Author Archive for Martin

More on VoIP wiretapping ..

More on VoIP and wiretapping ..

My (perhaps incorrect) impression from class was that people seemed generally ok with Carnivore so long as it was well controlled, there were some checks and balances, the source code was published, etc. I’d like to take this time to argue why I believe it’s a bad and likely dangerous idea.

The first thing that strikes me particularly hard is the idea that this system will even work. The argument was made in class that the NSA has really big computers and can do this. I’m willing to accept on faith that the NSA can do some very basic matching on every email sent across the US, but I’m firmly of the belief that doing anything remotely intelligent, such as running a learning or decoding algorithm, takes significantly more time and is infeasible to do on that large a scale. On top of that, technologies for encrypting email are easily available and more and more popular. Beyond even that, didn’t we see in one of our previous classes that terrorists were found to have been communicating by sharing a Yahoo account? One person would write something, save it as a draft, and then the next person would read, delete and write something back. ALREADY, terrorists are avoiding sending information via email. This seems like one more of countless ideas the government has had on limiting the bad guys, that in fact only affect average citizens (ex: they used to add an error into GPS). In the end, all this would do is make a platform for spying on citizens.

Even with all that overlooked, are we really willing to just give up on targeted search warrants? We’ve found that the police cannot drive down the street with infra-red sensors to catch drug dealers, but we’re ok with some code reading through our e-mail? What happens when it turns out that the code they ran is too stupid to catch terrorists? Clearly the next argument to make is that we need to beef up the code, and obviously the reason it doesn’t work is because terrorists know how it works, so we should really hide that too.

Finally, the whole idea seems short sighted to me. E-mail in its current form is likely to not exist just a few years out. We’ll be using text messaging, instant messaging and video conferencing. There are so many communication technologies, deciding to tap one seems pointless. We’re moving into a world where the medium of communication is no longer important. Cable, telephone line and cellular phone networks are all interconnected. To expect to be able to tap every technology going forward to look for terrorists seems ludicrous.

TV in the future

In class we recently talked about the current and future state of television. We summarized their business model as selling TV service in combination with selling targeted advertising. Various technologies are eating away at this model in various ways.

Tivo and various recording devices are allowing users to time-shift programming so the notion of prime time television is losing meaning.

Slingbox is allowing users to place-shift their programming. This makes advertising for local businesses less appealing.

Various methods for skipping commercials are available. While the most automated version of this (ReplayTV) was sued out of existence, various other technologies give you ways to fairly easily not watch commercials.

Recording TV and movies and distributing it via the internet is becoming more and more common with the increase in people connected to broadband.

In general I believe technology will force content providers and the cable networks to rethink their model. I believe the trend will be for content producers to adopt some method of distribution similar to iTunes. There are a number of indicators that this may happen. MLB TV has already gone the route of distributing content via streaming media rather than TV. NBC is releasing some of its most popular shows via torrent and, in fact, some shows are already available via iTunes. The article we read quoted a TV executive saying that they are well aware of the problems the music industry has had with new technology and they are not going to make the same mistakes. I think the video industry would have to be pretty blind to not see themselves as being in the same exact boat as the recording industry. The difference is only in bandwidth, which gives them a few years to prepare.

Assuming for a second that content providers will opt to distribute their content via the internet, what other implications does this have? I imagine that cable TV providers will move completely into the business of selling broadband. You can imagine a service that works just like TV, but that is completely internet based. Very likely the main difference would be that you would have many more options for content. You would see the same concept of free/very cheap programming with commercials, or premium TV without. I wonder though what would become of the FCC? It seems that content censorship would simply go away. Is this a good thing? I imagine that as long as parents have some control over what comes to their home it is. With radio and TV being pushed out by internet, what would we use for emergency broadcasting? What would become of the local programming that we seem to value? It seems to me that this shift will, on the whole, take money away from the film industry. (Mostly because I believe we are getting ripped off for cable TV) Are we going to see a decline in content quality? I believe that this shift is not imminent. Big industry is going to fight hard to maintain the status quo, but it will happen. Perhaps it makes sense to think about the features we like in our current system and how to preserve them.

