Sony's awesome freakout over folks "hacking" their PS3 product to return the functionality they originally advertised, but then retroactively took away, has been a long and often times hilarious saga. That said, all that freaking out occurred when the PS3 was still in its prime. Now that the console, while still the latest generation of Sony gaming console on the market, is clearly in its twilight years, it will be interesting to see how they react to what Sophos is reporting -- the Playstation 3 being "hacked for good".

The PS3 has been hacked before, but Sony was able to inhibit the hack with an update to its own firmware. This is much like the history of jailbreaking on Apple's iOS, where hackers typically uncover a security vulnerability and exploit it, whereupon Apple patches the hole and suppresses the jailbreak.

But the latest PS3 break is being dubbed unpatchable and the final hack. That's because this hack isn't giving you an exploit to use against a programming hole. It's giving you Sony's so-called LV0 (level zero) cryptographic keys.

If true, the war is over and Sony lost. Hacker collective, the Three Musketeers, reportedly figured this all out some time ago, but now the LV0 keys have been leaked and it's open season on jailbreaking your PS3 (assuming you're technical enough to implement it). And, while it would be very easy to sit back and comment gleefully on the wonderful spirit of curiosity that propels this kind of work, and to likewise point out the futility of stopping people from tinkering with the products they legally bought, I find a different point more compelling.

Quite simply, this war that Sony lost did not need to be fought. They advertised a feature and it was only the subsequent and unilateral removal of that feature, which many customers very much wanted, that created all of this controversy. Without that removal, how much litigation money does Sony save? Without being anti-consumer, how much ill-will do they avoid? And all of that to fight a battle that, not only did they lose, but that they had to know they were overwhelmingly likely to lose over the long haul. Sophos touches on this point in hoping for a different approach in the future.

Let's hope, when the PS4 comes out, that Sony will give up on trying to lock out jailbreakers permanently, and instead provide a way for those who want to run alternative software to do so in official safety.

When King Cnut famously ordered the tide back and failed, he wasn't an arrogant absolute ruler trying to show off. He knew he would fail, and thereby demonstrated that to hold back the tide was impossible - and, in any case, unnecessary - even for a king.

Once I got done snickering at the name King Cnut, I found the analogy perfectly fitting. Hopefully Sony will avoid this war entirely the next go around, though with their track record, I won't be holding my breath.

Science fiction about bionics grossly underestimated how much advanced prosthetics actually cost to develop. The Six Million Dollar Man was off by at least a couple orders of magnitude. But bionic limbs have been getting a lot better over the years, and more Paralympic athletes are becoming famous for their achievements all the time. Here are just a few inspiring links about people and technology making awesome advances in bionics.

• Aimee Mullins has turned her prosthetic legs into a possibly desirable advantage -- prosthetics can make people taller and potentially super-abled instead of disabled. Mullins is a a champion sprinter in the Paralympics, and she has over a dozen different prosthetic legs -- and is having fun with the improving technologies of prosthetic limbs. [url]
• This American Life covered how people can totally miss seeing a one-armed woman. Mary Archbold is a professional dancer who has become incredibly good at concealing her missing appendage. [url]
• An exoskeleton called eLegs was developed with some Pentagon funding and could sell to the general public for about $50,000. Bionics are getting cheaper, but they're not quite ready to make anyone into Iron Man just yet. [url]

If you'd like to read more awesome and interesting stuff, check out this unrelated (but not entirely random!) Techdirt post.

It's that time again, when the Librarian of Congress and the Register of Copyright announce their triennial "rulemaking" on DMCA exemptions for the anti-circumvention clause. Just the fact that they have to do this every three years should show how ridiculous the anti-circumvention clause of the DMCA is. Basically, it's so screwed up that, every three years, the Librarian of Congress gets to randomly decide when the law can be ignored. Maybe... instead of doing that, you fix the law? There are some interesting exemptions, though they're limited. For example, people making "noncommercial" remix videos can apparently use clips from DVDs with specific limitations.

Motion pictures, as defined in 17 U.S.C. § 101, on DVDs that are lawfully made and acquired and that are protected by the Content Scrambling System, where the person engaging in circumvention believes and has reasonable grounds for believing that circumvention is necessary because reasonably available alternatives, such as noncircumventing methods or using screen capture software as provided for in alternative exemptions, are not able to produce the level of high-quality content required to achieve the desired criticism or comment on such motion pictures, and where circumvention is undertaken solely in order to make use of short portions of the motion pictures for the purpose of criticism or comment in the following instances: (i) in noncommercial videos; (ii) in documentary films; (iii) in nonfiction multimedia ebooks offering film analysis; and (iv) for educational purposes in film studies or other courses requiring close analysis of film and media excerpts, by college and university faculty, college and university students, and kindergarten through twelfth grade educators. For purposes of this exemption, "noncommercial videos" includes videos created pursuant to a paid commission, provided that the commissioning entity's use is noncommercial.

