Archive for the ‘rant’ Category

A better WannaCry advisory for schools

The Ministry of Education sent out a very poor advisory to schools about “WannaCry” today, based primarily (from what it seems) on the poor information coming from CERT-NZ. The advisory contains several factual errors, which the Ministry should not be spreading to schools.

I’ve written an improved advisory (I’ll update it as required).


Open source in government is not important

Labour’s “ICT” policy includes a statement on “Open software” in government, part of which is attempting to get two thirds of government agencies to use some sort of open-source software by 2015.  This is basically what you expect from politicians when talking about “ICT” (or nearly anything, unfortunately) – they jump on whatever bandwagon/buzzwords are popular without any understanding of what should be done.

Firstly, I would be shocked if more than two thirds of government agencies were not already using some form of open-source software.  For a start, it’s nearly impossible to use the Internet without accessing something running Linux or Apache.

More importantly, it makes no sense at all to aim for governments to be using more open-source software.  They should be using the software most suited to the job at hand, whether closed source or open source.  What benefit is there in requiring open source?  If they think it’s cheaper, then they should look more closely, because it’s often not.  The same applies to being more secure.  There are absolutely situations where the best choice is an open-source one – but there are absolutely situations where closed source is better.  I don’t want government employees forced to use less than the best tools because of some ideological burden placed on them by someone wanting a cushy job for the next three years.

They have a few other requirements:

Software developed in-house will be made publicly available.  A nice idea, but (a) I’m fairly sure that most of the in-house software is of no use to anyone else, (b) I suspect most of the software you’d assume was in-house was actually developed by non-government contractors, and, most significantly, (c) not all code is ready to be shared.  If a government sysadmin writes a quick script to do a job, do we really want to add the pressure that it will be publicly available (and given that it’s the government, it’s reasonable to assume that someone will be looking at everything)?  As long as the software does the job, that’s good enough (in the “in-house” context).  What would be worthwhile is ensuring that government agencies consider whether software should be released to the public – I’m sure that there is some that would be of general interest and where the quality is suitably high.

Agencies considering technology purchases over $2 million would first evaluate whether publicly available technology would substantially meet their requirements.

Ugh.  A technology purchase over $100 should involve consideration of whether there was an existing public tool that could do the job – this should always be the case, not just for obscenely costly jobs.

Labour would also create a government “app store” to provide “a short circuit for fledgling NZ software developers to get to market” which would allow local developers to submit software for purchase by government agencies. Labour promises to ensure “informed neutrality” in software purchasing with due consideration of open-source software.

I really don’t understand what this is trying to achieve.  There’s no indication that local developers would be preferred (only, with no reasoning, open-source software), so how does this help local developers?  This sounds like a way to spend a lot of money for very little gain.

What they are missing are the most important “open”s: open standards (and open formats) and open data.

Governments should only be using software that produces and accepts files that are in formats that are open standards (this includes Microsoft Office documents).  We do have a “New Zealand official interoperability framework definition” already, but it could be significantly expanded on (see what other governments require, for example).  Everything the government produces should be in some sort of open format and everywhere the government accepts data at least one open format should be accepted.  Open standards apply to other areas too, but open formats are the key in “ICT”.

We have a limited commitment to open data already (see data.govt.nz).  This should be significantly expanded on – every data set that the government creates (and there are a huge number of these) should be publicly available, so that (a) we have transparency, and (b) other researchers can benefit from the data.  The only limitation is privacy – unfortunately even when a data set appears to be anonymous it is often possible to identify individuals – it would be worth spending money on figuring out how to get past this so that we can share just about everything without breaching individual people’s privacy.

