#eucd article 6
mostlysignssomeportents · 7 hours ago
Antiusurpation and the road to disenshittification
THIS WEEKEND (November 8-10), I'll be in TUCSON, AZ: I'm the GUEST OF HONOR at the TUSCON SCIENCE FICTION CONVENTION.
Nineties kids had a good reason to be excited about the internet's promise of disintermediation: the gatekeepers who controlled our access to culture, politics, and opportunity were crooked as hell, and besides, they sucked.
For a second there, we really did get a lot of disintermediation, which created a big, weird, diverse pluralistic space for all kinds of voices, ideas, identities, hobbies, businesses and movements. Lots of these were either deeply objectionable or really stupid, or both, but there was also so much cool stuff on the old, good internet.
Then, after about ten seconds of sheer joy, we got all-new gatekeepers, who were at least as bad, and even more powerful, than the old ones. The net became Tom Eastman's "Five giant websites, each filled with screenshots of the other four." Culture, politics, finance, news, and especially power have been gathered into the hands of unaccountable, greedy, and often cruel intermediaries.
Oh, also, we had an election.
This isn't an election post. I have many thoughts about the election, but they're still these big, unformed blobs of anger, fear and sorrow. Experience teaches me that the only way to get past this is to just let all that bad stuff sit for a while and offgas its most noxious compounds, so that I can handle it safely and figure out what to do with it.
While I wait that out, I'm just getting the job done. Chop wood, carry water. I've got a book to write, Enshittification, for Farrar, Straus, Giroux's MCD Books, and it's very nearly done:
https://twitter.com/search?q=from%3Adoctorow+%23dailywords&src=typed_query&f=live
Compartmentalizing my anxieties and plowing that energy into productive work isn't necessarily the healthiest coping strategy, but it's not the worst, either. It's how I wrote nine books during the covid lockdowns.
And sometimes, when you're not staring directly at something, you get past the tunnel vision that makes it impossible to see its edges, fracture lines, and weak points.
So I'm working on the book. It's a book about platforms, because enshittification is a phenomenon that is most visible and toxic on platforms. Platforms are intermediaries, who connect buyers and sellers, creators and audiences, workers and employers, politicians and voters, activists and crowds, as well as families, communities, and would-be romantic partners.
There's a reason we keep reinventing these intermediaries: they're useful. Like, it's technically possible for a writer to also be their own editor, printer, distributor, promoter and sales-force:
https://pluralistic.net/2024/02/19/crad-kilodney-was-an-outlier/#intermediation
But without middlemen, those are the only writers we'll get. The set of all writers who have something to say that I want to read is much larger than the set of all writers who are capable of running their own publishing operation.
The problem isn't middlemen: the problem is powerful middlemen. When an intermediary gets powerful enough to usurp the relationship between the parties on either side of the transaction, everything turns to shit:
https://pluralistic.net/2022/06/12/direct-the-problem-of-middlemen/
A dating service that faces pressure from competition, regulation, interoperability and a committed workforce will try as hard as it can to help you find Your Person. A dating service that buys up all its competitors, cows its workforce, captures its regulators and harnesses IP law to block interoperators will redesign its service so that you keep paying forever, and never find love:
https://www.npr.org/sections/money/2024/02/13/1228749143/the-dating-app-paradox-why-dating-apps-may-be-worse-than-ever
Multiply this a millionfold, in every sector of our complex, high-tech world where we necessarily rely on skilled intermediaries to handle technical aspects of our lives that we can't – or shouldn't – manage ourselves. That world is beholden to predators who screw us and screw us and screw us, jacking up our rents:
https://www.thebignewsletter.com/p/yes-there-are-antitrust-voters-in
Cranking up the price of food:
https://pluralistic.net/2023/10/04/dont-let-your-meat-loaf/#meaty-beaty-big-and-bouncy
And everything else:
https://pluralistic.net/2023/11/06/attention-rents/#consumer-welfare-queens
(Maybe this is a post about the election after all?)
The difference between a helpmeet and a parasite is power. If we want to enjoy the benefits of intermediaries without the risks, we need policies that keep middlemen weak. That's the opposite of the system we have now.
Take interoperability and IP law. Interoperability (basically, plugging new things into existing things) is a really powerful check against powerful middlemen. If you rely on an ad-exchange to fund your newsgathering and they start ripping you off, then an interoperable system that lets you use a different exchange will not only end the rip off – it'll make it less likely to happen in the first place because the ad-tech platform will be afraid of losing your business:
https://www.eff.org/deeplinks/2023/05/save-news-we-must-shatter-ad-tech
Interoperability means that when a printer company gouges you on ink, you can buy cheap third party ink cartridges and escape their grasp forever:
https://www.eff.org/deeplinks/2020/11/ink-stained-wretches-battle-soul-digital-freedom-taking-place-inside-your-printer
Interoperability means that when Amazon rips off audiobook authors to the tune of $100m, those authors can pull their books from Amazon and sell them elsewhere and know that their listeners can move their libraries over to a different app:
https://pluralistic.net/2022/09/07/audible-exclusive/#audiblegate
But interoperability has been in retreat for 40 years, as IP law has expanded to criminalize otherwise normal activities, so that middlemen can use IP rights to protect themselves from their end-users and business customers:
https://locusmag.com/2020/09/cory-doctorow-ip/
That's what I mean when I say that "IP" is "any law that lets a business reach beyond its own walls and control the actions of its customers, competitors and critics."
For example, there's a pernicious 1998 US law that I write about all the time, Section 1201 of the Digital Millennium Copyright Act, the "anticircumvention law." This is a law that felonizes tampering with copyright locks, even if you are the creator of the underlying work.
So Amazon – the owner of the monopoly audiobook platform Audible – puts a mandatory copyright lock around every audiobook they sell. I, as an author who writes, finances and narrates the audiobook, can't provide you, my customer, with a tool to remove that lock. If I do so, I face criminal sanctions: a five year prison sentence and a $500,000 fine for a first offense:
https://pluralistic.net/2022/07/25/can-you-hear-me-now/#acx-ripoff
In other words: if I let you take my own copyrighted work out of Amazon's app, I commit a felony, with penalties that are far stiffer than the penalties you would face if you were to simply pirate that audiobook. The penalties for you shoplifting the audiobook on CD at a truck-stop are lower than the penalties the author and publisher of the book would face if they simply gave you a tool to de-Amazon the file. Indeed, even if you hijacked the truck that delivered the CDs, you'd probably be looking at a shorter sentence.
This is a law that is purpose-built to encourage intermediaries to usurp the relationship between buyers and sellers, creators and audiences. It's a charter for parasitism and predation.
But as bad as that is, there's another aspect of DMCA 1201 that's even worse: the exemptions process.
You might have read recently about the Copyright Office "freeing the McFlurry" by granting a DMCA 1201 exemption for companies that want to reverse-engineer the error-codes from McDonald's finicky, unreliable frozen custard machines:
https://pluralistic.net/2024/10/28/mcbroken/#my-milkshake-brings-all-the-lawyers-to-the-yard
Under DMCA 1201, the Copyright Office hears petitions for these exemptions every three years. If they judge that anticircumvention law is interfering with some legitimate activity, the statute empowers them to grant an exemption.
When the DMCA passed in 1998 (and when the US Trade Rep pressured other world governments into passing nearly identical laws in the decades that followed), this exemptions process was billed as a "pressure valve" that would prevent abuses of anticircumvention law.
But this was a cynical trick. The way the law is structured, the Copyright Office can only grant "use" exemptions, but not "tools" exemptions. So if you are granted the right to move Audible audiobooks into a third-party app, you are personally required to figure out how to do that. You have to dump the machine code of the Audible app, decompile it, scan it for vulnerabilities, and bootstrap your own jailbreaking program to take the Audible wrapper off the file.
No one is allowed to help you with this. You aren't allowed to discuss any of this publicly, or share a tool that you make with anyone else. Doing any of this is a potential felony.
In other words, DMCA 1201 gives intermediaries power over you, but bans you from asking an intermediary to help you escape another abusive middleman.
This is the exact opposite of how intermediary law should work. We should have rules that ban intermediaries from exercising undue power over the parties they serve, and we should have rules empowering intermediaries to erode the advantage of powerful intermediaries.
