InfoTech and Public Policy

Threat Level on Wired.com (cite) reports that a nonpartisan group in Durham, NC by the name of “Women’s Voices, Women Vote” has used a voice recording to telephone numerous black voters throughout North Carolina and remind them to register to vote.  While normally this would be considered of net benefit to society, they fail to mention that the deadline for registration was almost a month ago, and many of the phone calls were to citizens who have already registered to vote.  With such a contentious presidential primary season coming up, it seems as though this may be an attempt to confuse and intimidate black voters into not showing up to the North Carolina primary.  While a bill submitted by Illinois representative Rahm Emanuel in 2007 would make such misdirection obviously a crime, of utmost concern here is the extent of damage that may be caused by such fraud.  To see the exact extent to which fraud can quickly change the face of an election, look no further than the allegations of fraud against Swift Boat Veterans For Truth in 2004 (cite).

While voter intimidation has always been a serious crime in the United States, only with the advent of recent communications technology has the need for prevention begun to outstrip the need for enforcement.  Whereas in previous decades, the criminality of voter suppression was enough to keep most politicians and their surrogates from intimidating voters, in recent years it has now become possible for one person to suppress a large number of votes before being caught, allowing them to get their candidate elected and then “take a fall.”  Thus, rather than only being concerned with voter suppression detection and prosecution, it may be wise to look into voter suppression prevention as well.

Much of this would depend upon the medium through which the suppression is being communicated, however, there may be some bundle solutions.  One might be to require that any political organization registered with the government provide a degree of transparency about their actions, such as agreeing to be wiretapped.  This would help to focus the fraud prevention efforts of the FEC, giving them time to catch such things as the voter registration phone calls soon after they begin.

Another possibility would be to create a committee for the sole purpose of electoral fraud detection (separate from the FEC).  While this is a very cost-ineffective option, allowing a committee the ability to aggressively detect and block certain specific behaviors without a court order could dramatically decrease the amount of damage those behaviors could do.

One final way would be to dramatically increase the penalty for election fraud, so that it would be more of a deterrent to individuals who may be prepared to take a fall for their candidate.  In particular, there should be no situation in which intentional voter fraud could be found a misdemeanor.

By increasing the penalty for election fraud, creating a committee not within the FEC but with the power to detect and block certain fraudulent behaviors upon seeing them, and requiring that political organizations commit to having their communications with the outside world revealed and scrutinized before things go public, it may be possible to create a fraud prevention scheme that will work in the information age.

While standardization of security software would allow users to know what they are buying when they buy it, many arguments can be made that standardization leads to an inferior product. When given a standard to fulfill, companies tend to fulfill that standard and little else. Further, standardization is difficult from a workload point of view. The federal government alone cannot evaluate the security of every internet log-in in even a moderately rigorous fashion without taking years to do so. In fact, so much standardization is needed that standards companies have popped up all over the globe, each one providing a unique standard for security.

While both these problems are legitimate, placing the federal government in a role that allows them to standardize standardizations would allow them to manage a complex system in a simple and easy to achieve way, and to create a program that only certifies security systems that not only meet the minimum standard, but can move beyond it.
The idea is this: the federal government’s security standards committee would license security standards providers. The providers would be able to leverage this by providing security programs the ability to stamp their systems with a government seal recognizing that they have achieved a certification from a government-issued certifier. To be given certification from the government, security standards providers must be able to show that the following are a part of their business process:

1.) Prove that an adequate level of security is available before the user is accesses any part of the internet other than the security provider’s servers.
2.) Prove that security updates made by providers are created and distributed in a timely and effective manner when new viruses are discovered, or that the infrastructure is in place for doing so for new software
3.) Prove that software from security providers does not do damage to a user’s computer
4.) Show a willingness to update their standards based on both new viruses and an advance in virus detection, quarantine, or removal.

By certifying standardization businesses that adhere to these four principles, the federal government can ensure the manpower is available to certify security programs while still keeping businesses from playing to the minimum standard. The key to eliminating play to the minimum standard is the second part of #4 – if standards can change based on new technology, it is in a businesses’ favor to make inroads in that technology in the hope of getting other companies to lose their certification until they can catch up. Rule number 4 in fact lets this policy promote innovation, rather than stifling it.

