Your assessment of the people I know is incorrect.
I know plenty of computer-illiterate people. Yet when it comes to Kazaa, I know two kinds of people:
1) Those who have never heard of it (and do not run it) 2) Those who know what it is; they may or may not run it, but they know what it does.
It is possible that it runs on your computer even though you're in group (1) because someone else put it there; that would be a matter for the jury (or, in a case with no jury, the judge I suppose) to sort out. If the jury consists of people like me (who think you have a certain responsibility for a machine you place on the Internet), don't expect a surplus of sympathy.
Meanwhile, your offer to "name names" is, as you assuredly already know, worthless since your claim would be unverifiable.
Your access to someone's p2p share might have some of the same limitations as a library copier (cost of download, for example), and indeed that doesn't make it legal. Your university might also have an anti-piracy policy to which your access to someone's p2p share would be subject. But those things are not characteristic of the p2p share itself.
The limits I talked about are "built in" to the setup of a library's copier (not merely a small population's access to said copier). That doesn't mean that every possible use of such a copier is legal; but it is relevant in identifying the resonable uses and purposes of the copier. The same cannot be said for a p2p share.
The law just isn't as black-and-white or as simple on this point as a lot of people think it "should" be. Two things "can" be used to infringe copyright -- that's not enough to say that they're equivalent in the eyes of the law. Fuzzy concepts like "significant non-infringing uses" can make a difference.
If you say "filesharing networks have significant non-infringing uses", I agree; I think Napster got a raw deal. But if you say "placement of a copyrighted work in a p2p share has significant non-infringing uses", I disagree, and that's really the subject at hand.
You seem to be reading my arguments to mean that library photocopiers cannot be used for copyright infringement. That is not my argument.
My argument is that (1) library photocopiers are not, as the previous poster suggests, the ideal setup for copyright infringement, and (2) they in fact serve a different significant purpose that is completely legal. This is in contrast to a share containing copyrighted material on a filesharing service, which clearly and ideally serves the purpose of infringing copyright on that material.
"Let's say you decide to copy an entire book using library photocopiers, at $0.10 per page. You'll typically pay more than a new copy would cost, True in some cases, not in others. Kids books like "The Pigeon Finds a Hot Dog!" is some $12.00. Probably cost under $2.00 to copy at.10c/page."
That's why I said "typically". Yes, there are some works you could copy, and that would be illegal. That's not what the copiers are set up for, though.
Then again, while kids books are less affected by this previous point (about cost of the copy), they're more affected by the next one (about the quality of the copy), since they tend to have a lot of color. (Perhaps your library has color copiers, but if so I bet they charge more than $0.10 per color page...)
"and the copy you get will be pretty low quality That doesn't make them somehow legal."
No, but it again calls into question the claim that the library has given you the perfect setup to violate copyright.
"You'll also need quite a bit of time for this project, and may be told to stop and/or kicked out of the library before you can complete it Only if i were to attempt to copy the entire library"
You must be more patient than I am if you don't consider the time to copy each page of a book (without destroying the book) to be "quite a bit of time". Again it depends on the specific book, of course; and again that's beside the point.
"(You might also notice signs around the copier that put you on notice that you're supposed to obey copyright law, though that detail depends on the library.) It wouldn't be hard to add to the kazaa protocal a message that says 'please respect copyright' when someone connects. Would that some change anything?"
That alone would not change anything. I mentioned the signs as an indicator of the library's poilcy. If kazaa had a policy of policing against copyright infringement, that might change things; and a message like you suggest would be a good indicator to go along with such a policy. But simply printing the message with no real anti-infringement policy behind it would have no meaning.
"What if I put copywritten files in there so that someone who stepped on their copy of the CD can download a new copy from me?"
What if I yell my credit card number across the store so that the clerk can run my transaction? Don't be absurd.
"Or to save people from having to tediously rip their own CD's?"
You can certainly try to be coy, and that's why we have juries. If you can fool 12 people into believing you're just helping people legally format-shift songs they purchased, more power to you. If I'm on that jury, good luck convincing me that the preponderance of evidence suggests such when you have neither the motive nor the means to ensure that's how the share is being accessed. In fact, good luck convincing me that downloading the song is "less tedious" than ripping it.
"What if I don't put copyprotected files in my Kazaa share?"
Then that has nothing to do with the discussion at hand. I'm talking about the purpose of a kazaa share that contains copyrighted materials. I appologize if I wasn't explicit enough in my previous message, but frankly I would've expected you to pick it up from context.
"For example, copying a few pages of a reference book for academic purposes is legal.
"it was a reasonable assumption that anyone making multiple copies of a book or vinyl album or even a CD was doing so to sell them. Copyright law is all about stopping that from happening"
I'd argue that copyright law isn't so much about keeping someone other than the copyright holder from making money, but rather it's about keeping someone other than the copyright holder from preventing the copyright holder from making money.
Anyhow, the idea of non-profit copyright violation isn't new or unique to digital media. Consider that physical distribution isn't the only way to infringe on a copyright. What about a free public performances, for example?
I must admit, you have me at a disadvantage, as I am not a lawyer and am working from an amateur perspective.
And don't get me wrong; I'm a fan of the work you're doing, even though on a few points I think the line you take is a bit one-sided. (But then, I suppose that's as it should be...)
In any case, do you mean that you can envision a case where a person could engage in activity that is not infringing, but if he charged someone while engaging in otherwise-identical activity it would be infringing?