The fact that the Copyright Office grants you an exemption to anticircumvention law means nothing unless you can delegate that right to an intermediary who can exercise it on your behalf.
A world without publishing intermediaries is one in which the only writers who thrive are the ones capable of being publishers, too, and that's a tiny fraction of all the writers with something to say.
A world without interoperability intermediaries is one in which the only platform users who thrive are also skilled reverse-engineering ninja hackers – and that's an infinitesimal fraction of the platform users who would benefit from interoperability.
Let this be your north star in evaluating platform regulation proposals. Platform regulation should weaken intermediaries' powers over their users, and strengthen their power over other middlemen.
Put in this light, it's easy to see why the ill-informed calls to abolish Section 230 of the Communications Decency Act (which makes platform users, not platforms, responsible for most unlawful speech) are so misguided:
https://www.techdirt.com/2020/06/23/hello-youve-been-referred-here-because-youre-wrong-about-section-230-communications-decency-act/
If we require platforms to surveil all user speech and block anything that might violate any law, we give the largest, most powerful platforms a permanent advantage over smaller, better platforms, run by co-ops, hobbyists, nonprofits, local governments, and startups. The big platforms have the capital to rig up massive, automated surveillance and censorship systems, and the only alternatives that can spring up have to be just as big and powerful as the Big Tech platforms we're so desperate to escape:
https://pluralistic.net/2024/03/23/evacuate-the-platforms/#let-the-platforms-burn
This is especially grave given the current political current, where fascist politicians are threatening platforms with brutal punishments for failing to censor disfavored political views.
Anyone who tells you that "it's only censorship when the government does it" is badly confused. It's only a First Amendment violation when the government does it, sure – but censorship has always relied on intermediaries. From the Inquisition to the Comics Code, government censors were only able to do their jobs because powerful middlemen, fearing state punishments, blocked anything that might cross the line, censoring far beyond the material actually prohibited by the law:
https://pluralistic.net/2024/02/22/self-censorship/#hugos
We live in a world of powerful, corrupt middlemen. From payments to real-estate, from job-search to romance, there's a legion of parasites masquerading as helpmeets, burying their greedy mouthparts into our tender flesh:
https://www.capitalisnt.com/episodes/visas-hidden-tax-on-americans
But intermediaries aren't the problem. You shouldn't have to stand up your own payment processor, or learn the ins and outs of real-estate law, or start your own singles bar. The problem is power, not intermediation.
As we set out to build a new, good internet (with a lot less help from the US government than seemed likely as recently as last week), let's remember that lesson: the point isn't disintermediation, it's weak intermediation.
If you'd like an essay-formatted version of this post to read or share, here's a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:
https://pluralistic.net/2024/11/07/usurpers-helpmeets/#disreintermediation
Image: Cryteria (modified) https://commons.wikimedia.org/wiki/File:HAL9000.svg
CC BY 3.0 https://creativecommons.org/licenses/by/3.0/deed.en (Image: Cryteria, CC BY 3.0, modified)
darrenlock · 6 years ago
I liked a @YouTube video http://bit.ly/2PL2mkJ How Article 13 Could Ruin The Internet And Why You Should Care About The EUCD...
I liked a @YouTube video https://t.co/fujnZ3xnhp How Article 13 Could Ruin The Internet And Why You Should Care About The EUCD...
— Darren Lock (@darren_lock) September 6, 2018
from Twitter https://twitter.com/darren_lock September 06, 2018 at 01:52PM via IFTTT
cmst138 · 7 years ago
EFF says it's resigning from W3C after the standards org voted for browser DRM, a move hostile to archiving, accessibility, security research, more (Cory Doctorow/Electronic Frontier ...)
Dear Jeff, Tim, and colleagues,
In 2013, EFF was disappointed to learn that the W3C had taken on the project of standardizing “Encrypted Media Extensions,” an API whose sole function was to provide a first-class role for DRM within the Web browser ecosystem. By doing so, the organization offered the use of its patent pool, its staff support, and its moral authority to the idea that browsers can and should be designed to cede control over key aspects from users to remote parties.
When it became clear, following our formal objection, that the W3C's largest corporate members and leadership were wedded to this project despite strong discontent from within the W3C membership and staff, their most important partners, and other supporters of the open Web, we proposed a compromise. We agreed to stand down regarding the EME standard, provided that the W3C extend its existing IPR policies to deter members from using DRM laws in connection with the EME (such as Section 1201 of the US Digital Millennium Copyright Act or European national implementations of Article 6 of the EUCD) except in combination with another cause of action.
This covenant would allow the W3C's large corporate members to enforce their copyrights. Indeed, it kept intact every legal right to which entertainment companies, DRM vendors, and their business partners can otherwise lay claim. The compromise merely restricted their ability to use the W3C's DRM to shut down legitimate activities, like research and modifications, that required circumvention of DRM. It would signal to the world that the W3C wanted to make a difference in how DRM was enforced: that it would use its authority to draw a line between the acceptability of DRM as an optional technology, as opposed to an excuse to undermine legitimate research and innovation.
More directly, such a covenant would have helped protect the key stakeholders, present and future, who both depend on the openness of the Web, and who actively work to protect its safety and universality. It would offer some legal clarity for those who bypass DRM to engage in security research to find defects that would endanger billions of web users; or who automate the creation of enhanced, accessible video for people with disabilities; or who archive the Web for posterity. It would help protect new market entrants intent on creating competitive, innovative products, unimagined by the vendors locking down web video.
Despite the support of W3C members from many sectors, the leadership of the W3C rejected this compromise. The W3C leadership countered with proposals — like the chartering of a nonbinding discussion group on the policy questions that was not scheduled to report in until long after the EME ship had sailed — that would have still left researchers, governments, archives, security experts unprotected.
The W3C is a body that ostensibly operates on consensus. Nevertheless, as the coalition in support of a DRM compromise grew and grew — and the large corporate members continued to reject any meaningful compromise — the W3C leadership persisted in treating EME as a topic that could be decided by one side of the debate. In essence, a core of EME proponents was able to impose its will on the Consortium, over the wishes of a sizeable group of objectors — and every person who uses the web. The Director decided to personally override every single objection raised by the members, articulating several benefits that EME offered over the DRM that HTML5 had made impossible.
But those very benefits (such as improvements to accessibility and privacy) depend on the public being able to exercise rights they lose under DRM law — which meant that without the compromise the Director was overriding, none of those benefits could be realized, either. That rejection prompted the first appeal against the Director in W3C history.
In our campaigning on this issue, we have spoken to many, many members' representatives who privately confided their belief that the EME was a terrible idea (generally they used stronger language) and their sincere desire that their employer wasn't on the wrong side of this issue. This is unsurprising. You have to search long and hard to find an independent technologist who believes that DRM is possible, let alone a good idea. Yet, somewhere along the way, the business values of those outside the web got important enough, and the values of technologists who built it got disposable enough, that even the wise elders who make our standards voted for something they know to be a fool's errand.
We believe they will regret that choice. Today, the W3C bequeaths a legally unauditable attack-surface to browsers used by billions of people. They give media companies the power to sue or intimidate away those who might re-purpose video for people with disabilities. They side against the archivists who are scrambling to preserve the public record of our era. The W3C process has been abused by companies that made their fortunes by upsetting the established order, and now, thanks to EME, they’ll be able to ensure no one ever subjects them to the same innovative pressures.
So we'll keep fighting to fight to keep the web free and open. We'll keep suing the US government to overturn the laws that make DRM so toxic, and we'll keep bringing that fight to the world's legislatures that are being misled by the US Trade Representative to instigate local equivalents to America's legal mistakes.
We will renew our work to battle the media companies that fail to adapt videos for accessibility purposes, even though the W3C squandered the perfect moment to exact a promise to protect those who are doing that work for them.
We will defend those who are put in harm's way for blowing the whistle on defects in EME implementations.
It is a tragedy that we will be doing that without our friends at the W3C, and with the world believing that the pioneers and creators of the web no longer care about these matters.
Effective today, EFF is resigning from the W3C.