More and more frequently, the issues of free speech, commerce, and security have appeared in this class and in this blog in direct opposition to anonymity. One thing has become apparent to me in the last few weeks: while the anonymity of the internet protects numerous freedoms, it is also frequently too anonymous for its own good. From the ability to post libelous information about a classmate (see http://www.juicycampus.com) to the desire to keep terrorists from exchanging large sums of money via Second Life (cite), it only makes sense that certain information be required to register and use the Internet.

In this blog I will not discuss the reasons behind wanting to implement a policy to require authenticated internet use, but rather the feasibility of implementing it. The discussion of whether or not it would be useful could be a book unto itself.

The major issue with respect to implementing such a policy would be the ability to guarantee that a given computer was not stealing the information being used to identify the individual. Imagine, if you will, going to an internet cafe in your hometown and then three days later being charged with libel because your account was hacked. While this is not necessarily an everyday situation, it may well be a frequent one, and the ease with which one might get such information from a public computer is a paramount concern.

There are ways to protect your information even with a public computer, however. Many companies and even the US Department of Defense have begun to use “smart cards” that cycle through passwords for you based on criteria such as the date and time (cite). As long as you have the card, all you have to do is look at the current password, type it in, and it identifies you.

The problem with such a system is twofold: on the one hand, it would be very difficult to institute a change in software to allow for personal identification overnight. On the other, such a system may be prohibitively expensive for many people who would use the internet in, say, public high schools, public libraries, or other public places. To lighten the load of infrastructure issues, it seems to me that the best defense may be to require that the government have a central authentication server.

A central authentication server allows users to log in to websites using a third party. In the case of national personal authentication, users would log on to a government website using information such as their name, home address, SSN, or other identifiable information. When they next tried to access a web page, the page would ask the government servers to provide a verification that the computer is logged in. When the server responded yes, the website would begin accepting correspondence.

This would effectively share the burden of privacy. The government would be able to tag IP addresses to specific individuals at specific times, and private hosts would be able to tell what those IP addresses were doing on the internet. Without the government’s control over session variables, it would be difficult to determine who was who, but government involvement could provide accountability in the event of disorderly conduct.

One possible issue with might be the scale of such a system. A database with 600 million entries would be bad enough – imagine a database with 600 million entries, personal information, and session variable records for each internet access! Not only that, but the act of government servers verifying users would require that the government be able to keep track of which websites a user was visiting. There are, of course, ways to make such a system more appealing to internet users (for example, provide a private buffer that routes these session variables to and from the government without saving any records), but such a prospect is difficult and would take time.

The moral of the story, as I see it, is that it is possible to get nearly the same level of authentication over the internet as you would from a driver’s license, given the time and money to create the infrastructure. The question of whether everyone who uses the internet should be authenticated, however, I leave to you.

As noted in my response to “Is SL really changing the world?” (cite) Second Life has a large, insulated economy, in that most of the property that is created and traded in Second Life cannot be exported or imported.  Not only is this an explanation for Second Life’s effect on the US economy not being extraordinarily large, but it is also, according to our forefathers, a legitimate reason to keep the US government from taxing transactions that occur in Second Life.

In the 18th century, around the time of the Boston Tea Party, and the Stamp Tax, the issue of taxing such an insular economy became prevalent in our very own United States of America.  In essence, the argument made by the American rebels was that they were paying taxes disproportionately to English citizens and were receiving negligible benefit from those taxes.  In essence, the Americans were arguing that because that big gap called the Atlantic Ocean limited their imports and exports (including human capital and personal interest) to and from Britain (among other reasons), the American Colonies had a legitimate right to rebel.