The retail stores were never the "victim" as you put it; this is about copyright violation, and the copyright doesn't belong to the retail store. Hence the law suits come from record labels (Sony, etc.); not retail stores (Best Buy, etc.).
Your scenario of putting copyrighted material on a web page to be later discovered by others is interesting (but very different from the typical p2p examples IMO). It may come down to inferred intent; the typical reason to put a file on a publicly viewable web page -- especially without protections to prevent, say, Google from indexing it -- is to distribute that file.
My point, though, is really that the digital world today creates a vast grey area that's untested. The lines need to be drawn. The laws haven't kept up with technology, and that cuts both ways. Of the things you can do today that you couldn't feasably do ten years ago, some shouldn't be illegal and others should -- it's not all going to go to one side.
The RIAA's "making available" theory seems like laziness -- why go to the trouble of proving out all these little details if they can find a way to make a sweeping claim over every "shared" folder?
But meanwhile, the extreme opposite position -- that nothing short of proving individual downloads should constitute infringement -- sounds like a five-year-old's "I'm not touching you" B.S. (with more of a "you can't prove I'm touching you" spin).
1) I don't really buy the "user doesn't know" argument; it doesn't take a 4-year degree to know what kazaa is doing with the files you put in its share folders, and at some level a user is responsible for knowing something about the tools he or she employs. At best, I'd say that would come down to a case-by-case jury decision.
2) The library analogy is seriously flawed. Let's say you decide to copy an entire book using library photocopiers, at $0.10 per page. You'll typically pay more than a new copy would cost, and the copy you get will be pretty low quality; so I don't really see how the library has given you "everything you need" to get illegal copies of their books.
You'll also need quite a bit of time for this project, and may be told to stop and/or kicked out of the library before you can complete it. Oh, the staff might not bother -- librarians don't always feel like they're paid enough for that kind of confrontation -- but if you check the library's policy, you'll probably find that they're supposed to. (You might also notice signs around the copier that put you on notice that you're supposed to obey copyright law, though that detail depends on the library.)
See, unlike kazaa shares, the purpose of library photocopiers isn't copyright violation. The purpose of library copiers includes things like "fair use", which is legal (though the RIAA would love for you to forget that fact). For example, copying a few pages of a reference book for academic purposes is legal. The copiers are well suited to this purpose (in much the way that they are not well suited to wholesale copyright violation).
Copyright law does not distinguish, in defining "distribute", between copies paid for vs. copies given away for free; so while arguing that "not charging" is a difference makes a nice bit of sophistry, it's really nothing more than that; not charging isn't a relevant difference for this conversation.
As for the user not "knowing much about computers"... There's a lot that could be said about that, but for now I'll leave it at "that'd be up to the jury to decide".
Except that depends. If "shared folder" means "folder shared and indexed by a p2p service, such that said service's other users are made aware of the track's availability upon request", then it's more like the GP's example than yours.
Actually it's like the GP's example with a much more effective marketing budget.
I do agree in a literal sense that "merely making available" should not be enough to get a judgement; but I don't agree if you're saying that putting a track on kazaa is "merely making it available".
Right now, it is hard to "prove" that it was you that downloaded their material -- it could be anyone from your ISP with that IP, right?
Not exactly. Yes, the IP may change hands among all users of your ISP; however, at any given point in time, it is in one person's hands, and the ISP knows who that one person is.
IP + time does accurately identifiy the subscriber account used to obtain internet access by the computer being used to, in your example, download copyrighted material. That's not the problem with it -- the problem is that knowing what subscriber account was used doesn't prove who actually infringed the copyright (unless you buy into the idea that TOS can assign all civil and criminal liability with language like 'you are responsible for how your connection is used', which I don't).
Not every digital phone has a camera. Not even every new phone has a camera.
If your old phone meets your needs and you're happy with it, then that's great. It's about to stop meeting your needs, though, so you might as well get over the assumption that nothing new will be able to meet your needs. If you shop around a bit (and it probably won't even take much of that), you'll find that assumption to be false.
If it were done in response to a subpeona and/or in contradiction of the University's normal data retention policies, then probably it would be obstruction of some form.
The university could, as a matter of policy, not keep track of IP-to-student mappings. As soon as an IP address is released, forget it was ever assigned, that kind of thing. They could... but they'd be fools if they did.
What happens if someone uses their network connection to hack other university systems? The logs might show the IP from which an attack originated, but if you're not tracking your IP leases, that's a dead end.
What if someone sends threatening or otherwise harassing messages over the university network? Oh, sure, depending on other aspects of the university's security policy (like how lab computers are configured) it may be possible to do untracably, or maybe not... but if you don't track the IP assignments to students' own computers, you can bet it will be.
On the differences between our government and China's, I agree.
So sue the government. Filing a lawsuit with the aim of outing information about a third party -- or indeed with any aim other than solely to impose just sanctions agains the defense -- is an abuse of the court system.
and losing a ton of it would have caused the shareholders to demand future adheriance to the law
What makes you think the shareholders had (or in future cases would have) any influence whatsoever over a situation like this? Do you imagine a proxy went out saying 'The board recommends you vote in favor of a proposal to comply with an illegal wiretapping program'?
A number of reasons, but I'll stick with the simplest:
You're expecting that punishment creates negative feedback which will change behavior. Whose behavior? "The corporation's behavior?" If you think that, you've bought way too far into the idea of "corporation as an entity". A corporation doesn't act with one will. It also doesn't spend time in prison, and it doesn't pay judgements -- it merely collects them from real entities, like customers or shareholders.
