In addition, ICANN just posted a summary of negotiations around the Registrar Accreditation Agreement and Law Enforcement requests. First among those requests from law enforcement:

(a) If ICANN creates a Privacy/Proxy Accreditation
Service, Registrars will accept proxy/privacy registrations only
from accredited providers; (b) “Registrants using privacy/proxy
registration services will have authentic Whois information
immediately published by Registrar when registrant is found to be
violating terms of service”

Now, even the WHOIS Review Team, which was not heavy with privacy advocates (thanks to those who were there!) acknowledged several legitimate uses of privacy or proxy services in domain registration, including from companies seeking to hide upcoming mergers or product launches; organizations sharing minority or controversial viewpoints; individuals; and webmasters registering on behalf of clients. The Non-Commercial Stakeholders Group listed others who might be concerned about publishing identities in domain registration in comments on a .CAT privacy amendment.

Would the proposed amendments (whose language is apparently agreed-upon but unshown to the broader community) protect these interests? Would they protect the confidentiality of an attorney-client relationship, where the attorney acted as proxy for a client? Will we all have to use ccTLDs (such as .is) whose operators are not bound by these rules? More once we hit the ground in San Jose…

foxylad on Hacker News gave us “Today’s sysadmin todo list:”

0. Get corporate membership with EFF.

1. Identify all applications with user-generated content.

2. Move all associated domains to a non-US based registrar.

3. Migrate DNS, web serving and other critical services to non-US based servers.

4. Migrate yourself to a non-US controlled country.

I’m sorry for US sites and users. Your government is hell-bent on turning the internet into a read-only device like TV, easily regulated and controlled.

Now I still believe that the United States’ First Amendment gives strong protection to free expression, online or off. But so long as the administration’s enforcers are playing with domain takedown like a shiny new toy gun, aimed without regard due process of law, online speech that depends on U.S. registries or registrars is at risk. I’ve registered my domains through the excellent Canada-based Hover, but the .com, .net, and .org registries are still located in the U.S. and hence vulnerable. I don’t think anything on my sites infringes, but that’s one more chance than I’d be taking outside U.S. jurisdiction.

Iceland, on the other hand, has expressed a strong commitment to free, online expression. I’m happy to support Iceland’s free-speech haven by moving some of my business there. If enough others do too, perhaps that jurisdictional arbitrage will show the U.S. government the harm that bad law-enforcement and bad law inflict on U.S. business and society.

Plus, what’s not to like in such fun URLs as http://wendy.seltzer.is/blogging (which redirects here) and http://wendy.seltzer.is/writing (which I’m counting on to inspire me to do more!)

Justice Breyer, joined by Justice Alito, gave a stirring dissent. Copyright law, he said, must be “designed to encourage new production,” not just redistribute works already created. Re-copyrighting already-written works “does not encourage anyone to produce a single new work.” Instead, backwards-looking copyright grants create a serious public choice problem:

Whereas forward-looking copyright laws tend to benefit those whose identities are not yet known (the writer who has not yet written a book, the musician who has not yet composed a song), when a copyright law is primarily backward looking the risk is greater that Congress is trying to help known beneficiaries at the expense of badly organized unknown users who find it difficult to argue and present their case to Congress.

We see the same problem with SOPA and PIPA. The legislation pits organized incumbents against future innovators. Congress risks being captured by the lobbying power of current copyright industries, organized in the MPAA and RIAA, before the artists who have yet to create and the industries who support them can find their political voice. But the SOPAstrike reminds us that more than industry interests are at stake here — the general public, the editors of and users of Wikipedia, the contributors and readers of Reddit and the coders and browsers of Mozilla also create and bring value to the Internet.

Golan reminds us too that we can’t count on the courts to help us where Congress gets copyright wrong. The majority leaves a great deal to Congressional discretion, as it did in Eldred (striking down a challenge to copyright term extension): “the Copyright Clause does not demand that each copyright provision, examined discretely, operate to induce new works.” In a chilling phrase, the Golan majority quotes the district court’s finding of a “settled rule that private censorship via copyright enforcement does not implicate First Amendment concerns.”

Perhaps a later Court will see the First Amendment as a stronger check on Congressional power to restrict speech in the name of copyright, but where we can’t count on 5 (Justices), defenders of free communications on the open Internet will need to count to 51% of Congress. Keep up the pressure, it’s having an impact!

