Well, this would only exacerbate the bandwidth issues that make up your own objection, but enterprising providers could offer an encryption option for the privacy minded -- just stack OTFE or TrueCrypt drivers on top of whatever virtual filesystem drivers they use. That's about as secure as remote data on third party servers is gonna get. What's more, by encrypting the data without storing the keys, the provider reduces their legal exposure to subpoenas, etc., since they have no means of knowing the contents of a user's store.
In my locale, I get unmetered 8mb downstream and 756k upstream at pretty affordable prices relative to the global situation. I wouldn't start using this for DVR storage by any means, but it's serviceable enough that I could definitely see integrating a remote drive into my daily life.
Amusing & sad is about right. I don't know about you or your group, but a few years ago my meetings would include a time to run down a list of recent Windows Updates and quickly ask if anyone knew of a reason why one shouldn't be released to the domain at large.
After some hard-learned lessons, Windows Update is now disabled throughout the organization. The meetings include a time to ask if any recent patches are so critical that we need to risk installing them. If so, each patch gets its own stability evaluation meeting. If it makes it through that meeting (which is not easy), we'll use our own tools to push it out to the test bench group, then to the domain a week later.
This would be so much easier if only MS would *robustly* test their patches before releasing them to the Auto Update queue. Better yet, they could add admin-definable "confidence level" & "criticality level" filters to the auto-update process. As it is, WUpd proved far too likely to take out critical functionality to let it run anywhere in our org.
In response to your questions, I'm only trying to hide the *document* from long term storage, but I want any *decryption* key(s) completely unavailable to the server. So I want to offload *encryption* to Google's server, but decryption is exclusively within the client process. This would require a browser extension to generate key pairs, manage key rings, present the public key to the server, and decrypt the incoming data. How many keys (per user, per document, or somewhere in between) is arbitrary and need not be part of the spec, other than any facility for maintaining document / key pairings. Ditto for encrypting what's on the wire.
I explain my reasoning elsewhere in this thread, but I think this is better than nonexistent security for casual use. Include certification and third-party inspection processes for cleartext handling in the spec; at least then any implementing organization would need to risk blatantly falsifying a certification contract in order to allow another party access to the temp data. And after all, there has to be some small amount of trust for you to be using a service in the first place, right? I think "trust but verify" works OK here. Can you imagine what would happen to Google's stock if they were found to be secretly mirroring the cleartext of all their HTTPS traffic somewhere else for some muckity muck agency to siphon? Sure, they *could* be doing it right now, but the PR nightmare would be unimaginable if they were caught at it.
What a scheme like this buys is moderate protection against mass data mining, secret searches, and privacy breaches arising out of mere carelessness. At the same time, it lets the server add some value to the transaction beyond dumb, opaque data storage. If it's opaque offsite data storage that you want, I'd think cobbling something together like [GmailFS / GDrive] + [TrueCrypt / OTFE / LUKS] would be more appropriate.
I'd say you could use your Google account password (along with a bunch of other data) to *seed* the key pair, but I wouldn't feel secure simply reusing it with a different hash function.
;-)
As to whether anyone from Google is listening, I don't understand why this sort of thing isn't already an open standard like HTTPS. When you're the responsible entity for many users' data you have legal liabilities, and you'll most likely have to deal with the tension between users' privacy and your own legal obligations at some point. Why even put yourself in that position?
This seems too obvious not to be in widespread use. Doesn't it strike anyone else as backwards that Google (for example) could not turn over a user's password even under federal pressure (they simply don't have it), but they can be forced to cough up all of that user's *data* (since they do)?
Done the way I suggested (see other responses to grandparent), fishing expeditions through user data en-masse are stultified. Sure, an agency could subpoena the encrypted data for some user and then proceed to get a warrant to pry the private key from the target, but that's the way it should be: secret searches and data mining are out the window, and law enforcement still has its normal discovery instruments available via warrants, same as if the data were on its creator's PC instead of a third-party server. Seems to make life a lot less complicated for data maintainers.
True, ad selection algorithms would need reworking to accommodate the brief nature of content visibility on the server, but if Google doesn't do this, I'm sure some challenger will. Hell, if some challenger doesn't, *I* will - who wants to help me with the XPI for Firefox?
As to my understanding of public key encryption, you're ultimately right: I understand *that* it works, but it beats the hell out of me how. Seems kinda like magic. ;-)
My goal is to offload some of the crypto workload to the server, while minimizing the security risks that introduces. This calls for server-persisted data to be low-value, and server temp data to be medium-value at most. A single document's content is one thing, but a symmetric key is quite another.
A good design would keep the processing simple for any browser extensions it called for. In this case, it'd be pretty trivial to implement a modified HTTPS scheme using one or more persistent, server-side public keys. This could be in lieu of or in addition to encrypting the wire transmissions.
This scheme's main vulnerability would be to an insider or man in the middle attack on an individual document, by inspecting or siphoning off your session data. This is a pretty casual security implementation, so I think that's an acceptable risk. The alternatives are to do everything on the client side, or to make your symmetric key available to the server during the session. Those are both unacceptable situations to me. My scheme may be less secure than doing everything on the client, but the trade-offs here feel about right to me.
Of course, I'm open to other implementation ideas if you have them.
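The split described in the comments above (the server encrypts with a public key it holds, only the client can decrypt), as an added example that is not part of the original posts. It assumes a hybrid RSA-OAEP plus AES-256-GCM construction running on Node.js; every function and field name is hypothetical, and the sample document is constructed.

```javascript
// Added illustration; construction and names are assumptions, not from the thread.
const crypto = require('node:crypto');

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Client (browser-extension role): the private key is created and kept here.
// Only the PEM-encoded public key is presented to the server.
function clientGenerateKeyPair() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  return { privateKey, publicPem: publicKey.export({ type: 'spki', format: 'pem' }) };
}

// Server: sees the cleartext only transiently, then persists a sealed record.
// A fresh per-document key is wrapped to the client's public key and wiped,
// so nothing the server stores can decrypt the record.
function serverSealDocument(publicPem, docId, cleartext) {
  const dek = crypto.randomBytes(32); // one-time data key for this document
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', dek, iv);
  cipher.setAAD(Buffer.from(docId, 'utf8')); // binds the record to its document id
  const ciphertext = Buffer.concat([cipher.update(cleartext, 'utf8'), cipher.final()]);
  const tag = cipher.getAuthTag();
  const wrappedKey = crypto.publicEncrypt({ key: publicPem, ...OAEP }, dek);
  dek.fill(0); // drop the only server-side copy of the data key
  return {
    docId,
    wrappedKey: wrappedKey.toString('base64'),
    iv: iv.toString('base64'),
    tag: tag.toString('base64'),
    ciphertext: ciphertext.toString('base64'),
  };
}

// Client: unwraps the data key with the private key and verifies the GCM tag.
function clientOpenDocument(privateKey, record) {
  const dek = crypto.privateDecrypt(
    { key: privateKey, ...OAEP },
    Buffer.from(record.wrappedKey, 'base64')
  );
  const decipher = crypto.createDecipheriv('aes-256-gcm', dek, Buffer.from(record.iv, 'base64'));
  decipher.setAAD(Buffer.from(record.docId, 'utf8'));
  decipher.setAuthTag(Buffer.from(record.tag, 'base64'));
  const plain = Buffer.concat([
    decipher.update(Buffer.from(record.ciphertext, 'base64')),
    decipher.final(), // throws if ciphertext, tag or docId were altered
  ]);
  return plain.toString('utf8');
}

// Returns null instead of throwing: wrong key, tampered record or swapped docId.
function tryOpen(privateKey, record) {
  try {
    return clientOpenDocument(privateKey, record);
  } catch (err) {
    return null;
  }
}

// Flips one bit of the stored ciphertext, as a modification at rest would.
function tamperCiphertext(record) {
  const bytes = Buffer.from(record.ciphertext, 'base64');
  bytes[0] ^= 0x01;
  return { ...record, ciphertext: bytes.toString('base64') };
}

// Constructed sample run.
function demo() {
  const owner = clientGenerateKeyPair();
  const other = clientGenerateKeyPair();
  const text = 'constructed sample document body';
  const record = serverSealDocument(owner.publicPem, 'doc-001', text);
  return {
    roundTrip: tryOpen(owner.privateKey, record),
    storedContainsCleartext: JSON.stringify(record).includes(text),
    wrongKey: tryOpen(other.privateKey, record),
    tampered: tryOpen(owner.privateKey, tamperCiphertext(record)),
    movedToOtherDoc: tryOpen(owner.privateKey, { ...record, docId: 'doc-002' }),
  };
}
```

The stored record is what a party with access to the server's persistent storage would obtain; the exposure that remains is the transient cleartext inside `serverSealDocument`, which is the insider risk the comment accepts.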
Nah, the difference will be that Microsoft will bloat their offerings so much they won't fit through the office door. Google keeps 'em down to the most utilized features -- those worth cramming into an Ajax app.
Privacy issues are a legitimate concern no doubt, but let me tell you: I'm a full time developer on the MS stack - including SharePoint - and the last thing in the world I'd ever want to have to use on a regular basis is a SharePoint portal. I've seen plenty of abandoned SP implementations, mainly over complexity, learning curve and sluggishness of navigation. I've seen none fully utilized.
If Google realizes how many concerns they'd ease by offering strong crypto, I think they'd win over that fraction of the market who, like you, are holding out over privacy concerns. For example, if they offered encrypted storage whereby they had only the public and not the private keys to the stored documents, I'd be fine with storing just about anything on their servers.
Guess that nixes the folks who say "Asp" instead of "ASP" too. Who knows if this first movie really scales that well anyway.
Well said; should I credit you if I rework it into a numbered list & append it to my development plan documents in the future?
A: Question authority! ...
B: Says who?!
Don't organizations who iconize slogans like this mainly just want to distill a sense of future into their identity? Frankly, I doubt many really internalize the sense of commitment to an ideal. Still, all else being equal I'd rather work for an organization with an underdeveloped version of that attitude, as opposed to one operating under a "how can you preserve or expand market share for our stockholders today?" imperative.
Look on the bright side - laptops & gadgets are pretty ineffective against snakes anyway (unless you open the laptop flat & use it as a bite shield, I suppose). A pillow or blanket would make a more agile implement, IMO.
Hopefully, DRM will become a higher & higher bullet point item on big-name reviewers' bullet point lists. If that happens, let the most unencumbered player win, and you can bet that won't be Microsoft's.
(Although, I wonder what the economic impact will be for the explosion of new sites devoted to Zune hacking....)
No, really... the *government*? If that ain't the height of naïveté. I get glazed over looks from the same people whose iPod / iTunes setups I have to [cough] "fix" whenever they change computers, but unless you're giving 'em other reasons to peg you as a tin-foiler, that's pretty cold.
Just remember, Jack Sparrow is a Good Man, and will likely prove more useful in skin-saving than the Queen's henchmen or the East India Trading Company, right?
Politics makes interesting bedfellows, eh? I probably believe a higher percentage than you of what you spewed as malarkey, but here's to your (hopeful) ability to do it articulately & persuasively. On the flip side, I suppose I've turned a phrase or two about selling the working man out to behemoth corporate interests, depending on the stripe of legislating commodity item I'm writing to.
Then again, I actually think these legislative vending machines *are* selling Joe Average out to behemoth corporate interests. Where's a con to go who still yearns for a free enterprise system as unfettered by government as possible, yet thinks the current crop of gargantuan, stockholder-owned organizations are verging on being more of a social ill than their economies of scale can justify? The tension is harder to resolve than most flip answers can appreciate.
You're right about throwing their arguments back in their face, but fact is, those who buy legislators really don't care what fashion the arguments are dressed up in. Conservative & liberal ideals alike are being sold down the river; Feinstein can wrap 'em in organic paisley sackcloth that never needs washing, and Frist can put 'em in navy polyester pinstripe with an overstarched white oxford. The arguments have nothing to do with anything. The legislation exists, and pragmatic interests move on to finding arguments that support the next item on the agenda.
The next revolution will be pseudonymous. The one after that will enable secure financial transactions among the participants in aforementioned revolution. After that, Atlas shrugs, and the relevancy of government to daily living steepens its inexorable drive towards zero. Funny that something as "trivial" as copyright law is what's ultimately spurring the technology here. For some kid in Seattle, it's about being able to share Green Day tracks without fear of financial ruin for his parents. For some kid in China, it's about being able to get to Wikipedia without fear of his family being organ-farmed.
I would love to see all that come to pass, but come on... how on earth could such a lobbying agenda ever get funded at the requisite levels? Remember "Rock the Vote," where an entire generation was going to wake like a sleeping giant & give Washington what for? Even with exposure to the saturation point, voter turnout was anemic at best for Rock the Vote's target demographic.
Turning your laudable agenda into reality takes more than tip-jar money - it takes soul-owning money. The other side has quite an inventory of legislators already. For crying out loud, look at the execrable piece of legislation that got Feinstein (D) & Frist (R) cooperating!
I would be *thrilled* to be wrong on this, but I don't think the war can realistically be won at the grassroots, political action level. Various viral marketing tactics for alternative media is one helpful strategy, and frankly, rogue technology is the other. If those who would control every exposure to media products are swiftly defeated by technological liberators every time the two face off, then all the laws in the US Code won't help the restrictors put the toothpaste back in the tube.
Using free software, people can already share data anonymously, store data invisibly, and view and copy just about any extant media without difficulty. Cobble all that into a single dashboard / portal interface & make it portable, extensible, and a no-brainer for the unsavvy to use, and you have quite a strong weapon against DRM: its own futility. Of course IANAL and I don't recommend anyone do anything illegal; just keep in mind that technology can secure certain liberties when governments fail to.
But how do TrueCrypt volumes look to a forensic tool with regard to the mere *amount* of data they contain?
If a 16GB volume reveals only ~1mb of racy pics after you meet their decryption demands, you can bet they'll apply some force towards determining the probability of hidden contents being present after the outer container is revealed. How strong is the deniability of having further data present?
Torpark is really just a convenient flavor of Firefox with Tor-circuit proxy connectivity built in. Prolly Windows only because it's Windows users that need the extra help.
*nix and Mac users can just set up Tor itself and get the same privacy features:
http://tor.eff.org/
http://tor.eff.org/download.html.en
What I want to know is (a) what traffic info is logged in the first place, given that "For Swedish authorities to force RELAKKS to hand over `traffic data including your RELAKKS IP at a specific point in time, they will have to prove a case with the minimum sentence of two years imprisonment," and (b) how are the details of your payment method related to "what you entered yourself when signing up for the RELAKKS Safe Surf service"?
I've still not seen any blogging platform that overcomes my number one objection to using them: I haven't a damn thing to say.
Give me one that generates Markov-chain paragraphs based on Google Sets metacategories, and you'll have purchased my buy-in.
I think that was a "no drive" list, but even so, I'd somehow feel safer without him on my plane.
Your comment about a big label breaking ranks & forsaking the dark side gives me an interesting idea (well at least I think it's interesting...)
Some RIAA-free outlets like mp3tunes & such already exist, and presumably one could assemble a list of RIAA & non-RIAA labels without extraordinary effort. So how about a dot-org like "RIAAfree"? The main products of said dot-org are a logo -- a mere seal, plus a brochure, some window stickers, some audio spots for radio advertising, and a "quid pro quo" license.
Artists voluntarily allow their work to be used in limited ways under the quid pro quo license, and they get some RIAAfree press in return. Now, various sorts of merchants are interested in ways to participate in viral & organic marketing, and to cast themselves as less "corporate" and more "hip." So, the independent new "Starbucks Sucks" coffee shop orders an "RIAAfree" window sticker kit & a counter display for brochures. So long as they display the window sticker & keep the brochure holder stocked & visible, they get the right to no-charge overhead music in their establishment, via custom generated playlists. Patrons who ask what the cool tunage is on the overhead are referred to The Brochure, which informs them how to look up said playlist & purchase said music.
Extend this to the local gym, to the guitar shop down the street, and to radio programs at small / college stations etc., lather, rinse, repeat.
Now, when people whine about how crappy manufactured pop music is, the response is "All the good, independent stuff is on RIAAfree, dude. Where have you been?"
How is the philosophy of community-produced products at odds with laissez-faire capitalism? "Leave it alone" means just that - the market is free to say "effyall, I'll make my own." Taking a "hands on" approach to prevent that could be characterized as many things, but laissez-faire isn't one of them.
Voluntary, self-organized community production makes capitalism much stronger (and purer) than corporate competition alone could. Now if it's *involuntary* community production you're talking about, well then that *is* communism, at which point it has little to do with what consumers really want anymore.
Right you are, and they've created yet another situation where you can only get quality, interoperable media with *stolen* content; they won't sell it to you at any price.
They *could* compete with free, you know.
"...it could *be* corrected slowly over time."
Sorry, couldn't stop myself.
You raise an important and oft-overlooked point.
This is exactly why I think it's so critical to evangelize with regard to using privacy measures. I want my mother, Aunt Sally, and 8-year-old niece to be using TrueCrypt and Tor at a minimum (or, something providing similar functionality). Privacy / anonymity suites need to become as commonplace as antivirus, firewall and anti-spam software.
Helping strong privacy measures become the status-quo serves other important goals too. It makes it more politically costly to try to legislate them out of use, and it reduces the usefulness of developing new data mining programs that require person:transaction relationships - both for the government and for private industry.
In short, when everyone's Aunt Sally can be expected to have countermeasures against activity monitoring running on her home PC, the world will have become a safer place for all of us.