Read it and weep

A lack of creases and coffee stains is NOT the problem with e-book readers. DRM is.

Ok, first things first. At this time of year, I hate being told about "must-have" gadgets; usually some shiny flashing be-all-end-all game-changer that will spice up my life in ways I'd never have previously imagined. After all, how could I possibly know what I want? This year it's the e-book reader, the newest saviour of the publishing industry (or was that last year? I don't know, I don't think I was paying enough attention back then). Evidently, stories are no fun unless they can be read off a battery-powered glass plate. If I had a pound for every time I saw, heard or read about it, I might have actually bought one by now. Except that I won't, because I don't want one. Not now, not for Christmas, not ever. So there. Bah humbug.

But I've been stunned by some of the arguments made against the e-reader coming from fellow naysayers. The same comments have been made by members of my family, my friends, on radio and on television, in an almost identical manner from one person to the next. It goes something like this:

"Why would I want something that stores all of my books? I mean, unless I have difficulty lugging them around, like on holiday, what's the point? It's killing the printed word, y'know. But books in print are so much better because I like to feel what I'm reading; it adds to the experience... I like touching the creases and rough edges, I like the coffee stains on my battered copy of 1984... ah, the smell... ah, the physicality..."

Golly... a device that saves bookshelf space? And is crease-free? All that convenience is such a massive burden, isn't it? Well, you're welcome to your crumbling spines and your scribbled margins and your paper cuts, you Luddites. Yes, you who ramble on about craving the physicality of the printed word, but have not bought a "proper" copy of a music album for eight years, because it's easier to carry your entire audio collection around on your iPod. Try explaining that must-have gadget purchase to an audiophile while he sniffs the vinyl cover of his James Brown Live at the Apollo album like a cocaine addict, proclaiming how the scratches in the grooves of the record that cause it to skip abruptly add to its authenticity.

But you know there's no point, because your perversity is redundant in the shadow of the ever-looming technological juggernaut that is the e-reader. Like most grievances with the e-book reading experience, they will almost inevitably be addressed with every successive invention aimed at indulging our personal preferences. Hell, we're already at the point where a bespoke paperback novel can be printed afresh at a bookstore – coffee stains'n'all, if you so wish – in the same amount of time it takes to make an espresso!

Yet there is still one very important reason why I refuse to buy into this phenomenon; one which has quietly slipped into the e-book's very DNA without warning, almost completely unnoticed to the literary consumer. It is called Digital Rights Management [DRM]. Problem is, when arguments break out between my friends over e-readers, I still find myself having to explain what DRM is and how it works. And that's not a good sign, because by the time all is understood, DRM will have already locked us all out from fully owning the keys to that experience.

For instance, I say, you're free to lend your physical copy of War & Peace to whomever you please, sort of. In the US, it is your right of first sale; here, it is usually just too difficult to enforce otherwise in a second-hand market. But Amazon's Terms of Use clearly state that the content you purchase from the Kindle Store is 'licensed, not sold' and that 'unless specifically indicated otherwise, you may not... assign any rights to the Digital Content or any portion of it to any third party'. So, you will never own the e-book you bought from the Kindle Store because it was never sold to you in the first place! The same applies to Sony and Barnes & Noble; they also limit the number of different devices that can read the e-book in question (why six? Who thought that was appropriate?). Oh, and they must all be registered to the same account.

I tell them that e-book use relies on the principle of anti format-shifting: 'You may not transfer, copy or export Content from one device to another or to any media of any kind without maintaining the applicable digital rights management solution', meaning you can only convert an e-book's file format into one that is compatible with the device you want to read it on.

Which is what you would have to do if you had, say, an EPUB file of a novel you wanted to share on a friend's Kindle. Imagine that; the most popular instrument in its class does not support the most widely recognised e-book standard. Absurd, non? But it is the way of the world now; e-reader and publishing companies conspire to use DRM as a kind of vice grip on our balls.

And while you're squealing for mercy, can you really trust these businesses not to take advantage? If you want proof, google Amazon's Orwellian scandal, I say. If they can do it once to correct their own "honest" mistakes, they can do it again, for less honest reasons. Of course, they said they wouldn't. But what are the promises of someone who has you by the balls really worth?

Of course, Amazon, Sony, Barnes & Noble, Kobo et al are under no obligation to change their business models to suit me. I understand that. I just fear that there are many keen e-book readers who don't. I have seen far too many eyes glaze over when I explain the threat of DRM not to know this. So, as a word of warning to that growing legion that I won't be joining any time soon, I believe you deserve to read books any way you want. Just make sure that the company you bought your e-reader from allows you to do that.

Merry Christmas!

Image: READERS AGAINST DRM on a CC BY-NC-SA 2.0 licence

Location, location, location

Data... it's about who knows you.

In the late 1970s, I used to drive across the United States several times a year (I was a full-time folksinger), and although these were long, long days at the wheel, there were certain perks. One was the feeling that the entire country was my backyard. The other was the sense that no one in the world knew exactly where I was. It was a few days off from the pressure of other people.

I've written before that privacy is not sleeping alone under a tree but being able to do ordinary things without fear. Being alone on an interstate crossing Oklahoma wasn't to hide some nefarious activity (like learning the words to "There Ain't No Instant Replay in the Football Game of Life"). Turn off the radio and, aside from an occasional billboard, the world was quiet.

Of course, that was also a world in which making a phone call was a damned difficult thing to do, which is why professional drivers all had CB radios. Now, everyone has mobile phones, and although your nearest and dearest may not know where you are, your phone company most certainly does, and to a very fine degree of "granularity".

I imagine normal human denial is broad enough to encompass pretending you're in an unknown location while still receiving text messages. Which is why this year's A Fine Balance focused on location privacy.

The travel privacy campaigner Edward Hasbrouck has often noted that travel data is particularly sensitive and revealing in a way few realize. Travel data indicates your religion (special meals), medical problems, and lifestyle habits affecting your health (choosing a smoking room in a hotel). Travel data also shows who your friends are, and how close: who do you travel with? Who do you share a hotel room with, and how often?

Location data is travel data on a steady drip of steroids. As Richard Hollis, who serves on the ISACA Government and Regulatory Advocacy Subcommittee, pointed out, location data is in fact travel data - except that instead of being detailed logging of exceptional events it's ubiquitous logging of everything you do. Soon, he said, we will not be able to opt out - and instead of travel data being a small, sequestered, unusually revealing part of our lives, all our lives will be travel data.

Location data can reveal the entire pattern of your life. Do you visit a church every Monday evening that has an AA meeting going on in the basement? Were you visiting the offices of your employer's main competitor when you were supposed to have a doctor's appointment?

