blog.katsbits.com

Although this has been known about for a few weeks, the Queens Speech made the "Draft Communications Bill" (DCB) official in terms of an announcement that is it being put through consideration by the UK Government. In a nutshell, the Communication Bills framework makes it the UK's equivalent to America's CISPA legislation (mentioned in a previous post). Is essentially has the same provisions that 'require' UK Communication Service Providers (CSP) to hold communication data for a given period (12 months is cited in the draft), and that they (the CSP) are to be required to do this as part of their service provision (the implication is that refusing to do this could mean licenses being revoked/fines/criminal charges levied where appropriate).

The data being captured is demographic in nature, "who", "when", "where" but not "why" or "what". It's effectively 'metadata', and information that would allow anyone authorised to access it, the ability to mine and profile said captured data. An investigation and/or Probable Cause do not appear to be requirements for access. Nor is access restricted to 'authorities' (police, military, courts, medical etc.) but instead to authorised agencies ("public authorities"), i.e. anyone granted permission (presumably the Communication Commission is the watchdog for that, although the Interception of Communications Commissioner is listed as the agency of oversight of the system).

Some Key points;

[...]
• An updated framework for the collection, retention and acquisition of communications data which enables a flexible response to technological change.
[...]
• Establish an updated framework for the collection and retention of communications data by communications service providers (CSPs) to ensure communications data remains available to law enforcement and other authorised public authorities.
[...]

Additional Reading

• The Draft Communications Bill (scribd) [scanned doc]
• Law Society's response to the Queen's Speech: Communication Bill [alt Bill source]
• ICO statement on the Draft Communications Data Bill
• The Queens Speech

Partial Background & Origins

• UK Counter Terrorism and Communications Data (homeoffice.gov.uk)
• Strategic Defence and Security Review (SDSR) (mod.uk)
• "Securing Britain in an Age of Uncertainty: The Strategic Defence and Security Review" - PDF (Oct 2010 - direct.gov.uk)

CISPA, or H.R. 3523 the "Cyber Intelligence Sharing and Protection Act of 2011", to give it its full ('Short') title has passed the House. You can see the voting record for H.R. 3523 on GovTrack.us. If you don't know what CISPA is, it's not quite the same as SOPA/PIPA, particular with regards to context (what it's for, so be mindful/wary of those comparisons), but it does have some similarities with respect to the collection, control, use and dissemination of Personally Identifiable Information (PII) data, in this instance for [sic]"Security... and other purposes". MSNBC is the only major outlet carrying this at time of writing.

Additional Reading/Resources

• Bill Text - 112th Congress (2011-2012), H.R.3523.RH
• Cyber Intelligence Sharing and Protection Act of 2011
• H.R. 3523 on Thomas
• Committee Reports 112th Congress (2011-2012) House Report 112-445
• House.gov voting record on H.R. 3523
• CISPA Voting record on GovTrack.us

Long post warning again.

Summery: there's a private agreement between Copyright holders and network service providers coming into force in July that will mean what you do is to be monitoring with respect to copyright infringements. P2P networks are of particular interests. In affect, users will be regarded in principle as being guilty of infringement by the very act that they are being actively monitored for it. You have no say in this as a user except to switch providers to an ISP that has not signed up to the Memorandum of Understanding - this isn't public policy so there is no political recourse, no member of Parliament/Congress that can be called.

---

Apparently, on July 1st this year, Internet Service Providers, in North America at least, will 'switch on' the active tracking of network traffic for the purposes of monitoring Copyright infringement.

There was, apparently, no need for SOPA, PIPA the ACTA or indeed any other such 'public policy', because behind closed doors an agreement was made between the Motion Picture Association of America (MPAA), the Recording Industry Association of America (RIAA) and various network carriers - Comcast, Cablevision, Verizon, Time Warner and other service providers. Penned as the "Memorandum of Understanding", the basic gist of the document is for ISP's to actively monitor traffic flowing around their respective networks for Copyright infringement. Upon discovery ("... notifications of allegations of Online Infringement made via P2P networks and applications"), end-users are to be presented with 'educational warnings' and/or 'prompted' to seek out legitimate sources of the content they are looking for.