In explaining this, they specifically call out the examples of remix videos as to why this should be allowed:

Creators of noncommercial videos provided the most extensive record to support the need for higher-quality source material. Based on the video evidence presented, the Register is able to conclude that diminished quality likely would impair the criticism and comment contained in noncommercial videos. For example, the Register is able to perceive that Buffy vs Edward and other noncommercial videos would suffer significantly because of blurring and the loss of detail in characters' expression and sense of depth.

Of course, it's not all good news. Public Knowledge had put forth a request for an exemption for being able to rip legally purchased DVDs for the sake of watching them on a computer or tablet. This is something that a ton of people already do, but which technically violates the anti-circumvention part of the DMCA. Unfortunately, this request was rejected -- even though it's already acknowledged as legal to do the same thing with CDs -- and, as PK's Michael Weinberg points out, even movie studio bosses seem to recognize that it should be legal to rip your own movies:

And the RIAA and the MPAA agree with you. In 2005, their lawyer (now the Solicitor General of the United States) assured the Supreme Court that "The record companies, my clients, have said, for some time now, and it's been on their Website for some time now, that it's perfectly lawful to take a CD that you've purchased, upload it onto your computer, put it onto your iPod."

Movie executives agree as well. Mitch Singer, the Chief Technology Officer of Sony Pictures Entertainment explained to author Robert Levine that the idea for the movie industry's UltraViolet program evolved out of Singer's own frustration with transferring movies between PCs in his home.

So do members of Congress. Earlier this year, Representative Darrell Issa did a IAmA on Reddit. Rep. Issa told Redditors that it was already perfectly legal to make personal copies of DVDs for their own use.

So what is the reasoning for the rejection? Well, they argue that space shifting might not be legal after all, despite all of the above. They claim that key cases involving the VCR and the mp3 player -- both of which were found to be legal -- do not "provide the legal basis for a broad declaration that space shifting of audiovisual works is a noninfringing use." Think about that for a second.

Also troubling: phone unlocking -- which was an exemption for the past few rounds -- will no longer be an exemption:

In 2006 and 2010, the Librarian of Congress had permitted users to unlock their phones to take them to a new carrier. Now that's coming to an end. While the new rules do contain a provision allowing phone unlocking, it comes with a crippling caveat: the phone must have been "originally acquired from the operator of a wireless telecommunications network or retailer no later than ninety days after the effective date of this exemption." In other words, phones you already have, as well as those purchased between now and next January, can be unlocked. But phones purchased after January 2013 can only be unlocked with the carrier's permission.

And politicians wonder why no one respects copyright any more.

Torrentfreak reports on a really scary ruling coming out of the Netherlands, in which a court found hosting company XS Networks liable and ordered it to pay up because it hosted a torrent site. We've discussed issues of secondary liability, but this goes well beyond what we've seen elsewhere. As TorrentFreak explains, super-aggressive Dutch anti-piracy organization BREIN was trying to shut down the site SumoTorrent and get information about its operators. XS Networks, who briefly hosted the site, pointed out that it required a court order to turn over any info. This is a perfectly reasonable stance. However, it later backed down and reached an "agreement" with BREIN to hand over some info. By that time SumoTorrent had moved on to another host, and the info that XS Networks had to give to BREIN was incorrect or useless. BREIN then claimed that XS Networks was responsible for this situation and sued for damages.

This is the point that any reasonable court would laugh at BREIN and tell its boss Tim Kuik to learn a little something about suing the proper party, rather than a tool provider (especially one who simply asked for a court order before coughing up private info and who later was clearly willing to negotiate in good faith). Instead, the court went in the other direction, and said that SumoTorrent "is clearly facilitating copyright infringement" and that XS Networks should have magically known that to be the case, and shut the site down when BREIN first asked. Even if you're a copyright system supporter, this ruling should scare you. It takes away any sort of due process. Most reasonable people admit that whether or not a site is illegal should require at least a basic adversarial trial in which the site is able to make its case. But here the court ignores all of that, and the fact that it hadn't yet proved SumoTorrent guilty of infringement, and just insists that XS Networks should have magically accepted that BREIN must be right. Talk about a recipe for abuse by BREIN and other copyright holders.