Will the individual(s) who authorized these activities suffer if judgements are leveled against the company? No. It's not coming out of their paycheck. In general if the lawsuit is brought against the corporation the individual actors are shielded from liability. That's a big part of what a corporation (as a legal structure) is for -- it's a liability shield.
Will the government officials who actually initiated the program suffer? No. They're the ones whose behavior you really have to worry about, by the way. Resistance from the telecoms would only have bought time.
1) why you believe you know what I think (beyond what I actually wrote), or
2) why you think it matters whether the program was connected to the war on terror or whether it dates back to a 30-year-old government conspiracy...
Perhaps those points would be clearer if you were actually to make an argument instead of just karma-whoring by making vague disagreement with anyone who posts an unpopular view.
Your personal opinion of me is fascinating. If you'd like to debate the substance of my arguments, you're welcome to try again.
"At a time where corporate law suits against single citizen's is at an all time high, you suggest that we (the people) should have no recorse against illegal activities of corporations? Just becuase 'someone else' asked them to do it."
I suggest no such thing. Why not debate my specific propositions instead of trying to water them down into over-generalized garbage of your own imagining?
I do suggest (1) that the government isn't just "somebody else" (but I'm sure if the government showed up at your doorstep to spy on your neighbor from your house, you'd put up one hell of a fight against them), and (2) that the corporate entity "AT&T" isn't the legally responsible party given these specific circumstances.
"Absolutely not sir."
Oooh, he called me "sir". That lends great credibility to his statements.
"this is proven they knew it to be illegal, as some companies REFUSED on the grounds of it being illegal"
So if Bob refuses to do something because it's illegal, this proves that Joe knows it to be illegal? Interesting. Far from the truth, but interesting.
Doesn't matter, though; whether any party knew the action to be illegal is immaterial, as ignorance of the law is no excuse. Which is why none of my arguments have anything to do with whether those making the decisions believed they were acting legally or not.
Punishing the telecom companies for cooperating with the government wouldn't actually protect anyone's rights anyway. The grant of immunity is a corollary problem; the root problem is that the government would engage in a warrantless wiretap program to begin with, and until that is addressed we will continue to be short-changed on our rights as citizens.
Simply withholding immunity really just moves the problem around a bit. Now the shareholders of (for example) AT&T bear the cost of decisions they didn't make, approve, or know about. Perhaps they could turn around and file a shareholder suit (on the grounds that AT&T worked against shareholder interests by cooperating with and being held liable for the wiretap program), though I'm told those types of suits aren't very common these days.
While we do hold that "just following orders" isn't a suitable defense for war crimes, I wonder if the balance between the moral/ethical breach of compliance vs. pressure applied by the government is the same in this case. (Do we actually know how much pressure or threat, if any, was used to get the telecoms to cooperate?) I'd see some merit to the argument that liability should be pushed back onto the government itself.
At any rate, I find it surprising that we would expect more backbone out of corporations dealing with the American government than we expect out of them when dealing with, say, the Chinese government. If we tolerate Google "playing by China's rules" when all they stand to lose is their entry into the Chinese market, then why would we expect better of AT&T when they would be running afoul of their home country's government?
What I'd like to see -- and you'll have to forgive me for any imprecision in the details here, as IANAL -- is a John Doe suit filed against the individual(s) within (for example) AT&T who actually made and authorized the decisions to compromise customers' privacy. Naturally those individuals would try to hide behind the shield of corporate liability; I would hope (though I can't remember if it's the case) that taking actions outside of -- and even contrary to -- the corporation's interests would make a case for PCV.
And even when that happens, it's still an organic molecule.
"700 degrees Celsius...why are we so sure this completely precludes the possibility of life?"
That may depend on how we define "life". In the sense that life could vary widely from what we know and understand, maybe you're right. Of cousre, if it's not a bit closer to "life as we know it" than that, then we don't know what to look for anyway. Would such life depend on water? Well, not liquid water. It wouldn't be made up of combustable carbon chains, either.
So within the limits of "life based on processes we understand", "life we have a clue how to look for", "life we have a reason to believe is possible", etc., it is safe to assume it couldn't exist in those conditions.
As for the scenario of a company wanting to censor MP3 attachments, they can do so already just by looking for the MIME attachments
Yes, but today for the RIAA to ask for such a concession they have to cut off their own constituants' ability to distribute MP3's in that manner. (And while they aren't doing it today, that doesn't mean they'll never want the option.) Similarly, even without DKIM eBay could ask ISP's to block all messages from eBay, but tehy wouldn't want to do that, would they?
More to the point, today when an ISP blocks content (*cough* comcast *cough*) people notice and get up in arms about it, because it's not a normal and accepted practice. Get the consumer used to the idea that the ISP is "protecting" him or her by blocking "harmful" emails, and suddenly you can get by with a lot more.
It has everything to do with DKIM if filtering is implemented on the network instead of the client.
This article is fine news for non-nerds... but somehow that's not what I hope for around here.
So there's a standard (or collection of standards) coming together to combat phishing. Good, good. How does it work? TFA mentions documents describing how a company signs its messages and how a recipient checks the signature, but no link?
Is it a technically sound signature, with a secret key that can be reasonably protected and no reasonable means to modify a signed message without breaking the signature? Does the verification process involve checking for the latest information from the alleged signer in case a signature has been compromised?