It's very clever stuff really. Have a read of this entire section and see if it makes sense (this section deals specifically with P2P networks).

sec.A. The Content Owner Representatives will develop and maintain written methodologies, which shall be adopted by the applicable Content Owner Representative, for identifying instances of P2P Online Infringement that are designed to detect and provide evidence that the identified content was uploaded or downloaded or copied and offered on a P2P network to be downloaded through a bit torrent or other P2P technology. Each Participating ISP will develop and maintain methodologies, which shall be adopted by the applicable Participating ISP, to match Internet Protocol (“IP”) addresses identified by the Content Owner Representatives to the Participating ISP Subscribers’ accounts, to keep a record of repeat alleged infringers, and to apply Mitigation Measures (as defined in Section 4(G)(iii) below). Such Content Owner Representative and Participating ISP methodologies are collectively referred to herein as the “Methodologies”. The goal of these Methodologies shall be to ensure that allegations of P2P Online Infringement, related records, and the application of any Mitigation Measures are based on reliable, accurate, and verifiable processes and information.

What the above means in real money is that the Center for Copyright Information ("CCI") wants ISP's to actively collect data on what users are doing, the kicker being that in doing so, liability with respect to the 'correctness' and 'accuracy' of any such information is quite firmly dropped into the laps of an ISP (collecting agent); in effect they are being 'tasked' with finding "methodologies" that tie IP addresses to particular account holders in such a way as to be irrefutable evidence of infringement, whilst at the same time washing their (CCI) hands of any wrong-doing if the data turns out to be incorrect - this is, not so incidentally, why the new IPv6 technology is being pushed so hard, it has very little to do with "running out of IP4 numbers". Rather it's about tagging an IPv6 'fingerprint' to all connected devices (IP4 and IP6 numbers differ in that the latter is supposed to act more akin to a permanent and locked identifier or network address, similar to a house or property number - the occupants may change but the number is always the same). Talk about having your cake and eating it and the cherry sat atop the one inch thick icing. The really, really, clever 'lawyer speak' is this, the document itself (and by extension the CCI) never once mention how data is to be collected, it just says that it should. This again gets the CCI off-the-hook with respect to the associated privacy issues that type of data collection would entail.

To make sure everyone is playing ball and by the same rules a, not exactly, "Independent Expert" is employed by the CCI who reports, in confidence, with respect to the effectiveness of the aforementioned "methodologies" - ones says "not exactly" because this so called "Independent Expert" is approved by the committee (sec.B "The selection of the Independent Expert shall require approval by a majority of the members of the Executive Committee.") which makes the position more akin to that of a person playing a role in a rigged jury - if the CCI approve the appointment, then all they need do is appoint someone to play along with the role. The same is to be said with respect to consulting "privacy experts"; only those meeting approval will be sought (sec.B "In addition, the Independent Expert will (i) review the Methodologies with recognized privacy experts agreed to by a majority of the Executive Committee"). All of this is carried out under the auspices of an NDA so the public would never know anything with regards to the experts findings.

Your ISP Terms of Service and/or Acceptable Use Policy will change to the following;

sec.F: ... (i) copyright infringement is conduct that violates the Participating ISP’s AUP or TOS and for which a Subscriber may be legally liable; (ii) continuing and subsequent receipt of Copyright Alerts (as defined in Section 4(G) below) may result in the Participating ISP taking action by the application of Mitigation Measures (as defined in Section 4(G)(iii) below); and (iii) in addition to these Mitigation Measures, the Participating ISP may also adopt, in appropriate circumstances, those measures specifically authorized by section 512 of the Digital Millennium Copyright Act (“DMCA”) and/or actions specifically provided for in the Participating ISP’s AUP and/or TOS including temporary suspension or termination, except that nothing in this Agreement alters, expands, or otherwise affects any Participating ISP’s rights or obligations under the DMCA.

Which again puts the liabilities of implementing the Memorandum of Understanding firmly into the hands of ISP's, they will be solely responsible for enacting 'policy' with regards to infringements and not the CCI, effectively removing their need to submit evidential based DMCA requests. In fact, if ISP's are 'policing' their networks, one could certainly argue the case that there's no need for DMCA at all, thus removing yet another protection against arbitrary and summery 'justice'.