If you're a hosting company in the Netherlands, your legal liability just shot way, way up. Apparently, if you don't magically kick off every site that might be enabling someone to break the law, you yourself may be liable for any illegal actions done on the site (even without such illegality ever being proved). That seems like a great recipe to get a bunch of Dutch hosting companies to reconsider even being in business.

There have been a bunch of stories over the past month or so about how Kim Dotcom is supposedly getting ready to launch a new service called Megabox. We've purposely avoided such stories, mainly because they're pure hype and speculation for vaporware. If he actually launches something then perhaps there's a story there. Also, we're somewhat amazed (or possibly just amused) at Megaupload supporters who seem to already think that Megabox is an amazing idea, since the details reported about it certainly appear to be little different from garden variety malware, injecting ads into other sites. Either way, in a recent profile of Dotcom in Wired, he talks a little more about the new plans, suggesting that it was something to keep them busy while fighting the lawsuit.

That said, it appears that the Justice Department has seen the PR reports about the new vaporware and are effectively pre-warning Dotcom not to go forward with the plan.

A new filing from the DOJ in the US side of the lawsuit (embedded below), is really a response to Megaupload's recent request to have the charges against the company temporarily dismissed until such time as the individual defendants are extradited. As we've explained, this is mostly a procedural fight, over whether or not the company itself can be charged, despite not having a US presence. None of that directly impacts the individuals who have been charged, but certainly could impact the company's ability to launch a new business.

The DOJ filing mostly argues that there is no legal or practical reason to allow the case to be dismissed, even temporarily, as the individuals are still charged, and re-charging the company at a later date will just waste resources. It also argues that Dotcom's US-based lawyers are the real problem here, as they had offered to accept service of the lawsuit in exchange for some sort of deal early on (which the DOJ refused).

What's interesting about the filing is that, without directly addressing the new effort to launch Megabox or whatever Dotcom is calling the new thing, they appear to be warning him that doing so may lead to additional charges against him. The argument as it relates to the procedural question is that, in his push to be allowed to post bail in New Zealand, Dotcom clearly indicated that he would not and could not restart Megaupload or a similar business, because the government had so completely shut him down. As that relates to the procedural question, the DOJ is arguing that there can be no "harm" to the company Megaupload because Dotcom has already said he won't relaunch the company. So if he won't relaunch, what does it matter if the company is charged now or later?

But then the DOJ goes a little further. After it uses all those quotes of him promising not to relaunch anything while out on bail, the DOJ tosses the following into a footnote:

Defense Counsel’s claim that the corporate defendant can and should be allowed to operate undermines the sworn statements of Dotcom that he has no plans or ability to continue to operate or fund the businesses in the Indictment during pendency of the extradition process. If defendant Dotcom intentionally misled the court in New Zealand about his intentions and capabilities in order to obtain his release from pre-extradition confinement, it seems Defense Counsel’s representation might endanger Dotcom’s bail situation or even subject him to additional charges.

In other words, beyond this procedural question, the DOJ is hinting that if Dotcom launches something new, they may say he violated the conditions for getting bail.

The DOJ also uses this as an opportunity to (once again) try to block Megaupload from using its law firm, claiming that because the lawyers are arguing for the case against Megaupload to be dismissed, and this might lead Dotcom to launch something new, that there's a conflict of interest:

The issue raised by the claim of Defense Counsel is particularly awkward since defendant Dotcom is also their client. As the government has pointed out repeatedly, there are a number of conflicts in Defense Counsel’s representations of the various defendants in this matter, of which this is only the most recent example, that have yet to be reviewed by the Court

None of that actually makes much sense. Whether or not they have a legitimate claim for getting the case against Megaupload dismissed, that is a separate issue from whether or not Dotcom launches something new. While I'm guessing the procedural fight is a dead end, the fact that the DOJ is even using that to toss additional threats at Dotcom should he launch his new project shows that they'll leave no stone unturned in trying to hit back at Dotcom.

You would think, given that "Security" is literally the organization's middle name, that the Transportation Security Administration (TSA) would actually have some sort of clue about the basics of security. Apparently not. This week, someone noticed a ridiculous security flaw in the TSA's pre-screening process for "expedited" lines. This is the program where frequent travelers can pay extra to get them in special faster security lines, and where they can skip some of the worst aspects of airport screening: they don't have to take their laptop out, or take off their shoes or belt, and they can bring more liquid than mere peons.

Of course, security experts long ago pointed out that any such system now becomes a target for terrorists, who can focus on getting into that special line and use that lesser security to cause trouble. One response to this is that, even for passengers who qualify for such a program, they're still subject to "random" conventional screenings. However, aviation blogger John Butler realized that the bar code printing on your boarding pass reveals whether or not you'll be "selected" for further scrutiny, and that it's not difficult to check ahead of time to see if you'll have to go through stricter security because the TSA has apparently never heard of encryption.

