Saturday, April 15, 2006

No buy list

This I hadn't heard about before, a no buy list in the US. Surely you mean a no fly list - CAPPSII, Secure Flight etc. Nope, a no buy list.

" The so-called "Bad Guy List" is hardly a secret. The U.S. Treasury's Office of Foreign Assets Control maintains its "Specially Designated Nationals and Blocked Persons List" to be easily accessible on its public Web site.

Wanna see it? Sure you do. Just key OFAC into your Web browser, and you'll find the 224-page document of the names of individuals, organizations, corporations and Web sites the feds suspect of terrorist or criminal activities and associations...

The Bad Guy List's relevance to the average American consumer? What's not widely known about it is that by federal law, sellers are supposed to check it even in the most common and mundane marketplace transactions.

"The OFAC requirements apply to all U.S. citizens. The law prohibits anyone, not just car dealers, from doing business with anyone whose name appears on the Office of Foreign Assets Control's Specially Designated Nationals list," says Thomas B. Hudson, senior partner at Hudson Cook LLP...

Compliance is also a big problem. Think eBay sellers are checking the list for auction winners? Or that the supermarket checkout person is thanking you by name while scanning a copy of The List under the counter? Not likely.

Even most car dealerships come up short on compliance, despite harsh penalties that include 30 years in jail and fines up to $10 million against corporations, and $5 million against individuals, and civil penalties of up to $1 million per incident. "Laws like this that are so ridiculous that no one obeys them do nothing to inspire respect in our legal system," says Hudson."

Schneier's movie plot contest

Bruce Schneier is offering a signed copy of his terrific book Beyond Fear in a movie plot threat contest. He announced the contest on April 1 but promises it's not an April Fools' joke.

" Movie-Plot Threat Contest

NOTE: If you have a blog, please spread the word.

For a while now, I have been writing about our penchant for "movie-plot threats": terrorist fears based on very specific attack scenarios. Terrorists with crop dusters, terrorists exploding baby carriages in subways, terrorists filling school buses with explosives -- these are all movie-plot threats. They're good for scaring people, but it's just silly to build national security policy around them.

But if we're going to worry about unlikely attacks, why can't they be exciting and innovative ones? If Americans are going to be scared, shouldn't they be scared of things that are really scary? "Blowing up the Super Bowl" is a movie plot to be sure, but it's not a very good movie. Let's kick this up a notch.

It is in this spirit I announce the (possibly First) Movie-Plot Threat Contest. Entrants are invited to submit the most unlikely, yet still plausible, terrorist attack scenarios they can come up with.

Your goal: cause terror. Make the American people notice. Inflict lasting damage on the U.S. economy. Change the political landscape, or the culture. The more grandiose the goal, the better.

Assume an attacker profile on the order of 9/11: 20 to 30 unskilled people, and about $500,000 with which to buy skills, equipment, etc.

Post your movie plots here on this blog.

Judging will be by me, swayed by popular acclaim in the blog comments section. The prize will be an autographed copy of Beyond Fear. And if I can swing it, a phone call with a real live movie producer.

Entries close at the end of the month -- April 30.

This is not an April Fool's joke, although it's in the spirit of the season. The purpose of this contest is absurd humor, but I hope it also makes a point. Terrorism is a real threat, but we're not any safer through security measures that require us to correctly guess what the terrorists are going to do next.

Good luck.

Post your entries, and read the others, here:
http://www.schneier.com/blog/archives/2006/04/announcing_movi.html

Movie-plot threats:
http://www.schneier.com/essay-087.html

http://www.time.com/time/nation/article/0,8599,175951,00.html
http://www.schneier.com/blog/archives/2005/10/exploding_baby.html
http://www.schneier.com/blog/archives/2006/02/school_bus_driv.html
http://www.imdb.com/title/tt0075765

There are hundreds of ideas here:
http://cockeyed.com/citizen/terror/plans/terrorwatch.html"

Friday, April 14, 2006

EFF: 7 Years Under the DMCA Report

The EFF have released version 4 of Unintended Consequences: 7 Years Under the DMCA.