Research supports this view. Some of the earliest work I'm aware of is that of Alberto Escudero-Pascual. A month-long experiment tracking the mobile phones in his department enabled him to diagram all the intra-departmental personal relations. In a 2002 paper, he suggests how to anonymize location information (PDF). The problem: no business wants anonymization. As Hollis and others said, businesses want location data. Improved personalization depends on context, and location provides a lot of that.

Patrick Walshe, the director of privacy for the GSM Association, compared the way people care about privacy to the way they care about their health: they opt for comfort and convenience and hope for the best. They - we - don't make changes until things go wrong. This explains why privacy considerations so often fail and privacy advocates despair: guarding your privacy is like eating your vegetables, and who except a cranky person plans their meals that way?

The result is likely to be the world that Microsoft UK's director of Search, advertising, and online UK, Dave Coplin, outlined, arguing that privacy today is at the turning point that the Melissa virus represented for security 11 years ago when it first hit.

Calling it "the new battleground," he said, "This is what happens when everything is connected." Similarly, Blaine Price, a senior lecturer in computing at the Open University, had this cheering thought: as humans become part of the Internet of Things, data leakage will become almost impossible to avoid.

Network externalities mean that the number of people using a network increases its value for all other users of that network. What about privacy externalities? I haven't heard the phrase before, although I see it's not new (PDF). But I mean something different than those papers do: the fact that we talk about privacy as an individual choice when instead it's a collaborative effort. A single person who says, "I don't care about my privacy" can override the pro-privacy decisions of dozens of their friends, family, and contacts. "I'm having dinner with @wendyg," someone blasts, and their open attitude to geolocation reveals mine.

In his research on tracking, Price has found that the more closely connected the trackers are, the less control they have over such decisions. I may worry that turning on a privacy block will upset my closest friend; I don't obsess at night, "Will the phone company think I'm mad at it?"

So: you want to know where I am right now? Pay no attention to the geolocated Twitterer who last night claimed to be sitting in her living room with "wendyg". That wasn't me.


Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series.

Image: JohnDBritton on Flickr.com CC BY-SA 2.0 licence

Reversal of government fortunes

Transform government IT projects from expensive white elephants into open, collaborative innovations, but without compromising our right to privacy.

What if – I say, what if? – a country in which government IT projects have always been marked as huge, expensive, lengthy failures could transform itself into a country where IT genuinely works for both government and the people? What if the cheeky guys who founded MySociety and made communicating with your MP or looking up his voting record as easy as buying a book from Amazon were given the task of digitizing government? The guys (which I use as a gender-neutral term) who made e-petitions, PledgeBank, and FixMyStreet? Who embarrassed dozens of big, fat, failed government IT projects? What would that look like?

Government IT in Britain has been an expensive calamity for so long that it's become generally accepted that it will fail, and the headlines describing the latest billions lost in taxpayers' money have become a national joke on a par with losing at sports. People complain that Andy Murray hasn't won anything big, but the near-miss is thoroughly ingrained in the British national consciousness; the complaints are as familiar and well-worn a track as the national anthem. No one is happy about it – but it's like comfort food.

It was gently explained to me this week – in a pub, of course – that my understanding of how the UK government operates, based as it is on a mish-mash of single readings of Anthony Trollope's Palliser novels, repeated viewings of the 1980s sitcom Yes, Minister, and the occasional patient explanation from friends and acquaintances, needs to be updated. The show was (and remains) a brilliant exposé of the inner workings of the civil service of the day, something that until then was completely obscure. Politicians repeatedly said it was a documentary, not fiction – and then they began to change in response to it. Who saw that coming? The Blair government bypassed the civil service by hiring outside consultants – who were expensive and, above all, not disinterested. The coalition has reacted by going the other way, thinking small, and hiring people who are good at doing things with all this fancy, new technology. Cheap things. Effective things. Even some of the MySociety people. I know, right?

The fact that people like Mike Bracken, who masterminded the Guardian's open platform and who is a founder of MySociety, are working in government is kind of astonishing. And not just him: also Tom Loosemore, whom I first met editing the mid-1990s version of Wired UK, and who has gone on to work for the BBC and advise Ofcom on digital strategy, and Richard Pope, another of the MySociety guys.

The question is, can a small cohort of clever people succeed in turning a lumbering ship like a national government, let alone one running a country so wedded to the traditional way of doing things as Britain is? This week, the UK government has seemed to embrace both the dysfunctional old, in the form of promising the nation's public health data to life sciences companies, and the new, in the form of launching the Government Digital Service. You almost want to make one of those old Tired/Wired tables. Tired: centralisation, big databases, the British population as assets to be sold off or given away to "users", who are large organisations. Wired: individual control, personal data stores, users who are citizens in charge of their own destinies.

Yesterday, Bracken was the one to announce the new Government Data Service. William Heath, who founded the government consultancy Kable (since sold and now Guardian Government Computing) and, in 2004, the Ideal Government blog in pursuit of something exactly like this, could scarcely contain his excitement.

What's less encouraging is seeing health data mixed in with the Autumn Statement's open data provisions (PDF). As Heath wrote when the news broke, open data is about things, not people. Open data is: transport schedules, mapping data, lists of government assets, national statistics, and so on. This kind of data we want published as openly and in as raw a form as possible, so that it can be reused and form the basis for new businesses and economic growth. This is the process that Data.gov started.

But anything that is personally identifiable information (PII) – such as NHS patient records – is not the kind of data we want to open. Yes, there are many organisations that would like access to it: life sciences companies, researchers of all types, large pharmaceutical companies, and so on. This is a battle that has been going on in Europe for more than ten years and for a somewhat shorter amount of time in the US, where the lack of nationalized health insurance means that it's taken longer for the issue to come to the front. In the UK, Ross Anderson and Fleur Fisher are probably the longest-running campaigners against the assembling of patient records into a single national database. As the case of Wikileaks and the diplomatic cables showed, it is hopeless to think that a system accessible by 800,000 people can keep a secret.

But let's wait to see the details before we get mad. For today, enjoy the moment. Change may happen! In a good way!


Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series.

Image: DATABASE at Postmasters, March 2009 by Michael Mandiberg/CC BY-SA 2.0

VODO Interview

VODO founder and CEO Jamie King speaks to ORGZine about the company's operations as a distributor of films under the "Freemium" model.

According to its website, VODO "helps to promote and distribute new creative works all over the world" as a free-to-share distributor of video. It also enables creators looking for effective ways to distribute their work with file-sharing sites willing to help promote it and consumers willing to fund them. We called up VODO boss Jamie King to ask how VODO came about, how the company's Freemium model is faring in the film industry and what plans VODO has for the future.