As Chris Soghoian pointed out, knowing this info ahead of time could allow plotters to plan accordingly:

“If you have a team of four people [planning an attack], the day before the operation when you print the boarding passes, whichever guy is going to have the least screening is going to be the one who’ll take potentially problematic items through security,” said Soghoian, now a senior policy analyst at the American Civil Liberties Union. “If you know who’s getting screened before you walk into the airport, you can make sure the right guy is carrying the right bags.

“The entire security system depends on the randomness,” he said. “If people can do these dry runs, the system is vulnerable."

I guess, when you've always been in the business of "security theater" rather than actual security, it shouldn't come as a surprise that you don't know the first thing about basic security.

In the various Presidential debates, no one seems to want to bring up President Obama's near complete about-face on his promises concerning civil liberties. It's so ridiculous that the Democratic party simply removed the issue from their platform -- and that's because he hasn't just continued former President Bush's abuses of civil liberties, he's gone even further with them. And no one seems to want to ask the candidates about it... except a comedian. When President Obama appeared on The Daily Show recently, Jon Stewart actually asked him about this:

STEWART: I think people have been surprised to see the strength of the Bush era warrantless wiretapping laws and those types of things not also be lessened—That the structures he put in place that people might have thought were government overreach and maybe they had a mind you would tone down, you haven’t.

OBAMA: The truth is we have modified them and built a legal structure and safeguards in place that weren’t there before on a whole range issues.

However, as the EFF explains in great detail, President Obama's answer is simply not true. It's not even close to true.

To the contrary, there’s no indication that the still-active warrantless wiretapping program—which includes a warrantless dragnet on millions of innocent Americans’ communications—has significantly changed from the day Obama took office. With regard to the FISA Amendments Act, the Obama Administration has actively opposed all proposed safeguards in Congress. All the while, his Administration has been even more aggressive than President Bush in trying to prevent warrantless wiretapping victims from having their day in court and has continued building the massive national security infrastructure needed to support it. 

They then go on to look more closely at all of these different promises from President Obama related to this, all of which he's fallen down on. Unfortunately, Stewart doesn't push back on this point, as they then go straight to a joke, before moving on to another topic. Of course, for those of us who aren't shackled to a party and, instead, find civil liberties to be a key issue, we're left with two major candidates who don't seem to care about massive abuses by the federal government.

Copyright troll to the (porn) stars John Steele is no stranger to the pages of Techdirt. His m.o. combines the subtlety of a Mafia shakedown with the careful targeting of a Publishers' Clearinghouse mass mailing. Simply put, Steele tracks IP addresses, then leans on the court system to get ISPs to cough up names and physical addresses of alleged infringers to whom he sends letters full of vague legal threats and potentially embarrassing porn titles.

For a guy with a dubious legal strategy and an ever-growing list of judges who aren't willing to humor his fishing expeditions, he sure talks a big game. Confidence can be an admirable trait, but generally not when it's combined with a Lionel Hutz-esque grasp of any legal matter outside the "shakedown letter" arena.

On the subject of IP addresses not actually equaling a person, Steele offers up this non sequitur:

“Just because wrong person arrested for murder doesn’t mean murder shouldn’t be a crime.”

Innocent people getting arrested for crimes they didn't commit happens way more often than it should. It doesn't nullify the criminal act. It just punishes the wrong person while allowing the guilty party to roam free. There are very real consequences to "arresting the wrong person." Lives get ruined. Civil suits are filed. Careers end. Thousands, if not millions of dollars, are paid out to the victims. And at no point does any normal human suggest that criminal activity should be legalized in order to prevent the innocent from being accused.

If anything, false accusations generally lead toward calls for better investigative work and punishment of those responsible for the miscarriage of justice. However, if Steele falsely accuses someone, he'll likely just move on to the next name on the list. After all, he's got thousands of other targets. Whatever collateral damage results from a porn shakedown is just a problem for the falsely accused to deal with. It's highly unlikely that Steele will ever have to write out a large settlement check to any innocents caught in the crossfire. He may be dealing with some judicial setbacks here and there but, for the most part, he seems to be operating without fear of reprisal.

Steele expounds further on the IP address issue, attempting to tackle the "open wi-fi" issue :

“Don’t let people commit criminal acts on your network,” he says. “If you lend your gun to someone who commits a crime, you’re responsible.”