Now, while we hear that DNS-blocking is off the table, the bills remain threatening to the network of intermediaries who carry online speech. Most critically to Tor, SOPA contained a provision forbidding “circumvention” of court-ordered blocking that was written broadly enough that it could apply to Tor — which helps its users to “circumvent” local-network censorship. Further, both bills broaden the reach of intermediary liability, to hold conduits and search engines liable for user-supplied infringement. The private rights of action and “safe harbors” could force or encourage providers to censor well beyond the current DMCA’s “notice and takedown” provision (of which Chilling Effects documents numerous burdens and abuses).

On January 18, we’re joining Wikipedia, Reddit, the MIT Media Lab, and hundreds of others in protest, turning a portion of the Tor site black to call attention to copyright balance and remind the US Congress and voters of the value of the open Internet.

U.S. citizens, please call or write, to urge your representatives to stop SOPA and PIPA. Elsewhere in the world, keep an eye out for similar legislation. and bring the fight there too.

The House’s Stop Online Piracy Act is in Judiciary Committee Markup today. As numerous protests, open letters, and advocacy campaigns across the Web, this is a seriously flawed bill. Sen. Ron Wyden and Rep. Darrell Issa’s proposed OPEN Act points out, by contrast, some of the procedural problems.

Here, I analyze just one of the problematic provisions of SOPA: a new”anticircumvention” provision (different from the still-problematic anti-circumvention of section1201). SOPA’s anticircumvention authorizes injunctions against the provision of tools to bypass the court-ordered blocking of domains. Although it is apparently aimed at MAFIAAfire, the Firefox add-on that offered redirection for seized domains in the wake of ICE seizures,[1] the provision as drafted sweeps much more broadly. Ordinary security and connectivity tools could fall within its scope. If enacted, it would weaken Internet security and reduce the robustness and resilience of Internet connections.

The anticircumvention section, which is not present in the Senate’s companion PROTECT-IP measure, provides for injunctions, on the action of the Attorney General:

(ii)against any entity that knowingly and willfully provides or offers to provide a product or service designed or marketed by such entity or by another in concert with such entity for the circumvention or bypassing of measures described in paragraph (2) [blocking DNS responses, search query results, payments, or ads] and taken in response to a court order issued under this subsection, to enjoin such entity from interfering with the order by continuing to provide or offer to provide such product or service. § 102(c)(3)(A)(ii)

As an initial problem, the section is unclear. Could it cover someone who designs a tool for”the circumvention or bypassing of” DNS blockages in general — even if such a person did not specifically intend or market the tool to be used to frustrate court orders issued under SOPA? Resilience in the face of technological failure is a fundamental software design goal. As DNS experts Steve Crocker, et al. say in their Dec. 9 letter to the House and Senate Judiciary Chairs, “a secure application expecting a secure DNS answer will not give up after a timeout. It might retry the lookup, it might try a backup DNS server, it might even restart the lookup through a proxy service.” Would the providers of software that looked to a proxy for answers –products “designed” to be resilient to transient DNS lookup failures –be subject to injunction? Where the answer is unclear, developers might choose not to offer such lawful features rather than risking legal attack. Indeed, the statute as drafted might chill the development of anti-censorship tools funded by our State Department.

Some such tools are explicitly designed to circumvent censorship in repressive regimes whose authorities engage in DNS manipulation to prevent citizens from accessing sites with dissident messages, alternate sources of news, or human rights reporting. (See Rebecca MacKinnon’s NYT Op-Ed, Stop the Great Firewall of America. Censorship-circumvention tools include Psiphon, which describes itself as an “Open source web proxy designed to help Internet users affected by Internet censorship securely bypass content-filtering systems,” and The Tor Project.) These tools cannot distinguish between Chinese censorship of Tiananmen Square mentions and U.S. copyright protection where their impacts — blocking access to Web content — and their methods — local blocking of domain resolution — are the same.

Finally, the paragraph may encompass mere knowledge-transfer. Does telling someone about alternate DNS resolvers, or noting that a blocked domain can still be found at its IP address — a matter of historical record and necessary to third-party evaluation of the claims against that site — constitute willfully “providing a service designed … [for] bypassing” DNS-blocking? Archives of historic DNS information are often important information to legal or technical network investigations, but might become scarce if providers had to ascertain the reasons their information was being sought.

For these reasons among many others, SOPA should be stopped.