Security is just hard…

I unfortunately missed out on last class and what was said; at the risk of restating what may have already been pointed out, I’d like to respond to some of the comments posted.

Avi mentioned that we found it difficult to pinpoint how computer security affects our lives and businesses and pointed to loss of productivity as an obvious candidate. I certainly agree that this is often mentioned and I believe it is a reasonable argument though it is difficult to quantify accurately. However, there are many other problems that stem from computer security, the problem (or blessing) is that they happen rarely. Identity theft is a serious problem that is becoming more and more prevalent for instance. Hacking a person’s computer is an easy method of obtaining all kinds of sensitive data. Also, once you have control, it is trivial to sniff for passwords and log into any website visited. I personally do my banking, school related administrative tasks, taxes and even pay parking tickets online. Finally, there is the issue of all the data I might lose if my computer was suddenly wiped. This is just a small subset of problems, the list goes on and on and as more of our lives are managed online, the list will only grow.

It was also mentioned that large corporations are affected differently by the sort of problems common on the Internet. I agree that it is different and “macro” but not that it is easier. It is true that large corporations employ IT departments and have the resources to construct more secure networks. They can buy more hardware, employ levels of firewalls and pay people to monitor patches full-time. However, they deal with a few different problems:

Scale: We find it a pain to keep up with one computer, imagine you have 30,000 servers (and many more clients). If you get 95% of machines patched in the first week, you’d be doing a great job .. and that would leave only 1,500 machines vulnerable. (I did not make up these numbers)

Risk: Some companies can get away with having large portions of their network down. When you’re talking about a financial company though, several hours of outage while the stock market is open is unacceptably costly.

Continuity: For the same reason as above, companies can’t afford to suddenly bring down their network for a patch, they also can’t risk that a patch will break their systems. (Yes, patches have bugs too. Yes, there are patches for patches)

Laptops: This is a newer problem. Most companies now have employees that use laptops regularly. When someone takes their laptop home and gets infected, they can then bring that laptop inside the network and bypass many of those expensive countermeasures big companies employ.

Internal attack: Whether disgruntled or simply stupid, employees have knowledge of the internal network and access.

There are more, these are off the top of my head. I also don’t agree that no one cares about security. For a large company it is simply a business decision. Risk is assessed as well as the cost of security and a decision is reached. But recent ad campaigns by AOL, Earthlink and AT&T stressing the security of their networks lead me to believe that at least they think users care. (Though the content of these ads makes me gag) There was also a comment about how companies protect their own problems while the little guy gets stuck. I think that’s only partially true. In many cases, companies use the same products we do (though maybe the enterprise version) and in many cases, problems with the user’s computer are blamed on them.

The difficulty in selling security is that it is much like selling insurance. People pay for something they don’t “get” anything for and, if it’s working properly, nothing happens. Furthermore, when something does go wrong, it’s not easy to figure out whether it was your computer that got hacked, your online bank that had a bug in their software, your hard drive had a physical defect, etc.

So why is Windows so buggy? Why aren’t people protesting in the streets? I could probably write another blog entry just on Windows, but the fundamental problems are that Windows is very large, supports nearly everything, is the target of most attacks (if you’re going to write malware, might as well do it for the product that is 98% of the market) and has no real competitors. In general though, I think most computer users don’t realize that things could be better, hence they don’t push for it.

The problem is that security is hard. Unlike most problems facing computers, security has the problem of dealing with an “adversary”. For whatever you build, there is a human being on the other side thinking up ways of subverting it. While you pay lots of money for a team of people to think about how to make your product secure, there are tens of thousands of people looking for holes (or just stumbling onto them). Even employing best practices filters out 99% of holes… and it only takes 1.

Net Neutrality: Google looking forward?

In the last week or two we’ve spent a lot of time talking about network neutrality, the fundamental issues therein and the recent pushes in Congress by both sides. The divide is primarily between the telecommunications companies on one side and the companies providing web services on the other. A recent speaker, Susan Crawford, came to speak on the subject and her view is that things are generally heading in the direction of the telecom companies, at least on Capitol Hill. Major reasons for this include a Congress that seems to favor the telecom companies and much more lobby strength. While Google, eBay and Microsoft are large companies, they are relatively new to the game.