 


Transcript below.

 

Interviewer: So, if you could tell us a little bit about how VODO came into being?

Jamie King [JK]: I was part of a group of people who in 2006 made a film called Steal This Film, that was concerned with intellectual property and how regimes in intellectual property were changing in the context of the digital environment, so how did it affect creators and how did peer-to-peer distribution affect people's ability to exert property rights over their work, so it was a question of saying in this new environment, what is the appropriate way of understanding how we should remunerate creators… what are the advantages of being able to distribute using peer-to-peer for ordinary creators? And the cool thing about Steal This Film was it was downloaded loads of times; we distributed it using peer-to-peer, so it was available to anybody to download free, share with their friends, and so on. And we solicited donations from people and we received quite a lot of pounds, dollars and support from audiences worldwide… so we started to iterate versions of VODO and gradually refined it as a system which both helps filmmakers distribute their work online in a free-to-share format and then helps them engage online audiences to receive some financial support and get those audiences helping them to redistribute their work to any other potential audience members.

 

Interviewer: So, as VODO facilitates the distribution of filmmakers' content webwide, the purveyors of the traditional model of distribution might be forgiven for asking how you can make any money from this venture?

JK: You probably noticed that there are some quite strong earnings figures against various work from VODO. The way that we do it is that essentially the idea is to engage a very large audience through free-to-share distribution, so we'll often reach audiences of millions using our various distribution partnerships and then once we've got that audience, create really nice incentives for them to support the filmmaker if they want to, or support the content creator if they want to. For example, limited edition products associated with the film or with the work, or credits in the next episode. These kinds of incentives then give people a reason to support the work, to throw down some money and that's how we create the revenue.

 

Interviewer: So how strong would you say these incentives are in helping to promote and advertise the films?

JK: Well, the incentives are not there really as a form of marketing. The marketing, in essence in this model, is a freemium model in which the free-to-share distribution of the films itself, is the marketing, so the fact that the film is available freely and the fact that people can share that as they like, whether they've paid or not, whether they supported the filmmaker or not, allows us to bring in all sorts of partners associated with the free sharing of the work - p-2-p partners and so on - and those create a very large audience organically, because there are millions of people out there who are hungry for new stuff to watch and who are quite willing and keen to engage with free-to-share content from content creators. So that's how we handle marketing; what we do is we offer them free-to-share content from filmmakers who want to share and that takes care of the marketing part. And then after that what we do is try to engage the audience in supporting the filmmaker monetarily.

 

Interviewer: And VODO's continuing growth may attract attention from other distributors... so do you fear a takeover approach?

JK: Obviously the advantage of what we're doing is enacting the possibilities that are latent within the technology as it exists, in the sense that anybody is able to distribute a film massively in a free-to-share fashion, utilising open source BitTorrent protocol. Anybody is able to then offer donation incentives or support incentives to their audience. That's all we're doing. There's no magic in it, although of course a lot of expertise resides in the software we're developing. So, in one sense, I hope we're developing a model that can be utilised by other people and that may include larger distributors, larger studios, but it should also include smaller creators, people with less advantages and options available to them in terms of distribution, so whatever happens to VODO - and there are certainly no plans to sell out to anybody now - the possibilities that it enacts and points out will continue to be available to anybody.

The second part of the answer to that is that what I see happening is that there are more and more small-medium creators, creating works which traditionally would have been undistributed anonymous smaller works that can't or couldn't be distributed within the mainstream distribution systems... in terms of the larger studios, what I see happening is that by and large, people are more and more interested in the large budget films with very large marketing budgets - the Avatars, the Spidermans, the Dark Knights - that are going to make a significant amount of revenue. The middle ground, as it were, is losing out because it's very difficult to make any money with the traditional distribution system on a budget of less than $8 million, and what that means is that there may be some gravitation towards a service like ours once we're making hundreds of thousands of dollars for a film. I don't see any problem with that. If small indies want to use VODO, in the end they'll be engaging a model which is much truer to the architecture of the internet and the way distribution of information works today and it's important that we update our attitudes to fit this new environment. If larger studios want to do that, there should be no issue; it certainly doesn't prevent smaller creators using the system as well.

 

Interviewer: Is there any stuff you reject from filmmakers?

JK: What we're doing is developing a three-tier approach to how we deal with submissions. At the top level, is what we call 'Releases', films that we've worked with the creator to release as part of our distribution system via partners... those are the ones you see featured on the site once or twice a month. And then there's a layer that will exist below that and that's called 'Spotlight' and spotlight content is content that has been uploaded to the site and that we've picked out as being noteworthy, at least in our opinion. And then what we'll have is an open list system where more or less anyone who has a film above a certain length can use our distribution system as a free tool. So those three layers more or less deal with pretty much all the content we've received.

 

Interviewer: Tell me a bit about your most successful film?

JK: I think to date the most successful film we've done really has been Pioneer One, which is a science fiction show we developed... we signed on to distribute it before it had been created, so it was a kind of made-for-VODO show... and I think to date that's raised $100,000 in revenue and been downloaded over 2,500,000 times. They're just about to distribute their sixth and final episode of the season through us and that's been funded entirely from user donations raised by VODO. They won the [2010] New York TV Festival Best [Drama] Pilot for their first episode and it really went on to have a very strong audience; they really liked it and have helped it to become the success it is now.

 

Interviewer: And what are VODO's plans for the future?

JK: We're working on an entirely new update of VODO which will be available some time in the next four to five months... we're going to be doing a VODO player which can enable many people to play VODO content from installable software on their machine which will update them about new content available and make it an easier experience for people to use peer-to-peer distribution who are not into using BitTorrent. We're going to spend some time developing our distribution system through widgets, so basically audience members will be able to download or install widgets to their own website blogs and so on, which will let them distribute VODO content right from their own site. So with a site like yours, for example, you can pick four or five films you're interested in on VODO, you can advertise them to your audience and display them in an easy to download way so one can get them right from your page and you earn dough every time someone downloads a film via you, because in the end you've added value to that filmmaker; you've helped distribute their film and the idea is that you'll be able to use the dough that you've earned to play premium content [and] get discounts against incentives you might want to engage with and so on... so the idea is to create a large network of audience distributors... we're collapsing the distinction between being an audience member, being a consumer, being a distributor and being a content creator.

 

Interviewer: Jamie King from VODO, thank you for speaking to ORGZine.

Image: VODO

Debating the robocalypse

"This House fears the rise of artificial intelligence."