This conversation about domain name abuse benefits from a multi-stakeholder environment, where it can include domain registrars, registrants, and Internet users, along with law enforcement representatives. Broad debate helps because the question is not just how to “mitigate criminal activity using the domain name system,” but how to recognize criminal activity at the DNS level, how to implement due process to protect legitimate online speakers from abusive or mistaken takedowns, and how to protect the privacy and security of non-criminal users of the domain name system.

ICANN’s processes, particularly the GNSO Policy Development Process, are designed to bring these viewpoints together and find consensus. The Generic Names Supporting Organization has representatives from domain registries, registrars, business, and non-commercial users. (I sit on the GNSO Council as a Non-Commercial Stakeholder Group representative.) Governments are invited to participate in these processes, as well as having a specially privileged role to give “Advice” to the ICANN Board, which the Board must explicitly consider. The rights of domain registrants and Internet users depend on the terms of the Registrar Accreditation Agreement between domain registrars and ICANN. Under all the acronyms lie important issues of free expression.

Yet the U.S., speaking through the GAC, demanded a bigger stick and a smaller discussion, asserting that domain registrars should have unilaterally acceded to the 12-point law enforcement demands instead of going through community comment, negotiation, and discussion. The U.S. cannot simultaneously seek public support for multistakeholder processes while attempting to circumvent those processes in action. Thus I welcome the ICANN Board’s resolution starting an Issue Report for the GNSO to consider issues for RAA amendment.

Now some of the law enforcement demands — publication of a contact address, identification of registrars’ principals — appear relatively innocuous, but even those could be the prelude to assessing intermediary liability and pressure on those who facilitate speech. More troubling, law enforcement wants to force registrars to do extensive verification of domain name registrants’ identities, and to constrain the privacy and proxy services that currently permit registrants to shield identities and addresses from public disclosure.

Domain names are often tools of individual and group expression; not so much through expressive content of the strings themselves, but through the speech hosted at a domain, the conversations carried on through URLs and hyperlinks, and the use of domains to route email and other messaging. Domain names provide stable location pointers for individuals’ and groups’ online speech; as such, they also present possible chokepoints for censorship and suppression of speech.

In the specific instance of responding to law enforcement requests for the publication of registrar contact information, the potential impact is indirect but not insubstantial. In response to law enforcement requests for “registrar cooperation in addressing online crime,” the resolution considers a requirement that registrars “must publish on their respective web sites e-mail and postal mail addresses to which law enforcement actions may be directed.”

If we could be sure that the requests would relate only to activity universally agreed to be criminal, from law enforcement agencies following due process of law and respecting human rights, the proposed requirement would be uncontroversial. As legal regimes and their approaches to human rights are not uniform, we cannot make that blanket assumption. The contacts could be used to censor.

I don’t want to interfere with legitimate law enforcement. I do want to specify explicit procedure and limitations so that these contact points do not become points of control through which registrars can be pressured into removing domains that provide access to critical or “inharmonious” speech. To that end, it’s important that the discussion take place in the GNSO forum where civil society is represented to raise these concerns and develop procedural protections.

I also appreciate Android’s openness at the practical level of the individual user. This weekend I put the CyanogenMod firmware on my Android phone, in response to security warnings about recently introduced logging functions, and so as not to lose root access with a stock upgrade. The process was simple, well-documented, and gives me the level of control I expect over a device that can track all my movements and communications.

Then there are the little things: I like to change the default screen density to take better advantage of the high-resolution screen, no problem. (Note, however, that in the latest version of the Android market, some apps check these settings and won’t install, claiming device incompatibility. The fix? Change the lcd_density back, install apps, and revert the change; those I’ve tried work just fine.)

Larry Page himself emphasized the patent angle of the merger in the corporate blog post:

We recently explained how companies including Microsoft and Apple are banding together in anti-competitive patent attacks on Android. The U.S. Department of Justice had to intervene in the results of one recent patent auction to “protect competition and innovation in the open source software community” and it is currently looking into the results of the Nortel auction. Our acquisition of Motorola will increase competition by strengthening Google’s patent portfolio, which will enable us to better protect Android from anti-competitive threats from Microsoft, Apple and other companies.

Android-users already faced several patent lawsuits, and after a coalition of Google’s opponents, including Microsoft, Apple, and Oracle, purchased Nortel’s patent portfolio for $4.5 Billion, Google and its Android partners (including HTC and Motorola) had reason to fear a deepening thicket. Without many patents of its own, Google couldn’t make the traditional counter-strike of suing its attackers for infringement. Motorola’s mobile portfolio (17,000 issued patents and 7,500 pending applications) adds to Android’s arsenal.