Thank you,
Cory Doctorow Advisory Committee Representative to the W3C for the Electronic Frontier Foundation
from Techmeme http://ift.tt/2ffUhrH
neptunecreek · 7 years ago
An open letter to the W3C Director, CEO, team and membership
from Deeplinks http://ift.tt/2xd8hXK
mostlysignssomeportents · 11 months ago
“If buying isn’t owning, piracy isn’t stealing”
20 years ago, I got in a (friendly) public spat with Chris Anderson, who was then the editor in chief of Wired. I'd publicly noted my disappointment with glowing Wired reviews of DRM-encumbered digital devices, prompting Anderson to call me unrealistic for expecting the magazine to condemn gadgets for their DRM:
https://longtail.typepad.com/the_long_tail/2004/12/is_drm_evil.html
I replied in public, telling him that he'd misunderstood. This wasn't an issue of ideological purity – it was about good reviewing practice. Wired was telling readers to buy a product because it had features x, y and z, but at any time in the future, without warning, without recourse, the vendor could switch off any of those features:
https://memex.craphound.com/2004/12/29/cory-responds-to-wired-editor-on-drm/
I proposed that all Wired endorsements for DRM-encumbered products should come with this disclaimer:
WARNING: THIS DEVICE’S FEATURES ARE SUBJECT TO REVOCATION WITHOUT NOTICE, ACCORDING TO TERMS SET OUT IN SECRET NEGOTIATIONS. YOUR INVESTMENT IS CONTINGENT ON THE GOODWILL OF THE WORLD’S MOST PARANOID, TECHNOPHOBIC ENTERTAINMENT EXECS. THIS DEVICE AND DEVICES LIKE IT ARE TYPICALLY USED TO CHARGE YOU FOR THINGS YOU USED TO GET FOR FREE — BE SURE TO FACTOR IN THE PRICE OF BUYING ALL YOUR MEDIA OVER AND OVER AGAIN. AT NO TIME IN HISTORY HAS ANY ENTERTAINMENT COMPANY GOTTEN A SWEET DEAL LIKE THIS FROM THE ELECTRONICS PEOPLE, BUT THIS TIME THEY’RE GETTING A TOTAL WALK. HERE, PUT THIS IN YOUR MOUTH, IT’LL MUFFLE YOUR WHIMPERS.
Wired didn't take me up on this suggestion.
But I was right. The ability to change features, prices, and availability of things you've already paid for is a powerful temptation to corporations. Inkjet printers were always a sleazy business, but once these printers got directly connected to the internet, companies like HP started pushing out "security updates" that modified your printer to make it reject the third-party ink you'd paid for:
https://www.eff.org/deeplinks/2020/11/ink-stained-wretches-battle-soul-digital-freedom-taking-place-inside-your-printer
Now, this scam wouldn't work if you could just put things back the way they were before the "update," which is where the DRM comes in. A thicket of IP laws make reverse-engineering DRM-encumbered products into a felony. Combine always-on network access with indiscriminate criminalization of user modification, and the enshittification will follow, as surely as night follows day.
This is the root of all the right to repair shenanigans. Sure, companies withhold access to diagnostic codes and parts, but codes can be extracted and parts can be cloned. The real teeth in blocking repair comes from the law, not the tech. The company that makes McDonald's wildly unreliable McFlurry machines makes a fortune charging franchisees to fix these eternally broken appliances. When a third party threatened this racket by reverse-engineering the DRM that blocked independent repair, they got buried in legal threats:
https://pluralistic.net/2021/04/20/euthanize-rentier-enablers/#cold-war
Everybody loves this racket. In Poland, a team of security researchers at the OhMyHack conference just presented their teardown of the anti-repair features in NEWAG Impuls locomotives. NEWAG boobytrapped their trains to try and detect if they've been independently serviced, and to respond to any unauthorized repairs by bricking themselves:
https://mamot.fr/@[email protected]/111528162905209453
Poland is part of the EU, meaning that they are required to uphold the provisions of the 2001 EU Copyright Directive, including Article 6, which bans this kind of reverse-engineering. The researchers are planning to present their work again at the Chaos Communications Congress in Hamburg this month – Germany is also a party to the EUCD. The threat to researchers from presenting this work is real – but so is the threat to conferences that host them:
https://www.cnet.com/tech/services-and-software/researchers-face-legal-threats-over-sdmi-hack/
20 years ago, Chris Anderson told me that it was unrealistic to expect tech companies to refuse demands for DRM from the entertainment companies whose media they hoped to play. My argument – then and now – was that any tech company that sells you a gadget that can have its features revoked is defrauding you. You're paying for x, y and z – and if they are contractually required to remove x and y on demand, they are selling you something that you can't rely on, without making that clear to you.
But it's worse than that. When a tech company designs a device for remote, irreversible, nonconsensual downgrades, they invite both external and internal parties to demand those downgrades. Like Pavel Chekov says, a phaser on the bridge in Act I is going to go off by Act III. Selling a product that can be remotely, irreversibly, nonconsensually downgraded inevitably results in the worst person at the product-planning meeting proposing to do so. The fact that there are no penalties for doing so makes it impossible for the better people in that meeting to win the ensuing argument, leading to the moral injury of seeing a product you care about reduced to a pile of shit:
https://pluralistic.net/2023/11/25/moral-injury/#enshittification
But even if everyone at that table is a swell egg who wouldn't dream of enshittifying the product, the existence of a remote, irreversible, nonconsensual downgrade feature makes the product vulnerable to external actors who will demand that it be used. Back in 2022, Adobe informed its customers that it had lost its deal to include Pantone colors in Photoshop, Illustrator and other "software as a service" packages. As a result, users would now have to start paying a monthly fee to see their own, completed images. Fail to pay the fee and all the Pantone-coded pixels in your artwork would just show up as black:
https://pluralistic.net/2022/10/28/fade-to-black/#trust-the-process
Adobe blamed this on Pantone, and there was lots of speculation about what had happened. Had Pantone jacked up its price to Adobe, so Adobe passed the price on to its users in the hopes of embarrassing Pantone? Who knows? Who can know? That's the point: you invested in Photoshop, you spent money and time creating images with it, but you have no way to know whether or how you'll be able to access those images in the future. Those terms can change at any time, and if you don't like it, you can go fuck yourself.
These companies are all run by CEOs who got their MBAs at Darth Vader University, where the first lesson is "I have altered the deal, pray I don't alter it further." Adobe chose to design its software so it would be vulnerable to this kind of demand, and then its customers paid for that choice. Sure, Pantone are dicks, but this is Adobe's fault. They stuck a KICK ME sign to your back, and Pantone obliged.
This keeps happening and it's gonna keep happening. Last week, Playstation owners who'd bought (or "bought") Warner TV shows got messages telling them that Warner had walked away from its deal to sell videos through the Playstation store, and so all the videos they'd paid for were going to be deleted forever. They wouldn't even get refunds (to be clear, refunds would also be bullshit – when I was a bookseller, I didn't get to break into your house and steal the books I'd sold you, not even if I left some cash on your kitchen table).
Sure, Warner is an unbelievably shitty company run by the single most guillotineable executive in all of Southern California, the loathsome David Zaslav, who oversaw the merger of Warner with Discovery. Zaslav is the creep who figured out that he could make more money cancelling completed movies and TV shows and taking a tax writeoff than he stood to make by releasing them:
https://aftermath.site/there-is-no-piracy-without-ownership
Imagine putting years of your life into making a program – showing up on set at 5AM and leaving your kids to get their own breakfast, performing stunts that could maim or kill you, working 16-hour days during the acute phase of the covid pandemic and driving home in the night, only to have this absolute turd of a man delete the program before anyone could see it, forever, to get a minor tax advantage. Talk about moral injury!
But without Sony's complicity in designing a remote, irreversible, nonconsensual downgrade feature into the Playstation, Zaslav's war on art and creative workers would be limited to material that hadn't been released yet. Thanks to Sony's awful choices, David Zaslav can break into your house, steal your movies – and he doesn't even have to leave a twenty on your kitchen table.
The point here – the point I made 20 years ago to Chris Anderson – is that this is the foreseeable, inevitable result of designing devices for remote, irreversible, nonconsensual downgrades. Anyone who was paying attention should have figured that out in the GW Bush administration. Anyone who does this today? Absolute flaming garbage.
