Slashdot Mirror


User: IamTheRealMike

IamTheRealMike's activity in the archive.

Stories: 0 · Comments: 5,855

Comments · 5,855

  1. Re:Does it really matter on Hackers Leak Xbox One SDK Claiming Advancement In Openness and Homebrew · Score: 1

    Yes there were several exploits, but they were all patched with good success up until the very last round, I think. A lot of them were based on glitching attacks and similar. Quite advanced stuff.

  2. Re:Does it really matter on Hackers Leak Xbox One SDK Claiming Advancement In Openness and Homebrew · Score: 0

    It does not matter. Console security systems are designed to sandbox code written with the SDKs, game developers are seen as adversaries for the purposes of security because otherwise a hacked game makes it too easy to "level up" to full control and then piracy. For example an early Xbox 360 exploit was based on replacing an unsigned shader file in a specific game, which allowed arbitrary shader execution and from that control over the CPU.

    The Xbox 360 security system was very impressive and only encountered truly serious problems right at the very end of the console's much-extended lifespan. I've got an interest in computer security so I'm eagerly awaiting talks on how the Xbox One is done, but given the general success of the 360 architecture I suspect the One is very similar, with some tweaks and additional defence in depth.

  3. Re:Not true everywhere on Uber Must Submit CEO Emails · Score: 1

    Anyway at least for Germany I support the regulation and uber being forced to obey it.

    And I suspect that eventually they will, for things like that, unless they are forced out by explicit bans. As you say, most of those regulations are not particularly bothersome ..... although unfortunately trying to fix problems with laws can go wrong so easily. For example if there's a regulation about a working money counter (meter), and Uber drivers don't use meters because the app is doing the calculations instead, then a detail as trivial as that can easily end up causing the whole thing to collapse.

    The problem Uber has is that it's a global brand. When Uber and their drivers do things like ignoring medallion systems in the USA, and get slated for ignoring the law, that impacts their brand in other parts of the world where maybe they aren't ignoring it or are coming into compliance. On the other hand, a global brand gives great economies of scale. I suspect they can't win.

  4. Re:Stick a fork in, Uber is done. on Uber Must Submit CEO Emails · Score: 1

    To be fair, either Uber needs to meet the same requirements as traditional taxi companies, or the conditions need to be lifted for all firms wishing to offer cars and drivers for hire.

    Well, let's face it, the latter isn't going to happen. Last time Uber came up we were discussing India where the regulations spell out how many phone lines you need going to your (New Delhi based) HQ. The people running taxi licensing there hadn't even heard of Uber before some local media blowup. Taxi licensing is so sclerotic, so fragmented and so beholden to the existing taxi companies that the chances of the system reforming itself appear to be zero.

    That leaves option (1), Uber complying with the existing regulations. There are two different issues here.

    One is, do Uber customers get the same protections that customers of existing taxi companies do? Although I've never used Uber, from what I can tell the answer seems to be yes ... at least in that Uber polices their drivers for scamming and other poor service. The commercial insurance issue seems still unresolved, but I read conflicting things about this. But I see no evidence that local government regulators can do a better job of policing drivers than Uber, and frequent evidence that they cannot.

    Two is, do the regulations Uber ignore even make sense? Frequently the main regulation they're violating is lack of a license, which is not itself any consumer protection at all. In a lot of American cities licensing seems to have become some kind of horribly corrupt and utterly unreformable racket. To get upset about Uber drivers ignoring the New York medallion system for example, you would have to believe that law is the same as morality and that driving without a medallion is ipso facto unethical, as opposed to "just" illegal.

  5. Re:Medium.com on Why Aren't We Using SSH For Everything? · Score: 0

    Medium doesn't have ads, so I'm not sure where you're going with that ...

  6. Re:Medium.com on Why Aren't We Using SSH For Everything? · Score: 2

    What's wrong with Medium? It's essentially just a blogging platform, right?

  7. Re:This is nothing new for me. on 2015 Means EU Tax Increase On Cloud Storage, E-books and Smartphone Applications · Score: 1

    It's not quite that easy. You need multiple sources of evidence, you need up to date feeds of VAT changes from every EU authority, and then you need to (unless your local government does it for you) fill out tax returns for every EU country, assuming you have customers all over the place.

  8. Re:$1B in new tax revenue! on 2015 Means EU Tax Increase On Cloud Storage, E-books and Smartphone Applications · Score: 1

    I am not yet aware of equivalents to the UK VAT MOSS in other countries, though I'm sure they'll get it together. But bear in mind by registering with the MOSS you forfeit your "too small to matter" VAT registration exemption. And you still have to collect all the evidence. There are other catches too that I don't remember. But mostly it doesn't help anyone not in the UK.

  9. Re:Anyone can intercept SSH some of the time on Snowden Documents Show How Well NSA Codebreakers Can Pry · Score: 1

    They have fake certificates from trusted authorities for some major sites

    I believe at this point I have read all Snowden documents, especially all that are relevant to SSL. Only one of them has even mentioned fake certificates, and that was a GCHQ presentation saying that they spotted the Iran attack using the hacked DigiNotar certs in their metadata databases.

    So far there is zero evidence that western ICs are compromising certificate authorities. I know that this was the favourite conspiracy theory of the last ten years, but Snowden happened, and it turned out to be false.

    What there is LOTS of, is talk about stealing the private keys through hacking and decrypting TLS intercepts that way.

    We know that GCHQ loves doing the latter, so it's a question of working out which certificate authorities have been compromised and deleting them.

    You are referring to QUANTUM INSERT. There is no requirement to break SSL for this system to work, because it relies on browser exploit kits. It just waits until you visit a non-SSL-protected website (any will do) and redirects you to an exploitation server.

    That said, I anticipate that NSA/GCHQ might be tempted to start using forged certificates in future as strong TLS becomes more widespread and they keep losing visibility into consumer web traffic. There wasn't much incentive until now because most encrypted traffic they cared about is VPN traffic where there are no CAs anyway, it's all pre-shared keys. But this is what certificate transparency is for. It forces CAs to make public logs of all certificates that can then be data mined by anyone.

  10. Re:Ooh, I Have An Idea! on MIT Unifies Web Development In Single, Speedy New Language · Score: 1

    Speak for yourself. Hating on HTML and web tech because you're bad at it is the lamest of the lame excuses. My users much prefer our HTML GUI over our shitty old desktop apps

    Sounds like you're hating on desktop apps because you're bad at them .... though certainly that's a common problem.

  11. Re:Same goes for upper management? on Paul Graham: Let the Other 95% of Great Programmers In · Score: 1

    Upper management are making these arguments because they're afraid of exactly that - if they can't hire the best people, their competitors will and their company will lose out (i.e. they will lose out).

  12. Re:Wrong on the guns on Bitcoin Exec To Spend Two Years Behind Bars For Silk Road Transactions · Score: 3, Informative

    Silk Road did a spinoff where guns were being sold as the primary goods (the Armory) and they closed it because it wasn't profitable enough.

  13. Re: Sorry, not corporate enough. on Bitcoin Exec To Spend Two Years Behind Bars For Silk Road Transactions · Score: 3, Informative

    You're probably unaware that the GP specifically used 'HSBC' because they were caught laundering trillions of dollars of drug money and nobody was indicted.

    He probably isn't unaware of that. He may well have actually read the indictment itself or a detailed summary of it, which made clear that the US case was very weak to the point of hardly working at all. In particular, not only did they fail to clearly establish that drug money was really moving (their case was "there is so much cash, some of it must be from cartels") but in particular they failed to show intent by HSBC execs to help drug cartels. Actually their case boiled down to HSBC didn't try hard enough, they weren't suspicious enough, etc. (I'm ignoring the Iranian transactions here, which get into issues of international jurisdiction, as you only brought up drugs).

    The reason you think they are guilty is twofold. Firstly US anti-money-laundering laws are unbelievably extreme. The PATRIOT Act removed the need to have intent to be found guilty of money laundering. Bankers can now be found guilty of AML violations even if they genuinely tried hard and had no intent to break the law. Hence the accusations from the DoJ that were of the form "HSBC should have designated Mexico as high risk", etc. Secondly as part of the plea agreement HSBC had to act guilty and accept whatever the DoJ said about them. So you only heard one side of the story, the prosecution's side (except there was no court case). No surprises that you think the whole thing is cut and dried.

    It's no crime to be ignorant of such things, but just try not to hold any policy positions on the subject.

    Given that there was never any court case and HSBC was never able to defend themselves, pretty much everyone is ignorant in this case because we never heard the full story. But I'm pretty sure if DoJ had emails from HSBC execs that looked like the ones from BitInstant there would indeed have been prosecutions.

  14. Re:Under US Jurisdiction? on Eric Schmidt: To Avoid NSA Spying, Keep Your Data In Google's Services · Score: 1

    No but if you got a government request for your keys you'd know about it.

    The government "request" would come in form of customised malware and you'd never even know you got hacked.

    If google gets such a request you wouldn't know you were compromised.

    You aren't gonna know, no matter what.

    It isn't like they are sending l33t hackers to break in and get the data.

    Schmidt isn't an idiot, despite how the press like to portray him via selective quoting (note that TFA does not provide much context for this quote). When he says Google is the safest place to put your data, he's probably comparing Google to other companies that provide similar services, not some hypothetical fully self hosted system - bearing in mind self hosting of email is rapidly going the way of the dodo even in business situations (it died for home email a long time ago).

    Given that Yahoo still have not fully deployed SSL everywhere let alone encrypted their internal datacenter links, and if Microsoft have a similar effort they aren't talking about it, there's some evidence that he might be right. After all, if you get a government warrant for your data you're just as stuck as Google is: not much you can do about it. On the other hand, you are unlikely to secure your infrastructure as well as Google does.

  15. Re:Under US Jurisdiction? on Eric Schmidt: To Avoid NSA Spying, Keep Your Data In Google's Services · Score: 1

    But Google makes money from targeted advertising

    Google makes significant sums of dough from paying corporate customers who use Google Apps. These clients can switch off advertising if they like. These are also the places where some of the most sensitive data is stored.

    So Google have both the financial means and incentive to solve the end to end crypto problem for such clients. The difficulty is not financial. It's technological. Matching even just the feature set of Gmail with end to end crypto is insanely hard, and that's before you hit the "everything is a web app" problem.

  16. Re:Under US Jurisdiction? on Eric Schmidt: To Avoid NSA Spying, Keep Your Data In Google's Services · Score: 2

    The point of forward secrecy is there are no such keys to seize. The "master keys" are only used for identification, not encryption. So whilst a gov could theoretically seize Google's keys, this does not help them decrypt wire traffic. They'd have to do a large MITM attack, and to get everything? They'd have to decrypt and forward ALL Google's traffic. Not feasible.

    Good use of applied cryptography means that realistically the only way for a government to get data out of it means requesting it specifically from the providers. In places where the warrant system has been vapourised (which certainly includes the USA and UK), this might not seem like much, but it does help prevent fishing expeditions.
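The handshake shape the comment describes, as an added Go example (not code from the comment or from any Google product): a long-term ECDSA identity key signs a per-session ephemeral ECDH public key, and the traffic key is derived from the two ephemeral halves only, so the identity key is never an input to it. All function names are mine, and SHA-256 over a constructed label stands in for a real KDF such as HKDF.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// ServerHello carries a fresh ephemeral ECDH public key plus a signature over
// it by the long-term identity key. The identity key's only job is to prove
// who sent EphPub; it never takes part in deriving the session key.
type ServerHello struct {
	EphPub []byte
	Sig    []byte
}

// NewIdentityKey makes the long-term signing key, the seizable "master key".
func NewIdentityKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// ServerStart creates a one-time ECDH key and signs its public half.
func ServerStart(identity *ecdsa.PrivateKey) (*ecdh.PrivateKey, ServerHello, error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, ServerHello{}, err
	}
	digest := sha256.Sum256(eph.PublicKey().Bytes())
	sig, err := ecdsa.SignASN1(rand.Reader, identity, digest[:])
	if err != nil {
		return nil, ServerHello{}, err
	}
	return eph, ServerHello{EphPub: eph.PublicKey().Bytes(), Sig: sig}, nil
}

// ClientFinish verifies the server's signature with the long-term public key,
// then derives the session key from ephemeral material only. It returns the
// session key and the client's ephemeral public key to send back.
func ClientFinish(serverID *ecdsa.PublicKey, hello ServerHello) ([]byte, []byte, error) {
	digest := sha256.Sum256(hello.EphPub)
	if !ecdsa.VerifyASN1(serverID, digest[:], hello.Sig) {
		return nil, nil, fmt.Errorf("server identity signature invalid")
	}
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	key, err := SessionKey(eph, hello.EphPub)
	return key, eph.PublicKey().Bytes(), err
}

// SessionKey derives the traffic key from the two ephemeral halves. SHA-256
// over a constructed label and the shared secret stands in for a real KDF.
func SessionKey(mine *ecdh.PrivateKey, peerPub []byte) ([]byte, error) {
	peer, err := ecdh.P256().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	shared, err := mine.ECDH(peer)
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256(append([]byte("demo-session-key"), shared...))
	return sum[:], nil
}

func main() {
	identity, _ := NewIdentityKey()
	srvEph, hello, _ := ServerStart(identity)
	clientKey, clientPub, _ := ClientFinish(&identity.PublicKey, hello)
	serverKey, _ := SessionKey(srvEph, clientPub)
	// Once both sides drop their ephemeral private keys, nothing that can be
	// seized later (the identity key included) reproduces this session key.
	fmt.Println("session keys match:", string(clientKey) == string(serverKey))
}
```

A seized identity key only lets its holder sign new ephemeral keys, i.e. run a live man-in-the-middle from then on, which is the large-scale MITM the comment says is infeasible against all of Google's traffic.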

  17. Re:Not sure who to cheer for on Fraud Bots Cost Advertisers $6 Billion · Score: 1

    Thus spake sexconker, on advertising-supported Slashdot, which he has been reading and posting to for five years.

  18. Re:Here come the certificate flaw deniers....... on New Destover Malware Signed By Stolen Sony Certificate · Score: 3, Informative

    In practice, a certificate is nothing more than a long password

    Fail. A certificate contains a public key. This is nothing like a password. You're thinking of a private key. The whole point of a certificate is that you can prove your identity to someone without sending them your password.

    Unlike the password in somebody's head or even on a sticky note behind the monitor, these certificate files can often be stolen remotely!

    Double fail. Firstly, nobody actually steals certificates. Certificates are public. When someone says something was signed with a "stolen cert", what they actually mean is "stolen private key the public part of which is contained in a certificate signed by a trusted third party", but that's a mouthful, so we simplify and say "stolen cert".

    Secondly, private keys can and absolutely should be protected with a password! Or they can be kept in special hardware. However, as you may have noticed, Sony got pwned pretty hard so presumably whatever private key was stolen either had no password, or they were able to just keylog the password when it was used.

    These people are a joke.

    The joke is on you ..... certificates are not a replacement for passwords and if you think they are, you didn't understand what they're used for.
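To make the public/private split concrete, here is an added Go example (not from the comment, and nothing to do with Sony's actual signing setup): it builds a self-signed certificate, then shows that verifying a signature needs nothing but the certificate, while producing one that verifies needs the private key. The publisher name, the artefact bytes and all function names are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Identity is what a code signer actually holds: the certificate, which is
// public and safe to hand out, and the private key, which is the secret.
type Identity struct {
	CertDER []byte
	Priv    *ecdsa.PrivateKey
}

// NewIdentity creates a self-signed certificate for the demo. A real
// publisher's certificate would be issued by a trusted CA instead.
func NewIdentity(name string) (*Identity, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, err
	}
	return &Identity{CertDER: der, Priv: priv}, nil
}

// Sign needs the private key: this is the part an attacker has to steal.
func Sign(priv *ecdsa.PrivateKey, artefact []byte) ([]byte, error) {
	digest := sha256.Sum256(artefact)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Verify needs only the certificate: it parses the DER and uses the public
// key inside, which is all a certificate carries.
func Verify(certDER, artefact, sig []byte) (bool, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return false, err
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return false, fmt.Errorf("unexpected key type %T", cert.PublicKey)
	}
	digest := sha256.Sum256(artefact)
	return ecdsa.VerifyASN1(pub, digest[:], sig), nil
}

func main() {
	publisher, _ := NewIdentity("Example Publisher")
	artefact := []byte("constructed sample installer bytes")
	sig, _ := Sign(publisher.Priv, artefact)
	ok, _ := Verify(publisher.CertDER, artefact, sig)
	fmt.Println("signed with the publisher's private key:", ok)
	// Holding only the (public) certificate lets nobody sign as the publisher.
	other, _ := NewIdentity("Someone Else")
	forged, _ := Sign(other.Priv, artefact)
	ok, _ = Verify(publisher.CertDER, artefact, forged)
	fmt.Println("signed with a different private key:", ok)
}
```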

  19. Re:Culpability? on Uber Banned In Delhi After Taxi Driver Accused of Rape · Score: 1

    More news (seems this story is unfolding right now) - apparently the driver did NOT have a prior conviction for rape at all, but in fact had only been arrested due to an accusation. So it seems that the first possibility was the correct one, and there's really nothing that could have been done here (unless you believe anyone should be able to ban anyone else from being a taxi driver for life with nothing more than an accusation).

  20. Re:Culpability? on Uber Banned In Delhi After Taxi Driver Accused of Rape · Score: 3, Informative

    W.r.t. background checks, someone on Twitter has found a photo of a notarised police certificate stating the guy has no criminal record. So either whoever reported he has one is lying, or the police verification process in India is as unreliable as people say it is.

    Regardless, I expect it will make little difference in the court of public opinion.

  21. Re:Culpability? on Uber Banned In Delhi After Taxi Driver Accused of Rape · Score: 1

    If that is the case, and the guy came up clean but yet still went on to do X, how is Uber any more culpable than a taxi company hiring a cabbie with no record, who subsequently goes out and does X, or a tour company hiring a bus driver with a spotless background, who nonetheless does X?

    They aren't. But it seems like there's a new trend in town - when a foreign tech company could potentially have guessed that someone using their service might potentially have done something bad, they're automatically at fault. See: Facebook and Lee Rigby in the UK.

    In this case, the logic seems fairly simple - the guy apparently had a prior conviction for rape, thus, should not be allowed to be a taxi driver. If Uber had checked then the rape wouldn't have happened (assuming it did). The problem is the guy's prior conviction was also for raping someone in a taxi cab, so obviously this isn't a solution to all such problems because there's always a first time. Another problem is that I've read India doesn't actually have a national conviction database system, indeed they barely have a coherent national identity scheme at all (I remember reading about programmes to try and introduce biometric identity nationwide to fix this but it's a huge job). Apparently the way you do a background check is walking in to the local police district office and asking. If the crime happened elsewhere, tough luck. For anyone who knows the real situation in India, I'd be interested to know if this is true.

    Anyway, even with reliable background checks, you can quickly end up in a situation like the USA where former felons cannot get jobs anywhere (see recent /. story about this problem), and then you get rules like in Europe where former convictions get wiped from the record after a few years to stop that happening, so there are no solutions that make everyone happy.

  22. Re:Who cares on How the Rollout of 5G Will Change Everything · Score: 0

    you think they put in the caps because they don't have enough bandwidth coming from their towers? you, sir, are sadly mistaken. they do it for one reason. PROFIT.

    Do you think radio spectrum is an infinite resource?

    Mobile networks absolutely have capacity constraints, often very complicated ones that exist in multiple dimensions or vary by region. But that'd be too complicated for people to deal with, so we end up with an approximation of 1 or 2 GB/month. Which by the way is very standard across the developed world. In Switzerland most carriers are also providing this sort of quota and there are several competing, with a new one (UPC) just entering the market now. They are all doing roughly the same thing, although I'm sure they could hoover up customers by offering a lot more bandwidth for the same price. For what most users are doing on the move 1G is currently enough and giving everyone lots more quota would simply result in a small number of people doing craploads of torrenting or downloading multi-gigabyte operating system updates over the air instead of over wires.

    You can sum up this situation as "PROFIT!!!1!" if you like, but in reality the market is just optimising for resource usage - building more towers and more backhaul and more core routing capacity so a tiny number of users can chew up 10 GB/month instead of 1 GB/month is just not a good use of limited resources.

    Still, bandwidth quotas have gone up over time as technology improved. Remember the days when 3G was new? I wrote a J2ME app back then and we counted every last byte.

  23. Re:This is clearly futile... on Google Told To Expand Right To Be Forgotten · Score: 2

    If there was a public blacklist, then it'd be easy to build a search engine specifically for blocked content that ran outside the EU, and thus the entire scheme would work even less well than it already does.

    What the EU court has set in motion here leads, eventually, to either a Great Firewall of Europe, or the EU getting to perform global censorship against everyone. Neither outcome seems plausible, so, what next?

  24. Re:This is clearly futile... on Google Told To Expand Right To Be Forgotten · Score: 2

    What's going through their mind is this - we are politicians and regulators. We are in charge. If our power is being challenged by a corporation, we need to slap them down as hard as possible, as fast as possible, so we remain the top dogs. We are not concerned with minor technical details that boffins like to witter about: we are the Democratic Representatives of The People and that means we must be obeyed!

    The way this stupid "right" will play out was clear from the first moment the ruling was made. Lots of people with things to hide will try and get their misdeeds erased (check). Google will try and keep its results as uncensored as possible (check). EU will get pissed off that circumvention is easy and try to force them to perform global censorship (check). IP address based filtering will be implemented (not yet). Then people in America set up dedicated proxy sites so people in Europe can search uncensored (not yet). Then the EU will get mad and tell Google to drop the results from all search results, everywhere (not quite yet). And then there's going to be a big fucking showdown and we'll learn who needs who more. Or perhaps the UK will beat the EU to it with their parliament's retarded "Facebook should implement Minority Report" policies.

    Whatever happens, it's looking more and more like there's going to be a big fight, either over this or spying, or both. Politicians are running scared because they suspect when forced to make the choice, a significant number of their citizens would side with Google/Facebook/WhatsApp/Apple over them .... and if you're a politician, that attacks the core of your power and identity. They won't be able to tolerate that.

  25. Killer features? on Revisiting Open Source Social Networking Alternatives · Score: 3, Interesting

    Here's the tricky thing about privacy and social networks: Facebook's privacy support is actually pretty good. Whilst people might tell you in the abstract that they want more privacy from Facebook, figuring out what they would change in concrete terms is very hard. For example, they might say "I don't want to see ads" - but given the choice, they don't want to pay for anything either. So this feedback ends up being pretty useless, equivalent to hearing "I want everything and a pony". It's not a basis for a product.

    Google learned this one the hard way with Google+. The original way Google+ tried to differentiate itself from Facebook was with circles. The idea is, Facebook's relatively singular notion of "friend" doesn't reflect the way real people work, this means it doesn't respect people's privacy and so people use the product less .... therefore by giving them better tools, they'd win a lot of users. Facebook responded that they'd tried the same thing, it turns out people don't like making lists of friends and controlling their sharing at a fine grained level, so it wouldn't work. And guess what? Facebook were right. Sure, you interview people in focus groups and they say one thing. In reality they might do something else.

    So - decentralised open source social networks. Not gonna work. People might sound enthusiastic when you pitch it to them in the abstract, but actually Facebook works fine for them, and the kind of privacy that matters to them (can people see who views their profile?! Can my parents see my drunken party pics?) is already well supported and tuned.

    Ultimately what will do off Facebook, eventually, is a change in how people use social networking that for whatever reason they cannot replicate in their main product.