Of course Motorola also makes hardware — smartphones that run Android — but few analysts are emphasizing that point. There, the acquisition raises strategic questions for Google: Can it convincingly offer the Android platform to others with whom it now competes? Even if Google maintains Motorola as a separate business, as Page says it intends, will now-competing vendors such as HTC, Samsung, and Acer be reassured of Google+Motorola’s neutrality among them?

Owning a handset maker could improve Android, if it shortens the feedback loop for problem-reporting and new ideas, but it could hurt the platform — and its end-users — more if it scared off competing hardware vendors, shrinking the base to which new applications are written and reducing the diversity of options available to end-users. As proprietor of an open, multi-sided market, Google needs to serve Android’s hardware vendors, app developers, and end-users well enough that a good-sized group of each continue to bring it value — and so the end-users watch the ads whose sale puts money into Google’s pocket from it all. (Oh, and maybe the acquisition will revitalize GoogleTV, as Lauren Weinstein points out.)

The patent motivations are more straightforward. As we know, it doesn’t take deliberate copying to infringe a patent, and patents are granted on small enough increments of software advance that an independently developed application may incorporate dozens to hundreds of elements on which others claim patents, and at millions of dollars a lawsuit, it’s expensive to disprove them. At least if those others are also making phones or software, Google is now more likely to have patents on what they are doing too, paving the way for a cross-license rather than a lawsuit.

Wouldn’t we all be better off skipping those patent threats and cross-licensing transaction costs? As Google’s pre-Motorola travails showed, it’s almost* impossible to opt-out of the patent system by choosing to publish and not patent your own inventions. Unlike in copyright, where you can share under Creative Commons, for example, and just have to prove you never accessed another’s work if accused of infringement, you can only save yourself from patent claims by assuring that every bit of technology you use was published more than 17-20 years ago! (*Rare but not impossible: Richard Hipp of SQLite says he only uses 17-year old, published algorithms to keep his code free of patent clouds.)

In work-in-progress, I argue that patent’s incentives aren’t working right for software, because they come at too early a stage in development. Patents for software motivate lawsuits more than they induce or reward product development. Google+Motorola may prove to have non-patent benefits too, but its early indications shine a spotlight on the thorny thickets of the patent landscape.

Tim O’Reilly, however, takes a different tack:

Face recognition is here to stay. My question is whether to pretend that it doesn’t exist, and leave its use to government agencies, repressive regimes, marketing data mining firms, insurance companies, and other monolithic entities, or whether to come to grips with it as a society by making it commonplace and useful, figuring out the downsides, and regulating those downsides.

…We need to move away from a Maginot-line like approach where we try to put up walls to keep information from leaking out, and instead assume that most things that used to be private are now knowable via various forms of data mining. Once we do that, we start to engage in a question of what uses are permitted, and what uses are not.

O’Reilly’s point –and face-recognition technology — is bigger than Facebook. Even if Facebook swore off the technology tomorrow, it would be out there, and likely used against us unless regulated. Yet we can’t decide on the proper scope of regulation without understanding the technology and its social implications.

By taking these latent capabilities (Riya was demonstrating them years ago; the NSA probably had them decades earlier) and making them visible, Facebook gives us more feedback on the privacy consequences of the tech. If part of that feedback is “ick, creepy” or worse, we should feed that into regulation for the technology’s use everywhere, not just in Facebook’s interface. Merely hiding the feature in the interface, while leaving it active in the background would be deceptive: it would give us a false assurance of privacy. For all its blundering, Facebook seems to be blundering in the right direction now.

Compare the furor around Dropbox’s disclosure “clarification”. Dropbox had claimed that “All files stored on Dropbox servers are encrypted (AES-256) and are inaccessible without your account password,” but recently updated that to the weaker assertion: “Like most online services, we have a small number of employees who must be able to access user data for the reasons stated in our privacy policy (e.g., when legally required to do so).” Dropbox had signaled “encrypted”: absolutely private, when it meant only relatively private. Users who acted on the assurance of complete secrecy were deceived; now those who know the true level of relative secrecy can update their assumptions and adapt behavior more appropriately.

Privacy-invasive technology and the limits of privacy-protection should be visible. Visibility feeds more and better-controlled experiments to help us understand the scope of privacy, publicity, and the space in between (which Woody Hartzog and Fred Stutzman call “obscurity” in a very helpful draft). Then, we should implement privacy rules uniformly to reinforce our social choices.