Sure, Zaslav deserves to be staked out over an anthill and slathered in high-fructose corn syrup. But save the next anthill for the Sony exec who shipped a product that would let Zaslav come into your home and rob you. That piece of shit knew what they were doing and they did it anyway. Fuck them. Sideways. With a brick.
Meanwhile, the studios keep making the case for stealing movies rather than paying for them. As Tyler James Hill wrote: "If buying isn't owning, piracy isn't stealing":
https://bsky.app/profile/tylerjameshill.bsky.social/post/3kflw2lvam42n
If you'd like an essay-formatted version of this post to read or share, here's a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:
https://pluralistic.net/2023/12/08/playstationed/#tyler-james-hill
Image: Alan Levine (modified) https://pxhere.com/en/photo/218986
CC BY 2.0 https://creativecommons.org/licenses/by/2.0/
mostlysignssomeportents · 11 days ago
The US Copyright Office frees the McFlurry
I'll be in TUCSON, AZ from November 8-10: I'm the GUEST OF HONOR at the TUSCON SCIENCE FICTION CONVENTION.
I have spent a quarter century obsessed with the weirdest corner of the weirdest section of the worst internet law on the US statute books: Section 1201 of the Digital Millennium Copyright Act, the 1998 law that makes it a felony to help someone change how their own computer works so it serves them, rather than a distant corporation.
Under DMCA 1201, giving someone a tool to "bypass an access control for a copyrighted work" is a felony punishable by a 5-year prison sentence and a $500k fine – for a first offense. This law can refer to access controls for traditional copyrighted works, like movies. Under DMCA 1201, if you help someone with photosensitive epilepsy add a plug-in to the Netflix player in their browser that blocks strobing pictures that can trigger seizures, you're a felon:
https://lists.w3.org/Archives/Public/public-html-media/2017Jul/0005.html
But software is a copyrighted work, and everything from printer cartridges to car-engine parts has software in it. If the manufacturer puts an "access control" on that software, they can send their customers (and competitors) to prison for passing around tools to help them fix their cars or use third-party ink.
Now, even though the DMCA is a copyright law (that's what the "C" in DMCA stands for, after all); and even though blocking video strobes, using third party ink, and fixing your car are not copyright violations, the DMCA can still send you to prison for a long-ass time for doing these things, provided the manufacturer designs their product so that using it the way that suits you best involves getting around an "access control."
As you might expect, this is quite a tempting proposition for any manufacturer hoping to enshittify their products, because they know you can't legally disenshittify them. These access controls have metastasized into every kind of device imaginable.
Garage-door openers:
https://pluralistic.net/2023/11/09/lead-me-not-into-temptation/#chamberlain
Refrigerators:
https://pluralistic.net/2020/06/12/digital-feudalism/#filtergate
Dishwashers:
https://pluralistic.net/2021/05/03/cassette-rewinder/#disher-bob
Treadmills:
https://pluralistic.net/2021/06/22/vapescreen/#jane-get-me-off-this-crazy-thing
Tractors:
https://pluralistic.net/2021/04/23/reputation-laundry/#deere-john
Cars:
https://pluralistic.net/2023/07/28/edison-not-tesla/#demon-haunted-world
Printers:
https://pluralistic.net/2022/08/07/inky-wretches/#epson-salty
And even printer paper:
https://pluralistic.net/2022/02/16/unauthorized-paper/#dymo-550
DMCA 1201 is the brainchild of Bruce Lehman, Bill Clinton's Copyright Czar, who was repeatedly warned that this cancerous proliferation was the foreseeable, inevitable outcome of his pet policy. As a sop to his critics, Lehman added a largely ornamental safety valve to his law, ordering the US Copyright Office to invite submissions every three years petitioning for "use exemptions" to the blanket ban on circumventing access-controls.
I call this "ornamental" because if the Copyright Office thinks that, say, it should be legal for you to bypass an access control to use third-party ink in your printer, or a third-party app store in your phone, all they can do under DMCA 1201 is grant you the right to use a circumvention tool. But they can't give you the right to acquire that tool.
I know that sounds confusing, but that's only because it's very, very stupid. How stupid? Well, in 2001, the US Trade Representative arm-twisted the EU into adopting its own version of this law (Article 6 of the EUCD), and in 2003, Norway added the law to its lawbooks. On the eve of that addition, I traveled to Oslo to debate the minister involved:
https://pluralistic.net/2021/10/28/clintons-ghost/#felony-contempt-of-business-model
The minister praised his law, explaining that it gave blind people the right to bypass access controls on ebooks so that they could feed them to screen readers, Braille printers, and other assistive tools. OK, I said, but how do they get the software that jailbreaks their ebooks so they can make use of this exemption? Am I allowed to give them that tool?
No, the minister said, you're not allowed to do that, that would be a crime.
Is the Norwegian government allowed to give them that tool? No. How about a blind rights advocacy group? No, not them either. A university computer science department? Nope. A commercial vendor? Certainly not.
No, the minister explained, under his law, a blind person would be expected to personally reverse engineer a program like Adobe E-Reader, in hopes of discovering a defect that they could exploit by writing a program to extract the ebook text.
Oh, I said. But if a blind person did manage to do this, could they supply that tool to other blind people?
Well, no, the minister said. Each and every blind person must personally – without any help from anyone else – figure out how to reverse-engineer the ebook program, and then individually author their own alternative reader program that worked with the text of their ebooks.
That is what is meant by a use exemption without a tools exemption. It's useless. A sick joke, even.
The US Copyright Office has been valiantly holding exemptions proceedings every three years since the start of this century, and they've granted many sensible exemptions, including ones to benefit people with disabilities, or to let you jailbreak your phone, or let media professors extract video clips from DVDs, and so on. Tens of thousands of person-hours have been flushed into this pointless exercise, generating a long list of things you are now technically allowed to do, but only if you are a reverse-engineering specialist type of computer programmer who can manage the process from beginning to end in total isolation and secrecy.
But there is one kind of use exemption the Copyright Office can grant that is potentially game-changing: an exemption for decoding diagnostic codes.
You see, DMCA 1201 has been a critical weapon for the corporate anti-repair movement. By scrambling error codes in cars, tractors, appliances, insulin pumps, phones and other devices, manufacturers can wage war on independent repair, depriving third-party technicians of the diagnostic information they need to figure out how to fix your stuff and keep it going.
This is bad enough in normal times, but during the acute phase of the covid pandemic, hospitals found themselves unable to maintain their ventilators because of access controls. Nearly all ventilators come from a single med-tech monopolist, Medtronic, which charges hospitals hundreds of dollars to dispatch their own repair technicians to fix its products. But when covid ended nearly all travel, Medtronic could no longer provide on-site calls. Thankfully, an anonymous hacker started building homemade (illegal) circumvention devices to let hospital technicians fix the ventilators themselves, improvising housings for them from old clock radios, guitar pedals and whatever else was to hand, then mailing them anonymously to hospitals:
https://pluralistic.net/2020/07/10/flintstone-delano-roosevelt/#medtronic-again
Once a manufacturer monopolizes repair in this way, they can force you to use their official service depots, charging you as much as they'd like; requiring you to use their official, expensive replacement parts; and dictating when your gadget is "too broken to fix," forcing you to buy a new one. That's bad enough when we're talking about refusing to fix a phone so you buy a new one – but imagine having a spinal injury and relying on a $100,000 exoskeleton to get from place to place and prevent muscle wasting, clots, and other immobility-related conditions, only to have the manufacturer decide that the gadget is too old to fix and refuse to give you the technical assistance to replace a watch battery so that you can get around again:
https://www.theverge.com/2024/9/26/24255074/former-jockey-michael-straight-exoskeleton-repair-battery
When the US Copyright Office grants a use exemption for extracting diagnostic codes from a busted device, they empower repair advocates to put that gadget up on a workbench and torture it into giving up those codes. The codes can then be integrated into an unofficial diagnostic tool, one that can make sense of the scrambled, obfuscated error codes that a device sends when it breaks – without having to unscramble them. In other words, only the company that makes the diagnostic tool has to bypass an access control, but the people who use that tool later do not violate DMCA 1201.