"1. Executive Summary

Since they were enacted in 1998, the “anticircumvention” provisions of the Digital Millennium Copyright Act (“DMCA”), codified in section 1201 of the Copyright Act, have not been used as Congress envisioned. Congress meant to stop copyright infringers from defeating anti-piracy protections added to copyrighted works and to ban the “black box” devices intended for that purpose. In practice, the anti-circumvention provisions have been used to stifle a wide array of legitimate activities, rather than to stop copyright infringement. As a result, the DMCA has developed into a serious threat to several important public policy priorities:

The DMCA Chills Free Expression and Scientific Research.

Experience with section 1201 demonstrates that it is being used to stifle free speech and scientific research. The lawsuit against 2600 magazine, threats against Princeton Professor Edward Felten’s team of researchers, and prosecution of Russian programmer Dmitry Sklyarov have chilled the legitimate activities of journalists, publishers, scientists, students, programmers, and members of the public.

The DMCA Jeopardizes Fair Use.

By banning all acts of circumvention, and all technologies and tools that can be used for circumvention, the DMCA grants to copyright owners the power to unilaterally eliminate the public’s fair use rights. Already, the movie industry’s use of encryption on DVDs has curtailed consumers’ ability to make legitimate, personal-use copies of movies they have purchased.

The DMCA Impedes Competition and Innovation.

Rather than focusing on pirates, many copyright owners have wielded the DMCA to hinder their legitimate competitors. For example, the DMCA has been used to block aftermarket competition in laser printer toner cartridges, garage door openers, and computer maintenance services. Similarly, Apple invoked the DMCA to chill RealNetworks’ efforts to sell music downloads to iPod owners.

The DMCA Interferes with Computer Intrusion Laws.

Further, the DMCA has been misused as a general-purpose prohibition on computer network access which, unlike most computer intrusion statutes, lacks any financial harm threshold. As a result, a disgruntled employer has used the DMCA against a former contractor for simply connecting to the company’s computer system through a VPN."

Highly recommended. All the important overreaching DMCA cases are covered with neat summaries.

Thursday, April 13, 2006

US wants access to retained EU data

From the latest EDRI-gram:

"US wants access to retained traffic data

The United States has indicated in a recent meeting with the EU Council that it will be interested in accessing the traffic data collected by the European countries in accordance with the recent Directive on Data Retention. The US officials also expressed concerns over the draft Framework Decision on Data Protection.

During the EU-US informal High Level meeting on Freedom, Security and Justice on 2-3 March 2006, in Vienna, the US officials mentioned in the context of fighting terrorist use of the Internet that they were "considering approaching each Member State to ensure that the data collected on the basis of the recently adopted Directive on data retention be accessible to them." The Presidency and the Commission replied that these data were accessible like any other data on the basis of the existing MLA agreements (bilateral as well as EU/US agreement). The Commission would convene an expert meeting on this subject.

During the same meeting the US officials lobbied against the provisions in article 15 of the proposal for a framework decision on the protection of personal data processed in the third pillar. "US side expressed serious concerns about the negative impact that the draft Framework Decision on data protection would have on its bilateral relations with Member States if it was to be adopted in its present form (see in particular Article 15 of the draft). The Presidency indicated that agreements already concluded would not be affected by the new legislation. In addition, Member States were divided on the need for such a provision." Article 15 refers to Transfer to competent authorities in third countries or to international bodies.

The Proposal for a Council Framework Decision on the protection of personal data processed in the framework of police and judicial co-operation in criminal matters was initiated in October 2005 when a draft version was sent to the Council. Opinions on the draft have been received from the European Data Protection Supervisor, the Conference of European Data Protection Authorities and European member countries. A new version of the Decision, still under discussion within the Multidisciplinary group on organised crime (MDG) - Mixed Committee, was published by Statewatch at the end of March 2006.

