Just because I don't trust the government, doesn't mean I'm part of, or sympathetic to, the radical right and the racists
No, just a "patriot," I suppose. The sort of patriot that hears the word "government" and immediately thinks "barcode tattoos." Who needs to bother with actually understanding what's being talked about, when you can tell folktales about black helicopters, Tacmars, security checkpoints, and the "fascism" of the United States government? Your hyperbole was one step too far, friend.
Then why'd you even mention source code? And how does this conclusion differentiate any phone from any other?
However, insofar as source code can be trusted, which is to say that it can at least be partially trusted, or at least more trusted than a binary with no available source code
Uh, how? Do the lines that are open source rub off magical user-self-interest pixie dust on the lines that aren't? What's going on here is typical lazy, muddle-headed open source fanboyism: yes, this code isn't trustable and I don't know what it does, but the brand name it's sold under claims to be open source, even when it isn't, and I think Google is just super, even though I bought my phone from someone else and they just silkscreened Google's logo on the back, so it should get brownie points!
"Please provide all of the information for the following IDs, and it's national security, so you can't tell anybody".
Is the system now really such an impediment? Does the fact that you login as shubniggurath34 on one site by joewilsonATgmail on another really give you any measure of security or compartmentalization? If you want to prevent the government from taking data without a warrant you have to pass a law forbidding that; relying on the complexity of the internet login system to obfuscate your identity is just that, security through obscurity. The fact that the government abuses its powers, and the fact that any crook can steal your credit report if they know your SSN and mother's maiden name are unrelated issues, and I personally am not willing to tolerate the latter in the (basically illusory) hope of frustrating the former.
And, of course, when it's illegal to have an account on one of those sites which isn't tied to this ID, then it will be impossible/illegal to have an ID with which the government can't track you nice and easily. Line up and get a tattoo for them to make it easier to track you as you go through the checkpoints, citizen.
There already are, and they're shared amongst all big players. This is just intended to make it easier to link them together.
But you're doing business with Amazon, somebody you're doing business with has a right to record what you buy. I'm talking about companies that have no right to this data collecting it anyways, because they manage to make their authentication platforms defacto standards without any regulation over what they're allowed to collect. A rule that says Google has no access to your purchases through it's authentication platform is a good rule; if they want this data they should have to buy it from Amazon in a free exchange like anything else, instead of using it's gatekeeper power to dictate terms onto counterparties.
My local LDAP server does not look at my amazon recommendations before letting me log in, it just checks the password. So.. revamping the detailed procedures of the authentication department will affect the market analysis and targeted advertising departments exactly how?
This is for mapping a login to a human being; your LDAP is for mapping a login to privileges. It's two different problems; nobody was ever able to open a credit card account with an LDAP record. As long as you aren't bothered with mapping something to a particular human, this has nothing to do with you.
So, rather than logging in locally and then freely trading marketing data, we'll have a complicated authentication system after which we'll freely trade marketing data.
Why is it wrong to buy and sell marketing data? It's a free exchange -- instead of the current trajectory, where you simply won't be able to do business without incumbent authentication systems, wether they are Verisigns, Googles, or Facebooks, using their clout to force counterparties to share their data.
This does not solve the problem, only multi-lateral web of trust does that, ie PGP or X509 keys signed by your counterparties
Nobody will ever accept this system unless you force it on them with laws, the power of laziness is just too strong.
Google "Swiss Sign" to see how to it right, respecting citizens privacy
I did. You have to buy your identification from the Swiss post office for 65 francs, the post office digitally signs your cert after you bring your government ID card to a post office for visual inspection, and then they issue you a PIN-locked USB key. This is your "multi-lateral web of trust"?
So what, exactly, is the societal benefit of the governments new ability to directly compile a secret list of everyone whom purchased Noam Chomsky's "Manufacturing Consent" from Amazon, over the current system where they merely order Amazon to do it for them, or buy the info from commercial marketing databases?
What are you talking about? Under the NSTIC proposal nobody keeps this data except for the person you bought the book from. There is no central database, there is no government database, there is no private database -- someone who wants to make that connection has to ask the person who sold the book to disclose the information, and if they want to bind it to a credit card they have to ask the credit card company to disclose their map of accounts to names.
