20071127

Privacy and piracy: What are we telling the kids?

Jon Espenschied

November 26, 2007 (Computerworld) I can't find much difference between the Motion Picture Association of America (MPAA) members' business model and a band of large-scale ticket scalpers, but lately they and their music-industry cousins in the Recording Industry Association of America (RIAA) are exhibiting the collective gall of a bank robber demanding change for the getaway car's parking meter.

During the past few weeks, the MPAA has asked both for Congress to pay for enforcement of their dubious and withering business model as if it were law (as, unfortunately, it is in some cases now), and for universities to conduct discovery for them by running the MPAA's privacy-busting monitoring systems.

While I understand the frustration of artists and performers whose recorded works are taken and distributed without consent or compensation, the MPAA and RIAA seem to be doing as much for the rights of those artists as for the media consumers -- that is to say, not much. In fact, there's every indication that these trade federations are doing a whole lot more harm than good, ensuring short-term profits for their members at the expense of both their own longevity and the U.S. legal system as it concerns intellectual works.

Worse, it's misusing information security technology to breed a generation of cynics, whose dim view of security, privacy and information governance puts us on the road to lost opportunity (via way stations of mistrust and apathy). It's worth setting aside the legal minutiae, and the moral debate as RIAA and the MPAA are attempting to frame it, to consider the messages this mess sends the kids.

"You're all thieves"

Breathes there a child or teenager who never stole a candy bar from his aunt or the local store? Misappropriating an item of trivial value, having to return it and facing stern words from a parent or store owner is an essential rite of passage into adulthood. I remember hearing reruns of late night golden-age AM radio lamenting the fate of children whose lax moral training and forgiving parents led to a life of crime and premature demise.

But in real life, we teach kids the difference between theft and borrowing, and between pilfering a candy bar and stealing an ambulance (as a relative of mine once did) based on the action and its consequences.

We also teach a sense of presumed innocence until a preponderance of evidence indicates guilt. Through primary and middle school, we might maintain this idealism, but presumed guilt is creeping downward in age, from college to high school. Not content with having Internet service providers monitor individual users to track them down at home and school, a few weeks ago the MPAA sent letters (PDF format) to U.S. universities and colleges, requesting that they download and install an MPAA-accessible monitoring and tracking system on their internal networks.

Instead of following instances of infringing use, the constant monitoring makes it plain that criminal intent is assumed on the part of students at these universities. Like an overzealous store detective following a band of kids from the moment they enter an establishment, this approach always backfires: Inevitably one or more otherwise well-intended subjects are offended and think "Well, if you're going to treat me like a thief, then I'll..." One campus full of kids thinking this way is serious trouble, but we're on the verge of having an entire age group turn down this path.

"Only organizations own information"

It used to be that you could hold a book in your hand and it was yours -- really yours. Sure, you weren't supposed to duplicate and sell the copies, but you could read it again and again, even out loud in front of an audience. You could make a copy of a few pages for a report or presentation, make notes in margins, and even tear the covers off to make it fit in your travel bag or give interesting pages to your friends if you were so inclined.

But no more: Play music in a public place? Better get a performance license. Copy an image or make an audio sample? Not without explicit permission. Make notes or commentary? Not permitted by the license in some software. Trans-code media to take with you on a trip? "Fair use" is under attack. Split a paid-for "CD" into individual songs and give them away? That's asking for big trouble.

The lesson is that ownership of information is a corporate right, and that people are only licensees. Stories from the likes of Courtney Love about the abuse artists and performers suffer at the hands of RIAA and MPAA members are legion, and only serve to reinforce the idea that current laws reserve ownership and control of information for organizations, not individuals.

Even more innocuous (but not harmless) control of information sourced from individual contributors furthers this notion. For example, the popular Facebook site was recently the subject of discussion concerning its "Hotel California"-style data retention policy wherein it retains and keeps rights to all contributions of personal data in perpetuity -- as well as recent use of personal content for targeted marketing purposes.

For older students starting to produce their own serious written compositions, research papers, music, designs and other intellectual works, it's inevitable that they ponder the transition from their own "work" into "property." If the omnipresent media businesses appear to tromp on the rights of individuals as producers and consumers, then the futile and frustrating choice is either to be a sell-out/obedient consumer, or to throw a BitTorrent- or Tor-shaped wrench in the system.

"Security is not for you"

Recent legal developments in the U.S. have included criminalization of tools: From bongs to slim-Jims, items that might be used for a criminal act are termed paraphernalia and possessing them is criminal in its own right. Recently, the use of encryption software to hide criminal activity was deemed a criminal act itself, and current opinions are leaning toward the mere presence of encryption software or encrypted data as probable cause -- the standard used by law enforcement to justify an on-the-spot search of person or property, obtain a warrant, or make an arrest based on the notion that a crime has probably been committed.