Wrong. Completely wrong. A person cannot be held criminally responsible for the actions of others, no matter whose weapon it is. With the right lawyer, it's conceivable that the weapon lender might find himself on the losing end of a civil lawsuit (like a wrongful death suit, for example), but these are two very different things. I'm sure Steele feels an open wi-fi connection makes someone an accessory to the illegal act, if not actually aiding and abetting. But the legal stipulations tied to these charges require evidence that the person lending the weapon knew that it would be used in the commission of a crime, or actively aided in the criminal activity. At the very most, lending out a gun would violate the conditions of your permit, which is hardly the same as handing someone a gun/wi-fi connection and inviting them to do bad things.

As much as Steele (and other copyright trolls) would like to believe that not securing your wi-fi should be considered at the very least "negligent," if not actually making the accused responsible for the actions of others, the courts aren't willing to entertain this argument. The latest rejection, courtesy of the California district courts, points out that "negligence" requires a "duty to protect," and your average internet user simply does not have the legal responsibility to protect porn producers from acts of infringement.

On Comcast refusing to turn over subscriber information:

“It’s a business decision for them. They don’t want to lose their clients. But if you step into shoes of your subscribers, you become responsible. Comcast is sheltering people so they can make money."

Wrong again. ISPs are not responsible for the actions of their customers. This is more wishful thinking from copyright trolls who wish to hold someone, anyone, responsible for their clients' woes. ISPs can certainly attempt to regulate their customers' internet usage (if they don't mind angering those customers) and, as the "Six Strikes" plan draws closer, it appears they're going to do exactly that. But under no circumstance should Comcast be held responsible for supplying the connection that allowed John Q. IPAddress to torrent some porn. Not only that, but the accusation that Comcast shelters file sharers in order to "make money" has no factual basis. It's a myth that copyright maximalists draw on again and again, assuming that internet users only pay for a connection in order to pirate content and would instantly disconnect their service if piracy was no longer an option.

“At least my wife loves me."

Well, bully for you, John. Do you suppose she'd love you as much if a threatening letter appeared out of the ether accusing you (perhaps falsely) of downloading a variety of pornographic titles? Would that make any unwelcome waves? Because if you, in any small way, feel that indiscriminately accusing people of downloading porn and relying on the threat of public shaming to expedite payment might possibly be damaging the personal relationships of others, maybe, just maybe, your chosen line of "work" is more "problem" than "solution."

We are often told that we need mega-media news organizations because they, unlike their smaller internet bretheren, are more trustworthy because they fact-check. This is a repeated premise (despite example after example after example showing that it just isn't true), which is why some folks may still be surprised when an organization like CBS can botch their reporting so horrifically. Witness their reporting of a new study put out by the Internet Watch Foundation concerning explicit images that end up on so-called parasite websites.

Eighty-eight percent of homemade pornography, including videos and still images, finds its way onto porn sites, often without the owners’ knowledge, a new study from Britain’s Internet Watch Foundation (IWF) has found.

The study analyzed more than 12,000 sexually explicit images uploaded by young people and found that the great majority of images had been stolen and published to what the organization calls, “parasite” websites.

If you read that first sentence, the one that says that 88% of all homemade pornography ends up online, and didn't immediately begin laughing at the sheer silliness of that number, you're a stronger person than I am. Now, granted, being both a horribly ugly pasty white and being, at best, mildly attractive, I'm not someone prone to taking pictures of my man-junk, nor mid-coitus. But what the hell? Eighty-eight percent? There's no way that could possibly be true.

And, of course, it isn't true. Nor is it even what the report concluded. What it actually concluded was that 88% of explicit images uploaded to the internet end up on parasitic websites. Now, that claim may still be inflated, but it isn't as outlandishly inflated as CBS made it sound. This isn't to say that major media should be 100% accurate all the time, but to claim that journalism will die if this kind of reporting goes away is the kind of over-exaggerated false claim that you would expect...well...I guess CBS to make.

So keep this story in your back pocket for the next time someone tells you how much we need mega-media news because they fact-check. Also make sure you throw some random made up statistics at that person. Hell, if they love major news media so much, there's a 43% chance that they'll believe them one-half of the time. Every time.

We hear the refrain from the entertainment industry all the time, about how they are fighting against modern technology because without it, people don't get paid, and how unfair is that? The RIAA's Cary Sherman keeps talking about all those lost jobs (even though his math doesn't add up), and talking about all the people the movie industry "employs" (exaggerated by an order of magnitude) has become a key part of the MPAA boss Chris Dodd's stump speech.