This is all relevant this month because the US Copyright Office just released the latest batch of 1201 exemptions, and among them is the right to circumvent access controls "allowing for repair of retail-level food preparation equipment":
https://publicknowledge.org/public-knowledge-ifixit-free-the-mcflurry-win-copyright-office-dmca-exemption-for-ice-cream-machines/
While this covers all kinds of food prep gear, the exemption request – filed by Public Knowledge and iFixit – was inspired by the bizarre war over the tragically fragile McFlurry machine. These machines – which extrude soft-serve frozen desserts – are notoriously failure-prone, with 5-16% of them broken at any given time. Taylor, the giant kitchen tech company that makes the machines, charges franchisees a fortune to repair them, producing a steady stream of profits for the company.
This sleazy business prompted some ice-cream hackers to found a startup called Kytch, which made a high-powered automation and diagnostic tool that was hugely popular with McDonald's franchisees (the gadget was partially designed by the legendary hardware hacker Andrew "bunnie" Huang!).
In response, Taylor played dirty, making a less-capable clone of the Kytch, trying to buy Kytch out, and teaming up with McDonald's corporate to bombard franchisees with legal scare-stories about the dangers of using a Kytch to keep their soft-serve flowing, thanks to DMCA 1201:
https://pluralistic.net/2021/04/20/euthanize-rentier-enablers/#cold-war
Kytch isn't the only beneficiary of the new exemption: all kinds of industrial kitchen equipment are covered. In upholding the Right to Repair, the Copyright Office overruled objections of some of its closest historical allies, the Entertainment Software Association, Motion Picture Association, and Recording Industry Association of America, who all sided with Taylor and McDonald's and opposed the exemption:
https://arstechnica.com/tech-policy/2024/10/us-copyright-office-frees-the-mcflurry-allowing-repair-of-ice-cream-machines/
This is literally the only useful kind of DMCA 1201 exemption the Copyright Office can grant, and the fact that they granted it (along with a similar exemption for medical devices) is a welcome bright spot. But make no mistake, the fact that we finally found a narrow way in which DMCA 1201 can be made slightly less stupid does not redeem this outrageous law. It should still be repealed and condemned to the scrapheap of history.
Tor Books has just published two new, free LITTLE BROTHER stories: VIGILANT, about creepy surveillance in distance education; and SPILL, about oil pipelines and indigenous landback.
If you'd like an essay-formatted version of this post to read or share, here's a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:
https://pluralistic.net/2024/10/28/mcbroken/#my-milkshake-brings-all-the-lawyers-to-the-yard
Image: Cryteria (modified) https://commons.wikimedia.org/wiki/File:HAL9000.svg
CC BY 3.0 https://creativecommons.org/licenses/by/3.0/deed.en
mostlysignssomeportents · 4 years ago
Lexmark's toxic printer-ink
"Every pirate wants to be an admiral." That is a truism of industrial policy: the scrappy upstarts that push the rules to achieve success then turn into law-and-order types who insist that anyone who does unto them as they did unto others is a lawless cur in need of whipping.
This is true all over, but there's an especial deliciousness to seeing it applied to printers and printer ink, always a trailblazer in extractive, deceptive and monopolistic practices of breathtaking, shameless sleaze.
https://www.eff.org/deeplinks/2020/11/ink-stained-wretches-battle-soul-digital-freedom-taking-place-inside-your-printer
Pierre Beyssac, a director of Internet Europe, recounts his campaigns in the Printer Wars, which started when he ordered a non-wifi-enabled Lexmark printer but got shipped the wifi version.
https://twitter.com/pbeyssac/status/1386988213923983362
He didn't mind...except that the two models use different models of ink-cartridge, and he'd preordered €450 worth of cartridges, which were nonreturnable by the time he discovered the error.
The cartridges are identical; all that stops them from working is that they're DRM-locked, with software that refuses to run if you put it in a different model printer (this lets Lexmark charge more for an identical product if they think some customers are price-insensitive).
But there's an answer - a Chinese vendor sells a €15 conversion kit that bypasses the DRM (this is probably illegal in the EU under Article 6 of 2001's EUCD). Beyssac was able to salvage his €450 ink investment.
But the adventure prompted him to investigate further. He discovered that Lexmark uses DRM to "regionalize" cartridges (similar to DVD regions): a cart bought in region 1 won't work in a printer bought in region 2.
Hilariously, Lexmark claims that this is because each cartridge is specially tuned for each region's "humidity." By way of rebuttal, Beyssac points out that all of Russia shares a region with all of Africa (!).
(Likewise, the Canadian Arctic shares a region with the Pacific Northwest and the Arizona desert)
Now all of this would be idiotic enough if it were any old printer monopolist, but because this is Lexmark, it is especially delicious.
Lexmark, after all, fought one of the most important battles of the Printer Wars - and lost. Lexmark vs Static Controls was brought by Lexmark when it was a division of the early tech monopolist IBM.
https://www.eff.org/deeplinks/2019/06/felony-contempt-business-model-lexmarks-anti-competitive-legacy
Lexmark sold toner cartridges filled with the cheap and abundant element carbon, and it wanted to charge vintage Champagne prices for it. To that end, Lexmark ran a 55-byte program in a "security chip" that flipped an "I am full" bit to "I am empty" when the toner ran out.
Lexmark's competitor Static Controls reverse-engineered this trivial program so you could refill a cartridge and flip it back to "I am full" so the printer would recognize it. In 2002 Lexmark sued, under Sec 1201 of the recently passed Digital Millennium Copyright Act.
DMCA 1201 made it a felony to traffic in a device that "bypassed an access control for a copyrighted work." The judge asked Lexmark which copyrighted work was in its printer cartridges (it wasn't the carbon powder!). Lexmark said it was the 55-byte program.
The judge handed Lexmark its own ass, ruling that while software could be copyrighted, a 55-byte I-am-full/empty program didn't rise to the level of copyrightability - it wasn't even a haiku.
Lexmark lost, and today, Lexmark is...*a division of Static Controls.*
That's right, the company that's using all this bullshit DRM to prevent people from using their printers the way they want to is the company that did the exact same thing to IBM, won its court case, and then merged with the company whose racket it had destroyed.
Every pirate *seriously* wants to be an admiral.
But here's the thing. Lexmark/Static turned on the fact that a 55-byte program (all that fit affordably in a primitive 2002 chip) wasn't a copyrighted work. The cartridges Lexmark sells now have thousands of lines of code.
There's whole OSes in there. These *are* copyrightable. As is the OS in every embedded system we buy, from car engine parts to smart speakers to pacemakers. That means that companies can use DMCA 1201 to prevent rivals from unlocking lawful features in their products.
They can use it to block independent repair and independent security audits. They can make it illegal to use any product you own in ways that disadvantage their shareholders, even if that's what's good for you.
Despite the "C" in DMCA standing for "copyright," this isn't copyright protection, it's felony contempt of business model - a legally enforceable obligation to arrange your life to benefit multinational corporations' shareholders.
And worse, this law has been spread around the world thanks to the US Trade Rep: it's in 2001's EUCD and Canada's 2012 Copyright Modernization Act. Last summer, Mexico passed an even more extreme version as part of the USMCA.
If you think this shit is odious when it's in your printer, you're going to hate it when it's in your toothbrush, wristwatch, car engine and toaster.
https://arstechnica.com/gaming/2020/01/unauthorized-bread-a-near-future-tale-of-refugees-and-sinister-iot-appliances/
In 2016, EFF brought a lawsuit to overturn DMCA 1201 on behalf of Bunnie Huang and Matt Green. It has been working its way through the courts ever since.
https://www.eff.org/cases/green-v-us-department-justice
mostlysignssomeportents · 3 years ago
Podcasting Part III of "The Internet Heist"
This week on my podcast, I read the final part of “The Internet Heist,” my Medium series on the copyright wars’ early days, when the entertainment and tech giants tried to leverage the digital TV transition into a veto over every part of our lives.
https://onezero.medium.com/the-internet-heist-part-iii-8561f6d5a4dc
In Part I, I described the bizarre Broadcast Flag project, where Hollywood studios and Intel colluded with a corrupt congressman (later PhRMA’s top lobbyist) to ban any digital product unless it had DRM and blocked free/open source software:
https://onezero.medium.com/the-internet-heist-part-i-3395769891b0
In Part II, I recount the failure of the Broadcast Flag (killed by a unanimous Second Circuit decision), and how the studios pivoted to “plugging the Analog Hole”: mandatory kill-switches for recorders to block recording of copyrighted works:
https://onezero.medium.com/the-internet-heist-part-ii-cb2add31a4fb
This week’s installment describes the global efforts by the studios to seize the future by creating a bizarre DRM system for the DVB digital TV standard (called CPCM), which is used in most of the world (but not the US/Canada, Mexico, or South Korea).