The current situation is fairly grim. The US does not even rank in the top 10 as far as broadband coverage and ideas like gigabit to the home are a distant memory. The telecom companies don’t really feel any incentive to do the costly upgrades to their networks, and it seems like they have chosen not to compete in the area. Their claim is that if they were guaranteed the ability to charge for the network in a discriminatory way, they would have incentive to upgrade. I for one, don’t see any reason since they seem to have divided up the network anyway and no competition means little incentive to provide better service. If the push in Congress goes in the way that Ms. Crawford suggests, not only would the network not get better, it may actually regress.

However, I do have some hope for the future, even if telecom companies win in Congress. It stems from my belief that it is Google’s intention to take over the internet by providing a better version of everything on it. Put together the following:

It’s widely speculated that Google is interested and has started to buy up the dark fiber in the US. “Dark fiber” refers to fiber optic cable that has been laid in the ground but remains unused due to the high cost of getting it operational (and perhaps the lack of incentive I spoke of earlier). Google made several job postings looking for specialists in the field both technically and from the business side over a year ago. At the time, most were simply confused as to what possible use they could have for it. Google refused to comment on whether they were interested in entering the telecom business, so we don’t know for sure, but it raises some eyebrows. A thing worth noting is that fiber optic cable has significantly higher bandwidth than traditional copper wire.

Separately, San Francisco has recently approved Google and Earthlink to jointly provide WiFi to the city. The plan is to provide parts of the city with “free-ish” internet access. It’s not completely clear how it will work but forced ads are likely. This would certainly not be broadband, though it would be faster than traditional dial-up connections. The reason it’s interesting is that it covers the so-called “last-mile” in an extremely cost effective way. Telecom companies have maintained that building high-speed backbone connections is cheap but providing the local wiring is where huge costs are incurred. San Francisco is not the only city considering doing this, but there are fights in local legislatures wherever it’s tried.

My conspiracy theory is that Google is hedging its bets. They have the plans in place, that if the wrong laws are passed in Congress, they will build their own network based on fiber and WiFi and begin competing directly with the telecom companies. Ironically, once that happens and there is competition, the network neutrality fight becomes a moot point.

Virtual Property, where does it end?

Our recent discussions about the value of virtual possessions and the economic and social effects that these virtual worlds have on our real lives have generally focused around the monetary value of the in-game items and how that relates to taxation, responsibility of the carriers and the like. I’ve maintained that I firmly believe that legislating responsibility on companies for the items people earn or create in game is a dead end. I believed that in-game markets, even if they interact with the real world markets, are inherently very unstable and subject to everything from rampant inflation/deflation to simply disappearing due to a software glitch or the game company going out of business. Therefore, choosing to invest in such a “market” is simply a mistake on the part of the user, even if the game seems to be designed towards such a use. Moreover I believe that if we were to go the route of giving real value to virtual possessions, we would quickly proceed down a difficult path. Consider the following:

Theft/Vandalism
We’ve already touched on this in class and Avi took the point further. If these possessions have real value then it seems that we are obligated to legislate rules about what happens when other players steal or destroy things in game. It may not be something as simple as stealing it. Maybe I built a virtual landfill next to your virtual home. Furthermore, it seems that we would need to hold game companies responsible for the cost of any glitches that cause monetary loss for you. It’s already happened in several cases where items have been lost or perhaps the last hour of activity has been lost due to computer failure. In addition, should the game companies have to keep strict tabs on items and their value for tax purposes?

Devaluation by Game Designers
I mentioned in class that a fundamental difference between traditional games where you pay a fixed initial cost and ones where you pay a monthly fee is that the game designers have the opportunity and the incentive to constantly update the game and make improvements. The market is such now that this is in fact absolutely necessary. In some cases these are sweeping changes that drastically change the nature of the game. Are we planning on holding game designers responsible for the fact that a change they brought to the game negatively affects your assets? Perhaps they decided to up the cost of materials you use to build your product and now your business is infeasible. Or they added a bigger sword so the one you have in the bank is not the largest anymore.