So, isn't it interesting that the entertainment industry may be facing a potentially big class action problem... for not paying interns? Apparently, it's quite common for entertainment industry heavyweights to take on unpaid interns, usually eager kids hoping to "break into" the business. But, federal law (and the key state laws) are pretty explicit in noting that "free" internships are almost always illegal for for-profit companies.

Now, to be clear, I actually don't think free internships -- entered into willingly -- should be illegal (just as I don't think there's anything wrong with people volunteering to do stuff for free). But if Hollywood is running around whining about getting more people paid... it seems pretty hypocritical to then not pay people working for you.

The demonization of file sharing by copyright maximalists blinds many companies to the fact that it is marketing in its purest form. That's because people naturally only share stuff they think is good, and thus everything on file sharing networks comes with an implicit recommendation from someone. Not only that, but those works that appear on file sharing networks the most are, again by definition, those that are regarded mostly highly by the filesharing public as a whole, many of whom are young people, a key target demographic for most media companies.

What this means is that file sharing is providing some of the most reliable market research you could hope for, because it is totally unprompted -- research, moreover, that is being made freely available to anyone who takes the trouble to gather it. Remarkably few companies seem to have cottoned on to this fact, but one that has is the Australian media giant Fairfax, as reported by TorrentFreak:

At a government broadband conference in Sydney, Fairfax's head of video Ricky Sutton admitted that in a country with one of the highest percentage of BitTorrent users worldwide, his company determines what shows to buy based on the popularity of pirated videos online.

"One of our major ways to get content is going to BitTorrent, and other BitTorrent sites, and find what people are illegally downloading to then go to the content owner and say, 'hey, I watched this last night it's going awesome on BitTorrent' and then say 'how about giving it to us?"

This is such an obviously smart thing to do, you can only wonder at the self-imposed obtuseness of other companies that don't follow suit. And Fairfax's cluefulness doesn't stop there:

Fairfax says it also advertises to BitTorrent users, sharing the revenue they generate from converted pirates with the BitTorrent platforms.

"We then bring [the video content] over here and we advertise on BitTorrent that it’s legally available on our platform, and then pay some revenue share based on it. That’s worked quite effectively," Sutton says.

Again, this is so obvious -- catching people at the point where they are thinking of downloading unauthorized files and converting them into paying users -- that it's crazy that it's not standard practice. If they weren't so prejudiced against such file-sharing sites, media companies would probably be beating a path to their door for the incredible commercial opportunities they offer. Instead, they keep lobbying for harsher enforcement laws that not only penalize current and potential customers -- never a good idea in the long term -- but that will throttle this flow of unique market research.

Follow me @glynmoody on Twitter or identi.ca, and on Google+

We're highly critical of most government cybersecurity efforts for a number of reasons. One is that they are often pushed with totally overblown rhetoric about power grids going down and planes falling from the sky. That said, it's not as though we want our governments to be completely ignorant about security issues online — more realistic threats like data breaches are something we expect them to be protected against, especially as they struggle to bring more and more government services online. Which brings us to another big reason we are critical of new cybersecurity powers for the government: they usually aren't very good at it, and fail to make smart use of the powers and resources they already have. In the US, federal agencies are demanding more information sharing powers without identifying the obstacles they claim to face. In Canada, a public audit reveals that they have made little effort to start sharing security information at all:

Seven years after the Canadian Cyber Incident Response Centre was created to collect, analyse and share information about threats among various levels of government and the private sector, many were "still unclear" about the centre's role and mandate, says the report.

"Some private sector critical infrastructure owners and operators that we interviewed told us they were not sure whether cyber events should be reported to the Government of Canada and, if so, to which agency."

As a result, the centre "cannot fully monitor" Canada's cyber-threat environment, hampering its ability to provide timely advice.

An ineffectual bureaucracy is nothing new, and it can often be fixed by finding the right people to whip it into shape. But you face a much bigger problem when the core culture of your government still fails to comprehend how the internet works or what cybersecurity means — which is where this tidbit comes in:

Further, the centre was still not operating on a 24-hour-a-day, 7-day-a-week basis, as originally intended, shutting down weekdays at 4 p.m. Ottawa time and closing for the weekend.

Yes, that's right — the response center for monitoring cyber threats isn't even open around the clock. It has shorter hours than the brunch menus at most restaurants. Recognizing that this could be a problem, but still completely failing to understand the fundamental stupidity of being "closed for the night" online, the government has plans to extend the hours to 9pm, seven days a week.