This was the motion up for debate at Trinity College Dublin's Philosophical Society (Twitter: @phil327) last night (December 1, 2011). It was a difficult one, because I don't think any of the speakers – neither the four students, Ricky McCormack, Michael Coleman, Cat O'Shea, and Brian O'Beirne, nor the invited guests, Eamonn Healy, Fred Cummins, and Abraham Campbell – honestly fear AI all that much. Either we don't really believe a future populated by superhumanly intelligent killer robots is all that likely, or, like Ken Jennings, we welcome our new computer overlords.

But the point of this type of debate is not to believe what you are saying – I learned later that in the upper levels of the game you are assigned a topic and a position and given only 15 minutes to marshal your thoughts – but to argue your assigned side so passionately, persuasively, and coherently that you win the votes of the assembled listeners even if later that night, while raiding the icebox, they think, "Well, hang on…" This is where politicians and Dail/House of Commons debating style come from. As a participatory sport it was utterly new to me, and it explains a *lot* about the derailment of political common sense by the rise of public relations and lobbying.

Obviously I don't actually oppose research into AI. I'm all for better tools, although I vituperatively loathe tools that try to game me. As much fun as it is to speculate about whether superhuman intelligences will deserve human rights, I tend to believe that AI will always be a tool. It was notable that almost every speaker assumed that AI would be embodied in a more-or-less humanoid robot. Far more likely, it seems to me, that if AI emerges it will be first in some giant, boxy system (that humans can unplug) and even if Moore's Law shrinks that box it will be much longer before AI and robotics converge into a humanoid form factor.

Lacking conviction on the likelihood of all this, and hence of its dangers, I had to find an angle, which eventually boiled down to Walt Kelly and We have met the enemy and he is us. In this, I discovered, I am not alone: a 2007 ThinkArtificial poll found that more than half of respondents feared what people would do with AI: the people who program it, own it, and deploy it.

If we look at the history of automation to date, a lot of it has been used to make (human) workers as interchangeable as possible. I am old enough to remember, for example, being able to walk down to the local phone company in my home town of Ithaca, NY, and talk in person to a customer service representative I had met multiple times before about my piddling residential account. Give everyone the same customer relationship database and workers become interchangeable parts. We gain some convenience – if Ms Jones is unavailable anyone else can help us – but we pay in lost relationships. The company loses customer loyalty, but gains (it hopes) consistent implementation of its rules and the economic leverage of no longer depending on any particular set of workers.

I might also have mentioned automated trading systems, which are making the markets swing much more wildly much more often. Later, Abraham Campbell, a computer scientist working in augmented reality at University College Dublin, said as much as 25 percent of trading is now done by bots. So, cool: Wall Street has become like one of those old IRC channels where you met a cute girl named Eliza.

Campbell had a second example: Siri, which will tell you where to hide a dead body but not where you might get an abortion. Google's removal of torrent sites from its autosuggestion/Instant feature didn't seem to me egregious censorship, partly because there are other search engines and partly (short-sightedly) because I hate Instant so much already. But as we become increasingly dependent on mediators to help us navigate our overcrowded world, the agenda and/or competence of the people programming them are vital to know. These will be transparent only as long as there are alternatives.

Simultaneously, back in England in work that would have made Jessica Mitford proud, Privacy International's Eric King and Emma Draper were publishing material that rather better proves the point. Big Brother Inc lays out the dozens of technology companies from democratic Western countries that sell surveillance technologies to repressive regimes. King and Draper did what Mitford did for the funeral business in the late 1960s (and other muckrakers have done since): investigate what these companies' marketing departments tell prospective customers.

I doubt businesses will ever, without coercion, behave like humans with consciences; it's why they should not be legally construed as people. During last night's debate, the prospective robots were compared to women and "other races", who were also denied the vote. Yes, and they didn't get it without a lot of struggle. In the "Robocalypse" (O'Beirne), they'd better be prepared to either a) fight to meltdown for their rights or b) protect their energy sources and wait patiently for the human race to exterminate itself.

Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series.

Image: By billrdio @fotopedia.com: CC BY-NC-SA 2.0 licence

Paul Revere's printing press

Is security technology user-friendly or should users know better? Wendy Grossman investigates.

There is nothing more frustrating than watching smart, experienced people reinvent known principles. Yesterday's Westminster Forum on cybersecurity was one such occasion. I don't blame them, or not exactly: it's just maddening that we have made so little progress, while the threats keep escalating. And it is from gatherings like this one that government policy is made.

Rephrasing Bill Clinton's campaign slogan, "It's the people, stupid," said Philip Virgo, chairman of the security panel of the IT Livery Company, to kick off the day, a sentiment echoed repeatedly by nearly every other speaker. Yes, it's the people – who trust when they shouldn't, who attach personal devices to corporate networks, who disclose passwords when they shouldn't, who are targeted by today's Facebook-friending social engineers. So how many people experts on the program? None. Psychologists? No. Nor any usability experts or people whose jobs revolve around communication, either (Or women, but I'm prepared to regard that as a separate issue).

Smart, experienced guys, sure, who did a great job of outlining problems and a few possible solutions. Somewhere toward the end of the proceedings, someone allowed in passing that yes, it's not a good idea to require people to use passwords that are too complex to remember easily. This is the state of their art? It's 12 years since Angela Sasse and Anne Adams covered this territory in Users Are Not the Enemy. Sasse has gone on to help found the field of security economics, which seeks to quantify the cost of poorly designed security – not just in data breaches and DoS attacks but in the lost productivity of frustrated, overburdened users. Sasse argues that the problem isn't so much the people as user-hostile systems and technology.

"As user-friendly as a cornered rat," Virgo says he wrote of security software back in 1983. Anyone who's looked at configuring a firewall lately knows things haven't changed that much. In a world of increasingly mass-market software and devices, security software has remained resolutely elitist: confusing error messages, difficult configuration, obscure technology. How many users know what to do when their browser says a Web site certificate is invalid? Or how to answer anti-virus software that asks whether you want to authorise HIPS/RegMod-007?

"The current approach is not working," said William Beer, director of information security and cybersecurity for PriceWaterhouseCoopers. "There is too much focus on technology, and not enough focus from business and government leaders." How about academics and consumers, too?

There is no doubt, though, that the threats are escalating. Twenty years ago, the biggest worry was that a teenaged kid would write a virus that spread fast and furious in the hope of getting on the evening news. Today, an organized criminal underground uses personal information to target a small group of users inside RSA, leveraging that into a threat to major systems worldwide (Trend Micro CTO Andy Dancer said the attack began in the real world with a single user befriended at their church. I can't find verification, however).