The warnings forming the 'educational' aspect of this entire process (sec.G) aren't warnings per-say. Instead they should be regarded as incremental steps which coerce users into admitting wrongdoing in the same/similar way to the TSA's policy of 'enhanced pat-downs' offer 'choice' and 'recourse to say 'no'' - "your Mortons Fork driving me towards a Hobson's Choice leaves me no alternative but to take position with Buridan's Ass" - either click this and admit wrongdoing (irrespective as to the factual basis of that - the appearance of the warning is implicit that the person receiving it has been summarily judged to be infringing), or go elsewhere.

User do have resource and remedy though. Done through the use of an online form, the 'accused' is provided a list of options;

• Misidentification of Account
• Misidentification of Account
• Authorization
• Fair Use
• Misidentification of File
• Work Published Before 1923

However, as with the above, users have to provide a "... defense [that] adequately and credibly demonstrates ..." not having done what is being accused. The only way to do this is to naturally self-incriminate ones self irrespective as to the truthfulness of the claim. In other words the provided options mean users are being asked to prove, to the Right holders (sec.H.i), a negative - in principle (although this would never happen *cough*), a user could be accused of infringement using the barest of 'evidence' (after-all, there is absolutely no defining criteria with regards to how much 'evidence' Right holders are required to have to make a claim - the agreement simply mentions the 'type') with the burden of proof being on the users head to disprove this rather than the accusers. That's right, users are appealing to the Right holders and not a fully independent Reviewer. The nomenclature is deliberately misleading. So to is the reference to not using the outcome of a review in a court of law. This doesn't mean evidence gather in the pursuit of a review won't be used.

So, if you've got this far down the page, first congratulations are in order, and second you may have started to notice that a lot of this seems familiar. It is. In principle SOPA, PIPA and the ACTA were all worded to be construed in pretty much the same way - Right holders given the 'force of law' to do what they're previously agreed to in private, business-to-business. So one has to wonder why SOPA, PIPA, et-al were needed except to bestow said 'Force of Law' into the hands of a corporation to wield as they see/saw fit (the law would allow them that ability - because it would authorise them to be accuser, jury, judge and executioner).

Additional Reading

• The “Graduated Response” Deal: What if Users Had Been At the Table?
• RIAA chief: ISPs to start policing copyright by July 1
• American ISPs to launch massive copyright spying scheme on July 12
• MEMORANDUM OF UNDERSTANDING
• Title 17, Chapter 5, Sec 512 - Limitations on Liability relating to Material Online

In the ongoing battle against unsolicited spam [previous episode here] a solution of sorts has been found. In a nut shell, most unsolicited mail sent through the Google Groups mailing system ("*@googlegroups.com", "gmr-mx.google.com", "mail-wi0-f195.google.com", "gmr-mx.google.com" et-al), is done without a users consent, because, Google group creators have always had the ability to add email addresses, usernames and Google Profiles to their listings without the express authorisation from the owners of said details. In effect users are forcibly subscribed to Google Groups they know nothing about.

Being able to do this is key to controlling it, whatever email, user account or Google profile has been used to subscribe a user without their knowledge has to be registered within, or to, the Google Groups system. As Google provides users the ability to list the group subscriptions associated with a particular identity, all the user needs to do is add the abused identity to their current Google Account to see what subs are ascribed to it, which then facilitates being able to manage, remove or report Groups.

So, here's how to 'manage' subscriptions to Google Groups and prevent the receipt of spam from *@googlegroups.com.

First sign-in or create a Google Account - https://accounts.google.com. Once done, to view all the services associated with the particular account being viewed, from "Accounts" (https://www.google.com/settings/) click the "Products" link to the left. In the page that opens click the "Google Groups" button which should be visible - if not, just go to https://groups.google.com/forum/ directly. This opens the 'home' page of Google Groups [illustration 1]. On this new page click "My Groups" to see the current list of Groups the Account email has been subscribed to (or is being used to subscribe to) [illustration 2]. Click the 'offending' listing to access the group and associated messages [illustration 3].