Copyright
This one is interesting because Second Life makes the claim that you have enforceable copyright to any items you create within their game. I can’t see how this could ever be enforced internationally or even just in the US. It seems that if my items have real world value, then so should my creations or ideas. Perhaps we should set up a virtual patent office? What if I take a real world item and make a virtual replica in game? It seems Mercedes should be able to sue me if I use their logo on my virtual car. Perhaps I could make and sell virtual Fords in game that break down all the time just to hurt Ford’s reputation.

Reputation/Slandering
If we’re going to assign value to items in the virtual world, then certainly avatars should have some rights as well. It was mentioned that part of what the people running these virtual businesses relied on was their reputation; the fact that people trusted them. If the virtual paper begins to run fake stories slandering the virtual merchant, are they liable? Are virtual companies subject to false advertisement laws? Certainly this should be addressed.

Privacy
Oh yes. What of the privacy rights of my avatar? I lead a quiet virtual life and would hate it if the local newspaper started posting my personal information. Information about my virtual enhancement operation should certainly be protected.

I’m taking things a bit far, but I think the fundamental argument is sensible. Destroying the boundaries between gaming and the real world via legislature is not a good path to head down. Leave the virtual world virtual. Certainly there will be markets surrounding these worlds and people will lose money when they lose the ability to differentiate and prioritize between the real and virtual world, but it’s better than enforcing the idea that these worlds are intimately linked.

OS barrier to entry .. light at the end of the tunnel?

In our last discussion of Microsoft and the issues of network effect and barrier of entry we touched on the fact that it’s difficult for a new vendor to enter into the operating systems market. In my view the difficulty lies in two main realms, technical and behavioral. The behavioral is basically that people resist change and learning new technologies, interfaces, etc. Even if presented with a slightly better product, they tend to remain with what they know. This is not the issue I hope to address. The other issue warrants more detail.

As a little background, the function of an operating system is the management of resources. Resources in this context refer to the physical attributes of a computer. While it may appear as a solid box to most, your computer is in many ways modular. There is a separate component that does computation (CPU), stores information for fast access (RAM), provides permanent storage (disk), allows input and output of information (mouse, monitor, etc.) and so on. The applications running on your computer ask for these resources to do their work and the OS is responsible for managing this. That’s it. While operating systems do employ very complicated techniques to maximize usage of these resources, the fundamental task is actually not that complicated. More importantly, even though you are used to Windows providing a web browser, a media player, an email client and any number of other applications, these are NOT fundamental to the OS.

You might ask “how do the applications know how to ask the OS for resources?” and the answer is that the OS publishes a known interface. It might say “in order to send data across the network, call the ‘foo’ command with attributes x, y and z”. This interface is very specific to the operating system and taking an application written to one OS’s interface and porting it to another OS is generally non-trivial. This is where the barrier to entry arises for new OS vendors. It is very costly for application vendors to write multiple copies of their applications to different interfaces, so they will only do so for the OSs that have high market share (in many cases just Windows). Conversely, customers want to buy an operating system that supports the application they need. In short no one wants to deal with new vendors.

The same thing happens from the “other side” with hardware vendors. The OS publishes an interface for “this is how I will access you” and it is the burden of the hardware vendor to write software (drivers) that makes their hardware accessible in the way the interface defines.

I think there is light at the end of the tunnel ..

We have long dealt with a product that is in many ways inferior (Windows) because of a lack of choice. Two technologies are emerging that I think might shake this state. Java began the idea of realistic portable code. The idea is basically that you install a piece of software on your computer that serves as a middleman between the interface of the OS and that of your application. That way you have to write only one piece of software per OS and code written to your middleman will run on that OS. This has been around for a long time with limited success, but I believe that computers have become fast enough (adding a middleman always slows things down) and the technology understood enough that it is becoming feasible. I believe the .NET move by Microsoft is evidence that they believe this type of shift is inevitable and they want to control it.