The big issue, said Martin Smith, CEO of The Security Company, is that "There's no money in getting the culture right." What's to sell if there's no technical fix? Like when your plane is held to ransom by the pilot, or when all it takes to publish 250,000 US diplomatic cables is one alienated, low-ranked person with a DVD burner and a picture of Lady Gaga? There's a parallel here to pharmaceuticals: one reason we have few weapons to combat rampaging drug resistance is that for decades developing new antibiotics was not seen as a profitable path.

Granted, you don't, as Dancer said afterwards, want to frame security as an issue of "fixing the people" (but we already know better than that). Nor is it fair to ban company employees from social media lest some attacker pick it up and use it to create a false sense of trust. Banning the latest new medium, said former GCHQ head John Bassett, is just the instinctive reaction in a disturbance; in 1775 Boston the "problem" was Paul Revere's printing press stirring up trouble. 

Nor do I, personally, want to live in a trust-free world. I'm happy to assume the server next to me is compromised, but "Trust no one" is a lousy way to live.

Since perfect security is not possible, Dancer advised, organizations should plan for the worst. Good advice. When did I first hear it? Twenty years ago and most months since, by Peter Neumann in his RISKS Forum. It is depressing and frustrating that we are still having this conversation as if it were new – and that we will have it all over again over the next decade as smart meters roll out to 26 million British households by 2020, opening up the electrical grid to attacks that are already being predicted and studied.

Neumann – and Dancer – is right. There is no perfect security because it's in no one's interest to create it. Plan for the worst.

To quote Gene Spafford, 1989: "The only truly secure system is one that is powered off, cast in a block of concrete, and sealed in a lead-lined room protected by armed guards – and even then I have my doubts."

For everything else, there's a stolen Mastercard.

Image: By sfslim @flickr.com: CC BY 2.0 licence

Shanking the Messenger

MP Heidi Alexander’s proposal to ban internet videos glorifying gang crime is a stab in the dark

The most recent episode of the Politics Show London [available on BBC iPlayer until Sunday 27 November] included a debate on the topic of knife crime videos on the internet. The report that preceded it showed films displaying a frightening vision of the culture plaguing particular communities in urban Britain and although efforts are continually being made to tackle the issue - there was a representative from the Boyhood to Manhood Foundation whose work invariably involves children for whom gang culture is a potentially dangerous influence - there appeared to be a general consensus that more needs to be done to deal with the messages that the videos send to others.

One politician in particular believes the videos themselves play a significant role in perpetuating the problem. Labour MP Heidi Alexander has a more acute experience of gang culture than most of her Parliamentary peers; many rival gangs operate for dominance of the housing estates in her constituency of Lewisham East. So in tabling the Ten Minute Rule Bill calling for the law courts to intervene in the release of videos appearing to glorify criminal activity - aka the Internet Regulation of Material Inciting Gang Violence - Ms Alexander hopes to curb gang violence from spreading any further. The idea is that if the law can make internet service providers and/or multimedia hosting websites remove such inappropriate content, then fewer people will be exposed to - and therefore at risk of being affected by - gang culture in general. However, while her intentions are honourable - driven by a quest to satisfy the safety concerns of residents in her constituency - there are several problems with her approach to the situation.

Firstly, what concrete proof is there that videos influence more young people to join gangs? During the debate, Uanu Seshmi, co-founder of the Boyhood to Manhood Foundation who has considerable hands-on experience of dealing with gang culture, said that internet videos are ‘not the main cause of gang violence’. So what influence do videos have on children and can it be considered strong enough to warrant a mass takedown of films glorifying criminal behaviour? Ms Alexander couched her concerns in woolly language, claiming that even if the link is not made by the children who view these videos themselves, it was all part of ‘the context’. But this does not amount to clear-cut evidence of a significant causal link between carrying a knife and watching a clip of people committing violent crimes. I can’t claim for certain that it doesn’t happen at all, but I do know that I personally have never been driven to carry a weapon because one has been brandished in a YouTube film. Or joined a mob, taken drugs, run someone over, betrayed someone, or robbed a business, for similar reasons. And I could get all those inferences from watching the trailer to Pulp Fiction. I also do not know of anyone that is scared enough by a video pertaining to non-specific threats of violence to start arming themselves in self-defence. This would lead me to believe that YouTube, Vimeo, SpiffTV et al were neither recruitment mechanisms for child footsoldiers, nor a rarefied take on cyber-bullying. Ms Alexander’s Ten Minute Rule Bill speech did not provide any examples to the contrary.

Another problem is her failure to be specific on what she means by ‘Inciting Gang Violence’. What constitutes a gang and not a group, collective, clan, gathering, etc? And how does one qualify for inciting violence? Many an internet video can be taken for loosely assuming either or both of these characteristics, especially rap ones. When asked directly by Tim Donovan just what exactly she was against, factual videos depicting violence, or the description of acts of violence in rap songs, this was her reply:

'Well, what I’ve come across... has been a whole load of videos on the internet, filmed in the hearts of our town centres, on our housing estates, groups of young men, stood around, often rapping, sometimes carrying weapons, rapping about knives, about stabbing, about gangs and I just think it's unacceptable.'

She may well think so and she is entitled to her opinion. But, having been invited to pinpoint the problematic material she wants removed from our computer screens, she did exactly the opposite. She instead referred to films in which actors stand about proclaiming things she simply does not want to hear. Her (lack of) choice material implies that her argument is actually based on the whims of what she and some of her constituents find offensive, not reason. If I were to do the same, I might find a video where a celebrity sits on a sofa boasting about their latest autobiographical release unacceptable, but it is no grounds for requesting a ban on all chatshow programmes.

It also opens up a can of worms about the problem of enforcing law regarding factors such as obscenity and hate speech. This legal minefield will not be cleared up easily by cases brought before the law based on Ms Alexander’s proposal. Ultimately, any further revisions to the law in this regard will inevitably play in favour of greatly increasing censorship; hence her claim that the 2003 Communications Act ‘does not seem to me to be of any use’.

But supposing the Bill did become law. Would it actually reduce knife-led gang-related crime? In the report accompanying the debate, a journalist asked two kids whether Ms Alexander was ‘on the right track’ demanding the removal of such threatening material from the internet. They disagreed, effectively saying that the Bill would be impossible to enforce in practice because they [the gang members] would find other ways to showcase their films and that although they did glorify gang violence, this had no bearing on the kids as viewers. Ironically, despite Heidi’s implied charge of naivety on the kids’ part during the debate, their answers offer precisely the kind of pragmatism that her proposal lacks, which will render a well-meaning Bill ineffective where it wishes to make an impact and potentially devastating where it intends not to.