While we have rejected this proposition numerous times since, it does bear repeating in the context of Second Life.  Unlike the United States or any colony that has ever been a part of any country, many of the devices that are created and used in Second Life in fact CANNOT be used anywhere else.  And while the Linden Dollar may be currency in the most general sense of the word, you cannot hold it or otherwise trade it outside of Second Life.  In the sense that things created in Second Life cannot be used outside, Second Life is its own economy, and avatars receive little to no benefit from the United States government other than the land on which the servers currently sit and the fact that many avatars are owned by American citizens.

Since we have already argued that the benefit of Second Life to the US economy is negligible, and we also recognize that converse is also negligible, under what authority would the United States justify taxing the residents of an imaginary world based on trades in a currency that is not legal American tender and producing goods that no American will ever be able to use outside of the constraints of this game?

Is it fair to tax transactions in the currency market between the Linden Dollar and the American Dollar?  Yes.  However, the US Government taxing transactions inside of Second Life would be roughly equivalent to taxing a version of Egypt that just happened to have its leadership located within the United States – except there is less incentive because the government actually trades with Egypt.

A number of earlier posts to this blog have shown what appears to be a very disturbing trend.  From  KT’s comment that applications such as Second Life can be used to transfer money between terrorist cells (cite) to E’s claim that the United States government needs to cede some control of the internet to the rest of the globe (cite) to the numerous posts recognizing the emergence of anonymous free speech, there appears to be a general shift in the transfer of information, funds, products and services to a global and more anonymous scale.  While the laws of sovereign nations do and must still apply, the need to recognize that the internet renders those barriers somewhat useless is growing ever greater, and the need for an international, policy based solution to the internet “problem” needs attention before the whole thing gets out of hand.

Second Life itself provides an excellent example, for in many ways, Second Life is as much a sovereign nation as any other.  It has citizens (its users), an economy and a currency exchange market, property (in the form of bits on a server that represent your character and its possessions), and a governing body (its programmers) that has nearly absolute control over creating and maintaining laws for its citizens, with only the right to quit as recourse.  Indeed, in many ways, it could be said that the only thing that keeps Second Life from being a sovereign nation in its own right is the lack of a real distinction between user and avatar and between server farms and virtual world.  People who use Second Life are still citizens of and legal residents in the country in which they reside, and the code base and data that allow the nation to exist are still stored in the great state of California.

It seems to me that before we can begin to solve complicated problems like governance in Second Life and the question of anonymous free speech, we first must answer the question of what, exactly, should be the limits on the internet’s role in the lives of its users.  Is the internet merely a supplement to a user’s daily life?  Is it in fact a “Second Life”, in which users may assume an alter ego completely separate from themselves?  And is the internet part of places that have already been created, or is it in fact a different place, a new frontier, which should have rules and regulations completely different from those that have come before it?  Should the web have its own government, and if so, how could that be enforced?

The answer to these questions, obviously, lies between these extremes, especially given the dynamic uses for global networking.  However, the questions themselves seem to demand a head-to-toe reformation of internet goals, standards, policies, and practices, in that order.  What is needed is not a set of solutions to specific problems, but rather a great debate, an even greater overhaul, and an implementation of the internet that, from the ground up, solves the large-scale questions of ownership, anonymity, and governance.