Bad Analogies

NetHui 2011 is currently in progress, so there’s a lot of discussion about Internet usage in New Zealand, and – of course – the controversial amendments to the Copyright Act.  TUANZ’s Paul Brislen tweeted something I’ve seen and heard (in various forms) a lot recently:

Cf electricity. Won’t cut me off because I look at something I shouldn’t on my PC so why is it ok to cut off my Comms if I do? #nethui

Variations of this substitute other tools for electricity, and the analogy is generally used to say that the amendment (which allows a District Court to order an ISP to suspend the account of a user) goes further than other laws, which don’t take away the tools you used to break the law when you are convicted.  This is true in some cases – if I hit someone with a bat, I get to keep the bat and my right to use it, if I use lockpicks to break into someone’s home, I get to keep the lockpicks and my right to (legally) use them.  However, it’s not always true.  I believe if I use a gun to kill someone, I (permanently?) lose my right to a gun license, and I think that I also lose the gun.  To use an analogy that’s more likely to be something people have experience with, if I break the law while driving a court may temporarily suspend my right to drive, and I may also have my car impounded.  I pointed this flaw out to Paul, who responded:

cars are not a utility. Banning you from all transport is a better analogy for my analogy.

[…] it’s not your acc that’s banned, it’s you. Unenforceable.

This demonstrates my point about analogies being a flawed way to educate people about issues with changes to the law.  I am not a lawyer, but I am fairly certain that Paul is wrong, has been swayed into believing this by the analogy, and is making others believe this by repeating it.  The amendment states (Section 122O (1)):

A District Court may, on application by a copyright owner, make an order requiring an ISP to suspend the account of an account holder for a period of up to 6 months (emphasis mine)

You don’t lose the right to use transport – you lose the right to drive a car.  You can still use a friend’s car (Internet connection), or public transport (public Internet access is available at our wonderful public libraries).  I believe the transport analogy is significantly better than (e.g.) electricity, because of this similarity, and because the punishment must be enacted by a District Court, is limited term, and comes into effect only when the crime is significant enough or repeated enough to be warranted.  However, there are still areas in which it doesn’t work as an analogy – for example, I don’t lose the right to drive if I use my car as a getaway vehicle in a bank heist (although neither do I lose my Internet access if I rob a bank with it).

The problem here is in using analogies at all.  No matter how carefully you select the “lie-to-children”, the analogy will be an imperfect match and will lead to people forming opinions based on an erroneous understanding of the facts.  The original furor over the S92A amendment was full of these – the amendment had plenty of problems, but most of the uproar was based on misunderstanding and propaganda.

I’m not saying that including the ability for a court to suspend an Internet account is a worthwhile part of the law: as Paul himself said, it’s useless (I’d say weak rather than useless) because it’s so easy to replace the account with another, and I feel it’s too specific (in much the same way as specifying talking on a phone while driving as illegal is too specific) to be enshrined in law, and there’s no evidence that copyright needs to be protected in this way as opposed to other crime (e.g. one does not lose Internet access for viewing child pornography, unless that happens to be a copyright violation).  What I am saying is that I’d like to see some informed debate about these changes to the law.

Paul’s right when he says that the law is complicated and hard for many to understand.  I thoroughly agree with his point that using examples and “what if” scenarios is a good way to help people understand.  However, I think it’s dangerous to let a lie-to-children carry on too far.  Eventually the children need to grow up and learn the truth (as we understand it), and when it comes to making laws, understanding the truth is essential.  You can’t fit an example into a soundbite, but you can give an easy-to-understand example of how suspension will (if this part of the Act is ever ‘turned on’) work in practice.  For example:

John downloads episodes of Outrageous Fortune illegally.  The owner of that content detects this, and informs John’s ISP, who gives John a warning.  John continues to download this material, and after a month the content owner again informs John’s ISP, who again warns John.  John still ignores the warnings, and continues to download the material.  A month later the content owner informs the ISP yet again, who again notifies John.  The content owner then applies to the District Court to have John’s account with his ISP suspended.  John admits to the Court that he is guilty, and the Court considers his specific circumstances and orders his ISP to suspend his account for a three-month period.

This example leaves out a lot of detail (e.g. the official names for each warning, the minimum and maximum periods between each notice, exactly what the court needs to consider, any action taken by the Tribunal, what happens if John denies the allegations, and more), but I don’t believe it contains any errors, and I do believe that it’s simple enough for anyone to understand what would actually happen in practice.  It doesn’t fit in a tweet, and it takes a minute or two more to express than an analogy, but isn’t informed debate about the laws of our country worth the extra time?