The desire to try and act upon constituents’ concerns is understandable, but Ms Alexander’s actions are in fact symptomatic of a value-effort fallacy, which assumes that because she is trying a new approach to solving the issue at stake, it will yield success. It may satisfy her constituents to know that she cares enough about the problem of gang culture to do something about it, but that does not mean that her proposed Bill is the right path to take. It rather manifests a desire to conceal the dilemma from view, instead of addressing it face-to-face.

Image: the justified sinner @flickr on a CC BY-NC-SA 2.0 licence

God help us... the revolution runs on Windows!

Milena Popova laments the lack of open, free-to-use software endorsed by the Occupy LSX protest movement.

Last weekend, I found myself at a loose end in London for a couple of hours so thought I'd look in on Occupy LSX. I pottered about, had a few chats, helped put up some posters and headed over to the tech tent. I only had a brief chat with the guys there, but was dismayed to discover that most of their kit was running on Windows XP. The reason, they said, was that Windows was what most people were familiar with. They had one Ubuntu box which was currently not around, and were toying with the idea of maybe putting Linux Mint on a couple of the machines, but it wasn't a high priority. My jaw was on the floor.

But why should we care? A computer is a computer, regardless of what operating system it runs, and if it will get you on the Internet and enable you to do whatever it is you want to do with it - run your website, provide people with a live stream of what's going on, or update Twitter - then surely that's all that matters? Well, here are just a few good reasons why Windows and the revolution don't mix.

Security

Possible conspiracy theories aside, security is a major point of difference between proprietary software (and the Windows ecosystem in particular) and free (as in speech, not beer) software. It takes about 2.5 hours for a freshly-installed Windows 7 machine to get infected with all sorts of malware and spyware. Admittedly this assumes users who don't know what they're doing, but given the Occupation tech guys' main argument was that those were precisely the kinds of users they were serving, this is even more of a reason to run an operating system that doesn't come with malware guaranteed. Free software also offers better protection against deliberate backdoors and other vulnerabilities because the code can be audited by anyone. While not all of us may have the skills or desire to audit the code of every single application we use, enough people do so to ensure a robust, secure code base and rapid fixes for any vulnerabilities identified.

Values

Occupy LSX claims a "mission to create a more just society, address social and economic inequalities and fight for real democracy". In the 21st century, technology is an increasingly important driver of social change. The Occupy movement itself would not exist in the form it does without technology such as the internet. The internet enables us to reach out, speak out, participate in politics and society like never before. It can flatten the barriers of class, race, gender, sexuality, ability and any number of other diversity characteristics. Yet our access to technology is still often determined by our income. Last year, the Equality and Human Rights Commission found that:

Cost remains a significant barrier for some and it seems likely that the limits of market-driven provision in securing increased levels of access and use has been reached: the so-called final third of the population, within which age and socio-economic status are key drivers, looks likely to remain more digitally excluded. Those with incomes of over £40,000 are more than twice as likely to be online compared with those earning less than £12,000. 65% of those who are not online are in the D and E socio-economic groups.

Between Windows XP (released 2001) and Windows 7 (released 2009), the minimum processor requirements went from 233 MHz to 1 GHz, the RAM needed rose from 64MB to 1GB, and the required space on your hard drive quadrupled from somewhere around 4GB for XP and all its Service Packs to 16GB for the 32-bit version of Windows 7. While the price of the required hardware has dropped correspondingly, so that a computer meeting the Windows 7 requirements now is probably cheaper than a machine meeting the XP spec back in 2001, hardware can still represent a significant capital outlay that poorer households cannot afford. At the same time, older hardware in perfectly good working condition is being made obsolete by bloated software.

By using software made by people whose sole motivation isn't to shift more copies by piggy-backing on Moore's Law, you can extend the useful life of a piece of hardware by at least five if not ten years. A machine struggling to run Windows will happily run Linux and meet most of your end user needs for a good three to five years more; and once it no longer does, it can still perform useful functions as a low-end server in a cupboard somewhere for a while longer.

James Wallbank, founder of Sheffield-based open digital arts space Access Space, has for years known that the Zero-Dollar Laptop is out there. "[Access Space's] technology budget is zero", he says, "but somehow we have managed to build an advanced and reliable computer network that runs the very latest software. (Why doesn't everyone do this?)" Why indeed? Free software makes computing more sustainable as hardware remains in productive use for longer, and more financially accessible, allowing us to address social and economic inequalities in a constructive way.

Skills

Finally, Occupy LSX is clearly an organisation dedicated to educating and empowering people. Tent City University runs events ranging from highly theoretical lectures on international law, to radical poetry workshops and hands-on skills sessions like knitting and crochet. So why not equip people with the skills to use and run free software? There are flavours of Linux available these days which are as usable and intuitive as Windows or MacOS. Even better, there are supportive communities out there, online and off, that will help you get started, answer any questions you might have, and help you get unstuck if you do hit a problem. Introducing people to the world of free software would give them skills for life, make them less dependent on corporations like Apple and Microsoft, and enable them to access technology at a much lower cost. There are worse legacies I could think of.

Image: By Loz Flowers @flickr.com on a CC BY-SA 2.0 licence

The Wisdom of Crowds

How useful is technology in gauging public sentiment? It depends on the context, says Wendy Grossman.

Context is king.

Say to a human, "I'll meet you at the place near the thing where we went that time," and they'll show up at the right place. That's from the 1987 movie Broadcast News: Aaron (Albert Brooks) says it; cut to Jane (Holly Hunter), awaiting him at a table.

But what if Jane were a computer and what she wanted to know from Aaron's statement was not where to meet but how Aaron felt about it? This is the challenge facing sentiment analysis.

At Wednesday's Sentiment Analysis Symposium, the key question of context came up over and over again as the biggest challenge to the industry of people who claim that they can turn Tweets, blog postings, news stories, and other mass data sources into intelligence.

So context: Jane can parse "the place", "the thing", and "that time" because she has expert knowledge of her past with Aaron. It's an extreme example, but all human writing makes assumptions about the knowledge and understanding of the reader. Humans even use those assumptions to implement privacy in a public setting: Stephen Fry could retweet Aaron's words and still only Jane would find the cafe. If Jane is a large organization seeking to understand what people are saying about it and Aaron is 6 million people posting on Twitter, Tom can use sentiment analyzer tools to give a numerical answer. And numbers always inspire confidence...