In short, I'd like enough information to judge for myself whether a DKIM-signed message is trustworthy.
Speaking of deciding for myself -- I understand the rationale for ISP-level filtering of unsigned email, but I don't think it's a great idea. At most, I think this should be an end-user-configurable service (and sure, filter by default if you want). When I sign up for service, my base expectation is that messages will be delivered and I can decide what to do with them. Client-side support (conspicuous notification to the user of whether a message is signed and, if so, whether the signature validates and, if so, who signed it) are the way to handle this.
That way, the user can spot any attempt to impersonate eBay (not just instances where the filter decided that the message was trying to look like it came from eBay). Who sets those criteria, anyway? Do you just block messagse with an eBay return address? You'd miss a lot. Do you actually evaluate the content? That borders on giving each DKIM-using company the ability to censor for certain content. ("If it contains an MP3 attachment and we didn't sign it, filter it out!")
"you're nothing but a bunch of sulky bullies spouting trash talk from a safe distance?"
So, the theme of your post isn't bad, but it would be stronger if not for the irony of making the above statement while inviting them to sue someone other than yourself.
My next round of questions and comments would revolve around the proposition that "the user is generally not a threat". I'd divide the world into two types of system:
The Easy Cases: For some systems, I'd say it's clearly and demonstrably true that programs, not users, are the threat. For example, the WinXP desktop sitting in my office at home isn't under threat from any malicious users (and indeed I don't have it set up to take a password), while systems like it are forever being compromised by malicious programs; so that would seem to be the ideal example for the type of system you describe.
The Interesting Cases: I'm guessing that multi-user networked systems probably present the most interesting (and complicated) discussion. These would include a wide range of cases, from sensitive government/military, to business of various sorts, to research and other university systems. Part of the challenge (at least on the surface) is that in the case of an incoming network connection, the distinction between a "user" and a "program" seems a bit abstract.
I wno't try to go too far into those questions without first checking through the resources you've pointed to, which will take me some time. I would note, though, that many industries operate under regulations that require authentication. This may partially be due to bad assumptions on the part of regulators. However, it also points toward a second reason why people use authentication: Sometimes it's not enough to know that an action is authorized; sometimes you have to keep track of who took each action.
In the simplest case, an employer might grant capabilities to a group of employees so that they can do their jobs. But sometimes trust is misplaced, and maybe one of the employees abuses those capabilities for personal gain (some sort of fraud or theft, etc.). You may not be able to stop him from doing it whether by authentication or by controlling capabilities; the question is, how do you investigate after the fact? The traditional answer is to keep an audit trail -- log that Employee X performed actions A, B, and C at such-and-such time.
So, while you can decouple authentication from authorization to a point, I would still think you'd sometimes have to state "user has provided accurate identification" as a prerequisite of authorization (even if the authorization process isn't looking for any particular identity).
Initially, I was going to call out ATM's as an example of a third category in which the user simply couldn't be trusted; but on reflection, I think this is a matter of perspective. Arguably in the age of electronic transactions PIN's, CC#'s, account/routing numbers, etc. are somewhere between authentication instruments and capabilities as it is; the real question then seems to be what form(s) the authorizing information should take and what means should be used to protect it.
That said, I do think these make up a third category in this sense: Although they may be good candidates for a capability-based system, it remains true that I wouldn't generally "trust" a user as far as I could throw him.
In any case, I plan to look into some of the systems you mention, time permitting.
1) It provides a limited degree of authentication of the machine to the user. This is lacking in, say, ATM transactions today (in the U.S. at least), which is one of the concerns the article talks about. However, while this system has the "side effect" of providing the user with some chance of noticing a fake machine (depending on details of how the system were implemented and deployed), it would be better to approach a design with the specific goal of validating the machine.
2) The point they advertise -- it makes it hard to learn anything by watching the person enter the "password".
I see some challenges, and there are definitely some things it doesn't prevent.
Where do the images come from? Each bank (or other institution using this system) has to come up with a library of images for its users, with each image clearly distinct from the others? But wait -- sometimes I use another bank's ATM. So either (1) the machine will have to start by identifying which bank to use and downloading the appropriate images, which reduces the protection against fake machines; or (2) there will have to be a single library of images for all banks.
In a large-scale deployment, there are additional usability questions that aren't captured by a small-scale trial. If someone sets up different passwords for different systems, will they be able to reliably remember which pictures to use where? What if the systems have similar but different images in their libraries? Keep in mind, human associative memory and visual processing interact in very strange ways sometimes.
How will the visually impaired interact with this system? I think I could use it in spite of my eyesight (barring a really poor implementation), but there are others who can't. I expect that to pretty much end the discussion for me.
This is interesting material, and I'm hoping to find time to research the concepts further.
I have to say, though, that this article doesn't answer such questions as "when I approach a machine, how do I establish the capabilities I need for my tasks to be performed?"
In other words, I can see how this would reduce the roll of authentication during a session of activity, but I do not see in most common use cases how you could start a session without an authentication step. If you can persist your system's capabilities in a way that is portable (with the user) and maintains integrity, that would allow your "session" to be arbitrarily long, but:
1) It would still seem that the decision to initially hand the capability to the user has to be made with knowledge of who the user is, and
2) I'm curious how you would go about restoring security were such a persisted capability stolen.
Slashdot Mirror
Your assessment of the people I know is incorrect.
