Although New Zealand's decision not to allow patents for programs "as such" was welcome, other moves there have been more problematic. For example, after it became clear that the New Zealand intelligence service, the Government Communications Security Bureau (GCSB), illegally wiretapped and spied on Kim Dotcom, the New Zealand government announced that it would change the law so as to make it legal in the future to snoop on New Zealanders as well as on foreigners. Judging by a major new bill that has been unveiled, that was just the start of a thoroughgoing plan to put in place the capability to spy on every New Zealander's Internet activity at any moment.
Here's an excellent analysis of what the bill proposes, from Thomas Beagle, co-founder of the New Zealand digital rights organization Tech Liberty:
The TICS [Telecommunications (Interception Capability and Security)] Bill is a replacement for the Telecommunications (Interception Capability) Act 2004. This law forced communications providers (ISPs, telcos, data networks, etc) to provide "lawful intercept" capabilities so that the Police, SIS and GCSB could access communications once they had a suitable warrant. The new bill expands and clarifies these requirements.
However, the addition of the word "security" is the key to what has changed. The new bill now gives the GCSB sweeping powers of oversight and control over the design, deployment and operation of all data and telecommunications networks run by network providers in New Zealand. The stated reasons are to both protect New Zealand's infrastructure and to ensure that surveillance agencies can spy on traffic when required. As part of this, the GCSB will have the power to stop network providers from reselling overseas services that do not provide these capabilities.
As Beagle goes on to explain, this will have a number of implications, including a requirement to build backdoors into all telecoms networks:
From the Bill:
A network operator must ensure that every public telecommunications network that the operator owns, controls, or operates, and every telecommunications service that the operator provides in New Zealand, has full interception capability.
Note that the surveillance agencies still need to have a legally issued warrant (under the Search & Surveillance Act, NZ SIS Act, or GCSB Act) to actually intercept any communications and there are obligations to avoid capturing communications that are not covered by the warrant.
Here's one way that could dramatically impact Internet users in New Zealand:
It then goes on to give the Minister the power to ban the resale of an off-shore telecommunications service in New Zealand if it does not provide interception capabilities. This could stop the resale of foreign-hosted VPNs, instant message services, email, etc.
Another clause could have major implications for Megaupload:
Network operators must decrypt the intercepted communications if they have provided the encryption, but there is no obligation to do so if the encryption is provided by others.
What does this mean for providers such as Mega (file locker) or LastPass (password storage) who have a business model based on the fact that they supply a cloud product that uses encryption but have deliberately designed it so that they can not decrypt the files themselves? This gives users the assurance that they can trust them with their data. Will the government close them down unless they provide a backdoor into the system?
One deeply troubling aspect is the following:
There is also a provision that allows the courts to receive classified information in a court case in the absence of the defendant or the defendant's lawyer. This applies to information that might reveal details of the interception methods used by the surveillance agency or is about particular operations in relation to any of the functions of the surveillance agency, or is provided as secret information from the surveillance agencies of another country. It can also be used if that disclosure would prejudice security of NZ, prejudice the maintenance of law, or endanger the safety of any person.
As Beagle notes:
particularly offensive to civil liberties are the provisions for convicting people based on secret evidence. How can you defend yourself fairly when you can't even find out the evidence presented against you?
He concludes with an important point:
One must ask where the justification for this expansion of power is coming from. Has New Zealand already been materially affected by attacks on our communications infrastructure? It seems clear that while the GCSB may not be that competent at exercising the powers they already have, they have done a fine job of convincing the government that they can handle a lot more.
That's a question that needs to be put to the governments of other countries, like the US and UK, that are also seeking to extend massively their ability to spy on their own citizens. What evidence do they have that such extreme, liberty-threatening powers are actually necessary, and will make the public safer, rather than simply being a convenient way for governments to identify whistleblowers who expose their incompetence and corruption, say, or to spy on those who dare to oppose them?