Formatting wars may not take lives, but they can easily take pieces of our livelihoods.  Take the formatting war between Blu Ray and HD DVD, for example.  While the technology behind HD DVD and Blu Ray is very similar, as both standards are based off the original DVD standard, subtle differences led to them being completely incompatible.  The result: hundreds of thousands of users disenfranchised when HD DVD went off the market, and multiple studios whose risk in supporting HD DVD for their products failed, losing them money and possibly in some cases consumers.
While wars over implementation are certainly valid, one could say that competing by offering mutually exclusive products is anticompetitive.  As put so eloquently by Carl Shapiro (http://faculty.haas.berkeley.edu/shapiro/comppolicy.htm), compatible products compete “in” the market, while incompatible products compete “for” the market.  In most cases, incompatible competition not only supports but REQUIRES an eventual winner, and thus an eventual monopoly.
In many cases, that monopoly cannot be avoided by trying to standardize.  Look at the Operating System market as a primary example.  Microsoft’s ability to dominate the market is largely because Windows and Macintosh are incompatible – application that will work in Windows will not necessarily work on a Macintosh, and vice versa.  Further, the OSes are not compatible to users – someone who knows how to operate a Windows computer, fix a Windows computer, or really do anything with Windows does not necessarily have any knowledge of how to do almost anything with a Macintosh.  Even more beneficial incompatible competition comes from new technologies – imagine, for example, if the iPod had been required to play cassette tapes.  Incompatible competition is in fact the core of innovation.
We cannot stop incompatible competition, nor would we want to.  The question, however, is whether or not we might be able to encourage standardization in a way that makes companies want to compete in the market without playing favorites between companies.  Something as simple as an independent standardization organization may have been able to make the difference to the hundreds of thousands of HD DVD users – indeed, HD DVD and Blu Ray discussed standards in 2005, coming close but never quite reaching a decision (http://www.ft.com/cms/s/0/8e6df286-c670-11d9-b69b-00000e2511c8.html?nclick_check=1).  The war between Internet Explorer and Mozilla Firefox, as another example, would not have resulted in both sides being unable to view adequately formatted websites if they had reached a standard formatting agreement.
Here are some things I believe our government could do to help encourage standardization in a positive way without discouraging innovation:

1.)    Provide limited funding for independent organizations to create standards at the request of two major competitors in an industry
2.)    Create a concept of a limited monopoly that holds companies more responsible for their actions in a situation where they are the only competitors able to develop their own standard. (in the case of Blu Ray and HD DVD, both could be considered limited monopolies and held responsible for attempts to abuse monopoly power when it relates to blocking someone else from using THEIR standard)
3.)    Providing a clear and concise definition of a “standard” that excludes innovation, so that technological achievements can be rewarded while standards, barring patent claims on the technology, are open to public use.

This could still allow the selling of services – for example, in the cellular phone market, as long as a service was standard enough to connect to any phone, it could still require the permission of a provider to use the system.  However, naming refusal to allow standardization as anticompetitive would allow businesses to compete without having to “fight for the market.”

Wired.com reports that earlier this week, the site ratemycop.com, which allows users to rate law enforcement officers online, was taken down by its licensee, GoDaddy.com, under suspicious circumstances.  While most likely this is merely an issue of bandwidth and feasibility of hosting, it raises a number of important questions about the duties of a service provider or registrar to allow for freedom of speech.

Soon after a backlash by police officers concerned about their privacy drew attention to RateMyCop.com, its owner, Gino Sesto, found that his domain had been taken off the internet.  In its place, GoDaddy.com had left an “Oops” message.  No E-mail, no phone notification, just a message saying that the site had violated the terms of service.

Subsequent phone calls to GoDaddy.com were met with two conflicting explanations.  The first was that there was “suspicious activity” on the site, but soon after, GoDaddy began to take their official line – that RateMyCop.com had been taken down because too many people were trying to access it.

Say what you will about GoDaddy’s reasons for shutting the website down – while the overconnection business could be corrected, it could also be a legitimate problem for certain servers.  What’s disturbing here, however, is the lack of notification given by GoDaddy before removing the website.  If this was not enough, though, GoDaddy has a history of closing websites with inadequate notification, including an entire site of 250,000 pages that was shut down with one hour’s notice because it contained one page with a list of myspace.com user passwords that had been leaked.

There are two questions that immediately arise in these cases.  One is whether GoDaddy.com even has a right to take down the domain, for whatever reason, and the other is what duty it has to notify the owners in the event that a domain is taken down.

The first question is relatively easy in the case of RateMyCop.com.  While GoDaddy.com acts as the registrar in accordance with ICANN policies, it also hosts the site, and therefore has to have every right to limit it in whatever way specified in the hosting contract.  There may be a lot GoDaddy could do to keep the site online, but this is definitely something that needs to be settled contractually, as the servers could not operate without restrictions on the bandwidth and number of connections.