In the Google Group now being accessed click the "My membership" button to view the groups subscription options [illustration 4]. From here change the details as appropriate if membership is still desired - switch the email address associated with "Which address do you want to use for this group?", select the frequency of "How do you want to read this group?", and/or change "Display name". Finally click "Update settings". To leave the group simply click "Leave group", this should then prevent any further use/abuse of the address associated with the account.

As we're discussing spam here though the group will need to be appropriately flagged and reported [illustration 5] by clicking the "!" button at the top of the page and selecting an appropriate option form those thoughtfully provided by Google; "Spam" in this instance.

Now the problem with all this is may have been obvious from the get-go. If not, it's two-fold; (1) this is yet another service that has to be actively monitored, through no fault of ones own; and (2) because of the way this has to be done it essentially means 'giving' (*cough*volunteering*cough*) yet another piece of personal data to Google which can then be used for their own monitory purposes. That's for a separate discussion but they are important considerations.

Despite the above, there is a problem with Google Groups, or at least the new iteration of it. Previously when listing the groups an account was associated with, two additional "Invitation preferences" options were available to users; (1) "Do not allow group managers to invite me to their groups"; and (2) "Do not allow group managers to directly add me to their groups" [illustration 6]. Both these properties effectively, or rather are/were supposed to, prevent third parties specifically adding farmed emails to groups without the express permission of their owners - in other words, one might be able to unsubscribe from certain groups, but if an email remains available, there is nothing to stop future group starters adding the address and starting a new cycle. These options don't appear to be available in the new version of Google Groups. Whether this is an oversight, they are available but hidden somewhere, or a deliberate 'ploy' to force users to submit through the use of a "Morton's Fork", is anyone's guess. But there not being a mechanism 'outside' the system to manage this issue has always been one of Google's nagging issues, even more so with the new policy changes being launched where data-access is being unified across all Google Account services.


[1] Google Groups 'home' page - click "My groups" to see groups currently subscribed to


[2] If a particualr Account email is being used to subscribe to a group or any desciption it will appear in the 'group list'


[3] Click on the 'offending' groups to view it's contents and access the managment panel/section


[4] Click the "My membership" button to access the groups options and settings where the both the Google Account 'username' and 'email' will be listed


[5] To report the group, click the "!" button at the top of the page. In the view that opens select and option and submit


[6] the old Google Groups interface includes two additional options supposedly preventing Accounts being added to lists without the users knowledge

OK. There's something not quite right with this picture. First... BT and Talk Talk lost their appeal against the "three strikes" rule of the Digital Economy Act, as noted here (BBC) and here (PCPro) amongst others. This basically means that they technically can be held liable for the 'prosecution' of 'penalties' associated with that act (as in 'carrying out a judgement'). Lobbyists are naturally 'rejoicing' the fact that the "law" as been upheld.

Here's the problem. According to the Hargreaves Review of Intellectual Property (which was posted about previously here), the "decision to implement a “three strikes” rule and demand that ISP's play a role in internet censorship was based only on information supplied by copyright holder lobbyists" (the report actually says the following "Much of the data needed to develop empirical evidence on copyright and designs is privately held. It enters the public domain chiefly in the form of “evidence” supporting the arguments of lobbyists (“lobbynomics”) rather than as independently verified research conclusions." [ pg18: sec2.13, point 3]). So irrespective as to the position ISP's are now being put in, the basic premise of the entire Act is biased towards those supplying the evidence in support of it. One then has to ask the question as to wither those in opposition had a 'fair crack of the whip'.

By the way, I don't advise reading the report unless you want to make your blood boil, the Governments attitude to this whole affair can be summed up with the word "meh" whilst cashing-up the till.

Additional Reading

• Hargreaves Review of Intellectual Property [at the IPO]
• Hargreaves Review final report (IPReview_FinalReport.pdf)
• Digital Economy Bill [HL]
• Digital Economy Act 2010
• BT and Talk Talk lose file-sharing appeal
• ISPs lose appeal against cutting off file-sharers