What this is trying to head off is a completely private single sign-on, like Facebook or Google's OpenID platform, which would want nothing more than to become your one-stop shop for personal authentication on websites and for financial transactions, because under current law it means they are permitted to track and record all of that information and use it to market services to you. If the government is able to mandate a system where this information is unavailable to authentication providers, it will improve privacy by keeping your personal data OUT of third-party "authentication brokerages" and databases.
this baroque byzantine proposal
It's forty pages, big type, and no math. It's far shorter, and much more readable, than the PGP RFC. I guess this sort of lazy argument is typical around here, though -- simply assert your desired truth with a glibertarian eye-roll, and do it loudly enough, and that which you wish to be true will eventually become the CW.
...Where a link to an article about computer credentials can become an 800-count thread where people don't talk about the article, and prefer to spin yarns about Hangar 18 conspiracies all the while claiming the exact opposite of what's actually going on.
“That’s what a lot of people feared — that the government was going to take REAL ID and put it on the Internet and be able to track everybody’s Internet activity,” Stepanovich said.
That is not what’s contained in the NSTIC proposal, to the relief of privacy advocacy groups.
The government has set out principles — chief among them “choice, efficiency, security and privacy” — more than mechanics. But the basic idea is that you could have your offline identity verified online by a company of your choosing. That company would then provide you with a single credential you could then present (when you don’t want to be anonymous online) to Amazon, or VA.gov, instead of having to re-establish that you are who you say you are with every online transaction.
The device carrying your credential — a flash drive, a cellphone, a smart card of some kind — would authenticate itself, rather than referring Amazon to the company that vouches for you. Amazon would know the buyer was secure, and the credential would know it was communicating with a bookseller, but the authentication provider would never learn that you just bought Bob Woodward’s new book.
You can see why private industry would hate this proposal: it robs third parties of the ability to collect advertising and customer data through user authentication. So naturally they'll use scaremongering and useful idiots civil libertarians to claim this isn't what it is, and that we're much better off with a completely private system with no rules as to who can collect what data about what.
Derp. The key that encrypts an iPhone backup isn't on the system; you have the option to keep it in your user Keychain, but that's encrypted by your login password.
In the case of Android, there's also the source code itself.
Unless you compiled the code yourself, or are running a binary signed by someone in trust, having some source code that purports to be what you're running is no defense, and the Android vendors are at liberty to add this kind of behavior if it suits them, and they are under no requirement to publish the source of their changes.
That's a little naive. It was non-voting shares, at a time when Apple was basically dying and had very little to give MS in return, aside from merely existing as a useful argument for Microsoft to use in its anti-trust case.
Apple kept their suit going until the war was long over, but Apple only dropped the case after Microsoft gave them $150 million and MS gave assurances that they would continue to develop Office on the Mac (both companies had their own reasons for this arrangement, granted).
Because nobody is going to force you to use a bank, shop on-line, or send email that will actually make it to somebody else's inbox. Sorry about all those on-line government services that you won't be able to use. You can always hike to one of the brick-and-mortar offices and present your papers in person.
Freedom isn't free. If you really want to live a life unfettered by a verifiable identity, that choice has real consequences for the sort of lifestyle you can enjoy, the sort of trust others will be willing to grant you, and the sort of financial transactions people will be willing to make with you.
"the organizational/economic incentives side of this is pretty much certain to be totally, utterly fucked"
The two ways you can approach incentives are (1) make the penalties for data breaches much more severe, to the extent that private companies that keep personal data must safeguard it, and (2) make a bunch of rules that govern how personal data can be collected and used, how much information you need in order to consider a transaction bona fide. Both have their limits -- make (1) too strong and you'll scare companies off the Internet, because data breaches are unavoidable. Get too crafty with (2) and you might make compliance so complicated you'll also scare companies out of offering services.
A real question is, do people actually need secure online identities that map to real humans? It's pretty clear that you absolutely need secure ways to map information to checking account numbers, credit cards, facebook profiles, host logins, all that good stuff, but do you need something that ultimately points to a person? If you do then there's a huge potential for rent-seeking, since the identity and your sole right to use it is a kind of patent, a created and indefeasible proprietary interest, something you can't do without, and is only useful insofar as protected by state power. Whenever you're forced to use something that must be maintained and cannot be disposed of or sold, you're in rent territory.