The centerpiece of CPCM was the “Authorized Domain,” a euphemism for “a family.” The creators of CPCM wanted to develop a DRM that would let you share videos within your household, but not with the world. But of course, that meant that they had to define what a real family was and then turn that definition into a technical standard.
The group — an almost all-male, all-white group of wealthy executives from some of the largest corporations on Earth — had some very weird ideas about what a “family” looked like. For example, they spent a lot of time figuring out how to support an Authorized Domain that included seat-back videos in a luxury SUV and a PVR in an overseas vacation home. But when I asked if they could support, say, a family whose parents lived in the Philippines, with one kid working construction in Qatar, another nursing in San Francisco, and a third as home help in Toronto, they called it an “edge case.” Obviously, there are a lot more families that look like that than have luxury SUVs and French chalets for weekends away.
It wasn’t just poor people who got the shitty end of the stick in these standards meetings. One bizarre turn came when they contemplated how to support a joint-custody arrangement whereby a child changed households every week. The system was designed to limit how often a device could be severed from one “domain” and joined to another, to prevent “content laundering.” This meant that a 12-year-old who went from Mom’s house to Dad’s every week would find her devices locked out of one or both domains.
The solution to this came from an exec at a giant software company. They explained that when their own customers tripped a fraud-detection system when entering a license key into a new installation, they were prompted to call a toll-free number to get a bypass. If you had a good explanation for why you were reusing a license key (say, you were upgrading, or reinstalling after a malware infection), the customer service rep on the other end could override the system.
Let that sink in for a moment. If you’re a 12-year-old girl who’s been locked out of your parents’ digital system, all you need to do is call a strange adult in a distant land and explain the circumstances of your parents’ divorce and the resulting custody arrangement. You have to do that once a month or so, until you attain adulthood or your parents get back together.
The thing is, European law (Article 6 of the EUCD) and US law (Sec 1201 of the DMCA) make it a crime to bypass a DRM system like CPCM. That lets these cartels act as de facto legislators: if every device has DRM, and if DRM is illegal to bypass, then doing anything prohibited by the DRM is illegal.
This is how the map becomes the territory. Rather than having to design a standard that conforms to all the different kinds of households people form out there in the world, you define a “family” in a standard and then all the families have to conform to the standard. The computer says “no,” and you can’t say “no” back.
Thankfully, the bad publicity and natural enmity among the coconspirators turned CPCM into a historical footnote with little uptake. But in the intervening years, mergers in entertainment, broadcasting, sports and tech have made it easier than ever for industries to conspire to constrain the lives of billions of people by coming up with private agreements about how their tech will work.
Here are the podcast episodes:
Part I:
https://craphound.com/news/2022/02/07/the-internet-heist-part-i/
Part II:
https://craphound.com/news/2022/02/13/the-internet-heist-part-ii/
Part III:
https://craphound.com/news/2022/02/21/the-internet-heist-part-iii/
And here are direct links to the MP3s (hosting courtesy of the @InternetArchive; they’ll host your stuff for free, forever):
Part I:
https://ia801407.us.archive.org/26/items/Cory_Doctorow_Podcast_413/Cory_Doctorow_Podcast_413_-_The_Internet_Heist_Part_I.mp3
Part II:
https://ia801504.us.archive.org/9/items/Cory_Doctorow_Podcast_414/Cory_Doctorow_Podcast_414_-_The_Internet_Heist_Part_II.mp3
Part III:
https://archive.org/download/Cory_Doctorow_Podcast_415/Cory_Doctorow_Podcast_415_-_The_Internet_Heist_Part_III.mp3
And here’s the RSS feed for my podcast:
https://feeds.feedburner.com/doctorow_podcast
mostlysignssomeportents · 5 years ago
#1yrago UK consumer review magazine Which?: your smart home is spying on you, from your TV to your toothbrush
The UK consumer review magazine Which? (equivalent to America's Consumer Reports) has published a special investigation into the ways that Internet of Things smart devices are spying on Britons at farcical levels, with the recommendation that people avoid smart devices where possible, feed false data to the smart devices they do own, and turn off data-collection settings in devices' confusing, deeply hidden control panels.
The findings are pretty bonkers: the HP Envy 5020 Printer broadcasts the name of every file you print as well as sending it to HP; the Philips Sonicare Bluetooth electric toothbrush tracks your location; the usernames and passwords of all 200,000 ieGeek 1080p IP Cameras are exposed on a badly secured website; and an unnamed smart TV contacted 700 different IP addresses during 15 minutes' use.
The investigators say that they were limited in how deeply they could investigate their test devices because of "legal restrictions" (presumably license agreements and the anti-circumvention rules under Article 6 of the EUCD).
https://boingboing.net/2018/06/03/your-tv-is-watching-back.html
mostlysignssomeportents · 6 years ago
#1yrago Researchers craft Android app that reveals menagerie of hidden spyware; legally barred from doing the same with iOS
Yale Privacy Lab and Exodus Privacy's devastating report on the dozens of invasive, dangerous "trackers" hidden in common Android apps was generated by writing code that spied on their target devices' internal operations, uncovering all manner of sneaking trickery.
It would be great if we had effective regulatory oversight and the power to seek legal relief from these companies for lying to us and/or sneaking spyware into our lives; but every bit as important is the right to independently audit their actions (as Privacy Lab and Exodus have done) and to install code that overrides the undesirable functions of this spyware -- for example, by blocking its communications or chaffing it with plausible garbage data.
The Exodus Privacy app's functionality is key to attaining the first goal, gathering independent evidence about the conduct of mobile firms and app providers. Without that evidentiary basis, there's no way to know you need self-help measures, nor is there any way to convince regulators to take action, nor is there the possibility of creating public clamour for competing products that would spur investors and entrepreneurs to make tools that let you reclaim control over your device.
As Exodus and Yale note, these trackers are almost certainly also present in iOS: the companies that make them advertise their iOS compatibility, for one thing. But iOS is DRM-locked and it's a felony -- punishable by a 5-year prison sentence and a $500,000 fine for a first offense in the USA under DMCA 1201, and similar provisions of Article 6 of the EUCD in France where Exodus is located -- to distribute tools that bypass this DRM, even for the essential work of discovering whether billions of people are at risk due to covert spying from the platform.
It's true that the US Copyright Office gave us a soon-to-expire exemption to this rule that started in 2016, but that exemption only allows Exodus to use that tool; it doesn't allow Exodus to make that tool, or to distribute it so independent researchers can investigate iOS.
https://boingboing.net/2017/11/25/la-la-la-cant-hear-you.html
mostlysignssomeportents · 6 years ago
#1yrago World Wide Web Consortium abandons consensus, standardizes DRM with 58.4% support, EFF resigns
In July, the Director of the World Wide Web Consortium overruled dozens of members' objections to publishing a DRM standard without a compromise to protect accessibility, security research, archiving, and competition.
EFF appealed the decision, the first-ever appeal in W3C history, which concluded last week with a deeply divided membership. 58.4% of the group voted to go on with publication, and the W3C did so today, an unprecedented move in a body that has always operated on consensus and compromise. In their public statements about the standard, the W3C executive repeatedly said that they didn't think the DRM advocates would be willing to compromise, and in the absence of such willingness, the exec have given them everything they demanded.
This is a bad day for the W3C: it's the day it publishes a standard designed to control, rather than empower, web users. That standard was explicitly published without any protections -- even the most minimal compromise was rejected without discussion, an intransigence that the W3C leadership tacitly approved. It's the day that the W3C changed its process to reward stonewalling over compromise, provided those doing the stonewalling are the biggest corporations in the consortium.
