcast the spam to the other list readers). However, looking at the addresses in my proxy mailing list that were sending the spam auto-replies, I noticed that (1) our records show that the auto-reply-spamming subscribers joined the mailing list by various means, signing up through different Circumventor websites, not indicative of how a spammer would have joined the list by automated means, and (2) many of their email addresses are associated with legitimate-looking Myspace and Facebook accounts. Thus it looks as if these were real users who joined the list legitimately, and then got their accounts hacked by the spammers, who set those users' accounts to send the spam as an auto-response.
(If you happened to look at the spammers' www.wedosale.com website, at this point you might be thinking: I don't want to give money to spammers, but can I really get a Blackberry for only $295? Couldn't I just order from the website, and then if the goods don't show up or they're not as advertised, I can dispute the charge on my credit card? Well, I signed up for a dummy account on the www.wedosale.com page and got as far as the order page, and the only payment types that they accept are wire transfer, Western Union, and Moneygram -- precisely those types where you cannot get the money back or dispute fraudulent charges. If you've already gone and ordered a Blackberry, don't hold your breath.)
If my 26,000 users were a representative sample of the 300 million current Hotmail users, then with 1 out of 1,500 users in my sample being "infected," I could estimate that about 200,000 Hotmail users (1/1500 times 300 million) are currently set to send spam auto-replies. Hotmail claims to process 3 billion non-spam e-mails per day, for an average of about 10 non-spam e-mails per Hotmail user. That's the average for all users; what's the average for the infected users? Some factors would tend to lead to a lower average for infected users -- if they have lots of friends sending them mail, it's more likely that one of their friends would have told them about the auto-reply spam and told them to turn it off, so perhaps the users still sending the spams are the ones who don't receive a lot of messages from their friends. On the other hand, some of the infected accounts may be receiving more (non-spam) e-mail than average; one reason people sometimes abandon webmail accounts is that they're getting too much mail, even from newsletters like the Circumventor list that they had legitimately subscribed to. So, figuring that factors in both directions roughly cancel out, if each infected user is receiving the average number of 10 emails per day and sending 10 auto-reply spams in response, that's still a total of 2 million outgoing spams per day shilling for nonexistent Chinese iPhones.
These are just back-of-the-envelope calculations, but even if I'm overestimating by a whole order of magnitude, that's still 0.2 million auto-reply spams per day, or about 70 million spams that will be sent by this one company through Hotmail's servers in the coming year, if Hotmail doesn't stop it. (And closer to a billion spams in the coming year if I'm not overestimating.)
And it's actually worse than that, because these spams are less likely than average to be filtered, since they're coming from Hotmail's servers. Normally you'd think that the content-based module of a spam filter would have no problem catching a message like the one at the top of this article, especially if millions of similar messages have been spewed out over the past year. However, messages from Hotmail's servers, regardless of content, are less likely to be blocked, since their network has a good reputation for sending little spam overall (due to measures such as requiring users to fill out a CAPTCHA when signing up, blocking each account from sending more than 500 messages per day, etc.). When I sent messages to the infected Hotmail users from my Gmail account, to see if the auto-responses would get through Gmail's spam filter, Gmail blocked only half of the replies. When I mailed all the users again from my Hotmail account, the results were strange -- most of the users' accounts sent back no auto-reply at all, not even a reply that got routed to my junk folder. (Why would Hotmail accounts not send an auto-reply in response to a message from a Hotmail user? Please post if you have any idea what's going on there.) However, of the infected Hotmail accounts that did send a spam auto-reply, 100% of those auto-reply spams were delivered to my inbox. (Apparently, Hotmail's spam filter usually assumes that messages from other Hotmail users can't possibly be spam.) Only Yahoo Mail's spam filter, when I sent a test message to the infected users from my Yahoo Mail account, blocked all of the auto-replies as junk mail.
For the infected users on my mailing list, I sent them a link to a set of instructions I'd written about how to set and un-set their Hotmail auto-reply and how to change their Hotmail password, with the hopes that they'd eventually see the message and follow the steps. 18 users rescued, 200,000 to go.
So this is basically what's happening, but it still leaves some unanswered questions, such as: Why Hotmail accounts, but not Yahoo Mail, GMail, or AOL accounts? I've never noticed any auto-reply spam sent from any accounts at any of those other services. Whatever the spammers did to gain control of so many Hotmail accounts, if it was profitable for them, why didn't they do the same thing for Yahoo Mail? And, why did only one spammer do this? If they're sending between 1 and 10 million spams per day for free, they're probably making money at it. Whatever they did to hack those accounts, why wouldn't other spammers figure out the same method and copy them?
Presumably the Chinese spammers stole large numbers of passwords from Hotmail users either via a huge phishing attack, or through a security hole in Hotmail or some other part of the Windows Live service. If it was done via a security hole in Hotmail that the spammers discovered, then that would explain why the spammer's methods only worked for Hotmail accounts, and also why no other spammers have copied their techniques. (A phishing attack, on the other hand, would be easy to modify for other webmail services, and would also be easy for other spammers to emulate, so that's not consistent with the observed evidence so far.) I also found this post from blogger Stuart Shelton describing how his account was hacked by Chinese spammers -- and from the blog post, it's clear that he's very tech-savvy and would have been unlikely to fall for a run-of-the-mill password phish. If the attack happened even to people who know what they're doing, that seems to make the security hole explanation more likely.
Perhaps others can come up with some theories about what happened. It's easy to come up with guesses, but the hard part is to reconcile them with the fact that it has only affected Hotmail users so far, and no other spammer seems to have figured out how to copy the same technique yet.
But there's a much simpler question too: Why doesn't Microsoft just turn off the auto-replies for these users' accounts? They can query to see exactly which users have these messages in their auto-replies, and then un-set the auto-reply automatically. Yes, I know that even for a simple database operation like that, there's always more to it when you're managing hundreds of millions of accounts across multiple servers -- but if it will stop this one sender from sending between 50 million and 500 million spams (that in many cases will bypass people's spam filters) from Hotmail's servers in the coming year, isn't it probably worth it?
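A sketch of the query suggested above, as an added example rather than anything Hotmail is known to run: it scores each account's auto-reply against a reported spam sample using word-shingle Jaccard similarity, so reworded variants and swapped URLs still match while ordinary auto-replies do not. The account names, the non-wedosale URLs, the legitimate auto-reply texts and the 0.5 threshold are constructed assumptions.

```python
import re

# Reported spam auto-reply, taken from the sample quoted in the article.
KNOWN_SPAM = (
    "Dear friend: We are an electronic products wholesale .Our products are of "
    "high quality and low price. If you want to do business , we can offer you "
    "the most reasonable discount to make you get more profits. "
    "We are expecting for your business. "
    "Please visit our website: www.wedosale.com"
)

# Constructed account -> auto-reply data standing in for the provider's store.
SAMPLE_AUTO_REPLIES = {
    # Same template, different advertised site.
    "user_a": KNOWN_SPAM.replace("www.wedosale.com", "www.example-shop.test"),
    # Reworded variant: one sentence dropped, another added.
    "user_b": ("Dear friend, we are an electronic products wholesale. Our products "
               "are of high quality and low price. If you want to do business, we "
               "can offer you the most reasonable discount to make you get more "
               "profits. Please visit our website: www.example-shop.test "
               "Welcome to visit our website!"),
    # Ordinary vacation message.
    "user_c": ("I am out of the office until Monday and will reply to your "
               "message when I return."),
    # Legitimate business reply that shares a few phrases with the spam.
    "user_d": ("Thank you for your message. We are an electronics repair shop and "
               "will reply within two business days. Please visit our website: "
               "www.example.org"),
    # No auto-reply set.
    "user_e": "",
}

_URL = re.compile(r"(?:https?://|www\.)\S+")
_EMAIL = re.compile(r"\S+@\S+")


def shingles(text, k=3):
    """Return the set of k-word shingles of text, with URLs and e-mail
    addresses collapsed to placeholder tokens so a swapped site still matches."""
    text = text.lower()
    text = _EMAIL.sub(" emailtoken ", text)
    text = _URL.sub(" urltoken ", text)
    tokens = re.findall(r"[a-z0-9]+", text)
    if len(tokens) < k:
        return {tuple(tokens)} if tokens else set()
    return {tuple(tokens[i:i + k]) for i in range(len(tokens) - k + 1)}


def similarity(a, b):
    """Jaccard similarity of the two texts' shingle sets (0.0 if either is empty)."""
    sa, sb = shingles(a), shingles(b)
    if not sa or not sb:
        return 0.0
    return len(sa & sb) / len(sa | sb)


def flag_accounts(auto_replies, seeds, threshold=0.5):
    """Return [(account, best_score)] for accounts whose auto-reply resembles
    any seed spam sample, highest score first. This is a review list for a
    dry run; switching the auto-reply off would be a separate, logged step."""
    flagged = []
    for account, text in auto_replies.items():
        best = max((similarity(text, seed) for seed in seeds), default=0.0)
        if best >= threshold:
            flagged.append((account, best))
    return sorted(flagged, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for account, score in flag_accounts(SAMPLE_AUTO_REPLIES, [KNOWN_SPAM]):
        print(f"{account}: similarity {score:.2f}")
```

Each newly reported variant can be appended to the seed list, which is how the same check would cover the auto-replies that advertised different websites.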
And even if it wasn't a phishing attack this time, sooner or later some other spammer will probably capture tens or hundreds of thousands of Hotmail accounts using a phish or some other method, and try spamming through auto-replies as well. So if Hotmail "fixes" this batch of auto-reply spam for practice, then the next time it happens, they'll know exactly what to do to take care of it.
I've written some columns where I strongly believed every word but expected a lot of opposition, some where I wasn't sure if I was right and just wanted to see what people thought, and . But I rarely argue something that I think is a no-brainer. Hotmail should un-set the auto-replies for those users whose accounts are spamming for nonexistent Chinese electronics knockoffs, before those accounts send another several hundred million spams in the coming year. Am I smoking crack?
Then again, maybe expectations for Hotmail shouldn't be set too high. I use SpeakEasy for my mail provider, and on about November 19th I found that all messages sent to hotmail.com addresses from SpeakEasy's servers were being bounced with an error message rejecting them for "spam-like characteristics." I called SpeakEasy and they confirmed that they knew Hotmail was blocking all mail from their users (although for "security reasons," SpeakEasy couldn't tell me what they were trying to do about it). The block wasn't lifted until about November 28th, when my messages started getting through again.
If SpeakEasy, which has been in business for 15 years, has annual revenues of $60 million, and was bought in 2007 by Best Buy, can't even get through to Microsoft in less than 10 days to tell them to stop blocking all mail from their servers, then Microsoft should first fix their postmaster trouble ticket system, so that people are not blocked from writing to their friends and family members at Hotmail for a week and a half. Then get to work on the spam auto-responders.
-
R.I.P. FTP
Slashdot contributor Bennett Haselton says "Using FTP to administer a website is insecure -- but not for the reasons that you probably think. You yourself can stop using FTP any time you want, but how do we change the landscape Net-wide, to reduce the number of breakins using stolen FTP credentials?" You know what to click on if you want to read the rest.
On July 1st I found that one of my less important websites, hosted on a low-cost shared Web hosting service, had been broken into. A friend emailed me to say that the site was showing up in Google's search results with the Google "This site may harm your computer" warning listed next to it. I found that on one of the pages, about 1,500 HTML script tags had been inserted, loading JavaScript files from pseudo-random Russian hostnames like "www.chk06.ru" and "www.errghr.ru", none of which are currently resolving. Usually, when such script tags are maliciously inserted into a page on a website, the script tags attempt to install spyware on the machines of people who visit the site.
I immediately replaced the infected file on the website with the backed-up clean copy from my machine, and changed the password on the website in case the attacker had gotten in by using the old one. (The original file with the script tags inserted is here if you want to examine it, but use with caution -- if the .ru hostnames in the script tags start resolving again, then opening the file could cause the JavaScript on the pages to be loaded, which might infect your machine.) Then I started investigating (a) how this probably happened; (b) whether future similar attacks could be prevented, by changing some defaults in the way that hosting accounts are set up; and (c) whether the incentives for hosting providers are such that these changes are likely to happen by themselves, or whether it will require some third-party advocacy to change what we think of as "best practices".
Denis Sinegubko, the webmaster of Unmask Parasites, a free service that scans websites on demand for signs of break-ins, says:
The majority of web site compromises happen because of:
- Stolen FTP credentials. Spyware on webmasters' computers: key-loggers, traffic sniffers (FTP protocol sends username/password as plain text), trojans that steal credentials from various programs' configuration files (FTP clients, DreamWeaver, etc).
- Security holes in popular web software: CMS (Joomla, Drupal, etc), Forums (phpBB, vBulletin, Simple Machines, etc), Blogs (WordPress). Once a vulnerability is discovered, hackers configure their automated tools to search the web for websites running vulnerable versions of the software and exploit them. This can be done easily and at almost no cost when they have an army of zombie computers.
- Security hole in "in-house" web software. Many novice (and even many experienced) web developers don't properly sanitize user input making various attacks possible (SQL injections, XSS, etc)
- Poor security practices (Something that should be manually configured by site/server admins and cannot be fixed with automated security updates): Weak passwords, open ports, insufficiently strict permissions for limited accounts, files and directories with world write permissions, etc.
I didn't have any third-party web software or custom-made software installed on the PublicEditorMyAss.com site, the password was a seven-letter meaningless mix of letters and numbers, and I didn't have permission to change most of the things like open ports and file permissions. That left the possibility of stolen FTP credentials. This is in fact what Sinegubko says is the most common cause of such break-ins:
I guess 90% of attacks use stolen FTP credentials this year. Check this Google's graph that shows the top 10 malware sites as counted by the number of compromised web sites that referenced it:
http://googleonlinesecurity.blogspot.com/2009/06/top-10-malware-sites.html
I reviewed the 4 most widespread of them (Gumblar, Martuz, Goooogleadsense, Googleanalytlcs). All four used stolen FTP credentials to penetrate web sites and upload malicious content. The chances are the rest used this vector too.
When the PublicEditorMyAss.com site was set up, the default setting was for pages to be edited over FTP. Even though FTP sends and receives passwords without encrypting them (in contrast with alternatives like SFTP or "secure FTP", which encrypts passwords), for a long time I had assumed that this was not a major security problem, because in order for an attacker to intercept the passwords in transit, they would have to control a machine somewhere on the path between my home computer and the PublicEditorMyAss.com server. I figured this wasn't worth worrying about, because it was much more likely that an attacker would attempt to steal the password by installing spyware on my home computer. And if an attacker managed to do that, then I assumed that the risk of passwords being stolen by spyware was about the same whether I used FTP or SFTP -- because either way, the spyware could just steal my password by reading it out of a configuration file where the password was stored. (Even though FTP and SFTP programs both store passwords in an encrypted format, the programs have to be able to decrypt the passwords in order to use them whenever the user wants to open a connection. So the spyware could just mimic whatever steps the client programs use to decrypt the stored passwords, in order to steal one of my passwords stored in a file.) So, I assumed it made no difference whether I used FTP or SFTP.
But according to what Sinegubko told me, this reasoning was probably wrong. The problem is that even though spyware installed on your machine could read passwords that are stored in configuration files, it would be a lot of work to write a spyware program that could do this, because every FTP program and SFTP program stores passwords according to a different algorithm. It's much simpler for spyware to simply watch the traffic sent and received from your machine, so that any unencrypted passwords will be spotted:
[Passwords can be stolen by] sniffers that read all TCP traffic on local computers. Like personal firewalls but malicious. They can easily intercept FTP credentials since they are sent as a plain text.
Sinegubko describes how one of his contacts obtained evidence that a common spyware program was doing exactly this:
One of them even infected a spare WinXP computer (with Gumblar) to test the consequences. On the infected computer he created a new account in a popular FTP client and saved it. The server address was correct (his server) and the username/password pair was not valid. A few hours later in FTP logs, he discovered login attempts that used that invalid username/password pair from a Singapore IP, then from a Florida IP, then some other country's IP. Apparently the FTP credentials were somehow stolen from that infected computer.
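The test described above can be turned into a standing check on the server side. The following is an added example, not code from the article or from Unmask Parasites: it scans FTP login records for any use of a planted, never-valid "canary" username, groups the attempts by source IP, and lists real accounts that logged in from those same IPs. The canary name, the vsftpd-style log format and the sample lines (using documentation IP ranges) are constructed assumptions.

```python
import re
from datetime import datetime

# Usernames saved in an FTP client on a test machine but never valid on the
# server. Any login attempt with one means the saved credentials leaked.
# The name is a hypothetical placeholder.
CANARY_USERS = {"canary_ws01"}

# Constructed sample in the style of a vsftpd log; adapt LINE_RE to your server.
SAMPLE_LOG = """\
Mon Jul  6 21:02:11 2009 [pid 4101] CONNECT: Client "198.51.100.7"
Mon Jul  6 21:02:12 2009 [pid 4100] [webmaster] OK LOGIN: Client "198.51.100.7"
Tue Jul  7 01:47:30 2009 [pid 4188] [canary_ws01] FAIL LOGIN: Client "203.0.113.45"
Tue Jul  7 01:47:31 2009 [pid 4188] [canary_ws01] FAIL LOGIN: Client "203.0.113.45"
Tue Jul  7 04:15:09 2009 [pid 4230] [canary_ws01] FAIL LOGIN: Client "192.0.2.88"
Tue Jul  7 04:20:00 2009 [pid 4231] [admin] FAIL LOGIN: Client "192.0.2.200"
Tue Jul  7 05:00:41 2009 [pid 4302] [webmaster] OK LOGIN: Client "192.0.2.88"
this line is not in the expected format
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} [ \d]\d \d{2}:\d{2}:\d{2} \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]+)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"$'
)


def parse_logins(log_text):
    """Yield (timestamp, user, result, ip) for each login line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            yield ts, m["user"], m["result"], m["ip"]


def canary_hits(log_text, canaries=CANARY_USERS):
    """Group login attempts that used a canary username by source IP."""
    hits = {}
    for ts, user, _result, ip in parse_logins(log_text):
        if user in canaries:
            entry = hits.setdefault(ip, {"first_seen": ts, "attempts": 0})
            entry["first_seen"] = min(entry["first_seen"], ts)
            entry["attempts"] += 1
    return hits


def accounts_to_review(log_text, canaries=CANARY_USERS):
    """Real accounts with a successful login from an IP that also tried a canary.

    Such an IP is replaying credentials taken from the test machine, so any
    other login it makes warrants a password change and a file integrity check.
    """
    bad_ips = set(canary_hits(log_text, canaries))
    return sorted({user for _ts, user, result, ip in parse_logins(log_text)
                   if result == "OK" and ip in bad_ips and user not in canaries})


if __name__ == "__main__":
    for ip, info in sorted(canary_hits(SAMPLE_LOG).items()):
        print(f"canary used from {ip}: {info['attempts']} attempt(s), "
              f"first at {info['first_seen'].isoformat()}")
    print("accounts to review:", accounts_to_review(SAMPLE_LOG))
```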
I know of only two instances where I've ever definitely been infected with spyware. I don't do stupid things like downloading and running strange programs from third-party sites, so I think both infections were probably caused by a site exploiting a security hole in Internet Explorer, or in a plug-in like Adobe Acrobat or the Flash player. Both times, once I noticed I was infected, I got rid of the infection with Malwarebytes, but I don't know how much damage the spyware did in the meantime.
So this was a case where a little knowledge can be a dangerous thing. If I had known nothing about Internet architecture, and someone told me "FTP is less secure than SFTP," I would have found a way to switch to administering the site via SFTP. But because I knew that the main reason FTP was considered "insecure" was because it transmitted passwords unencrypted, but I also knew that most of the machines relaying those passwords in transit were secure and trustworthy, I thought it didn't matter. Now it seems that is probably how my password got compromised after all.
In that case, why don't more people switch to administering their sites via SFTP instead of FTP? Here are the steps it took me to enable SFTP on my GoDaddy hosting account. Feel free to use this as a reference, but the obvious point is that as long as this many steps are required, it's safe to say that most users won't be switching:
- Go to the "Hosting" menu and pick "My Hosting Account."
- Next to the name of your website, pick "Manage Account." This will open the Hosting Control Center.
- In Hosting Control Center, click to expand the "Settings" options.
- In the "Settings" control panel, click the "SSH" icon.
- You will see a page saying "SSH is not set up", and prompting you to enter a phone number so that their automated service can call you with a PIN number. After you enter your phone number, the phone rings a second later, and you enter the PIN in a form on the GoDaddy website.
- You will then see a page which says:
  Current Hosting Account Status: Pending Account Change
  Your request to enable SSH is being processed. This upgrade may take up to 24 hours.
In fact, even if only one step were required to switch, most users probably wouldn't change from the default setting to use FTP, due to the eternal, unchangeable fact that most people do not change their default settings, ever. (What percent of users ever change the default set of toolbars that are displayed at the top of their Web browser window?)
If more Web hosting companies made SFTP the default, then the number of websites that were compromised by stolen login credentials would probably go down. Spyware authors might start to make their programs smarter at that point, enabling them to read the passwords stored by popular FTP and SFTP programs, so that it would make no difference whether the passwords were transmitted in the clear or not. However, this would be harder for spyware authors to do correctly, so it would at least raise the bar for a successful malware attack, and the number of compromised websites would be reduced.
Unfortunately, Web hosting companies don't have much incentive to make users switch to the more secure SFTP protocol. This isn't necessarily true of all security risks; sometimes the hosting company has a strong incentive to pass on the right wisdom (and select the right default settings) for their customers. From the hosting company's point of view, you could divide risks into three categories:
- Risks where the hosting company pays a large part of the price for a customer's machine being compromised. For example, if a cyber-criminal takes over a customer's machine and uses it to launch a denial-of-service attack by sending it a flood of traffic, the hosting company will see that traffic spike on their network. The hosting company has the most incentive to help prevent these types of attacks.
- Risks where the hosting company doesn't directly pay a price for the customer's machine being compromised, but they may have to deal with complaints sent in by third parties. For example, a customer's website could get broken into, and script tags could be inserted into the pages that cause visitors' machines to be infected with spyware. Those visitors might complain to the webmaster of the infected site, or they might complain to the hosting company, which then forwards the complaint to the webmaster. The hosting company may have to provide a few minutes of tech support to the customer, advising them to change their password and scan their own machine for spyware, but they probably won't incur any other material costs.
- Risks where neither the hosting company nor the customer pays a price for the machine being infected, but the price is paid by "Internet users as a whole." The only attack that I can think of in this category, is an attack where a cyber-criminal inserts key words into your web page and links them to his site, in order to increase his Google ranking for searches for those key words. Neither the website owner, nor any visitors to the website, are victimized directly; the harm being done is that the quality of Google search results is reduced for everybody. The only reports of the attack would probably come from "good Samaritan" Web surfers, who tell the hosting company or the webmaster that one of their pages has been vandalized.
When a customer's FTP credentials are stolen, the price paid by the hosting company lies somewhere in the middle. An attacker who stole my current PublicEditorMyAss.com credentials would only be able to deface the content on the site, but they wouldn't be able to launch an attack against a third-party network (my PublicEditorMyAss.com hosting account doesn't have the ability to initiate an outgoing connection to a third-party site).
Weighing in the other direction are the costs of switching to SFTP. If existing customers are forcibly switched over, phone lines will be clogged by customers wanting to know why their old method of logging in to their site has suddenly stopped working. A better choice would be to allow existing customers to stay with FTP while making SFTP the default for new customers. But there is a time and money cost of changing anything, even a default setting.
So GoDaddy doesn't have much incentive to make SFTP their new default. Indeed, I've used many different shared hosting companies before I started running proxies exclusively on dedicated servers, and none of the shared hosting companies ever used anything but FTP as the default method for customers to administer their websites. So who can blame them? They're not making the choice that makes the most sense for their customers or for Internet security as a whole, they're making the choice that makes the most sense in terms of costs and benefits for themselves, and I'm not being judgmental about that. We shouldn't expect most companies to ever behave in any other way.
That's why I think that glib "solutions" to security problems, like "Everybody install anti-virus software", or "Everybody stop using Windows", aren't helpful, because regardless of whether these ideas would work if everybody actually followed them, the fact is that most people won't. The problems have to be addressed in terms of changing incentives for the choices people make.
What's an idea for reducing the risks of FTP credentials stolen by malware, that addresses the incentives problem? Maybe give tax breaks to Web hosting companies that set up customer accounts to use SFTP instead of FTP by default? Or ask more computer vendors to include a desktop link to pre-installed SFTP software, so that when Web hosting companies present options to their customers, it's easier for users to choose the SFTP option since they have a client already installed? (I was tempted to recommend that Microsoft include a universal SFTP client pre-installed in Windows with a prominent desktop link, but the problem with that is that if almost everybody used the same SFTP client, malware authors would have greater incentive to reverse-engineer the algorithm that the client used to store saved passwords -- and then passwords would be just as easily accessible to spyware, as if the user were using FTP all along. So a good mix of SFTP clients is safer for this purpose.)
Since the difference between SFTP and FTP usually only matters in cases where a customer's machine has been infected with malware, obviously the best solution is to avoid malware altogether, but that's a much harder problem to solve, as long as malware authors can keep finding security holes in Internet Explorer and other popular programs. Making SFTP the new standard for Web hosting accounts is something that we know how to do, right now. The incentives aren't currently right for Web hosting companies to make it happen. But there may be ways to change that, and I'll bet some people can think of better ideas than the ones I've suggested. I'm just saying that the incentives problem is where attention should be focused.
-
MySpace Verdict a Danger To Depressed Kids
Slashdot regular Bennett Haselton summarizes his essay this way: "Debate over the Lori Drew verdict has focused overwhelmingly on whether the ruling was technically correct, but there is another serious issue: the perverse incentives that this ruling creates for victims of online harassment." Read on for his essay.
Since a jury convicted Lori Drew of three misdemeanors for harassing Megan Meier on MySpace and causing her to commit suicide, most of the debate has focused on the question of whether proper legal procedure was followed in an attempt to punish someone for their obviously evil actions, when it wasn't clear that an actual crime had been committed. Emily Bazelon has argued that the rule of law is too important to convict someone for a crime for what was essentially a violation of the MySpace Terms of Service. Anne Mitchell has argued that the slippery slope is nowhere near as dangerous as the backlash is making it sound, because the doctrine of prosecuting people for violating a site's TOS is almost certainly only going to be used against people who commit horrific acts in the process, as Lori Drew did.
I'm more inclined toward the rule of law argument, but hang on — both sides seem to be assuming that it was a desirable outcome to punish Lori Drew publicly and severely. Hell yes she deserved it, but there is more at stake here. What about the consequences for kids who are current victims of harassment and who hear about the case and the verdict?
When anti-cyber-bullying laws were proposed in response to the original news of Megan Meier's suicide, I argued that the laws would be a terrible idea, especially if the criminal provisions of the law were conditional on the bullying victim harming themselves — because then you've told victims of harassment: You can have your tormentors publicly vilified and even arrested, but only if you make it look like you tried to injure or kill yourself (and at which you might succeed in the process, intentionally or not).
What would be true of a cyber-bullying law is also true for the pseudo-caselaw created by the verdict. Surely there are other Megan Meiers out there who should not be led to believe that they can ruin their harasser's lives by committing suicide.
Now you might argue that by my reasoning, existing harassment laws which are contingent on the victim showing signs of emotional distress, could lead to the same problem — victims either consciously faking distress, or trying to fake distress so convincingly that they actually harm themselves, or subconsciously absorbing the fact that they can only get justice if they actually show harm. I had actually assumed that existing harassment laws governed only the conduct of the harasser, and did not depend on how the victim felt, but I was wrong — here in Washington State for example, RCW 10.14 states that harassing conduct is conduct that "shall be such as would cause a reasonable person to suffer substantial emotional distress, and shall actually cause substantial emotional distress to the petitioner." [emphasis added]
Reading that literally means that no matter how bad the harassment is, you still have to feel distressed in order to have them prosecuted, and the more distressed you "act," the more likely you are to succeed! But hang on — in order for that law to create incentives for victims of harassment to fake distress in order to have their personal enemies prosecuted, they would have to actually know that the law says that. I doubt that most people walking around Washington know the exact wording of the harassment law. More likely, they already realize that if they were to ever try and have someone prosecuted for harassment who didn't actually deserve it, a little tears and shaking would probably influence the judge, whether or not their feelings had any technical relevance under the law. And even if they were to exaggerate the effects of the harassment, all they would have to do would be to claim that they threw up or lost sleep from anxiety — they wouldn't have to show evidence of trying to harm or kill themselves.
On the other hand, everybody has heard about the Lori Drew and Megan Meier case, and it seems likely that the fact that Megan killed herself did contribute to the conviction. (At one point Judge George H. Wu had said that he would probably exclude evidence from the trial that Megan Meier had committed suicide as a result of the harassment, but later changed his mind and did allow it to be mentioned, saying "It's impossible to get a jury that doesn't know.") If Megan Meier had merely lost sleep, or suffered from panic attacks, or cut herself as a result of the harassment she endured from Lori Drew, would Drew have been convicted? Or even arrested?
These perverse incentives — "rewarding" Megan Meier for her suicide by vicariously exacting her revenge on Lori Drew — have been present ever since the wall-to-wall coverage of the case first started. Many news outlets have a policy of not publishing the names of suicide victims, not only to protect the privacy of grieving families but to avoid "rewarding" suicides by giving them the attention they may have wanted. The Associated Press Statement of News Values and Principles does not list any policy against printing the names of suicides. Maybe they should. (They do have a policy against printing the names of sexual assault victims, for example.) But it's a slippery journalistic slope to go down once you start deciding not to publish certain elements of a story, even for what seem to be compelling reasons. For example, take the policy of not publishing the names of alleged rape victims. If the rationale is that the AP doesn't want to cause unfair embarrassment to the alleged victims in case their story is true, why wouldn't the AP also avoid publishing the name of the defendant, to avoid causing them vastly greater unfair embarrassment in case the victim's story is false? So any decision to leave someone's name out of a story can lead to sticky "but-then-what-about" scenarios.
Perhaps the story should not have been covered at all, or anywhere near as much as it was. (I realize I may be contributing to the problem here, but my penance is that I'm calling for less coverage in the future, and I would never be writing about this if the mainstream media hadn't covered it so extensively.) What about all the other people who committed suicide during the same year, also as a result of vicious harassment, but with the only difference being that their suicides did not involve the Internet? Don't they deserve the same justice, and don't their tormentors deserve the same vilification?
Defenders of Internet civil liberties have for years been disgusted with the fact that crimes involving the Internet — from simple identity theft to rape and murder — have always gotten disproportionately more attention than the same or similar crimes committed without the aid of a computer. In the Megan Meier case, the effect of the coverage is even worse: Leading potential suicides to believe that they can have the sympathy they always wanted, and revenge on those they hate, if they kill themselves.
-
Hostile ta Vista, Baby
Frequent Slashdot contributor Bennett Haselton adds his experience to the litany of woes with Microsoft Vista. Unlike most commentators who have a beef with the operating system, Bennett does a bit of surveying to bolster his points. Read his account by clicking on the magic link.
My brand-new-out-of-the-box Windows Vista machine could not access www.facebook.com. A nearby XP machine could, but the Vista machine couldn't. I went back to Circuit City to try out the other Vista demo machines, and they could access other sites but not Facebook, either. And that honeymoon feeling that you get when you buy a new computer and expect it to solve all your problems, was over for me. Having built my latest career on helping people access Facebook where they were blocked from it, by some cosmic joke was Vista now blocking me from getting to Facebook on my own machine?
I know, another article bashing Vista, what could be more banal. (Kids! That word, meaning "trite" or "unoriginal", is pronounced "ba-NAHL". If you say it the wrong way like I did in an interview, it sounds naughty and you sound stupid.) But in my own random survey of 30 Vista users on Amazon's Mechanical Turk service (a handy way to check these things), three quarters (23) said the only reason they were using Vista was that the PC store they went to didn't sell XP machines any more, and about half of all respondents (14) said that they would go back to Windows XP if they could. So I don't want to get a bunch of e-mails with Ron Paul links in the signature saying "Nobody has to use Vista if they don't want to!" (I'm aware that a survey of 30 people is too small to be scientific, but it's enough to get a ballpark figure for about $5 on Mechanical Turk.) Besides, the more people write testimonials to what they found frustrating about Vista, the more likely it is that some future version will keep what is good about the new OS, while providing a less frustrating interface (suggested name: "Vista 98").
It turns out the Facebook issue was not really Microsoft's fault -- www.facebook.com had a broken IPv6 record, and Vista defaults to using IPv6 where XP used IPv4, so that's why the host wasn't working. (In case you run into this with any other Web sites on Vista, I fixed the problem by disabling IPv6 in network settings and rebooting.) But it was one more example of something that used to work pre-Vista and then stopped working, and every case like that adds up to the overall frustration of switching to a new system, regardless of whose fault it is.
I hasten to add that I am not some partisan Microsoft basher. I like XP just fine, never more than when I went back to it after a few days on Vista, and I still think for that matter that Vista would be easier to switch to than Linux. Having been involved for years with free speech activism, I run into a lot of people in the same circles who are strong Linux advocates, apparently because the concept of "freedom of speech" is closely aligned with "making every file search as simple and stress-free as a Hamas hostage negotiation". So every year or two I'll try out the latest version of some Linux distro to see how long it would take to get used to it. In 2005, full of optimism, I cheerfully booted up the latest version of Shrike, then tried to find a directory and discovered I could not right-click on the hard drive root dir and specify the name of a directory I wanted to search for (that only worked for files, not directories). I posted a query to a Linux newsgroup, and a respondent told me that the solution was to open a command prompt and type "man find", which I am aware is a polite way of saying "screw you, newbie", but which I dutifully followed anyway and got an output screen of which the first paragraph was:
find searches the directory tree rooted at each given file name by evaluating the given expression from left to right, according to the rules of precedence (see section OPERATORS), until the outcome is known (the left hand side is false for and operations, true for or), at which point find moves on to the next file name.
and that was all my Linux for that year. Maybe I'm overdue to try it again. (Microsoft gives away their Virtual PC program that makes it easy to try other operating systems; I think it's a ploy to make us appreciate Windows more.) Now, I love the concept of a freely-distributable, freely-modifiable operating system, and I've recommended Linux to people when you need it to do something cool that Windows can't do, like bypassing Windows security by booting a PC from a CD. And it's done a lot of good for organizations like the One Laptop Per Child program, which can keep their costs down by using a free operating system. But to this day I've never heard an answer to one question: Since even Linux advocates admit that it's harder to use, what can you do with Linux that you can't do with Windows, to make it worth switching over to? If I was nervous about Vista because some of the interface had changed and some of my old programs no longer worked, it wasn't helpful to tell me to switch to a system where all of the interface would change and none of my old programs would work.
So, I wanted to like Vista. I knew that eventually everyone would have to upgrade anyway, so, not wanting to be left behind, I wanted to switch to Vista because of the same factor that spammers use to get your attention: "Other guys are improving themselves, why aren't you?" But there were some things I ran into almost immediately:
- Windows Explorer and Internet Explorer no longer have the "File / Edit / View" menu bars across the top of the window. Was this a big problem under XP? When the menus gave quick, two-click access to most actions that you could take within the application, was there a grassroots movement to have them removed? I did eventually find that you can hit the "Alt" key to bring the menus back, but why put people through that frustration? The most annoying feeling while using a computer is being yanked out of thinking about what you're doing with the computer to having to concentrate on how to use it.
Perhaps the idea was to steer users towards using the buttons on the toolbar, but there aren't enough buttons to cover all the options located under the menus. If the UI designers wanted to steer users gently towards using the buttons, my suggestion would have been: Whenever the user picks something under a menu that corresponds to something accessible from the toolbar, display a dialog box which says for example, "In the future, you can print faster by clicking the printer button on the toolbar", along with a picture (and a "Do not show this message again" checkbox -- important!).
- Windows Explorer also did away with the "Up" button that lets you browse from the current directory to the higher-level directory. Again, probably not in response to a groundswell of users demanding for that button to be removed, when it took up about one square centimeter of screen space. Supposedly Windows Explorer makes up for this by displaying the entire path to the current directory in the address bar, so that if the path is "C:\Financial Records\Chris Pirillo\ Pectoral Real Estate\", you can click on "Chris Pirillo" to go one directory higher. The trouble is that I frequently give my directories extremely long and descriptive names like (this is a real example) "Flash-Player-8.5.0.246-beta2.downloaded-2006-03-20-from-labs.macromedia.com" so that I can keep track of where and when I got each piece of downloaded software, in case I ever need to go back to a previous version that the software maker no longer makes available because they're trying to steer me away from it (ironically, "Vista syndrome"). With a directory that has a long name like that, the higher-level directories aren't visible in the address bar, so I had to locate it manually in the left-hand tree view panel. OK, knock off the violins, the point is that I didn't have to do that in XP.
- I have an older monitor, so I wanted to turn ClearType off. The IE7 help file describes how to do this in IE, but that didn't work for me no matter how many times I tried, and my eyes were aching by the time I found out that in Vista it's a default system-wide setting that overrides IE's setting until you change the system-wide one. I would have suggested putting one line in the IE7 help file: "Note: if your operating system such as Windows Vista is set to use ClearType system-wide, you must disable this as well to disable ClearType in IE."
- Virtual PC, which worked on all versions of Windows XP, is not supported on Vista Home Premium. I need Virtual PC (for reasons other than Linux-bashing), so this was a deal-breaker.
- Telnet no longer installed by default. Even though I use a different telnet program for regular use, telnet.exe was handy to test whether a remote machine was reachable on a given port. (For example, in a command prompt, type "telnet www.yahoo.com 80" and when the command prompt screen goes blank, that means the machine www.yahoo.com is accepting responses on port 80, the standard port for Web traffic. Try connecting to port 81 instead, and you get no response on that port. This can be useful when diagnosing problems with Web servers and other programs.) Even though it's not hard to get telnet back, why would they go to the trouble of removing it?
- The aforementioned Facebook problem. This seemed so startling at the time that I almost stopped everything to write an article just about that, musing on Microsoft having so much power that all PC stores were now exclusively stocking computers running an OS that, at the time anyway, couldn't access Facebook. But then I asked another bunch of users on Mechanical Turk, and all respondents using Vista said they could access Facebook after all. Of course, this wasn't a random sample, since users who bought Vista and couldn't access Facebook, probably would have returned their machines a long time ago, but I'm still not sure what caused it to work on some machines and not others -- all I know is that Facebook was inaccessible until I disabled IPv6.
I know Facebook is reading these articles, since in November I wrote about how you could circumvent Facebook's system of verifying that users were real high school students, by doing the following: "(1) create a profile of a non-overweight girl and sign up as a member of a high school network, pending confirmation; (2) search for several boys in that network and send them friend requests; and (3) wait for at least one of them to confirm you back". Shortly afterwards, Facebook changed the verification system, so that now, if you're confirming someone who is a pending member of a high school network but no one else has confirmed them yet, Facebook warns you, "Only check this box if you're absolutely sure that you know this person." So, whichever of Mark Zuckerberg's friends is reading my articles: Clever idea, and, keep the IPv6 records working.
That was as far as I got before I stopped trying to get used to Vista and started taking notes for this article (working title: "Vist Vucked"). From the Mechanical Turk users who responded to my survey, the other most common reported problems were: software compatibility, hardware compatibility, difficulty with the UI, and running too slowly. Presumably the first two problems will improve over time, but the UI will always be hard to switch to as long as users can't find functions that were easily locatable in the old interface, and if it runs slower than XP, that will always be a factor no matter how fast your computer is. (However fast it runs Vista, you'd always be able to make it run even faster with XP instead!)
The best things I've heard about Vista have been that (a) it is the most secure Windows ever (which Dave Barry says is like calling asparagus the "most articulate vegetable ever"), and (b) it features better multimedia integration. To which my responses were: (a) the number of incomprehensible warnings that Vista flashes at a user whenever they look at the computer funny, does not make it more secure, because users will condition themselves to just ignore those warnings, and (b) I hate watching TV on my computer anyway.
Since TV/PC integration is a major selling point for Vista, I thought this last issue was worth looking harder at: Do people really want to use their computers to watch TV? My computer monitor is in an office where I sit up close when I'm working; but TV feels more comfortable to watch from several feet away, and in my office I can't even scoot my chair back that far. (And if I lived with family, I doubt they'd want to crowd into my office to watch a movie.) In fact, I like the psychological separation of the TV set in the living room from the distractions of the computer in the office: I go in there when I'm done with everything in here. The only way I'd regularly download and watch movies would be if I had a way to send them wirelessly to my TV, but a wireless PC-to-TV converter and the corresponding receiver together cost about $200.
Seeking more validation of my opinions from strangers, I did another survey of 30 Mechanical Turk users, asking if they would rather drive to a movie rental store or download a movie online for the same price. Almost half (14) said they'd rather drive to the movie store, citing the comfort of watching the movie on their TV as opposed to on the computer. Another fourth of the respondents (8) said they'd download the movie but only if they could send the content to their TV to watch, and only the last fourth (8) said they'd actually watch it on their computer monitor. So the future of convergence between PC and TV will probably be not in all-in-one systems but in devices that link the PC in your study with the TV in your living room, and since there's no household name yet for PC-to-TV linkage, the field is wide open for some lucky company to make a product that becomes synonymous with the concept, the way "TiVo" is easier to say than "Digital Video Recorder". Maybe that will be a boost for systems like Vista. If that happens at about the same time that a Vista successor is released that makes the interface easier to switch to from XP, I'll bet that will be the tipping point that gets people switching voluntarily. (Of course many people will switch by then just because they need a new computer and they couldn't find one with anything but Vista on it.)
Anyway, I was only trying a new Vista machine because the hard drive on my old computer died, but after all the data had been recovered, I just installed a new drive in the old machine and went back to XP, while my Vista machine was returned to its perch, gargoyle-like, on the shelves at Circuit City, waiting to pounce on the next unsuspecting wretch with dreams of self-improvement through newer computer purchases. The only remnant of Vista that I have left is IE7, which was installed by my Windows XP restore disk and can't be removed, and which is incompatible with some sites and programs that I need, so I've been using Firefox more and getting to like it. That's lucky, since I've already offended the loyal software-logo-wearing constituencies of Vista and Linux, and wouldn't want to deal with the Firefox crowd too. As my friend Anne Mitchell says, "Admitting you hate Firefox is almost as bad as admitting to being Republican." (Except that when Firefox screws with a page, the chat logs don't end up on national television. Ba-dump-bump!)
-
Is Flixster Using Deceptive Viral Practices?
Talaria writes "The social networking movie review site Flixster is requesting their users' AOL, Gmail, Yahoo and Hotmail passwords, and then using them to access users' address books and send 'invitations' to join Flixster, making them appear to come from the user. The password prompt screen includes the ISP's logo right next to the password prompt. Rather than hiding this little 'feature,' Flixster brags about it in an interview after receiving $2 million in venture funding earlier this year." American Venture Magazine notes: "...such practices are becoming increasingly... common as new and even established web sites look to attract visitors without expensive marketing campaigns and a hefty advertising budget."
-
Yes Virginia, ISPs Have Silently Blocked Web Sites
Slashdot contributor Bennett Haselton writes "A recurring theme in editorials about Net Neutrality -- broadly defined as the principle that ISPs may not block or degrade access to sites based on their content or ownership (with exceptions for clearly delineated services like parental controls) -- is that it is a "solution in search of a problem", that ISPs in the free world have never actually blocked legal content on purpose. True, the movement is mostly motivated by statements by some ISPs about what they might do in the future, such as slow down customers' access to sites if the sites haven't paid a fast-lane "toll". But there was also an oft-forgotten episode in 2000 when it was revealed that two backbone providers, AboveNet and TeleGlobe, had been blocking users' access to certain Web sites for over a year -- not due to a configuration error, but by the choice of management within those companies. Maybe I'm biased, since one of the Web sites being blocked was mine. But I think this incident is more relevant than ever now -- not just because it shows that prolonged violations of Net Neutrality can happen, but because some of the people who organized or supported AboveNet's Web filtering, are people in fairly influential positions today, including the head of the Internet Systems Consortium, the head of the IRTF's Anti-Spam Research Group, and the operator of Spamhaus. Which begs the question: If they really believe that backbone companies have the right to silently block Web sites, are some of them headed for a rift with Net Neutrality supporters?" Read on for the rest of his story.
In the aforementioned instance, AboveNet and TeleGlobe were not selling "parental filters" or other common types of filtered Internet access; the users being blocked from our Web sites were adults paying for what they thought were unfiltered Internet connections.
What had happened was that AboveNet and TeleGlobe signed up to block Web sites on the Realtime Blackhole List, a list which was widely (but inaccurately) thought to be a list of "spammers", put out by a group called the Mail Abuse Prevention System. (MAPS and the RBL still exist, but under new management and in a form that bears little resemblance to their late-90's forerunners.) Most ISPs that used the RBL used it to filter only incoming e-mail, but AboveNet went all-out and blocked users from even viewing RBL'ed web sites, presumably because two of MAPS's founders, Paul Vixie and Dave Rand, were on the AboveNet board of directors. And it turned out that the RBL not only included spammers, but also Web sites that were not sending mail at all but were blocked because of their content -- in our case, our ISP got blocked because some other customers were selling mailing list software that MAPS believed could be too easily abused by spammers.
These two distinctions -- (1) the distinction between blocking incoming e-mail from spammers, versus blocking Web sites; and (2) the distinction between blocking traffic due to spam activity, versus blocking sites because of their content -- both go to the heart of what Net Neutrality is, and isn't, about. Net Neutrality is about user preferences -- not meaning that as a buzzword, but as an actual guiding principle to figure out what is and is not covered by the cause. If an ISP filters incoming mail from known spammers, that generally improves the user experience, and is something many users would expect an ISP to do anyway. But if an ISP blocks users from reaching Web sites (even, for the sake of argument, the Web sites of actual spammers), then that's generally counteracting the user's wishes -- if the user didn't want to go there, they wouldn't have typed it in. (After all, I visit spammers' Web sites all the time, usually right before I sue them.) Similarly, if an ISP blocks traffic from sites because of spam or other network abuse, that serves to protect their own users. But if an ISP blocks users from viewing sites because of their content, that's generally not expected by users, unless they've specifically signed up for something like parental controls. The Snowe Net Neutrality amendment proposed last year recognized both of these distinctions, and stated that nothing in the amendment would be interpreted to prohibit spam filtering, parental control services, or measures to protect network security.
The MAPS incident thus shaped most of my opinions about Net Neutrality 6 years before the debate even had a name. When I first found out in August 2000 that our ISP was blacklisted, like most people I believed that the RBL really was a list of spammers; after all the MAPS web page said that the RBL was a list of networks that "originate or relay spam". So I called my ISP screaming at them for being incompetent spam-enablers (the culmination of many frustrating issues with them), and saying that if they really were letting customers send spam, or running an insecure server that spammers were hijacking, I would leave on principle, if the cretins managing our server didn't drop it in the lake first. The ISP owner then told me what happened: that the ISP was not blacklisted for spamming customers, but because of the content of the other sites. (Buried in the list of RBL criteria on MAPS's site was the statement that sites could be blacklisted for providing "spam software", although the criteria did not define how they distinguished between spam software and regular mailing list software, which is how our ISP got caught in the net. And the criteria did not disclose anywhere the most controversial feature of the RBL, which is that if an ISP didn't comply, MAPS would start blacklisting other unrelated sites at the same ISP to put more pressure on them.) I agreed that this seemed to be absurd, and said I wouldn't leave the ISP if they were being blackballed just because of the content of hosted pages.
I don't know exactly what the mail software in question did or where MAPS thought the line should be drawn, but I am a purist about content -- it's a long-standing principle among the Internet security community that if a tool exists which exploits a security hole, you don't try to make the software disappear, you fix the hole. And besides, since MAPS and their supporters wanted to blackball ISPs that hosted spamming software (however you defined that), but the same people had never advocated blackballing ISPs that hosted network break-in tools and other cracking programs, for example, then what were they really saying? That spamming someone is more unethical than breaking into their network?
But by far the most common objection to my complaint about AboveNet blocking Web sites was, "Hey, if a private company blocks things, as long as they're being honest to their users about it, who cares?" Well, true, but the fact that AboveNet blocked Web sites was not widely known even within the company; when I once called AboveNet feigning ignorance and asking them if they blocked RBL'ed Web sites, the technician who spoke to me said, "No, that wouldn't make any sense." (Well, half right.) Their AUP mentioned "protecting users from spam" but said nothing about blocking Web sites. In fact, other than "family-filtered" ISPs and similar services, I've never heard of any company blocking Web sites that actually did try to make their users aware of it. (On the other hand, even if AboveNet had fully disclosed their filtering, they were still a backbone company selling connectivity mainly to ISPs -- and I think if you sell something wholesale that can only be re-sold to the public by fraudulent means, then you're at least partly complicit in that fraud as well.)
If you're tempted to argue that backbone providers should be allowed to block whatever they want as long as they bury it in their AUP (although AboveNet and TeleGlobe didn't even do that much), just consider: When you access Google from your home computer, have you read the AUP of every network that the packets pass through, to check whether they reserve the right to block or even modify your traffic? Without doing a traceroute, could you even name all the networks that the traffic passes through? Do you really want the burden to be on you to check with all of them every time there's a problem reaching a Web site? Or do you feel like there's an understanding that as long as you pay your bill, they should let you go wherever you want?
Some have argued that if an ISP blocks the user from reaching a Web site, then even if the ISP is defrauding the user, that's still strictly an issue between the user and the ISP. But if a user is trying to reach your Web site, the user is trying to give you something of value: their attention, their eyeballs on your advertisements, sometimes even their money (with the expectation that you will provide them with something in return, of course, like some content worth reading). If the ISP steps in and blocks that, then the ISP has taken something of value that the user was attempting to give to you, and diverted it to serve their own interests. To me that doesn't seem ethically much different from the FedEx driver swiping the chocolates that someone tried to send you for Valentine's Day. Is that just between the sender and FedEx? Or do you have a beef because you didn't get the present that was intended for you, and you had to eat last week's chocolates to cheer up?
The modern-day threats to Net Neutrality are different: slowing access to Web sites unless the site owners pay a "toll", instead of blocking access to sites because of the content of other sites hosted at the same ISP. But they both boil down to the same thing: not giving end users what they have already paid for. If a user buys Internet access, they almost always buy it with the understanding that if they access a site, the content will download as quickly as their connection allows.
Thus the most common misconception about Net Neutrality is that the proponents are fighting against "capitalism" -- ISPs just charging more for different delivery speeds. But ISPs are already charging users for those delivery lines -- including different tiers for different prices. That's capitalism, and it works, with prices falling all the time in a fairly competitive market. But charging publishers for those higher delivery speeds to the user's house, is really more like double-billing, because the user has already been charged once for the lines that the content is coming over, so the ISP is trying to charge the content publisher again for the same service. Of course, if you charge party A for doing X, and then you try to charge party B for the same instance of doing X, and party B doesn't pay up so you don't do X, you're also breaking your deal with A. Brad Templeton of the EFF stated as much on his blog in 2006:
The pipes start off belonging to the ISPs but they sell them to their customers. The customers are buying their line to the middle, where they meet the line from the other user or site they want to talk to. The problem is generated because the carriers all price the lines at lower than they might have to charge if they were all fully saturated, since most users only make limited, partial use of the lines. When new apps increase the amount a typical user needs, it alters the economics of the ISP. They could deal with that by raising prices and really delivering the service they only pretend to sell, or by charging the other end, and breaking the cost contract. They've rattled sabres about doing the latter.
And I think the same is clearly true if, instead of trying to extract money from the content publisher, the ISP tries to extract something else, like an agreement to shut down certain Web sites before the ISP will let their users view other sites hosted at the same company. You can talk all day about how evil those Web sites are, but the ISP has already sold the user a connection with the implied ability to access them.
Anyway, this all came out in 2000 when a Slashdot article revealed that AboveNet had been blocking Web sites, and AboveNet stopped doing it two hours after the article came out. (TeleGlobe stuck with it for a few more months.) But from the hostility of the reaction, you'd think that we had published cartoons in a Danish newspaper showing Paul Vixie with a bomb in his turban. I got more e-mails than I could count arguing that AboveNet had the right to block whatever Web sites they felt like, regardless of whether the end users knew it was happening. To those people, I'd be sincerely interested in their answer to this question: Does that mean they'd have no problem if they found out their ISP was silently blocking sites for political reasons? There is a clear line between following user preferences by blocking spam, and countermanding user preferences by blocking sites because of their content -- and once you've crossed that line, where's the logical stopping point? Seriously, I would have liked to have known how they would answer that, if I could have gotten any meaningful dialog going with them, which most of the time I couldn't. At the time, I'd just spent four years telling people that kids looking at porn was a non-issue, and that by the way if their kids came to my Web site I'd even help them get around their blocking software, and I still got more angry e-mails for disclosing the fact that AboveNet blocked Web sites based on their content, than I'd gotten in all the previous four years combined.
(A few even accused us of moving into a blacklisted address block on purpose. This was because the actual move happened after the blacklisting was in place, even though I told them all that our ISP had announced the coming move two months before -- repeat, before -- they ever heard from MAPS. Some people were so in love with that "smoking gun" that they didn't believe me; that's their prerogative. But don't take my word for it -- when one supporter wrote to MAPS to ask about un-blocking our site, MAPS officer Kelly Thompson replied:
>Would it be possible to
>selectively unblock peacefire.org (209.211.253.169)?
Technically? Yes, it is. It's a violation of our policy, though, so I can't do so.
I would be willing to help you find other free or reduced cost hosting, however.
It was MAPS's decision, not ours or our ISP's, to have our site blocked. That should settle that once and for all, just as soon as there is peace in the Middle East and a black lesbian in the White House.)
But what do all these people think about Net Neutrality, 6 years later? I tried to track down the influential people who had spoken out supporting AboveNet's blocking of Web sites, or at least their right to block Web sites. My position was, we can agree to disagree on that, but if they really feel that way, why haven't they been speaking out against Net Neutrality? The proposed Snowe amendment was pretty clear:
SEC. 12. INTERNET NEUTRALITY
(a) Duty of Broadband Service Providers- With respect to any broadband service offered to the public, each broadband service provider shall--
(1) not block, interfere with, discriminate against, impair, or degrade the ability of any person to use a broadband service to access, use, send, post, receive, or offer any lawful content, application, or service made available via the Internet.
John Levine, webmaster of Abuse.Net, head of the IRTF's Anti-Spam Research Group, and one of the most vocal critics of Peacefire's campaign against AboveNet's Web filtering, said that he would have opposed the bill but didn't bother because it didn't have much chance of passing. Well, it didn't, but the bill was significant not because of its likelihood of passage, but because it articulated the principles that the Net Neutrality coalition had rallied around, and with the momentum behind the movement, it's likely to achieve at least some of its goals, by legislation or otherwise.
Paul Vixie, Dave Rand, and Steve Linford did not respond to requests for comment on Net Neutrality. But Paul Vixie wrote something very interesting in a May 2006 blog post:
Second, there's network neutrality. In telephone service, the government mandates that all companies providing voice-grade telephony interconnect with each other at preset rates, thus ensuring that any phone can call any other phone and that new phone companies can enter the field to help ensure competition. In Internet service, the government mandates nothing. Recently SBC (I mean AT&T, I think, is it Wednesday?) rattled its sabre and said that Google and other content supplying companies should be paying for the use of SBC's backbone to reach SBC's eyeballs. Most of us said, uh, what? "Aren't SBC's own customers paying SBC to carry that traffic?" Some of us even said "I am not an eyeball, I am a person!" But anyway, from time to time these Internet companies shut down interconnects in hopes of creating new cash flows among each other, and until the government regulates this, we're all at risk of higher prices or lower service with zero notice. Some well meaning democrats are trying to challenge this with "network neutrality" legislation, but this probably isn't their year. Or their decade.
San Francisco has a government, though. And if San Francisco owned and operated its own wireless Internet plant, we could mandate that any Internet company wishing to do business in this city interconnect at fair and reasonable cost to all other Internet companies wishing to do business in this city.
"Until the government regulates this"? "Government mandates"? "Fair and reasonable cost"? Quick, call the anti-socialist intervention squad! How long does it take those San Francisco hippies to suck the new arrivals' brains out anyway? Of course, I agree with everything he said. It's just that if you replace "create new cash flows" with "try to get ISPs to remove content from their servers", this describes exactly what Vixie and AboveNet were doing a few years earlier. He's a smart guy, and I'm sure this didn't escape his sense of irony, so perhaps this confirms something I'd suspected all along, which is that Vixie understood the subtleties of the issue better than most of his cheerleaders, and may be having second thoughts about AboveNet's Web-blocking misadventure. From the beginning, in a 1997 interview with Sun World, he sounded like someone trying to at least keep an open mind:
Concentration of power into a single individual: It's very true that power has corrupted every individual in whom it has ever been concentrated in the history of mankind. I do not feel that I am necessarily above whatever elements of human nature give rise to that. I worry about it. Probably other people worry about it more than I do.
Although, he didn't get to making any such frank statements during the controversy over AboveNet's Web site blocking. (Perhaps MAPS's lawyers were worried that he was a little too unfiltered and advised him not to comment; at the time, the MAPS Web site had a "How to sue MAPS" link on the front page.)
Speaking of which, Anne Mitchell, Director of Legal and Public Affairs for MAPS during the time when AboveNet was blocking Web sites, was the only MAPS adherent from the era that I could find who has since clearly and publicly come out against Net Neutrality. In May 2006 she wrote:
Here's the thing that the 3Ns (Net Neutrality Nuts) don't get: bandwidth costs money. And if you can't charge those who use the majority of it accordingly, then you are going to have to amortize it across everybody.
So, if a net neutrality law passes, don't be surprised when your costs to have an Internet account skyrocket.
Because somebody has to pay those bills, and if the law says that the ISPs can't charge the big guys - the big users - differently, it means that they have to charge them the same rate that they charge everyone else. And that means not that their rate will go down, but that everybody else's rate will go up.
And then again in February 2007 in another blog post titled "Towards A Nanny Internet", she wrote, "Network neutrality is the idea that ISPs should be forced to charge everybody the same for their Internet use", grouping it together with proposed anti-bullying and anti-anonymity laws.
Well, points to Anne for being consistent, and for publicly declaring her views in no uncertain terms, which is all I'm asking of the other supporters of AboveNet's website blocking policy. (Although she's coming at it from a different angle this time, "How do we work out who pays for the traffic" rather than "ISPs should be allowed to block whatever they want without telling anybody".) But this is also a textbook example of what I think are the three major fallacies of opposition to Net Neutrality:
First, lumping it together with other examples of unpopular regulation and calling it one more example of Big Government -- an argument also tried in other editorials ("Politicians and public figures alike should realize the absurdity of advocating more red tape to keep the Internet free"). This meme has never really caught on, possibly because groups like the ACLU and the EFF that have traditionally opposed true Internet censorship, have lined up in favor of Net Neutrality. All the proposed "red tape" and "regulation" really says is that if a user attempts to access a Web site over a connection that they've paid for, the ISP may not block or slow down their access, a law which most people would hardly consider tyrannical.
Second, asserting that "Network neutrality is the idea that ISPs should be forced to charge everybody the same for their Internet use." I've never actually heard anyone advocate anything close to that, but a common question among skeptics is why different "tiers" for Internet traffic are really any different from different-tiered pricing for dial-up vs. DSL, or for different levels of Web hosting. The difference is that when users and Web site owners pay for those connections, they are paying for their respective connections to the rest of the Internet. But an ISP charging a Web site owner to carry their traffic the last mile to the user's house, is not charging for a product or service, but really charging a fee not to break a service that they've already agreed to provide to the user.
Which leads to the third misconception: "Here's the thing that the 3Ns (Net Neutrality Nuts) don't get: bandwidth costs money... So, if a net neutrality law passes, don't be surprised when your costs to have an Internet account skyrocket." But it's not about how much a service costs, but about the ethics of double-billing for it. We know that ISP pricing models can already support the total traffic that people consume today, and ISPs do already follow net neutrality principles most of the time, so nobody's costs will "skyrocket" just because a neutrality law passes. If vastly more people start trying to stream CNN over the Internet 24/7, and fully using the services that ISPs have "only been pretending to sell" as Brad Templeton put it, then ISPs may have to charge more for users who consume too much bandwidth, encouraging people to stay at today's average levels by rationing themselves and perhaps watching 24 on their $5,000 TV sets sometimes instead of downloading it off of BitTorrent to their laptop every week because it makes them feel like a haX0r. Much as we all love our unmetered connections, it wouldn't be a violation of Net Neutrality for ISPs to charge users for bandwidth hogging, to keep everyone from going too far above today's levels. What ISPs should not do is charge users for implied full-throttle connections, and then turn around to charge publishers for moving bits over those same lines, or block the connection for any other reason.
So, yes, Virginia, blocking of Web sites does happen -- and by "Virginia", I mean FTC Chairman Deborah Platt Majoras, who said in a speech in August 2006: "I have to say, thus far, proponents of net neutrality regulation have not come to us to explain where the market is failing or what anticompetitive conduct we should challenge; we are open to hearing from them." This was echoed in an editorial later that month from Sonia Arrison of the Pacific Research Institute:
Internet service providers have voluntarily upheld content-neutral practices without the need for government intervention, and consumers would never stand for blocked Web sites... If the loss of net neutrality principles was really a problem, advocates wouldn't need to scare Americans in order to win their support. Using government regulation preemptively to shortchange business partners is a reckless abuse of the public policy process. New laws should be based on facts and reality, not fear and hypothetical situations.
I guess both of those ladies' ISPs must be blocking access to the SaveTheInternet.com Web site, so I e-mailed both of them the coalition's list of examples, and added a note about the AboveNet/TeleGlobe incident as well. No personal response from either of them yet, but I'm sure they just got lost in the shuffle while they were so busy sending out corrections. (On the other hand, I did get a courteous response from Randolph J. May of the Free State Foundation, when I wrote to him about an editorial he penned which also argued that violations have not happened: "It is generally agreed that except for a few isolated and quickly remedied incidents, neither the cable operators nor the telephone companies providing broadband Internet services have blocked, impaired or otherwise restricted subscriber access to the content of unaffiliated entities." He said he hadn't known about the AboveNet/TeleGlobe incident either.)
Another theme in some anti-Net-Neutrality editorials is that existing laws are enough to deal with the problem. In Majoras's speech, she said, "We should not forget that we already have in place an existing law enforcement and regulatory structure." Arrison's echoed that "Numerous federal agencies already have set a basic legal framework in place to preserve fair competition and business practices on the Internet". Well, as Yogi Berra says, in theory, there is no difference between theory and practice, but in practice, there is. After I found out AboveNet and TeleGlobe were blocking my Web site, I called about twenty lawyers in the Bellevue phone book, figuring: I wasn't greedy, but surely there would be financial damages for deceiving users and blocking our site, enough to pay a lawyer in return for handling the case?
I think about two lawyers called me back, and they both said that even though what the backbone companies were doing clearly looked like fraud, it would take tens of thousands of dollars just to get started, and even if we ever got to court, the judge could call it however they wanted. Whatever laws exist now, they may help the slightly smaller big guy against the bigger big guy, but are not much use to the little or medium-sized guy.
So, any informed debate about Net Neutrality has to include the fact that, yes, some providers have blocked Web sites on purpose, for long periods of time, and no, the free market didn't fix it by itself. Even if something on that scale never happens again, if the free market and the anti-trust laws didn't automatically correct a case where Web sites were being blocked outright, then it's wishful thinking to think that those forces will prevent ISPs from merely slowing down Web access to sites that haven't paid a "toll", as they have made noises about doing. One AboveNet customer, Sam Knutson, said when he found out about the Web site blocking, "This type of behavior on the part of an ISP is reprehensible. I pay for a pipe and don't expect this type of monkey business." Well, I agree that it's reprehensible; whether we should "expect" more of it or not, depends on how much the Net Neutrality movement achieves its goals.
-
Yes Virginia, ISPs Have Silently Blocked Web Sites
Slashdot contributor Bennett Haselton writes "A recurring theme in editorials about Net Neutrality -- broadly defined as the principle that ISPs may not block or degrade access to sites based on their content or ownership (with exceptions for clearly delineated services like parental controls) -- is that it is a "solution in search of a problem", that ISPs in the free world have never actually blocked legal content on purpose. True, the movement is mostly motivated by statements by some ISPs about what they might do in the future, such as slow down customers' access to sites if the sites haven't paid a fast-lane "toll". But there was also an oft-forgotten episode in 2000 when it was revealed that two backbone providers, AboveNet and TeleGlobe, had been blocking users' access to certain Web sites for over a year -- not due to a configuration error, but by the choice of management within those companies. Maybe I'm biased, since one of the Web sites being blocked was mine. But I think this incident is more relevant than ever now -- not just because it shows that prolonged violations of Net Neutrality can happen, but because some of the people who organized or supported AboveNet's Web filtering, are people in fairly influential positions today, including the head of the Internet Systems Consortium, the head of the IRTF's Anti-Spam Research Group, and the operator of Spamhaus. Which begs the question: If they really believe that backbone companies have the right to silently block Web sites, are some of them headed for a rift with Net Neutrality supporters?" Read on for the rest of his story.
In the aforementioned instance, AboveNet and TeleGlobe were not selling "parental filters" or other common types of filtered Internet access; the users being blocked from our Web sites were adults paying for what they thought were unfiltered Internet connections.
What had happened was that AboveNet and TeleGlobe signed up to block Web sites on the Realtime Blackhole List, a list which was widely (but inaccurately) thought to be a list of "spammers", put out by a group called the Mail Abuse Prevention System. (MAPS and the RBL still exist, but under new management and in a form that bears little resemblance to their late-90's forerunners.) Most ISPs that used the RBL used it to filter only incoming e-mail, but AboveNet went all-out and blocked users from even viewing RBL'ed web sites, presumably because two of MAPS's founders, Paul Vixie and Dave Rand, were on the AboveNet board of directors. And it turned out that the RBL not only included spammers, but also Web sites that were not sending mail at all but were blocked because of their content -- in our case, our ISP got blocked because some other customers were selling mailing list software that MAPS believed could be too easily abused by spammers.
These two distinctions -- (1) the distinction between blocking incoming e-mail from spammers, versus blocking Web sites; and (2) the distinction between blocking traffic due to spam activity, versus blocking sites because of their content -- both go to the heart of what Net Neutrality is, and isn't, about. Net Neutrality is about user preferences -- not meaning that as a buzzword, but as an actual guiding principle to figure out what is and is not covered by the cause. If an ISP filters incoming mail from known spammers, that generally improves the user experience, and is something many users would expect an ISP to do anyway. But if an ISP blocks users from reaching Web sites (even, for the sake of argument, the Web sites of actual spammers), then that's generally counteracting the user's wishes -- if the user didn't want to go there, they wouldn't have typed it in. (After all, I visit spammers' Web sites all the time, usually right before I sue them.) Similarly, if an ISP blocks traffic from sites because of spam or other network abuse, that serves to protect their own users. But if an ISP blocks users from viewing sites because of their content, that's generally not expected by users, unless they've specifically signed up for something like parental controls. The Snowe Net Neutrality amendment proposed last year recognized both of these distinctions, and stated that nothing in the amendment would be interpreted to prohibit spam filtering, parental control services, or measures to protect network security.
The MAPS incident thus shaped most of my opinions about Net Neutrality 6 years before the debate even had a name. When I first found out in August 2000 that our ISP was blacklisted, like most people I believed that the RBL really was a list of spammers; after all the MAPS web page said that the RBL was a list of networks that "originate or relay spam". So I called my ISP screaming at them for being incompetent spam-enablers (the culmination of many frustrating issues with them), and saying that if they really were letting customers send spam, or running an insecure server that spammers were hijacking, I would leave on principle, if the cretins managing our server didn't drop it in the lake first. The ISP owner then told me what happened: that the ISP was not blacklisted for spamming customers, but because of the content of the other sites. (Buried in the list of RBL criteria on MAPS's site was the statement that sites could be blacklisted for providing "spam software", although the criteria did not define how they distinguished between spam software and regular mailing list software, which is how our ISP got caught in the net. And the criteria did not disclose anywhere the most controversial feature of the RBL, which is that if an ISP didn't comply, MAPS would start blacklisting other unrelated sites at the same ISP to put more pressure on them.) I agreed that this seemed to be absurd, and said I wouldn't leave the ISP if they were being blackballed just because of the content of hosted pages.
I don't know exactly what the mail software in question did or where MAPS thought the line should be drawn, but I am a purist about content -- it's a long-standing principle among the Internet security community that if a tool exists which exploits a security hole, you don't try to make the software disappear, you fix the hole. And besides, since MAPS and their supporters wanted to blackball ISPs that hosted spamming software (however you defined that), but the same people had never advocated blackballing ISPs that hosted network break-in tools and other cracking programs, for example, then what were they really saying? That spamming someone is more unethical than breaking into their network?
But by far the most common objection to my complaint about AboveNet blocking Web sites was, "Hey, if a private company blocks things, as long as they're being honest to their users about it, who cares?" Well, true, but the fact that AboveNet blocked Web sites was not widely known even within the company; when I once called AboveNet feigning ignorance and asking them if they blocked RBL'ed Web sites, the technician who spoke to me said, "No, that wouldn't make any sense." (Well, half right.) Their AUP mentioned "protecting users from spam" but said nothing about blocking Web sites. In fact, other than "family-filtered" ISPs and similar services, I've never heard of any company blocking Web sites that actually did try to make their users aware of it. (On the other hand, even if AboveNet had fully disclosed their filtering, they were still a backbone company selling connectivity mainly to ISPs -- and I think if you sell something wholesale that can only be re-sold to the public by fraudulent means, then you're at least partly complicit in that fraud as well.)
If you're tempted to argue that backbone providers should be allowed to block whatever they want as long as they bury it in their AUP (although AboveNet and TeleGlobe didn't even do that much), just consider: When you access Google from your home computer, have you read the AUP of every network that the packets pass through, to check whether they reserve the right to block or even modify your traffic? Without doing a traceroute, could you even name all the networks that the traffic passes through? Do you really want the burden to be on you to check with all of them every time there's a problem reaching a Web site? Or do you feel like there's an understanding that as long as you pay your bill, they should let you go wherever you want?
Some have argued that if an ISP blocks the user from reaching a Web site, then even if the ISP is defrauding the user, that's still strictly an issue between the user and the ISP. But if a user is trying to reach your Web site, the user is trying to give you something of value: their attention, their eyeballs on your advertisements, sometimes even their money (with the expectation that you will provide them with something in return, of course, like some content worth reading). If the ISP steps in and blocks that, then the ISP has taken something of value that the user was attempting to give to you, and diverted it to serve their own interests. To me that doesn't seem ethically much different from the FedEx driver swiping the chocolates that someone tried to send you for Valentine's Day. Is that just between the sender and FedEx? Or do you have a beef because you didn't get the present that was intended for you, and you had to eat last week's chocolates to cheer up?
The modern-day threats to Net Neutrality are different: slowing access to Web sites unless the site owners pay a "toll", instead of blocking access to sites because of the content of other sites hosted at the same ISP. But they both boil down to the same thing: not giving end users what they have already paid for. If a user buys Internet access, they almost always buy it with the understanding that if they access a site, the content will download as quickly as their connection allows.
Thus the most common misconception about Net Neutrality is that the proponents are fighting against "capitalism" -- ISPs just charging more for different delivery speeds. But ISPs are already charging users for those delivery lines -- including different tiers for different prices. That's capitalism, and it works, with prices falling all the time in a fairly competitive market. But charging publishers for those higher delivery speeds to the user's house, is really more like double-billing, because the user has already been charged once for the lines that the content is coming over, so the ISP is trying to charge the content publisher again for the same service. Of course, if you charge party A for doing X, and then you try to charge party B for the same instance of doing X, and party B doesn't pay up so you don't do X, you're also breaking your deal with A. Brad Templeton of the EFF stated as much on his blog in 2006:
The pipes start off belonging to the ISPs but they sell them to their customers. The customers are buying their line to the middle, where they meet the line from the other user or site they want to talk to. The problem is generated because the carriers all price the lines at lower than they might have to charge if they were all fully saturated, since most users only make limited, partial use of the lines. When new apps increase the amount a typical user needs, it alters the economics of the ISP. They could deal with that by raising prices and really delivering the service they only pretend to sell, or by charging the other end, and breaking the cost contract. They've rattled sabres about doing the latter.
And I think the same is clearly true if, instead of trying to extract money from the content publisher, the ISP tries to extract something else, like an agreement to shut down certain Web sites before the ISP will let their users view other sites hosted at the same company. You can talk all day about how evil those Web sites are, but the ISP has already sold the user a connection with the implied ability to access them.
Anyway, this all came out in 2000 when a Slashdot article revealed that AboveNet had been blocking Web sites, and AboveNet stopped doing it two hours after the article came out. (TeleGlobe stuck with it for a few more months.) But from the hostility of the reaction, you'd think that we had published cartoons in a Danish newspaper showing Paul Vixie with a bomb in his turban. I got more e-mails than I could count arguing that AboveNet had the right to block whatever Web sites they felt like, regardless of whether the end users knew it was happening. To those people, I'd be sincerely interested in their answer to this question: Does that mean they'd have no problem if they found out their ISP was silently blocking sites for political reasons? There is a clear line between following user preferences by blocking spam, and countermanding user preferences by blocking sites because of their content -- and once you've crossed that line, where's the logical stopping point? Seriously, I would have liked to have known how they would answer that, if I could have gotten any meaningful dialog going with them, which most of the time I couldn't. At the time, I'd just spent four years telling people that kids looking at porn was a non-issue, and that by the way if their kids came to my Web site I'd even help them get around their blocking software, and I still got more angry e-mails for disclosing the fact that AboveNet blocked Web sites based on their content, than I'd gotten in all the previous four years combined.
(A few even accused us of moving into a blacklisted address block on purpose. This was because the actual move happened after the blacklisting was in place, even though I told them all that our ISP had announced the coming move two months before -- repeat, before -- they ever heard from MAPS. Some people were so in love with that "smoking gun" that they didn't believe me; that's their prerogative. But don't take my word for it -- when one supporter wrote to MAPS to ask about un-blocking our site, MAPS officer Kelly Thompson replied:
>Would it be possible to
>selectively unblock peacefire.org (209.211.253.169)?
Technically? Yes, it is. It's a violation of our policy, though, so I can't do so.
I would be willing to help you find other free or reduced cost hosting, however.
It was MAPS's decision, not ours or our ISP's, to have our site blocked. That should settle that once and for all, just as soon as there is peace in the Middle East and a black lesbian in the White House.)
But what do all these people think about Net Neutrality, 6 years later? I tried to track down the influential people who had spoken out supporting AboveNet's blocking of Web sites, or at least their right to block Web sites. My position was, we can agree to disagree on that, but if they really feel that way, why haven't they been speaking out against Net Neutrality? The proposed Snowe amendment was pretty clear:
SEC. 12. INTERNET NEUTRALITY
(a) Duty of Broadband Service Providers- With respect to any broadband service offered to the public, each broadband service provider shall--
(1) not block, interfere with, discriminate against, impair, or degrade the ability of any person to use a broadband service to access, use, send, post, receive, or offer any lawful content, application, or service made available via the Internet.
John Levine, webmaster of Abuse.Net, head of the IRTF's Anti-Spam Research Group, and one of the most vocal critics of Peacefire's campaign against AboveNet's Web filtering, said that he would have opposed the bill but didn't bother because it didn't have much chance of passing. Well, it didn't, but the bill was significant not because of its likelihood of passage, but because it articulated the principles that the Net Neutrality coalition had rallied around, and with the momentum behind the movement, it's likely to achieve at least some of its goals, by legislation or otherwise.
Paul Vixie, Dave Rand, and Steve Linford did not respond to requests for comment on Net Neutrality. But Paul Vixie wrote something very interesting in a May 2006 blog post:
Second, there's network neutrality. In telephone service, the government mandates that all companies providing voice-grade telephony interconnect with each other at preset rates, thus ensuring that any phone can call any other phone and that new phone companies can enter the field to help ensure competition. In Internet service, the government mandates nothing. Recently SBC (I mean AT&T, I think, is it Wednesday?) rattled its sabre and said that Google and other content supplying companies should be paying for the use of SBC's backbone to reach SBC's eyeballs. Most of us said, uh, what? "Aren't SBC's own customers paying SBC to carry that traffic?" Some of us even said "I am not an eyeball, I am a person!" But anyway, from time to time these Internet companies shut down interconnects in hopes of creating new cash flows among each other, and until the government regulates this, we're all at risk of higher prices or lower service with zero notice. Some well meaning democrats are trying to challenge this with "network neutrality" legislation, but this probably isn't their year. Or their decade.
San Francisco has a government, though. And if San Francisco owned and operated its own wireless Internet plant, we could mandate that any Internet company wishing to do business in this city interconnect at fair and reasonable cost to all other Internet companies wishing to do business in this city.
"Until the government regulates this"? "Government mandates"? "Fair and reasonable cost"? Quick, call the anti-socialist intervention squad! How long does it take those San Francisco hippies to suck the new arrivals' brains out anyway? Of course, I agree with everything he said. It's just that if you replace "create new cash flows" with "try to get ISPs to remove content from their servers", this describes exactly what Vixie and AboveNet were doing a few years earlier. He's a smart guy, and I'm sure this didn't escape his sense of irony, so perhaps this confirms something I'd suspected all along, which is that Vixie understood the subtleties of the issue better than most of his cheerleaders, and may be having second thoughts about AboveNet's Web-blocking misadventure. From the beginning, in a 1997 interview with Sun World, he sounded like someone trying to at least keep an open mind:
Concentration of power into a single individual: It's very true that power has corrupted every individual in whom it has ever been concentrated in the history of mankind. I do not feel that I am necessarily above whatever elements of human nature give rise to that. I worry about it. Probably other people worry about it more than I do.
Although, he didn't get to making any such frank statements during the controversy over AboveNet's Web site blocking. (Perhaps MAPS's lawyers were worried that he was a little too unfiltered and advised him not to comment; at the time, the MAPS Web site had a "How to sue MAPS" link on the front page.)
Speaking of which, Anne Mitchell, Director of Legal and Public Affairs for MAPS during the time when AboveNet was blocking Web sites, was the only MAPS adherent from the era that I could find who has since clearly and publicly come out against Net Neutrality. In May 2006 she wrote:
Here's the thing that the 3Ns (Net Neutrality Nuts) don't get: bandwidth costs money. And if you can't charge those who use the majority of it accordingly, then you are going to have to amortize it across everybody.
And then again in February 2007 in another blog post titled "Towards A Nanny Internet", she wrote, "Network neutrality is the idea that ISPs should be forced to charge everybody the same for their Internet use", grouping it together with proposed anti-bullying and anti-anonymity laws.
So, if a net neutrality law passes, don't be surprised when your costs to have an Internet account skyrocket.
Because somebody has to pay those bills, and if the law says that the ISPs can't charge the big guys - the big users - differently, it means that they have to charge them the same rate that they charge everyone else. And that means not that their rate will go down, but that everybody else's rate will go up.
Well, points to Anne for being consistent, and for publicly declaring her views in no uncertain terms, which is all I'm asking of the other supporters of AboveNet's website blocking policy. (Although she's coming at it from a different angle this time, "How do we work out who pays for the traffic" rather than "ISPs should be allowed to block whatever they want without telling anybody".) But this is also a textbook example of what I think are the three major fallacies of opposition to Net Neutrality:
First, lumping it together with other examples of unpopular regulation and calling it one more example of Big Government -- an argument also tried in other editorials ("Politicians and public figures alike should realize the absurdity of advocating more red tape to keep the Internet free"). This meme has never really caught on, possibly because groups like the ACLU and the EFF that have traditionally opposed true Internet censorship, have lined up in favor of Net Neutrality. All the proposed "red tape" and "regulation" really says is that if a user attempts to access a Web site over a connection that they've paid for, the ISP may not block or slow down their access, a law which most people would hardly consider tyrannical.
Second, asserting that "Network neutrality is the idea that ISPs should be forced to charge everybody the same for their Internet use." I've never actually heard anyone advocate anything close to that, but a common question among skeptics is why different "tiers" for Internet traffic are really any different from different-tiered pricing for dial-up vs. DSL, or for different levels of Web hosting. The difference is that when users and Web site owners pay for those connections, they are paying for their respective connections to the rest of the Internet. But an ISP charging a Web site owner to carry their traffic the last mile to the user's house, is not charging for a product or service, but really charging a fee not to break a service that they've already agreed to provide to the user.
Which leads to the third misconception: "Here's the thing that the 3Ns (Net Neutrality Nuts) don't get: bandwidth costs money... So, if a net neutrality law passes, don't be surprised when your costs to have an Internet account skyrocket." But it's not about how much a service costs, but about the ethics of double-billing for it. We know that ISP pricing models can already support the total traffic that people consume today, and ISPs do already follow net neutrality principles most of the time, so nobody's costs will "skyrocket" just because a neutrality law passes. If vastly more people start trying to stream CNN over the Internet 24/7, and fully using the services that ISPs have "only been pretending to sell" as Brad Templeton put it, then ISPs may have to charge more for users who consume too much bandwidth, encouraging people to stay at today's average levels by rationing themselves and perhaps watching 24 on their $5,000 TV sets sometimes instead of downloading it off of BitTorrent to their laptop every week because it makes them feel like a haX0r. Much as we all love our unmetered connections, it wouldn't be a violation of Net Neutrality for ISPs to charge users for bandwidth hogging, to keep everyone from going too far above today's levels. What ISPs should not do is charge users for implied full-throttle connections, and then turn around to charge publishers for moving bits over those same lines, or block the connection for any other reason.
So, yes, Virginia, blocking of Web sites does happen -- and by "Virginia", I mean FTC Chairman Deborah Platt Majoras, who said in a speech in August 2006: "I have to say, thus far, proponents of net neutrality regulation have not come to us to explain where the market is failing or what anticompetitive conduct we should challenge; we are open to hearing from them." This was echoed in an editorial later that month from Sonia Arrison of the Pacific Research Institute:
Internet service providers have voluntarily upheld content-neutral practices without the need for government intervention, and consumers would never stand for blocked Web sites... If the loss of net neutrality principles was really a problem, advocates wouldn't need to scare Americans in order to win their support. Using government regulation preemptively to shortchange business partners is a reckless abuse of the public policy process. New laws should be based on facts and reality, not fear and hypothetical situations.
I guess both of those ladies' ISPs must be blocking access to the SaveTheInternet.com Web site, so I e-mailed both of them the coalition's list of examples, and added a note about the AboveNet/TeleGlobe incident as well. No personal response from either of them yet, but I'm sure they just got lost in the shuffle while they were so busy sending out corrections. (On the other hand, I did get a courteous response from Randolph J. May of the Free State Foundation, when I wrote to him about an editorial he penned which also argued that violations have not happened: "It is generally agreed that except for a few isolated and quickly remedied incidents, neither the cable operators nor the telephone companies providing broadband Internet services have blocked, impaired or otherwise restricted subscriber access to the content of unaffiliated entities." He said he hadn't known about the AboveNet/TeleGlobe incident either.)
Another theme in some anti-Net-Neutrality editorials is that existing laws are enough to deal with the problem. In Majoras's speech, she said, "We should not forget that we already have in place an existing law enforcement and regulatory structure." Arrison's editorial echoed that "Numerous federal agencies already have set a basic legal framework in place to preserve fair competition and business practices on the Internet". Well, as Yogi Berra says, in theory, there is no difference between theory and practice, but in practice, there is. After I found out AboveNet and TeleGlobe were blocking my Web site, I called about twenty lawyers in the Bellevue phone book, figuring: I wasn't greedy, but surely there would be financial damages for deceiving users and blocking our site, enough to pay a lawyer in return for handling the case?
I think about two lawyers called me back, and they both said that even though what the backbone companies were doing clearly looked like fraud, it would take tens of thousands of dollars just to get started, and even if we ever got to court, the judge could call it however they wanted. Whatever laws exist now, they may help the slightly smaller big guy against the bigger big guy, but are not much use to the little or medium-sized guy.
So, any informed debate about Net Neutrality has to include the fact that, yes, some providers have blocked Web sites on purpose, for long periods of time, and no, the free market didn't fix it by itself. Even if something on that scale never happens again, if the free market and the anti-trust laws didn't automatically correct a case where Web sites were being blocked outright, then it's wishful thinking to think that those forces will prevent ISPs from merely slowing down Web access to sites that haven't paid a "toll", as they have made noises about doing. One AboveNet customer, Sam Knutson, said when he found out about the Web site blocking, "This type of behavior on the part of an ISP is reprehensible. I pay for a pipe and don't expect this type of monkey business." Well, I agree that it's reprehensible; whether we should "expect" more of it or not, depends on how much the Net Neutrality movement achieves its goals.
-
Residential Wi-Fi Mapping Database Revealed
Talaria writes "An enormous database of home wifi routers and their locations has been revealed after the Internet Patrol did some digging following AOL's recent announcement of their new "Near Me" service, which allows AIM users to see which of their instant messenger buddies are geographically near them. The database, containing the unique IDs of more than 16 million wireless routers and their locations, has been compiled by AOL partner Skyhook Wireless, which claims to have mapped the majority of residences in the U.S. and Canada."