The best way to avoid these is with localism and webs of trust. It'd be great if our credit card companies all staged keysigning parties and only corresponded with us in signed emails, but most people don't understand the technology, and most people don't really understand how *trust* works. They just want something simple and for someone else to make it safe for them, thus the government has gotten involved. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (Darwin)
What he fails to mention is that only 11% of that 8.1 million were internet or technology related while over 43% were due to theft of purse or wallet, another large chunk were the result of dumpster diving or other unsavory methods.
It works both ways though: you can create an online account or forge the identity of someone else with nothing more than what is in a wallet. People dumpster dive or steal wallets, and then use the Internet to create false accounts with the information in a wallet or discarded credit application. The problems with validating identity allow a thief to turn a stolen wallet into a stolen identity, this shouldn't be possible and regulation is a good way of addressing this, for example by forbidding businesses from using SSNs as record identifiers, or requiring three-factor auth for credit transactions.
The document in the TFA proposes no central repository or government database, and proposes a private system that's only regulated by the government to prevent fraud and set minimum standards. Your characterization of the proposal is a strawman.
After reading the document, there really aren't any system requirements, specific technology or any kind of actual implementation, all it really does is set out some goals and establish a certain vocabulary. It's utterly anodyne and will probably die before being considered because it sets out concrete goals for private companies that handle identifying data:
Limit the collection and transmission of information to the minimum necessary to fulfill the transaction’s purpose and related legal requirements;
Limit the use of the individual’s data that is collected and transmitted to specified purposes; Be accountable for how information is actually used and provide mechanisms for compliance, audit, and verification; and Provide effective redress mechanisms for, and advocacy on behalf of, individuals who believe their data may have been misused
Surely this is the thin end of the wedge of tyranny.
Uh, people own those shares, it isn't like they just hand them over to whoever offers money that moment. Any attempt to purchase would drive up the price of the shares; if holding your shares in the face of the proxy fight would eventually mean you'd be converted to a Google shareholder, the price could be driven up significantly.
Vision of things to come: Google A&R guy brings $85,000 check to local garage band, tells them to spend it as they please to promote their band, but to make sure to remind their audiences that their band is only "in beta" and that their presence at the event has already been reported to Google Buzz and AdSense.
The notional value would probably be in the hundreds of millions of dollars, at least. You can be certain the contracts will be valued at their strict letter-of-the-law value, and not the customary we-lost-the-radio-logsheets-in-the-mail-and-you-owe-us-surprise-touring-expenses value.
And maybe you won't be able to buy them -- you're not just taking away their money, you're taking away the prospect that them or anyone who does what they do will be able to make that sort of money again. That's a pretty awful precedent for even a craven hack to countenance.
Host a completely free website for artists. They can post new songs that the artists own the copyright, sell them on the site, 100% revenue go back to the artists.
Behold, it will be called MYSPACE 2.0!
If Google doesn't offer some sort of marketing enhancement they aren't really bringing much to the table that people can't also get at BandCamp, Cdbaby etc.
And as long as the dictator remains benevolent, he can allocate resources in a way that makes sure the problem stays solved.
I'm for planning for things like health care provision and military expenditure, bridge building, public goods, all that stuff. But this is about deciding how musicians get paid -- that's what record labels do, they're negotiating for on behalf of the rights holders and royalty beneficiaries.
Do we really want to pay artists through a command economy? Are music consumers really so stupid they need to be "protected" from paying high prices for a CD by a paternalistic super-distributor? I mean, if Google owned "all" of the record labels this would be the result, and if you didn't agree to Google's rates your music would not be sold.
This is just a bad solution to a bad problem, and would make Google the biggest benefactor and advocate of copyright extension. Copyright extension is the problem, solve that.
The libraries aren't broken, that's what Google wants. The good music is stuff that's older and established, and for Google to stream that they have to make a deal with the labels, who aggregate the key rights holders.
All Google has to do is BECOME a music label, by offering better contracts, more royalties, better artists rights, world wide reach, world wide digital distribution.