My goodness. Yesterday we posted about Rep. Louis Gohmert's incredible, head-shakingly ignorant exchange with lawyer Orin Kerr during a Congressional hearing concerning "hacking" and the CFAA. In that discussion, Gohmert spoke out in favor of being able to "hack back" and destroy the computers of hackers -- and grew indignant at the mere suggestion that this might have unintended consequences or lead people to attack the wrong targets. Gohmert thought that such talk was just Kerr trying to protect hackers.
I thought perhaps Rep. Gohmert was just having a bad day. Maybe he's having a bad month. In a different hearing, held yesterday concerning ECPA reform, Gohmert opened his mouth again, and it was even worse. Much, much worse. Cringe-inducingly clueless. Yell at your screen clueless. Watch for yourself, but be prepared to want to yell.
The short version of this is that he seems to think that when Google has advertisements on Gmail, that's the same thing as selling all of the information in your email to advertisers. And no matter how many times Google's lawyer politely tries to explain the difference, Gohmert doesn't get it. He thinks he's making a point -- smirking the whole time -- that what Google does is somehow the equivalent of government snooping, in that he keeps asking if Google can just "sell" access to everyone's email to the government. I'm going to post a transcript below, and because I simply cannot not interject how ridiculously uninformed Gohmert's line of questioning is, I'm going to interject in the transcript as appropriate.
Rep. Gohmert: I was curious. Doesn't Google sell information acquired from emails to different vendors so that they can target certain individuals with their promotions?
Google lawyer whose name I didn't catch: Uh, no, we don't sell email content. We do have a system -- similar to the system we have for scanning for spam and malware -- that can identify what type of ads are most relevant to serve on email messages. It's an automated process. There's no human interaction. Certainly, the email is not sold to anybody or disclosed.
Gohmert: So how do these other vendors get our emails and think that we may be interested in the products they're selling?
Okay, already we're off to a great start in monumental ignorance. The initial question was based on a complete falsehood -- that Google sells such information -- and after the lawyer told him that this is not true, Gohmert completely ignores that and still asks how they get the emails. It never seems to occur to him that they don't get the emails.
Google lawyer: They don't actually get your email. What they're able to do is through our advertising business be able to identify keywords that they would like to trigger the display of one of their ads, but they don't get information about who the user is or any...
Gohmert: Well that brings me back. So they get information about keywords in our emails that they use to decide who to send promotions to, albeit automatically done. Correct?
NO. Not correct. In fact, that's the exact opposite of what the lawyer just said. Gohmert can't seem to comprehend that Google placing targeted ads next to emails has NOTHING to do with sending any information back to the advertiser. I wonder, when Rep. Gohmert turns on his television to watch the evening news, does he think that the TV station is sending his name, address, channel watching info, etc. back to advertisers? That's not how it works. At all. The advertisers state where they want their ads to appear, and Google's system figures out where to place the ads. At no point does any information from email accounts go back to anyone. And yet Gohmert keeps asking.
And not understanding the rather basic answers. Unfortunately, the lawyer tries to actually explain reality to Gohmert in a professional and detailed manner, when it seems clear that the proper way to answer his questions is in shorter, simpler sentences such as: "No, that's 100% incorrect."
Lawyer: The email context is used to identify what ads are most relevant to the user...
Gohmert: And do they pay for the right or the contractual ability to target those individuals who use those keywords?
Lawyer: I might phrase that slightly differently, but the gist is correct, that advertisers are able to bid for the placement of advertisements to users, where our system has detected might be interested in the advertisement.
Gohmert: Okay, so what would prevent the federal government from making a deal with Google, so they could also "Scroogle" people, and say "I want to know everyone who has ever used the term 'Benghazi'" or "I want everyone who's ever used... a certain term." Would you discriminate against the government, or would you allow the government to know about all emails that included those words?
Okay, try not to hit your head on your desk after that exchange. First, he (perhaps accidentally) gets a statement more or less correct, that advertisers pay to have their ads show up, but immediately follows that up with something completely unrelated to that. First, he tosses in "Scroogled" -- a term that Microsoft uses in its advertising against Gmail and in favor of Outlook.com -- suggesting exactly where this "line" of questioning may have originated. Tip to Microsoft lobbyists, by the way: if you want to put Google on the hot seat, it might help to try a line of questioning that actually makes sense.