My first encounter with sentiment analysis was this summer during Young Rewired State, when a team wanted to create a mood map of the UK comparing geolocated tweets to indices of multiple deprivation. This third annual symposium shows that here is a rapidly engorging industry, part PR, part image consultancy, and part artificial intelligence research project.

I was drawn to it out of curiosity, but also because it all sounds slightly sinister. What do sentiment analyzers understand when I say an airline lounge at Heathrow Terminal 4 "brings out my inner Sheldon"? What is at stake is not precise meaning – humans argue over the exact meaning of even the greatest communicators – but extracting good-enough meaning from high-volume data streams written by millions of not-monkeys.

What could possibly go wrong? This was one of the day's most interesting questions, posed by the consultant Meta Brown to representatives of the Red Cross, the polling organization Harris Interactive, and Paypal. Failure to consider the data sources and the industry you're in, said the Red Cross's Banafsheh Ghassemi. Her example was the period just after Hurricane Irene, when analyzing social media sentiment would find it negative. "It took everyday disaster language as negative," she said. In addition, because the Red Cross's constituency is primarily older, social media are less indicative than emails and call center records. For many organizations, she added, social media tend to skew negative.

Earlier this year, Harris Interactive's Carol Haney, who has had to kill projects when they failed to produce sufficiently accurate results for the client, told a conference, "Sentiment analysis is the snake oil of 2011." Now, she said, "I believe it's still true to some extent. The customer has a commercial need for a dial pointing at a number – but that's not really what's being delivered. Over time you can see trends and significant change in sentiment, and when that happens I feel we're returning value to a customer because it's not something they received before and it's directionally accurate and giving information." But very small changes over short time scales are an unreliable basis for making decisions.

"The difficulty in social media analytics is you need a good idea of the questions you're asking to get good results," says Shlomo Argamon, whose research work seems to raise more questions than answers. Look at companies that claim to measure influence. "What is influence? How do you know you're measuring that or to what it correlates in the real world?" he asks. Even the notion that you can classify texts into positive and negative is a "huge simplifying assumption".

Argamon has been working on technology to discern from written text the gender and age – and perhaps other characteristics – of the author, a joint effort with his former PhD student Ken Bloom. When he says this, I immediately want to test him with obscure texts.

Is this stuff more or less creepy than online behavioral advertising? Han-Sheong Lai explained that Paypal uses sentiment analysis to try to glean the exact level of frustration of the company's biggest clients when they threaten to close their accounts. How serious are they? How much effort should the company put into dissuading them? Meanwhile Verint's job is to analyze those "This call may be recorded" calls. Verint's tools turn speech to text, and create color voiceprint maps showing the emotional high points. Click and hear the anger.

"Technology alone is not the solution," said Philip Resnik, summing up the state of the art. But, "It supports human insight in ways that were not previously possible." His talk made me ask: if humans obfuscate their data – for example, by turning off geolocation – will this industry respond by finding ways to put it all back again so the data will be more useful?

"It will be an arms race," he agrees. "Like spam."

Image: (nz)dave @flickr.com: CC BY-NC-ND 2.0 licence

The Identity Layer

Wendy Grossman discusses the dilemma users face in displaying their information to companies online.

This week, the UK government announced a scheme – Midata – under which consumers will be able to reclaim their personal information. The same day, the Centre for the Study of Financial Innovation assembled a group of experts to ask what the business model for online identification should be. And: whatever that model is, what the government's role should be (For background, here's the previous such discussion).

My eventual thought was that the government's role should be to set standards; it might or might not also be an identity services provider. The government's inclination now is to push this job to the private sector. That leaves the question of how to serve those who are not commercially interesting; at the CSFI meeting the Post Office seemed the obvious contender for both pragmatic and historical reasons.

As Mike Bracken writes in the Government Digital Service blog posting linked above, the notion of private identity providers is not new. But what he seems to assume is that what's needed is federated identity – that is, in Wikipedia's definition, a means for linking a person's electronic identity and attributes across multiple distinct systems. What I meant is a system in which one may have many limited identities that are sufficiently interoperable that you can make a choice which to use at the point of entry to a given system. We already have something like this on many blogs, where commenters may be offered a choice of logging in via Google, OpenID, or simply posting a name and URL.

The government gateway circa Year 2000 offered a choice: getting an identity certificate required payment of £50 to, if I remember correctly, Experian or Equifax, or other companies whose interest in preserving personal privacy is hard to credit. The CSFI meeting also mentioned tScheme – an industry consortium to provide trust services. Outside of relatively small niches it's made little impact. Similarly, fifteen years ago, the government intended, as part of implementing key escrow for strong cryptography, to create a network of trusted third parties that it would license and, by implication, control. The intention was that the TTPs should be folks that everyone trusts – like banks. Hilarious, we said *then*. Moving on.

In between then and now, the government also mooted a completely centralized identity scheme – that is, the late, unlamented ID card. Meanwhile, we've seen the growth of a set of competing American/global businesses who all would like to be *the* consumer identity gateway and who managed to steal first-mover advantage from existing financial institutions. Facebook, Google, and Paypal are the three most obvious. Microsoft had hopes, perhaps too early, when in 1999 it created Passport (now Windows Live ID). More recently, it was the home for Kim Cameron's efforts to reshape online identity via the company's now-cancelled CardSpace, and Brendon Lynch's adoption of U-Prove, based on Stefan Brands' technology. U-Prove is now being piloted in various EU-wide projects. There are probably lots of other organizations that would like to get in on such a scheme, if only because of the data and linkages a federated system would grant them. Credit card companies, for example. Some combination of mobile phone manufacturers, mobile network operators, and telcos. Various medical outfits, perhaps.

An identity layer that gives fair and reasonable access to a variety of players who jointly provide competition and consumer choice seems like a reasonable goal. But it's not clear that this is what either the UK's distastefully spelled "Midata" or the US's NSTIC (which attracted similar concerns when first announced) has in mind. What "federated identity" sounds like is the convenience of "single sign-on", which is great if you're working in a company and need to use dozens of legacy systems. When you're talking about identity verification for every type of transaction you do in your entire life, however, a single gateway is a single point of failure and, as Stephan Engberg, founder of the Danish company Priway, has often said, a single point of control. It’s the Facebook cross-all-the-streams approach, embedded everywhere. Engberg points to a discussion paper inspired by two workshops he facilitated for the Danish National IT and Telecom Agency (NITA) in late 2010 that covers many of these issues.

Engberg, who describes himself as a "purist" when it comes to individual sovereignty, says the only valid privacy-protecting approach is to ensure that each time you go online on each device you start a new session that is completely isolated from all previous sessions and then have the choice of sharing whatever information you want in the transaction at hand. The EU's LinkSmart project, which Engberg was part of, created middleware to do precisely that. As sensors and RFID chips spread along with IPv6, which can give each of them its own IP address, linkages across all parts of our lives will become easier and easier, he argues.