Big G could care less about new music, artists have to be found, promoted, and then once they finally get popular they just start their own labels and sell the music themselves. Nobody wants to get into the recording industry now, all of this wrangling is over music that the record companies hold the key distro rights to. Because of utterly destructive copyright extensions in the US, the music business is now 95% about controlling library rights and 5% developing new acts. Occasionally there are co-branding deals with retail outlets a la Paul McCartney and Starbucks, but these are just for sales, not for distribution, no "big acts" worth their beans ever signs away rights, let alone to a Google.
What does Google know about entertainment promoting? That's what production is now; it isn't just as easy as putting up a ton of music on YouTube, 90% of music promotion is telling people what to like, and Google has shown very little skill at consumer marketing or trendsetting; just because they know how to get millions of people to use free stuff doesn't mean they can figure out how to sell people coolness, hipness or identity. You suggested they market music, and "selling cool" is what marketing music is.
Yes, they treat advertisers quite well. They treat cellular providers quite well, too; maybe you have to jailbreak Android phones, and maybe they use OHA membership as a kudgel to restrict competition in the handset market, but that's what the customers, the Samsungs, HTCs, and Verizons, want. Protip: Google's free services don't have customers, they have users; it's a critical distinction. Search Google's help documetns and you will never find a Gmail account holder referred to as a "customer."
Slashdot Mirror
No, just a "patriot," I suppose. The sort of patriot that hears the word "government" and immediately thinks "barcode tattoos." Who needs to bother with actually understanding what's being talked about, when you can tell folktales about black helicopters, Tacmars, security checkpoints, and the "fascism" of the United States government? Your hyperbole was one step too far, friend.
Then why'd you even mention source code? And how does this conclusion differentiate any phone from any other?
Uh, how? Do the lines that are open source rub off magical user-self-interest pixie dust on the lines that aren't? What's going on here is typical lazy, muddle-headed open source fanboyism: yes, this code isn't trustable and I don't know what it does, but the brand name it's sold under claims to be open source, even when it isn't, and I think Google is just super, even though I bought my phone from someone else and they just silkscreened Google's logo on the back, so it should get brownie points!
Is the system now really such an impediment? Does the fact that you login as shubniggurath34 on one site by joewilsonATgmail on another really give you any measure of security or compartmentalization? If you want to prevent the government from taking data without a warrant you have to pass a law forbidding that; relying on the complexity of the internet login system to obfuscate your identity is just that, security through obscurity. The fact that the government abuses its powers, and the fact that any crook can steal your credit report if they know your SSN and mother's maiden name are unrelated issues, and I personally am not willing to tolerate the latter in the (basically illusory) hope of frustrating the former.
Turner Diaries much?
But you're doing business with Amazon, somebody you're doing business with has a right to record what you buy. I'm talking about companies that have no right to this data collecting it anyways, because they manage to make their authentication platforms defacto standards without any regulation over what they're allowed to collect. A rule that says Google has no access to your purchases through it's authentication platform is a good rule; if they want this data they should have to buy it from Amazon in a free exchange like anything else, instead of using it's gatekeeper power to dictate terms onto counterparties.
This is for mapping a login to a human being; your LDAP is for mapping a login to privileges. It's two different problems; nobody was ever able to open a credit card account with an LDAP record. As long as you aren't bothered with mapping something to a particular human, this has nothing to do with you.
Why is it wrong to buy and sell marketing data? It's a free exchange -- instead of the current trajectory, where you simply won't be able to do business without incumbent authentication systems, wether they are Verisigns, Googles, or Facebooks, using their clout to force counterparties to share their data.
Nobody will ever accept this system unless you force it on them with laws, the power of laziness is just too strong.
I did. You have to buy your identification from the Swiss post office for 65 francs, the post office digitally signs your cert after you bring your government ID card to a post office for visual inspection, and then they issue you a PIN-locked USB key. This is your "multi-lateral web of trust"?
What are you talking about? Under the NSTIC proposal nobody keeps this data except for the person you bought the book from. There is no central database, there is no government database, there is no private database -- someone who wants to make that connection has to ask the person who sold the book to disclose the information, and if they want to bind it to a credit card they have to ask the credit card company to disclose their map of accounts to names.
