Glyn Moody’s Techdirt Profile

Posted on Techdirt - 11 December 2017 @ 7:40pm

Why Does China Love The 'Sharing Economy'? Not Because Of Communism...

from the if-you-rent-a-cheap-bike,-you-may-be-the-product dept

Something strange has been happening in China. People have been going nuts about bicycles. Specifically, investors have gone crazy over startups that allow people to rent bikes for a fraction of a dollar per hour, and then leave them anywhere, rather than only at special bike stations -- what is known as "dockless" bike-sharing. And now that sector is in trouble, as Bloomberg reports:

In the space of 18 months, dockless bike-sharing has become one of the hottest investment trends in China, with the two biggest players each having raised over $1 billion in venture funds, respectively. That money has funded a revolution on the traffic-choked streets of Chinese cities, giving urbanites a low-cost, carbon-free means to get around quickly. What it hasn't produced is a viable business model. A little over a year into China's bike-sharing boom, the industry's future looks precarious.

Given the extremely low margins, that's no surprise. What is more surprising is that billions of dollars have been invested in these startups, and in similar ones based on renting out everyday objects for short periods of time, letting people pay by using smartphones to scan in QR codes. Other examples include companies offering umbrellas, basketballs, refrigerators, luxury handbags, phone chargers, and even sex dolls (that one didn't last long). An illuminating article in the New York Times has a plausible explanation for China's fascination with the so-called "sharing economy", even though it has nothing to do with real sharing:

None of China's bike-sharing companies are turning a profit yet. But even as they fight for market share, the data is the destination. "Collecting data is the first goal of the sharing economy," says William Chou, the head of Deloitte's telecoms, media and technology practice in China. Every time consumers scan the QR code on a bicycle -- or basketball, handbag, umbrella -- they provide information about habits, locations, behaviors and payment histories. That's invaluable not just to [Chinese Internet giants] Tencent and Alibaba but also to city planners seeking precise information about where to build roads, bridges and subways.

In other words, these "sharing" services are conceptually similar to Facebook or Google: they are provided (nearly) free of charge, but you pay with detailed information about what you do. In the case of Facebook and Google, it's data about your online activities; for the "sharing economy", it's about what you do in the physical world. That's highly prized by companies that want to sell something to people. In China, it's also of great interest to someone else -- the government:

what happens as this data filters into China's new social-credit system, which promises to rate every individual by her financial, social and political worth? In fact, Beijing has authorized Tencent and Alibaba to conduct social-credit pilot testing, and their bikes serve as the perfect vehicles. There are no walls of privacy. The government has the ability to access company data, good or bad, faster than you can scan a QR code.

The ability of "sharing" companies to capture, and governments to access, highly personal data is an important issue for potential customers in the West, which currently lags behind China in the uptake of these kinds of services. However convenient some of them seem, it's worth considering whether you may be paying more than just the attractively low fees when you use them.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+


Posted on Techdirt - 8 December 2017 @ 7:39pm

Top EU Data Protection Body Asks US To Fix Problems Of 'Privacy Shield' Or Expect A Referral To Region's Highest Court

from the please-don't-make-us-do-this dept

The Privacy Shield framework is key to allowing personal data to flow legally across the Atlantic from the EU to the US. As we've noted several times this year, there are a number of reasons to think that the EU's highest court, the Court of Justice of the European Union (CJEU), could reject Privacy Shield just as it threw out its predecessor, the Safe Harbor agreement. An obscure but influential advisory group of EU data protection officials has just issued its first annual review of Privacy Shield (pdf). Despite its polite, bureaucratic language, it's clear that the privacy experts are not happy with the lack of progress in dealing with problems pointed out by them previously. As the "Article 29 Data Protection Working Party" -- the WP29 for short -- explains:

Based on the concerns elaborated in its previous opinions ... the WP29 focused on the assessment of both the commercial aspects of the Privacy Shield and on the government access to personal data transferred from the EU for the purposes of Law Enforcement and National Security, including the legal remedies available to EU citizens. The WP29 assessed whether these concerns have been solved and also whether the safeguards provided under the EU-U.S. Privacy Shield are workable and effective.

As far as the commercial aspects of Privacy Shield are concerned, the WP29 is unhappy about a number of important "unresolved" issues such as "the lack of guidance and clear information on, for example, the principles of the Privacy Shield, on onward transfers [of personal data] and on the rights and available recourse and remedies for data subjects." The issue of US government access to the personal data of EU citizens is even thornier. Although the WP29 welcomed efforts by the US government to become more "transparent on their use of their surveillance powers", the collection of and access to personal data for national security purposes under both section 702 of FISA and Executive Order 12333 were still a problem. On the former, WP29 suggests:

Instead of authorizing surveillance programs, section 702 should provide for precise targeting, along with the use of the criteria such as that of "reasonable suspicion", to determine whether an individual or a group should be a target of surveillance, subject to stricter scrutiny of individual targets by an independent authority ex-ante.

As regards Executive Order 12333, WP29 wants the Privacy and Civil Liberties Oversight Board (PCLOB) "to finish and issue its awaited report on EO 12333 to provide information on the concrete operation of this Executive Order and on its necessity and proportionality with regard to interferences brought to data protection in this context." That's likely to be a bit tricky, because the PCLOB is understaffed due to unfilled vacancies, and possibly moribund. In conclusion, the WP29 "acknowledges the progress of the Privacy Shield in comparison with the invalidated Safe Harbor Decision", but underlines that the EU group has "identified a number of significant concerns that need to be addressed by both the [European] Commission and the U.S. authorities." It spells out what will happen if they aren't sorted out:

In case no remedy is brought to the concerns of the WP29 in the given time frames, the members of WP29 will take appropriate action, including bringing the Privacy Shield Adequacy decision to national courts for them to make a reference to the CJEU for a preliminary ruling.

That is, it will ask the EU's highest court to rule on the so-called "adequacy decision" of the European Commission, in which the Commission decided that Privacy Shield offered enough protection for EU personal data moving to the US. There's a clear implication that WP29 doubts the CJEU's ruling will be favorable unless all the changes it has requested are made soon. And without the Privacy Shield framework, it will be much harder to transfer personal data legally across the Atlantic. Moreover, the EU's data protection laws are about to become even more stringent next year, when the new General Data Protection Regulation (GDPR) becomes enforceable in May 2018. Organizations in breach of the GDPR can be fined up to 4% of annual global turnover (or €20 million, whichever is higher), which means even the biggest Internet companies will have a strong incentive to comply.


Posted on Techdirt - 8 December 2017 @ 1:23pm

Did A Non-Existent Eatery In A Shed Become TripAdvisor's Top-Rated Restaurant In London?

from the can-you-trust-anything-you-read-online-these-days? dept

A key feature of e-commerce sites is the reviews from people who have used them previously. Such recommendations or warnings are even more important online than in the physical world, because it is much easier to set up a virtual shop than a real one, which makes scams a far greater risk online. However, the enhanced importance of site reviews also increases the incentive to create false ones. A cautionary tale about just how misleading reviews can be is provided by an entertaining post on Vice. In it, the journalist Oobah Butler describes how he turned a non-existent eatery into TripAdvisor's top-rated London restaurant. Or at least that's what he claimed. Since this is a story about faking things on the internet, we should admit up front that the story of the faked restaurant might itself be... fake.

Butler had the idea after earning money writing fake positive TripAdvisor reviews for restaurants he'd never been to. He started to wonder how many of the other positive reviews on TripAdvisor were similarly bogus. He idly considered whether it was possible for an entire restaurant to be fake -- that is, non-existent despite all the positive reviews. And then:

one day, sitting in the shed I live in, I had a revelation: within the current climate of misinformation, and society's willingness to believe absolute bullshit, maybe a fake restaurant is possible? Maybe it's exactly the kind of place that could be a hit?

In that moment, it became my mission. With the help of fake reviews, mystique and nonsense, I was going to do it: turn my shed into London's top-rated restaurant on TripAdvisor.

There was nothing particularly sophisticated about Butler's methodology: he simply piled on fake positive reviews, posted by real people from different computers so as to evade TripAdvisor's anti-fraud checks, to drive up the venue's ranking. That detail matters: a check that looks for many reviews sharing an IP address or a device fingerprint sees nothing unusual when each review genuinely comes from a different person on a different machine. He bolstered the plausibility of "The Shed at Dulwich" by creating a Web site -- theshedatdulwich.com -- and a suitably pretentious menu:

Instead of meals, our menu is comprised of moods. You choose which fits your day, and our Chef interprets that. We can also tailor dishes for special occasions and at extra cost.

For example:

Contemplation

A deconstructed Aberdeen stew; all elements of the dish are served to the table as they would be in the process of cooking. Served with warm beef tea.

Butler included a few photos of dishes, still visible on the home page of the Web site. They look appetizing enough, but in his Vice post describing the project, he reveals that they are made out of things like bleach tablets, and plastic sponges covered in paint. One image shows a poached egg resting on a slice of bacon -- except that the bacon is actually Butler's naked foot.

The Shed started out in April this year with a TripAdvisor ranking of 18,149, the worst restaurant in London, according to the site. So Butler piled on the reviews, and watched his ranking rise. The phone began to ring: people wanted to reserve tables at this non-existent restaurant. Butler told them it was booked up for weeks. Emails begging for bookings arrived, as did job applications to work at the business, and free samples from companies in the food industry. After just a few months, The Shed at Dulwich became London's top-rated restaurant on TripAdvisor, with 89,000 search result views in a single day. As Butler writes in his Vice post:

A restaurant that doesn't exist is currently the highest ranked in one of the world’s biggest cities, on perhaps the internet's most trusted reviews site.

He then did two things. First, he told TripAdvisor that he had managed to game its ranking system completely. Here's TripAdvisor's reply:

"Generally, the only people who create fake restaurant listings are journalists in misguided attempts to test us," replies a representative via email. "As there is no incentive for anyone in the real world to create a fake restaurant it is not a problem we experience with our regular community -- therefore this 'test' is not a real world example."

Well, maybe it isn't a "real world example", but it still shows how unreliable an online review system can be. In the case of The Shed, it wasn't that a few of the opinions for the restaurant were bogus, but that every single one was, and that nonetheless the venue ended up as the top-rated eatery in London according to TripAdvisor. Not surprisingly, the restaurant's page has been removed from the service, but there's an archived version to give you an idea of what it looked like at the height of its fake glory.
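To make concrete why the trick in Butler's account works, and what a detector would need to look at instead, here is an added example. It is my own illustration, not code from TripAdvisor, Vice or Butler; TripAdvisor's real anti-fraud tooling is not public and is not modelled here. The venue names, reviewer accounts, IP addresses and timestamps are all constructed. It contrasts a naive duplicate-source check, which a crowd of real helpers on different machines sails straight past, with a velocity check keyed on timing and account history that flags the same burst, and shows what a plain mean-rating ranking does before and after the flagged reviews are dropped.

```python
# Added illustration: why per-IP/device duplicate checks miss a coordinated
# fake-review campaign, and a velocity check that catches the burst.
# Toy code; TripAdvisor's actual anti-fraud tooling is not public and is not
# modelled here. All venues, accounts, IPs and timestamps below are constructed.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Review:
    venue: str
    reviewer: str          # account name (constructed)
    ip: str                # source IP at posting time
    device: str            # device/browser fingerprint id
    rating: int            # 1..5
    posted: datetime
    prior_reviews: int     # reviews the account had posted before this one


def _t(day, hour):
    """Helper: a timestamp inside a constructed June 2017 window."""
    return datetime(2017, 6, day, hour)


# Constructed data: six brand-new accounts rate "the-shed" 5 stars within six
# hours, each from a different IP and device (friends on different computers).
# "corner-cafe" gets three ordinary reviews from established accounts over two weeks.
SAMPLE = [
    Review("the-shed", f"newuser{i}", f"203.0.113.{10 + i}", f"dev-{i}", 5, _t(1, 9 + i), 0)
    for i in range(6)
] + [
    Review("corner-cafe", "alice", "198.51.100.7", "dev-a", 4, _t(1, 12), 14),
    Review("corner-cafe", "bob", "198.51.100.8", "dev-b", 3, _t(6, 19), 30),
    Review("corner-cafe", "carol", "198.51.100.9", "dev-c", 5, _t(14, 20), 8),
]


def duplicate_source_flags(reviews):
    """Naive check: flag a review whose IP or device already reviewed the same venue."""
    seen_ips, seen_devices, flagged = set(), set(), set()
    for r in reviews:
        if (r.venue, r.ip) in seen_ips or (r.venue, r.device) in seen_devices:
            flagged.add(r)
        seen_ips.add((r.venue, r.ip))
        seen_devices.add((r.venue, r.device))
    return flagged


def velocity_flags(reviews, window=timedelta(hours=24), max_fresh_high=3):
    """Flag clusters of high ratings from brand-new accounts landing on one venue
    inside `window`. Distinct IPs and devices do not help the attacker here: the
    signal is timing plus reviewer history, not the posting source."""
    by_venue = defaultdict(list)
    for r in reviews:
        by_venue[r.venue].append(r)
    flagged = set()
    for rs in by_venue.values():
        rs.sort(key=lambda r: r.posted)
        for i, first in enumerate(rs):
            cluster = [
                s for s in rs[i:]
                if s.posted - first.posted <= window
                and s.rating >= 4 and s.prior_reviews == 0
            ]
            if len(cluster) > max_fresh_high:
                flagged.update(cluster)
    return flagged


def mean_rating_ranking(reviews, exclude=frozenset()):
    """Rank venues by mean rating, optionally dropping flagged reviews.
    Venues left with no reviews disappear from the ranking."""
    totals = defaultdict(list)
    for r in reviews:
        if r not in exclude:
            totals[r.venue].append(r.rating)
    return sorted(
        ((sum(v) / len(v), venue) for venue, v in totals.items()), reverse=True
    )


if __name__ == "__main__":
    naive = duplicate_source_flags(SAMPLE)
    burst = velocity_flags(SAMPLE)
    print("duplicate-source flags:", len(naive))          # 0: every review has a unique IP/device
    print("velocity flags:", sorted(r.reviewer for r in burst))
    print("naive ranking:", mean_rating_ranking(SAMPLE))
    print("ranking after velocity filter:", mean_rating_ranking(SAMPLE, burst))
```

The thresholds here (a 24-hour window, more than three fresh-account high ratings) are arbitrary and would be tuned on real traffic; the point is which signals survive the "many real people, many real machines" evasion and which do not.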

The other action taken by Butler was that he opened The Shed for real. You can find out on Butler's Vice post what happened when customers were served microwaved ready meals, surrounded by actors at other tables loudly praising the food, and a DJ playing restaurant sounds in the background to create the right ambience. It's a great story, and a warning that we shouldn't take at face value what we find online -- or what we eat in the physical world. Assuming it's all true, of course....


Posted on Techdirt - 8 December 2017 @ 3:22am

Russia Says Disconnecting From The Rest Of The Net 'Out Of The Question', But Wants Alternative DNS Servers For BRICS Nations

from the think-global,-act-local dept

At the start of the year, we wrote about a call for Russia to make its Internet infrastructure resistant to external attempts to shut it down, and able to work in isolation if need be. It looks like the authorities are moving ahead with the idea:

The Russian Security Council has asked the country's government to develop an independent internet infrastructure for BRICS nations, which would continue to work in the event of global internet malfunctions.

The RT news story has some details on how the BRICS subnet will work:

They decided that the problem should be addressed by creating a separate backup system of Domain Name Servers (DNS), which would not be subject to control by international organizations. This system would be used by countries of the BRICS bloc -- Brazil, Russia, India, China and South Africa.

The plan has evidently developed from a purely Russian intranet system into one that includes the other BRICS nations. Technically, standing up a parallel set of root name servers is easy: the root zone is public, and anyone can serve a copy of it. The hard part is not building the servers but getting resolvers to use them, since a backup root only matters to clients whose resolvers are pointed at it. So there's no reason why the servers shouldn't appear on schedule -- not least because Putin has "personally set a deadline of August 1, 2018 for the completion of the task". Perhaps the most interesting aspect of the story is the following comment by Putin's Press Secretary, Dmitry Peskov:

"Russia’s disconnection from the global internet is of course out of the question," Peskov told the Interfax news agency. However, the official also emphasized that "recently, a fair share of unpredictability is present in the actions of our partners both in the US and the EU, and we [Russia] must be prepared for any turn of events."

That offers a pragmatic recognition that disconnection from the global Internet is no longer an option for a modern state, even if Iran begs to differ. It's true that locally run DNS servers provide some resilience, but the blocking they enable works at the level of names, not addresses: whoever controls the resolvers that a country's users depend on can make foreign domain names simply fail to resolve, or resolve to an address of the state's choosing, without touching any IP-level filtering. That is surely another reason for the move. The caveat is that such name-level blocks bind only users whose devices and ISPs actually send their queries to those resolvers.

This latest proposal is part of a long-running campaign by Russia to wrest control of key aspects of the Internet -- such as the DNS system -- from international bodies, for example during the ITU's World Conference on International Communications (WCIT) in 2012. Russia already had the support of other BRICS governments back then, which suggests they will back the new approach.


Posted on Techdirt - 7 December 2017 @ 7:48pm

UK Court Says Company Is Innocent In Massive Data Breach Caused By Vindictive Employee, But Must Nonetheless Pay Compensation

from the who-said-life-is-fair? dept

It's well known that the EU has laws offering relatively strong protection for personal data -- some companies say too strong. Possible support for that viewpoint comes from a new data protection case in the UK, which follows EU law, where the judge has come to a rather surprising conclusion. Details of the case can be found in a short post on the Panopticon blog, or in the court's 59-page judgment (pdf), but the basic facts are as follows.

In 2014, a file containing personal details of 99,998 employees of the UK supermarket chain Morrisons was posted on a file-sharing Web site. The file included names, addresses, gender, dates of birth, phone numbers (home or mobile), bank account numbers and salary information. Public links to the file were placed elsewhere, and copies of the data sent on a CD to three local newspapers, supposedly by someone who had found it on the Internet. In fact, all the copies originated from Andrew Skelton, a Senior IT Auditor in Morrisons, as later investigations discovered. According to the court, Skelton had a grudge against the company because of a disciplinary process that took place in 2013. As a result of the massive data breach in 2014, Skelton was sentenced to eight years in prison.

The current case was brought by some 5,500 employees named in the leaks, who sought compensation from Morrisons. There were two parts to the claim. One was that Morrisons was directly to blame, and the other that it had "vicarious liability" -- that is, liability for the actions or omissions of others. The UK judge found that Morrisons was not directly liable, since it had done everything it could to avoid personal data being leaked. However, as the Panopticon blog explains:

having concluded that Morrisons was entirely legally innocent in respect of Skelton's misuse of the data, the Judge held that it was nonetheless vicariously liable for Skelton's misdeeds

That is a legal bombshell as far as UK privacy law is concerned, since it means that a company that does everything it reasonably can to prevent personal data being revealed can nonetheless be held vicariously liable for the actions of an employee, even a malicious one. That clearly offers an extremely easy -- if potentially self-damaging -- route for disgruntled employees who want to harm their employers. All they need to do is intentionally leak personal data, and the company they work for will have vicarious responsibility for the privacy breach. In fact, even the judge was worried by the implications of his own decision:

The point which most troubled me in reaching these conclusions was the submission that the wrongful acts of Skelton were deliberately aimed at the party whom the claimants seek to hold responsible, such that to reach the conclusion I have may seem to render the court an accessory in furthering his criminal aims.

As a result, the judge granted leave for Morrisons to appeal against his judgment that it was vicariously liable. Hundreds of thousands of companies around the UK will now be hoping that a higher court, either nationally or even at the EU level, overturns the ruling, and sets a limit on those super-strong data protection laws.


Posted on Techdirt - 4 December 2017 @ 7:35pm

Top EU Privacy Campaigner Says He Wants Lots Of Money For 'None Of Your Business'

from the noyb-is-no-newb dept

We've just written about the Austrian privacy activist Max Schrems, and his continuing battle with Facebook. But it seems Schrems now wants to take things up a notch. He's hoping to found a new privacy organization called the "European Center for Digital Rights", with the domain name of noyb.eu - "none of your business":

The focus of noyb will be on commercial data processing by corporations. Corporate practices are rarely transparent. Internet users are commonly confronted with unlawful practices, agreements and terms and conditions. Their data is linked and sold behind the back of these consumers. Phenomena like big data, profiling and selective targeting are common practice today and will only grow in the future.

Noyb's weapon of choice will be a new EU privacy law:

In May 2018, the new EU General Data Protection Regulation (GDPR) comes into force. It includes massive improvements in the area of privacy enforcement for users. NGOs like noyb will be able to directly take actions for consumers with the relevant authorities and in court, e.g. through class action suits or strategic group action.

It's not all legal actions. Noyb also plans to publish guidelines and best practices to give advice to businesses on how to follow the new GDPR rules to avoid being sued. It also plans to create new digital tools for privacy complaints and privacy inquiries, as well as whistleblowing tools. In the short term, these are some possible goals (pdf):

TECHNICAL: Testing Environment for Apps. As an initial technical research project the organization could review the actual data use by the most popular smartphone apps and thereby develop a testing environment for consistent testing of apps. Existing research has, e.g., shown that some apps access GPS locations or contacts beyond what is strictly necessary for the function used [an important aspect of the GDPR]. The generated evidence could lead to rankings, complaints or legal procedures.

LEGAL: Smartphone Operating Systems. Apple and Google dominate the smartphone market. Their policies are based on a "take it or leave it" basis and allow these companies significant access to the most personal device of most consumers. Enforcement actions in this area could have a substantial impact in the daily life of almost every citizen.

By the end of 2018 noyb hopes to have achieved the following:

Cooperation with at least five major privacy NGOs, five consumer rights organizations, five universities or research institutions and five hacker institutions/spaces.

Basic network of lawyers at least in Austria, Germany, Ireland, Luxembourg and the US.

Support of 10 small external enforcement actions through the enforcement fund.

In the long-term, it has even more ambitious plans. For example, widening the scope of the noyb organization from privacy to other digital rights such as net neutrality, or related consumer rights, and to set up national NGOs in countries that currently lack local initiatives. Of course, this all requires money. Noyb estimates that it needs a minimum of €250,000 in the start-up period of 2018, while the regular operating costs will be around €500,000 per year. It is hoping a combination of sponsorship and crowdfunding will provide those amounts.

Raising the money will probably be the organization's biggest challenge; the legal side is less of a worry, since Schrems has shown more than once that he can take on the biggest Internet companies and win. As with those victories, it's important to note that the legal framework noyb intends to use may be purely European, but the global nature of the Internet and the companies that serve it means the impact of any successful legal action is likely to be felt worldwide.


Posted on Techdirt - 1 December 2017 @ 11:59am

Australian State Wants To Let Tech Companies Ignore Laws And Regulations

from the everyone-is-equal-before-the-law,-but-some-are-more-equal-than-others dept

Here on Techdirt, we are big fans of technology and innovation -- provided, of course, they are not abused. That means we are always happy to see ways of promoting research and development. The state of South Australia (SA) has come up with a rather novel approach to doing just that, spotted by Computerworld:

SA's lower house last month passed the Research, Development and Innovation Bill 2017. The proposed legislation is currently being considered by the state's Legislative Council.

The bill would allow a minister -- via a recommendation to the state's governor -- to suspend the application of laws or regulations to research and development projects or activities in the state.

The logic of the proposed legislation (pdf) seems to be that since technology generally moves much faster than legislation, there may be outdated laws and regulations preventing innovative new products or services from being developed. Rather than trying to repeal or modify those laws -- a process that is invariably long, and often impossible in practice -- they are put into abeyance for up to 18 months, with a possible further 18 months' extension, in order to allow research and development to proceed immediately. However, as the Law Society of South Australia points out in an open letter to the state's attorney-general (pdf):

The Bill confers broad unfettered powers to the Government to override any existing legislation by way of declaration. The Society is concerned that the Bill lacks appropriate safeguards and does not support the Bill.

There is one exception to that "unfettered power": the Aboriginal Heritage Act 2006, which protects Aboriginal cultural heritage in the state, may not be ignored by anyone at any time. Although there may be good reasons for that exemption, the Law Society notes that the Bill does not explain why only this law is mentioned, nor why key criminal laws, and legislation relating to environmental protection, health and safety are not excluded from the scope of the Research, Development and Innovation Bill 2017. For her part, a local politician from the Greens party, Tammy Franks, is worried about the lack of public consultations on the new Bill:

SA attorney-general and Deputy Premier John Rau indicated during lower house debate on the legislation that he had sent copies of the bill to local executives at Google, Amazon, Apple, Tesla, Hill Ltd, Microsoft Australia, Samsung and Facebook.

"That he has consulted with Amazon, Google and Facebook over [this bill] but not the public of South Australia is extraordinary," Franks said.

Many local citizens agreed, and have just succeeded in stopping the Bill in its present form from progressing further:

The Research, Development and Innovation Bill moved through the lower house without opposition but was set aside today in the upper house in the face of questions from Ms Franks and an online petition that garnered over 10,000 signatures within 24 hours.

However, as Franks warns on her website:

"We've stopped this bill for the moment, but I suspect it will be back with a vengeance next year. We'll be keeping our eyes on this one," she concluded.

Franks says her party wants to see the tech industry flourish in South Australia, but not at the expense of legal protection and civil liberties, which seems a reasonable approach.


Posted on Techdirt - 27 November 2017 @ 7:50pm

Yet Another Legal Action By Dogged Privacy Activist Brings Good News And Bad News For Facebook In EU's Highest Court

from the Max-Schrems-strikes-again dept

The Austrian privacy activist Max Schrems has appeared a few times on Techdirt, as he conducts his long-running campaign to find out what Facebook is doing with his personal data, and to take back control of it. In 2011, he obtained a CD-ROM (remember those?) containing all the information that Facebook held about him at that time. More dramatically, in 2015 Schrems persuaded the Court of Justice of the European Union (CJEU) that the Safe Harbor framework for transferring personal data from the EU to the US was illegal under EU laws because of the NSA's spying, as revealed by Edward Snowden. As Schrems' detailed commentary (pdf) on that CJEU judgment explains, the case was specifically about Facebook, although it applied much more generally. Last month, we wrote about another case, currently being referred to the CJEU, concerning Facebook's use of standard contractual clauses (SCCs) (pdf), also known as "model clauses". It's an alternative legal approach for transferring data across the Atlantic, and if the CJEU rules against Facebook again, it could make things rather difficult for the big US Internet companies (but ordinary businesses won't be affected much).

You might think that all these Facebook cases would be more than enough for any privacy activist, but not for Schrems, apparently. He is engaged in yet another legal action that involves Facebook (pdf). As Schrems explains:

[he] has sued Facebook over his private Facebook account at his home court in Vienna, Austria. Schrems accuses Facebook of massively violating strict European privacy laws. The lawsuit includes claims from invalid privacy policies all the way to data sharing with US intelligence services. In addition to bringing his personal claims, he also invited other users to sign over their rights to him, to form a so-called "Austrian style class action" against Facebook, in which he represents other users on a pro bono basis.

This legal action is rather different from the others discussed above, and involves Schrems personally suing Facebook in Austria using civil law. Unusually, he also gathered 25,000 people to join him in a class action against Facebook, each asking for €500 damages. Because of the importance of the legal questions under discussion, Austria's supreme court referred them to the CJEU for a definitive ruling. As is usual, before the CJEU judges themselves rule, one of the court's Advocates General offered a legal opinion, which has just been published. Two questions were considered: whether Schrems could bring a case at all, and whether a class action was possible. Here's Schrems' explanation of what the Advocate General (AG) said for the first issue:

Facebook tried to argue that Mr Schrems cannot bring a lawsuit at his home court, as he would not qualify as a consumer, but as a business. This is despite the fact that the courts have found that the lawsuit is organized on a pro bono basis and he never used his Facebook account in any commercial way.

The strategy of Facebook was to force Schrems to bring his lawsuit at Facebook's home court in Dublin -- where a single case of €500 could cost millions in legal fees. This was clearly rejected by the AG, just like previously by the Higher Regional Court in Vienna: Individuals that fight for their rights as volunteers are not 'businesses' and can enjoy their consumer rights. The AG confirmed: Mr Schrems can bring a 'model case' in Vienna.

On the second question:

the advocate general accepted Facebook's point of view: An "Austrian style class action" is only admissible against an Austrian company -- but not if an Austrian consumer sues a company in another EU member state [Facebook's EU operations have their headquarters in Ireland].

Schrems spends some time explaining why he thinks the Advocate General is wrong, and it's worth reading his thoughts here, since Schrems is naturally something of an expert in this domain after all these years. But as he also points out, what counts is what the five judges who will consider the case at the CJEU decide. Although they usually accept the reasoning of the Advocate General, they don't have to and sometimes disagree. Schrems thinks their judgment will be handed down in January 2018, after which the case will go back to the Austrian courts to make a final ruling based on the CJEU's findings.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

9 Comments | Leave a Comment..

Posted on Techdirt - 20 November 2017 @ 7:44pm

Top German Judges Slam EU Plans To Create Global Court To Enforce Corporate Sovereignty

from the let's-just-make-up-the-laws-as-we-go-along dept

A few weeks ago, we wrote how many -- even the US Trade Representative, Robert Lighthizer -- seem to think it's time for corporate sovereignty, also called "investor-state dispute settlement" (ISDS), to go. For some reason the European Commission disagrees. As Techdirt readers may recall, after receiving a bloody nose in a public consultation about corporate sovereignty, the Commission announced to great fanfare that it was "replacing" ISDS with something called the Investment Court System (ICS). In fact, this amounted to little more than putting lipstick on the ISDS pig, since ICS suffered from the same fundamental flaw: it gave companies unique rights to sue countries in a supra-national court. The EU is still plugging away at the ICS idea, and it now wants to go further by creating a truly global corporate sovereignty system enforced by a new Multilateral Investment Court (pdf), an initiative formally launched a couple of months ago:

the [EU's] approach since 2015 has been to institutionalise the system for the resolution of investment disputes in EU trade and investment agreements through the inclusion of the Investment Court System (ICS). However, due to its bilateral nature, the ICS cannot fully address all the aforementioned problems. Moreover, the inclusion of ICSs in [EU] agreements has costs in terms of administrative complexity and budgetary impact.

The multilateral investment court initiative aims at setting up a framework for the resolution of international investment disputes that is permanent, independent and legitimate; predictable in delivering consistent case-law; allowing for an appeal of decisions; cost-effective; transparent and efficient proceedings and allowing for third party interventions (including for example interested environmental or labour organisations).

When the ICS was first proposed, the German Association of Judges, which Wikipedia describes as "the largest professional organization of judges and public prosecutors in Germany", ripped it to shreds. The same august body has just meted out similar treatment to the Multilateral Investment Court, and has asked the German government "to deny the European Commission the required mandate to negotiate the establishment of a Multinational Investment Court (MIC)."

The document, originally in German, and available in an unofficial translation by EuroMinds Linguistics (pdf), contains a devastating analysis of the MIC and its flaws. For example, it points out that international investment protection law is characterized by a "lack of substantive law principles". That is, there are no global investment laws that the MIC could apply when deciding cases. The MIC would effectively be making it up as it went along. The German Association of Judges points out why the situation would be even worse for the MIC than for the ICS or ISDS tribunals:

Because of [the arbitration courts'] position, they can override decisions of national administrations and courts in favour of an investor. This exercise of power, exercised by an arbitral tribunal, has thus far been limited to the enforcement of individual arbitral awards. However, it would be considerably strengthened if the arbitral tribunals were upgraded to an MIC with permanent jurisdiction, which would operate under an international convention. Together with the investment protection agreements, as part of European law, the MIC Convention will be recognised by international law and can thus bind national courts. This will make the MIC a standard-setting organization.

In other words, the MIC would be able to create what amount to global laws, without any democratic input or scrutiny. The document also explains -- as many have before -- why special investor courts are unnecessary:

The protection of individual goods, including those of investors, is the daily work of the judges of all judicial courts and instances. In principle, these rights can also be claimed by foreign investors.

...

the best investor protection is a functioning, uncorrupted administration and jurisdiction and a democratic legislative process. It is the task of every investor to determine this; they can avoid investments in countries that do not fulfil these standards. If they, nonetheless, take the risk, no special protection is necessary.

Obvious really.

Recognizing that the German government and European Commission will probably try to go ahead with the MIC initiative anyway, the German Association of Judges makes a number of sensible suggestions for improving the idea, and limiting the possible damage. However, the real solution would be for the EU to join other, wiser nations and abolish the system completely.


Posted on Techdirt - 15 November 2017 @ 3:43pm

Professor Says Threats Of Retaliation By China Stopped Publication Of His Book Revealing Chinese Influence In Australia

from the expect-much-more-of-this dept

We've just written about how the Chinese government wanted to censor articles published by two academic publishers, Cambridge University Press (CUP) and Springer. After an initial wobble, CUP ultimately refused, while Springer by contrast decided to kowtow to the authorities. Those incidents concerned the publication in China of articles the Chinese didn't like. Now it seems the Chinese authorities are extending their campaign against inconvenient facts to other countries, in this case Australia:

Prominent Charles Sturt University academic Clive Hamilton said Allen & Unwin was ready to publish his manuscript Silent Invasion, but last week informed him it could no longer proceed because it was worried about defamation action.

"Allen & Unwin said that they were worried about retaliation from Beijing through a number of possible avenues including legal threats, orchestrated by Beijing, and they decided it was too big a risk and so therefore pulled the plug and returned the rights to me," Professor Hamilton said.

As the article on ABC News explains, "Silent Invasion" is about the Chinese Communist Party's activities and growing influence in Australia -- obviously a highly sensitive topic for China. In an email to Professor Hamilton, obtained by ABC News, his former publisher, Allen & Unwin, wrote about what it saw as "potential threats" if it published his book:

The most serious of these threats was the very high chance of a vexatious defamation action against Allen & Unwin, and possibly against you personally as well.

It's a little hard to see how an entire nation might sue successfully for defamation, but that's not the point. Once again, the mere threat of litigation was enough to cause someone -- in this case a publisher -- to self-censor. Interestingly, the ABC News article notes that the Australian government is expected to unveil new legislation soon to counter foreign interference in the country, which suggests that it is becoming a serious problem. We can expect more such attempts to censor overseas sources of information it doesn't like from the increasingly self-confident and intransigent China.


Posted on Techdirt - 15 November 2017 @ 3:23am

A Great Use For Artificial Intelligence: Scamming Scammers By Wasting Their Time

from the I,-for-one,-welcome-our-new-AI-chatbot-overlords dept

As artificial intelligence (AI) finally begins to deliver on the field's broken promises of the last forty years, there's been some high-profile hand-wringing about the risks, from the likes of Stephen Hawking and Elon Musk, among others. It's always wise to be cautious, but surely even AI's fiercest critics would find it hard not to like the following small-scale application of the technology to tackle the problem of phishing scams. Instead of simply deleting the phishing email, you forward it to a new service called Re:Scam, and the AI takes over. The aim is to waste the time of scammers by engaging them with AI chatbots, so as to reduce the volume of phishing emails that they can send and follow up:

When you forward an email you believe to be a scam to me@rescam.org, a check is done to make sure it is a scam attempt, and then a proxy email address is used to engage the scammer. This will flood their inboxes with responses without any way for them to tell who is a chat-bot, and who is a real vulnerable target. Once you've forwarded an email nothing more is required on your part, but the more you send through, the more effective it will be.

Here's how the AI is applied:

Re:scam can take on multiple personas, imitating real human tendencies with humour and grammatical errors, and can engage with infinite scammers at once, meaning it can continue an email conversation for as long as possible. Re:scam will turn the table on scammers by wasting their time, and ultimately damage the profits for scammers.

When you send emails to Re:Scam, it not only ties up the scammers in fruitless conversations, it also helps to train the underlying AI system. The service doesn't require any sign-up -- you just forward the phishing email to me@rescam.org -- and there's no charge. Re:Scam comes from Netsafe, a well-established non-profit online safety organization based in New Zealand, which is supported by government bodies there. It's a nice idea, and it would be interesting to see it applied in other situations. That way we could enjoy the benefits of AI for a while, before it decides to kill us all.
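As an added illustration (this is not code from Re:Scam or Netsafe), here is how the two steps the service describes can be put together in Python: a check that the forwarded message really looks like a scam before anything auto-replies to it, and a reply sent from a hashed proxy address so the forwarder's own address never reaches the scammer. The scoring rules, the proxy domain, the secret and both sample messages are constructed assumptions about how such a pipeline could work, not Re:Scam's actual logic; the chatbot's text is passed in, since generating it is the part of the service the post does not describe.

```python
"""Added example, not Re:Scam's or Netsafe's code: gate a forwarded message
on independent scam indicators, then reply from a proxy alias that never
reveals who forwarded it.  All rules, names and samples are constructed."""
import email
import hashlib
import hmac
import re
from email.message import EmailMessage, Message
from email.utils import parseaddr

PROXY_DOMAIN = "proxy.example"   # assumed; not Re:Scam's real domain
ALIAS_SECRET = b"rotate-me"      # assumed per-deployment secret for alias derivation

# Phrases typical of advance-fee / phishing mail (constructed list).
ADVANCE_FEE_TERMS = ("transfer", "beneficiary", "bank details", "late client",
                     "funds", "next of kin", "confidential", "lottery")
MONEY_RE = re.compile(r"\b(usd|\$)\s?\d[\d,]{3,}")
URGENCY_RE = re.compile(r"\b(urgent|immediately|within 24 hours)\b")


def body_text(msg: Message) -> str:
    """Collect the text/plain parts of a parsed message as one string."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def score_message(raw: str) -> tuple[int, list[str]]:
    """Count independent scam indicators; each reason adds one point."""
    msg = email.message_from_string(raw)
    reasons = []
    sender = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    # Classic 419 pattern: replies are steered to a different mailbox than the sender's.
    if reply_to and reply_to.rpartition("@")[2] != sender.rpartition("@")[2]:
        reasons.append("Reply-To domain differs from From domain")
    body = body_text(msg).lower()
    hits = [t for t in ADVANCE_FEE_TERMS if t in body]
    if len(hits) >= 3:
        reasons.append("advance-fee vocabulary: " + ", ".join(hits))
    if MONEY_RE.search(body):
        reasons.append("large sum of money mentioned")
    if URGENCY_RE.search(body):
        reasons.append("urgency pressure")
    return len(reasons), reasons


def is_probable_scam(raw: str, threshold: int = 2) -> bool:
    """Gate before engaging: require at least `threshold` independent signals."""
    return score_message(raw)[0] >= threshold


def proxy_alias(forwarder_addr: str) -> str:
    """Stable, unguessable alias for the person who forwarded the mail.
    HMAC keeps the real address out of the alias and out of the scammer's hands."""
    tag = hmac.new(ALIAS_SECRET, forwarder_addr.strip().lower().encode(), hashlib.sha256)
    return f"{tag.hexdigest()[:16]}@{PROXY_DOMAIN}"


def build_engagement_reply(raw: str, forwarder_addr: str, persona_text: str) -> EmailMessage:
    """Reply to the scammer from the proxy alias, threaded on the original.
    `persona_text` is whatever the chatbot produced; generating it is out of scope here."""
    msg = email.message_from_string(raw)
    target = parseaddr(msg.get("Reply-To") or msg.get("From", ""))[1]
    reply = EmailMessage()
    reply["From"] = proxy_alias(forwarder_addr)
    reply["To"] = target
    reply["Subject"] = "Re: " + (msg.get("Subject") or "")
    if msg.get("Message-ID"):
        reply["In-Reply-To"] = msg["Message-ID"]
    reply.set_content(persona_text)
    return reply


# Constructed sample messages (not real mail).
SAMPLE_SCAM = """\
From: "Dr. Okafor" <okafor@bank-of-somewhere.example>
Reply-To: <okafor.private@webmail.example>
To: victim@home.example
Subject: URGENT BUSINESS PROPOSAL
Message-ID: <1234@bank-of-somewhere.example>

Dear friend,
I am contacting you regarding the transfer of USD 12,500,000 left by a late
client. You will receive 30% as beneficiary. Please respond immediately with
your bank details so the funds can be released within 24 hours.
"""

SAMPLE_BENIGN = """\
From: alice@corp.example
To: bob@corp.example
Subject: lunch

Want to transfer our 1pm to 2pm? Funds for the team lunch are approved.
"""

if __name__ == "__main__":
    for name, raw in (("scam", SAMPLE_SCAM), ("benign", SAMPLE_BENIGN)):
        score, why = score_message(raw)
        print(f"{name}: score={score} engage={is_probable_scam(raw)} {why}")
    print(build_engagement_reply(SAMPLE_SCAM, "victim@home.example",
                                 "Oh my, this sounds wonderful! How do I start?"))
```

The gate matters as much as the alias: an auto-responder that replies to anything forwarded to it is itself a spam source, and one that replies from the forwarder's real address hands the scammer a confirmed live target. Requiring two independent indicators before engaging, and deriving the alias with a keyed hash rather than from the address itself, addresses both failure modes.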


Posted on Techdirt - 9 November 2017 @ 10:44pm

Recent Intel Chipsets Have A Built-In Hidden Computer, Running Minix With A Networking Stack And A Web Server

from the what-could-possibly-go-wrong? dept

One way of looking at the history of computing is as the story of how the engineering focus rose gradually up the stack, from the creation of the first hardware, through operating systems, and then applications, and focusing now on platform-independent Net-based services. Underneath it all, there's still the processor, even if most people don't pay much attention to it these days. Unregarded it may be, but the world of the chip continues to move on. For example, for some years now, Intel has incorporated something called the Management Engine into its chipsets:

Built into many Intel Chipset–based platforms is a small, low-power computer subsystem called the Intel Management Engine (Intel ME). The Intel ME performs various tasks while the system is in sleep, during the boot process, and when your system is running. This subsystem must function correctly to get the most performance and capability from your PC.

That is, inside recent Intel-based systems, there is a separate computer within a computer -- one the end user never sees and has no control over. Although a feature for some time, it's been one of Intel's better-kept secrets, with details only emerging slowly. For example, a recent article on Network World pointed out that earlier this year, Dmitry Sklyarov (presumably, that Dmitry Sklyarov) worked out that Intel's ME is probably running a variant of the Minix operating system (yes, that Minix.) The Network World article notes that a Google project has found out more about the ME system:

According to Google, which is actively working to remove Intel's Management Engine (MINIX) from their internal servers (for obvious security reasons), the following features exist within Ring -3:

Full networking stack
File systems
Many drivers (including USB, networking, etc.)
A web server

That’s right. A web server. Your CPU has a secret web server that you are not allowed to access, and, apparently, Intel does not want you to know about.

Why on this green Earth is there a web server in a hidden part of my CPU? WHY?

The "Ring-3" mentioned there refers to the level of privilege the ME system effectively holds. As a Google presentation about ME (pdf) explains, operating systems like GNU/Linux run on Intel chips at Ring 0; Ring -3 ("minus 3") trumps everything above it -- including the operating system -- and has total control over the hardware. The label is informal: the ME is a separate microcontroller in the chipset, not an x86 privilege level, which is precisely why nothing running on the main CPU can inspect or constrain it. Throwing a Web server and a networking stack in there too seems like a really bad idea. Suppose there was some bug in the ME system that allowed an attacker to take control? Funny you should ask; here's what we learned earlier this year:

Intel says that three of its ME services -- Active Management Technology, Small Business Technology, and Intel Standard Manageability -- were all affected [by a critical bug]. These features are meant to let network administrators remotely manage a large number of devices, like servers and PCs. If attackers can access them improperly they potentially can manipulate the vulnerable computer as well as others on the network. And since the Management Engine is a standalone microprocessor, an attacker could exploit it without the operating system detecting anything.

As the Wired story points out, that critical bug went unnoticed for seven years. Because of the risks a non-controllable computer within a computer brings with it, Google is looking to remove ME from all its servers, and there's also an open source project doing something similar. But that's difficult: modern systems based on Intel chipsets may refuse to boot without ME. The problems of ME have led the EFF to call on Intel to make a number of changes to the technology, including:

Provide a way for their customers to audit ME code for vulnerabilities. That is presently impossible because the code is kept secret.

Offer a supported way to disable the ME. If that's literally impossible, users should be able to flash an absolutely minimal, community-auditable ME firmware image.

Those don't seem unreasonable requests given how serious the flaws in the ME system have been, and probably will be again in the future. It also seems only fair that people should be able to control fully a computer that they own -- and that ought to include the Minix-based computer hidden within.
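Since the remote-management services mentioned above are exactly the part of the ME an attacker on the network would reach for, here is an added example (not code from the post, Intel, Google or the EFF) of two quick checks a practitioner can run: whether the host OS can see the ME interface at all, and whether a machine answers on Intel AMT's fixed listener ports with the AMT web server's banner. The port numbers and the "Intel(R) Active Management Technology" `Server:` header are Intel's documented values; the sample HTTP response and the fake sysfs tree used for testing are constructed, and the live network probe is only exercised when you point it at a real host.

```python
"""Added example (not from the Techdirt post, Intel, Google or the EFF):
detect whether a machine exposes the Management Engine's remote-management
surface, from inside the OS and from the network.

1. On the host: Linux binds the ME through the `mei_me` driver and exposes it
   as /dev/mei0 and /sys/class/mei/mei0; their presence means the OS can talk
   to the ME, a prerequisite for in-band provisioning.
2. From the network: Intel AMT listens on fixed ports (16992/16993 HTTP/HTTPS,
   16994/16995 redirection, 623/664 ASF/RMCP) and its HTTP server names itself
   in the Server: header.  A host answering there is AMT-enabled and reachable
   regardless of what the operating system's firewall does.
"""
import os
import socket
from typing import Dict, Iterable, Optional

# Intel AMT / ASF listener ports (Intel's documented values).
AMT_PORTS = {623, 664, 16992, 16993, 16994, 16995}
AMT_SERVER_BANNER = "Intel(R) Active Management Technology"


def me_interface_present(root: str = "/") -> bool:
    """True if the host OS can see the ME interface (mei_me driver bound).
    `root` lets a test point at a constructed filesystem tree."""
    candidates = (
        os.path.join(root, "dev", "mei0"),
        os.path.join(root, "sys", "class", "mei", "mei0"),
    )
    return any(os.path.exists(p) for p in candidates)


def parse_server_header(http_response: bytes) -> Optional[str]:
    """Return the Server: header value from a raw HTTP response, if present."""
    head, _, _ = http_response.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"server":
            return value.strip().decode("latin-1", "replace")
    return None


def banner_is_amt(http_response: bytes) -> bool:
    """Does the response announce the AMT embedded web server?"""
    server = parse_server_header(http_response)
    return server is not None and AMT_SERVER_BANNER in server


def classify_ports(open_ports: Iterable[int]) -> Dict[str, object]:
    """Map the set of open ports on a host to an AMT exposure verdict."""
    hits = sorted(set(open_ports) & AMT_PORTS)
    return {
        "amt_ports_open": hits,
        "web_ui": bool({16992, 16993} & set(hits)),
        "redirection": bool({16994, 16995} & set(hits)),
        "verdict": "AMT listener exposed" if hits else "no AMT listener seen",
    }


def probe_host(host: str, ports: Iterable[int] = AMT_PORTS,
               timeout: float = 1.0) -> Dict[str, object]:
    """Live check: connect to each AMT port, then grab the HTTP banner on 16992."""
    open_ports = []
    for port in sorted(ports):
        try:
            with socket.create_connection((host, port), timeout=timeout):
                open_ports.append(port)
        except OSError:
            continue
    result = classify_ports(open_ports)
    if 16992 in open_ports:
        try:
            with socket.create_connection((host, 16992), timeout=timeout) as s:
                s.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
                result["banner_is_amt"] = banner_is_amt(s.recv(4096))
        except OSError:
            result["banner_is_amt"] = None
    return result


if __name__ == "__main__":
    import sys
    print("ME interface visible to this OS:", me_interface_present())
    for target in sys.argv[1:]:
        print(target, probe_host(target))
```

Run it with one or more hostnames to sweep a subnet's management interfaces. An open 16992 with the AMT banner is the case the Wired story describes: a listener the operating system did not start, cannot see in its own socket table, and cannot close.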


Posted on Techdirt - 9 November 2017 @ 4:25pm

Algorithmic Videos Are Making YouTube Unsuitable For Young Children, And Google's 'Revenue Architecture' Is To Blame

from the so-how-do-we-fix-it? dept

There's an interesting article on Medium by James Bridle that's generating plenty of discussion at the moment. It has the title "Something is wrong on the internet", which is certainly true. Specifically, what the article is concerned about is the following:

Someone or something or some combination of people and things is using YouTube to systematically frighten, traumatise, and abuse children, automatically and at scale, and it forces me to question my own beliefs about the internet, at every level.

I recommend reading the article so that you can decide whether it is a perspicacious analysis of what's wrong with the Internet today, or merely another of the hyperbolic "the Internet is corrupting innocent children" screeds that come along from time to time. As an alternative -- or in addition -- you might want to read this somewhat more measured piece from the New York Times, which raises many similar points:

the [YouTube Kids] app contains dark corners, too, as videos that are disturbing for children slip past its filters, either by mistake or because bad actors have found ways to fool the YouTube Kids algorithms.

In recent months, parents like Ms. Burns have complained that their children have been shown videos with well-known characters in violent or lewd situations and other clips with disturbing imagery, sometimes set to nursery rhymes.

The piece on Medium explores a particular class of YouTube Kids videos that share certain characteristics. They have bizarre, keyword-strewn titles like "Bad Baby with Tantrum and Crying for Lollipops Little Babies Learn Colors Finger Family Song 2" or "Angry Baby vs Spiderman vs Frozen Elsa BABY DROWNING w/ Maleficent Car Pink Spidergirl Superhero IRL". They have massive numbers of views: 110 million for "Bad Baby" and 75 million for "Angry Baby". In total, there seem to be thousands of them with similar, strange titles, and similar, disturbing content, which collectively are racking up billions of views.

As Bridle rightly notes, the sheer scale and downright oddness of the videos suggests that some are being generated, at least in part, by automated algorithms that churn out increasingly-deranged variations on themes that are already popular on YouTube Kids. The aim is to garner as many views as possible, and to get children to watch yet more of the many similar videos. More views means more revenue from advertising: alongside the video, before it, or even in it -- some feature blatant product placement. Young children are the perfect audience for this kind of material: they are inexperienced, and therefore are less likely to dismiss episodes as poor quality; they are curious, and so will probably watch closely to see what happens, no matter how absurd and vacuous the storyline; and they probably don't use ad blockers. As Bridle says in his Medium post:

right now, right here, YouTube and Google are complicit in that system [of psychological abuse]. The architecture they have built to extract the maximum revenue from online video is being hacked by persons unknown to abuse children, perhaps not even deliberately, but at a massive scale.

That may be overstating it, but it is certainly true that YouTube's "revenue architecture", based on how many views videos achieve, tends to produce a race to the bottom in terms of quality, and a shift to automated production of endless variations on popular themes -- both with the aim of maximizing the audience.

YouTube has just announced that it will try to restrict access by young children to this type of video, a move that it rather improbably claims has nothing to do with the recent articles. But given the potential harm that inappropriate material could produce when viewed by young children, there's a strong argument that Google should apply other criteria in order to de-emphasize such offerings. A possible approach would be to allow adults to rate the material their children see, using a mechanism separate from the current "like" and "dislike". Google could then use adverse parental ratings to scale back payments it makes to channels, while good ratings from adults would cause income to be boosted. Parents would need to sign up before rating material, but that's unlikely to be a significant barrier to participation for those who care about what their children watch.

Although there is always a risk of such systems being gamed, the sheer scale of the audience involved -- millions of views for a video -- makes it much harder than for material that has smaller reach, where bogus votes skew results more easily. Google would anyway need to develop systems that can detect attempts to use large-scale bots to boost ratings. The fact that the company has become quite adept at spotting and blocking spam at scale on Gmail suggests it could create such a system if there were enough pressure from parents to do so.

If Google adopted such a reward system, Darwinian dynamics are likely to lead to better-quality content for children, where "better" is defined by the broad consensus of what adults want their children to see. Other ways that Google could encourage such content to be produced would be to allow parents to boost further what they regard as valuable content with one-off donations or regular subscriptions. Techdirt readers can doubtless come up with other ways of providing incentives to YouTube channels to move away from the automated and often disturbing material many are increasingly filled with.


Posted on Techdirt - 6 November 2017 @ 3:23am

Top Academic Publisher Kowtows To China: Censors Thousands Of Papers, Denies It Is Censorship

from the comments-that-insult-our-intelligence dept

It's no secret that the Chinese authorities wish to have control over every aspect of life in China, including what people say and do online. Here they are laying down what academic papers people can read, as reported by a new story in the New York Times:

One of the world's largest academic publishers was criticized on Wednesday for bowing to pressure from the Chinese government to block access to hundreds of articles on its Chinese website.

Springer Nature, whose publications include Nature and Scientific American, acknowledged that at the government's request, it had removed articles from its mainland site that touch on topics the ruling Communist Party considers sensitive, including Taiwan, Tibet, human rights and elite politics.

The publisher defended its decision, saying that only 1 percent of its content was inaccessible in mainland China.

And if you think that its comment is ridiculous -- "only" one percent is over 7000 articles -- wait till you read what Springer said in its official statement on the move, reported by the Fresno Bee:

"This action is deeply regrettable but has been taken to prevent a much greater impact on our customers and authors and is in compliance with our published policy," the statement said. "This is not editorial censorship and does not affect the content we publish or make accessible elsewhere in the world."

According to Springer, it is not really censoring articles in China, because people outside can still read them. That insults both Chinese researchers, whom Springer clearly thinks don't count, and our intelligence.

What makes Springer's pusillanimity even more reprehensible is that another leading academic publisher was also told to censor articles in China, but took a different course of action. Back in August, Cambridge University Press (CUP) was ordered by the Chinese authorities to censor 300 articles from its journal China Quarterly. Initially, like Springer, it complied, but came to its senses a couple of days later:

It said the academic leadership of the university had reviewed the publisher's decision and agreed to reinstate the blocked content with immediate effect to "uphold the principle of academic freedom on which the university’s work is founded".

If Springer fails to do the same, researchers will be justified in concluding that, unlike CUP, it does not uphold that principle of academic freedom. In which case, they may decide to publish their future work elsewhere.


Posted on Techdirt - 1 November 2017 @ 3:24am

Time To Get Rid Of Corporate Sovereignty? USTR Robert Lighthizer Seems To Think So

from the you-either-are-in-the-market,-or-you're-not-in-the-market dept

As we noted a couple of months ago, the topic of corporate sovereignty -- also known as investor-state dispute settlement (ISDS) -- has rather dropped out of the public eye. One post on the subject from earlier this year pointed out that an editorial in the Financial Times had called for ISDS to be "ditched". That was welcome but surprising. At the time, it seemed like an outlier, but it now looks more as if it was simply ahead of the field, as many more have started to call for the same. For example, 230 law and economics professors are urging President Trump to remove corporate sovereignty from NAFTA and other trade deals (pdf). From a rather different viewpoint, here's Dan Ikenson, a director at the Cato Institute, calling for ISDS to be absent from a re-negotiated NAFTA:

U.S. negotiators should offer to drop their rules-of-origin and sunset provision demands in exchange for agreement to expunge the controversial dispute settlement provisions under Chapters 11 and 19. These provisions are unnecessary, raise fundamental questions about sovereignty and constitutionality, and fuel trade agreement opposition on both the political left and right.

It's all very well for professors and pundits to call for corporate sovereignty to go, but what do the people who have the power -- the politicians -- think? Well, here's the newly-elected prime minister of New Zealand, Jacinda Ardern, speaking on the topic:

We remain determined to do our utmost to amend the ISDS provisions of TPP. In addition, Cabinet has today instructed trade negotiation officials to oppose ISDS in any future free trade agreements.

Finally, and arguably most importantly, this is what the US Trade Representative, Robert Lighthizer, said recently (reported on Forbes):

It's always odd to me when the business people come around and say, 'Oh, we just want our investments protected.' … I mean, don't we all? I would love to have my investments guaranteed. But unfortunately, it doesn't work that way in the market. … I've had people come in and say, literally, to me: 'Oh, but you can't do this: you can't change ISDS. … You can't do that because we wouldn't have made the investment otherwise.' I’m thinking, 'Well, then why is it a good policy of the United States government to encourage investment in Mexico?' … The bottom line is, business says: 'We want to make decisions and have markets decide. But! We would like to have political risk insurance paid for by the United States' government.' And to me that's absurd. You either are in the market, or you're not in the market.

Whether that extraordinarily sensible analysis is ultimately converted into action remains to be seen: there will be plenty of lobbying against the idea. But the fact that so many are now making the call for corporate sovereignty to be dropped from existing and future trade deals does, at least, make it much more likely that it will happen soon.


Posted on Techdirt - 30 October 2017 @ 7:53pm

Move By Top Chinese University Could Mean Journal Impact Factors Begin To Lose Their Influence

from the and-no-bad-thing,-either dept

The so-called "impact factors" of journals play a major role in the academic world. And yet people have been warning about their deep flaws for many years. Here, for example, is Professor Stephen Curry, a leading advocate of open access, writing on the topic back in 2012:

I am sick of impact factors and so is science.

The impact factor might have started out as a good idea, but its time has come and gone. Conceived by Eugene Garfield in the 1970s as a useful tool for research libraries to judge the relative merits of journals when allocating their subscription budgets, the impact factor is calculated annually as the mean number of citations to articles published in any given journal in the two preceding years.

The rest of that article and the 233 comments that follow it explain in detail why impact factors are a problem, and why they need to be discarded. The hard part is coming up with other ways of gauging the influence of people who write in high-profile publications -- one of the main reasons why many academics cling to the impact factor system. A story in Nature reports on a bold idea from a top Chinese university in this area:

One of China's most prestigious universities plans to give some articles in newspapers and posts on major social-media outlets the same weight as peer-reviewed publications when it evaluates researchers.

It will work like this:

articles have to be original, written by the researcher and at least 1,000 words long; they need to be picked up by major news outlets and widely disseminated through social media; and they need to have been seen by a large number of people. The policy requires an article to be viewed more than 100,000 times on WeChat, China's most popular instant-messaging service, or 400,000 times on news aggregators such as Toutiao. Articles that meet the criteria will be considered publications, alongside papers in peer-reviewed journals.

The university has also established a publication hierarchy, with official media outlets such as the People's Daily considered most important, regional newspapers and magazines occupying a second tier, and online news sites such as Sina, NetEase or Sohu ranking third.

One of the advantages of this idea is that it recognizes that publishing in non-academic titles can be just as valid as appearing in conventional peer-reviewed journals. It also has the big benefit of encouraging academics to communicate with the public -- something that happens too rarely at the moment. That, in its turn, might help experts learn how to explain their often complex work in simple terms. At the same time, it would allow non-experts to hear about exciting new ideas straight from the top people in the field, rather than mediated through journalists, who may misunderstand or distort various aspects.

However, there are clear risks, too. For example, there is a danger that newspapers and magazines will be unwilling to accept articles about difficult work, or from controversial academics. Equally, mediocre researchers who hew to the government line may benefit from increased exposure, even resulting in them being promoted ahead of other, more independent-minded academics. Those are certainly issues. But what's interesting here is not just the details of the policy itself, but the fact that it was devised and is being tried in China. That's another sign that the country is increasingly a leader in many areas, and no longer a follower.


Posted on Techdirt - 30 October 2017 @ 3:39am

European Parliament Agrees Text For Key ePrivacy Regulation; Online Advertising Industry Hates It

from the how-dare-people-refuse-to-be-tracked-online dept

Techdirt has mentioned a couple of times the EU's important ePrivacy Regulation that is currently working its way through the legislative process. It's designed to complement the EU's new General Data Protection Regulation (GDPR), which comes into force next year, and which is likely to have far-reaching effects. Where the GDPR is concerned with personal data "at rest" -- how it is stored and processed -- the ePrivacy Regulation can be thought of as dealing with personal data in motion. That is, how it is gathered and flows across networks. Since that goes to the heart of how the Internet works, it will arguably have an even bigger impact than the GDPR on the online world -- not just in the EU, but globally too.

That's led to lobbying on an unprecedented scale. A recent report on the Regulation by Corporate Europe Observatory quoted a source in the European Parliament as saying it was "one of the worst lobby campaigns I have ever seen". Despite that pressure, and a last-minute attempt to derail proceedings, the European Parliament has just agreed a text for the ePrivacy Regulation. That's not the end of the story -- the other parts of the European Union legislative machine will weigh in with their views, and seek to make changes, but it's an important milestone.

The European Parliament has produced an excellent briefing on the background to the ePrivacy Regulation (pdf), and on its main elements. A key feature is that it will apply to every business supplying Internet-based services, not just telecom companies. It will also regulate any service provided to end-users in the EU, no matter where the company offering it may be based. There are strict new rules on tracking services -- including, but not limited to, cookies. Consent to tracking "must be freely given and unambiguous" -- it cannot be assumed by default or hidden away on a Web page that no one ever reads. Cookie walls, which only grant access to a site if the visitor agrees to be tracked online, will be forbidden under the new ePrivacy rules.

IAB Europe, the main European-level association for the digital media and advertising industry, says giving the public the right to refuse to be tracked amounts to "expropriation":

"The European Parliament's text on the ePrivacy Regulation would essentially expropriate advertising-funded businesses by banning them from restricting or refusing access to users who do not agree to the data collection underpinning data-driven advertising," warned Townsend Feehan, CEO of IAB Europe.

The press release then goes on to make the claim that online advertising simply must use tracking, and that visitors to a site are somehow morally obliged to give up their privacy in order to preserve the advertiser's "fundamental rights":

"Data-driven advertising isn't an optional extra; it is online advertising," explained Feehan. "Forcing businesses to grant access to ad-funded content or services even when users reject the proposed advertising value exchange, basically deprives ad-funded businesses of their fundamental rights to their own property. They would be forced to give something in return for nothing."

However, IAB Europe graciously goes on to say it "will continue to engage constructively with the EU institutions in hopes of meaningfully improving the draft law in the remaining legislative process." Translated, that means it will lobby even harder to get the cookie wall ban removed from the text during the final negotiations. IAB Europe is naturally most concerned with the issues that affect its members. But the European Parliament's text -- not the final one, remember, so things could still change -- includes some other extremely welcome elements. For example, the Regulation in its present form would require EU Member States to promote and even make mandatory the use of end-to-end encryption. Moreover, crypto backdoors would be explicitly banned:

In order to safeguard the security and integrity of networks and services, the use of end-to-end encryption should be promoted and, where necessary, be mandatory in accordance with the principles of security and privacy by design. Member States should not impose any obligation on encryption providers, on providers of electronic communications services or on any other organisations (at any level of the supply chain) that would result in the weakening of the security of their networks and services, such as the creation or facilitation of "backdoors".

As the above extracts indicate, the European Parliament's text offers strong support for the user's right to both encryption and privacy online. For that reason, we can expect it to be attacked fiercely from a number of quarters as haggling over the final text takes place within the EU. Unfortunately, unlike the European Parliament's discussions, these negotiations will take place behind closed doors.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+


Posted on Techdirt - 26 October 2017 @ 3:23am

The Good News: You Can Download Hawking's PhD For Free; The Bad News: It Took 50 Years To Make It Happen

from the why-are-we-waiting? dept

Techdirt has been writing about the (slow but steady) rise of open access for a decade. That's as long as the Annual International Open Access Week has been running. Cambridge University came up with quite a striking way to join in the celebrations:

Stephen Hawking's PhD thesis, 'Properties of expanding universes', has been made freely available to anyone, anywhere in the world, after being made accessible via the University of Cambridge's Open Access repository, Apollo.

The 1966 doctoral thesis by the world's most recognisable scientist is the most requested item in Apollo with the catalogue record alone attracting hundreds of views per month. In just the past few months, the University has received hundreds of requests from readers wishing to download Professor Hawking's thesis in full.

The idea has been quite a hit -- literally, since the demand for Hawking's thesis was so great on Monday that it hit the Apollo server hard enough to take it offline for a while. The Guardian reported:

A University of Cambridge spokesperson said: "We have had a huge response to Prof Hawking's decision to make his PhD thesis publicly available to download, with almost 60,000 downloads in less than 24 hours.

"As a result, visitors to our Open Access site may find that it is performing slower than usual and may at times be temporarily unavailable."

Popular as the 1966 PhD has proved, the point of the exercise was to spread the word about open access. Hawking is quoted as saying:

Anyone, anywhere in the world should have free, unhindered access to not just my research, but to the research of every great and enquiring mind across the spectrum of human understanding.

Cambridge University made a further announcement to mark Open Access Week. Dr Arthur Smith, Deputy Head of Scholarly Communication, said:

From October 2017 onwards, all PhD students graduating from the University of Cambridge will be required to deposit an electronic copy of their doctoral work for future preservation. And like Professor Hawking, we hope that many students will also take the opportunity to freely distribute their work online by making their thesis Open Access. We would also invite former University alumni to consider making their theses Open Access, too.

That's great, as is the free availability of Hawking's PhD. But the question for both has to be: why has it taken so long -- 50 years in the case of the thesis? Even allowing for the fact that the Internet was not a mass medium for 30 of those 50 years, there was nothing stopping Cambridge University from putting PhDs online from the mid-1990s. Similarly, why make depositing theses as open access optional? The University would be quite justified in requiring the thesis of any PhD it grants to be online and freely downloadable immediately under a suitable CC license. The moment to make that happen is now, not in another 10 years' time.


Posted on Techdirt - 23 October 2017 @ 3:31pm

How To Avoid Future Krack-Like Failures: Create Well-Maintained 'Fat' Protocols Using Initial Coin Offerings

from the blockchain-cryptocurrency-fashionable-moi? dept

It came as something of a shock to learn recently that several hugely popular security protocols for Wi-Fi, including WPA (Wireless Protected Access) and WPA2, were vulnerable to a key re-installation attack (pdf). A useful introduction from the EFF puts things in context, while more technical details can be found on the krackattacks.com site, and in a great post by Matthew Green. As well as the obvious security implications, there's another angle to the Krack incident that Techdirt readers may find of note. It turns out that one important reason why a fairly simple flaw was not spotted earlier is that the main documentation was not easily accessible. As Wired explains:

The WPA2 protocol was developed by the Wi-Fi Alliance and the Institute of Electrical and Electronics Engineers (IEEE), which acts as a standards body for numerous technical industries, including wireless security. But unlike, say, Transport Layer Security [TLS], the popular cryptographic protocol used in web encryption, WPA2 doesn't make its specifications widely available. IEEE wireless security standards carry a retail cost of hundreds of dollars to access, and costs to review multiple interoperable standards can quickly add up to thousands of dollars.

The obvious way to avoid this issue is to ensure that key protocols are all freely available so that they can be scrutinized by the greatest number of people. But the Wired article points out that there's a different problem in that situation:

Even open standards like TLS experience major, damaging bugs at times. Open standards have broad community oversight, but don't have the funding for deep, robust maintenance and vetting.

It's another well-known concern: just because protocols and software are open doesn't necessarily mean that people will find even obvious bugs. That's because they may not have the time to look for them, which in turn comes down to incentives and rewards. Peer esteem only goes so far, and even hackers have to eat. If they receive no direct reward for spending hours searching through code for bugs, they may not bother.

So if we want to avoid major failures like the Krack vulnerability, we need to do two things. First, key protocols and software should be open and freely available. That's the easy part, since openness is now a well-accepted approach in the digital world. Secondly, we need to find a way to reward people for looking at all this stuff. As Krack shows, current incentives aren't working. But there's a new approach that some are touting as the way forward. It involves the fashionable idea of Initial Coin Offerings (ICO) of cryptocurrency tokens. A detailed article on qz.com explains how ICOs can be used to fund new software projects by encouraging people to buy tokens speculatively:

The user would pay for a token upfront, providing funds for coders to develop the promised technology. If the technology works as advertised and gains popularity, it should attract more users, thus increasing demand for the token offered at the start. As the token value increases, those early users who bought tokens will benefit from appreciating token prices.

It's that hope of future investment gains that would encourage people to buy ICO tokens from a risky venture. But it's not just the early users who benefit from a technology that takes off. A key idea of this kind of ICO is that the coders behind the technology would own a sizable proportion of the total token offering; as the technology becomes popular, and tokens gain in value, so does their holding.

This novel approach could be applied to protocol development. The hope is that by creating "fat" protocols that can capture more of the value of the ecosystem that is built on top of them, there would be funds available to pay people to look for bugs in the system, which would be totally open. It's an intriguing idea -- one that may be worth trying given the problems with today's approaches.


Posted on Techdirt - 19 October 2017 @ 8:01pm

A Tale of Two Transparencies: Why The EU And Activists Will Always Disagree Over Trade Deal Negotiations

from the TTIP,-remember-that? dept

Although the Transatlantic Trade and Investment Partnership (TTIP) has dropped off the radar completely since Donald Trump's election, for some years it was a key concern of both the US and European governments, and a major theme of Techdirt's posts. One of the key issues was transparency -- or the lack of it. Eventually, the European Commission realized that its refusal to release information about the negotiations was seriously undermining its ability to sell the deal to the EU public, and it began making some changes on this front, as we discussed back in 2015. Since then, transparency has remained a theme of the European Commission's initiatives. Last month, in his annual State of the Union address, President Jean-Claude Juncker unveiled his proposals for trade policy. One of them was all about transparency:

the Commission has decided to publish as of now all its recommendations for negotiating directives for trade agreements (known as negotiating mandates). When they are submitted to the European Parliament and the Council, those documents will in parallel be sent automatically to all national Parliaments and will be made available to the general public. This should allow for a wide and inclusive debate on the planned agreements from the start.

An interesting article on Borderlex explores why moves to open up trade policy by the European Commission did not and probably never will satisfy activists who have been pushing for more transparency, and why in this area there is an unbridgeable gulf between them and the EU politicians. In contrast to Juncker's limited plan to publish negotiating directives in order to allow "a wide and inclusive debate on the planned agreements", this is what activists want, according to the article:

timely release of textual proposals on all negotiating positions, complete lists and minutes of meetings of Commission officials with third parties, consolidated texts, negotiating mandates, and all correspondence between third parties and officials.

Activists are keen to see what is happening in detail throughout the negotiations, not just a top-level view at the start, or the initial textual proposals for each chapter with nothing afterwards. The article suggests that this is not simply a case of civil society wanting more information for its own sake, but rather reflects completely different conceptions of what transparency means. Transparency is intimately bound up with accountability, which raises the key question: accountability to whom?

These two different views reflect a seminal academic distinction between 'delegation' and 'participation' models of accountability in international politics. In a 'delegation' model, an organisation (such as the Commission) is accountable to those who have granted it a mandate (in the EU: the Council, the [European Parliament] and national parliaments). Transparency and participation should first and foremost be directed to them. Extending managed transparency to the wider public can be instrumentally used to increase trust.

In a 'participation model', in contrast, organisations are accountable to those who bear the burden of the decisions that are taken. If contemporary trade policy impacts people's daily lives, the people -- directly or through civil society organisations that claim to represent them -- should be able to see what is going on, and be able to influence the process. Therefore, there is a presupposition for openness, disclosure, and close participation.

The article's authors suggest that for activists, transparency is a means to an end -- gaining influence through participation -- and it is the European Commission's refusal to allow civil society any meaningful role in trade negotiations that guarantees that token releases of a few policy documents will never be enough.