We've seen often enough that people will choose convenience over complexity. What we don't know is what kind of technology will emerge to help us in this case. The devil, as so often, will be in the details.

their personal information</a>. The same day, the Centre for the Study
of Financial Innovation assembled a group of experts to <a
href="http://digitaldebateblogs.typepad.com/idm/2011/10/seventh-roundtable-in-the-series-on-identity-and-financial-services-1.html">ask
what the business model for online identification should be</a>. And:
whatever that model is, what the the government's role should be. (For
background, here's the <a
href="http://www.pelicancrossing.net/netwars/2011/09/trust_exercise.html">previous
such discussion</a>.)</p>

<p>My eventual thought was that the government's role should be to set
standards; it might or might not also be an identity services provider.
The government's inclination now is to push this job to the <a
href="http://www.guardian.co.uk/government-computing-network/2011/nov/01/information-assurance-government-policy">private
sector</a>. That leaves the question of how to serve those who are not
commercially interesting; at the CSFI meeting the Post Office seemed the
obvious contender for both pragmatic and historical reasons.</p>

<p>As <a
href="http://www.theinquirer.net/inquirer/news/399/1051399/guardian-tech-guru-away">Mike
Bracken</a> writes in the Government Digital Service blog posting linked
above, the notion of private identity providers is not new. But what he
seems to assume is that what's needed is federated identity – that is,
in <a
href="https://en.wikipedia.org/wiki/Federated_identity">Wikipedia's
definition</a>, a means for linking a person's electronic identity and
attributes across multiple distinct systems. What I meant is a system in
which one may have many limited identities that are sufficiently
interoperable that you can make a choice which to use at the point of
entry to a given system. We already have something like this on many
blogs, where commenters may be offered a choice of logging in via
Google, OpenID, or simply posting a name and URL.</p>

<p>The government gateway circa Year 2000 offered a choice: getting an
identity certificate required payment of £50 to, if I remember
correctly, Experian or Equifax, or other companies whose interest in
preserving personal privacy is hard to credit. The CSFI meeting also
mentioned <a href="http://www.tscheme.org/">tScheme</a> - an industry
consortium to provide trust services. Outside of relatively small niches
it's made little impact. Similarly, fifteen years ago, the government
intended, as part of implementing key escrow for strong cryptography, to
<a href="http://www.cyber-rights.org/crypto/ukdtirep.htm">create a
network of trusted third parties</a> that it would license and, by
implication, control. The intention was that the TTPs should be folks
that everyone trusts – like banks. Hilarious, we said *then*. Moving on.</p>

<p>In between then and now, the government also mooted a completely
centralized identity scheme – that is, the late, <a
href="http://www.newswireless.net/index.cfm/article/8473">unlamented ID
card</a>. Meanwhile, we've seen the growth of a set of competing
American/global businesses who all would like to be *the* consumer
identity gateway and who managed to steal first-mover advantage from
existing financial institutions. Facebook, Google, and Paypal are the
three most obvious. Microsoft had hopes, perhaps too early, when in 1999
it created <a href="http://passport.net">Passport</a> (now Windows Live
ID). More recently, it was the home for <a
href="http://www.theinquirer.net/default.aspx?article=39662">Kim
Cameron</a>'s efforts to reshape online identity via the company's
now-cancelled CardSpace, and <a
href="http://www.theinquirer.net/inquirer/feature/1730563/microsofts-chief-privacy-officer">Brendon
Lynch</a>'s adoption of U-Prove, based on <a
href="http://www.theinquirer.net/inquirer/news/1035306/people-get-protected-from-big-brother-database-threats">Stefan
Brands</a>' technology. U-Prove is now <a
href="http://www.credentica.com">being piloted in various EU-wide
projects</a>. There are probably lots of other organizations that would
like to get in on such a scheme, if only because of the data and
linkages a federated system would grant them. Credit card companies, for
example. Some combination of mobile phone manufacturers, mobile network
operators, and telcos. Various medical outfits, perhaps.</p>

<p>An identity layer that gives fair and reasonable access to a variety
of players who jointly provide competition and consumer choice seems
like a reasonable goal. But it's not clear that this is what either the
UK's distastefully spelled "Midata" or the US's <a
href="http://www.nist.gov/nstic/">NSTIC</a> (which attracted <a
href="http://www.newswireless.net/index.cfm/article/8553">similar
concerns</a> when first announced) has in mind. What "federated
identity" sounds like is the convenience of "single sign-on", which is
great if you're working in a company and need to use dozens of legacy
systems. When you're talking about identity verification for every type
of transaction you do in your entire life, however, a single gateway is
a single point of failure and, as Stephan Engberg, founder of the Danish
company <a href="http://www.priway.com">Priway</a>, has often said, a
single point of control. It’s the Facebook cross-all-the-streams
approach, embedded everywhere. Engberg points to a <a
href="http://digitaliser.dk/resource/896495">discussion paper</a>
inspired by two workshops he facilitated for the Danish National IT and
Telecom Agency (NITA) in late 2010 that covers many of these issues.</p>

<p>Engberg, who describes himself as a "purist" when it comes to
individual sovereignty, says the only valid privacy-protecting approach
is to ensure that each time you go online on each device you start a new
session that is completely isolated from all previous sessions and then
have the choice of sharing whatever information you want in the
transaction at hand. The EU's <a
href="http://sourceforge.net/projects/linksmart/">LinkSmart</a> project,
which Engberg was part of, created middleware to do precisely that. As
sensors and RFID chips spread along with IPv6, which can give each of
them its own IP address, linkages across all parts of our lives will
become easier and easier, he argues.</p>

<p>We've seen often enough that people will choose convenience over
complexity. What we don't know is what kind of technology will emerge to
help us in this case. The devil, as so often, will be in the <a
href="http://www.isc.org/store/logoware-clothing/isc-9-layer-osi-model-cotton-t-shirt">details</a>.</p>

<p><i>Wendy M. Grossman’s <a href="http://www.pelicancrossing.net">Web
site</a> has an extensive archive of her books, articles, and music, and
an <a href="http://www.pelicancrossing.net/nwcols.htm">archive of all
the earlier columns in this series</a>.</i></p>

Image: 'Identity' by comzeradd @flickr.com: CC BY-SA 2.0 licence


ORGZine: the Digital Rights magazine written for and by Open Rights Group supporters and engaged experts expressing their personal views