The conclusions of the G6 of interior ministers of the EU call for a rapid adoption of the framework decision on the sharing of information under the availability principle in police and judicial cooperation in criminal matters, i.e. without waiting for the third pillar data protection framework decision. This would constitute a serious imbalance with regard to the processing of personal information under the third pillar. Tony Bunyan, Statewatch editor, commented "in other words state agencies should be allowed to exchange information and "intelligence" without any data protection rights for the individual being in place."

EU Council: Report of the EU-US informal High Level meeting on Freedom, Security and Justice on 2-3 March 2006 in Vienna (27.03.2006)
http://www.statewatch.org/news/2006/apr/eu-us-jha-7618-06.pdf

Data Protection, EU doc no 6450/1/06, REV 1 (23.03.2006)
http://www.statewatch.org/news/2006/mar/eu-dp-coun-draft-pos-6450-rev1-06.pdf

EDRI-gram: Draft directive data protection in EU police co-operation (21.09.2005)
http://www.edri.org/edrigram/number3.19/dataprotection

Conclusions of the Meeting of the Interior Ministers of France, Germany, Italy, Poland, Spain and the United Kingdom, Heiligendamm (23.03.2006)
http://www.statewatch.org/news/2006/mar/06eu-interior-minister-conclusions.htm"

Archives Kept a Secrecy Secret

From the Washington Post, Archives Kept a Secrecy Secret

"The National Archives helped keep secret a multi-year effort by the Air Force, the CIA and other federal agencies to withdraw thousands of historical documents from public access on Archives shelves, even though the records had been declassified.

In a 2002 memorandum, obtained through a Freedom of Information Act request and released yesterday by the National Security Archive, a nonprofit research library housed at George Washington University, Archives officials agreed to help pull the materials for possible reclassification and conceal the identities of anyone participating in the effort. The Associated Press reported yesterday that it had requested a copy of the memo three years ago...

Independent historian Matthew M. Aid uncovered the reclassification program last summer when his requests for documents formerly available at the Archives were delayed or denied. In February, the Archives acknowledged that about 9,500 records totaling more than 55,000 pages had been withdrawn and reclassified since 1999. The memo released yesterday says some records "may have been improperly marked as declassified" and their release "would harm the national security interests of the United States by revealing sensitive sources and methods of intelligence collection."

But historians who previously obtained copies of records have said many date to the 1940s and 1950s and pose no conceivable security risk."

Tuesday, April 11, 2006

Maine Governor supports open access

In an unusual move for a US governor, Maine Gov. John E. Baldacci has asked the US government to exclude the state from the General Agreement on Trade in Services (GATS) treaty obligations specifically related to libraries, archives, and museums.

Proposed changes to GATS could potentially make it difficult for governments to pursue open access policies such as the one implemented in the UK last autumn, i.e. that the results of publicly funded research in the UK have to be made freely available on the Web. Traditional journal publishers have complained that this amounts to unfair competition, and the proposed changes to GATS could enshrine these complaints in international law, making them very difficult to counteract. The WTO have denied there are any such proposals.

Given the way international rules in intellectual property generally get agreed, however, (TRIPS, WIPO treaties of 1996, proposed WIPO broadcasting treaty, any one of numerous EU directives etc.) this is one situation which merits close monitoring.

IS Academics raise concerns about NHS IT system

I heard on the BBC news this morning that 23 leading computer scientists have written an open letter to MPs expressing serious concerns about the UK government's £6 billion NHS IT project. There are articles in various broadsheets and Computer Weekly too.

Ross Anderson and FIPR have been warning of the privacy problems as well as the likely technical problems with the scheme for years. From Computer Weekly:

"Their open letter to the House of Commons Health Select Committee echoes a call last year by Computer Weekly for an independent audit of the project.

The letter is unprecedented. Suppliers say they have been warned off speaking about the NPfIT, and IT directors in the NHS fear being victimised if they openly express critical views. Academics, who are independent of the NHS, can express their concerns without fear of repercussions.

The letter said, "Concrete, objective information about NPfIT's progress is not available to external observers. Reliable sources within NPfIT have raised concerns about the technology itself.

