SOPA, H.R.3261, The Stop Online Piracy Act, is a long and complicated act. While I am not a lawyer, I flatter myself that I am literate. However, I do not pretend to fully appreciate this law.
A cursory reading suggests that it pretends to be aimed at "foreign (DMCA) infringing (internet) sites." It burdens and punishes US enterprises directly with the intent of indirectly punishing the so-called "foreign infringing sites. Since most of the sales of these foreign sites are to parties outside the US, they are not likely to be punished very much.
The television advertising that urges support of this law, suggests that it is about resisting "international piracy." It even suggests that on-line piracy is the moral equivalent of piracy on the high seas. One is led to conclude that this is a national, or at least cyber, security issue, justifying a dramatic increase in the police powers of the state.
If you are an Internet service provider (ISP), an Internet search engine provider, a payment network service, or an internet advertising service, the law requires you to identify agents to accept legal orders on your behalf and to provide both controls and operators to filter access or revenue to "foreign infringing sites." As users of all of these services, American citizens will be forced to bear the cost. If you use a foreign site, so censured, for any purpose, you may be unable to access it.
Surprise! This law is sponsored, written, and supported by the publishing industry, the RIAA and the MPAA, Sony, and Nintendo, in a last ditch effort, a futile attempt, to shore up their broken business model.
Throughout history, every time there was an advance in technology that reduced the cost of copying, the authorities have used it to reduce their own cost while attempting to maintain their prices and control. When the end-users of their content have used the same technology to force a change in prices, the authorities have cried foul. They have "screamed like stuck pigs," which is, I suggest, an apt metaphor.
Of course, that has happened many times throughout history and multiple times in the last century. It happened with movable type, the linotype, and the photo-offset press. It happened with magnetic tape recording. It happened with the plain-paper dry-process photo copiers and scanners. It happened with the general purpose digital computer. Let's not forget VHS and MP3 players. The publishers have tried to outlaw all of these. Each time, the publishers have exploited the technology but tried to use the law to resist its use by others.
Every time, their strategy has failed. Every time the price of their product has fallen to the point where it approximates the marginal cost of using the technology to exploit them. That is why one no longer pays $20- for an album but $0.99 for the tracks that one wants. The irony is that the value of their rights actually increase because their sales increase and the illegal copying decreases.
Said another way, Piracy is a service and pricing problem. For example, I stopped looking for free down-loads the day I got iTunes. I use bitTorrent and FrostWire because they are fast, as much as 30 times as fast as ftp, not to access illegal content. Quite candidly, I think that it is a tragedy that collaborative networking has been so tainted by its abuse and misuse that we do not use it for legitimate purposes.
To the extent that this law and these controls, are used to enforce court orders and injunctions they would be limited in their potential for abuse. However, the Department of Justice, the Attorney General. is authorized to use them as part of his police powers.
Of course, it is appropriate that this expansion of power is really to the publishers under the DMCA. After all, they wrote the law, and they have paid for it. As citizens, we should be very suspicious when the interest of the money coincides with those of the politicians, the "control freak" politicians, those who believe that legislation can ensure that hammers hit only nails.
Is it reasonable to believe that this increase in power will not be abused by those who have already abused the power that they have? Not only have the publishers used their power to punish arbitrarily and capriciously, but they have used their power to "take down" pages that they have no rights over but whose content offended them. Noting that they have abused their power to take down pages, do we really want to empower them to take down entire domains.
Note that the role of domain registrars is merely to create the bind between a name and an address, a role similar to that of the Post Office or the publisher of the phone directory. Why not pass a law that the Post Office cannot accept mail that contains DMCA contraband.
The proposed law transfers the burden of proof from the state to the citizen. Penalize first, decide, if at all, later. The law provides no defenses from and remedies for such abuses by either the state or the copyright holder. According to the MPAA and the RIAA, there is no such right as "fair use" merely a defense of fair use.
To the extent that the cost and burdens of this law was to be borne by the publishers and their customers, it might be defensible. However, the law places the cost and burdens on the providers of unrelated services and their customers.
Like the USA Patriot Act, this law, the intended purposes of this law are likely to be dwarfed by the unintended consequences. Law is a blunt instrument, one that we should resort to only when all else fails. Moreover, this specific law is particularly blunt. Without due process, it permits entire sites to be taken down because of any infringing use.
The House Committee with jurisdiction has published a list of tens of industry supporters of the Bill. While roughly half are publishers, there are some that would be subjects of the law. There is also a great deal of popular opposition. I went to YouTube to find the ad promoting the bill but found only videos opposing it. However, while the race is not always to the swift and the legislation is not always to the RIAA and the MPAA, that is how the smart money bets.
I have tried to be measured in my response to this proposed law, I have tried not to "view with alarm." That said, I am much less sanguine now then when I began my research. If you think that I have failed, I invite you to visit YouTube where the proposal is covered with vitriol. I particularly commend to you the speech by Cory Doctorow at the Chaos Computer Conference.
As a citizen, I find this law obnoxious and its sponsors greedy and corrupting. As an information security professional, I expect some, not to say much of its burden to fall on us. But, of course, that is why we are called professionals and are paid the big bucks.
