Topic: Telecom, Internet & Information Policy

Gannett to Use Peer Production

News outlets are fascinated with the news business, so quite a few stories have been flying around the last few days about the Gannett newspaper chain’s decision to use citizen journalists.

Writes the Washington Post, for example:

Gannett is attempting to grab some of the Internet mojo of blogs, community e-mail groups and other ground-up news sources to bring back readers and fundamentally change the idea of what newspapers have been for more than a century…

The most intriguing aspect of Gannett’s plan is the inclusion of non-journalists in the process, drawing on specific expertise that many journalists do not have. In a test at Gannett’s newspaper in Fort Myers, Fla., the News-Press, from readers such as retired engineers, accountants and other experts was solicited to examine documents and determine why it cost so much to connect new homes to water and sewer lines. The newspaper compiled the data and wrote a number of reader-assisted articles. As a result, fees were cut and an official resigned.

It’s all quite reminiscent of Friedrich Hayek’s articulation of how the price system turns local knowledge into a useful form and thus better organizes human action than any centrally planned system.

The blogosphere (writ large) can and often does surface relevant knowledge better than any group of reporters, no matter how smart or dedicated. Gannett is wise to recognize this and incorporate superior local knowledge-gathering into its business model.

Legal Process Is Good Business

I’ve written here a couple of times about how government access to data threatens many new and forthcoming business models.

TechDirt, a favorite tech-business blog, writes today about some ISPs’ perceived lack of cooperation with law enforcement.  That ‘lack of cooperation’ is asking for a warrant before revealing customer data.  “But requiring a warrant is a check against abuse; without them it’s hard for ISPs to judge the legitimacy and seriousness of a request. By valuing privacy, they better serve their customers, and ensure that law enforcement is only pursuing cases within the scope of the law.”

Very nice to see a business-oriented blog showing how privacy protection nests with commercial interests and good government.

CAN-SPAM Didn’t - Not By a Long Shot

Every once in a while, it’s useful to go back and look at how Congress has done with past regulatory efforts.  The exercise might help determine whether to embrace, or be skeptical about, future efforts.

Congress passed the CAN-SPAM Act in late 2003, and it became effective January 1, 2004.  Here’s the Federal Trade Commission’s summary of the law, which tells us that CAN-SPAM bans false or misleading header information, prohibits deceptive subject lines, requires that commercial e-mails give recipients an opt-out method, makes it illegal for commercial e-mailers to sell or transfer the email addresses of people who choose not to receive their e-mails, and requires that commercial e-mail be identified as an advertisement and include the sender’s valid physical postal address.

And here’s the result:  3 out of 4 e-mails are spam, and 0.27 percent of e-mails comply with CAN-SPAM.  That’s 27 in every 10,000 e-mails.

The regulation is a failure.  It provided consumers with zero benefit.  Most people are seeing less spam in their Inboxes because of improved filtering technology, a product of commercial ISPs working to serve their customers.

Should Congress or the FTC ramp up enforcement?  Increase penalties to bring spammers to heel?  No.  They should abandon the enterprise entirely and confess their incompetence to regulate the Internet and technology.

Despite its failure, consumers continue to bear the costs of the tedious regulations CAN-SPAM imposed on legitimate businesses.  They pay just a little more in taxes, a little more for everything they buy online, and they forgo the benefits of that tiny margin of innovation lost as businesses divert their efforts to compliance.

(Hat tip: TechDirt)

On Media and Habeas Corpus

TV.  People call it the “boob tube.”  People banish it from their homes to demonstrate how smart and superior they are (oh, and elitist).  People argue endlessly about who should be able to own TV stations because, with too much media in too few hands, other people might hear or learn the wrong things.

The inferiority of TV.  Its subjection to the control of media titans, who play footsie with political power.  These things are demonstrated to be absurd by things like this: a former sportscaster on a throwaway cable news channel imploring his audience and the President about habeas corpus, the Military Commissions Act, and American history - for nearly nine minutes.  This is the kind of thing that happens in our supposedly vapid, short-attention-span media world.

Now, I’m not a fan of Keith Olbermann, nor an opponent of the current administration (though I criticize policies unreservedly when I think they’re wrong).  I make these disclaimers to encourage you to consider the arguments Olbermann makes, looking past some of his personal invective.  He states quite strongly things that our careful scholars are suggesting and exploring here, here, here, here, and here.

People, when you’re not reading Levy, Moller, or Lynch - watch TV!

Kahn on ‘Net Neutrality

Venerated deregulator Alfred Kahn weighs in on “‘net neutrality” - the proposal to have Congress and the Federal Communications Commission decide the terms on which ISPs could provide service, and whom they could charge for what. Net neutrality regulation is advanced primarily by the political left. Here’s Kahn on his bona fides:

I consider myself a good liberal Democrat. I played a leading role under President Carter in the deregulation of the airlines (as Chairman of the Civil Aeronautics Board) and trucking (as Advisor to the President on Inflation), against the almost unanimous opposition of the major airlines and trucking companies and–let’s be frank about it–their strongest unions. Among our strongest allies were Senator Ted Kennedy, Stephen (now Supreme Court Justice) Breyer, and such organizations as Common Cause, Public Citizen, the Consumer Federation of America and Southwest Airlines.

On telecommunications competition:

In telecommunications, cable and telephone companies compete increasingly with one another, and while the two largest wireless companies, Cingular and Verizon, are affiliated with AT&T and Verizon, respectively, some 97 percent of the population has at least a third one competing for their business as well; and Sprint and Intel have recently announced their plan to spend 3 billion dollars on mobile Wi-Max facilities nationwide. Scores of municipalities, led by Philadelphia and San Francisco, are building their own Wi-Fi networks. And on the horizon are the electric companies, already beginning to use their ubiquitous power lines to offer broadband–to providers of content, on the one side, and consumers, on the other.

His conclusion: “There is nothing ‘liberal’ about the government rushing in to regulate these wonderfully promising turbulent developments.”

Google (et al.) and Government Surveillance

Ars Technica reports here on the “provocative claim that Google is currently cooperating with secret elements in the US government, including the CIA.”  This is a possibility I blogged about here a couple of weeks ago.

It’s something people should be concerned about, and people’s concern is something Google should be concerned about.  

People averse to the risk of exposing their online activities to government surveillance should take Google’s studious silence as confirmation. 

Fake Boarding Pass Generator Underscores ID Woes

Yesterday, the blogosphere crackled with news that ‘net surfers could use a website to generate fake boarding passes that would enable them to slip past airport security and gain access to airport concourses. The news provides a good opportunity to illustrate a credentialing (and identity) system, how it works, and how it fails.

It’s very complicated, so I’m going to try to take it slowly and walk through every step.

The Computer Assisted Passenger Prescreening System (CAPPS) separates commercial air passengers into two categories: those deemed to require additional security scrutiny — termed “selectees” — and those who are not. When a passenger checks in at the airport, the air carrier’s reservation system uses certain information from the passenger’s itinerary for analysis in CAPPS. This analysis checks the passenger’s information against the CAPPS rules and also against a government-supplied “watch list” that contains the names of known or suspected terrorists.

Flaws in the design and theory of the CAPPS system make it relatively easy to defeat. A group with any sophistication and motivation can test the system to see which of its members are flagged, or what behaviors cause them to be flagged, then adjust their plans accordingly.

A variety of flaws and weaknesses inhabit the practice of watch-listing. Simple name-matching causes many false positives, as so many Robert Johnsons will attest. But the foremost weakness is that a person who is not known to be a threat will not be listed. Watch-listing does nothing about people or groups acting for the first time.

In addition, a person who is known and listed can elude the system by using an alias. The use of a false or synthetic identity (and thus an inaccurate boarding card) could assist in this. But the simplest wrongful use of this fake boarding card generator would be to make a boarding card that allows a known bad person to receive no more security scrutiny than all the good people.

When CAPPS finds that a passenger should be given selectee status, this is transmitted to the check-in counter where a code is printed on the passenger’s boarding pass. At the checkpoint, the boarding pass serves as a credential indicating that the person is entitled to enter the concourse, and also indicating what kind of treatment the person should get — selectee or non-selectee. The credential is tied to the person bearing it by also checking a government-issued ID.

In a previous post, I included a schematic showing how identification cards work (from my book Identity Crisis). This might be helpful to review now because credentials like the boarding pass work according to the same three-step process: First, an issuer (the airline) collects information, including what status the traveler has. Next, the issuer puts it onto a credential (the boarding pass). Finally, the verifier or relying party (the checkpoint agent) checks the credential and accords the traveler the treatment that the credential indicates.

Checking the credential bearer’s identification, a repeat of this three-step process, and comparing the names on both documents, ties the boarding pass to the person (and in the process imports all the weaknesses of identification cards).

Each of these steps is a point of weakness. If the information is bad, such as when a malefactor is not known, the first step fails and the system does not work. If the malefactor is using someone else’s ticket and successfully presents a fake ID, the third step has failed and the system does not work.

The simple example we’re using here breaks the second step. A person traveling under his own name may present a boarding pass for the flight for which he has bought a ticket — but the false boarding pass he presents does not indicate selectee status. He has eluded the CAPPS system and the watch list.
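The three failure points described above, as a small Python model. This is an added example, not part of the original post: the names and flight number are constructed, and `check_issuer` is a hypothetical checkpoint that reads the status from the issuer's own record rather than from the paper.

```python
from dataclasses import dataclass

WATCH_LIST = {"KNOWN BADGUY"}  # constructed sample entry, not real data

@dataclass(frozen=True)
class BoardingPass:
    name: str
    flight: str
    selectee: bool  # the code printed on the pass

class Issuer:
    """Steps 1 and 2: the airline collects information and prints the credential."""
    def __init__(self):
        self.records = {}  # (name, flight) -> status as the issuer knows it

    def issue(self, name, flight):
        selectee = name in WATCH_LIST  # step 1: only known names are flagged
        self.records[(name, flight)] = selectee
        return BoardingPass(name, flight, selectee)  # step 2

def check_paper(bp, id_name):
    """Step 3 as the post describes it: trust the pass, compare its name to the ID."""
    if bp.name != id_name:
        return "refused"
    return "selectee" if bp.selectee else "normal"

def check_issuer(bp, id_name, issuer):
    """Hypothetical variant: take the status from the issuer's record instead."""
    status = issuer.records.get((bp.name, bp.flight))
    if bp.name != id_name or status is None:
        return "refused"
    return "selectee" if status else "normal"

def run_scenarios():
    airline = Issuer()
    listed = airline.issue("KNOWN BADGUY", "XX100")
    altered = BoardingPass(listed.name, listed.flight, selectee=False)  # step 2 broken
    unknown = airline.issue("FIRST TIMER", "XX100")       # step 1 fails: not listed
    borrowed = airline.issue("SOMEONE ELSE", "XX100")     # step 3 fails: false ID matches
    cases = {
        "genuine pass": (listed, "KNOWN BADGUY"),
        "altered pass": (altered, "KNOWN BADGUY"),
        "unlisted person": (unknown, "FIRST TIMER"),
        "other's ticket + false ID": (borrowed, "SOMEONE ELSE"),
    }
    return {label: (check_paper(bp, ident), check_issuer(bp, ident, airline))
            for label, (bp, ident) in cases.items()}

if __name__ == "__main__":
    for label, result in run_scenarios().items():
        print(f"{label:28} paper={result[0]:9} issuer={result[1]}")
```

Only the altered-pass row differs between the two checkpoints. The unlisted-person and false-ID rows come out the same either way, which is the post's point about steps one and three.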

The fake boarding pass generator does not create a new security weakness. It reveals an existing one. Though some people may want to, it’s important not to kill the messenger (who, in this case, is a Ph.D. student in security informatics at Indiana University who created the pass generator to call attention to the problem). As I’ve said before, identity-based security is terribly weak. Its costs — in dollars, inconvenience, economic loss, and lost privacy — are greater than its security benefit.

Hopefully, the revelation that people can use fake boarding passes to elude CAPPS and watch-lists is another step in the long, slow process of moving away from security systems that don’t work well, toward security systems that do. Good security systems address tools and methods of attack directly. They make sure all passengers on an airplane lack the capacity to do significant harm.