I know plenty of computer-illiterate people. Yet when it comes to Kazaa, I know two kinds of people:
1) Those who have never heard of it (and do not run it)
2) Those who know what it is; they may or may not run it, but they know what it does.
It is possible that it runs on your computer even though you're in group (1) because someone else put it there; that would be a matter for the jury (or, in a case with no jury, the judge I suppose) to sort out. If the jury consists of people like me (who think you have a certain responsibility for a machine you place on the Internet), don't expect a surplus of sympathy.
Meanwhile, your offer to "name names" is, as you assuredly already know, worthless since your claim would be unverifiable.
Your access to someone's p2p share might have some of the same limitations as a library copier (cost of download, for example), and indeed that doesn't make it legal. Your university might also have an anti-piracy policy to which your access to someone's p2p share would be subject. But those things are not characteristic of the p2p share itself.
The limits I talked about are "built in" to the setup of a library's copier (not merely a small population's access to said copier). That doesn't mean that every possible use of such a copier is legal; but it is relevant in identifying the resonable uses and purposes of the copier. The same cannot be said for a p2p share.
The law just isn't as black-and-white or as simple on this point as a lot of people think it "should" be. Two things "can" be used to infringe copyright -- that's not enough to say that they're equivalent in the eyes of the law. Fuzzy concepts like "significant non-infringing uses" can make a difference.
If you say "filesharing networks have significant non-infringing uses", I agree; I think Napster got a raw deal. But if you say "placement of a copyrighted work in a p2p share has significant non-infringing uses", I disagree, and that's really the subject at hand.
You seem to be reading my arguments to mean that library photocopiers cannot be used for copyright infringement. That is not my argument.
.10c/page. "
My argument is that (1) library photocopiers are not, as the previous poster suggests, the ideal setup for copyright infringement, and (2) they in fact serve a different significant purpose that is completely legal. This is in contrast to a share containing copyrighted material on a filesharing service, which clearly and ideally serves the purpose of infringing copyright on that material.
"Let's say you decide to copy an entire book using library photocopiers, at $0.10 per page. You'll typically pay more than a new copy would cost,
True in some cases, not in others. Kids books like "The Pigeon Finds a Hot Dog!" is some $12.00. Probably cost under $2.00 to copy at
That's why I said "typically". Yes, there are some works you could copy, and that would be illegal. That's not what the copiers are set up for, though.
Then again, while kids books are less affected by this previous point (about cost of the copy), they're more affected by the next one (about the quality of the copy), since they tend to have a lot of color. (Perhaps your library has color copiers, but if so I bet they charge more than $0.10 per color page...)
"and the copy you get will be pretty low quality
That doesn't make them somehow legal. "
No, but it again calls into question the claim that the library has given you the perfect setup to violate copyright.
"You'll also need quite a bit of time for this project, and may be told to stop and/or kicked out of the library before you can complete it
Only if i were to attempt to copy the entire library "
You must be more patient than I am if you don't consider the time to copy each page of a book (without destroying the book) to be "quite a bit of time". Again it depends on the specific book, of course; and again that's beside the point.
"(You might also notice signs around the copier that put you on notice that you're supposed to obey copyright law, though that detail depends on the library.)
It wouldn't be hard to add to the kazaa protocal a message that says 'please respect copyright' when someone connects. Would that some change anything? "
That alone would not change anything. I mentioned the signs as an indicator of the library's poilcy. If kazaa had a policy of policing against copyright infringement, that might change things; and a message like you suggest would be a good indicator to go along with such a policy. But simply printing the message with no real anti-infringement policy behind it would have no meaning.
" What if I put copywritten files in there so that someone who stepped on their copy of the CD can download a new copy from me? "
What if I yell my credit card number across the store so that the clerk can run my transaction? Don't be absurd.
" Or to save people from having to tediously rip their own CD's? "
You can certainly try to be coy, and that's why we have juries. If you can fool 12 people into believing you're just helping people legally format-shift songs they purchased, more power to you. If I'm on that jury, good luck convincing me that the preponderance of evidence suggests such when you have neither the motive nor the means to ensure that's how the share is being accessed. In fact, good luck convincing me that downloading the song is "less tedious" than ripping it.
" What if I don't put copyprotected files in my Kazaa share? "
Then that has nothing to do with the discussion at hand. I'm talking about the purpose of a kazaa share that contains copyrighted materials. I appologize if I wasn't explicit enough in my previous message, but frankly I would've expected you to pick it up from context.
"For example, copying a few pages of a reference book for academic purposes is legal.
"it was a reasonable assumption that anyone making multiple copies of a book or vinyl album or even a CD was doing so to sell them. Copyright law is all about stopping that from happening"
I'd argue that copyright law isn't so much about keeping someone other than the copyright holder from making money, but rather it's about keeping someone other than the copyright holder from preventing the copyright holder from making money.
Anyhow, the idea of non-profit copyright violation isn't new or unique to digital media. Consider that physical distribution isn't the only way to infringe on a copyright. What about a free public performances, for example?
I must admit, you have me at a disadvantage, as I am not a lawyer and am working from an amateur perspective.
And don't get me wrong; I'm a fan of the work you're doing, even though on a few points I think the line you take is a bit one-sided. (But then, I suppose that's as it should be...)
In any case, do you mean that you can envision a case where a person could engage in activity that is not infringing, but if he charged someone while engaging in otherwise-identical activity it would be infringing?
In any case, thanks for your response.