Why “3 tries and you’re locked” *weakens* security

Some organisations have a security policy that after three failed authentication attempts an account is locked (requiring manual unlocking by an IT support person) – the goal is to strengthen security, but this actually decreases the security of the organisation.

Why the Government should ignore the People

The infamous “Section 92A” that so riled people up, was this (in full):

92A Internet service provider must have policy for terminating accounts of repeat infringers

(1) An Internet service provider must adopt and reasonably implement a policy that provides for termination, in appropriate circumstances, of the account with that Internet service provider of a repeat infringer.

(2) In subsection (1), repeat infringer means a person who repeatedly infringes the copyright in a work by using 1 or more of the Internet services of the Internet service provider to do a restricted act without the consent of the copyright owner.

This is entirely reasonable.  All it says is that there has to be a policy – it says nothing about the policy other than it must be ‘reasonably implemented’ (where the court gets to decide what is “reasonable”), and that there has to be some way to get to termination of an account in repeat infringement cases.

Despite what huge numbers of people claimed: there is no “guilt on accusation” here and there is no “3 strikes” here. However, through the bad reporting that is unfortunately common now, that’s what people believed, and they made a huge fuss about it, and the Government cravenly caved in to pressure from “the People” and have come up with a new version.  I can’t post the full text of the new version here, because it’s 18 sections long.

With S92A, it was up to the ISPs (or “IPAP”s) to decide what a suitable policy was.  Given that writing policy is hard work, it’s likely that there would end up being a fairly boilerplate policy adopted by most ISPs, but there was no requirement for a central policy.  A “reasonable” policy could be that (a) the rights holder must have proved in court or through the Tribunal that an infringement took place, and (b) the termination would be for no more than one day per infringement (recall that file sharing may involve hundreds of infringements in a single case).  Probably the major ISPs would have had something closer to what’s now law, with a system of warnings and notices and probation periods, but it would be up to the ISP and if the consumers cared, then they could choose based on this policy.  Certainly the policy could “reasonably” have required more than 3 infringements.

Importantly, if the policy needed adjustment (perhaps to limit the number of infringement notices from a single rights holder to counter blanket accusations), that would be something that the ISP could decide to do and implement at any time.  What we have now instead is a policy that’s enshrined in law, so the Government needs to pass an amendment to change anything (and given the ruckus each time this is touched, that seems unlikely).

The irony here is that if “the People” had just (a) read the original version, and (b) shut up about it, or if the Government had ignored the People, we would have had a much simpler and more flexible law that most people would probably have been happier with.  (There are other changes in the Amendment, like the definition of an ISP/IPAP, that are genuinely superior – I’m referring only to the infringement policy).

Instead, we now do have a “3 strikes” law (but it’s not “guilt on accusation”).  However, if you actually bother to take the time to read it, it’s really not that bad (unless you’re guilty of illegal file-sharing, of course.  In that case you need to (a) campaign for copyright reform if you honestly believe that it should be legal, and (b) stop breaking the law).  I much prefer the old version where the policy wasn’t in law, but since “the People” more-or-less killed that possibility, this is probably as good as we’ll get.  Note how many hoops have to be jumped through in order to get a 6-month account suspension – it’s really not going to be that common.

(Note, too, that there’s nothing preventing you from opening an account with another provider (assuming they’ll have you, and probably they won’t care).  This is unlike (e.g.) driving-related cases where you are forbidden to drive at all for a period of time.  Imagine if someone convicted of a DUI wasn’t allowed to drive that vehicle for 6 months, but could drive anything else!).

I can see two potential problems with the Amendment, both unfortunately reasonably likely.