How did they get to this ridiculous place, and where are they going? Five years ago the government allocated some money for cybersecurity. Nobody really checked to see if it was accomplishing anything until now, with the Auditor General's report. The audit revealed all these flaws and criticized "limited progress", so as the report came out... the government allocated some more money. Hurray! But not. Because what they still lack is an actual road map — a clear identification of the real cybersecurity threats that exist, a strategy to combat them, some evidence that it will actually work, and a way to check and see if it does. Then they can figure out how much money it will cost, and they can figure out if there are any acceptable new laws that are actually necessary to make it happen. If governments in Canada, the US or anywhere else can't get the basics of cybersecurity right with their existing resources, and can't communicate intelligently about the problems, then neither more money nor more laws will fix anything.

Whether or not you believe that CCTV surveillance makes the world a safer place, there's a big problem with deploying it more widely: you still need someone to look at that footage and pick out the things of interest, and it's much harder adding new personnel than adding new cameras.

Techdirt has already reported on one attempt to get around this problem, based on smartphones and crowdsourcing. The other obvious approach is to automate the process. That is, to develop systems that can be trained to analyze CCTV streams -- perhaps in real time -- in order to try to spot activities that look "suspicious" in some sense, which can then be passed on to human operators for further evaluation and possibly action.

That's exactly the aim of the European Commission's INDECT research project -- short for the rather unwieldy "Intelligent information system supporting observation, searching and detection for security of citizens in urban environment." Here's how it describes itself:

The aim of INDECT is to develop a platform for: the registration and exchange of data associated with threat recognition, acquisition of multimedia content, inteligent processing of information related to automatic threat detection and especially terroristic threats as well as recognition of serious criminal behaviour or violence. New techniques for intelligent analysis of data will allow recognizing such situations, and giving alert before it is too late. The obiective is also to recognise danger events that could lead to terrorist attacks (e.g. left luggage at an airport, automatic recognition of dangerous tools). The definitions of situations and their parameters will be provided by police department.

As this makes clear, the emphasis is very much on analyzing data quickly enough to act on it before crimes are committed or attacks are carried out. However, that last sentence about "parameters" being provided by the police will naturally raise concerns that this is simply a chance for the latter to deploy yet more technology in ways that will be harmful to things like privacy and civil liberties.

To its credit, the INDECT project seems well aware that its work raises important ethical questions:

All of the research activities within INDECT project are carried out so as to ensure the appropriate balance between the protection of the rights of the individual and the protection of society. INDECT research project has an Ethics Board, which was established to ensure strict compliance of research outcomes with already established rules concerning privacy, data protection, to ensure genuine informed consent of all those participating in the project, and to ensure that information is only used for its intended research purpose. It is also responsible for managing and monitoring all ethical aspects of the project. These aspects include the promotion of gender equality.

That comes from a page on INDECT's Web site devoted entirely to ethical issues. The closing paragraph of that section is as follows:

The sentence: "if you have done nothing wrong, you have nothing to fear" is only true if every aspect of the criminal justice system works perfectly, on every occasion. Tools based on INDECT project research outcomes will provide EU Member States with the technology to ensure that decisions around public safety are based on the maximum amount of relevant information available.

This suggests that the project's participants believe that having even more information available about members of the public is not only justified by the deeply-flawed logic "if you have done nothing wrong, you have nothing to fear", but that governments have what amounts to a duty to gather that information in order to make that argument true. It's a wonderfully circular piece of reasoning that totally overlooks the possibility that a better solution might be to gather less information about people in public spaces.

Sadly, it seems that, alongside the copyright ratchet, which only ever allows this intellectual monopoly to get stronger and longer, we now have a surveillance ratchet, which can only envisage large-scale snooping become ever-more pervasive and intrusive.

Follow me @glynmoody on Twitter or identi.ca, and on Google+

In something of a follow up to This American Life's famous episode about the horrors of software patents, the Planet Money team brought on Mark Lemley to talk about how to fix the patent system. If you're aware of Lemley (or read Techdirt) what he talks about isn't all that surprising. He does note that, even if software patents are particularly silly, he doesn't agree with trying to carve them out specifically. Instead, he's still mostly focused on fixing the patent system by properly enforcing the laws already on the books. That means having the USPTO and the courts actually recognize that too many software patents are on general ideas ("functional claiming") when that's not allowed.

Next, the courts and the USPTO need to get much better at rejecting patents for obviousness. He doesn't quite get into how to do this, though I'm still a big fan of using independent invention as a sign of obviousness. He does note that the KSR case (which isn't named in the story) helped move the needle just slightly in the right direction. In that case, the court noted that merely combining two existing inventions is obvious. From there, he suggests recognizing how many patents stack up into an existing innovation -- and what that means. So, using the 250,000 patents in a smartphone as an example, he notes that it's ridiculous for any one patent to hold up innovation in such a scenario, pointing to the MercExchange ruling (again, not named) that said the courts shouldn't issue automatic injunctions for infringement. In other words, when you have 250,000 patents in a smartphone, infringing on one shouldn't hold up the entire device.