Then, the second part, you just have to say huh? The lawyer already explained, repeatedly, that Google doesn't send any information back to the advertiser, and yet he's trying to suggest that the government snooping through your email is the same thing... and Google somehow not giving the government that info is Google "discriminating" against the government? What? Really?
Lawyer: [confounded look] Uh... sir, I think those are apples and oranges. I think the disclosure of the identity...
Gohmert: I'm not asking for a fruit comparison. I'm just asking would you be willing to make that deal with the government? The same one you do with private advertisers, so that the government would know which emails are using which words.
Seriously? I recognize that there are no requirements on intelligence to get elected to Congress, but is there anyone who honestly could not comprehend what he meant by saying it's "apples and oranges"? But, clearly he does not understand that because not only does he mock the analogy, he then repeats the same question in which he insists -- despite the multiple explanations that state the exact opposite -- that advertisers get access to emails and information about email users, and that the government should be able to do the same thing.
Lawyer: Thank you, sir. I meant by that, that it isn't the same deal that's being suggested there.
Gohmert: But I'm asking specifically if the same type of deal could be made by the federal government? [some pointless rant about US government videos aired overseas that is completely irrelevant and which it wasn't worth transcribing] But if that same government will spend tens of thousands to do a commercial, they might, under some hare-brained idea like to do a deal to get all the email addresses that use certain words. Couldn't they make that same kind of deal that private advertisers do?
Holy crap. Gohmert, for the fourth time already, nobody gets email addresses. No private business gets the email addresses. No private business gets to see inside of anyone's email. Seeing inside someone's email has nothing to do with buying ads in email. If the government wants to "do the same deal as private advertisers" then yes it can advertise on Gmail... and it still won't get the email addresses or any other information about emailers, because at no point does Google advertising work that way.
Lawyer: We would not honor a request from the government for such a...
Gohmert: So you would discriminate against the government if they tried to do what your private advertisers do?
No. No. No. No. No. The lawyer already told you half a dozen times, no. The government can do exactly what private advertisers do, which is buy ads. And, just like private advertisers, they would get back no email addresses or any such information.
Lawyer: I don't think that describes what private advertisers...
Gohmert: Okay, does anybody here have any -- obviously, you're doing a good job protecting your employer -- but does anybody have any proposed legislation that would assist us in what we're doing?
What are we doing, here? Because it certainly seems like you're making one of the most ignorant arguments ever to come out of an elected official's mouth, and that's saying quite a bit. You keep saying "private advertisers get A" when the reality is that private advertisers get nothing of the sort -- and then you ignore that (over and over and over and over again) and then say "well if private advertisers get A, why can't the government get A." The answer is because neither of them get A and never have.
Gohmert: I would be very interested in any phrase, any clauses, any items that we might add to legislation, or take from existing legislation, to help us deal with this problem. Because I am very interested and very concerned about our privacy and our email.
If you were either interested or concerned then you would know that no such information goes back to advertisers before you stepped into the room (hell, before you got elected, really). But, even if you were ignorant of that fact before the hearing, the fact that the lawyer tried half a dozen times, in a half a dozen different ways to tell you that the information is not shared should have educated you on that fact. So I'm "very interested" in what sort of "language" Gohmert is going to try to add to legislation that deals with a non-existent problem that he insists is real.
Gohmert: And just so the simpletons that sometimes write for the Huffington Post understand, I don't want the government to have all that information.
Rep. Sensenbrenner: For the point of personal privilege, my son writes for the Huffington Post.
Gohmert: Well then maybe he's not one of the simpletons I was referring to.
Sensenbrenner: He does have a PhD.
Gohmert: Well, you can still be a PHUL.
Har, har, har... wait, what? So much insanity to unpack. First of all, Gohmert seems to think that people will be making fun of him for suggesting that the government should "buy" access to your email on Google. And, yes, we will make fun of that, but not for the reasons that he thinks they will. No one thinks that Gohmert seriously wants the government to buy access to information on Google. What everyone's laughing (or cringing) at is the idea that anyone could buy that info, because you can't. No private advertiser. No government. It's just not possible.