"The National Audit Office report about NPfIT is delayed until this summer, at the earliest; the report is not expected to address major technical issues. As computer scientists, engineers and informaticians, we question the wisdom of continuing NPfIT without an independent assessment of its basic technical viability." "

The BBC presenter talking about the scheme said the minister concerned had promised today that taxpayers won't be asked to pay for it if it doesn't work, at which point, I have to admit, I verbalised my skepticism.

Monday, April 10, 2006

Campaign to reform the Inspire Directive Proposal

From the campaign to reform the proposed INSPIRE directive at Public Geo Data:

On 23 January 2006, the Council of the European Union formally adopted a common position on the INSPIRE Directive, which stipulates that geographic data collected by national mapping agencies all over Europe should be owned by such agencies and not by the public. While a lot of datasets are available in the United States under a public domain licence, little geographic data is available under open access terms in Europe; instead it is made available at monopoly prices by national mapping agencies. Restricted access to geographic data for the public and businesses, due to high costs and narrow licences, means fewer services and fewer jobs in Europe.

If the European Parliament does not adequately amend or, failing that, reject this directive proposal, INSPIRE will entrench a policy of charging citizens for information they have already paid to collect, enforced by state copyright over geographic information.

What to do?

By order of priority:

" * Lobby your Member of European Parliament about INSPIRE.
* Sign the Petition to promote open access to public geodata in Europe through INSPIRE.
* Find out more about INSPIRE, and help develop this campaign platform.
* Tell other people about INSPIRE, and about how they can help oppose it."

Digital Trend Challenging Camera Makers

From Findlaw (via AP) Digital Trend Challenging Camera Makers

"They are some of the most legendary names in photography.

Minolta scored the world's first successful auto-focus, single-lens reflex camera. Fuji invented 1600-speed film, once the industry's fastest. Nikon's fabled F-series made the 35 mm camera the picture-taking workhorse for the last half-century.

Now the companies share a more dubious distinction: abandoning part of the business that made them famous.

Camera makers have battled to adapt to the digital revolution for the last 10 years, but recent retreats by leading brands underline how the industry has turned upside-down."

5 Short Arguments Against DRM

Kevin Marks has a nice list of 5 short arguments against DRM.

" Computer Users: DRM turns your computer against you...

Computer Scientists: DRM will fail through emulation...

Corporations: DRM has to be undone to be used...

Lawyers: DRM makes machines judge, jury and executioner...

Media Companies: DRM destroys value."

Read the original to fill in the gaps.

Boeing fined $15 million for selling chip to China

From the Washington Post:

"The Boeing Co. has agreed to pay $15 million to settle federal allegations that it broke the law by selling commercial airplanes equipped with a small chip that has military applications."

A bit ironic given what I was saying about Airbus and BAE yesterday.

Sunday, April 09, 2006

Ban the Net?

The Observer is reporting "The official inquiry into the 7 July London bombings will say the attack was planned on a shoestring budget from information on the internet"

Here we go again. The cue for more idiotic political and media speculation about how to ban or control the Internet...

Problems with D-Link

Poul-Henning Kamp has been having problems with his NTP server, apparently due to poorly designed D-Link products. Richard Clayton has written about the case too.

It's a classic case of economic externalities. The damage is not affecting the company causing it, so they have no incentive to sort it out. The way to solve the problem is for the vendor to fix their products but they will not do so because it is not in their own financial interest. This is not a technical problem. It is an economic problem. The way to fix it is to fix the economics by making tech cos, whose products cause this kind of damage, liable for the damage caused.

Cameron promises to kill ID cards

Spy Blog says David Cameron has promised to get rid of ID cards, though doubts his sincerity.

"We hope that this means that the abolition of the entire centralised biometric database National Identity Register scheme, and not just the "ID Cards" aspect of it, is to become a firm Conservative Party election manifesto commitment.

We will be seeking clarification to see if that really is what the official Tory party policy is currently.