Tuesday, January 10, 2012
Monday, January 2, 2012
His point was not simply that there is an essential level of safety for the acceptance and use of a technology but that there is a necessary level of public trust and confidence that must be sustained. Damage that trust and confidence and the technology will not be used.
Moreover, public trust and confidence is fragile and difficult to sustain. My favorite example is atomic energy. In the late forties and early fifties, proponents of atomic power argued that it would be too cheap to meter. It did prove to be more expensive than that but that is not the reason that we do not use more of it. It is not that it is not safe, or even that its safety is difficult to measure. We continue to burn fossil fuels though they are far more dangerous than atomic energy and we count the bodies in hundreds per year.
Rather it is that Three-Mile Island destroyed the necessary public trust and confidence. Three decades later we have still not succeeded in repairing it. We were getting close when a once in a thousand year event took place at Fukishima. As a result Germany, that gets 23% of its energy from nuclear power, shut down six plants and has announced that it will decommission all of its plants over the next decade. While Germany asserts that it can do this while becoming an energy exporter and reducing its carbon emissions, result of this decision, this, at least arguably disproportionate, response, is that its use of toxic fossil fuels would increase.
I have argued that information technology is different. First, the public does not see IT as being as intrinsically dangerous as energy or transportation. Second, because, just as they "feel" safer in an automobile than on an airplane, they "feel" safer in IT, in part because, as in the automobile, they enjoy some local control. We get a pass that we did not earn.
That said, both the government and the media clearly believe that the public is too complacent about IT. Every breach or compromise is widely reported. Both vulnerability and threat are expressed in hyperbolic, not to say alarming, terms like "Cyber War" and even "Cyber Pearl Harbor." While electronic transactions are demonstrably safer than the same transactions in paper, activity like identity theft, that originates mostly in paper, is blamed on IT. Security and safety are used to resist efficient, not to say necessary and urgent, automation of paper health care records. While the US spends more on international intelligence gathering than the rest of the world combined, activity of others is viewed with alarm and both capability and motive are inferred.
On the other hand, the financial condition of small business, non-profits, and municipalities is being damaged by fraudulent use of their on-line banking credentials. We continue to use mag-stripe and PIN for retail payments, an application for which they were never intended and clearly are not safe. We are spending billions of dollars per year to resist "spam" and malicious code. The software industry continues to ship code with implementation-induced vulnerabilities, doing it over and over rather than doing it right the first time. (Safe software is no more difficult than safe airliners; they do a better job.) The number of records reported breached exceeds the number of people. There is a consensus that controls between the public networks and other infrastructure make those controls vulnerable to misuse and abuse. All of these things erode public trust and confidence. Since we do not know where the breaking point is, we need to err on the safe side.
I do not expect a total melt-down like "Three-mile Island." (Pun intended.) Rather, I expect that use of IT will be resisted at the margins, used less than might be efficient. Health care is the "poster child" for this concern. While it is true that the organization of this industry makes automating it difficult, security and safety concerns, the public's lack of trust, have made it nigh impossible. Those responsible for automating it know that at least part of the public is fearful and would prefer that they fail.
Let me return to Jim Barksdale's analogy to aviation. Like the computer, the airplane began as an expensive toy for a few. They even had their hackers, amateurs who learned by experimentation, those who pushed the envelope of performance, safety, and ethics. As the computer grew up to be "information technology" the plane grew up to be "aviation." Boy did it grow up. My colleague, Dr. Peter Tippett, suggests that in the sixty years from 1937 to 1997, aviation safety improved one thousand fold. Planes are ten times safer than in 1937. Even those DC-3s still operating, and yes there are some, are ten times safer.
We got another ten-fold improvement from better flight procedures and pilot training. Peter says, think check-list. A 1937 pilot would say "Real pilots do not use check-lists." The 1997 pilot would say all pilots, professional or amateur, use check-lists. One might call this "professionalization." After only fifty years our hardware and software now have the controls that we need to resist leakage, preserve integrity, and provide transparency and accountability. Even though our professional associations develop and publish check lists, we are not as professional at using these controls as their existence would suggest.
Finally, we got a ten fold improvement from the timely reporting and sharing of intelligence. From weather to navigation, to traffic, to maintenance, to accident reports. We have a formal system in place, not only for sharing, but in some cases to ensure receipt and compliance. In part because we do not trust one another, and particularly because we do not trust government, in information assurance, we do not share well and question much of what we see.
I confess that I admire the air transport industry, I look to them when people tell me how difficult safe and secure IT is. I hold up their performance as a standard to which we should aspire. We should emulate engineering that produces planes that can be operated safely. In aviation, safety does not yield to schedule or even profit. Think B-787 and the 3 year slip.
We should emulate their training, experience, and professionalism, from pilots to mechanics to those who serve our comfort and safety in the cabin. They have earned and conserve our trust.
We should emulate their collection and use of timely intelligence, a use which manages to get safety information to everyone that can use it while not unnecessarily alarming the public.
As in efficiency, as in infrastructure, everything that we do, or fail to do, increases or decreases necessary public trust and confidence, fragile confidence, maintained at a cost, and which, if broken, we may not be able to repair or replace. It is for this that we are called professionals and are paid the big bucks.