But, I guess we're all just "simpletons."
Seriously, however, we as citizens deserve better politicians. No one expects politicians to necessarily understand every aspect of technology, but there are some simple concepts that you should at least be able to grasp when explained to you repeatedly by experts. When a politician repeatedly demonstrates no ability to comprehend a rather basic concept -- and to then grandstand on their own ignorance -- it's time to find better politicians. Quickly.
As you're probably aware since it's "the big story" right now, General David Petraeus stepped down last week after an FBI investigation turned up an affair he'd been having. It seems that every few hours more news "breaks" on the story, and it keeps getting more involved, with a growing number of players (and with each new revelation the story gets more and more bizarre). However, some have started wondering how and why the FBI was snooping on various emails. The original story was that it came about after Petraeus' mistress allegedly sent threatening (anonymous) emails to another woman, who reported them to the FBI. From that came a wider investigation, which supposedly may involve another General and a variety of other players. But some are realizing that this seems to show how the FBI has pretty free rein in terms of snooping on email accounts hosted online:
Under the 1986 Electronic Communications Privacy Act, federal authorities need only a subpoena approved by a federal prosecutor — not a judge — to obtain electronic messages that are six months old or older. To get more recent communications, a warrant from a judge is required. This is a higher standard that requires proof of probable cause that a crime is being committed.
But even that isn't entirely clear. Folks like Julian Sanchez have been puzzling through the timeline of events and wondering how a simple investigation into a small number of "rude" (but not illegal) emails then uncovered thousands of questionable emails involving a different general as alleged in the news that broke last night. It feels like the FBI may have taken a simple report of misconduct (which may have been driven by another love triangle issue involving an FBI agent who seemed to take the whole thing a lot more personally than makes sense) and turned it into a massive fishing expedition.
Given how fast new parts of this story keep breaking, I'm sure there are still a number of other dominoes to fall, but hopefully this actually gets people to pay attention to just how easy it is for law enforcement to snoop on people's emails these days based on next to nothing.
The draft bill of the UK's "Snooper's Charter", which would require ISPs to record key information about every email sent and Web site visited by UK citizens, and mobile phone companies to log all their calls, was published back in July. Before it is debated by politicians, a Joint Committee from both the House of Commons and House of Lords is conducting "pre-legislative scrutiny."
Jimmy Wales, the founder of Wikipedia, has sharply criticised the government's "snooper's charter", designed to track internet, text and email use of all British citizens, as "technologically incompetent".
He said Wikipedia would move to encrypt all its connections with Britain if UK internet companies, such as Vodafone and Virgin Media, were mandated by the government to keep track of every single page accessed by UK citizens.
He went on to suggest that other Internet companies would do the same, forcing the UK authorities to resort to what he called "black arts" to break the encryption. As he pointed out: "It is not the sort of thing I'd expect from a western democracy. It is the kind of thing I would expect from the Iranians or the Chinese."
To a certain extent, this is just bluster: Wales has no formal power to instruct Wikipedia to encrypt its connections, and even assuming that happened, it's not certain that companies like Google and Facebook would risk fines or imprisonment for their staff by refusing to hand over encryption keys. But Wales' intervention had a big symbolic importance: he's not only the co-founder of Wikipedia -- which even politicians have heard of and probably use -- he's also one of the UK government's own special tech advisers, appointed back in March.
His comments are, therefore, a real slap in the face, and a useful reminder that by pushing for this kind of total surveillance the UK government is not only making itself look oppressive, but stupid too.
from the impossible-doesn't-mean-what-it-used-to dept
Back in 2008, we wrote about how the Indian government was demanding that RIM let it snoop on encrypted messages from Blackberry users. RIM's response was that it was simply impossible to snoop on its enterprise customers' messages, since they set their own encryption keys. A few months later, the government claimed to have cracked RIM's encryption, though the whole claim was sketchy. In 2010, the government again demanded the right to spy on Blackberry users (raising more questions about that encryption cracking claim). RIM apparently offered up a "solution" that the Indian government rejected, because it didn't let them snoop enough (basically it allowed snooping on consumers, but not corporate accounts).