In terms of the site with the myspace.com passwords, however, GoDaddy seems to have been out of line.  The site, SecLists.com, was run through its own server, and so there was no technical reason to take down the content – merely the accusation that Myspace’s rights were being violated.  By redirecting traffic away from the site, GoDaddy.com seems to me to be in clear violation of SecLists’ First Amendment rights, and further, it seems to me that there should be specific and clearly defined legal circumstances that allow a registrar to redirect traffic around a website.

When it comes to notice, GoDaddy also seems to have overstepped their bounds.  No matter what the contract, GoDaddy should be required to notify RateMyCop.com that its website was taken down – if RateMyCop.com is being accused of a breach of contract, they should be able to confront GoDaddy in a timely manner.

It seems to me that GoDaddy has seriously overstepped their bounds in a way that should necessitate action from either ICANN or the federal government itself.  In these cases, more regulation by the federal government is required to keep the internet open to all.

The American Presidential race is one of the longest, most in-depth interviews in the world, with many candidates coming into the public eye over a year in advance. Over that next year, candidates go through ad campaigns, debates, speeches, and grassroots campaigning, testing their history, their stance on the issues, and their ability to inspire their followers and win voters to their cause.

While these all give a great impression of how well a candidate can run a campaign, the best means of discovering how well a candidate can function as president would be to actually see them act as president. This is why incumbents tend to have a distinct advantage in presidential campaigns - we suspect that they will run the country the way they have run it in the past, whereas we have no idea how others will run it. Ideally, some sort of simulation that would place a presidential candidate (and perhaps a trusted advisor or two) in a series of short, middle, and long term decisions that was shown nationwide would be perhaps the best possible way to see a president perform without actually having them do the job itself. Such a simulation could be broadcast as television for the United States and the world to see.

This idea at first seems like a pretty radical change, and there are a number of questions that should arise about the thought of putting our presidential candidates on reality TV (which sounds ridiculous when you say it like that). First and foremost is the role that the government must play to ensure its impartiality. Providing commentary or visual aids during the scenario must be prohibited, otherwise the temptation to make snide, joking comments for entertainment value increases dramatically, and partiality takes effect. The choice of scenario, too, is a difficult one, in that it would be very easy to play to a particular candidate, like giving Bush and Gore a scenario about extreme acid rain in New York or Lincoln, Douglas, Breckenridge and Bell a scenario about having to quell a violent slave revolt.

Ensuring a somewhat impartial scenario and forbidding (or at least restricting) commentary are easy to do by requiring that a small, quiet, multi-partisan coalition decide the scenarios and making them the same for each candidate, but there would be other barriers as well. One is, in fact, national security. Should we allow the entire nation to see the mistakes our presidential nominees might make in a crisis? Should we show them what our response plans are for national tragedies? While one could easily do away with response plans and see what the president would do offhand, or provide a different plan for the sake of national security, the visibility of our future president’s reaction I leave open to debate.

Finally, there is the reaction of the candidates themselves. Would they buy into such a preposterously brilliant scheme? While the risks to their careers may be great, I think there may be a number of things they would require that could make such a plan easier. One is the guaranteed impartiality of the system. Another is an ability to respond and explain themselves to the public afterwards. A third is a mandate from the people.

Given these requirements, I think it would be possible to provide an even greater transparency to presidential candidates. But as to whether it’s a good thing, I leave that for you to discuss.

This essay is a response to “Does an IP address have a right to free speech?”

In perhaps the most raw display of human nature seen in a long time, JuicyCampus.com provides its users with an ability to post, completely anonymously, gossip about anyone and anything they feel like, true or untrue.  While this could easily be a great thing for free speech, often people use it to say things that at least appear to be untrue, and often slanderous.  However, because the speech is anonymous (and JuicyCampus claims to have no knowledge of who is posting) and unfiltered, by law there is no means by which to convict either JuicyCampus or an individual commenter with libel.  Hypothetically, a libelous statement could remain on JuicyCampus’s servers for eternity, with little recourse.

The first question, then, is whether or not anonymous free speech should be permissible.  If it is not, then JuicyCampus is providing an illegal activity and should be shut down.  Barring that, however, the question then becomes whether JuicyCampus should be responsible for what is posted on its site.