The retail stores were never the "victim" as you put it; this is about copyright violation, and the copyright doesn't belong to the retail store. Hence the law suits come from record labels (Sony, etc.); not retail stores (Best Buy, etc.).
Your scenario of putting copyrighted material on a web page to be later discovered by others is interesting (but very different from the typical p2p examples IMO). It may come down to inferred intent; the typical reason to put a file on a publicly viewable web page -- especially without protections to prevent, say, Google from indexing it -- is to distribute that file.
My point, though, is really that the digital world today creates a vast grey area that's untested. The lines need to be drawn. The laws haven't kept up with technology, and that cuts both ways. Of the things you can do today that you couldn't feasably do ten years ago, some shouldn't be illegal and others should -- it's not all going to go to one side.
The RIAA's "making available" theory seems like laziness -- why go to the trouble of proving out all these little details if they can find a way to make a sweeping claim over every "shared" folder?
But meanwhile, the extreme opposite position -- that nothing short of proving individual downloads should constitute infringement -- sounds like a five-year-old's "I'm not touching you" B.S. (with more of a "you can't prove I'm touching you" spin).
1) I don't really buy the "user doesn't know" argument; it doesn't take a 4-year degree to know what kazaa is doing with the files you put in its share folders, and at some level a user is responsible for knowing something about the tools he or she employs. At best, I'd say that would come down to a case-by-case jury decision.
2) The library analogy is seriously flawed. Let's say you decide to copy an entire book using library photocopiers, at $0.10 per page. You'll typically pay more than a new copy would cost, and the copy you get will be pretty low quality; so I don't really see how the library has given you "everything you need" to get illegal copies of their books.
You'll also need quite a bit of time for this project, and may be told to stop and/or kicked out of the library before you can complete it. Oh, the staff might not bother -- librarians don't always feel like they're paid enough for that kind of confrontation -- but if you check the library's policy, you'll probably find that they're supposed to. (You might also notice signs around the copier that put you on notice that you're supposed to obey copyright law, though that detail depends on the library.)
See, unlike kazaa shares, the purpose of library photocopiers isn't copyright violation. The purpose of library copiers includes things like "fair use", which is legal (though the RIAA would love for you to forget that fact). For example, copying a few pages of a reference book for academic purposes is legal. The copiers are well suited to this purpose (in much the way that they are not well suited to wholesale copyright violation).
Copyright law does not distinguish, in defining "distribute", between copies paid for vs. copies given away for free; so while arguing that "not charging" is a difference makes a nice bit of sophistry, it's really nothing more than that; not charging isn't a relevant difference for this conversation.
As for the user not "knowing much about computers"... There's a lot that could be said about that, but for now I'll leave it at "that'd be up to the jury to decide".
Except that depends. If "shared folder" means "folder shared and indexed by a p2p service, such that said service's other users are made aware of the track's availability upon request", then it's more like the GP's example than yours.
Actually it's like the GP's example with a much more effective marketing budget.
I do agree in a literal sense that "merely making available" should not be enough to get a judgement; but I don't agree if you're saying that putting a track on kazaa is "merely making it available".
Right now, it is hard to "prove" that it was you that downloaded their material -- it could be anyone from your ISP with that IP, right?
Not exactly. Yes, the IP may change hands among all users of your ISP; however, at any given point in time, it is in one person's hands, and the ISP knows who that one person is.
IP + time does accurately identifiy the subscriber account used to obtain internet access by the computer being used to, in your example, download copyrighted material. That's not the problem with it -- the problem is that knowing what subscriber account was used doesn't prove who actually infringed the copyright (unless you buy into the idea that TOS can assign all civil and criminal liability with language like 'you are responsible for how your connection is used', which I don't).
Not every digital phone has a camera. Not even every new phone has a camera.
If your old phone meets your needs and you're happy with it, then that's great. It's about to stop meeting your needs, though, so you might as well get over the assumption that nothing new will be able to meet your needs. If you shop around a bit (and it probably won't even take much of that), you'll find that assumption to be false.
If it were done in response to a subpeona and/or in contradiction of the University's normal data retention policies, then probably it would be obstruction of some form.
The university could, as a matter of policy, not keep track of IP-to-student mappings. As soon as an IP address is released, forget it was ever assigned, that kind of thing. They could... but they'd be fools if they did.
What happens if someone uses their network connection to hack other university systems? The logs might show the IP from which an attack originated, but if you're not tracking your IP leases, that's a dead end.
What if someone sends threatening or otherwise harassing messages over the university network? Oh, sure, depending on other aspects of the university's security policy (like how lab computers are configured) it may be possible to do untracably, or maybe not... but if you don't track the IP assignments to students' own computers, you can bet it will be.
On the differences between our government and China's, I agree.
So sue the government. Filing a lawsuit with the aim of outing information about a third party -- or indeed with any aim other than solely to impose just sanctions agains the defense -- is an abuse of the court system.
and losing a ton of it would have caused the shareholders to demand future adheriance to the law
What makes you think the shareholders had (or in future cases would have) any influence whatsoever over a situation like this? Do you imagine a proxy went out saying 'The board recommends you vote in favor of a proposal to comply with an illegal wiretapping program'?
A number of reasons, but I'll stick with the simplest:
You're expecting that punishment creates negative feedback which will change behavior. Whose behavior? "The corporation's behavior?" If you think that, you've bought way too far into the idea of "corporation as an entity". A corporation doesn't act with one will. It also doesn't spend time in prison, and it doesn't pay judgements -- it merely collects them from real entities, like customers or shareholders.