Now, however, there are reports that RIM has come up with a "solution" to let the Indian government spy on enterprise users as well:
RIM recently demonstrated a solution developed by a firm called Verint that can intercept messages and emails exchanged between BlackBerry handsets, and make these encrypted communications available in a readable format to Indian security agencies, according to an exchange of communications between the Canadian company and the Indian government.
If you're a RIM Blackberry customer, and you bought into it because of the security features, now would be the point where you get pretty pissed off and start seeking alternatives. The report from the Economic Times suggests RIM did this because of the "importance" of the Indian market. RIM is clearly in trouble. Its failure to keep up on the innovation front means that the company is clearly struggling. But kowtowing to a government by allowing it to spy on users is hardly the sort of thing that's likely to get you more customers. It seems like it should do exactly the opposite.
As the old joke goes, standards are wonderful things, that's why we have so many of them. But who would have thought that ETSI, the European Telecommunications Standards Institute, has already produced a draft standard on how European governments can snoop on cloud-based services like Facebook and Gmail -- even when encrypted connections are used?
ETSI DTR 101 567, to give it the full title, was pointed out to us by Erich Moechel, who has written an excellent exploration of its elements (original in German). Here's the summary from the draft standard (Microsoft Word format):
The present document provides an overview on requests for handover and delivery of real-time information associated with cloud/virtual services. The report identifies Lawful Interception needs and requirements in the converged cloud/virtual service environment, the challenges and obstacles of complying with those requirements, what implementations can be achieved under existing ETSI LI [Lawful Interception] standards, and what new work may be required to achieve needed Lawful Interception capabilities. Cloud Services in whichever forms they take (Infrastructure, Software, Platform or combinations of these) are often trans border in nature and the information required to maintain Lawful Interception (LI) capability or sufficient coverage for LI support may vary in different countries, or within platforms of different security assurance levels. This work aims to ensure capabilities can be maintained while allowing business to utilise the advantages and innovations of Cloud Services and was undertaken cooperatively with relevant cloud security technical bodies.
As that makes clear, this is being presented as "maintaining" interception capabilities in a world where cloud computing makes previous approaches inapplicable. The new standard specifically mentions social networking, file sharing and video conferencing as new areas that need to be addressed.
One key section spells out how this is to be achieved:
If the traffic is encrypted, the entity responsible for key management must ensure it can be decrypted by the CSP [Communication Service Provider] or LEA [Law Enforcement Agency].
In order to maintain LI coverage the cloud service provider must implement a Cloud Lawful Interception Function (CLIF). This can be by way of Applications Programming Interface (API) or more likely ensuring presentation of information in a format recognisable to interception mechanisms. Deep packet inspection is likely to be a constituent part of this system.
As this makes clear, along with the intercepted information, the standard envisages encryption keys being handed over routinely. Just to make things complete, DPI -- deep packet inspection -- is also regarded as a likely element of the system.
Since this is currently a draft, the threat it represents might be seen as purely theoretical; but a recent article in the Guardian confirms that the UK government "quietly agreed to measures that could increase the ability of the security services to intercept online communication" -- a reference to the ETSI draft.
The Guardian also provides us with some explanation of why this draft just happens to be available at precisely the moment when the UK government is announcing a plan that seems likely to use it:
Etsi has faced criticism in the past for the pre-emptive inclusion of wiretapping capabilities, a decision that critics say encouraged European governments to pass their wiretapping laws accordingly. According to Ross Anderson, professor in security engineering at the University of Cambridge Computer Laboratory, the institute has strong links with the intelligence agencies and has a significant British contingent, along with a number of US government advisers.
It's a classic case of policy laundering; here's how it will probably work.
The British government insists now that it will "only" gather communications data, and not content. At the same time, it will require that ISPs adopt the new ETSI cloud interception standard (once it's been finalized) in the "black boxes" that they must install under the proposed snooping legislation. That will put in place all the capabilities needed for accessing encrypted streams -- since those providing cloud services will be required to hand over the encryption keys -- and hence the content. The UK government may not intend accessing content today, but thanks to the wonders of function creep, when it decides to do it tomorrow the facility will be there waiting for it.