  1. Because this is an election year and because people don’t understand what they are riled up about, the Amendment gets overturned (or amended again) in a year or so – we need some stability here, even if the law isn’t perfect.  Perhaps then the people that work on this stuff could start figuring out the copyright issue in more totality and leave file-sharing alone.  (i.e. how long should copyright last? should computer code be copyrightable? should we get rid of copyright altogether?)
  2. The courts get convinced that penalties should be foolishly high (there are plenty of US cases that could be used as examples here).  For example, if the work is a song, and there is evidence that 1,000 people gained access to that song through the infringer, then the absolute maximum penalty should be $2390 ($2.39 to buy the song from iTunes x1000).  In nearly all cases it should be considerably less, because (a) not all of the 1,000 people would have purchased the song (so the damages do not apply), (b) the cost of the song is often much less, and (c) the sharing may have increased sales in some cases (evidence of this should be provided).  It would be much better if the law restricted the fine to something that reflected damages (i.e. no punitive fines).  I’m hopeful that this won’t happen – if you look at judgements in New Zealand most often the punishment is far less than what “reasonable people” could consider merited – so if anything we may get the opposite effect, where the fines are extremely minimal.

(I do absolutely agree that passing the Amendment under an urgency created to deal with the earthquake is extremely inappropriate.  My guess is that there was room to put it in, so they wanted it out of the way (particularly as far before the election as possible).  More care should be taken by the Government about what gets dealt with under urgency – this is hardly the first inappropriate example).

An actual problem with the Copyright (Infringing File Sharing) Amendment Bill

The most glaringly wrong part of the Amendment is this:

122PB Application of section 122C to cellular mobile networks

(1) An IPAP need not comply with either of the obligations in section 122C(1) in respect of the services it provides by way of a cellular mobile network.

(2) Subsection (1) is repealed with the close of 31 July 2013 (but see subsection (3)(c)).

(3) The Governor-General may, by Order in Council made on the recommendation of the Minister, do all or any of the following:

(a) repeal this section:

(b) repeal subsection (2):

(c) amend subsection (2) by replacing the date specified in that subsection with any other date, whether that date is earlier or later than the one it replaces:

(d) revoke or amend any Order in Council made under this section (the principal order), but only if the repeal, amendment, or revocation effected by the principal order has not taken effect.

(4) The powers in subsection (3) may be exercised more than once.

This makes absolutely no sense.  A rights violation doesn’t change based on the medium used – why should it matter if the Internet access is via cellular data, microwave, satellite, fiber, copper DSL, or copper dial-up?  Even the authors of the Amendment clearly know that it makes no sense, which is why there’s the built-in expiry and ability to remove it at essentially any earlier time (or, crazily, extend it).

Unless the point is to encourage everyone to illegally file-share over cellular data?  Given that the prices are higher, I’m sure the providers would be happy with that…

Guilt if not denied, not guilt on accusation

Once again, many New Zealanders are saying incredibly incorrect things about copyright law – most of them because they are parroting other people in a twisted Chinese whispers style of journalism.  People are calling the latest changes “guilt on accusation”.  All you have to do is actually read the amendment (which is not something that many do) and you can tell that is not the case.

The relevant part of the amendment is this:

122MA Infringement notice as evidence of copyright infringement

(1) In proceedings before the Tribunal, an infringement notice is conclusive evidence of the following:

(a) that each incidence of file sharing identified in the notice constituted an infringement of the right owner’s copyright in the work identified:

(b) that the information recorded in the infringement notice is correct:

(c) that the infringement notice was issued in accordance with this Act.

(2) An account holder may submit evidence, or give reasons, that show that any 1 or more of the presumptions in subsection (1) do not apply with respect to any particular infringement identified in an infringement notice.

(3) If an account holder submits evidence or gives reasons as referred to in subsection (2), the rights owner must satisfy the Tribunal that the particular presumption or presumptions are correct.

What this says is that if you are accused and you do not deny the accusation then the tribunal does not need to consider additional evidence – they can get on with the rest of their work.  As soon as you say “no, this wasn’t a rights violation”, or “there’s a mistake here”, or “this notice wasn’t in the right form”, the burden is explicitly on the rights holder to prove guilt.  In case this is “TL;DR”, it’s the final words: “the rights owner must satisfy the Tribunal that the particular presumption or presumptions are correct.”

This doesn’t mean you are guilty until proven innocent – this means that if you can’t be bothered denying the accusation, then the Tribunal doesn’t have to waste a lot of time looking at evidence.  If you’re innocent, all you need to do is point that out, and you are presumed to be correct until proven otherwise.