Given the ineffective Tory Opposition to Labour on many civil liberties issues in the past, we will be more likely to believe David Cameron if he affiliates his party to support the cross party NO2ID Campaign, which does have the support of several of the smaller Opposition parties."

We don't need assassinations we need an ethical code

It seems that a former key Whitehall adviser to David Blunkett when he was in the Home Office was a lot smarter than his political masters.

"Bush's approach is all the more disturbing because, post 9/11, so much of his system of government depends on barely constrained executive authority.

A recent but, until now, unreported public speech at Chatham House by Sir David Omand, the former Cabinet Office security and intelligence coordinator, offers a very different prescription. Omand may not be the leader of the world's only superpower, but until last year he played a key role, with Tony Blair and a small number of officials, in shaping Britain's response to 9/11. Like Bush, Omand sees a long-term challenge that requires strategic responses. Like Bush, he acknowledges that jihadist terrorism is something new in type and scale. But that is where the resemblance ends.

Where Bush seeks to redefine the world in the light of the terrorist threat, Omand's concern is to particularise the challenge from terrorism. As he says, he wants counter-terrorist operations - and, crucially, the pre-emptive secret intelligence work that goes with them - to enjoy support and legitimacy without disrupting the normal life of the community. In terms of state action, he says he wants the bludgeon to be replaced by the rapier. And, more challengingly still, he wants the security response to take place "within rights" rather than in opposition to them. In other words, his approach could not be more different from that taken in Washington.

Omand recognises what politicians are often afraid to admit, that the fight against terrorism carries actual, rather than hypothetical, costs - including the compromise of values, and the counter-productive, even radicalising, effect of security measures. He identifies four particular concerns: the use of British intelligence to guide pre-emptive military or covert action by ourselves or others against terrorists; the exchange of intelligence between countries with differing approaches to questioning, or to other forms of state action against, terrorists; the danger of disproportionate legislative responses that risk eroding fundamental aspects of the rule of law; and, finally, the growth of intrusive information technologies which allow access to personal emails and invade privacy.

His answer to these problems is for six explicit ethical guidelines to shape such operations. There must be "sufficient sustainable cause" for them to be needed; there must be "integrity of motive"; the methods used must be "in proportion" to the task; there must be a proper authorisation and oversight process; there must be "reasonable prospect of success"; and there must be "no reasonable alternative" to recourse to such methods."

BAE sale of stake in Airbus

Will Hutton has called for BAE's sale of their share of Airbus to be stopped. I can't really see what grounds could be used for that, daft and all as the decision might seem. BAE apparently want to expand further into the US defence industry. I agree with Hutton that it's not a very bright strategic move. You've only got to look at the recent furore over the transfer of major operations in six US ports to a company outside the US to see that. Despite all the rhetoric about free trade and letting the market sort it out, the US, like most Western countries, has always taken a fiercely protectionist approach to its own commercial interests on the international stage. They're smarter about hiding it e.g. their subsidies to Boeing outstrip those of the EU to Airbus but they get there through a harder to trace paper trail. Hutton says:

"The US defence and political establishments do not want to share American defence technology with foreigners and that includes us. And they will do all in their power to stop American defence contractors falling into foreign hands. The US has been refusing Britain permission to adapt US technology in the 150 F-35s it is buying, despite the fact Britain contributed $2bn to the development costs. The reason: we are foreign.

Yet the BAE plan is to sell a stake in a successful civil aircraft manufacturer, with all the risks that implies, to concentrate on becoming a surrogate American defence contractor in a market that does not want foreigners. In effect, it is betraying a crucial part of the British industrial base and Europe - for what? Chief executive Dick Turner and his colleagues are handsomely rewarded for a rising share price and probably this deal will mean more share options. But Britain needs to think in rather longer terms than the next financial year end."

Latest excuse for ID cards

The latest new excuse trotted out by a Home Office official for ID cards is that they will help catch people who avoid speed camera fines by registering their cars at a mass mailing address.

Wouldn't it be a bit cheaper to have a police officer surreptitiously watch the anonymous PO box for a couple of days, until the offender comes to pick up the mail?