Will the individual(s) who authorized these activities suffer if judgements are leveled against the company? No. It's not coming out of their paycheck. In general if the lawsuit is brought against the corporation the individual actors are shielded from liability. That's a big part of what a corporation (as a legal structure) is for -- it's a liability shield.
Will the government officials who actually initiated the program suffer? No. They're the ones whose behavior you really have to worry about, by the way. Resistance from the telecoms would only have bought time.
I'm not sure which makes less sense to me --
...
1) why you believe you know what I think (beyond what I actually wrote), or
2) why you think it matters whether the program was connected to the war on terror or whether it dates back to a 30-year-old government conspiracy
Perhaps those points would be clearer if you were actually to make an argument instead of just karma-whoring by making vague disagreement with anyone who posts an unpopular view.
"You Sir are a corporate shill."
Your personal opinion of me is fascinating. If you'd like to debate the substance of my arguments, you're welcome to try again.
"At a time where corporate law suits against single citizen's is at an all time high, you suggest that we (the people) should have no recorse against illegal activities of corporations? Just becuase 'someone else' asked them to do it."
I suggest no such thing. Why not debate my specific propositions instead of trying to water them down into over-generalized garbage of your own imagining?
I do suggest (1) that the government isn't just "somebody else" (but I'm sure if the government showed up at your doorstep to spy on your neighbor from your house, you'd put up one hell of a fight against them), and (2) that the corporate entity "AT&T" isn't the legally responsible party given these specific circumstances.
"Absolutely not sir."
Oooh, he called me "sir". That lends great credibility to his statements.
"this is proven they knew it to be illegal, as some companies REFUSED on the grounds of it being illegal"
So if Bob refuses to do something because it's illegal, this proves that Joe knows it to be illegal? Interesting. Far from the truth, but interesting.
Doesn't matter, though; whether any party knew the action to be illegal is immaterial, as ignorance of the law is no excuse. Which is why none of my arguments have anything to do with whether those making the decisions believed they were acting legally or not.
Punishing the telecom companies for cooperating with the government wouldn't actually protect anyone's rights anyway. The grant of immunity is a corollary problem; the root problem is that the government would engage in a warrantless wiretap program to begin with, and until that is addressed we will continue to be short-changed on our rights as citizens.
Simply withholding immunity really just moves the problem around a bit. Now the shareholders of (for example) AT&T bear the cost of decisions they didn't make, approve, or know about. Perhaps they could turn around and file a shareholder suit (on the grounds that AT&T worked against shareholder interests by cooperating with and being held liable for the wiretap program), though I'm told those types of suits aren't very common these days.
While we do hold that "just following orders" isn't a suitable defense for war crimes, I wonder if the balance between the moral/ethical breach of compliance vs. pressure applied by the government is the same in this case. (Do we actually know how much pressure or threat, if any, was used to get the telecoms to cooperate?) I'd see some merit to the argument that liability should be pushed back onto the government itself.
At any rate, I find it surprising that we would expect more backbone out of corporations dealing with the American government than we expect out of them when dealing with, say, the Chinese government. If we tolerate Google "playing by China's rules" when all they stand to lose is their entry into the Chinese market, then why would we expect better of AT&T when they would be running afoul of their home country's government?
What I'd like to see -- and you'll have to forgive me for any imprecision in the details here, as IANAL -- is a John Doe suit filed against the individual(s) within (for example) AT&T who actually made and authorized the decisions to compromise customers' privacy. Naturally those individuals would try to hide behind the shield of corporate liability; I would hope (though I can't remember if it's the case) that taking actions outside of -- and even contrary to -- the corporation's interests would make a case for PCV.
"Methane can be formed by inorganic processes"
And even when that happens, it's still an organic molecule.
"700 degrees Celsius...why are we so sure this completely precludes the possibility of life?"
That may depend on how we define "life". In the sense that life could vary widely from what we know and understand, maybe you're right. Of cousre, if it's not a bit closer to "life as we know it" than that, then we don't know what to look for anyway. Would such life depend on water? Well, not liquid water. It wouldn't be made up of combustable carbon chains, either.
So within the limits of "life based on processes we understand", "life we have a clue how to look for", "life we have a reason to believe is possible", etc., it is safe to assume it couldn't exist in those conditions.
As for the scenario of a company wanting to censor MP3 attachments, they can do so already just by looking for the MIME attachments
Yes, but today for the RIAA to ask for such a concession they have to cut off their own constituants' ability to distribute MP3's in that manner. (And while they aren't doing it today, that doesn't mean they'll never want the option.) Similarly, even without DKIM eBay could ask ISP's to block all messages from eBay, but tehy wouldn't want to do that, would they?
More to the point, today when an ISP blocks content (*cough* comcast *cough*) people notice and get up in arms about it, because it's not a normal and accepted practice. Get the consumer used to the idea that the ISP is "protecting" him or her by blocking "harmful" emails, and suddenly you can get by with a lot more.
It has everything to do with DKIM if filtering is implemented on the network instead of the client.
This article is fine news for non-nerds... but somehow that's not what I hope for around here.
So there's a standard (or collection of standards) coming together to combat phishing. Good, good. How does it work? TFA mentions documents describing how a company signs its messages and how a recipient checks the signature, but no link?
Is it a technically sound signature, with a secret key that can be reasonably protected and no reasonable means to modify a signed message without breaking the signature? Does the verification process involve checking for the latest information from the alleged signer in case a signature has been compromised?