Meanwhile, European governments will be able to point to the UK's adoption of the ETSI standard as just "good practice"; they will ask their own ISPs to implement it, while insisting that they too have no intention of accessing the contents of people's Internet streams either. Until, that is, the day comes -- probably in the wake of some terrorist attack or pedophile scandal -- when the governments will note that since the capability is available, it would be "irresponsible" not to use it to tackle these terrible crimes. The US government will then bemoan the fact that Europe is taking better care of its citizens than it can, and will therefore pass laws requiring US ISPs to install similar real-time access to their systems, and for cloud-based services to hand over the encryption keys. Luckily, there will be a well-tried European standard that can serve as a model....
They say that a lie is halfway around the world before the truth has got its boots on, and the same seems to be true about Internet policy: the bad ideas spread like wildfire, while the good ones languish in obscurity. Snooping on the Net activity of an entire population is the latest example: now Australia wants to join the club that currently consists of the US and UK, with Canada waiting in the wings. Here's part of the EFF's excellent summary of what the Australian government is proposing:
Last week, Australian Attorney General Nicola Roxon submitted to Parliament a package of proposals intended to advance a National Security Inquiry in an effort to expand governmental surveillance powers. In a 60-page discussion paper, Roxon calls for making it easier for law enforcement and intelligence agencies to spy on Twitter and Facebook users, which would likely be achieved by compelling companies to create backdoors to enable surveillance. The proposals also revive a controversial data retention regime. And an especially problematic proposal would go so far as to establish a new crime: failure to assist law enforcement in the decryption of communications.
That last part is clearly modeled on a similar provision requiring encryption keys to be handed to the police on demand found in the UK's Regulation of Investigatory Powers Act. Surprisingly, that was passed back in 2000, but it is only now that most people are waking up to the ridiculous nature of its measures. As Rick Falkvinge explained in a recent post:
You’re not going to be sent to jail for refusal to give up encryption keys. You’re going to be sent to jail for an inability to unlock something that the police think is encrypted. Yes, this is where the hairs rise on our arms: if you have a recorded file with radio noise from the local telescope that you use for generation of random numbers, and the police asks you to produce the decryption key to show them the three documents inside the encrypted container that your radio noise looks like, you will be sent to jail for up to five years for your inability to produce the imagined documents.
In that same column, Falkvinge makes a crucial point:
The next step, of course, is that the citizens protect themselves from snooping -- at which point some bureaucrat will confuse the government’s ability to snoop on citizen’s lives for a right to snoop on citizen’s lives at any time, and create harsh punishments for any citizens who try to keep a shred of their privacy.
This is precisely what is happening in the countries that are bringing in blanket surveillance of their entire populations: just because this is now becoming technically possible, so the argument goes, we must implement such schemes because otherwise terrorists and pedophiles will take advantage of technology in ways that will make their discovery and arrest harder.
But just because something can be done, doesn't mean that it should. Exactly the same argument could be made about installing CCTV in everyone's home: with the falling cost of cameras, and the availability of the Internet, that's now a realistic option. It would also ensure that those same terrorists and pedophiles couldn't use advanced technology like curtains to thwart the forces of law and order.
And yet nobody would seriously suggest bringing in such a scheme, because it is recognized as a step too far, and that there are other ways of catching criminals without recourse to such extreme measures -- using traditional police and intelligence techniques that aren't dependent on deploying technology, but build on basic human skills and professional experience. So why is it suddenly acceptable to bring in the digital equivalent of CCTVs that record our every online move?
One reason is probably because governments can point to each other's plans to show that "everyone" is doing it, which means it is "obviously" a reasonable thing to do. That makes the latest announcement of snooping plans bad not just for Australians, but for everyone else too, since it bolsters the argument that total Net surveillance is the new normal.