This sort of "pre-crime" prosecution is an expression of fear on the part of potential plaintiffs or prosecutors, an excuse for bad evidence-gathering, and a tool ripe for misuse. We already have laws that distinguish between the expression of intent to hit someone with a baseball bat (threatening qualifies as assault, even if no one is injured) and actually hitting them with said bat (battery). Why does possession of a baseball bat when you're not wearing a baseball uniform need to be criminalized as well? The answer, it seems, is only in capricious cases where the evidence of intent is weak.

What this does accomplish is a double standard whereby organizations use borderline or obviously illicit tools (e.g., Sony's rootkits), engage in monitoring without informed consent, and encrypt content without question or fear of prosecution. These same items are currently or soon will be probable cause for arrest and detainment of individuals -- if not on campus or in high-schoolers' living rooms, then surely at a customs checkpoint or in any setting already under scrutiny by law enforcement.

But resource-rich kids will not capitulate, and removing their resources makes them unsuitable as customers. They look at every instance of "Digital Rights Management" control and monitoring software foisted upon them by record and movie companies and see it as justification for cracking. Encrypted content justifies encrypted volumes for storage. Monitoring justifies evasion. And as the crowd gets bigger, evasion gets easier and easier.

"Privacy is dead"

Privacy is not dead, even if some kids are starting to believe it's so. Last year, I read yet another recent graduate blithering in one of the local alt-weeklies about how privacy is an outmoded notion that old people cling to. Even financial data came up in the conversation, and I thought, "Oh, you poor thing -- I'll be here with a blanket and some hot cocoa when you wake up, your violated financial data barely identifiable as your own, while Mom peruses the details of the viral gift your ex gave you splayed across your hacked MySpace page."

Some things are better kept private -- passwords, for example. And it's a fine line between waving access to one's data in the wind and losing control of it, yet the distinction is often lost on the less astute kids. Getting another MySpace account is easy, but getting another Social Security number is not. The more-cynical kids might have a look at the state of internet monitoring, marketing campaigns based on personal financial data and the use of medical data for dubious research and adopt the idea that personal privacy is granted by public and private service providers, not an inherent right.

How is it that one arrives at such a naive or deeply cynical position? And how could such a person hack it in the modern workplace? Even a pancake-house cashier needs to understand the consequences of logging in and out of his Squirrel system; do you really want your next generation of employees to operate on the assumption that all data should be treated as public information?

"Justice is purchased"

As mentioned earlier, enforcement of the ailing media industry business model -- where artists are subject to predatory contracts, and consumers to predatory conditions and pricing -- has been propped up by changes to copyright law that withhold material from the public domain far longer than could have been imagined until recently. Worse, enforcement of what would have been civil actions is now conducted with disproportionate assistance by law enforcement, or even by RIAA rent-a-cops impersonating law enforcement officials.

The aftermath of discovery and media raids has left thousands of people facing lawsuits filed by companies with vast legal and financial resources, with the vast majority of those consumers bullied into revolving-door settlements as an alternative to ruinously long court proceedings. If the kids weren't cynical by now, this demonstrates clearly that money and power can buy laws and enforcement, and that due process is meaningless.

If the civil courts can't support a defense of a business model, then the business model needs to die. We don't need more laws, just enforcement of the ones we have -- or had, before the MPAA and RIAA started to monkey with them. Even some of the positive news in this regard is tarnished. For example, the French audio recording industry association intends to force Internet service providers to identify specific illicit file-sharers and their specific actions -- at the expense of user privacy.

Still hopeful

You couldn't pay me to be in college again, facing a choice between being a coward for complying with this downward spiral of data security, privacy rights and legal protections, or being a criminal for resisting and asserting what was until recently fair use and an acceptable level of misbehavior.

But one of the classic mistakes in information security programs is the treatment of end users as cattle. Just as RIAA and the MPAA underestimate the power of their consumer and compliance targets, don't underestimate the kids' capacity for understanding and reasoned response.

More are learning that personal data is theirs to control. While the concept that their own self-published data lingers is obscure to them, even many younger preteen (and hopefully pre-MySpace) kids do understand that others' personal, medical or financial data is not theirs and is ethically off-limits. In some cases, there is encouraging legal news to nudge kids in the right direction, if perhaps in a ham-handed fashion.

At the same time, kids inevitably will form a personal ethic about what data is not theirs but ought to be obtainable. However, impossible terms for information access will be met with resistance and eventual defeat as they grow older and put some sense back in this badly broken system. Vox populi, vox Dei.

Jon Espenschied has been at play in the security industry for enough years to become enthusiastic, blasé, cynical, jaded, content and enthusiastic again. He manages information governance reform for a refugee aid organization and continues to have his advice ignored by CEOs, auditors and sysadmins alike.