EFF no longer believes that the W3C process is suited to defending the open web. We have resigned from the Consortium, effective today. Below is our resignation letter:
Dear Jeff, Tim, and colleagues,
In 2013, EFF was disappointed to learn that the W3C had taken on the project of standardizing “Encrypted Media Extensions,” an API whose sole function was to provide a first-class role for DRM within the Web browser ecosystem. By doing so, the organization offered the use of its patent pool, its staff support, and its moral authority to the idea that browsers can and should be designed to cede control over key aspects from users to remote parties.
When it became clear, following our formal objection, that the W3C's largest corporate members and leadership were wedded to this project despite strong discontent from within the W3C membership and staff, their most important partners, and other supporters of the open Web, we proposed a compromise. We agreed to stand down regarding the EME standard, provided that the W3C extend its existing IPR policies to deter members from using DRM laws in connection with the EME (such as Section 1201 of the US Digital Millennium Copyright Act or European national implementations of Article 6 of the EUCD) except in combination with another cause of action.
This covenant would allow the W3C's large corporate members to enforce their copyrights. Indeed, it kept intact every legal right to which entertainment companies, DRM vendors, and their business partners can otherwise lay claim. The compromise merely restricted their ability to use the W3C's DRM to shut down legitimate activities, like research and modifications, that required circumvention of DRM. It would signal to the world that the W3C wanted to make a difference in how DRM was enforced: that it would use its authority to draw a line between the acceptability of DRM as an optional technology, as opposed to an excuse to undermine legitimate research and innovation.
More directly, such a covenant would have helped protect the key stakeholders, present and future, who both depend on the openness of the Web, and who actively work to protect its safety and universality. It would offer some legal clarity for those who bypass DRM to engage in security research to find defects that would endanger billions of web users; or who automate the creation of enhanced, accessible video for people with disabilities; or who archive the Web for posterity. It would help protect new market entrants intent on creating competitive, innovative products, unimagined by the vendors locking down web video.
Despite the support of W3C members from many sectors, the leadership of the W3C rejected this compromise. The W3C leadership countered with proposals — like the chartering of a nonbinding discussion group on the policy questions that was not scheduled to report in until long after the EME ship had sailed — that would have still left researchers, governments, archives, security experts unprotected.
The W3C is a body that ostensibly operates on consensus. Nevertheless, as the coalition in support of a DRM compromise grew and grew — and the large corporate members continued to reject any meaningful compromise — the W3C leadership persisted in treating EME as a topic that could be decided by one side of the debate. In essence, a core of EME proponents was able to impose its will on the Consortium, over the wishes of a sizeable group of objectors — and every person who uses the web. The Director decided to personally override every single objection raised by the members, articulating several benefits that EME offered over the DRM that HTML5 had made impossible.
But those very benefits (such as improvements to accessibility and privacy) depend on the public being able to exercise rights they lose under DRM law — which meant that without the compromise the Director was overriding, none of those benefits could be realized, either. That rejection prompted the first appeal against the Director in W3C history.
In our campaigning on this issue, we have spoken to many, many members' representatives who privately confided their belief that the EME was a terrible idea (generally they used stronger language) and their sincere desire that their employer wasn't on the wrong side of this issue. This is unsurprising. You have to search long and hard to find an independent technologist who believes that DRM is possible, let alone a good idea. Yet, somewhere along the way, the business values of those outside the web got important enough, and the values of technologists who built it got disposable enough, that even the wise elders who make our standards voted for something they know to be a fool's errand.
We believe they will regret that choice. Today, the W3C bequeaths a legally unauditable attack-surface to browsers used by billions of people. They give media companies the power to sue or intimidate away those who might re-purpose video for people with disabilities. They side against the archivists who are scrambling to preserve the public record of our era. The W3C process has been abused by companies that made their fortunes by upsetting the established order, and now, thanks to EME, they’ll be able to ensure no one ever subjects them to the same innovative pressures.
So we'll keep fighting to keep the web free and open. We'll keep suing the US government to overturn the laws that make DRM so toxic, and we'll keep bringing that fight to the world's legislatures that are being misled by the US Trade Representative to instigate local equivalents to America's legal mistakes.
We will renew our work to battle the media companies that fail to adapt videos for accessibility purposes, even though the W3C squandered the perfect moment to exact a promise to protect those who are doing that work for them.
We will defend those who are put in harm's way for blowing the whistle on defects in EME implementations.
It is a tragedy that we will be doing that without our friends at the W3C, and with the world believing that the pioneers and creators of the web no longer care about these matters.
Effective today, EFF is resigning from the W3C.
Thank you,
Cory Doctorow
Advisory Committee Representative to the W3C for the Electronic Frontier Foundation
https://boingboing.net/2017/09/18/antifeatures-for-all.html
mostlysignssomeportents · 6 years ago
#1yrago How big is the market for DRM-Free?
It's the Day Against DRM, and EFF is celebrating by publishing the first public look at How Much Do Consumers Value Interoperability? Evidence from the Price of DVD Players, a scholarly economics paper that uses clever techniques to reveal some eye-popping numbers on the strangled market for DRM-free gadgets.
The paper was written by a team from the University of Glasgow, led by Kristofer Erickson: they scraped Amazon DVD-player pricing data, and compared the sale-prices of players with (grey market) DRM-breaking features with the ones that obeyed all the rules that DVD players are supposed to obey.
They reached a shocking conclusion: DVD players with even minimal circumvention features sell for about 50% more than similarly reviewed DVD players of similar vintage -- that means that in a commodity electronics category where the normal profit would be 2% or less, manufacturers that sell a model with just slightly different software (a choice that adds virtually nothing to the manufacturing costs) pocket 25 times the profits.
In one way, this is unsurprising. People want DVD players, but they don't want DRM. If a manufacturer sells you a DVD player with some useful and desirable features, and some undesirable anti-features (like region-locking, or anti-ripping, etc), then under normal circumstances you'd expect a market to emerge for add-ons or rival products that remove the anti-features. If you bought a car whose cigarette lighter port came with a special bolt plugging it up because you hadn't bought the "charge your phone while you drive" option, you'd expect that your local garage would sell you a tool to remove that bolt.
But laws that protect DRM are indiscriminate, overbroad, and thus an invitation to mischief. Laws like Section 1201 of the US DMCA (or EU implementations of Article 6 of the EUCD, etc) make it a crime to bypass DRM, even when you're doing so for a legal reason. Ripping your DVDs isn't illegal. Buying a DVD in one country and watching it on a DVD player from another country isn't illegal. But breaking DRM is illegal, and since you can't do these activities without breaking the DRM, these activities become illegal, too.
That means that anyone who makes a product with some software in it can force you to use it only in ways that they prefer, and make it a felony to use it any other way. We're one vision-system away from a toaster that refuses to toast third-party bread, one RFID system away from a dishwasher that won't wash unauthorized dishes.
But as the Glasgow paper reveals, the monopoly rents that DRM allows manufacturers to extract from their customers come at a high price to the overall economy. Creating a business that lets people do legal things with the stuff they own is the key to economic growth: it's how we got the iPhone, it's how we got Netflix, and it's how we got cable TV.
This all only hangs together because the US Trade Representative has pressured virtually every country in the world into passing DRM laws that mirror America's version. But it would only take a few high-profile defectors to challenge this idea everywhere: the enormous profits -- and consumer satisfaction -- to be gleaned through giving people the ability to use their property in legal ways would quickly trump this incumbents' gentleman's agreement.
Normally, once you own something, the rule is, "use it any way you want, just don't break the law." Once DRM is in the mix, the rule is, "use it only in the way we tell you, and don't rock the boat."
https://boingboing.net/2017/07/09/dont-rock-the-boat.html
mostlysignssomeportents · 6 years ago
UK consumer review magazine Which?: your smart home is spying on you, from your TV to your toothbrush
The UK consumer review magazine Which? (equivalent to America's Consumer Reports) has published a special investigation into the ways that Internet of Things smart devices are spying on Britons at farcical levels, recommending that people avoid smart devices where possible, feed false data to the smart devices they do own, and turn off data-collection settings in devices' confusing, deeply hidden control panels.