From the other end I see hope in virtual machines. The most well known product in this field is probably VMware, which comes in several flavors and works differently in each. Notably, one of the flavors places itself as a middle layer in between the hardware and the operating system and can run multiple different (or the same) OSs at once. This is also not new technology, but it is my feeling that the reason it has become popular again is (once again) that performance of PCs has gotten to the point where we don’t mind taking a small hit for the ability to run multiple OSs.

It is my hope that with more development in these two fields, eventually someone will come up with a lightweight, fast OS that runs on top of a virtual machine and supports a JVM or some next-generation language machine. Application vendors will have motivation to write their apps in the portable language. Hardware vendors will want to make sure their product runs well on virtual machines. Once people have the option of getting their applications on any platform, they will stop caring about Windows. This will allow for competition and force Microsoft to get their act together.

RI rant

In light of our recent competition discussions I revisited some of our discussions with respect to the RIAA and copyright. A few discussions with friends later led me to a fairly extreme idea, which I hope to defend. The short version: “The RIAA and the current sales infrastructure in the music market is fundamentally flawed, archaic and should be allowed to simply die. The recording industry (and RIAA) is no longer serving the good of society, or at least the amount of utility they provide is far surpassed by their own greed.”

The incentive argument: “If piracy is not controlled, there will be no money in music and artists will have no incentive to create music. The total amount of music being produced will decline as will the quality.”

At the surface the argument seems compelling, but several parts do not ring true for me. For one, it seems that as long as you can put on concerts, there is money to be made in music. Furthermore, most of the money being made is not going to the artists, rather it is being consumed by the industry. If even a small fraction of this money were redirected to the artists, I believe it could end in surplus. Secondly, it is not clear to me that musicians are purely motivated by money, as opposed to for instance fame and a love of music. Music has not always been a lucrative business and yet we’ve always had musicians. I somehow doubt that the talented musicians of our day at one point sat down and did a cost-benefit analysis between becoming a rock star or a physicist. Finally, the claim that the recording industry provides a service to the public by filtering out bad music is dubious at best. I personally disagree with most of their choices and I suspect their motivation is purely in economics.

The services argument: “The recording industry provides a service in the form of distributing music (CDs, Radio, etc), providing music studios, organizing concerts and promotion.”

I’ll address distribution in a later paragraph. With respect to all of the others, it seems that with the advent of mass communication, most of the organizational burden of connecting people and services (concert halls, studios, etc) could be done more efficiently, on an open market and directly between artists and service providers. This is an example of how artists would still be able to make money and perhaps even more than they do now. The promotional aspect (I do realize how extreme I’m getting here) seems to do more evil than good in my opinion. It allows the recording industry a degree of control over what “becomes popular”. It seems that radio stations (internet or regular), trying to promote themselves by playing what they believe will get attention would be more fair and beneficial.

The fundamental flaw: “How long did the RI think they could make money selling music on plastic?”

The recording industry is wrapped up in a blind and relentless struggle to come out with the ultimate copyright protection encoding/software/hardware/law (and they are not alone). The value of the product is the music, not the medium. In an age where bandwidth is growing, everything is turning digital and the public is becoming increasingly tech-savvy, to remain steadfast in a method of operation that is crumbling all around them in hopes of winning the copyright/cracking arms race is short sighted. Their method of distribution is simply obsolete (reverting back to the services argument). The solution is to change the business model. A simple example is iTunes. The general public will sell their souls for convenience. If you make a song $1 and a button click away, people will buy it. Paid Internet radio stations and satellite radio have proven themselves to be profitable. Getting millions to pay a small fee for lots of music will generate far greater profit than charging $20 a CD to a small subset.

Instead the RI chooses to prosecute 13 year olds and their parents, spend millions of dollars on copy protection software that opens computers to vulnerabilities and price fix CDs (see the 2003 settlement by the four largest music distributors). The need to have a contract with a recording studio to be heard on the radio raises the barrier of entry for underground artists and as a result we get a small subset of music prefiltered for maximal profit. The recent legal actions by the RI are not to preserve music as a societal good but rather to maintain the status quo: four large distributors accounting for 95 percent of sales. It’s just hard for me to feel sorry for them ..