Rick Falkvinge's Blog, page 9
January 6, 2017
The Government didn’t install cameras and microphones in our homes. We did.

Global: It begins: Amazon’s constantly-listening robotic home assistant was near a domestic murder case, and now the police want access to anything it might have heard. There have been similar cases in the past, but this is where it starts getting discussed: There are now dozens of sensors in our house. Do we still have an expectation of privacy in our home?
A recurring theme in the dystopic fiction of the 1950s was an ever-present government watching everything you did, as witnessed in the infamous Nineteen Eighty-Four and many others. Adding to the dystopia, starting in the 1970s with movies such as Colossus, computers are typically added to the mix of watching everything all the time.
However, these fictional dystopias all got one critical thing wrong in predicting the future: the government never installed cameras and microphones in everybody’s home. We did. We did it ourselves. And we paid good money for them, too. A smart television set — with infrared cameras built in, watching the people watching the television set as well as listening to them — costs good money that we happily paid.
“The television set received and transmitted simultaneously. Any sound that Winston made, above the level of a very low whisper, would be picked up by it, moreover, so long as he remained within the field of vision which the metal plaque commanded, he could be seen as well as heard. There was of course no way of knowing whether you were being watched at any given moment. How often, or on what system, the government plugged in on any individual wire was guesswork. It was even conceivable that they watched everybody all the time. But at any rate they could plug in your wire whenever they wanted to. You had to live–did live, from habit that became instinct–in the assumption that every sound you made was overheard, and, except in darkness, every movement scrutinized.” — 1984
And now, the police want access to all of it, not unlike in the brilliant short movie Plurality. In news this week, the police have just requested access to the recordings made by an Amazon smart unit in the home in order to solve a murder.
Of course, it always starts like this. A murder case. One murder case. The next time, it’s an assault rape case. The public opinion wants blood, and privacy has no value compared to catching a killer or rapist. So somebody, somewhere with authority, decides that privacy doesn’t apply in cases “like this”. Then, the government notes this mechanism has already been used for “felonies” – severe crime in general – and decides to apply the same rule for tax evasion, a decision which has no support in public opinion, but which is a crime that the government considers severe. A few more years, and the blanket privacy invasion is used to sue teenagers sharing music and to issue the mundanest of parking tickets.
(I want to point out that this ridiculous example of a slippery slope is exactly what happened with the hated mandatory Internet logging laws in Europe. They started out against murder cases and mass-murder terrorism, and before even a decade had passed, the privacy invasions were used against “all crime, including ticket-level misdemeanors”, and the copyright industry had special private access to the surveillance data for the purpose of suing people. This isn’t made up, it’s exactly what happens. The European Supreme Court struck that shit down as utterly unconstitutional, but it took a decade.)
The question is as disturbing as it is important. Legally speaking, do we still have an expectation of privacy in our own home? Especially when we installed equipment for the express purpose of listening to us and watching us?
As the Snowden movie came out, it was highlighted yet again that our mobile phones are constantly-wiretappable microphones, as the movie version of Edward Snowden took everybody’s phones and put them in a Faraday cage in his hotel room. How long until this is an ordinary reflex with ordinary people, and not just the most knowledgeable? “You had to live — did live, from habit that became instinct — that every sound you made was overheard…”
There are dozens of microphones and cameras in an ordinary household today. Not to mention all the other sensors: Wirelessly connected scales, cooking equipment, lighting, cars, toothbrushes, energy sensors, fridges. All connected. All wiretappable. If you haven’t used the “calm” color setting on the lights in your home in a while, the government has the ability to know. If your body fat increases, or if you don’t brush your teeth regularly. If you change your coffee grind, or switch to stronger espresso. If you undercook your meat. The list goes on.
There are five separate and important aspects to this.
The first question is if law enforcement can plant surveillance on suspects of serious crime, using their own equipment. Most people would agree that this is reasonable.
The second question is if law enforcement can retroactively activate surveillance, as in the murder case above. As this requires watching and listening to everybody, all the time, it completely eliminates the concept of privacy (even if, as the police tend to argue, only a small fraction of collected data is used for later investigations: the same was true for letters in East Germany — they were all opened and analyzed, but only a small fraction of them were forwarded for later action).
The third question is if law enforcement can legally use your equipment against you: this requires breaking into your equipment and effectively taking control of it. This is a completely separate topic from the first question, which assumes law enforcement is using (and paying for) its own equipment to violate your privacy. Five years ago, it was uncovered that the German Federal Police had broken into ordinary people’s computers to wiretap people – and with root access comes access to webcams and microphones, too. This is a deeply unsettling concept, one that gives national security employees a dangerous conflict of interest, as they’re supposed to be keeping people safe but can use people’s not-being-safe to make their own job easier, if this is permitted.
The third-and-a-half question is if law enforcement can coerce a third party to wiretap you retroactively, like Amazon or Google, eliminating your agency in the matter.
The fourth question is inter-country espionage, such as when the United States NSA broke into Belgacom (the Belgian national telecom operator) and wiretapped the entire European executive and legislative branches, in addition to Angela Merkel’s personal phone. While outrageous, espionage at this level has always existed and to some degree it’s up to every country to protect its own assets.
The fifth and final aspect is the notorious insecurity of all the connected things. The technology sector has only started to learn how to make secure software, including frequent patches. Other industries that are adding connectivity as a bonus feature – scales, fridges, toasters – will be notoriously insecure, won’t patch, and will be around homes for decades.
This discussion is just getting started. Privacy remains your own responsibility.
Syndicated article
This article has previously appeared on Private Internet Access.
(This is a post from Falkvinge on Liberty, obtained via RSS at this feed.)

January 2, 2017
The great “Fake News” scare of 1530

Europe: Fake news has always been around for humor purposes, but the real “fake news” scares happen when the establishment is so used to getting away with lying, that any alternate narrative is demonized as factually false, irresponsible, and dangerous.
“The Onion” was next to “The Economist” in the newspaper stands for almost two decades. “Weekly World News”, which one-ups most British tabloids with regular Elvis sightings and vivid descriptions of two-mile fish orbiting in the rings of Jupiter, is still next to “Foreign Policy” in the same newspaper stands. This was never considered problematic in the slightest. Why, then, is a unified establishment screaming bloody murder about “fake news” all of a sudden?
To see the pattern here, it helps to know a little history – let’s look at the great “Fake News” scare of 1530. It has a lot of elements similar to ours today.
“The statements that make [established] people mad are the ones they worry might be believed. […] If Galileo had said that people in Padua were ten feet tall, he would have been regarded as a harmless eccentric. Saying the earth orbited the sun was another matter. The church knew this would set people thinking.” — Paul Graham
After the Black Death hit Europe hard around 1350, the monasteries were chronically short on manpower. The families that had used to send a child or two to become monks or nuns simply needed all their kids to work in the fields, to ensure food production, before such luxuries as manning the monasteries could even be considered. Therefore, any work that required involving monasteries became increasingly steep or scarce for the coming century.
This is relevant as those monasteries were the only places that produced books, all of which were in Latin, and all of which were in complete synchronization with the messages of the Catholic Church, the owner of the monasteries and therefore the owner of all mass media at the time. To compound the situation, the same owner also employed all the news anchors – the village preachers, who were the ones who read the books (in Latin) and translated them to the common tongue in villages.
A book was hideously expensive to produce. Not only was each page copied by hand, but the pages were made from animal hides: it was estimated that a single book may require the hides of as many as 300 calves. We don’t have a lot of comparative numbers from Europe of the time, but we do have them from elsewhere: a fine book in the Islamic world of the time could cost 100 dinars, with the annual paycheck required to support a middle-class family being about 25 dinars. Put differently, the prospect of buying one single book would consume an entire family income for four years – or in the $500k to $1M range in today’s value.
To the day, almost a century later, Johannes Gutenberg combined the four inventions of the squeeze press, oil-based inks, metal movable type, and cheap rag-based pages to produce the first printing press. All of a sudden, books could be mass produced cheaply, and there was an enormous profit motive to be made in producing books for the common people. You could accurately and shamelessly call it an undercutting of the monastery business. (“How will the monks get paid if we allow cheap copying technologies?”)
Gutenberg was convinced his invention would strengthen the Church, as the ability to mass produce books from a single original would eliminate all the small copying errors invariably introduced in the manual book production process. It would therefore, he argued, improve the consistency of Christian bibles. The result was the exact opposite, through mechanisms Gutenberg did not foresee.
It’s important to remember here that, through the media cartel of the medieval ages (where the Catholic Church produced all news and reported all news), there was an absolute gatekeeper position over the narrative. The Church could essentially claim that something was true, and everybody would believe it. This is a very powerful position, being the gatekeeper of true and false – one that is prone to abuse without any opposition, or competition, in reporting. As it turned out, the Catholic Church would indeed come to abuse this power quite egregiously, and paid the price for it.
In the late 1400s, the Catholic Church needed to raise money, and came up with the idea of selling forgiveness for sins, the basic idea being that you didn’t need to be a good person to gain the favor of the Church (and divine beings), you only needed to be Rich. A priest, monk, and theologian named Martin Luther took particular exception to this message, seeing how it stood in complete opposition to everything the Church was supposed to be about, and nailed his 95 theses to the church door in 1517.
These 95 theses outlined how the entire practice of selling divine forgiveness was based on falsehoods, fabrications, and fiction. However, it’s important to look at the bigger picture here: what Martin Luther protested was only superficially the selling of salvation to raise funds. More fundamentally, he was objecting to abuse of the gatekeeper position over truth and lie to twist the narrative for the gatekeeper’s material benefit.
This is where the story should start to feel familiar with modern day conflicts over the Power of Narrative.
Luther was excommunicated – banished, exiled – in 1521. This was one of the graver punishments administered, short of the death penalty, and the only thing remaining for somebody thus punished was normally to leave for foreign lands. However, in Luther’s case, he was given refuge in lands siding with him instead of the Catholic regime, ultimately setting off a century of civil war over the Power of Narrative.
The final death knell came when Luther published bibles in German and French using the new printing press, the so-called Luther Bibles, first published in 1522. These set off shockwaves, as they were 1) distributed by the cartload in the streets of Paris and France, 2) were readable by the common people without translation by the clergy, and 3) didn’t cost the equivalent of a million dollars each.
The Church immediately went into a panic, as they had instantly lost their gatekeeper position. No longer were they able to stand unchallenged when they were reading from the Bible in Latin, as people could – and would – verify the claims made, using their own direct sources. And as it turned out, a lot of the things that had been claimed – selling salvation among them – had been baloney of the highest order with no support in the Christian Bible as claimed.
The Catholic church went on a rampage and a crusade against this new spread of ideas that would challenge its narrative, and in particular, against the technology which enabled people to challenge its narrative. Copying books cheaply and efficiently instead of paying four annual salaries for a single book – the audacity, the outrageous heresy! How dared people copy books themselves without respecting the Church? Obviously, books could only be properly copied in monasteries, to ensure proper quality.
(“How will the monks copying books get paid otherwise?” was as much a smokescreen then as it is today.)
The church kept up the pressure against the printing press, as it saw all the resulting non-sanctioned news channels as completely fake, not just being wrong, but being dangerous. They were irresponsible. They were deliberately spreading misinformation – at least the Church saw it that way, a Church which was institutionally incapable of unlearning that it was no longer the single source of information and would no longer have whatever outlandish claim accepted without question.
However, the nobility and royalty of the time were certainly paying attention to the Church. After all, the Archbishop installed Kings, so there was a mutual dependence for power between the clergy and royalty at the time. Therefore, when the Church exclaimed the sky is falling (“there is fake news everywhere! We must do something!!!111!!one!”), the royalty tended to listen.
As a result, on January 13, 1535, the French King Francis I signed into law the death penalty by hanging for using a printing press at all. Yes, you read that right: there was a death penalty for making unauthorized copies. The justification for the law, as still readable in the preserved logs from 1535, was to “prevent the spread of misinformation and false news”.
So the gatekeepers of knowledge and culture in 1530, on losing their gatekeeper position over the narrative, didn’t counter with higher-quality reporting, but instead attacked the technology enabling competition, calling it out as spreading misinformation and irresponsible fake reports. Does any of this seem… familiar?
The law was a complete fiasco. Once people had learned to read competing reporting, there was no unlearning it. The law was repealed shortly thereafter. England went another route to prevent the success of the printing press by establishing a censorship regime with printing monopolies, known as copyright, but that’s a story for another day.
As a final touch, let’s consider the words of Paul Graham, in his excellent essay “what you can’t say”: “No one gets in trouble for saying that 2 + 2 is 5, or that people in Pittsburgh are ten feet tall. Such obviously false statements might be treated as jokes, or at worst as evidence of insanity, but they are not likely to make anyone mad. The statements that make people mad are the ones they worry might be believed. I suspect the statements that make people maddest are those they worry might be true. […] If Galileo had said that people in Padua were ten feet tall, he would have been regarded as a harmless eccentric. Saying the earth orbited the sun was another matter. The church knew this would set people thinking.”
Privacy and narrative remain your own responsibility.
Syndicated article
This article was previously published on Private Internet Access.

December 23, 2016
Understanding the Hamburg “illegal links” ruling and its problems
Copyright Monopoly: A Hamburg court has ruled that certain links were illegal when they were pointing at photos that were posted in violation of copyright. This ruling follows the worst fears of a previous ruling by the European Court of Justice, and creates many problems for the future.
The court in Hamburg has ruled that the operator of a website was violating the distribution monopoly known as copyright when they posted a link to an image, an image which was posted under Creative Commons, but where the posting did not comply with the license terms. Not only was the website operator unaware of the infringement of the original post, but the original poster was also unaware.
This ruling is a substantial and disastrous overinterpretation of the precedent established in the European Supreme Court (the ECJ, the European Court of Justice) earlier this year in the case of Geenstijl v Playboy. In that case, the Dutch site Geenstijl had posted links to leaked images from Playboy, images published without Playboy’s permission, and the ECJ was asked to rule on whether such links constituted infringement (assuming that the publication-without-permission of the Playboy images did).
This was a case that had the copyright industry salivating: they have been trying to establish for over a decade that links are illegal if they link to material that violates the distribution monopolies, and in particular, going after any links-to-links in what they hoped would be an indefinite chain of liability. So far, courts had thrown them out wholesale and for good reason. For the first time, a case of this caliber was in a continental Supreme Court: were you allowed to link to things that themselves constituted an infringement of copyright? The case had enormous implications for the file-sharing witch-hunt and “speculative invoicing” (what we normally would call “systematic fraud by copyright trolls”).
When that ruling was handed down by the ECJ, the Court established two things:
1) When you post a link with a profit motive in a commercial setting, you can be expected to have the burden of verifying that the link points at non-infringing material. (Geenstijl lost the case.)
2) However, this burden of verification does not apply at all to non-commercial settings.
Therefore, this ruling set off a cascade of reactions between “yay, the copyright industry lost, they cannot go after links posted by ordinary people” and “the sky is falling, because now links can potentially be illegal”.
To be fair, I thought this was a ruling I could live with, in my analysis. I’ve personally been working for the past ten years to constrain the copyright construct to only cover commercial and for-profit activity, essentially constraining its application to commercial publishing, and this ruling seemed to be completely in line with that ambition. If somebody makes a deliberate and knowing link to infringing material with a direct profit motive to that specific linking, and can be found liable for that, then that was a price I was ready to pay for having all other sets of actions declared outside the scope of the copyright monopoly. But as it turns out, it wasn’t really that easy.
Note that the ECJ talks about “links posted for profit”. They are putting a very high emphasis on the direct profit motive on the posting itself, as was undeniably the case with Geenstijl linking to the Playboy images front row center.
In contrast, the Hamburg case has overinterpreted this as links published anywhere within the scope of a generally for-profit operation, which is easily three orders of magnitude larger scope. A link posted on a casual staff blog of a physics-research subdivision of a retail company would have to be subject to rigorous inspection. This is arguably completely different from a high-profile article front row center of the entire operations, the purpose of which is nothing but pointing at those Playboy images. (Julia Reda of the European Parliament expands on this problem in Ars Technica.)
There are at least two more obvious problems with this:
1) Interpretation of the copyright distribution monopoly is hard. It involves cases that frequently enough go to Supreme Courts for ruling, and yet, here’s a court putting the burden of compliance on completely unskilled employees posting any and every link. There’s definitely a chilling effect here as people will strive to avoid any gray area. Further, do remember that the copyright industry is frequently found abusing its own abusive rules.
2) Links are not static. The web keeps changing and any link you post, even with rigorous inspection, is fully capable of pointing at something completely different the next day, without your knowledge or intent. Is it the intent of the Hamburg court that we must inspect all our links, all the time? Moreover, inspect them for changes to the terms of the material linked to, even if the material is the same? The burden and liability are insanely high and unpredictable.
The tensions keep rising and something’s gotta give. This is still a fight between the 21st century and the 20th century.
Ars Technica also has a good writeup by the excellent Glyn Moody. At present, it’s unknown whether this case will be appealed.
Syndicated Article
This article has previously appeared at Private Internet Access.

December 18, 2016
The war on cash being justified as “necessary against organized crime” is the worst excuse ever

Global: There is a “war on cash” going on from the central banks, trying to reduce the usage (and personal storage) of cash. This is something that makes sense as a power move against the common people in a time of forced negative interest rates, but it is a shocking reduction of liberty and privacy (of finance), not to mention that the official justifications don’t hold a shred of water. What’s really behind this trend?
Would you like your government to have more insight into your personal finances than you have yourself? That’s where we’re heading with the ongoing “war on cash” – into a world where every transaction is not just loggable by the government (or a government-coerced agent), but where you can also be held responsible for anything and everything you buy and sell.
There’s both a carrot and a stick in this scheme of making everything traceable and trackable. The stick consists of outright bans on cash transactions – several European countries have banned cash transactions exceeding 1,000 euros. Uruguay has banned cash transactions over $5,000. Even Switzerland has proposed banning cash transactions over 100,000 Swiss francs (admittedly a high number, but once a government declares a right to ban cash transactions, the number is a matter of degree and not principle).
The carrots and incentives for not using cash, meanwhile, mostly take the form of making it easier to pay using cards. The latest example of Amazon Go, a brick-and-mortar store where there’s no checkout at all but you just grab what you want and leave, is one example of such a carrot. It is undeniably more convenient than standing in an annoying checkout line. Combine this with various fees for withdrawing cash from your own account in the bank, and the incentives become clearer.
But why pursue this direction? There are many conceivable reasons for wanting to eliminate cash from circulation altogether. ZeroHedge has homed in on the elimination of cash being an absolute necessity to maintain a zero-interest (or even negative-interest) policy, which in turn remains necessary to prevent a financial bloodbath. Others have talked about the costs inherent in transporting cash in armored cars, or the risk of robbery being eliminated.
From a national policymaking perspective, though, the general excuse seems to be to “make it difficult for organized crime”. This was the excuse behind the elimination of the 500-euro note, for example.
But from a national perspective, this excuse makes absolutely no sense at all. At the national level, the game is to dominate other countries. Petty organized crime is not really relevant at that level, unless it is useful in the context of dominating other countries. And that’s where we find that this excuse – this “we need to be tough on organized crime” – is a complete Maskirovka, a complete façade, an utter lie. It doesn’t make sense at all.
The notion of a currency being used as a default currency in global organized crime is a concept that has geopolitical strategists positively salivating.
Organized crime – which in many cases is just free and consensual non-aggressive trade which is still governmentally banned – is a significant part of the global economy, an estimated ten per cent. A very significant part, one that uses large amounts of currency in cash format. If you’re responsible for dominating other countries, one of the best and safest ways to do this is to pull strings that increase the value of your currency. We know from supply-and-demand lessons that this can take the form of causing the demand for the currency to increase.
If your currency is the default trade currency for organized crime (which I’d rather call “free and consensual trade” to a large degree), this brings an enormous benefit to your economy as a whole – it has been estimated that it means as much as 25% higher standard of living, for everybody. Given this number, there are two immediate and obvious observations:
1) A crackdown on cash transactions with the excuse of “combating organized crime” is utter bollocks of the highest order. When you’re working on the national policy level, you’re doing your utmost to have organized crime use your currency and nobody else’s. It’s the equivalent of printing lots of free money – roughly the equivalent of 10% of the world’s GDP.
2) More concerningly, given the enormous benefit of having organized crime use your own currency, what concern is more pressing than this – 10% global GDP essentially for free – that is the actual cause for these actions to fight cash?
Liberty and privacy, including financial privacy, remain your own responsibility.
Syndicated Article
This article has previously appeared on Private Internet Access.

November 5, 2016
Remember, remember, the Fifth of November

Privacy: In the spirit of commemoration, I thought we could mark this November the Fifth by taking some time out of our daily lives and consider again where society is going. Where once you had the freedom to object, to think and speak as you saw fit, you now have censors and systems of surveillance coercing your conformity and soliciting your submission. It may not be much, yet, but it is there. How did this happen?
Liberties are like muscles. They must be exercised regularly and in full, even to a degree of discomfort, or they will wither, atrophy, and vanish.
(Also posted on Privacy News blog, because Fifth of November.)

November 2, 2016
File-Sharing Can Be Legalized Immediately, While Complying With All Treaties

Copyright Monopoly: There’s consistent disinformation from the copyright industry that even if a national parliament wanted to legalize file-sharing, it is not permitted to do so because of international treaties. This disinformational notion is hogwash, and I’m going to show exactly how it’s possible to legalize the private sharing of music, movies, and other culture while complying with all international treaties.
When determining whether it is possible to legalize file-sharing – defined as the noncommercial sharing of cultural works for personal use, without the consent of the distribution monopoly holder – and still stay in accordance with all international treaties, an obvious shortcut is to check if there is such legislation already somewhere, legislation that has been around for a long time and is accepted as a legislative precedent by the international community and the host legislature.
It turns out there is. Specifically, there is a very little-known such exception in Sweden (a country and a law I’m very familiar with since it’s my native country), and Sweden is affected by pretty much all existing EU treaties: what applies to Sweden will apply to any EU/EFTA country, like Germany, Czech Republic, or Iceland. When computer programs were moved in under the copyright monopoly umbrella in the early 1990s, politicians actually considered the cost of enforcement of the distribution monopoly when designing the law, unlike today.
(Before the early 1990s, you needed some kind of artistic expression to get a distribution monopoly — “copyright” — on the work. Thus, for a computer game, the graphics art and sound score could be copyrighted, but the algebra required to make 3D projections of objects onto a screen could not.)
In any case, this is the relevant paragraph from the Swedish — current and up-to-date — copyright monopoly law, upphovsrättslag (law “1960:729”), my translation and highlights:
Swedish law 1960:729, 53 §, 2nd paragraph
A person who copies a computer program which has either been made available to the public, or which was obtained with the consent of the rightsholder, shall not be held legally accountable for this, if the source of the copy wasn’t obtained from a commercial location [the person’s employer, my note] or government institution, and the copies so made aren’t used for anything else than personal use.
Well, what do you know. File-sharing computer programs such as Microsoft Office was always, and still is, completely legal in Sweden, as long as you’re not (knowingly) copying from your employer but only from other private individuals (maybe via something like The Pirate Bay), and only using the resulting copy for personal use (not for commercial use).
This law has been in effect through all the treaties with the knowledge of all parties involved, and despite a number of changes to this law in recent years, this particular passage has always remained in effect.
With this, it is established that there is a precedent exception for personal copying for computer programs, if a country wants it, while remaining in sufficient compliance with all treaties. This goes particularly for the so-called “Berne three-step test”.
Do note the term “sufficient compliance”. This is reality and politics, two fields where things are never black and white. By this term, I mean that the exception has remained and been in continuous effect without a sustained objection. This rule in Swedish law was established with the following justification (the book Copyright by H Olsson, page 310):
The special rule [in Swedish law] for computer programs […] is justified by the practical problems with criminalizing copying for personal use and in general. It is practically impossible, or in any case very hard, to enforce a criminalization in this area. If a law cannot be enforced, it is practically ineffective, and incurs a risk for reduced respect for legislation in general.
It’s worth noting that when this rule of law was written, computer programs were the only thing copied digitally. Digitization of other works started far later – notably from 1995 onward, with Fraunhofer’s publication of the L3ENC utility to encode to the MP3 standard, and the WinAmp utility to play MP3 files on a computer. But, as has been argued time and again, this is the reason why the same exception must apply – the exact reason that made it into Swedish law in the early 1990s: a ban on private, digital copying cannot be enforced without unjustifiable costs to other liberties.
This leads us to the next question: is it legally possible, as far as treaties go, to extend such an exception to the distribution monopoly from computer programs to other forms of culture?
This brings us to something called the WIPO Copyright Treaty, or WCT. It is the base for a lot of US and EU law (like the DMCA and the EUCD). In that treaty, we see what level of harmonization is required between such exceptions:
WIPO Copyright Treaty, Article 4
Computer programs are protected as literary works within the meaning of Article 2 of the Berne Convention. Such protection applies to computer programs, whatever may be the mode or form of their expression.
In other words, the WIPO Copyright Treaty says that computer programs must have the exact same level of protection as books, according to the Berne Convention (and according to other parts of these documents, this also goes for all other forms of works).
Therefore, it is completely justifiable — even required — by the treaties in effect to extend such an exception to music, movies, and other forms of shared culture.
Therefore, file-sharing can be legalized today, while still being in compliance with all active treaties.
(Last but not least, a country can safely ignore treaties and directives, even if that’s not the point of this article. Not just “can”: it happens all the time and consistently. In Southern European countries like France or Italy, when directives can’t be implemented, politicians say it’s impossible in the local political climate, shrug their shoulders with wide gestures, and just expect that to be the end of it. Sweden hasn’t introduced the Euro, despite being very required by high-profile treaties to do so: same thing there. Basically, in the political world, a treaty violation is only a violation if you call it a violation. This may seem cynical, but it’s exactly how it works in reality – as a lawmaker, as long as you explain how you’re not violating something, you aren’t, all other aspects be damned.)

October 29, 2016
Reykjavik: Icelandic Pirates Triple Result, But Not Largest Party

Iceland: The Icelandic Pirate Party has had a record election. Early vote counts place Pirates at 14 percent, for ten seats of the 63-seat world’s oldest Parliament. As the victory party draws to a close and the results slowly finalize, it’s worth looking a little at what comes next.
Pirate Parties keep succeeding, although on a political timescale. It started out a little carefully with getting elected to the European Parliament from Sweden, then to multiple state parliaments in Germany, city councils all over Europe, the Czech Senate, and the Icelandic Parliament, all in a decade’s insanely hard volunteer work.
Today, as the victory party draws long into the night and as the Election Saturday becomes Celebration Sunday (and quite probably Interview-and-Media Sunday for a lot of people), it’s clear that the Pirate Party of Iceland has broken all previous election records, clocking in at 14% with about one-third of the votes counted at 01:00 on election night. (UPDATED to show final results; the Pirate Party is in shared second place with 10 seats out of the Icelandic Alþingi’s 63.)
In the polls, it was a close race up until the very end whether the Pirate Party would become the largest party, but as we can see, that support doesn’t seem to have materialized – which by no means diminishes the feat of re-election and tripled support. Polls had been showing the Píratar as high as 42%, wiping the floor with the competition and being close to a solo majority, but polls are not the election.
It is absolutely crucial here to not measure this result in terms of expectations from earlier polls, but in terms of getting re-elected — which no pirate party has succeeded in before — and in terms of tripling support, reaching a new election highscore. Now that we’re at the election night, ignore the polls. This is the big thing that just happened.
With Pirate Parties in about 60 countries, we keep learning from each other. There’s no clear cut correct answer on how to change the world, no preset path to follow. We all learn by trial and error and learn from each other – somebody’s always in the lead, and others can learn from their experience. It used to be Sweden, then Germany; now, it is most definitely Iceland.
And as I said on the Berlin election victory night in 2011: Tomorrow, this is going to be in all the papers. Not just in Berliner Zeitung and Die Welt, but in the Wall Street Journal, the South China Morning Post, and the India Today. (I was wrong then. Not about the coverage, but about the time: the stories were breaking in world media during the victory party, and not holding off until tomorrow as I claimed. I expect the same thing to be happening right now.)
On the victory night of 2009, I said that this is the net generation starting to reclaim its civil liberties from stale, vested interests trying to prevent the future from taking place. The hard road was bumpier than expected, but that is most definitely what is happening.
So today, this is an Icelandic celebration. This is the Icelandic pirate volunteers’ victory, their hard work coming to fruition, and their night to celebrate. They have more than earned it. And the rest of the movement have everything to learn, while buying an Icelander a beer.
(I thought of wearing a custom made shirt with the text “I voted pirate before it was cool” printed on the back to this victory party, since pirates have now gone mainstream, but didn’t think of it in time. Plus, as Andy Carling pointed out, voting pirate was always cool.)
Background to early elections
The Icelandic Pirates are already in Parliament with three seats out of 63, which is what has allowed them to show their attitude to things in the past term, after the financial crisis of 2008, which hit Iceland hard. Unlike most (or all) countries, Iceland let its bankers carry the burden of their own downfall, not bailing them out but sending the bankers to prison instead. However, the ruling coalition at the time – led by the Independence Party – tried very hard to bail out the Icelandic bankers, but failed to find somebody willing to pay for it, leaving bankruptcy as the only remaining option.
When the Panama Papers burst earlier this year, and it turned out that the Prime Minister and the President had, or were connected to, offshore accounts that had profited nicely from the Icelandic banking collapse, the situation became politically impossible, they all stepped down, and called early elections. Not extremely early like half-term or anything like that, though — the elections are six months early on a four-year schedule; they would have been held in May 2017 otherwise.
It’s also worth mentioning what it means that Iceland has a proportional parliament: it means that there are more than two parties, lots more than two parties, and that these parties negotiate after the election to form a coalition that reaches more than 50% of the seats in the Icelandic Parliament, the Alþingi (the all-thing, “thing” being an Old English word for a time and place where you settled disputes – still present in some Scandinavian words like tingsrett, “thing-rights”, meaning the local District Court.)
In any case, this means that “winning” doesn’t necessarily mean becoming the largest party; you may be the largest party and still end up in opposition for the coming term.
[Image: The Icelandic Alþingi, the world’s oldest parliament.]
The next steps
What happens next is the coalition game. Seeing that you need at least three parties to form any majority coalition with the early results, pirates may end up in the governing coalition, and pirates may not. This is far too early to tell and it’s going to be weeks before the negotiations produce a new government.
We’ll see in a few weeks which plays out and which coalition succeeds in forming. Regardless, this result is enormously promising every bit of the way, not just for Iceland, but for civil liberties activists everywhere.
A “Switzerland of Bits”
This leaves the question of what this means for the future. Assuming the Icelandic Pirate Party gets into a position to set a significant amount of policy for Iceland, and where they have talked of creating a “Switzerland of Bits” in Iceland, what does that mean for the world?
As it turns out, it means a whole lot.
The current old-world regime depends on all countries cooperating and agreeing on various monopolies that hold back the Internet and civil liberties. For example, for the copyright monopoly to be effective, it really requires that every single country that is connected to the Internet cracks down ruthlessly on any civil liberty that happens to threaten the entertainment industry’s distribution monopoly.
It only takes one.
It only takes one country out of 196 to say “enough is enough” and kick the old dinosaurs out. There’s no reason a cartoon industry – Disney Corporation – should get to regulate the world’s most important infrastructure. Quite the reverse: I find the idea revolting.
And it only takes one country to say out loud that this cartoon industry’s regulation is bullshit for all the dominoes to start falling, and that is completely doable. For all the international agreements out there, there are well enough legislative precedents to allow all copying for private use from tomorrow onward, just to start somewhere.
The same principles go across the board for civil liberties as they apply to the Internet. It’s going to be real exciting, indeed – a “Switzerland of bits” is exactly what the world needs at this point, and it’s going to bring the old controlling world down and the new networked world in.
Like on New Year’s, sometimes it’s time to go to the bells and ring out the old, and ring in the new, with a smile on your face full of hopes and dreams. And even if the pirate party doesn’t get to make policy this time around, there’s a next election, and a next. This is a long term thing.
Birgitta, Jon Þor, Smári, Ásta, Finnur, Kári, Elsa, Halldór, Halldóra, Sigridur, Eva, Helgi, and everybody else, all the fantastic people – awesome, amazing work. But you knew that already. I am proud, as always, to call myself your colleague.
UPDATE: As of 1300, the pirate vote count stands at 14.5% and ten seats to the Alþingi; one more seat than the midnight tally. The article has been updated to reflect this.

July 18, 2016
Bitcoin, Innovation Of Governance; Lightning Rod Striking Balance Of Power

Activism – Nozomi Hayase: In its seven years of existence, Bitcoin has gained wide mainstream attention with its disruptive potential in finance. Yet, currency is just its first application. The technology’s other potential lies in affecting governance and law. Democracy has weakened in the existing systems of governance. With concentration of power created through hierarchy, ordinary people are kept out of influencing policies or participating in vital decision-making. In this lock down system, many politicians do not represent true interests of the people and those who do are often blocked out. Can Bitcoin strike this balance of power? In this article, I argue how Bitcoin is not just an innovation of banking and finance, but at its core concerns innovation of governance systems, built upon a new security model that protects and empowers everyday people.
For many decades, activists, workers and concerned citizens have been working hard and dedicating their life to bring equality and justice. Unprecedented levels of government and corporate corruption in recent years have signaled a breakdown of checks and balances, while an extreme trend toward authoritarianism has discouraged popular dissent, often depriving people of hope.
Problems are not simply a lack of care or will for change. The fundamental issue seems to revolve around our basic view of humanity. Many tend to think that people are inherently good and operate with similar motives to themselves. The deep failure of democracy has shaken up these assumptions, showing this to be a naive and overly idealistic view of man. The 2008 financial meltdown and crisis of legitimacy exposed the existence of individuals who have a radically different makeup than the rest of the population. These are psychopaths, whom psychopathy expert Robert Hare called “social predators who charm, manipulate, and ruthlessly plow their way through life”.
Psychopaths exhibit a total lack of conscience and empathy for others. They embody a dark side of individuality, with aggressive and narrow selfish desires that often come in conflict with the public good. Regulation has been shown to be ineffective and laws often fail to offer protection because its very mechanism has been gutted and used by those in power for their advantage. The question now is how to account for this hidden vulture within humanity and build a system that is resilient to these adversarial forces.
Security Holes Within Representative Democracy
In that seminal white paper, mysterious creator Satoshi Nakamoto described Bitcoin as a purely peer-to-peer version of electronic cash that would allow “online payments to be sent directly from one party to another without going through a financial institution”. The core invention is distributed trust and Nakamoto stated that it was put forward as a solution to the “inherent weakness of the trust based model”, where financial institutions act as trusted third parties.
What is this inherent weakness identified by the inventor of Bitcoin? Most people are bound by empathy and naturally restrain actions in consideration of others’ needs. On the other hand, psychopaths are not governed by these internal laws of empathy and therefore cannot regulate self-interests. Moreover, as was articulated by psychiatrist Hervey M. Cleckley in Mask of Sanity, deception is at the core of psychopathy. With superficial charm, these predators hide their claws and teeth and gleefully trespass others’ boundaries, erasing their trails and even manipulating laws to get away with their crimes.
Trust is a vital foundation of human relationship and this has become psychopaths’ primary entry point for predation. These ruthless individuals fake empathy to elicit trust and then exploit it. When a governance model is structured in a manner that relies heavily on trust, such a system inevitably becomes vulnerable to this unknown member of society who can cleverly mimic good attributes of human nature and blend into society.
Representative democracy that requires people to trust those who claim to represent them in the form of elected officials has increasingly become a mask used by these ruthless individuals to hide and gain a grip on the populace. Behind the veil of secrecy, psychopaths leverage our trusting nature and construct promise-based governance. For instance, corporate masters behind the charade of electoral politics sponsor political candidates, who with campaign promises keep people passive and manage down their expectation levels. With future faking, which involves making plans that will never happen, and gaslighting, a tactic known to challenge one’s memory, they deceive and gain power over others.
Money dependent on systems of representation requires trust to work. It has now largely been turned into promissory notes and fabricated interest obligations, becoming a weapon for psychopathic control. The hidden captains of this managed democracy direct the flow of currency through financial engineering and have created incentive structures that are bent toward preserving their power. Radical deregulation is enacted under the banner of a ‘free market’ to manipulate interest rates and fiscal policy, creating never ending cycles of harsh austerity and usury.
Stimulated by toxic asset bubbles, derivatives and quantitative easing, these incentives work like invisible hands of the market, promoting fraud and depravity. They suppress democratic values by controlling information, which is the currency of democracy, and constraining free speech with economic censorship, as was seen in the case of the financial blockade against WikiLeaks. All of this has resulted in the creation of a two-tiered justice system and derisked capitalism, where those in power are never allowed to fail and are not held accountable either by markets or the legal system.
Bitcoin as a New Security Model
Bitcoin addresses this inherent weakness of third party trust that has been exploited to create systemic parasitic rent-seeking structures. As asset-based digital cash, it offers an alternative to the promissory system of value creation by decree from above. Bitcoin’s underlying technology, the blockchain, is a public asset ledger. This is a distributed database that records a history of transactions in the network without anyone in charge. Once data is verified, no one can undo it. This immutable timestamp goes beyond simple accounting of monetary transactions.
Bitcoin enables a new security model and it addresses the problem of security holes in the existing trust-based model of governance. Author and security expert Andreas Antonopoulos called this “trust by computation” that has “no central authority or trusted third party”. He explained this form of trust as follows:
Trust does not depend on excluding bad actors, as they cannot ‘fake’ trust. They cannot pretend to be the trusted party, as there is none. They cannot steal the central keys as there are none. They cannot pull the levers of control at the core of the system, as there is no core and no levers of control.
With this trust by computation, the need to trust institutions or central authorities is replaced with mathematics. Human trust is easily exploited by those prone to act with little concern for others. In the Bitcoin network where there is no point of control, attackers cannot fake trust. In order to gain control over the network, they would have to compromise math.
Power corrupts, and the best way to check and balance power is to not have these points of control in the first place. Thus, decentralization is a natural progression of security models. In a decentralized system, there is no ladder of power that psychopaths can climb and exploit others. Through distributing trust across a network and minimizing the necessity to trust a third party, the system removes vulnerabilities that often lead to such concentration of power.
Honest Account of the Darkness Within
So, how does Bitcoin distribute trust and secure this peer-to-peer network? In traditional systems, psychopaths rise to power, cheat and control the game. In these new cryptographic systems, psychopathic deception and attempts to cheat the system could manifest in covert chip fabrication, spam attacks and miners colluding in a mining pool to earn more than their fair share at the expense of honest miners.
Yet, the genius of this protocol is in the ability for this math-based network to enforce rules of consensus and fair play. At its foundation is Satoshi. The Japanese character of his name reads as history of philosophy. This philosophy is like wisdom gained through history; an understanding of the contradiction inherent in man as both corruptible as well as perfectible. This is at the crux of Bitcoin’s game theory. Instead of naively assuming good intentions in others, the creator of this technology expected that some would try to cheat and attack the network. This is an acknowledgment that we live in a world where we cannot just eliminate psychopaths out of the equation.
This assumption is shared by developers who are committed to Satoshi’s vision of this particular security model. At the Hong Kong Scaling Bitcoin conference, developer Andrew Poelstra explained the mindset that Bitcoin lives in an adversarial environment and that the possibility of individuals acting selfishly and taking advantage of others’ good will needs to be factored into designing its governance. Bitcoin core developer Peter Todd also emphasized the necessity of adversarial thinking. In a Twitter interaction on the topic of security, Todd noted, “security isn’t about people promising they won’t do something, it’s about people being unable to do something”.
When greed and self-interests are condemned or denied, these aspects do not disappear, but are simply pushed out of sight and kept hidden. Efforts through law enforcement to regulate and punish selfish actors can just make them more cunning and deceitful. Bitcoin’s security model is based on honest accounting of our selfishness within. Instead of trying to shun this darkness, it finds a way to acknowledge and openly work with it.
Rule of Algorithmic Consensus
What governs Bitcoin is a consensus mechanism called proof-of-work. By embodying Bitcoin’s particular security assumption, it works like a lightning rod. It attracts potentially destructive forces and diverts them in order to protect the network.
Through using bitcoins as tokens of value with a combination of cryptographic hash functions, game theory and economic incentives, a whole new economy is now being created. Bitcoin mining is a broadcast math competition engaged in by a network of computers around the world with clear rules such as the total number of bitcoin created, a predictable issuance rate and automatic adjustment of mining difficulty. By using precious resources, miners work to solve difficult math problems. Every 10 minutes, problems are solved and whoever solves the problem first wins a fixed number of bitcoins. This process leads to both creation of money and clearing of transactions and it is designed to create economies of scale, with rewards proactively incentivizing all to follow the network rules of consensus.
Miners play a crucial role in the Bitcoin ecosystem. Yet, what makes the system resilient is not just miners and developers, but everyone’s participation in the network. This includes merchants, investors, entrepreneurs and users. Journalist Aaron van Wirdum describes how full nodes that relay and validate transactions within the network check and enforce Bitcoin’s consensus rules. He explains how “not all full nodes are equal from a network perspective”. The full nodes that miners, companies and developers run “all add weight to a set of consensus rules”. Yet, he emphasizes how all users play a crucial role in governance, as they are what ultimately gives Bitcoin value.
By removing third parties, the inventor of this technology found a way to create a direct feedback loop among all participants, aligning the balance of supply and demand with the force of consensus, which is more democratic than the current oligarchic system that operates under a pretense of democracy. In the current financially engineered markets, monetary supply does not correlate with the real needs of people. Yet, with this new Bitcoin market, monetary supply is created through real demand with the feature of infinite divisibility (bitcoin can be divided to 8 decimal places and more if consensus is reached).
The only way miners and developers get paid for their work is to be on the side of consensus, so they are incentivized to respond to the demands of users. This direct feedback loop created through decentralization is a crucial wire that connects the lightning rod with the ground.
Law of Self-Regulation
In the current system of representation, activists and human rights lawyers have been trying to regulate greed and hold selfish actors accountable. ‘Power does not concede without demand’, yet in the existing model of governance, people struggle to make real demands. Any plea for change does not reach the merciless logic of this small section of society. While traditional efforts have been shown to be ineffective in enforcing rule of law upon the elites, Bitcoin brings a new form of accountability through algorithmic regulation.
The Bitcoin incentive structure, designed as a lightning rod, captures and creatively engages the mind of psychopaths. Hare pointed out how a psychopath’s brain is wired differently and how they have weakened moral force. Unlike most people, they cannot overcome temptations and restrain their actions in the face of opportunities for short-term self-gratification. Hare described this as a lack of ability to imagine the consequences of their own actions, noting that for psychopaths, “concrete rewards are pitted against vague future consequences – with the rewards clearly the stronger contender”.
Research from Vanderbilt University on the brain’s reward system in psychopathy further supports this finding. Lead researcher Joshua W. Buckholtz described how in experiments, individuals with high scores in psychopathy get heightened levels of dopamine responses in anticipated rewards compared to non-psychopathic subjects, showing how the brain of a psychopath is more susceptible to rewards. Buckholtz explained that this is because “once they focus on the chance to get a reward, psychopaths are unable to alter their attention until they get what they’re after” and these rewards override any concerns over threat or punishment.
With this ability to think like an attacker, market forces are used in the Bitcoin network to create a kind of electric circuit that allows energy to move naturally and convert it for good use. This enables a new law to regulate ruthless actions without relying on the moral strength of any individual or external authority. Robert Wolinsky, senior manager of blockchain research, explains how “Satoshi introduces a cost equation to cheating/collusion via the proof-of-work protocol”, making it clear to parties what the cost of attacking the network is and having them pay for it upfront. Furthermore, by making the rewards for playing by the rules higher than the value of attacking the network, it can proactively protect the system from the lack of impulse control of those who are instinctively programmed to strike with no remorse.
While the language of altruism and empathy doesn’t compute with those who have fallen from a communal ground, Bitcoin is a source code that speaks the language of cold and calculating rationale that can reach the selfish parts within ourselves and turn on the brain of the super computer of the world. Bitcoin mining reintroduces risk into the market. Here, concrete rewards are used to channel risk-taking and self-serving inclinations, making all compete for honesty and truth. The competitive drive of survival of the fittest, fueled by this global math contest does not create ruthless bloodbaths or make a killing on the back of someone’s misery, but instead is guided to serve the whole network. The fire of this hashing power burns aggressive and violent parts of our humanity, transforming them into generating global level security for all.
Power of Free Speech
Over the decades, many democratic governments have been taken over by cannibals within humanity and become vehicles of control that have lost their fail-safe. Increasingly, people are held hostage by corrupted political systems. While the flow of currency is controlled, free speech as a foundation of democracy has increasingly become permissioned.
Satoshi’s act of publishing the white paper in 2008 unleashed the power of free speech. Progress and true social change is only possible through each person freely sharing their ideas and associating with fellow men and women to innovate better systems. Bitcoin is an open source project that brings together diverse developers around the world who are inspired by Satoshi’s freeing of speech. By writing codes, they too have begun exercising free speech.
While psychopaths deceive us and exploit our trust with promises that never match real actions, Bitcoin, as a holy grail of the Cypherpunks, is stewarded by those who speak with codes instead of making promises. By making software open source, which allows anyone to read and modify the codes, innovators of this system make themselves available to be held accountable by their equal peers. This freely available code calls for voluntary association with this language of risk and reward, which then builds the network demand for armory against any psychopathic attack.
Governance without central authority can at first seem inefficient. But it is more secure than the current system of representation. The more the system reduces the need to trust a third party, replacing it with a borderless network, the lower the security risk becomes. The Bitcoin blockchain opens a door into a pluralistic society where all can participate in creating many governance models and currencies that manifest our true values through the principles of mutual aid and voluntary association. Upon such a secure foundation, progressive ideas of basic income, universal health-care, free tuition as well as privacy and truly free markets can be built as an app.
As Bitcoin gains more value, the proof-of-work lightning rod attracts malicious attackers. Man is fallible and each person alone can’t account for themselves. But, through our genuine efforts of working together to keep the network decentralized, a spark is created that emanates light out of our own darkness. Every 10 minutes, the heart of the Bitcoin network expands, time-stamping on greed and antisocial impulses, so the beast inside does not grow too large. The networked consensus lights the lamp of liberty, validating the universal truth that ordinary people are the source of all legitimacy.
Photo credit – Dr. Frankenstein’s dream II by Joaquin Casarini

May 25, 2016
Security Researcher Revealing "Secure" Advertising Claim By DigiExam As Utterly False Threatened With Copyright Monopoly Lawsuit

Headlines: So it’s happened again – a security researcher showing a marketing claim to be atrociously false has been threatened with a copyright monopoly lawsuit to take down the posted proof. The company DigiExam claims that their examination software is “cheat proof”, which it can’t be by definition when it’s running on somebody’s own computer: these are DRM fantasies. Security researcher Hannes Aspåker developed a proof of concept to show the claim is false and posted it, and was promptly hit with a threat of copyright monopoly infringement lawsuit from DigiExam to take down the proof: DigiExam is deliberately creating chilling effects on free speech in order to protect its false marketing.
DigiExam is a company claiming to sell secure education examinations intended to run in an education environment, but on the student’s own computer. To anybody with a shred of technical knowledge, the security in this situation is utter nonsense, due to the simple fact that DigiExam doesn’t hold the key to the student’s own computer, but the student does: the student can run and modify any code they like to give whatever result they like, including modifying DigiExam’s code to not be cheat proof, which it therefore isn’t to begin with. This is Security 101 for anybody even mildly technically competent.
This hasn’t prevented DigiExam from making bold (and false) claims about being “cheat-proof”. Security researcher Hannes Aspåker decided to face the false marketing head on, and developed a proof of concept showing the modified exam software from DigiExam failing to live up to any of its marketing claims. This is what security researchers do: they puncture dangerous marketing made of nothing but hot air. It didn’t sit well with DigiExam, though. Specifically, when seeing this GIF demonstrating how DigiExam’s product security has been disabled, DigiExam considered it a good idea to threaten the security researcher with a copyright monopoly infringement lawsuit over this particular demonstration artwork, which was made by Aspåker and not them:
This kind of legal threat can cause a lot of people to back down in the face of unknown adversity. Most people don’t know the laws and underlying treaties in detail, and outright fear the concept of facing a courtroom. Thus, such a threat has a chilling effect on legitimate research, even when the threat is utterly baseless, which makes it malicious and in bad faith.
However, this particular security researcher contacted me to ask for some advice, and without technically providing legal advice, I could tell unusually quickly that DigiExam are unusually full of shit. They have no legal clue whatsoever, they’re just angry that someone is pulling the pants down on an obvious lie, and are resorting to anything they can come up with in order to save face. This is a particularly nasty case of deliberately creating chilling effects on baseless takedown grounds just to protect DigiExam’s marketing. (Disclaimer: Aspåker did not ask me to write this article, I’m doing that on my own to call attention to the particularly nasty abuse of legal threats on DigiExam’s part.)
Here’s the (legally) recorded call of when this researcher calls DigiExam back and says he won’t take down the security bulletin in response to the threat:
https://falkvinge.net/files/2016/05/DigiExam-return-call-Thu-May-19-13.12.04-GMT02.00-2016.mp3
Call in Swedish where the threat from DigiExam is reiterated.
What’s said by DigiExam’s representative in this call is the following (at the one minute mark), after the lawsuit threat has been reiterated:
— Aspåker: So I understand you’re claiming copyright [to the second GIF and demanding I’m taking it down]?
— DigiExam: Yes. Our logotype and our interface is our brand, and we have trademark protected them. It’s simply our property.
Let’s review: they are claiming they hold a copyright monopoly to the GIF (which was created by Aspåker, not them), and are saying that the logo and interfaces are their trademark, “simply our property”. This is a stunning ignorance and conflation of wildly different exclusive rights – the copyright monopoly and trademark rights – not to mention the utter clueless confusion with property rights, which is something completely different again from exclusive monopolies.
First, the copyright monopoly goes to the creator of an artwork, end of story. The creator is Aspåker. There can be some problems when other people’s artwork can be seen as part of the new work, and they did claim something about the logotype, something that literally thousands of court cases have determined is perfectly fine to portray in critical reports. Further, they move on to claim trademark rights – where you register your name (or color or smell, etc.) in one of 45 classes of goods and services, to prevent other actors in that class from using your trademark. It’s noteworthy here that if you don’t sell a good or service, you can’t infringe on somebody’s trademark by definition. DigiExam aren’t even aware of these most basic concepts of the threats they’re spewing.
To top it off, Aspåker’s advisory was posted on Medium, which doesn’t go by Swedish laws in the first place but United States code, which has an extensive Fair Use defense against this type of bullshit. Oh yeah, there’s also that rather important detail: Aspåker isn’t the legal publisher in the first place, Medium is. DigiExam had no business giving a Cease and Desist to Aspåker to begin with: he’s the legal equivalent of a reporter publishing at Medium.
(However, in republishing the GIF here on this blog, I am also taking on that role as publisher. And I’m based in Sweden. As a constitutionally protected publisher. I also happen to be one of the world’s leading experts on copyright monopoly law, unlike DigiExam, and would love to crush such assholes under ten tons of bricks if they so much as whisper a threat to me.)
The Internet doesn’t take kindly to baseless takedown threats in order to save one’s own face – in particular not copyright monopoly threats against security disclosures. This shit should be criminal. This action from DigiExam was far more harmful than the security bulletin in the first place, and they deserve to know what the Internet thinks of their shit. This kind of behavior, to throw around force and legal threats to deliberately create chilling effects against researchers who reveal your marketing claims as bullshit, is one of the least acceptable things conceivable to free speech.
The full article by Hannes Aspåker is reproduced (and republished!) below for reference.
The Myth of the Cheat Proof Digital Exam
Why it is impossible to lock someone out of their own computer
The age-old tradition of pen-and-paper exams has barely changed at all over the last century, and it carries with it a lot of burden. They are costly and environmentally unfriendly to print. Students complain of hand cramps and teachers grumble over unreadable handwriting. And what to do when one of the students’ exams is misplaced and then trashed by the janitor?
Of course, there is a reason exams have not yet experienced the digital revolution that most other parts of our society have. If you let students write exams on their own computers, the technology not only streamlines the process, but also inadvertently gifts the test takers with thousands of new and imaginative ways to cheat the system — smuggling hand-written notes will seem like the stone age when compared to Wikipedia. The alternative, schools supplying a trusted test device to each student in the class, is an economical and administrative nightmare.
This has not stopped a handful of young startups from trying to tackle this problem. The most successful one I have heard of, the Swedish company DigiExam, promises the best of both worlds: Students can bring their own devices to the exam hall, and their system will ensure that they can not use the computers to cheat while writing their answers.
The company has seen a fair bit of success. The application is used at more than 600 schools in over 40 countries, including more prestigious ones such as the Stockholm School of Economics and Columbia University.
Unsurprisingly, the cheat proof aspect plays an important role in their marketing: On the website they boldly label themselves as “Easy to use — Cheat proof — Reliable”. A slogan that, unfortunately, falls flat as soon as you realise it would take a competent student no more than 15 minutes to circumvent every single safeguard they have put in place.
To be fair, it must be said that DigiExam has made an admirable effort to prevent abuse. When the exam has started the student can do nothing but answer the questions — no switching to Wikipedia to check some quick facts. Full kiosk mode is enforced, and with it the menu bar, desktop switching, and all other functions not strictly necessary for completing the exam are disabled. Scheduling a script to pause the process at system level after the exam has started will just leave you with an unresponsive screen. You might try to bypass all this by opening the app in a virtual machine, but you will find that DigiExam easily detects the VM and shuts itself down.
As said, it is an admirable effort, but ultimately futile. Because the challenge they are trying to solve is — by definition — impossible.
When somebody owns a computer, that in all likelihood means they have root access to it. And when they have root access, they are capable of changing the behaviour of any program that runs on it in any way they’d like.
How To Disable Cheat Protection in Any Digital Exam
An application is essentially just a bunch of machine instructions: a collection of ones and zeroes that tells the computer which commands to execute. If you want to change the behaviour of an application you have been given, the most reliable and universal way of doing that is to directly edit these machine instructions — changing the ones and zeroes — to do something else.
To do this you will need a disassembler (for OS X, I recommend Hopper) and/or a hex editor (such as Hex Fiend).
A screencast of me editing the binary of an open source program
Now, I will not show you how to break DigiExam specifically, as I would not want to make it entirely too easy for an enterprising student to use this article in order to gain an unfair advantage. But I will tell you the general process of how to disable certain parts of an application, a method which can be applied to DigiExam as well as any other digital exam software.
The first step is to disassemble the application (convert it from machine code to a more readable format) using a disassembler such as Hopper. Then follows some detective work where we search the disassembled application for the method responsible for enabling cheat protection, either by following its flow of execution or by searching directly among the names of its methods and variables.
When we have found the part of the program that we want to disable, we neuter it by modifying or removing some of the machine instructions so that it no longer performs its intended function. We can either do this in the disassembler and then reassemble the program, or we can edit the binary of the application directly using a hex editor.
Generally, only small adjustments are necessary. Disabling an entire section of code often requires nothing more than setting the value of a global constant to 0 instead of 1, or changing a jump if equal (je) instruction to its opposite, jump if not equal (jne).
In fact, to disable every kind of cheat protection in DigiExam the student only needs to modify two machine instructions at two specific places. This takes no more than 15 minutes — 10 minutes to find the relevant sections and 5 minutes to make the changes.
A modified version of DigiExam with cheat protection disabled
I can not understate the inevitability of this exploit, as there is nothing DigiExam can do to prevent this. Any safeguards they attempt to construct, no matter how complex, can (and will) ultimately be dismantled by someone using this technique.
The only sliver of protection available is to employ what is known as obfuscation and anti-tampering techniques. These increase the time investment required by making it harder (but not impossible) for malicious users to explore and understand the codebase.
Recently, advanced (and ghoulishly expensive) obfuscation software has miraculously increased the time until cracked versions of AAA video games hit the internet from a few days to a few weeks or months. This works wonders in the video game industry, where the majority of units are sold immediately after release, but is only a small comfort for an exam software that is meant to be used indefinitely.
The Full Extent of the Problem
So digital exams on personal computers can never be trusted, but why should we care? It is a fair question. After all, regular exams can be cheated as well. And if the student needs access to special technical knowledge to do so, that does not seem very problematic.
But in reality, it will require neither knowledge nor effort. The application needs only be cracked once by a single individual, such as me, who can then upload and share the corrupted version with either their friends or with all 600 schools.
As such, a widespread adoption of digital exams could enable a black market of cheating software. This is especially true for DigiExam, whose exam interface is just a basic webview. With a compromised version of the application you can easily write or download simple JavaScript extensions to help you in various clever ways. Think Chrome App Store, but for cheating.
And while cheating on a regular exam is confined to concealed notes or peeking at your neighbour’s desk, in the digital world only your imagination sets the limit. Automatic spelling and grammar correction? Piece of cake. An extension that grabs and copies the answers from a friend writing the same exam? Sure. It could even paste the answers letter for letter in sync to random tapping on the keyboard, to make it appear as if typed out by hand. If you can dream it, you can do it.
In spite of this, the Swedish National Agency for Education has decided DigiExam fulfills its criteria for a secure digital examination. With this official seal of approval the application was used by more than twenty thousand Swedish students when writing the national subject exams this spring.
So maybe next year, upping your grade on the national exam could be as easy as finding your favourite among a growing batch of cheating software. A digital revolution for sure — but is it in the right direction?
A note about responsible disclosure
Usually when I discover a security flaw in a piece of software or on a website I contact the authors in private and give them time to fix the issue before going public, a process known as responsible disclosure.
This, however, is not a fixable bug. This is an inherent and unfixable flaw with the entire concept of digital exam software. Therefore, while I have contacted DigiExam ahead of time and notified them about this article, I felt I was unable to offer them a timeframe in which to “fix” it. Furthermore, responsible disclosure also entails disclosing vulnerabilities to the public as early as possible to allow the users to make informed decisions as to the safety and security of the tools they employ.
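The small-adjustment patches Aspåker's article describes (a je turned into jne, a constant set to 0 instead of 1), seen from the side of someone holding a known-good copy: this added Python example, which is not from the article or from DigiExam, diffs a suspect build against a reference build and labels each change. The byte strings, function names and labels are constructed for illustration, and the opcode match is a byte-level heuristic rather than a disassembly.

```python
"""Compare a suspect build against a reference build and classify each change."""

# x86 conditional jumps: the short form is one opcode byte 0x70-0x7F, the near
# form is 0x0F followed by 0x80-0x8F. In both forms the lowest bit of the
# condition code inverts the condition, so je (0x74) and jne (0x75) differ by
# exactly one bit.
SHORT_JCC = range(0x70, 0x80)
NEAR_JCC = range(0x80, 0x90)


def changed_runs(reference: bytes, suspect: bytes):
    """Yield (offset, old, new) for each contiguous run of differing bytes."""
    if len(reference) != len(suspect):
        # An in-place patch keeps the file size; anything else needs a
        # different comparison (whole-file hash, section-by-section diff).
        raise ValueError("length differs: not an in-place patch")
    start = None
    for i, (a, b) in enumerate(zip(reference, suspect)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            yield start, reference[start:i], suspect[start:i]
            start = None
    if start is not None:
        yield start, reference[start:], suspect[start:]


def classify(reference: bytes, offset: int, old: bytes, new: bytes) -> str:
    """Label a changed run. Heuristic: bytes are matched without disassembly."""
    if len(old) == 1:
        a, b = old[0], new[0]
        if a ^ b == 1:  # only the condition-inverting bit changed
            if a in NEAR_JCC and offset > 0 and reference[offset - 1] == 0x0F:
                return "inverted near conditional jump"
            if a in SHORT_JCC:
                return "inverted short conditional jump"
        if a == 1 and b == 0:
            return "flag set to 0 instead of 1"
    return "other modification"


def audit(reference: bytes, suspect: bytes):
    """Return [(offset, old_hex, new_hex, label)] for every changed run."""
    return [
        (off, old.hex(), new.hex(), classify(reference, off, old, new))
        for off, old, new in changed_runs(reference, suspect)
    ]


# Constructed sample: a few x86-64 instructions followed by a 4-byte constant.
REFERENCE = bytes.fromhex(
    "55 4889e5"        # push rbp; mov rbp, rsp
    "85c0 7405"        # test eax, eax; je +5        (short form)
    "e810000000"       # call +0x10
    "85c0 0f8420000000"  # test eax, eax; je +0x20   (near form)
    "5dc3"             # pop rbp; ret
    "01000000"         # constant: 1
)
# Constructed tampered copy: three single-byte edits, same length.
SUSPECT = bytearray(REFERENCE)
SUSPECT[6] = 0x75    # je  -> jne (short)
SUSPECT[16] = 0x85   # je  -> jne (near)
SUSPECT[23] = 0x00   # constant 1 -> 0
SUSPECT = bytes(SUSPECT)


if __name__ == "__main__":
    for offset, old, new, label in audit(REFERENCE, SUSPECT):
        print(f"0x{offset:04x}: {old} -> {new}  {label}")
```

The comparison only means something when it runs on a machine the verifier controls, against a copy of the file the verifier obtained itself; executed on the student's own computer it can be patched out like any other check.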