The last bit, which still needs work, is fixing damages. Again, using the smartphone example, he points out that when you have 250,000 patents, you can't claim that each patent deserves 5% of the revenue. Otherwise, you don't have smartphones anymore. Of course, fixing damages is still a work in progress. Congress tried to do it with the patent reform bill that was debated for about seven years -- and patent system supporters hit back hard on damages reform, such that the real fixes didn't make it into the final bill. The hope is that the courts will take care of it, but that still seems like a crapshoot.

It's a cliché that we live in a world increasingly awash with digital data. Even though it all comes down to 1s and 0s, not all data is equally important or valuable. Data about clinical trials, for example, is literally a matter of life and death, since it is used to determine whether new drugs should be approved and how they should be used. That gives clinical data a critical role in the approval process: results that support the use of a new drug can lead to big profits, while negative results can mean years of expensive research and development have to be discarded.

Unfortunately, things aren't always clear cut, as an article in PLoS Medicine about Tamiflu makes clear:

Prior to the global outbreak of H1N1 influenza in 2009, the United States alone had stockpiled nearly US$1.5 billion dollars worth of the antiviral. As the only drug in its class (neuraminidase inhibitors) available in oral form, Tamiflu was heralded as the key pharmacologic intervention for use during the early days of an influenza pandemic when a vaccine was yet to be produced. It would cut hospitalizations and save lives, said the US Department of Health and Human Services (HHS).

If it could save lives and reduce complications, spending billions on stockpiling Tamiflu was a reasonable thing to do. But could it do either? Opinion seemed divided:

In contrast, the Food and Drug Administration (FDA), which approved Tamiflu in 1999 and was aware of these same clinical trials [used to support this large-scale stockpiling], concluded that Tamiflu had not been shown to reduce complications, and required an explicit statement in the drug's label to that effect. FDA even cited Roche, Tamiflu's manufacturer, for violation of the law for claims made to the contrary.

That is, even using the same figures from the same set of clinical trials, equally reputable organizations could come to different conclusions. Against that background, it's perhaps no surprise that the question of how much data must be released by drug companies during the approvals process, and in what form, is becoming an area of contention, because even small differences can tip the balance between a drug being approved and widely used -- and hugely profitable -- or barely used at all, and turning into a costly flop.

One battleground is Europe, where clinical trials data is covered by the Clinical trials Directive from 2001. It's currently being revised, not least because compliance costs have increased greatly in recent years:

Compared to the situation prior to the application of the Directive 2001/20/EC, the staff needs for industry sponsors to handle the clinical trial authorisation process have doubled (107 %); with small companies facing an even sharper increase. For non-commercial sponsors, the increase in administrative requirements due to the Directive 2001/20/EC has led to a 98% increase in administrative costs. In addition, since implementation of the Directive 2001/20/EC, insurance fees have increased by 800 % for industry sponsors.

That comes from the opening section of the proposed update to the regulations (pdf). Reducing costs in order to increase the number of drugs that are submitted for authorization is perfectly reasonable: everybody wants additional medicines to be approved that can both help people and support jobs in the pharmaceutical industry. But concerns are being raised that the new EU regulations would cut too many corners in doing so.

David Hammerstein, of the Transatlantic Consumer Dialogue (TACD) forum of US and EU consumer organizations, has the following concerns about the new Directive:

1. Lowers requirements and insurance for so-called "low risk" and "on market" drugs.

2. Easier industry manipulation of methodology to get results they want.

3. Ambiguous on Transparency: no clarity on what databases should be accessible.

4. Little transparency: Allows pharmaceutical industry to present only a summary of their data for EU database.

5. Destruction of valuable clinical data: Allows industry to destroy master files of clinical trial data after five years.

6. Tricky wording to avoid reporting negative results.

7. Whose benefit? Whose risk?

His blog post has more detailed explanations, which is just as well, as the proposed Directive runs to over 100 pages of fairly impenetrable bureaucrat-speak. But assuming his fears are well founded, it certainly seems that the European Commission is going in precisely the wrong direction by providing "Less dependable data, fewer safety requirements and little transparency," as Hammerstein puts it. That would be bad news for any domain, but is especially worrisome when the health of 500 million Europeans is at stake.

Follow me @glynmoody on Twitter or identi.ca, and on Google+