In short, I'd like enough information to judge for myself whether a DKIM-signed message is trustworthy.
Speaking of deciding for myself -- I understand the rationale for ISP-level filtering of unsigned email, but I don't think it's a great idea. At most, I think this should be an end-user-configurable service (and sure, filter by default if you want). When I sign up for service, my base expectation is that messages will be delivered and I can decide what to do with them. Client-side support (conspicuous notification to the user of whether a message is signed and, if so, whether the signature validates and, if so, who signed it) are the way to handle this.
That way, the user can spot any attempt to impersonate eBay (not just instances where the filter decided that the message was trying to look like it came from eBay). Who sets those criteria, anyway? Do you just block messagse with an eBay return address? You'd miss a lot. Do you actually evaluate the content? That borders on giving each DKIM-using company the ability to censor for certain content. ("If it contains an MP3 attachment and we didn't sign it, filter it out!")
"you're nothing but a bunch of sulky bullies spouting trash talk from a safe distance?"
So, the theme of your post isn't bad, but it would be stronger if not for the irony of making the above statement while inviting them to sue someone other than yourself.
Thanks for the reply; quite informative.
My next round of questions and comments would revolve around the proposition that "the user is generally not a threat". I'd divide the world into two types of system:
The Easy Cases: For some systems, I'd say it's clearly and demonstrably true that programs, not users, are the threat. For example, the WinXP desktop sitting in my office at home isn't under threat from any malicious users (and indeed I don't have it set up to take a password), while systems like it are forever being compromised by malicious programs; so that would seem to be the ideal example for the type of system you describe.
The Interesting Cases: I'm guessing that multi-user networked systems probably present the most interesting (and complicated) discussion. These would include a wide range of cases, from sensitive government/military, to business of various sorts, to research and other university systems. Part of the challenge (at least on the surface) is that in the case of an incoming network connection, the distinction between a "user" and a "program" seems a bit abstract.
I wno't try to go too far into those questions without first checking through the resources you've pointed to, which will take me some time. I would note, though, that many industries operate under regulations that require authentication. This may partially be due to bad assumptions on the part of regulators. However, it also points toward a second reason why people use authentication: Sometimes it's not enough to know that an action is authorized; sometimes you have to keep track of who took each action.
In the simplest case, an employer might grant capabilities to a group of employees so that they can do their jobs. But sometimes trust is misplaced, and maybe one of the employees abuses those capabilities for personal gain (some sort of fraud or theft, etc.). You may not be able to stop him from doing it whether by authentication or by controlling capabilities; the question is, how do you investigate after the fact? The traditional answer is to keep an audit trail -- log that Employee X performed actions A, B, and C at such-and-such time.
So, while you can decouple authentication from authorization to a point, I would still think you'd sometimes have to state "user has provided accurate identification" as a prerequisite of authorization (even if the authorization process isn't looking for any particular identity).
Initially, I was going to call out ATM's as an example of a third category in which the user simply couldn't be trusted; but on reflection, I think this is a matter of perspective. Arguably in the age of electronic transactions PIN's, CC#'s, account/routing numbers, etc. are somewhere between authentication instruments and capabilities as it is; the real question then seems to be what form(s) the authorizing information should take and what means should be used to protect it.
That said, I do think these make up a third category in this sense: Although they may be good candidates for a capability-based system, it remains true that I wouldn't generally "trust" a user as far as I could throw him.
In any case, I plan to look into some of the systems you mention, time permitting.
This seems to provide two thigns:
1) It provides a limited degree of authentication of the machine to the user. This is lacking in, say, ATM transactions today (in the U.S. at least), which is one of the concerns the article talks about. However, while this system has the "side effect" of providing the user with some chance of noticing a fake machine (depending on details of how the system were implemented and deployed), it would be better to approach a design with the specific goal of validating the machine.
2) The point they advertise -- it makes it hard to learn anything by watching the person enter the "password".
I see some challenges, and there are definitely some things it doesn't prevent.
Where do the images come from? Each bank (or other institution using this system) has to come up with a library of images for its users, with each image clearly distinct from the others? But wait -- sometimes I use another bank's ATM. So either (1) the machine will have to start by identifying which bank to use and downloading the appropriate images, which reduces the protection against fake machines; or (2) there will have to be a single library of images for all banks.
In a large-scale deployment, there are additional usability questions that aren't captured by a small-scale trial. If someone sets up different passwords for different systems, will they be able to reliably remember which pictures to use where? What if the systems have similar but different images in their libraries? Keep in mind, human associative memory and visual processing interact in very strange ways sometimes.
How will the visually impaired interact with this system? I think I could use it in spite of my eyesight (barring a really poor implementation), but there are others who can't. I expect that to pretty much end the discussion for me.
This is interesting material, and I'm hoping to find time to research the concepts further.
I have to say, though, that this article doesn't answer such questions as "when I approach a machine, how do I establish the capabilities I need for my tasks to be performed?"
In other words, I can see how this would reduce the roll of authentication during a session of activity, but I do not see in most common use cases how you could start a session without an authentication step. If you can persist your system's capabilities in a way that is portable (with the user) and maintains integrity, that would allow your "session" to be arbitrarily long, but:
1) It would still seem that the decision to initially hand the capability to the user has to be made with knowledge of who the user is, and
2) I'm curious how you would go about restoring security were such a persisted capability stolen.