Before the SOPA mess heated up last year, we were just as worried about Rep. Lamar Smith's other ridiculous bill, in which he sought to hide massive data retention rules -- effectively requiring every online service provider to keep reams of data about users... and hid it all under a totally bogus claim that it was to "protect children from internet pornographers." This is the most cynical and obnoxious form of lawmaking: to pass something that is incredibly bad and dangerous and pretend that you're doing so to "protect the children from child porn" when the actual bill will do nothing of the sort. Rep. Zoe Lofgren, who saw through Smith's ruse (as she did with SOPA as well), actually offered up an amendment to more accurately call the bill the "Keep Every American's Digital Data for Submission to the Federal Government Without a Warrant Act of 2011," but that got rejected.
Unfortunately, the bill, HR 1981, has already been voted out of committee (something that was successfully stopped with SOPA), so it could come to the floor at any time. As he did with SOPA opposition, Smith's staff is dismissing the online criticism of the bill, insisting it is not as big as people are making it out to be... and that the complaints about the bill are not accurate. Yet, Demand Progress says that it has already received over 90,000 signatures against the bill, and lots of others are speaking out against it. Just as with SOPA, the opposition to such a bad bill does not fall along traditional political lines. You've got DailyKos on the left speaking out against it as well as patriot groups and Ron Paul supporters. And, of course, Reddit has been active as well.
In many ways this bill is significantly worse than SOPA, in that it not only creates a massive new problem for all internet companies, in that they would need to retain all sorts of data, but that it tries to hide it behind a claim that this is for protection against child porn -- something no politician wants to vote against. The costs of maintaining all this info can be quite large, but more importantly, this is the exact opposite of a privacy bill. It's an anti-privacy bill, because the more data that a company has to collect and retain, the more likely it is to leak or be accessed by someone who shouldn't have it (including the government -- which was the point of Lofgren's attempted renaming). Furthermore, the bill does absolutely nothing about the problem it actually claims to be targeting. Nothing in the bill would actually slow or stop child pornographers. The whole name is a red herring to try to get the bill through.
Between this and SOPA, it seems that people should start asking: is Lamar Smith the most anti-internet elected official in the US right now? He's got to be up there if he's not at the top.
There have been plenty of cases where courts have said that it's okay for an employer to snoop on (employer-provided) employee email accounts. And now there's a case saying basically the same thing for colleges and universities. As long as they provided the email system, there's apparently no violation of anti-snooping or data privacy laws. I definitely understand the reasoning here, though one might argue that the relationship between a student and a university is quite different than an employee and employer. And I could see how students might have a much higher expectation of privacy. Still, do students really use university email addresses any more, or do they have their own primary email accounts that they had before heading off to school?
With the rise of smartphone apps, users don't always know what features and functionality those apps may be using. Reports are coming out about various apps that use the phone's microphone (and, sometimes, camera) in somewhat surreptitious ways to gather data. Now, of course, there are certain apps that people expect to use the microphone or a camera -- such as music or TV show identification products. But it's a bit of a surprise that an app such as the massively hyped (and then quickly panned) Color (which is a sort of photo sharing/location-based info service) is making use of your microphone and camera without most users realizing it:
Color uses your iPhone's or Android phone's microphone to detect when people are in the same room. The data on ambient noise is combined with color and lighting information from the camera to figure out who's inside, who's outside, who's in one room, and who's in another, so the app can auto-generate spontaneous temporary social networks of people who are sharing the same experience.
Another app discussed is Shopkick, which gives people rewards for walking into certain stores. While you might think it could accomplish what it needs with GPS, apparently the stores in question have special devices that emit sounds that you can't hear but that the microphone on your phone can pick up, thus "confirming" that you really entered the store.
While the reasoning behind these may be benign, my guess is that most people would feel pretty creeped out about apps turning on either the microphone or camera, without explicitly warning the user and making it clear what's going on (or letting them choose to turn on those features directly). Mike Elgan, who wrote the article linked above, notes (obviously) that surreptitiously turning on your microphone can provide marketers with all sorts of useful data (ya think?), so we should expect it to happen more and more often. Of course, all this is making me think that my Android phone needs an app that warns me whenever the microphone is turned on and lets me block it... Anyone writing that app?