The question of whether anonymous free speech should be permissible is a tricky one.  One could argue that anonymous speech has been permitted since the first time someone thought to write something down in the middle of the night and put it where everyone could see it.  On the flip side, however, were that to say something libelous or otherwise illegal, officers of the law could attempt to track down by any legal means the person who made that speech and prosecute them (take, for example, the requirement that newspapers release anonymous sources).  In fact, it is very rare that something is completely anonymous, and a site like JuicyCampus.com could face a requirement similar to one that would require newspapers to document anonymous sources so they could be reached in event of a legal dispute.  However, newspapers often attempt to fight for their sources, and reporters often choose jail time to revealing a source.

Perhaps a better option would be to require that a reporter bear responsibility for any anonymous comment made in a report, or, in JuicyCampus’s case, that they bear all responsibility for posts on their site.  This would allow sources to be truly anonymous while simultaneously placing pressure on the enabling person or company to vet any anonymous statements.  However, should a person be allowed to say whatever they want as long as they say it anonymously?  This could easily lead to reporters being held for libel merely because the anonymous source lied purposefully to get the reporter in trouble, and there would be little a reporter could do to prevent such an occurrence.

Another possible option would be to make an anonymous comment the fault of the reporter unless the reporter can prove that a specific person made a given comment.  This would hold allow sites such as JuicyCampus to provide anonymous postings, but would also keep them from being legally liable if they can track their sources.  Such a situation would make a site like JuicyCampus feasible, but has the downside that the postings would not be completely anonymous – if I wanted to determine who said something about me, all I would have to do is accuse the site of libel and hope JuicyCampus defers the charges to the individual.

With the internet allowing anonymous communication with greater and greater ease, something must be done about holding someone responsible.  A system in which both the reporter and the person who makes the statement can be held responsible would be an effective way to ensure that anonymous postings can occur while simultaneously holding someone responsible for any libel that should occur.

With the advent of information technology, it is becoming rapidly easier to copy and send any type of information you want in relatively any format you want.  While this facilitates a lot of great communication, it raises some particular issues in terms of copyright protection and other legal rights.

As we discussed in class yesterday, since World War II the United States government has attempted to control the export of cryptographic encryption.  One thing that struck me as funny about the conversation, however, was the fact that, while it would be illegal to send someone a copy of the algorithm via the internet, it would be fine to take the algorithm, write it on paper, and take it with you to another country.

Other questions arise as well.  What if I translate the seventh Harry Potter book into musical notes based on letters and send it as a .mp3 file?   Have I committed copyright infringement?  What if I just send static?  What if I change the file extension of a .pdf to a .mp3 and send it?  What if I just translate it into French instead and send that?  How should the government regulate copyright infringement when it is so easy to encrypt and decrypt the data?

One obvious answer would be to make it a crime to possess an illegally obtained copy of a work, as well as to provide such an illegally obtained copy.  If the government can catch me with an illegal copy of the seventh Harry Potter book or something recognizeably similar, they can prosecute me and anyone who may have provided me with any data that was transformed into the illegal copy (this gets a little dicey if I use a tool such as Mac OS X to change the file extension or something similar (say, bitTorrent), but that’s for another day).  The question then becomes what constitutes a recognizable copy.

By a US law that allows a non-exportable program to leave the country as a piece of paper, it seem as though restrictions with regards to translation of copyrighted material should be fairly lax.  We could say that as long as the data involves manipulation (other than merely opening in a viewer) to interpret as the original idea, it is not under copyright.  Note the use of the word idea: translating into French would still be copyright infringement.  If it can be interpreted, however, then it is under copyright, which makes sense even if value has been added to the idea: for example, a song or a movie that tells the Harry Potter story should be protected by J.K. Rowling’s copyright.

The treatment given here is fairly basic.  There needs to be a lot more work done on the issue of copyright infringement by transformation of data, but punishing possession of copyrighted material as well as providing data that is transformed into copyrighted material, and making sure that the copyrighted idea rather than merely the wording is restricted are worthy of discussion.