data sovereignty  

Adobe has just given us a graphic demonstration of how not to handle security and privacy issues.

A hacker acquaintance of mine has tipped me to a huge security and privacy violation on the part of Adobe. That anonymous acquaintance was examining Adobe’s DRM for educational purposes when they noticed that Digital Editions 4, the newest version of Adobe’s Epub app, seemed to be sending an awful lot of data to Adobe’s servers.

My source told me, and I can confirm, that Adobe is tracking users in the app and uploading the data to their servers. Adobe was contacted in advance of publication, but declined to respond. Edit: Adobe responded Tuesday night.

And just to be clear, I have seen this happen, and I can also tell you that Benjamin Daniel Mussler, the security researcher who found the security hole on Amazon.com, has also tested this at my request and saw it with his own eyes.

via Adobe is Spying on Users, Collecting Data on Their eBook Libraries – The Digital Reader.

NSA: Linux Journal is an “extremist forum” and its readers get flagged for extra surveillance

 

A new story published on the German site Tagesschau and followed up by BoingBoing and DasErste.de has uncovered some shocking details about who the NSA targets for surveillance including visitors to Linux Journal itself.

While it has been revealed before that the NSA captures just about all Internet traffic for a short time, the Tagesschau story provides new details about how the NSA’s XKEYSCORE program decides which traffic to keep indefinitely. XKEYSCORE uses specific selectors to flag traffic, and the article reveals that Web searches for Tor and Tails–software I’ve covered here in Linux Journal that helps to protect a user’s anonymity and privacy on the Internet–are among the selectors that will flag you as “extremist” and targeted for further surveillance. If you just consider how many Linux Journal readers have read our Tor and Tails coverage in the magazine, that alone would flag quite a few innocent people as extremist.

While that is troubling in itself, even more troubling to readers on this site is that linuxjournal.com has been flagged as a selector! DasErste.de has published the relevant XKEYSCORE source code, and if you look closely at the rule definitions, you will see linuxjournal.com/content/linux* listed alongside Tails and Tor. According to an article on DasErste.de, the NSA considers Linux Journal an “extremist forum”. This means that merely looking for any Linux content on Linux Journal, not just content about anonymizing software or encryption, is considered suspicious and means your Internet traffic may be stored indefinitely.
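To make concrete how a wildcard URL selector over-collects, here is an added, constructed example of my own (it is not Linux Journal’s code and nothing in it comes from the published XKEYSCORE source): a toy selector matcher run over a handful of made-up request-log lines. Only the `linuxjournal.com/content/linux*` glob is taken from the article; the other patterns, the search-engine host list, the log format and the log lines are all assumptions.

```python
import fnmatch
from urllib.parse import parse_qs, urlsplit

# Constructed selector set, shaped like the two kinds of selector the article
# describes: URL globs (one of them the over-broad linuxjournal.com rule) and
# search terms. Only the linuxjournal.com glob is from the article; the rest
# are illustrative assumptions.
URL_SELECTORS = [
    "linuxjournal.com/content/linux*",
    "*torproject.org*",
    "*tails.boum.org*",
]
SEARCH_TERM_SELECTORS = {"tor", "tails"}
SEARCH_ENGINES = {"google.com", "bing.com"}  # assumed hosts whose ?q= is a search

# Constructed request log (timestamp, client, URL). Not real traffic.
LOG = """\
2014-07-03T10:00:01Z 203.0.113.5 http://www.linuxjournal.com/content/linux-kernel-tuning
2014-07-03T10:00:02Z 203.0.113.5 http://www.linuxjournal.com/content/shell-scripting-tips
2014-07-03T10:00:03Z 198.51.100.7 https://www.google.com/search?q=tails+live+usb
2014-07-03T10:00:04Z 198.51.100.9 https://example.org/about
""".splitlines()


def host_path_query(url):
    """Lower-cased host without a leading www., plus path and query string."""
    parts = urlsplit(url)
    host = parts.netloc.lower()
    if host.startswith("www."):
        host = host[4:]
    return host, parts.path, parts.query


def search_terms(url):
    """Words typed into a known search engine's q= parameter, else the empty set."""
    host, _, query = host_path_query(url)
    if host not in SEARCH_ENGINES:
        return set()
    q = parse_qs(query).get("q", [""])[0]
    return set(q.lower().split())


def matched_selectors(url):
    """Every selector a single request trips; an empty list means it is not retained."""
    host, path, _ = host_path_query(url)
    hits = [s for s in URL_SELECTORS if fnmatch.fnmatchcase(host + path, s)]
    hits += sorted("search:" + t for t in SEARCH_TERM_SELECTORS & search_terms(url))
    return hits


def retention_decision(log_lines):
    """Map each flagged URL to the selectors that flagged it."""
    flagged = {}
    for line in log_lines:
        _timestamp, _client, url = line.split(" ", 2)
        hits = matched_selectors(url)
        if hits:
            flagged[url] = hits
    return flagged


if __name__ == "__main__":
    for url, hits in retention_decision(LOG).items():
        print(url, "->", hits)
```

Note what the glob does and does not catch: the kernel-tuning article is flagged purely because its path begins with `content/linux`, while the shell-scripting article on the same site is not, and the search for a Tails live USB is flagged on the search term alone. Nothing about the visitor’s intent enters the decision.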

 

via NSA: Linux Journal is an “extremist forum” and its readers get flagged for extra surveillance | Linux Journal.

netzpolitik.org: Are you breaking any laws?

Jotunbane: Several :)

netzpolitik.org: Do you care? Why (not)?

Jotunbane: Sure I care. But what can I do? The laws are wrong on several different levels (the copyright monopoly has been extended 16 times in my lifetime alone, and will continue to be extended every time Mickey Mouse is getting close to the public domain). There will always be consequences when you decide to break the law and the risk of punishment is clearly part of the equation. Under US law I could get fined $150.000 for each infringement, but this is not a question of money, it’s a question of doing the right thing. Sharing is caring, so of course I care.

 

Interviews with E-Book-Pirates: “The book publishing industry is repeating the same mistakes of the music industry”.

 

The error message that launched this whole investigation.

Darrell Whitelaw / Twitter

For years now, Internet users have accepted the risk of files and content they share through various online services being subject to takedown requests based on the Digital Millennium Copyright Act (DMCA) and/or content-matching algorithms. But users have also gotten used to treating services like Dropbox as their own private, cloud-based file storage and sharing systems, facilitating direct person-to-person file transfer without having to worry.

This weekend, though, a small corner of the Internet exploded with concern that Dropbox was going too far, actually scanning users’ private and directly peer-shared files for potential copyright issues. What’s actually going on is a little more complicated than that, but it shows that sharing a file on Dropbox isn’t always the same as sharing that file directly from your hard drive over something like e-mail or instant messenger.

The whole kerfuffle started yesterday evening, when one Darrell Whitelaw tweeted a picture of an error he received when trying to share a link to a Dropbox file via IM. The Dropbox webpage warned him and his friend that "certain files in this folder can’t be shared due to a takedown request in accordance with the DMCA."

Whitelaw freely admits that the content he was sharing was a copyrighted video, but he still expressed surprise that Dropbox was apparently watching what he shared for copyright issues. "I treat [Dropbox] like my hard drive," he tweeted. "This shows it’s not private, nor mine, even though I pay for it."

In response to follow-up questions from Ars, Whitelaw said the link he sent to his friend via IM was technically a public link and theoretically could have been shared more widely than the simple IM between friends. That said, he noted that the DMCA notice appeared on the Dropbox webpage "immediately" after the link was generated, suggesting that Dropbox was automatically checking shared files somehow to see if they were copyrighted material rather than waiting for a specific DMCA takedown request.

Dropbox did confirm to Ars that it checks publicly shared file links against hashes of other files that have been previously subject to successful DMCA requests. "We sometimes receive DMCA notices to remove links on copyright grounds," the company said in a statement provided to Ars. "When we receive these, we process them according to the law and disable the identified link. We have an automated system that then prevents other users from sharing the identical material using another Dropbox link. This is done by comparing file hashes."

Dropbox added that this comparison happens when a public link to your file is created and that "we don’t look at the files in your private folders and are committed to keeping your stuff safe." The company wouldn’t comment publicly on whether the same content-matching algorithm was run on files shared directly with other Dropbox users via the service’s account-to-account sharing functions, but the wording of the statement suggests that this system only applies to publicly shared links.

We should be clear here that Dropbox hasn’t removed the file from Whitelaw’s account; they just closed off the option for him to share that file with others. In a tweeted response to Whitelaw, Dropbox Support said that "content removed under DMCA only affects share-links." Dropbox explains its copyright policy on a Help Center page that lays out the boilerplate: "you do not have the right to share files unless you own the copyright in them or have been given permission by the copyright owner to share them." The Help Center then directs users to its DMCA policy page.

Dropbox has also been making use of file hashing algorithms for a while now as a means of de-duplicating identical files stored across different users’ accounts. That means that if I try to upload an identical copy of a 20GB movie file that has already been stored in someone else’s Dropbox account, the service will simply give my account access to a version of that same file rather than allowing me to upload an identical version. This not only saves bandwidth on the user’s end but significant storage space on Dropbox’s end as well.

Some researchers have warned of security and privacy concerns based on these de-duplication efforts in the past, but the open source Dropship project attempted to bend the feature to users’ advantage. By making use of the file hashing system, Dropship effectively tried to trick Dropbox into granting access to files on Dropbox’s servers that the user didn’t actually have access to. Dropbox has taken pains to stop this kind of "fake" file sharing through its service.

In any case, it seems a similar hashing effort is in place to make it easier for Dropbox to proactively check files shared through its servers for similarity to content previously blocked by a DMCA request. In this it’s not too different from services like YouTube, which uses a robust ContentID system to automatically identify copyrighted material as soon as it’s uploaded.
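The two mechanisms above, hash-based dedup and hash-based blocking of public links, are easy to show side by side. What follows is an added toy of my own, not Dropbox’s code and not the Dropship project: a content-addressed store in which one SHA-256 blob can be referenced from many accounts, a DMCA notice against one public link blocks every later public link to the same hash while leaving the file in every account, and a Dropship-style “claim a blob by its hash” path is contrasted with a challenge-response proof-of-possession check. The file contents, account names, the nonce-keyed HMAC challenge and the exact behaviour of the blocked-link error are all assumptions for the example.

```python
import hashlib
import hmac
import os


class ContentStore:
    """Toy content-addressed store: one blob per SHA-256, many account entries per blob."""

    def __init__(self):
        self.blobs = {}            # sha256 hex -> bytes (stored once)
        self.accounts = {}         # user -> {filename: sha256 hex}
        self.public_links = {}     # link id -> (user, filename)
        self.dmca_blocked = set()  # hashes hit by a successful notice

    def upload(self, user, filename, data):
        h = hashlib.sha256(data).hexdigest()
        deduped = h in self.blobs  # identical bytes already held: nothing re-uploaded
        self.blobs.setdefault(h, data)
        self.accounts.setdefault(user, {})[filename] = h
        return h, deduped

    def create_public_link(self, user, filename):
        """The check runs here, at link creation, not at upload."""
        h = self.accounts[user][filename]
        if h in self.dmca_blocked:
            raise PermissionError("can't be shared due to a takedown request")
        link_id = hashlib.sha256(os.urandom(16)).hexdigest()[:16]
        self.public_links[link_id] = (user, filename)
        return link_id

    def process_dmca_notice(self, link_id):
        """Disable the named link and block its hash; the file stays in the account."""
        user, filename = self.public_links.pop(link_id)
        self.dmca_blocked.add(self.accounts[user][filename])

    def claim_by_hash(self, user, filename, h):
        """Dropship-style: attach an existing blob to an account knowing only its hash."""
        if h not in self.blobs:
            raise KeyError("unknown blob")
        self.accounts.setdefault(user, {})[filename] = h

    def claim_with_proof(self, user, filename, h, respond):
        """Same dedup shortcut, but the client must answer HMAC(nonce, data) for a fresh nonce."""
        if h not in self.blobs:
            raise KeyError("unknown blob")
        nonce = os.urandom(16)
        expected = hmac.new(nonce, self.blobs[h], hashlib.sha256).digest()
        if not hmac.compare_digest(respond(nonce), expected):
            raise PermissionError("client could not prove it holds the file")
        self.accounts.setdefault(user, {})[filename] = h


def demo():
    movie = b"constructed stand-in for a copyrighted video file " * 1000  # made-up content
    store = ContentStore()
    h, _ = store.upload("darrell", "clip.mp4", movie)
    _, deduped = store.upload("friend", "same-clip.mp4", movie)

    link = store.create_public_link("darrell", "clip.mp4")
    store.process_dmca_notice(link)  # rightsholder's notice names darrell's link only

    try:
        store.create_public_link("friend", "same-clip.mp4")
        friend_can_share = True
    except PermissionError:
        friend_can_share = False

    store.claim_by_hash("freeloader", "got-it.mp4", h)  # hash alone suffices here
    try:
        store.claim_with_proof("freeloader2", "got-it.mp4", h,
                               lambda nonce: hmac.new(nonce, b"", hashlib.sha256).digest())
        proof_bypassed = True
    except PermissionError:
        proof_bypassed = False
    store.claim_with_proof("holder", "mine.mp4", h,
                           lambda nonce: hmac.new(nonce, movie, hashlib.sha256).digest())

    return {
        "deduped": deduped,
        "friend_file_still_in_account": "same-clip.mp4" in store.accounts["friend"],
        "friend_can_share": friend_can_share,
        "hash_only_claim_worked": "got-it.mp4" in store.accounts["freeloader"],
        "proof_bypassed_without_file": proof_bypassed,
        "holder_claim_worked": "mine.mp4" in store.accounts["holder"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the two claim paths: once storage is keyed by hash, anyone who learns the hash can ask for the blob unless the server makes the client prove it already holds the bytes, which is why a nonce-keyed challenge over the full file (rather than a second copy of the hash) is the usual fix for the Dropship trick.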

In this, both Dropbox and YouTube are simply responding to the legal environment they find themselves in. The DMCA requires companies that run sharing services to take reasonable measures to make sure that re-posting of copyrighted content doesn’t occur after a legitimate DMCA notice has been issued. Whitelaw himself doesn’t blame the service for taking these proactive steps, in fact. "This isn’t a Dropbox problem," he told Ars via tweet. "They’re just following the laws laid out for them. Was just surprised to see it."

via Dropbox clarifies its policy on reviewing shared files for DMCA issues | Ars Technica.

The beauty of P2P and BitTorrent is that it’s a distributed system. Indeed, as far as sites are concerned bandwidth between users (and of course content) are both available for free and running in basic mode requires only a few dollars a month on top to pay for a server. Trading in the big gas guzzler for a something a little more frugal should be a survival option.

Of course, in many cases this could potentially mean file-sharing backing up in sophistication to 2004, to what may as well be the stone age to many of today’s younger enthusiasts. That said, ask anyone who was around at the time if it was so bad. Yes, at times Suprnova required 30 refreshes until a page actually loaded and yes, initial seeders uploaded at a snail’s pace, but the scene was buzzing and people were having fun. And if it’s not about having fun anymore, something has gone wrong along the way.

Maybe a fresh start and a resurgence of some old fashioned non-monetary gain values is what is needed. The money can’t be targeted if there isn’t any.

via Bombing BitTorrent and File-Sharing Websites Back to the Stone Age | TorrentFreak.

The United Nations Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression has released an important new report that examines freedom of expression on the Internet. The report is very critical of rules such as graduated response/three strikes, arguing that such laws may violate the International Covenant on Civil and Political Rights (Canada became a member in 1976). Moreover, the report expresses concerns with notice-and-takedown systems, noting that they are subject to abuse by both governments and private actors.

On the issue of graduated response, the report states:

he is alarmed by proposals to disconnect users from Internet access if they violate intellectual property rights. This also includes legislation based on the concept of “graduated response”, which imposes a series of penalties on copyright infringers that could lead to suspension of Internet service, such as the so-called “three strikes-law” in France and the Digital Economy Act 2010 of the United Kingdom.

Beyond the national level, the Anti-Counterfeiting Trade Agreement (ACTA) has been proposed as a multilateral agreement to establish international standards on intellectual property rights enforcement. While the provisions to disconnect individuals from Internet access for violating the treaty have been removed from the final text of December 2010, the Special Rapporteur remains watchful about the treaty’s eventual implications for intermediary liability and the right to freedom of expression.

In light of these concerns, the report argues that Internet disconnection is a disproportionate response, violates international law, and that such measures should be repealed in countries that have adopted them.

via Michael Geist – UN Report Says Internet Three Strikes Laws Violate International Law.

Anti-censorship campaigners compared the plan to China’s notorious system for controlling citizens’ access to blogs, news websites and social networking services.

The proposal emerged from an obscure meeting of the Council of the European Union’s Law Enforcement Work Party (LEWP), a forum for cooperation on issues such as counter-terrorism, customs and fraud.

“The Presidency of the LEWP presented its intention to propose concrete measures towards creating a single secure European cyberspace,” according to brief minutes of the meeting.

via Alarm over EU ‘Great Firewall’ proposal – Telegraph.

New paper draft, please comment. PDF version here: bodo Sovereignty in the cloud_3_0

Wikileaks represents a new type of (h)activism, which shifts the source of potential threat from a few, dangerous hackers and a larger group of mostly harmless activists — both outsiders to an organization — to those who are on the inside. For insiders trying to smuggle information out, anonymity is a necessary condition for participation. Wikileaks has demonstrated that the access to anonymity can be democratized, made simple and user friendly.

Being Anonymous in the context of Wikileaks has a double promise: it promises to liberate the subject from the existing power structures, and at the same time it allows the exposure of these structures by opening up a space to confront them. The Wikileaks coerced transparency, however, is nothing more than the extension of Foucauldian disciplinary power to the very body of state and government. While anonymity removes the individual from existing power relations, the act of surveillance puts her right back in the middle.

The ability to place the state under surveillance limits and ultimately renders present-day sovereignty obsolete. It can also be argued that it fosters the emergence of a new sovereign in itself. I believe that Wikileaks (or rather, the logic of it) is a new sovereign in the global political / economic sphere. But as it stands now, Wikileakistan shares too much with the powers it wishes to counter. The hidden power structures and the inner workings of these states within the state are exposed by another imperium in imperio, a secretive organization, whose agenda is far from transparent, whose members and resources are unknown, holding back an indefinite amount of information both on itself and on its opponents.

I argue that it is not more secretive, one-sided transparency which will subvert and negate the control and discipline of secretive, one-sided transparency; it is anonymity. The subject’s position of being “a multiplicity that can be numbered and supervised”, its state of living in a “sequestered and observed solitude” (Foucault 1979) can only be subverted if there is a place to hide from surveillance. I argue that maybe less, and not more, transparency is the path that leads to the aims of Wikileaks.


LibraryGoblin sez, “HarperCollins has decided to change their agreement with e-book distributor OverDrive. They forced OverDrive, which is a main e-book distributor for libraries, to agree to terms so that HarperCollins e-books will only be licensed for checkout 26 times. Librarians have blown up over this, calling for a boycott of HarperCollins, breaking the DRM on e-books–basically doing anything to let HarperCollins and other publishers know they consider this abuse.”

I've talked to a lot of librarians about why they buy DRM books for their collections, and they generally emphasize that buying ebooks with DRM works pretty well, generates few complaints, and gets the books their patrons want on the devices their patrons use. And it's absolutely true: on the whole, DRM ebooks, like DRM movies and DRM games work pretty well.

But they fail really badly. No matter how crappy a library's relationship with a print publisher might be, the publisher couldn't force them to destroy the books in their collections after 26 checkouts. DRM is like the Ford Pinto: it's a smooth ride, right up the point at which it explodes and ruins your day.

HarperCollins has some smart and good digital people (they're my UK/Australia/South Africa publisher, and I've met a ton of them). But batshit insane crap like this is proof that it doesn't matter how many good people there are at a company that has a tool at its disposal that is as dangerous and awful as DRM: the gun on the mantelpiece in act one will always go off by act three.

And that's why libraries should just stop buying DRM media for their collections. Period. It's unsafe at any speed.

I mean it. When HarperCollins backs down and says, “Oh, no, sorry, we didn't mean it, you can have unlimited ebook checkouts,” the libraries' answers should be “Not good enough. We want DRM-free or nothing.” Stop buying DRM ebooks. Do you think that if you buy twice, or three times, or ten times as many crippled books that you'll get more negotiating leverage with which to overcome abusive crap like this? Do you think that if more of your patrons come to rely on you for ebooks for their devices, that DRM vendors won't notice that your relevance is tied to their product and tighten the screws?

You have exactly one weapon in your arsenal to keep yourself from being caught in this leg-hold trap: your collections budget. Stop buying from publishers who stick time-bombs in their ebooks. Yes, you can go to the Copyright Office every three years and ask for a temporary exemption to the DMCA to let you jailbreak your collections, but that isn't Plan B, it's Plan Z. Plan A is to stop putting dangerous, anti-patron technology into your collections in the first place.

The publisher also issued a short statement: “HarperCollins is committed to the library channel. We believe this change balances the value libraries get from our titles with the need to protect our authors and ensure a presence in public libraries and the communities they serve for years to come.”

Josh Marwell, President, Sales for HarperCollins, told LJ that the 26 circulation limit was arrived at after considering a number of factors, including the average lifespan of a print book, and wear and tear on circulating copies.

As noted in the letter, the terms will not be specific to OverDrive, and will likewise apply to “all eBook vendors or distributors offering this publisher's titles for library lending.” The new terms will not be retroactive, and will apply only to new titles. More details on the new terms are set to be announced next week.

For the record, all of my HarperCollins ebooks are also available as DRM-free Creative Commons downloads. And as bad as HarperCollins' terms are, they're still better than Macmillan's, my US/Canadian publisher, who don't allow any library circulation of their ebook titles.

via HarperCollins to libraries: we will nuke your ebooks after 26 checkouts – Boing Boing.


 

Operation Payback has been without a doubt the longest and most widespread attack on anti-piracy groups, lawyers and lobbyists. Despite the massive media coverage, little is known about the key players who coordinate the operation and DDoS attacks. A relatively small group of people, they are seemingly fuelled by anger, frustration and a strong desire to have their voices heard.

In the last two months, dozens of anti-piracy groups, copyright lawyers and pro-copyright outfits have been targeted by a group of Anonymous Internet ‘vigilantes’ under the flag of Operation Payback.

Initially DDoS assaults were started against the MPAA, RIAA and anti-piracy company AiPlex Software because these outfits had targeted The Pirate Bay. Those DDoS attacks were later replicated against many other targets that have spoken out against piracy or for copyright, resulting in widespread media coverage.

Even law enforcement agencies showed interest in the operation recently. Last week CNET reported that an FBI probe is underway, and TorrentFreak personally knows of at least one court case against a person that was associated with the operation.

Besides covering the results of the DDoS attacks and website hacks, very little is known about the people who are part of the operation. Who are they? What do they want, and what are their future plans? In this article we hope to solve a few pieces of the puzzle.

After numerous talks with people who are actively involved in Operation Payback, we learned that there are huge differences between the personal beliefs of members.

We can safely conclude that this Anonymous group doesn’t have a broad shared set of ideals. Instead, it is bound together by anger, frustration and the desire to be heard. Their actions are a direct response to the anti-piracy efforts of pro-copyright groups.

Aside from shared frustration, the people affiliated with the operation have something else in common. They are nearly all self-described geeks, avid file-sharers and many also have programming skills.

When Operation Payback started most players were not looking to participate in the copyright debate in a constructive way, they simply wanted to pay back the outfits that dared to target something they loved: file-sharing.

Many of the first participants who set the DDoS actions in motion either came from or were recruited on the message board 4Chan. But as the operation developed the 4Chan connection slowly disappeared. What’s left today are around a dozen members who are actively involved in planning the operation’s future, and several dozen more who help to execute the DDoS attacks.

An Anonymous spokesperson, from whose hand most of the manifestos originated, described the structure of the different groups to us.

“The core group is the #command channel on IRC. This core group does nothing more than being some sort of intermediary between the people in that IRC channel and the actual attack. Another group of people on IRC (the main channel called #operationpayback) are just there to fire on targets.”

Occasionally new people are invited to join the command to coordinate a specific attack, but a small group of people remains. The command group is also the place where new targets are picked, where future plans are discussed, and where manifestos are drafted. This self-appointed group makes most of the decisions, but often acts upon suggestions from bypassers in the main IRC channel.

Now let’s rewind a little and go back to the first attacks that started off the operation in September.

The operation’s command was ‘pleasantly’ surprised by the overwhelming media coverage and attention, but wondered where to go from there. They became the center of attention but really had no plan going forward. Eventually they decided to continue down the road that brought them there in the first place – more DDoS attacks.

What started as a retaliation against groups that wanted to take out The Pirate Bay slowly transformed into an attack against anyone involved in anti-piracy efforts. From trade groups, to lawyers, to dissenting artists. Since not all members were actively following the copyright debate, command often acted on suggestions from the public in the main IRC channel.

What followed was an avalanche of DDoS attacks that were picked up by several media outlets. This motivated the group to continue their strategy. Anonymous’ spokesperson admitted to TorrentFreak that the media attention was indeed part of what fuelled the operation to go forward. But not without some strategic mistakes.

As the operation continued more trivial targets were introduced and the group started to lose sympathy from parts of the public. While targeting the company that admittedly DDoSed The Pirate Bay could be seen as payback by some, trying to take out Government bodies such as the United States Copyright Office and UK’s Intellectual Property Office made less sense. In part, these targets were chosen by anarchistic influences in the operation.

“I fight with anonops because I believe that the current political system failed, and that a system based on anarchy is the only viable system,” one member told TorrentFreak. “I encouraged them to go after political targets just because I like Anarchy.”

The Anonymous spokesperson admitted to TorrentFreak that mistakes were made, and command also realized that something had to change. The targets were running out and the attacks weren’t gaining as much attention as they did in the beginning. It was a great way to gather attention, but not sustainable. In fact, even from within the operation not everyone was convinced that DDoS attacks were the best ‘solution’.

“I personally don’t like the concept of violence and attacking, but violence itself does raise attention,” Anonymous’ spokesperson told TorrentFreak.

“Attacking sites is one side of the story, but this operation would finally have to serve a purpose, otherwise it wouldn’t exist. We all agree that the way things [abuse of copyright] are currently done, is not the right way.”

Last week command decided to slow the DDoS attacks down and choose another strategy, mainly to regain the focus of attention. It was decided that they would make a list of demands for governments worldwide. In a move opposed to the desires of the anarchic influences, command decided to get involved in the political discussion.

Copyright/patent laws have to change, they argued, and from the bat they were willing to negotiate. They called for scrapping censorship, anti-piracy lawsuits and limiting copyright and patent terms, but not getting rid of copyright entirely. Interestingly, there is also no word in the demands about legalizing file-sharing.

To some this new and more gentle position taken by Anonymous came as a complete surprise. We asked the spokesman of the group about this confusing message and he said that there are actually several political parties that already adopt a similar position, like the Pirate parties and the Greens in Europe.

However, according to the spokesman (who wrote the latest manifesto with other members in Piratepad) they consciously chose this set of demands. “Some of us have the vision of actually getting rid of copyright/patents entirely, but we are at least trying to stay slightly realistic.”

“What we are now trying to do, is to straighten out ideals, and trying to make them both heard and accepted. Nobody would listen to us if we said piracy should be legal, but when we ask for copyright lifespan to be reduced to ‘fair’ lengths, that would sound a lot more reasonable,” the spokesman told TorrentFreak.

The demands have been published on the Operation Payback site for nearly a week, but thus far the media coverage hasn’t been as great as when they launched their first DDoS. Some have wondered whether this is the right path to continue in the first place, as it may get in the way of groups and political parties that have fought for similar ‘ideals’ for years already.

The spokesman disagreed and said that Operation Payback has “momentum” now.

So here we are nearly two months after Anonymous started Operation Payback. The initial anger and frustration seems to have been replaced by a more friendly form of activism for the time being. The group wanted to have their voice heard and they succeeded in that. However, being listened to by politicians and entertainment industry bosses might take more than that.

 
