Domain: wikipedia.org
Stories and comments across the archive that link to wikipedia.org.
Stories · 7,048
-
How To Stop Prediction Market Manipulation
Frequent contributor Bennett Haselton is still thinking about prediction markets, and giving away money. He writes: "In an article last December I described a problem with prediction markets, where even markets with caps on individual bets could be manipulated by a single trader willing to spend a lot of money to distort the marketplace odds. So I offered a $100 cash prize to be split between readers who collectively came up with the best solution to the problem. Here's an idea that I think would work." Read on for the rest.
In November I wrote an article arguing that prediction markets like Intrade -- where users can bet on the odds of, say, Obama or Romney becoming president -- were a useful tool for aggregating the wisdom of crowds, but could be manipulated by someone placing a large bet in order to create the illusion that "the markets" were favoring their candidate. If the fake "market odds" were reported in the news, it could have the effect of causing more supporters to switch to that candidate, thus increasing the true odds of their victory and creating a self-fulfilling prophecy before the markets had the chance to correct themselves. The solution, I thought at first, was to have a cap on the amount that individual users could bet (which is one of the rules at the Iowa Electronic Markets), and make it illegal for a single mastermind to pay large numbers of third parties to make bets in order to circumvent the single-bettor limit.
As I admitted in a follow-up article, it turns out this regulation would not work after all. The problem is that as long as overseas betting markets like Intrade have no limit on wagers, a market manipulator could place a huge bet on Intrade to cause the odds to shift on that market -- for example, changing the odds of Obama-to-win from 4:1 to 6:1. Meanwhile, the odds in a domestic prediction market with a betting limit -- call it CappedEx -- would initially stay at their non-manipulated value of 4:1. But then "arbitrage players" could spot the difference in the odds being offered, and make opposing bets in the two markets in a way that would be guaranteed to make a net profit. (The details are spelled out in my last article, but basically, any time two markets are offering different odds of an event happening, you can pick appropriate amounts to bet in the two markets so that you're guaranteed a profit whether the event occurs or not.) These arbitrage players would continue making opposing bets in the two markets until the odds being offered in the two markets converged onto the same value -- at which point, the market manipulator has successfully manipulated the odds in the capped market, even without ever placing a bet there. Essentially, the market manipulator has hired all of those arbitrage players and paid them to make bets on his behalf, but done so indirectly to avoid violating laws against hiring an army of bet-placers.
I should be clear about the two different time frames being discussed here. If a manipulator places a large bet on Intrade, causing the odds on Intrade to diverge significantly from the odds on CappedEx, then the arbitrage players should cause the odds on the two markets to converge to the same value very rapidly -- plausibly in less than one minute. (Whoever spots the difference first, gets guaranteed free money. It would be easy to write a bot that could watch for any divergence in the odds in the two markets, and place guaranteed-profit bets as soon as a gap appeared.) Then, as political observers noticed that the odds have shifted (without any real-world event in the news that could plausibly explain the shift), another wave of bettors would take advantage of the distorted odds, to bet on the side of the event whose odds had been artificially lowered by the market manipulation. (The odds favor making such a bet, although it's not as good as a guaranteed profit.) As enough people made these opportunistic bets, the market odds would correct themselves to their original values. However, this second wave of betting would probably take a few hours, because it requires humans to think critically about the events. (One likely case of manipulation managed to shift the odds for a few minutes for just $20,000, so it's not unreasonable to think that a million dollars or two -- still small change by the standards of presidential candidates, especially when it's not subject to spending limits -- could distort the market for several hours.) The danger is that the market manipulation could cause the odds to shift in the capped market almost instantly, but the market correction would not take place until several hours later, and in that time the damage (in altering people's perceptions, and possibly creating a self-fulfilling prophecy) would already be done.
It didn't seem like there was any obvious solution to this problem. The U.S. government could ban its citizens from betting on foreign uncapped markets, but it would be too easy for a U.S. citizen to coordinate with an overseas partner to place the arbitrage bets together and split the profits. Or the U.S. could try to ban prediction markets entirely (capped or uncapped), but many economists argue that they're a useful tool for assessing the wisdom of crowds to assess the odds of an event. You could ban media reporting on the odds given by prediction markets (to try and avoid the self-fulfilling-prophecy problem), but that would probably be unconstitutional in the U.S., and unenforceable anyway if people could get their news from overseas.
So in my last article I offered up to $100 to be split between readers who came up with the best arguments for how to stop prediction markets, even markets with individual betting limits, from being shifted by manipulators who place large bets on foreign markets and then count on arbitrage players to pass on the effects to the capped markets. (I've offered cash prizes to readers who submit winning ideas before, and it usually doesn't take this long to get to the follow-up and pay out the prizes. Some follow-up articles that I submitted got lost in the editors' spam filters, sigh, and then there were some other articles in the pipeline that had to go out first. If I offer prize money for ideas and you submit a winning idea, normally you'll get your money much faster.)
Before reading any further, you might want to stop and try to think of what you would consider to be the best solution to this problem (even if the prize money has already been allocated), and then compare it to what we came up with.
... And, welcome back. Here's what I think is the best answer so far: For each event that the capped markets allow users to bet on, the capped market should also be required to monitor the odds that any overseas uncapped markets are offering on the same event. Then if there has been any recent time period where the odds on the overseas markets differed significantly from the odds on the domestic market (significantly enough to indicate manipulation -- and, similarly, significantly enough that the difference probably motivated arbitrage players to place bets to close the gap), then the reported odds should appear with a disclaimer saying, "There was a recent divergence in the odds on capped vs. uncapped markets, so the odds displayed here may have been manipulated, and should be regarded skeptically." This would help to avoid the self-fulfilling prophecy problem, if people are less likely to regard the manipulated odds as a reflection of reality.
The key assumption here is that if a real-world event happens that changes the probability of, say, an Obama victory, then the market odds in both the capped and uncapped markets should shift at about the same time to reflect that new probability. On the other hand, if the odds have shifted significantly in only one of those markets, that could be taken as a sign that that market was being manipulated. Arbitrage players would still be free to make opposing bets in the two markets to narrow the gap, so the odds in both the capped and uncapped marketplaces would still change in the short term, but in the regulated capped market, the odds would be reported with a disclaimer that they're not reliable. After a few more hours, opportunistic bettors would make bets taking advantage of the distorted odds, and the market would correct itself.
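The monitoring rule just described, together with the arbitrage mechanism from the earlier paragraphs, as an added Python example. This is not code from the article or from any prediction market: it models contracts as binary YES contracts priced between 0 and 1 (so the price doubles as the implied probability), and the 5-point divergence threshold, the lookback window, the function names and the sample price ticks are all constructed assumptions for illustration.

```python
"""Divergence monitor for a capped prediction market (constructed example).

Contracts are modelled like binary YES contracts that pay 1.0 if the event
occurs and are priced between 0 and 1, so the price doubles as the implied
probability.  The names, the 5-point threshold, the lookback window and the
sample price ticks below are all assumptions made for this illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

DISCLAIMER = (
    "There was a recent divergence in the odds on capped vs. uncapped markets, "
    "so the odds displayed here may have been manipulated, and should be "
    "regarded skeptically."
)


@dataclass(frozen=True)
class Tick:
    t: int           # minutes since the start of the constructed sample clock
    capped: float    # YES price on the domestic, capped market
    uncapped: float  # YES price on the overseas, uncapped market


def arbitrage_profit_per_contract(price_a: float, price_b: float) -> float:
    """Guaranteed profit per contract when the two markets disagree.

    Buy YES on the cheaper market and NO on the dearer one.  Exactly one leg
    pays 1.0 whatever the outcome, and the two legs together cost less than
    1.0, so the difference is locked in.  This is why arbitrage bets close
    any gap between the markets within minutes.
    """
    lo, hi = sorted((price_a, price_b))
    cost = lo + (1.0 - hi)      # YES at lo plus NO at (1 - hi)
    return 1.0 - cost           # equals hi - lo


def divergence_flags(ticks: List[Tick], threshold: float, lookback: int) -> List[bool]:
    """One flag per tick: True if |uncapped - capped| exceeded `threshold` at
    any tick in the last `lookback` minutes, the current tick included."""
    flags = []
    for i, tick in enumerate(ticks):
        recent = [x for x in ticks[: i + 1] if tick.t - x.t <= lookback]
        flags.append(any(abs(x.uncapped - x.capped) > threshold for x in recent))
    return flags


def reported_odds(ticks: List[Tick], now: int, threshold: float,
                  lookback: int) -> Tuple[float, Optional[str]]:
    """What the capped market would publish at minute `now`: its own price,
    plus the disclaimer if a recent divergence was detected."""
    idx = max(i for i, x in enumerate(ticks) if x.t <= now)
    flagged = divergence_flags(ticks[: idx + 1], threshold, lookback)[idx]
    return ticks[idx].capped, (DISCLAIMER if flagged else None)


def _series(capped: List[float], uncapped: List[float]) -> List[Tick]:
    return [Tick(t, c, u) for t, (c, u) in enumerate(zip(capped, uncapped))]


# Constructed scenario 1: a large bet moves the uncapped market at minute 5;
# the capped market catches up one minute later once arbitrage closes the gap.
MANIPULATION = _series(
    capped=[0.60] * 6 + [0.74] * 4,
    uncapped=[0.60] * 5 + [0.75] + [0.74] * 4,
)

# Constructed scenario 2: genuine news at minute 5 moves both markets together.
REAL_NEWS = _series(
    capped=[0.60] * 5 + [0.75] * 5,
    uncapped=[0.60] * 5 + [0.75] * 5,
)

if __name__ == "__main__":
    for name, series in (("manipulation", MANIPULATION), ("real news", REAL_NEWS)):
        price, note = reported_odds(series, now=8, threshold=0.05, lookback=60)
        print(f"{name}: capped price {price:.2f}, disclaimer={'yes' if note else 'no'}")
    print(f"arbitrage profit per contract at 0.60 vs 0.75: "
          f"{arbitrage_profit_per_contract(0.60, 0.75):.2f}")
```

The point the two scenarios make is the one the paragraph rests on: in both, the capped market ends up at roughly the same price, so the price alone says nothing. Only the one-minute window in which the uncapped market moved on its own distinguishes the manipulation case, and the lookback keeps the disclaimer attached for as long as the slower, human-driven correction is expected to take.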
This idea did not come from any particular reader but came up as the result of the back-and-forth I had with several people.
A few readers also had interesting ideas for regulations that could fix the problem if they could be applied to all markets. For example, Nathan Dykman suggested that in order to wager larger amounts, you would have to wager that your candidate would win by a larger margin (e.g. if you can bet $1,000 that Romney would win by 1 million votes or more, or you could bet $10,000 that Romney would win by 10 million votes or more -- so that large "manipulative" bets would stand out more obviously). Andy Jobe suggested "staggering" bets so that high rollers could only bet large amounts by placing lots of small bets in sequence, paced slowly enough that the market would probably detect the manipulation attempt and start correcting for it, before all of your bets went through. Jonathan Pearson suggested mandating that markets report the number of people making particular bets as well as the market odds, so that single large manipulative bets could be easily spotted. Ben Griffin suggested simply requiring disclosure of large bets by certain people (as he put it, the headline "Saudi Prince believes that Romney will win the election. What does he know that we don't?!" contains more useful information than "Romney's odds of victory looking better at Intrade").
I think these points are all correct, but the problem with all of these ideas is that they only work if all of the relevant markets are regulated. And if you allow that assumption, then the problem becomes trivial -- because you can just require an individual betting cap in all of the markets. On the other hand, if there's at least one market anywhere in the world that is beyond the reach of your regulations, then they don't have to disclose any statistics about their bettors or follow any other rules that you make. Then when a manipulator places a large bet in that unregulated market, and the arbitrage players place their many small corresponding bets in your domestic regulated market, the detection mechanisms described above won't do anything to stop that -- those bets in your regulated market look like real bets because they are real bets.
By contrast, if you require domestic capped markets to monitor the overseas uncapped markets, and disclose if the uncapped odds have diverged recently from the capped odds, this still works even if the regulations only apply to your domestic capped market. People can still place manipulative bets on foreign markets, but if the media reports the current "market odds" by looking at the capped market, those odds will be harder to manipulate without getting caught, because they'll run a disclaimer if manipulation has been detected recently. (Of course if the media gets their "odds" from the overseas uncapped market, and reports those odds as literal truth even when the domestic capped markets are running a disclaimer saying that those same odds have recently been manipulated, we can't do anything about that. The hope is that news agencies, no matter how lazy they may be, will at least choose to report accurate information if it takes the same effort as reporting inaccurate information, and thus would prefer getting their information from the domestic capped market, where they can easily check if there's a disclaimer saying the odds have been manipulated recently.)
Some interesting points made by other readers:
-
Carl Pearson mentioned that if campaigns had to start diverting attention to prediction market manipulation in addition to all of their other business, this might hurt small third-party candidates more than big campaigns -- because smaller campaigns have fewer available resources to put towards handling new kinds of problems. (True, I think, but only if the markets can be manipulated. If they can't be manipulated, and they're just a barometer of what people are thinking will happen, then you don't need to waste campaign time fighting on that front.)
-
Michael Mendenhall pointed out that even in a capped market, the cap should be high enough to create a high "signal-to-noise" ratio. If the cap is too low, the market odds will reflect the betting of more uninformed people who use the betting as a low-cost opportunity to cheer for what they think should happen instead of what they think will happen. (On the other hand, if the cap is too high, then the market is too easy to manipulate.)
-
Marc Beaupré argued that prediction markets can probably never be stamped out anyway, because anonymous payment protocols like Bitcoin make it possible for crypto-anarchists to place bets on unregulated darknets where they can ignore caps and disclosure requirements all they want. I'm not sure that's true (how do you place a bet in an anonymous peer-to-peer market -- who enforces the payment from the loser to the winner, depending on the outcome?) but it actually doesn't change the main thrust of my argument -- you can still have a regulated, capped domestic market, which is where the media could go for accurate information about the current market odds. So a manipulator could throw their Bitcoin money away on an unregulated peer-to-peer betting network, but it wouldn't do them any good.
Splitting the $100 in prize money, all 7 of the readers credited here get $15. There may be a simpler idea that we missed, or a different reason why this proposed idea would not work. Either way, I'm always grateful for the high quality of the comments that get emailed to me as part of these contests. Eventually I'd like to run some article contests for people to email ideas for a follow-up article, but without offering prize money, to see if that affects the quality of the submissions. It would be impossible to run a precisely controlled experiment (because you can't write a single article where half of your readers are eligible to submit ideas for prize money, and the other half are expected to submit ideas for free), but if we run contests for a large number of articles, and about half of those contests involve cash prizes while the other half offer only acknowledgement, it should eventually become clear if there's a difference in the quality of submissions. It may be that, unlike prediction markets, idea-improvement contests work just as well when there's no money involved.
-
-
Ask Dr. Robert Bakker About Dinosaurs and Merging Science and Religion
With his trademark hat and beard, Dr. Robert Bakker is one of the most recognized paleontologists working today. Bakker was among the advisers for the movie Jurassic Park, and the character Dr. Robert Burke in the film The Lost World: Jurassic Park is based on him. He was one of the first to put forth the idea that some dinosaurs had feathers and were warm-blooded, and is credited with initiating the ongoing "dinosaur renaissance" in paleontology. Bakker is currently the curator of paleontology for the Houston Museum of Natural Science and the Director of the Morrison Natural History Museum in Colorado. He is also a Christian minister, who contends that there is no real conflict between religion and science, citing the writings and views of Saint Augustine as a guide on melding the two. Dr. Bakker has agreed to take some time from his writing and digging in order to answer your questions. As usual, ask as many questions as you'd like, but please, one question per post. -
New Largest Known Prime Number: 2^57,885,161-1
An anonymous reader writes with news from Mersenne.org, home of the Great Internet Mersenne Prime Search: "On January 25th at 23:30:26 UTC, the largest known prime number, 2^57,885,161-1, was discovered on GIMPS volunteer Curtis Cooper's computer. The new prime number, 2 multiplied by itself 57,885,161 times, less one, has 17,425,170 digits. With 360,000 CPUs peaking at 150 trillion calculations per second, GIMPS — now in its 17th year — is the longest continuously-running global 'grassroots supercomputing' project in Internet history." -
Amazon Patents 'Maintaining Scarcity' of Goods
theodp writes "Back in Biblical times, creating abundance was considered innovative. That was then. Last Tuesday, GeekWire reports, the USPTO awarded Amazon.com a broad patent on reselling and lending 'used' digital goods for an invention that Amazon boasts can be used to 'maintain scarcity' of digital objects, including audio files, eBooks, movies, apps, and pretty much anything else." -
Researchers Demo Hack Against African Micro-Finance Accounts
mask.of.sanity writes "Security researchers have shown how to raid African micro-finance bank accounts en masse using fake audio one-time passwords. The banks use audio one-time passwords to authenticate users logging into their accounts, but failed to implement proper security controls across numerous systems. Crucially, the researchers did not reveal how they cracked the encryption, in order to protect users." -
Iran Unveils Its Own Stealth Fighter Jet, the Qaher F-313
An anonymous reader writes "Iran has unveiled a new home-made combat aircraft, which officials say can evade radar. The single-seat Qaher F313 (Dominant F313) is the latest design produced by Iran's military since it launched the Azarakhsh (Lightning), in 2007. President Mahmoud Ahmadinejad said it had 'almost all the positive features' of the world's most sophisticated jets. Footage from state TV showed the jet in flight, but not its take-off or landing." -
Two Heads Are Better Than One For Brain-Computer Interfaces
FatLittleMonkey writes "My mind to your mind... my thoughts to your thoughts... Researchers at the University of Essex have shown that combining the output from two non-invasive 'brain-computer interfaces,' computer-interpreted EEG signals, led to a much clearer signal of the subjects' intention than the output from a single subject. To test this idea, they had two subjects try to steer a simulated space-ship at a target planet, by thinking of one of eight possible directions. While a single user could achieve 67% accuracy, this jumped to 90% when two minds were combined. Researchers believe the technique also compensates for individual lapses in attention, and thus may have applications in real-world space missions." -
Fight Your Own Muscles To Create Force-Feedback On Smartphones
FatLittleMonkey writes "Researchers in Germany have developed a device that allows users of portable devices, such as smartphones, to experience force-feedback from games using just their own muscles... and a small EMS device. When stimulated by a painless electric pulse, the player's arm moves the device in whichever direction the game commands. The player then fights the movement with their other muscles, creating a strong sensation that the device itself is bucking in their hands. According to the developers, users found the sensation much more realistic than traditional vibrotactile feedback. (Should make PvP more interesting too.)" -
Can Proprietary Language Teams Succeed By Going Open Source?
JerkyBoy writes "RunRev maintains the proprietary LiveCode programming environment. Those familiar with HyperCard on the Mac would feel quite at home using the environment to produce simple applications, and possibly more, although the programming language it incorporates has a few significant shortcomings (e.g., true object orientation). But it is a very versatile environment, currently claiming support for Windows, Mac, Linux, iOS, Android, and server-side scripting. For us NOOBs who could never find the time to learn C++ and something like the wxWidgets or QT toolkits, it seems like a pretty good deal. Recently RunRev has done something interesting, however, and that is to create a Kickstarter campaign to move the environment to open source (~500K lines of code, ~700 files). The way that they describe it, it sounds like there will be a commercial version and an open-source version of the environment (hopefully not cripple-ware), and they are asking for money to do this. But I want to know: what are their chances of success with this model? How in the world can they make enough money to maintain their programmers and overhead while giving the environment away? In other words, if a company like RunRev announces that they are moving to an open-source model, should you become more interested or less interested in their product?" -
Amazing Video of a Brain Perceiving the External World
redletterdave points out work from Japanese researchers who produced an incredible visualization of how a brain perceives its environment. Studying zebrafish larvae, the scientists were able to observe neuronal signals in real time as the zebrafish saw and identified its prey, a paramecium. The results are illustrated in a brief video posted to YouTube, and in a longer video abstract hosted at Current Biology. (Direct download). The work is important because it demonstrates direct mapping of external stimuli to internal neuron activity in the optic tectum. -
Details of Chinese Spacecraft's Asteroid Encounter
the_newsbeagle writes "Chinese aerospace engineers have revealed, for the first time, details about their Chang'e-2 spacecraft's encounter with the asteroid Toutatis last month. They have plenty to boast: The asteroid flyby wasn't part of the original flight plan, but engineers adapted the mission and navigated the satellite through deep space (PDF). Exactly how close Chang'e-2 came to Toutatis is still unclear. The article states that the first reports 'placed the flyby range at 3.2 km, which was astonishingly—even recklessly—tight. Passing within a few kilometers of an asteroid only 2 to 3 km in diameter at a speed of 10,730 meters per second could be described as either superb shooting or a near disaster.' If the Chinese spacecraft did pass that near, it could provide a "scientific bonanza" with data about the asteroid's mass and composition." -
EU Citizens Warned Not To Use US Cloud Services Over Spying Fears
Diamonddavej writes "Leading privacy expert Caspar Bowden warned European citizens not to use cloud services hosted in the U.S. over spying fears. Bowden, former privacy adviser to Microsoft Europe, explained at a panel discussion hosted at the recent Computers, Privacy and Data Protection conference in Brussels, that a section in the Foreign Intelligence Surveillance Act Amendments Act 2008 (FISAAA) permits U.S. intelligence agencies to access data owned by non-U.S. citizens on cloud storage hosted by U.S. companies, if their activity is deemed to affect U.S. foreign policy. Bowden claimed the Act allows for purely political spying of activists, protesters and political groups. Bowden also pointed out that amendments to the EU's data protection regulation proposal introduce specific loopholes that permit FISAAA surveillance. The president of Estonia, Toomas Hendrik Ilves (at a separate panel discussion) commented, 'If it is a U.S. company it's the FBI's jurisdiction and if you are not a U.S. citizen then they come and look at whatever you have if it is stored on a U.S. company server.' The European Data Protection Supervisor declined to comment but an insider indicated that the authority is looking into the matter." -
Turning the Belkin WeMo Into a Deathtrap
Okian Warrior writes "As a followup to yesterday's article detailing 50 Million Potentially Vulnerable To UPnP Flaws, this video shows getting root access on a Belkin WeMo remote controlled wifi outlet. As the discussion notes, remotely turning someone's lamp on or off is not a big deal, but controlling a [dry] coffeepot or space heater might be dangerous. The attached discussion also points out that rapidly cycling something with a large inrush current (such as a motor) could damage the unit and possibly cause a fire." In the style of Bruce Schneier's movie-plot threat scenarios, what's the most nefarious use you can anticipate such remote outlet control being used for? -
The Human Brain Project Receives Up To $1.34 Billion
New submitter TheRedWheelbarrow writes "The singularity looms as the Human Brain Project gets up to $1.34 billion in funding. 'The challenge in AI is to design algorithms that can produce intelligent behavior and to use them to build intelligent machines. It doesn't matter whether the algorithms are biologically realistic — what matters is that they work — the behavior they produce. In the HBP, we're doing something completely different...we will base the technology on what we actually know about the brain and its circuitry.'" -
Interviews: Ask James Randi About Investigating the Truth
Better known by his stage name "The Amazing Randi", James Randi has made it his quest to "debunk psychic nonsense, disprove paranormal fakers, and squash claims of pseudoscience in order to bring the truth to the forefront." Randi worked as a popular magician most of his life and earned international fame in 1972 when he accused the famous psychic Uri Geller of being a fraud and challenged him to prove otherwise. In 1996 Randi founded The James Randi Educational Foundation (JREF) a non-profit organization whose mission includes "educating the public and the media on the dangers of accepting unproven claims, and to support research into paranormal claims in controlled scientific experimental conditions." He began offering $1000 in 1964 to anyone who could demonstrate proof of the paranormal. That amount has grown over the years, and the foundation's prize for such proof is now $1M. Around 1000 people have tried to claim the prize so far without success. Randi has agreed to take a break from busting ghostbusters and giving psychic healers a taste of their own medicine in order to answer your questions. As usual, you're invited to ask as many questions as you'd like, but please divide them, one question per post. -
Polymer Patches May Enable Effective DNA Vaccines
Zothecula writes "Taking a two-month-old in for vaccination shots and watching them get stuck with six needles in rapid succession can be painful for child and parent alike. If the work of an MIT team of researchers pans out, those needles may be a thing of the past thanks to a new dissolvable polymer film that allows the vaccination needle to be replaced with a patch. This development will not only make vaccinations less harrowing, but also allow for developing and delivering vaccines for diseases too dangerous for conventional techniques." The patch was designed with delivering DNA-based vaccines in mind. Thus far, efforts to use DNA to generate more robust and safe vaccines have failed thanks to the immune system destroying them; the polymer film embeds itself in your skin and slowly dissolves, protecting the DNA in the process. -
How Proxied Torrents Could End ISP Subpoenas
Frequent contributor Bennett Haselton writes "With the announcement of Verizon's "six strikes plan" for movie pirates (which includes reporting users to the RIAA and MPAA), and content companies continuing to sue users en masse for peer-to-peer downloads, I think it's inevitable that we'll see the rise of p2p software that proxifies your downloads through other users. In this model, you would not only download content from other users, but you also use other users' machines as anonymizing proxies for the downloads, which would make it impossible for third parties to identify the source or destination of the file transfer. This would hopefully put an end to the era of movie studios subpoenaing ISPs for the identities of end users and taking those users to court." Read below for the rest of Bennett's thoughts.
Now, I'm not advocating the creation of software that enables piracy. And I don't mean that in a nudge-wink kind of a way, I'm serious: I think people should reward movie studios for making content that they like, if only because that means studios will make more of that type of content. For my last cross-country flight I paid an honest-to-God four dollars to download a movie from Amazon Unbox to watch on the plane, even though I fondly like to think of myself as smart enough that I could have figured out how to find and download the movie for free. (Well, not all that smart; the movie was Lockout.)
However, the idea of users anonymizing each others' downloads is so elementary that I literally mean it's inevitable that we will see the rise of such software. Whether I'm in favor of it or not, it's going to happen. In fact, under certain assumptions, there's really only one logical direction that it can evolve in.
First, some background. Under the current BitTorrent protocol -- with no built-in support for anonymization -- some server S makes a large file available for download. (This is a simplified model. In real BitTorrent the coordinating tracker and the "initial seed" that holds the complete file are separate roles, the file is cut into pieces that a downloader fetches in parallel from many peers at once, and the pressure to share comes from the tit-for-tat choking algorithm rather than from an explicit credit balance. None of that changes the argument that follows.) When the first downloader, say user D1, requests a copy of the file, they have to begin the process of downloading it from S. But when the next downloader, say user D2, requests a copy of the same file while user D1 is still downloading, S tells D2 to start downloading the file from D1 instead of from S directly. (D1 is required at this point to share out the file for download, in order to earn enough "credits" to continue downloading from S.) Subsequent downloaders are similarly told to download from other downloaders instead of from the original server S. In this way, S avoids incurring massive bandwidth charges (since S only actually served the file one time), and each user on average only has to share out the file once in return for downloading it themselves.
Note that this still means that in order to initiate the download, the server S has to serve out the whole file at least once, to the first downloader -- and if the file is being distributed without the copyright owner's permission, then the operators of server S can be taken to court. This legal pressure was the reason that the Pirate Bay switched from serving BitTorrent files to serving magnet links, which enable users to download content purely from each other, without the Pirate Bay ever actually serving the content themselves. (Strictly speaking, a .torrent file never contained the content either, only metadata such as piece hashes and tracker addresses; a magnet link carries just the torrent's info-hash, so the site hosts even less and peers locate each other through the DHT instead of a tracker.) But with both .torrent files and magnet links, users who are downloading content from other users can see those other users' IP addresses -- and they know that those other users are serving the content from files stored on their own hard drives. This means that if you're the copyright owner of that content, you can subpoena the ISP for the identities of the subscribers behind those IP addresses, and take them to court for unauthorized possession and distribution of copyrighted material.
So what would a protocol look like with built-in support for anonymization? In my first draft of an idea, I thought that each download could take place using one intermediate user as a proxy, so that instead of server S telling D2 to download from D1, the server would tell D2 to use D3 as a proxy, and tell D3 to proxy the connection from D1. (As with BitTorrent, the downloader D3 would be required to allow their machine to be used as a proxy, in order to earn credits to continue with their own download.) So D1 would not be able to see the IP address of user D2 downloading from them, and D2 would not be able to see the IP address of user D1 that they were downloading from. Both of them would be able to see the IP address of user D3 which is acting as the proxy between them, but as long as it's not against the law to simply proxy a connection for someone else, that would not be grounds to subpoena user D3's identity. And D3 would be able to see the IP addresses of D1 and D2, but if D1 and D2 are communicating using a shared encryption key, then D3 would have no idea what content is flowing between D1 and D2, even as it proxies the connection between them. (Two conditions for that to hold. The key must be established end to end, either handed to D1 and D2 by S or negotiated with an exchange that D3 cannot tamper with; an unauthenticated key exchange relayed through D3 lets a malicious D3 sit in the middle and read everything. And D3 still sees the size and timing of the transfer, which is enough to guess the file whenever S coordinates only a handful of files of distinctive sizes.) So even if one of D1, D2 or D3 were an "adversary" (i.e. a copyright holder intent on suing illegal file sharers), none of the three would be able to see the IP address of another user that they knew was either downloading particular content, or serving it out.
Of course you could also argue that if D3 is among the users that server S is making available to others as an anonymizing proxy, then that constitutes proof that D3 must be downloading something else from S (otherwise, D3 wouldn't need to earn credits by acting as an anonymizing proxy), and if either D1 or D2 is an adversary, they can see D3's IP address and reason that D3 must be guilty of some copyright violation. Similarly, if D3 is the adversary, they can see D1 and D2's IP addresses and reason that both of them are probably guilty of some copyright infraction, even if D3 can't actually see what they're trading. Basically, anybody could be considered "guilty by association" simply by virtue of being in the community of users being coordinated by server S. But (1) that accusation could be deflected if some of the files being served by S were in fact legal and being distributed with the copyright holder's permission; and (2) in any case, the Digital Millennium Copyright Act requires you to claim that your specific copyrighted content is being distributed by a user, before you can unmask that user's identity; it's not enough to claim that the user is part of a network that distributes "some" copyrighted content illegally. D3 may be proxying a connection between D1 and D2 in order to earn credits so that D3 can download some content for themselves, but even though D1 and D2 can both see D3's IP address, there's no way for them to know what D3 could be downloading.
Unfortunately, this three-user-chain idea is not secure, because an adversary could still create a large number of users coordinated through server S, and sooner or later a chain would arise where both the proxy and the downloader are controlled by the adversary, at which point they would know the IP address of the user serving out the copyrighted content. In other words, eventually you'll get a situation where D2 is downloading content from D1 by going through proxy D3 -- but where D2 and D3 are both controlled by the adversary. So D2 knows the content that's being downloaded via D3, and D3 knows the IP address of D1 that's actually serving out the content -- at which point they can subpoena the identity of user D1, and sue them. (The same collusion works in the other direction: an adversary controlling the serving node D1 and the proxy D3 learns the IP address of the downloader D2. If the adversary runs a fraction f of the nodes S hands out, each chain exposes a given node with probability about f squared, and over many chains that adds up.)
So consider this idea instead: When user D1 sends a request to server S to download a file, server S gives them the IP address of another user, D2, from which they can download the file. Now, 40% of the time, user D2 actually does have the file on their hard drive and is serving it to user D1, with no proxying. The other 60% of the time, user D2 is told by S to proxy the connection from D1 and connect to a third user, D3. Now in 40% of these cases, D3 actually does have the file and is serving it out directly; the other 60% of the time, D3 is proxying the connection for yet another user, D4...
So you end up with chains of varying length, with longer chains having a progressively smaller probability of forming:
40% of chains will be of length 1 (one user downloads directly from another)
60% x 40% of chains (24%) will be of length 2
60% x 60% x 40% of chains (14.4%) will be of length 3
60% x 60% x 60% x 40% of chains (8.64%) will be of length 4, etc. These proportions sum to 1 (the lengths follow a geometric distribution: a chain of length k occurs with probability 0.6^(k-1) x 0.4), and the mean of that distribution is 1/0.4 = 2.5 hops, so the length of the average chain is 3.5 nodes. The number of downloads in a chain -- the connections between users -- is one less than the number of nodes in the chain, so this means that to complete one download, the content will have to be transferred an average of 2.5 times -- compared to being transferred only once, when one user downloads from another directly. In order to ensure that users contribute as much to the system as they take from it, that means that in order to download a file, users would be required to provide enough "proxying" to support the equivalent of 2.5 full downloads of that same file.
These chains have a useful property: any time you're downloading content "from" another user, there's only a 40% chance that user is serving content off of their own hard drive, and a 60% chance that they're proxying the connection from somewhere else (another node that may in turn be proxying the connection from yet another node, etc.). So even if the adversary controls three nodes D1, D2, and D3, and D1 is downloading from D2 who is downloading from D3 who is downloading from D4 (and D4 is not controlled by the adversary), from the adversary's point of view there's only a 40% chance that D4 is actually originating the content; the decision at each hop is independent of the hops before it, so having watched the chain pass through their own nodes tells the adversary nothing about the next one. This is always true no matter how many nodes in the chain the adversary controls -- in the end, if they want to nail someone for serving out copyrighted content, they have to download the content from some node that they don't control, and there will only be a 40% chance that user is actually serving the content from their hard drive.
And the 40% number was deliberately chosen in order to weaken the adversary's legal grounds for subpoenaing the identity of the user they're downloading from -- even if they can show that they downloaded content from another user's IP address, it's more likely than not that the other user was not actually hosting the content. (Of course, there might be other details in context that render that probability calculation useless. For example, if the server S only links to one downloadable file, then all users coordinated by that server S are presumably downloading that same file, and anybody that server S connects you to can be presumed guilty of downloading and sharing that file, 40% figure be damned. A second caveat: the 40% is the odds for a single observation. An adversary who can request the same file over and over and record which node S hands them each time will, unless S is designed to prevent it, see the nodes that really hold the file more often than the ones that only proxy, because a holder is eligible to be chosen both as a direct server and as a proxy while a non-holder can only ever be a proxy. How quickly that sampling separates the two groups depends on how S chooses nodes and on how many holders there are relative to the whole population, both of which this sketch leaves open.)
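The chain-length arithmetic above and the 40% property, as an added example that is not part of the original article: a short Python simulation that reproduces the geometric distribution and the 2.5-hop average, computes the exposure of the earlier fixed three-node design when the adversary runs a fraction of the nodes, and then plays the repeated-request attack against the variable-length chains. Two things the article leaves unspecified are assumed here and labelled as such: S picks a direct server uniformly from the nodes that hold the file and a proxy uniformly from all nodes, and the adversary may request the same file as often as it likes. The node population and holder set are constructed for the demo.

```python
"""Simulation of the variable-length proxy chains described in the article.

Added example, not code from the original article. Assumptions not stated
in the text (they would matter in a real design):
  * the coordinator S draws a direct serve uniformly from the holders of
    the file and a proxy hop uniformly from the whole node population;
  * an adversary can request the same file repeatedly and record which
    node S points it at each time.
The population and holder set below are constructed, not measured.
"""
import random
from collections import Counter

P_DIRECT = 0.4  # probability that any given hop is served from the peer's own disk


def chain_length_distribution(p_direct=P_DIRECT, max_len=12):
    """P(chain has k hops) = (1 - p)^(k-1) * p: the percentages listed in the text."""
    return {k: (1 - p_direct) ** (k - 1) * p_direct for k in range(1, max_len + 1)}


def expected_hops(p_direct=P_DIRECT):
    """Mean hops (transfers) per completed download, 1/p. Nodes per chain is one more."""
    return 1.0 / p_direct


def prob_length_at_least(k, p_direct=P_DIRECT):
    """P(at least k hops) = (1 - p)^(k-1); the text's 'about 20% are length 4 or more'."""
    return (1 - p_direct) ** (k - 1)


def fixed_chain_exposure(adversary_fraction, chains):
    """The earlier fixed three-node design: a serving node is unmasked when both the
    downloader and the proxy of one of its chains belong to the adversary. Returns the
    probability that this happens at least once over `chains` independently formed chains."""
    return 1.0 - (1.0 - adversary_fraction ** 2) ** chains


def build_chain(holders, nodes, rng, p_direct=P_DIRECT):
    """Walk one chain outward from the requester. Each hop is either a direct serve by a
    holder (the chain ends) or a proxy drawn from the whole population (it continues).
    Returns node ids, nearest hop first; the last one is the real origin."""
    chain = []
    while True:
        if rng.random() < p_direct:
            chain.append(rng.choice(holders))
            return chain
        chain.append(rng.choice(nodes))


def simulate_mean_hops(trials, seed=7, p_direct=P_DIRECT):
    """Empirical check of expected_hops() on a constructed 100-node population."""
    rng = random.Random(seed)
    nodes = list(range(100))
    holders = nodes[:10]
    total = sum(len(build_chain(holders, nodes, rng, p_direct)) for _ in range(trials))
    return total / trials


def sample_first_hops(holders, nodes, requests, rng, p_direct=P_DIRECT):
    """The repeated-request attack: count how often each node is the one the adversary
    is told to download from. A holder is handed out about p/len(holders) + (1-p)/len(nodes)
    of the time, a node that only proxies just (1-p)/len(nodes), so holders float to the top."""
    counts = Counter()
    for _ in range(requests):
        counts[build_chain(holders, nodes, rng, p_direct)[0]] += 1
    return counts


def holder_precision(counts, holders, top_k):
    """Fraction of the top_k most frequently seen nodes that really hold the file."""
    holder_set = set(holders)
    top = [node for node, _ in counts.most_common(top_k)]
    return sum(1 for node in top if node in holder_set) / top_k


def run_attack(population=1000, num_holders=50, requests=10000, seed=1):
    """End-to-end demo on a constructed population: precision of accusing the
    num_holders most frequently seen nodes after `requests` repeated requests."""
    rng = random.Random(seed)
    nodes = list(range(population))
    holders = nodes[:num_holders]  # constructed: the first num_holders ids hold the file
    counts = sample_first_hops(holders, nodes, requests, rng)
    return holder_precision(counts, holders, num_holders)


if __name__ == "__main__":
    for k, p in chain_length_distribution(max_len=4).items():
        print(f"length {k}: {p:.2%}")
    print("mean hops:", expected_hops(), " nodes per chain:", expected_hops() + 1)
    print("P(4 or more hops):", round(prob_length_at_least(4), 3))
    print("fixed 3-node design, adversary runs 10% of nodes, 100 chains:",
          round(fixed_chain_exposure(0.1, 100), 3))
    print("precision of accusing the top-50 nodes after 10000 requests:", run_attack())
```

On the constructed population (1000 nodes, 50 holders) a holder is handed out roughly 0.86% of the time and a pure proxy 0.06%, so after ten thousand requests the fifty most frequently seen nodes are exactly the fifty holders: the 40% per-observation figure survives only if S stops a single requester from sampling the population at will, for instance by always giving the same requester the same first hop for the same file. That is a design choice the article does not make, offered here as a suggestion rather than as part of the scheme.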
At this point you might also wonder: Why not just connect over a network like Tor, which is designed to hide both ends of a connection from each other and from any single relay, and then use BitTorrent or some other file-sharing system on top of that? The answer is that Tor's connection is likely to be much slower, for at least two reasons. First, Tor relays are a limited, volunteer-run resource, and the more people use them (especially for large file trading), the slower they are likely to become. (By contrast, in the peer-to-peer proxying model outlined above, every new downloader can also be made to act as a proxy for other users, so additional users don't slow down the system because they contribute as much as they take out of it.) Second, Tor always routes your connection through a fixed three-relay circuit, which means it would be slower on average than the variable-length chains described above, where only about 20% of chains are of length 4 or more. (There is also a practical problem the Tor Project itself has pointed out: BitTorrent clients tend to send tracker and DHT traffic outside the Tor circuit and so leak the user's real IP address, which is why the network's operators ask people not to run BitTorrent over Tor at all.)
The key difference is that Tor is built to provide real anonymity whereas the protocol above only provides plausible deniability. In high-risk settings where Tor is often used, it would not be acceptable for the node you talk to directly to have a 40% chance of being right that you are the origin. But for file sharing, the 40% figure might be acceptable if it's just low enough to stave off a subpoena. This trade-off makes it possible to use shorter chains, resulting in faster downloads and less total bandwidth consumption.
You also already have the option today of using a VPN service to download files through a third-party connection, which renders the rest of these issues moot as far as your ISP is concerned (the VPN provider now sees exactly what the ISP used to see, so this only holds to the extent that the provider keeps no logs and sits outside the reach of the subpoena). But users have to jump through several hoops (and pay some money) to set this up, which means that most users will not be using VPNs any time soon, leaving plenty of naive users for the RIAA and MPAA to go after. The use of peer-proxying links would mean that all users downloading through the system would be protected.
At the moment, the major impediment to a peer-proxying system like this would be that the chained downloads would still consume an average of 2.5 times as much bandwidth as direct peer-to-peer downloads. Even with today's high-speed connections, this increase in inconvenience is great enough that some users might just prefer to use plain old BitTorrent to download files directly from peers, and run the (admittedly small) risk of getting in trouble. But as bandwidth speeds continue to grow exponentially, eventually the difference in inconvenience will be so small that users would be foolish not to use proxified downloads if it provided free legal protection.
Note that the viability of this system does depend on the ISP's attitude towards it. In particular, if your ISP only goes after pirates because of legal pressure from content holders, then if the ISP's users are using this peer-proxying protocol instead of a direct download protocol like BitTorrent, the ISP can quite truthfully claim that they don't have any hard evidence to disconnect any particular users or turn over their identities (because the ISP doesn't know which users are actually storing pirated files and which users are just acting as proxies). On the other hand, if your ISP sincerely wants to stop piracy because your ISP is also a content company (Comcast, for example), then they might also try to squelch the use of any protocol that enables piracy, even if they can't prove that any particular users are using it for anything illegal. Thus Comcast might try to slow the use of the peer-proxy protocol. But in that case they could be forced by Net Neutrality regulations to stop throttling it, in the same way that the FCC ordered Comcast to stop throttling BitTorrent in 2008. (That order was vacated by a federal appeals court in 2010, which held that the FCC had not shown it had the authority to issue it, so how much protection this gives depends on whatever net neutrality rules are in force at the time.)
As long as those conditions hold true -- content owners continue cracking down on file sharers, but proxying remains legal and bandwidth keeps getting cheaper, and ISPs are restrained from blocking the protocols themselves -- I think that p2p will have to evolve into something like the chained-download system described above, to provide plausible deniability to users, without resorting to the long chains (and consequently slower downloads) of full-anonymity systems like Tor.
But again, I'm just saying it's inevitable, not that it's right. I actually do wish that people would pay the studios' prices for the movies that they watch; part of it is that I think most blockbusters are actually pretty good and deserve to make money. When you refuse to pay for movies, you're casting a vote against fun, big-budget movies that are made for the purpose of getting lots of people to come see them and enjoy them, and instead voting in favor of excruciatingly boring low-budget films that are made primarily so that the director could whine that the cheese-puff-snarfing American public wouldn't know great art if it bit them on their big bloated behind and subsequently didn't even buy enough tickets for the director to pay off the lien he took out on his Honda Civic to get the movie produced. Forget prosecution and civil suits; just make movie pirates sit through The Brown Bunny.
-
How Proxied Torrents Could End ISP Subpoenas
Frequent contributor Bennett Haselton writes "With the announcement of Verizon's "six strikes plan" for movie pirates (which includes reporting users to the RIAA and MPAA), and content companies continuing to sue users en masse for peer-to-peer downloads, I think it's inevitable that we'll see the rise of p2p software that proxifies your downloads through other users. In this model, you would not only download content from other users, but you also use other users' machines as anonymizing proxies for the downloads, which would make it impossible for third parties to identify the source or destination of the file transfer. This would hopefully put an end to the era of movie studios subpoenaing ISPs for the identities of end users and taking those users to court." Read below for the rest of Bennett's thoughts.Now, I'm not advocating the creation of software that enables piracy. And I don't mean that in a nudge-wink kind of a way, I'm serious: I think people should reward movie studios for making content that they like, if only because that means studios will make more of that type of content. For my last cross-country flight I paid an honest-to-God four dollars to download a movie from Amazon Unbox to watch on the plane, even though I fondly like to think of myself as smart enough that I could have figured out how to find and download the movie for free. (Well, not all that smart; the movie was Lockout.)
However, the idea of users anonymizing each others' downloads is so elementary, that I literally mean it's inevitable that we will see the rise of such software. Whether I'm in favor of it or not, it's going to happen. In fact, under certain assumptions, there's really only one logical direction that it can evolve in.
First, some background. Under the current BitTorrent protocol -- with no built-in support for anonymization -- some server S makes a large file available for download. When the first downloader, say user D1, requests a copy of the file, they have to begin the process of downloading it from S. But when the next downloader, say user D2, requests a copy of the same file while user D1 is still downloading, the BitTorrent server S tells D2 to start downloading the file from D1 instead of from S directly. (D1 is required at this point to share out the file for download, in order to earn enough "credits" to continue downloading from S.) Subsequent downloaders are similarly told to download from other downloaders instead of from the original server S. In this way, the server S avoids incurring massive bandwidth charges (since S only actually served the file one time), and each user on average only has to share out the file once in return for downloading it themselves.
Note that this still means that in order to initiate the download, the server S has to serve out the whole file at least once, to the first downloader -- and if the file is being distributed without the copyright owner's permission, then the operators of server S can be taken to court. This legal pressure was the reason that the Pirate Bay switched from serving BitTorrent files to serving magnet links, which enable users to download content purely from each other, without the Pirate Bay ever actually serving the content themselves. But with both BitTorrent and magnet links, users who are downloading content from other users, can see those other users' IP addresses -- and they know that those other users are serving the content from files stored on their own hard drives. This means that if you're the copyright owner of that content, you can subpoena the identities of the users behind those IP addresses, and taken them to court for unauthorized possession and distribution of copyrighted material.
So what would a protocol look like with built-in support for anonymization? In my first draft of an idea, I thought that each download could take place using one intermediate user as a proxy, so that instead of server S telling D2 to download from D1, the server would tell D2 to use download D3 as a proxy, and tell D3 to proxy the connection from D1. (As with BitTorrent, the downloader D3 would be required to allow their machine to be used as a proxy, in order to earn credits to continue with their own download.) So D1 would not be able to see the IP address of user D2 downloading from them, and D2 would not be able to see the IP address of user D1 that they were downloading from. Both of them would be able to see the IP address of user D3 which is acting as the proxy between them, but as long as it's not against the law to simply proxy a connection for someone else, that would not be grounds to subpoena the user D3's identity. And D3 would be able to see the IP address of D1 and D2, but if the D1 and D2 are communicating using a shared encryption key, then D3 would have no idea what content is flowing between D1 and D2, even as it proxies the connection between them. So even if one of D1, D2 or D3 were an "adversary" (i.e. a copyright holder intent on suing illegal file sharers), none of the three would be able to see the IP address of another user that they knew was either downloading particular content, or serving it out.
Of course you could also argue that if D3 is among the users that server S is making available to others as an anonymizing proxy, then that constitutes proof that D3 must be downloading something else from S (otherwise, D3 wouldn't need to earn credits by acting as an anonymizing proxy), and if either D1 or D2 is an adversary, they can see D3's IP address and reason that D3 must be guilty of some copyright violation. Similarly, if D3 is the adversary, they can see D1 and D2's IP addresses and reason that both of them are probably guilty of some copyright infraction, even if D3 can't actually see what they're trading. Basically, anybody could be considered "guilty by association" simply by virtue of being in the community of users being coordinated by server S. But (1) that accusation could be deflected if some of the files being served by S were in fact legal and being distributed with the copyright holder's permission; and (2) in any case, the Digital Millennium Copyright Act requires you to claim that your specific copyrighted content is being distributed by a user, before you can unmask that user's identity; it's not enough to claim that the user is part of a network that distributes "some" copyrighted content illegally. D3 may be proxying a connection between D1 and D2 in order to earn credits so that D3 can download some content for themselves, but even though D1 and D2 can both see D3's IP address, there's no way for them to know what D3 could be downloading.
Unfortunately, this three-user-chain idea is not secure, because an adversary could still create a large number of users co-ordinated through server S, and sooner or later, a chain would arise where both the proxy and the downloader controlled by the adversary, and at that point, they would know the IP address of the user serving out the copyrighted content. In other words, eventually you'll get a situation where D2 is downloading content from D1 by going through proxy D3 -- but where D2 and D3 are both controlled by the adversary. So D2 knows the content that's being downloaded via D3, and D3 knows the IP address of D1 that's actually serving out the content -- at which point they can subpoena the identity of user D1, and sue them.
So consider this idea instead: When user D1 sends a request to server S to download a file, server S gives them the IP address of another user, D2, from which they can download the file. Now, 40% of the time, user D2 actually does have the file on their hard drive and is serving it to user D1, with no proxying. The other 60% of the time, user D2 is told by S to proxy the connection from D1 and connect to a third user, D3. Now in 40% of these cases, D3 actually does have the file and is serving it out directly; the other 60% of the time, D3 is proxying the connection for yet another user, D4...
So you end up with chains of varying length, with longer chains having a progressively smaller probability of forming:
40% of chains will be of length 1 (one user downloads directly from another)
60% x 40% of chains (24%) will be of length 2
60% x 60% x 40% of chains (14.4%) will be of length 3
60% x 60% x 60% x 40% of chains (8.64%) will be of length 4 etc.These proportions of course sum to 1, and a little math shows that the length of the average chain is 3.5 nodes. The number of downloads in a chain -- the connections between users -- is one less than the number of nodes in the chain, so this means that to complete one download, the content will have to be transferred an average of 2.5 times -- compared to being transferred only once, when one user downloads from another directly. In order to ensure that users contribute enough to the system as they take from it, that means that in order to download a file, users would be required to provide enough "proxying" to support the equivalent of 2.5 full downloads of that same file.
These chains have a useful property: any time you're downloading content "from" another user, there's only a 40% chance that user is serving content off of their own hard drive, and a 60% chance that they're proxying the connection from somewhere else (another node that may in turn be proxying the connection from yet another node, etc.). So even if the adversary controls three nodes D1, D2, and D3, and D1 is downloading from D2 who is downloading from D3 who is downloading from D4 (and D4 is not controlled by the adversary), from the adversary's point of view there's only a 40% chance that D4 is actually originating the content. This is always true no matter how many nodes in the chain the adversary controls -- in the end, if they want to nail someone for serving out copyrighted content, they have to download the content from some node that they don't control, and there will only be a 40% that user is actually serving the content from their hard drive.
And the 40% number was deliberately chosen in order to weaken the adversary's legal grounds for subpoenaing the identity of the user they're downloading from -- even if they can show that they downloaded content from another user's IP address, it's more likely than not that the other user was not actually hosting the content. (Of course, there might be other details in context that render that probability calculation useless. For example, if the server S only links to one downloadable file, then all users coordinated by that server S are presumably downloading that same file, and anybody that server S connects you to, can be presumed guilty of downloading and sharing that file, 40% figure be damned.)
At this point you might also wonder: Why not just connect over a protocol like Tor, which provides secure anonymity for all transactions, and then use BitTorrent or some other file-sharing system on top of that? The answer is that Tor's connection is likely to be much slower, for at least two reasons. First, Tor servers are a limited resource, and the more people use them (especially for large file trading), the slower they are likely to become. (By contrast, in the peer-to-peer proxying model outlined above, every new downloader can also be made to act as a proxy for other users, so additional users don't slow down the system because they contribute as much as they take out of it.) Second, Tor always routes your connection through multiple servers to guarantee secure anonymity, which means it would be slower on average than the variable-length chains described above, where only about 20% of chains are of length 4 or more.
The key difference is that Tor provides true anonymity whereas the protocol above only provides plausible deniability. In high-risk settings where Tor is often used, it would not be acceptable if there were a 40% chance of your IP address being revealed to your adversary. But for file sharing, the 40% figure might be acceptable if it's just low enough to stave off a subpoena. This trade-off makes it possible to use shorter chains, resulting in faster downloads and less total bandwidth consumption.
You also already have the option today of using a VPN service to download files through an anonymous third-party connection, which renders the rest of these issues moot. But users have to jump through several hoops (and pay some money) to set this up as an option, which means that most users will not be using VPNs any time soon, leaving plenty of naive users for the RIAA and MPAA to go after. The use of peer-proxying links would mean that all users downloading through the system would be protected.
At the moment, the major impediment to a peer-proxying system like this would be that the chained downloads would still consume an average of 2.5 as much bandwidth as direct peer-to-peer downloads. Even with today's high-speed connections, this increase in inconvenience is great enough that some users might just prefer to use plain old BitTorrent to download files directly from peers, and run the (admittedly small) risk of getting in trouble. But as bandwidth speeds continue to grow literally exponentially, eventually the difference in inconvenience will be so small, that users would be foolish not to use proxified downloads if it provided free legal protection.
Note that the viability of this system does depend on the ISP's attitude towards it. In particular, if your ISP only goes after pirates because of legal pressure from content holders, then if the ISP's users are using this peer-proxying protocol instead of a direct download protocol like BitTorrent, then the ISP can quite truthfully claim that they don't have any hard evidence to disconnect any particular users or turn over their identities (because the ISP doesn't know which users are actually storing pirated files and which users are just acting as proxies). On the other hand, if your ISP sincerely wants to stop piracy because your ISP is also a content company (Comcast, for example), then they might also try to squelch the use of any protocol that enables piracy, even if they can't prove that any particular users are using it for anything illegal. Thus Comcast might try to slow the use of the peer-proxy protocol. But in that case they could be forced by Net Neutrality regulations to stop throttling it, in the same way that the FCC ordered Comcast to stop throttling BitTorrent.
As long as those conditions hold true -- content owners continue cracking down on file sharers, but proxying remains legal and bandwidth keeps getting cheaper, and ISPs are restrained from blocking the protocols themselves -- I think that p2p will have to evolve into something like the chained-download system described above, to provide plausible deniability to users, without resorting to the long chains (and subsequently slower downloads) provided by full-anonymity systems like Tor.
But again, I'm just saying it's inevitable, not that it's right. I actually do wish that people would pay the studios' prices for the movies that they watch; part of it is that I think most blockbusters are actually pretty good and deserve to make money. When you refuse to pay for movies, you're casting a vote against fun, big-budget movies that are made for the purpose of getting lots of people to come see them and enjoy them, and instead voting in favor of excruciatingly boring low-budget films that are made primarily so that the director could whine that the cheese-puff-snarfing American public wouldn't know great art if it bit them on their big bloated behind and subsequently didn't even buy enough tickets for the director to pay off the lien he took out on his Honda Civic to get the movie produced. Forget prosecution and civil suits; just make movie pirates sit through The Brown Bunny.
-
How Proxied Torrents Could End ISP Subpoenas
Frequent contributor Bennett Haselton writes "With the announcement of Verizon's "six strikes plan" for movie pirates (which includes reporting users to the RIAA and MPAA), and content companies continuing to sue users en masse for peer-to-peer downloads, I think it's inevitable that we'll see the rise of p2p software that proxifies your downloads through other users. In this model, you would not only download content from other users, but you also use other users' machines as anonymizing proxies for the downloads, which would make it impossible for third parties to identify the source or destination of the file transfer. This would hopefully put an end to the era of movie studios subpoenaing ISPs for the identities of end users and taking those users to court." Read below for the rest of Bennett's thoughts.Now, I'm not advocating the creation of software that enables piracy. And I don't mean that in a nudge-wink kind of a way, I'm serious: I think people should reward movie studios for making content that they like, if only because that means studios will make more of that type of content. For my last cross-country flight I paid an honest-to-God four dollars to download a movie from Amazon Unbox to watch on the plane, even though I fondly like to think of myself as smart enough that I could have figured out how to find and download the movie for free. (Well, not all that smart; the movie was Lockout.)
However, the idea of users anonymizing each others' downloads is so elementary, that I literally mean it's inevitable that we will see the rise of such software. Whether I'm in favor of it or not, it's going to happen. In fact, under certain assumptions, there's really only one logical direction that it can evolve in.
First, some background. Under the current BitTorrent protocol -- with no built-in support for anonymization -- some server S makes a large file available for download. When the first downloader, say user D1, requests a copy of the file, they have to begin the process of downloading it from S. But when the next downloader, say user D2, requests a copy of the same file while user D1 is still downloading, the BitTorrent server S tells D2 to start downloading the file from D1 instead of from S directly. (D1 is required at this point to share out the file for download, in order to earn enough "credits" to continue downloading from S.) Subsequent downloaders are similarly told to download from other downloaders instead of from the original server S. In this way, the server S avoids incurring massive bandwidth charges (since S only actually served the file one time), and each user on average only has to share out the file once in return for downloading it themselves.
Note that this still means that in order to initiate the download, the server S has to serve out the whole file at least once, to the first downloader -- and if the file is being distributed without the copyright owner's permission, then the operators of server S can be taken to court. This legal pressure was the reason that the Pirate Bay switched from serving BitTorrent files to serving magnet links, which enable users to download content purely from each other, without the Pirate Bay ever actually serving the content themselves. But with both BitTorrent and magnet links, users who are downloading content from other users can see those other users' IP addresses -- and they know that those other users are serving the content from files stored on their own hard drives. This means that if you're the copyright owner of that content, you can subpoena the identities of the users behind those IP addresses, and take them to court for unauthorized possession and distribution of copyrighted material.
So what would a protocol look like with built-in support for anonymization? In my first draft of an idea, I thought that each download could take place using one intermediate user as a proxy, so that instead of server S telling D2 to download from D1, the server would tell D2 to use D3 as a proxy, and tell D3 to proxy the connection from D1. (As with BitTorrent, the downloader D3 would be required to allow their machine to be used as a proxy, in order to earn credits to continue with their own download.) So D1 would not be able to see the IP address of user D2 downloading from them, and D2 would not be able to see the IP address of user D1 that they were downloading from. Both of them would be able to see the IP address of user D3, which is acting as the proxy between them, but as long as it's not against the law to simply proxy a connection for someone else, that would not be grounds to subpoena user D3's identity. And D3 would be able to see the IP addresses of D1 and D2, but if D1 and D2 are communicating using a shared encryption key, then D3 would have no idea what content is flowing between D1 and D2, even as it proxies the connection between them. So even if one of D1, D2 or D3 were an "adversary" (i.e. a copyright holder intent on suing illegal file sharers), none of the three would be able to see the IP address of another user that they knew was either downloading particular content, or serving it out.
Of course you could also argue that if D3 is among the users that server S is making available to others as an anonymizing proxy, then that constitutes proof that D3 must be downloading something else from S (otherwise, D3 wouldn't need to earn credits by acting as an anonymizing proxy), and if either D1 or D2 is an adversary, they can see D3's IP address and reason that D3 must be guilty of some copyright violation. Similarly, if D3 is the adversary, they can see D1 and D2's IP addresses and reason that both of them are probably guilty of some copyright infraction, even if D3 can't actually see what they're trading. Basically, anybody could be considered "guilty by association" simply by virtue of being in the community of users being coordinated by server S. But (1) that accusation could be deflected if some of the files being served by S were in fact legal and being distributed with the copyright holder's permission; and (2) in any case, the Digital Millennium Copyright Act requires you to claim that your specific copyrighted content is being distributed by a user, before you can unmask that user's identity; it's not enough to claim that the user is part of a network that distributes "some" copyrighted content illegally. D3 may be proxying a connection between D1 and D2 in order to earn credits so that D3 can download some content for themselves, but even though D1 and D2 can both see D3's IP address, there's no way for them to know what D3 could be downloading.
Unfortunately, this three-user-chain idea is not secure, because an adversary could still create a large number of users co-ordinated through server S, and sooner or later, a chain would arise where both the proxy and the downloader were controlled by the adversary, and at that point, they would know the IP address of the user serving out the copyrighted content. In other words, eventually you'll get a situation where D2 is downloading content from D1 by going through proxy D3 -- but where D2 and D3 are both controlled by the adversary. So D2 knows the content that's being downloaded via D3, and D3 knows the IP address of D1 that's actually serving out the content -- at which point they can subpoena the identity of user D1, and sue them.
So consider this idea instead: When user D1 sends a request to server S to download a file, server S gives them the IP address of another user, D2, from which they can download the file. Now, 40% of the time, user D2 actually does have the file on their hard drive and is serving it to user D1, with no proxying. The other 60% of the time, user D2 is told by S to proxy the connection from D1 and connect to a third user, D3. Now in 40% of these cases, D3 actually does have the file and is serving it out directly; the other 60% of the time, D3 is proxying the connection for yet another user, D4...
So you end up with chains of varying length, with longer chains having a progressively smaller probability of forming:
40% of chains will be of length 1 (one user downloads directly from another)
60% x 40% of chains (24%) will be of length 2
60% x 60% x 40% of chains (14.4%) will be of length 3
60% x 60% x 60% x 40% of chains (8.64%) will be of length 4, etc.
These proportions of course sum to 1, and a little math shows that the length of the average chain is 3.5 nodes. The number of downloads in a chain -- the connections between users -- is one less than the number of nodes in the chain, so this means that to complete one download, the content will have to be transferred an average of 2.5 times -- compared to being transferred only once, when one user downloads from another directly. In order to ensure that users contribute enough to the system as they take from it, that means that in order to download a file, users would be required to provide enough "proxying" to support the equivalent of 2.5 full downloads of that same file.
These chains have a useful property: any time you're downloading content "from" another user, there's only a 40% chance that user is serving content off of their own hard drive, and a 60% chance that they're proxying the connection from somewhere else (another node that may in turn be proxying the connection from yet another node, etc.). So even if the adversary controls three nodes D1, D2, and D3, and D1 is downloading from D2 who is downloading from D3 who is downloading from D4 (and D4 is not controlled by the adversary), from the adversary's point of view there's only a 40% chance that D4 is actually originating the content. This is always true no matter how many nodes in the chain the adversary controls -- in the end, if they want to nail someone for serving out copyrighted content, they have to download the content from some node that they don't control, and there will only be a 40% chance that that user is actually serving the content from their hard drive.
And the 40% number was deliberately chosen in order to weaken the adversary's legal grounds for subpoenaing the identity of the user they're downloading from -- even if they can show that they downloaded content from another user's IP address, it's more likely than not that the other user was not actually hosting the content. (Of course, there might be other details in context that render that probability calculation useless. For example, if the server S only links to one downloadable file, then all users coordinated by that server S are presumably downloading that same file, and anybody that server S connects you to, can be presumed guilty of downloading and sharing that file, 40% figure be damned.)
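As an added example (my code, not Bennett's), here is a small Python model of the variable-length chains described above: it checks the chain-length distribution, the 3.5-node and 2.5-transfer averages, and the claim that however many leading nodes an adversary controls, the next node is the originator only 40% of the time; it also puts a number on the first-draft three-node chain for comparison. P_DIRECT comes from the article; the adversary's share of peers and the uniform, independent assignment of roles are constructed assumptions.

```python
import random
from collections import Counter

# Assumption taken from the article: a handed-out peer holds the file 40% of
# the time and proxies onward 60% of the time.
P_DIRECT = 0.4


def chain_length_pmf(max_len=10, p=P_DIRECT):
    """Exact P(chain needs k transfers) = (1-p)^(k-1) * p, the article's list."""
    return {k: (1 - p) ** (k - 1) * p for k in range(1, max_len + 1)}


def tail_probability(k_min, p=P_DIRECT):
    """P(chain has at least k_min transfers) = (1-p)^(k_min-1)."""
    return (1 - p) ** (k_min - 1)


def mean_transfers(p=P_DIRECT):
    """Geometric(p) mean: expected transfers per completed download."""
    return 1 / p


def mean_nodes(p=P_DIRECT):
    """A chain has one more node than it has transfers."""
    return 1 + mean_transfers(p)


def sample_chain_length(rng, p=P_DIRECT):
    """Walk one chain hop by hop; each handed-out peer resolves with probability p."""
    k = 1
    while rng.random() >= p:
        k += 1
    return k


def simulate_length_distribution(n, seed=0, p=P_DIRECT):
    """Empirical chain-length frequencies from n simulated downloads."""
    rng = random.Random(seed)
    counts = Counter(sample_chain_length(rng, p) for _ in range(n))
    return {k: v / n for k, v in sorted(counts.items())}


def originator_rate_after_controlled_prefix(n, controlled, seed=0, p=P_DIRECT):
    """Among chains in which the adversary's `controlled` leading nodes (the
    downloader plus controlled-1 proxies) all turned out to be proxying, the
    fraction where the very next node is the one serving from disk.
    Memorylessness of the per-hop coin toss makes this p for any prefix size."""
    rng = random.Random(seed)
    hits = total = 0
    for _ in range(n):
        k = sample_chain_length(rng, p)
        if k >= controlled:       # chain reached past the adversary's last node
            total += 1
            if k == controlled:   # next node is the originator
                hits += 1
    return hits / total


def fixed_three_node_exposure(adversary_share):
    """The article's first draft (downloader + one proxy). Constructed assumption:
    downloader and proxy roles are assigned uniformly and independently, so the
    originator is fully identified whenever both are adversary-controlled."""
    return adversary_share ** 2


if __name__ == "__main__":
    for k, pr in chain_length_pmf(4).items():
        print(f"chain length {k}: {pr:.4f}")
    print("mean nodes", mean_nodes(), "mean transfers", mean_transfers())
    print("P(length >= 4)", tail_probability(4))
    print(simulate_length_distribution(100_000))
    print("originator right after 3 controlled nodes:",
          originator_rate_after_controlled_prefix(100_000, 3))
    print("fixed chain, adversary runs 10% of peers:",
          fixed_three_node_exposure(0.1))
```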
At this point you might also wonder: Why not just connect over a protocol like Tor, which provides secure anonymity for all transactions, and then use BitTorrent or some other file-sharing system on top of that? The answer is that Tor's connection is likely to be much slower, for at least two reasons. First, Tor servers are a limited resource, and the more people use them (especially for large file trading), the slower they are likely to become. (By contrast, in the peer-to-peer proxying model outlined above, every new downloader can also be made to act as a proxy for other users, so additional users don't slow down the system because they contribute as much as they take out of it.) Second, Tor always routes your connection through multiple servers to guarantee secure anonymity, which means it would be slower on average than the variable-length chains described above, where only about 20% of chains are of length 4 or more.
The key difference is that Tor provides true anonymity whereas the protocol above only provides plausible deniability. In high-risk settings where Tor is often used, it would not be acceptable if there were a 40% chance of your IP address being revealed to your adversary. But for file sharing, the 40% figure might be acceptable if it's just low enough to stave off a subpoena. This trade-off makes it possible to use shorter chains, resulting in faster downloads and less total bandwidth consumption.
You also already have the option today of using a VPN service to download files through an anonymous third-party connection, which renders the rest of these issues moot. But users have to jump through several hoops (and pay some money) to set this up as an option, which means that most users will not be using VPNs any time soon, leaving plenty of naive users for the RIAA and MPAA to go after. The use of peer-proxying links would mean that all users downloading through the system would be protected.
At the moment, the major impediment to a peer-proxying system like this would be that the chained downloads would still consume an average of 2.5 times as much bandwidth as direct peer-to-peer downloads. Even with today's high-speed connections, this increase in inconvenience is great enough that some users might just prefer to use plain old BitTorrent to download files directly from peers, and run the (admittedly small) risk of getting in trouble. But as bandwidth speeds continue to grow literally exponentially, eventually the difference in inconvenience will be so small that users would be foolish not to use proxified downloads if it provided free legal protection.
Note that the viability of this system does depend on the ISP's attitude towards it. In particular, if your ISP only goes after pirates because of legal pressure from content holders, then if the ISP's users are using this peer-proxying protocol instead of a direct download protocol like BitTorrent, then the ISP can quite truthfully claim that they don't have any hard evidence to disconnect any particular users or turn over their identities (because the ISP doesn't know which users are actually storing pirated files and which users are just acting as proxies). On the other hand, if your ISP sincerely wants to stop piracy because your ISP is also a content company (Comcast, for example), then they might also try to squelch the use of any protocol that enables piracy, even if they can't prove that any particular users are using it for anything illegal. Thus Comcast might try to slow the use of the peer-proxy protocol. But in that case they could be forced by Net Neutrality regulations to stop throttling it, in the same way that the FCC ordered Comcast to stop throttling BitTorrent.
As long as those conditions hold true -- content owners continue cracking down on file sharers, but proxying remains legal and bandwidth keeps getting cheaper, and ISPs are restrained from blocking the protocols themselves -- I think that p2p will have to evolve into something like the chained-download system described above, to provide plausible deniability to users, without resorting to the long chains (and subsequently slower downloads) provided by full-anonymity systems like Tor.
But again, I'm just saying it's inevitable, not that it's right. I actually do wish that people would pay the studios' prices for the movies that they watch; part of it is that I think most blockbusters are actually pretty good and deserve to make money. When you refuse to pay for movies, you're casting a vote against fun, big-budget movies that are made for the purpose of getting lots of people to come see them and enjoy them, and instead voting in favor of excruciatingly boring low-budget films that are made primarily so that the director could whine that the cheese-puff-snarfing American public wouldn't know great art if it bit them on their big bloated behind and subsequently didn't even buy enough tickets for the director to pay off the lien he took out on his Honda Civic to get the movie produced. Forget prosecution and civil suits; just make movie pirates sit through The Brown Bunny.
-
Ask Slashdot: Best Free and Open Source Apps For Android?
First time accepted submitter aNonnyMouseCowered writes "One of my favorite freeware Android applications has been pulled from the Google Play app store. While I found a replacement for the app, I've decided to install only apps that won't become obsolete merely because of the developer's whim or lack of interest. With the exception of games, which I don't deem essential for work, I don't want to install potential abandonware even if they cost the pauperly sum of $0.00. My decision has thus far meant installing a relatively crude text editor like BusyBox's version of vi, rather than any one of those full-blown mobile office suites. I've found a short list of open source Android apps at Wikipedia, including the usual suspects, Firefox and the VLC media player. There are also links to two other sites at the end of the article. But even the more comprehensive listings have large gaps in them even when compared 'merely' to the programs available in a typical GNU/Linux repository. So can anyone recommend useful or even just fun Free, Libre and Open Source Software for an Android smartphone or tablet? Free virtual beer to those that can find links for FLOSS programs for editing audiovisual media (Blender for Android?) and documents more sophisticated than HTML." -
Aaron Swartz Case: Deja Vu All Over Again For MIT
theodp writes "On Saturday, questions for MIT's Aaron Swartz investigation were posted on Slashdot with the hope that MIT'ers might repost some to the MIT Swartz Review site. So it's good to see that MIT's Hal Abelson, who is leading the analysis of MIT's involvement in the matter, is apparently open to this workaround to the ban on questions from outsiders. In fact, on Sunday Abelson himself reposted an interesting question posed by Boston College Law School Prof. Sharon Beckman: 'What, if anything, did MIT learn from its involvement in the federal prosecution of its student David LaMacchia back in 1994?' Not much, it would appear. LaMacchia, an apparent student of Abelson's whose defense team included Beckman, was indicted in 1994 and charged with the 'piracy of an estimated million dollars' in business and entertainment computer software after MIT gave LaMacchia up to the FBI. LaMacchia eventually walked from the charges, thanks to what became known as the LaMacchia Loophole, which lawmakers took pains to close. 'MIT collaborated with the FBI to wreck LaMacchia's life,' defense attorney Harvey Silverglate charged in 1995 after a judge dismissed the case. 'I hope that this case causes a lot of introspection on the part of MIT's administration. Unfortunately, I doubt it will.'" -
Norwegian Study: Global Warming Less Severe Than Feared
Numerous news outlets are reporting the findings of a study from the Research Council of Norway — a government agency — which concludes that (in Bloomberg's version) "After the planet's average surface temperature rose through the 1990s, the increase has almost leveled off at the level of 2000, while ocean water temperature has also stabilized." The New York Times' Dot Earth blog offers some reasons to be skeptical of the findings. -
Mystery of the Shrunken Proton
ananyo writes "The proton, a fundamental constituent of the atomic nucleus, seems to be smaller than was previously thought. And despite three years of careful analysis and reanalysis of numerous experiments, nobody can figure out why. A new experiment published in Science only deepens the mystery. The proton's problems started in 2010, when research using hydrogen made with muons seemed to show that the particle was 4% smaller than originally thought. The measurement, published in Nature, differed from those obtained by two other methods by 4%, or 0.03 femtometers. That's a tiny amount but is still significantly larger than the error bars on either of the other measurements. The latest experiment also used muonic hydrogen, but probed a different set of energy levels in the atom. It yielded the same result as the Nature paper — a proton radius of 0.84 fm — but is still in disagreement with the earlier two measurements. So what's the problem? There could be a problem with the models used to estimate the proton size from the measurements, but so far, none has been identified. The unlikely but tantalizing alternative is that this is a hint of new physics." -
Github Kills Search After Hundreds of Private Keys Exposed
mask.of.sanity writes "Github has killed its search function to safeguard users who were caught out storing keys and passwords in public repositories. 'Users found quite a large number of users who had added private keys to their repositories and then pushed the files up to GitHub. Searching on id_rsa, a file which contains the private key for SSH logins, returned over 600 results. Projects had live configuration files from cloud services such as Amazon Web Services and Azure with the encryption keys still included. Configuration and private key files are intended to be kept secret, since if it falls into wrong hands, that person can impersonate the user (or at least, the user's machine) and easily connect to that remote machine.' Search links popped up throughout Twitter pointing to stored keys, including what was reportedly account credentials for the Google Chrome source code repository. The keys can still be found using search engines, so check your repos." -
Interviews: Ask What You Will of Paleontologist Jack Horner
John "Jack" R. Horner is the Curator of Paleontology at the Museum of the Rockies, adjunct curator at the National Museum of Natural History, and one of the most famous paleontologists in the world. Known in the scientific community for his research on dinosaur growth and whether or not some species lived in social groups, he is most famous for his work on Jurassic Park and being the inspiration for the character of Alan Grant. Horner caused quite a stir with the publication of his book, How to Build a Dinosaur: Extinction Doesn't Have to Be Forever, in which he proposes creating a "chickensaurus" by genetically "nudging" the DNA of a chicken. Jack has agreed to step away from the genetics lab and put down the bones in order to answer your questions. As usual, you're invited to ask as many questions as you'd like, but please divide them, one question per post. -
Alan Cox: Fedora 18 "The Worst Red Hat Distro," Switches To Ubuntu
An anonymous reader writes "Linux kernel developer veteran Alan Cox has lashed out at Red Hat's recent release of Fedora 18. Cox posted comments to his Google+ page saying 'Fedora 18 seems to be the worst Red Hat distro I've ever seen.' He encountered numerous problems with Fedora 18 and then decided to switch to Ubuntu." -
CES: Another Chording Keyboard Hits the Market (Video)
Wayne Rasanen's Decatxt chording keyboard may be new and exciting to him, and he says he has a patent on it, so apparently the USPTO found it novel and original, but it's not the first chording keyboard by many long shots. The idea has been around (at least) since 1968. And let's not forget Braille chording keyboards, as described in a 1992 IEEE paper. And if you have an iPhone and want to experiment with a virtual Braille chording keyboard, there's an app for that. Maybe we're just jaded. Or maybe we've known a lot of blind people who used one-handed Braille chording keyboards to type as fast with one hand as a sighted person using a QWERTY keyboard and two hands. So it's hard for us to get excited about a chording keyboard. Be that as it may, we wish Wayne Rasanen all the luck in the world as he brings his invention to market. -
Tour of the Deep Underground Science and Engineering Lab
lukej writes "Over eleven years ago, the possibility of using the retired Homestake Mine as an underground science laboratory was first proposed. Today the local newspaper gives a science-filled tour of that facility, along with a short photo tour, and decent descriptions of some of the experiments it hosts (Majorana, LUX, Long Baseline Neutrino Experiment). Some fairly interesting deep, dirty, and real physical science!" -
Patient Access To Electronic Medical Records Strengthened By New HHS Rules
dstates writes "The Department of Health and Human Services has released newly revised rules for the Health Information Privacy and Accountability Act (HIPAA) to ensure patient access to electronic copies of their electronic medical records. Several years ago, there was a great deal of excitement about personalized health information management (e.g. Microsoft HealthVault and Google Health). Unfortunately, patients found it difficult to obtain their medical records from providers in formats that could easily be imported. Personalized health records were time consuming and difficult to maintain, so these initiatives have not lived up to their expectations (e.g. Google Health has been discontinued). The new rules should address this directly and hopefully will revitalize interest in personal health information management. The new HIPAA rules also greatly strengthen patient privacy, the ability of patients to control who sees their medical information, and increases the penalties for leaking medical records information. 'Much has changed in health care since HIPAA was enacted over fifteen years ago,' said HHS Secretary Kathleen Sebelius. 'The new rule will help protect patient privacy and safeguard patients' health information in an ever expanding digital age.'" -
No Spitfires In Burma After All
FBeans writes "In a story at the end of last year, it was reported that up to 124 lost WWII Spitfires could be buried in Burma at various locations. A team sponsored by Wargaming.net and led by David Cundall, who says he witnessed one such burial of planes, have been investigating a site that was thought to have up to 36 planes buried in crates near the end of the war. However, based on the evidence they have obtained recently, it seems there are no Spitfires buried at this location, and no substantial evidence supporting any other location, possibly leading to the end of the hunt. Over 20,000 Spitfires were made between 1938 and 1948, at a cost of around £12,000 each. Cundall has spent 17 years of his life and around $200,000 hunting the Supermarine planes; presumably, the lack of evidence will not stop him from continuing to search." -
Thailand Jails Dissident For What People Thought He Would Have Said
patiwat writes "A Thai court has convicted a man for censoring himself. In a 2010 anti-government rally, Yossawarit Chuklom said several people were against the dissolution of Abhisit Vejjajiva's government. He mentioned a few names, and then put his hand over his mouth and said he wasn't brave enough to continue. A court ruled that he would have mentioned King Bhumibol Adulyadej — thus earning him a conviction for insulting the King, who is constitutionally banned from any political role." -
Facebook Lets You Harvest Account Phone Numbers
Frequent contributor Bennett Haselton writes with some strong cautions on a Facebook "feature" that lets you search for random phone numbers and find the accounts of users who have registered that number on their Facebook profile. This has privacy implications that are more serious than searching by email address. Especially in light of the expanding emphasis that Facebook is putting both on search qua search and on serving as a VoIP intermediary (not to mention the stream of robocalls that the FCC is unable to stop), this might make you think twice about where your phone number ends up. Read on for Bennett's description of the problem and some possible solutions.
A few weeks ago a friend of mine said she was getting harassing text messages from a particular phone number, which she didn't recognize and which didn't appear in any of her own records. On a whim, I suggested entering the number into the Facebook search box, whereupon we found the guy's profile (even though he had no friends in common with the account we were logged in under), realized who he was, and ratted the thirty-something out to his Mom.
Then I thought: Is it really a good idea, for this to be possible? I tried entering consecutive phone numbers (starting with a random valid number, and varying the last 2 digits from 00 to 99) into Facebook's search box, and 13 of them came up with valid matches. None of those matches had any friends in common with the account we were searching from; as far as I can tell, anybody could enter any phone number into Facebook's search box and find the account associated with it, if there is one.
I think this has non-trivial privacy implications. (I repeatedly contacted Facebook explaining why I think this is a problem, but they haven't responded.) I'm not talking about the ability to find the account associated with a particular phone number — I think relatively few people have a legitimate need to send text messages from a truly anonymous phone number, and if they do, it's their own fault if they're dumb enough to put that number on their Facebook profile. And it wouldn't be a practical way to unmask the phone number associated with a particular account, either — even if you knew the person's area code, and narrowed down the list of possible exchange numbers following the area code, you'd still have to try tens of thousands of possibilities.
Rather, the problem is that you could use this technique to build up a database of phone numbers and associated accounts without targeting any specific phone number or account. Not only would you know the names associated with each of the numbers, you could associate the phone number with anything else that was discoverable from the person's Facebook profile — which usually includes their location, their interests, and the names of their other friends. (By default, all such information is visible on your Facebook profile — even to users who aren't your Facebook friends and have no friends in common with you — but your contact information is supposed to be hidden from other users unless you've confirmed them as friends.)
An attacker could do this with email addresses too, of course, if they had a long list of email addresses known to be valid, by searching to see which ones were associated with Facebook accounts. Or they could supplement it with a list of automatically generated email addresses like john001@hotmail.com, john002@hotmail.com, similar to what spammers use in a dictionary harvest attack, and hope that some of those would map to valid accounts as well. The difference is that because the space of possible email addresses is effectively infinite, and because many people use email addresses on Facebook that aren't on any publicly circulating databases, an email search would probably not hit more than a small portion of Facebook accounts that were searchable by email address. On the other hand, since the space of possible phone numbers is finite, with enough patience you could uncover every Facebook account that had an associated phone number. As my short experiment above showed (13 out of 100 random numbers mapping to accounts), you could start building up a list of valid hits pretty quickly.
Similarly, it's already trivially possible for an attacker to build up a long list of other users' Facebook accounts: start with one person's account, go through their friends list, then visit the profile of each of those users and index their friends list, etc., like a search engine recursively spidering the Web. However, you'd be left with a large list of Facebook accounts but no way to contact them — you wouldn't have their email addresses or phone numbers, and if you send a message to a non-friend on Facebook, it goes into a subfolder of their Inbox marked "Other", which most users never check. The phone number dictionary attack described above is the only loophole I can think of that lets you harvest a large list of Facebook users and a means to contact them in a way that they will actually see.
What could somebody do with such a database? Well, even if you only had a small list of a few thousand people, you could try spamming or scamming the numbers via text message. SMS scams are nothing new, of course, but they would probably be more effective if supplemented with the details you could get from a person's Facebook profile. (For straight-up spam, you can target it based on the interests listed in a person's profile. For scams, remember that you can use names taken from a person's friends list: "Hi, this is Jessica Smith. I have to pay off a parking ticket online or my car will get towed; can I borrow your credit card number and then I'll pay you tomorrow?")
Or if you spidered so many accounts that you built up a database which included a significant portion of all Facebook users with phone numbers on their profile, you could even launch your own publicly searchable website, splattered with grey-market pop-up advertisements: "Look up any Facebook user's phone number! If they've got their number on their Facebook profile, we have it here!" (While this would certainly raise awareness of the problem, I think it's more likely that the data harvester would decide they could make more money trading the data on the black market.)
I haven't seen this issue raised anywhere else, but lest you accuse me of "giving the bad guys ideas", I do think it's sufficiently obvious that some people on the dark side have probably discovered it, or would have, even if I hadn't brought it up. And even if any of these outcomes is unlikely, it would only have to be done once, to put the users' data permanently in the hands of the attackers, with Facebook unable to put the cat back into the bag. (Although they could at least rectify the problem for new users going forward.)
Balanced against this, what is the upside of being able to search for someone's profile on Facebook using their phone number? In my Facebook-using days, I never did it, since it was always easier to find someone using their email address, or by searching for their name, or by finding them in the friends list of one of our mutual friends. But even in a case where all you had was the person's phone number, is it too much to text them and ask for their first and last name, or their email address, so you can add them on Facebook?
Although Facebook did not respond to my inquiries, it's true that the existing behavior doesn't technically look like a violation of their Privacy Policy ("To make it easier for your friends to find you, we allow anyone with your contact information (such as email address or telephone number) to find you through the Facebook search bar..."). And I verified with a new test account that by default, in your privacy settings, under "How You Connect", the setting "Who can look you up using the email address or phone number you provided?" is set to "Everyone." The problem is that this setting casually lumps the two together, and users — as well as Facebook itself — might not realize that the implications of being findable by your phone number are different from being findable by your email address.
Facebook should probably just go ahead and block searches by phone number — or, at least, make you fill out a CAPTCHA every time you do a phone number search, to make it harder to harvest them in bulk. There's no way to know if scammers are trying this already, but at least we can prevent it going forward. That would require a small edit to Facebook's privacy policy, but luckily for them, they can now do that without even calling a vote.
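The mitigation the article asks for (challenge bulk phone-number lookups with a CAPTCHA) needs a way to tell a harvester walking through a block of numbers apart from a user doing an occasional search. This is an added example, not Facebook's code: it runs a simple heuristic over a constructed lookup log (one JSON record per search with an assumed client id, timestamp, queried number and hit flag) and flags clients whose recent queries are numerous and share all but the last two digits, which is exactly the pattern of the author's 00 to 99 experiment. The window and thresholds are assumed policy values.

```python
"""Flag bulk phone-number lookups in a search log (added example, not Facebook's code)."""
import json
from collections import Counter, defaultdict

WINDOW_SECONDS = 600   # look-back window per client (assumed policy value)
MAX_DISTINCT = 20      # distinct numbers per window beyond which a human search is implausible
PREFIX_SHARE = 0.6     # fraction of lookups sharing every digit except the last two


def _constructed_log():
    """Synthetic log: one client walking 30 consecutive numbers, one client doing
    three unrelated searches.  Numbers are in the reserved 555 range."""
    lines = []
    t = 1_700_000_000
    for i in range(30):
        number = f"+1555555{100 + i:04d}"          # +15555550100 ... +15555550129
        lines.append(json.dumps({"client": "c-harvest", "ts": t + i * 3,
                                 "query": number, "hit": i % 7 == 0}))
    for i, number in enumerate(["+15555551234", "+15555559876", "+15555550042"]):
        lines.append(json.dumps({"client": "c-normal", "ts": t + 60 * i,
                                 "query": number, "hit": i == 0}))
    return "\n".join(lines)


def parse_log(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def client_stats(events, now):
    """Per-client counters over the look-back window ending at `now`."""
    recent = defaultdict(list)
    for e in events:
        if 0 <= now - e["ts"] <= WINDOW_SECONDS:
            recent[e["client"]].append(e)
    stats = {}
    for client, evs in recent.items():
        numbers = {e["query"] for e in evs}
        # Group by everything except the last two digits: a consecutive walk
        # through xx00..xx99 collapses into a single prefix bucket.
        prefixes = Counter(e["query"][:-2] for e in evs)
        top_share = prefixes.most_common(1)[0][1] / len(evs)
        hits = sum(1 for e in evs if e["hit"])
        stats[client] = {
            "lookups": len(evs),
            "distinct": len(numbers),
            "prefix_share": top_share,
            "hit_rate": hits / len(evs),   # low hit rate is typical of blind enumeration
        }
    return stats


def decide(stat):
    """Policy: a client enumerating a block of numbers gets a CAPTCHA challenge."""
    if stat["distinct"] >= MAX_DISTINCT and stat["prefix_share"] >= PREFIX_SHARE:
        return "challenge"
    return "allow"


def evaluate(text, now):
    """Map each client seen in the window to 'allow' or 'challenge'."""
    return {c: decide(s) for c, s in client_stats(parse_log(text), now).items()}


if __name__ == "__main__":
    for client, verdict in evaluate(_constructed_log(), now=1_700_000_000 + 200).items():
        print(client, verdict)
```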
-
CES: Can a Gyroscope Ball Really Cure Wrist Pain? (Video)
Timothy ran into these NSD people at CES. If we were giving out a "best huckster" award, NSD booth dude Doug Lo would surely be a finalist for it. He's one heck of a talker. The exercise balls he's pushing? A number of companies have been making and selling similar products for many years. They seem to have some medical benefit as physical therapy aids for people with wrist or carpal tunnel problems, and may also be useful exercise devices for people who want to strengthen their hands and fingers. Have you used a gyroscope exercise ball? If so, did it help cure a wrist problem or help strengthen your hands and fingers? And which of these brands (if any) did you try? -
The World Remains Five Minutes From Midnight
Lasrick writes "The Bulletin of the Atomic Scientists announces whether their Doomsday Clock has been moved with this open letter to President Obama, outlining progress on a number of fronts, but also detailing what still needs to be done to avoid various threats to humanity." From the article: "2012 was a year in which the problems of the world pressed forward, but too many of its citizens stood back. In the U.S. elections the focus was "the economy, stupid," with barely a word about the severe long-term trends that threaten the population's well-being to a far greater extent: climate change, the continuing menace of nuclear oblivion, and the vulnerabilities of the world's energy sources." -
How the Internet Makes the Improbable Into the New Normal
Hugh Pickens writes "A burglar gets stuck in a chimney, a truck driver in a head on collision is thrown out the front window and lands on his feet, walks away; a wild antelope knocks a man off his bike; a candle at a wedding sets the bride's hair on fire; someone fishing off a backyard dock catches a huge man-size shark. Now Kevin Kelly writes that in former times these unlikely events would be private, known only as rumors, stories a friend of a friend told, easily doubted and not really believed but today they are on YouTube, seen by millions. 'Every minute a new impossible thing is uploaded to the internet and that improbable event becomes just one of hundreds of extraordinary events that we'll see or hear about today,' writes Kelly. 'As long as we are online — which is almost all day many days — we are illuminated by this compressed extraordinariness. It is the new normal.' But when the improbable dominates the archive to the point that it seems as if the library contains only the impossible, then the 'black swans' don't feel as improbable. 'To the uninformed, the increased prevalence of improbable events will make it easier to believe in impossible things,' concludes Kelly. 'A steady diet of coincidences makes it easy to believe they are more than just coincidences.'" -
Geothermal Power Advances
An anonymous reader writes "A group of geothermal power engineers have created three reservoirs from a single well in a place where none existed previously. This is a breakthrough for Enhanced Geothermal System technology — people who need power often can't choose a spot where there happens to be a geothermal reservoir, and EGS could allow us to create them where needed. 'Last fall, engineers pumped cold water into the ground, cracking open fissures in the deep rock, a process known as hydroshearing. They then sealed one reservoir from the other using a new technology. They injected ground-up recycled plastic bottles, which plugged up the cracks in one reservoir while millions of gallons of cold water were being pumped in to create another. Then the plastic diffused, leaving behind three reservoirs. ... The U.S. Department of Energy, which is covering half the $43.8 million cost of the Newberry project, says if the initial indications hold up, the Newberry project would mark the first time in the world that multiple geothermal reservoirs have been created on purpose from a single well in a new area.'" -
Should Microsoft Switch To WebKit?
DeviceGuru writes "Although IE remains one of the top browsers on desktops, it's being trounced on tablets and smartphones by browsers based on WebKit, including Safari, the Android Browser, and Google Chrome. Faced with this uphill battle on handheld mobile devices, Microsoft MVP Bill Reiss has suggested that it might be time for Microsoft to throw in the towel on Trident and switch to WebKit (though Reiss later decided he was wrong). But although there are lots of points in favor of doing so, there are also some good reasons not to, including security and a need for healthy competition to avoid having mobile developers begin to target WebKit rather than standards." -
Former GOP Staffer Derek Khanna Speaks On Intellectual Property
cervesaebraciator writes "Tim Lee over at Ars Technica recently interviewed Derek Khanna, a former staffer for the Republican Study Committee. As reported on Slashdot, Khanna wrote a brief suggesting the current copyright law might not constitute free market thinking. He was rewarded for his efforts with permanent time off of work. Khanna continues to speak out about the need for copyright reform as well as its potential as a winning electoral issue and, according to Lee, he's actually beginning to receive some positive attention for his efforts. 'I encourage Hill staffers to bring forth new ideas. Don't be discouraged by the potential consequences,' Khanna told Ars. 'You work for the American people. It's your job, your obligation to be challenging existing paradigms and put forward novel solutions to existing problems.' Would that more in both major parties thought like this."