The findings are pretty bonkers: the HP Envy 5020 Printer broadcasts the name of every file you print as well as sending it to HP; the Philips Sonicare Bluetooth electric toothbrush tracks your location; the usernames and passwords of all 200,000 ieGeek 1080p IP Cameras are exposed on a badly secured website; and an unnamed smart TV contacted 700 different IP addresses during 15 minutes' use.
The investigators say that they were limited in how deeply they could investigate their test devices because of "legal restrictions" (presumably license agreements and the anti-circumvention rules under Article 6 of the EUCD).
https://boingboing.net/2018/06/03/your-tv-is-watching-back.html
mostlysignssomeportents · 7 years ago
#1yrago Portuguese proposal to legalize breaking DRM passes Parliament
The amazing advocacy of the DRM-PT movement has resulted in the country's Parliament passing a bill that legalizes breaking DRM to accomplish lawful ends, such as exercising the private copying right, or making uses of public domain works or works produced at public expense.
The bill still has to be signed by the president to enter law.
This is a most welcome development! I've read the bill and commentary and one thing I can't quite figure out is whether the bill authorizes uses alone, or if it also encompasses the tools to make those uses. Many DRM rules -- including those implemented under Article 6 of the EUCD (like the Portuguese law), and the rules defined under Section 1201 of the US DMCA -- create some exemptions for "legitimate uses," but they do not authorize the creation of tools to accomplish these uses.
A good example is Norway's DRM law, which grants an exemption for blind people who want to run ebooks through screen readers or Braille embossers. However, it does not authorize anyone to make, distribute, or assist in the creation of a tool to do this. When I debated the minister who drafted this legislation in Oslo more than a decade ago, he admitted that the way the law was supposed to work was that each blind person would become a software developer, and would each, individually, discover flaws in ebook DRM, exploit those flaws to extract ebooks they'd purchased, and then run them through their assistive tools. They could not share the flaws they discovered, nor the tools they made, nor the books they'd unlocked. Any blind person who was not also a programmer with advanced reverse-engineering skills would not be able to take advantage of this.
In the USA, temporary exemptions are granted every three years at the Copyright Office's 1201 exemption process. These exemptions are also strictly "use" exemptions, not "tools" exemptions. So you are legally allowed to jailbreak your mobile devices -- thanks to the latest exemption -- but you are expected to do so without outside assistance (including any outside instructions or HOWTO files). Under the DMCA, you are expected to discover an error in the iOS operating system, develop a tool that exploits that error, and jailbreak your own iPhone, and you are bound -- under both criminal and civil liability -- never to reveal to anyone how you did this.
I can't tell whether the Portuguese bill is a use exemption or a tools exemption. Some Europeans have mooted the possibility of tying use exemptions to court orders for non-DRM versions of a work; in other words, rather than making their own DRM-breaking tool, a blind person would be able to hire lawyers to sue publishers to give them non-DRM-locked ebooks they could use with their assistive technology. This is an improvement, but it's still obviously inadequate: expensive, cumbersome, and unduly burdensome to people who want to exercise their rights under law.
I suspect the Portuguese proposal is drafted to comply with Article 6 of the EUCD, and will thus only permit uses, and not tools -- though perhaps with some process to require DRM-free versions to accomplish those uses (and maybe with a nuclear option of being able to develop and traffic in tools if the DRM vendor doesn't comply). But in an ideal world, Portugal -- which is struggling under austerity -- would use this law to give itself the right to develop tools to unlock DRM for lawful purposes, and export them, both to the EU (though they'd face enforcement action from the EU if they did) and to the rest of the world.
If GM can get $75,000 out of every mechanic in exchange for the tool that unlocks the DRM from its engine-telemetry, Portuguese companies could make a $100 version of this tool (an app you run on a phone or laptop) and sell it to mechanics in every country in the world, offering support and service through ongoing contracts. This tool would be virtually impossible for other countries to interdict, and it would allow small, local, independent repair shops to offer better service at lower prices in communities wherever GM cars are driven.
DRM has metastasized into every corner of our world; it's even coming to the web. Portugal could set itself up for billions in policy arbitrage at the stroke of a pen, selling products that virtually no other country on earth could compete with, and which every country demands. From alternative app stores to alternative tractor firmware, Portugal would be a powerhouse, turning the planet's DRM dollars into DRM-breaking dimes for its own treasury, while saving the world's technology users billions and enabling local repair, service, parts, consumables and app markets.
https://boingboing.net/2017/04/10/o-melhor.html
mostlysignssomeportents · 7 years ago
#1yrago Google quietly makes "optional" web DRM mandatory in Chrome
The World Wide Web Consortium's Encrypted Media Extensions (EME) is a DRM system for web video, being pushed by Netflix, movie studios, and a few broadcasters. It's been hugely controversial within the W3C and outside of it, but one argument that DRM defenders have made throughout the debate is that the DRM is optional, and if you don't like it, you don't have to use it. That's not true any more.
Some time in the past few days, Google quietly updated Chrome (and derivative browsers like Chromium) so that Widevine (Google's version of EME) can no longer be disabled; it comes switched on and installed in every Chrome instance.
Because of laws like section 1201 of the US Digital Millennium Copyright Act (and Canada's Bill C11, and EU implementations of Article 6 of the EUCD), browsers that have DRM in them are risky for security researchers to audit. These laws provide both criminal and civil penalties for those who tamper with DRM, even for legal, legitimate purposes, and courts and companies have interpreted this to mean that companies can punish security researchers who reveal defects in their products.
Dozens of W3C members -- and hundreds of security professionals -- have asked the W3C to amend its policies so that its members can't use EME to silence security researchers and whistleblowers who want to warn web users that they are in danger from security vulnerabilities in browsers.
So far, the W3C has stonewalled on this. This weekend, the W3C executive announced that it would not make such an agreement part of the EME work, and endorsed the idea that the W3C should participate in creating new legal rights for companies to decide which true facts about browser defects can be disclosed and under what circumstances.
Barriers to disclosure ensure that defects linger. Google's now-mandatory Widevine had a critical flaw for six years, which was only reported because a researcher from Israel, the only industrialized nation that doesn't have a law protecting DRM, published his findings.
Other browsers make W3C DRM optional for now. Brave explicitly allows you to turn it off and warns you about using it.
Chrome Widevine DRM can no longer be disabled [Hacker News]
Please allow disabling Widevine/EME again [Bugs/Chromium.org]
https://boingboing.net/2017/01/30/google-quietly-makes-optiona.html
mostlysignssomeportents · 7 years ago
Researchers craft Android app that reveals horrific menagerie of hidden spyware; legally barred from doing the same with iOS
Yale Privacy Lab and Exodus Privacy's devastating report on the dozens of invasive, dangerous "trackers" hidden in common Android apps was generated by writing code that spied on their target devices' internal operations, uncovering all manner of sneaking trickery.
It would be great if we had effective regulatory oversight and the power to seek legal relief from these companies for lying to us and/or sneaking spyware into our lives; but every bit as important is the right to independently audit their actions (as Privacy Lab and Exodus have done) and to install code that overrides the undesirable functions of this spyware -- for example, by blocking its communications or chaffing it with plausible garbage data.
The Exodus Privacy app's functionality is key to attaining the first goal, gathering independent evidence about the conduct of mobile firms and app providers. Without that evidentiary basis, there's no way to know you need self-help measures, nor is there any way to convince regulators to take action, nor is there the possibility of creating public clamour for competing products that would spur investors and entrepreneurs to make tools that let you reclaim control over your device.
As Exodus and Yale note, these trackers are almost certainly also present in iOS: the companies that make them advertise their iOS compatibility, for one thing. But iOS is DRM-locked and it's a felony -- punishable by a 5-year prison sentence and a $500,000 fine for a first offense in the USA under DMCA 1201, and similar provisions of Article 6 of the EUCD in France where Exodus is located -- to distribute tools that bypass this DRM, even for the essential work of discovering whether billions of people are at risk due to covert spying from the platform.
It's true that the US Copyright Office gave us a soon-to-expire exemption to this rule that started in 2016, but that exemption only allows Exodus to use that tool; it doesn't allow Exodus to make that tool, or to distribute it so independent researchers can investigate iOS.
https://boingboing.net/2017/11/25/la-la-la-cant-hear-you.html