What this is trying to head off is a completely private single sign-on, like Facebook or Google's OpenID platform, which would want nothing more than to become your one-stop shop for personal authentication on websites and for financial transactions, because under current law it means they are permitted to track and record all of that information and use it to market services to you. If the government is able to mandate a system where this information is unavailable to authentication providers, it will improve privacy by keeping your personal data OUT of third-party "authentication brokerages" and databases.
It's forty pages, big type, and no math. It's far shorter, and much more readable, than the PGP RFC. I guess this sort of lazy argument is typical around here, though -- simply assert your desired truth with a glibertarian eye-roll, and do it loudly enough, and that which you wish to be true will eventually become the CW.
...Where a link to an article about computer credentials can become an 800-count thread where people don't talk about the article, and prefer to spin yarns about Hangar 18 conspiracies all the while claiming the exact opposite of what's actually going on.
You can see why private industry would hate this proposal: it robs third parties of the ability to collect advertising and customer data through user authentication. So naturally they'll use scaremongering and useful idiots civil libertarians to claim this isn't what it is, and that we're much better off with a completely private system with no rules as to who can collect what data about what.
Derp. The key that encrypts an iPhone backup isn't on the system; you have the option to keep it in your user Keychain, but that's encrypted by your login password.
Unless you compiled the code yourself, or are running a binary signed by someone in trust, having some source code that purports to be what you're running is no defense, and the Android vendors are at liberty to add this kind of behavior if it suits them, and they are under no requirement to publish the source of their changes.
That's a little naive. It was non-voting shares, at a time when Apple was basically dying and had very little to give MS in return, aside from merely existing as a useful argument for Microsoft to use in its anti-trust case.
Apple kept their suit going until the war was long over, but Apple only dropped the case after Microsoft gave them $150 million and MS gave assurances that they would continue to develop Office on the Mac (both companies had their own reasons for this arrangement, granted).
Freedom isn't free. If you really want to live a life unfettered by a verifiable identity, that choice has real consequences for the sort of lifestyle you can enjoy, the sort of trust others will be willing to grant you, and the sort of financial transactions people will be willing to make with you.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
"the organizational/economic incentives side of this is pretty much certain to be totally, utterly fucked"
The two ways you can approach incentives are (1) make the penalties for data breaches much more severe, to the extent that private companies that keep personal data must safeguard it, and (2) make a bunch of rules that govern how personal data can be collected and used, how much information you need in order to consider a transaction bona fide. Both have their limits -- make (1) too strong and you'll scare companies off the Internet, because data breaches are unavoidable. Get too crafty with (2) and you might make compliance so complicated you'll also scare companies out of offering services.
A real question is, do people actually need secure online identities that map to real humans? It's pretty clear that you absolutely need secure ways to map information to checking account numbers, credit cards, facebook profiles, host logins, all that good stuff, but do you need something that ultimately points to a person? If you do then there's a huge potential for rent-seeking, since the identity and your sole right to use it is a kind of patent, a created and indefeasible proprietary interest, something you can't do without, and is only useful insofar as protected by state power. Whenever you're forced to use something that must be maintained and cannot be disposed of or sold, you're in rent territory.
The best way to avoid these is with localism and webs of trust. It'd be great if our credit card companies all staged keysigning parties and only corresponded with us in signed emails, but most people don't understand the technology, and most people don't really understand how *trust* works. They just want something simple and for someone else to make it safe for them, thus the government has gotten involved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (Darwin)
iEYEARECAAYFAk2rPe0ACgkQdILWxH wGqZeM4wCeOurkI4ysnyO3Avvab6vpoLkN
soIAn0ax1r4xkl5Xov2if7imOPlcA0o4
=fsi9
-----END PGP SIGNATURE-----
(spaces added to signature to appease slashdot's filter)
Depiction of "you" elided for brevity.
It works both ways though: you can create an online account or forge the identity of someone else with nothing more than what is in a wallet. People dumpster dive or steal wallets, and then use the Internet to create false accounts with the information in a wallet or discarded credit application. The problems with validating identity allow a thief to turn a stolen wallet into a stolen identity, this shouldn't be possible and regulation is a good way of addressing this, for example by forbidding businesses from using SSNs as record identifiers, or requiring three-factor auth for credit transactions.
The document in the TFA proposes no central repository or government database, and proposes a private system that's only regulated by the government to prevent fraud and set minimum standards. Your characterization of the proposal is a strawman.
After reading the document, there really aren't any system requirements, specific technology or any kind of actual implementation, all it really does is set out some goals and establish a certain vocabulary. It's utterly anodyne and will probably die before being considered because it sets out concrete goals for private companies that handle identifying data:
Surely this is the thin end of the wedge of tyranny.
Uh, people own those shares, it isn't like they just hand them over to whoever offers money that moment. Any attempt to purchase would drive up the price of the shares; if holding your shares in the face of the proxy fight would eventually mean you'd be converted to a Google shareholder, the price could be driven up significantly.
Vision of things to come: Google A&R guy brings $85,000 check to local garage band, tells them to spend it as they please to promote their band, but to make sure to remind their audiences that their band is only "in beta" and that their presence at the event has already been reported to Google Buzz and AdSense.
"Thank you, you've been incredible tonight! Check out our band's site! The address is double-u double-u double-u dot myspace dot com slash ..."
The notional value would probably be in the hundreds of millions of dollars, at least. You can be certain the contracts will be valued at their strict letter-of-the-law value, and not the customary we-lost-the-radio-logsheets-in-the-mail-and-you-owe-us-surprise-touring-expenses value.
And maybe you won't be able to buy them -- you're not just taking away their money, you're taking away the prospect that them or anyone who does what they do will be able to make that sort of money again. That's a pretty awful precedent for even a craven hack to countenance.
Behold, it will be called MYSPACE 2.0!
If Google doesn't offer some sort of marketing enhancement they aren't really bringing much to the table that people can't also get at BandCamp, Cdbaby etc.
I'm for planning for things like health care provision and military expenditure, bridge building, public goods, all that stuff. But this is about deciding how musicians get paid -- that's what record labels do, they're negotiating for on behalf of the rights holders and royalty beneficiaries.
Do we really want to pay artists through a command economy? Are music consumers really so stupid they need to be "protected" from paying high prices for a CD by a paternalistic super-distributor? I mean, if Google owned "all" of the record labels this would be the result, and if you didn't agree to Google's rates your music would not be sold.
This is just a bad solution to a bad problem, and would make Google the biggest benefactor and advocate of copyright extension. Copyright extension is the problem, solve that.
The libraries aren't broken, that's what Google wants. The good music is stuff that's older and established, and for Google to stream that they have to make a deal with the labels, who aggregate the key rights holders.
Big G could care less about new music, artists have to be found, promoted, and then once they finally get popular they just start their own labels and sell the music themselves. Nobody wants to get into the recording industry now, all of this wrangling is over music that the record companies hold the key distro rights to. Because of utterly destructive copyright extensions in the US, the music business is now 95% about controlling library rights and 5% developing new acts. Occasionally there are co-branding deals with retail outlets a la Paul McCartney and Starbucks, but these are just for sales, not for distribution, no "big acts" worth their beans ever signs away rights, let alone to a Google.
What does Google know about entertainment promoting? That's what production is now; it isn't just as easy as putting up a ton of music on YouTube, 90% of music promotion is telling people what to like, and Google has shown very little skill at consumer marketing or trendsetting; just because they know how to get millions of people to use free stuff doesn't mean they can figure out how to sell people coolness, hipness or identity. You suggested they market music, and "selling cool" is what marketing music is.
Yes, they treat advertisers quite well. They treat cellular providers quite well, too; maybe you have to jailbreak Android phones, and maybe they use OHA membership as a kudgel to restrict competition in the handset market, but that's what the customers, the Samsungs, HTCs, and Verizons, want. Protip: Google's free services don't have customers, they have users; it's a critical distinction. Search Google's help documetns and you will never find a Gmail account holder referred to as a "customer."
They aggregate all of your personal information, and think personal privacy is quaint and that people should change their name if they want to prevent people from tracking them on the Internet.
But none of this matters, after all: Gmail loads fast! And my Droid syncs my contacts!
Power corrupts... I've forgotten what absolute power does.
"Citation needed"