Advertising industry is warned to shore up its house

You know the topic of privacy has arrived on the public agenda when the New York Times writes about the issue's nuanced implications for electoral politics [1] and CNN reports that the latest hot corporate title is Chief Privacy Officer [2].

Law.com / New York surveyed [3] the kinds of advice lawyers are now giving their corporate clients about privacy in light of these recent developments:

• 2000-04-21: The Children's Online Privacy Protection Act [4] went into effect, requiring Net companies that market to children to obtain verifiable parental consent and to follow other strict rules.

• 2000-05-22: The FTC, which previously had favored industry self-regulation, reversed field [5] and recommended to Congress that it enact legislation to protect online privacy.

• 2000-07-05: The European Parliament rejected [6] a proposed "safe harbor" data-protection agreement, two years in the making, between the Commerce Department and the European Union.

• 2000-07-10: The FTC sued to prevent bankrupt Toysmart.com from selling its customer database [7].

The Internet advertising industry is justifiably nervous about the public's rising concern over online privacy. Wired reports [8] on a meeting last week of the Internet Advertising Bureau at which a TRUSTe spokesman warned attendees that a "perfect privacy storm" is brewing. He noted that Al Gore had recently gone on record as favoring opt-in solutions to Net privacy concerns, and that George W. Bush had soon hopped onboard that bandwagon. Opt-in is anathema to the Net advertising crowd.

Steve Gibson is exceptionally ticked-off at this crowd, especially the subset that peddles adbots and spyware [9]. Savor his impassioned and articulate call for ethics in data collection [10].

[1] http://www.nytimes.com/library/review/060400private-info-review.html
[2] http://www.cnn.com/2000/TECH/computing/07/11/privacy.officers.ap/index.html
[3] http://www.nylj.com/stories/00/07/071300a4.htm
[4] http://www.ftc.gov/opa/1999/9910/childfinal.htm
[5] http://www.interesting-people.org/200005/0044.html
[6] http://www.idg.net/ic_197647_1794_9-10000.html
[7] http://www.thestandard.com/article/display/0,1151,16718,00.html
[8] http://www.wirednews.com/news/print/0,1294,37547,00.html
[9] http://tbtf.com/archive/2000-04-19.html#s02
[10] http://grc.com/oo/ethics.htm

Now the rest of the world is catching up fast. Herewith a sampling from the outer limits of boneheaded lawmaking around the world.

France: unintended consequences

In the wake of the ILOVEYOU virus, France moved to stamp out online anonymity within its borders [11], [12]. (The French distaste for anonymity predates the Internet by at least 150 years, as the note at [11] explains.) Now it appears that open-source development may suffer as a result of the proposed law. John Fremlin was quoted in a Freshmeat article [13]:

Open Source projects never have such information about all of their far-flung contributors, and gathering it would be next to impossible. Under the proposed law, open-source projects currently hosted on French servers would have to move outside the country's borders.

This unintended consequence is particularly twisted given France's expressed preference [14] for open-source software over that from Microsoft.

[11] http://tbtf.com/archive/2000-03-31.html#s04
[12] http://www.vnunet.com/News/601295
[13] http://freshmeat.net/news/2000/06/21/961587656.html
[14] http://tbtf.com/blog-archive/1999-10-24.html#4

Australia: streaming content = broadcasting?

The Australian government is playing silly buggers with the country's nascent online video and audio industry [15]. Recently passed legislation calls for a review of streaming content on the Australian Internet by Jan. 1, 2001. The betting is that streaming content will end up equated with over-the-air broadcasting, forcing site operators to scramble for licenses -- which won't come available until 2006. The minister responsible for reviewing the industry, Richard Alston, had said he planned to make no decision until next January, leaving a potential multi-billion dollar industry twisting slowly in the wind. An Internet Industry Association spokesman declared that the government had "defined the medium's commercial promise out of existence." But yesterday Alston appeared to back down [16], signalling that he didn't want to ban the internet industry from streaming video into Australian homes.

Thanks to TBTF Irregular [17] Eric Scheid for the story.

[15] http://theage.com.au/bus/20000712/A823-2000Jul11.html
[16] http://finance.news.com.au/0,3546,961328%255E462,00.html
[17] http://tbtf.com/the-irregulars.html

Germany: taxing Internet use at work

Note added 2000-07-22: Germany may not deserve the brickbat I tossed in TBTF as distributed by email (retained below in grey type). Prof. Dr. Maximilian Herberger, Director of the Institute for Computing in the Law in Saarbrücken, sent this note:

The ministry withdrew the proposal almost the next day. So unfortunately you contribute here to the distribution of outdated information. If in the future you want to deal with German legal topics, you can contact us in Saarbrücken. Our legal information system in the Internet is the most highly frequented in Germany.

[18] http://www.stuttgarter-zeitung.de/dc1/html/news-stz/20000714eins0003.shtml
[19] http://www.stuttgarter-zeitung.de/dc1/html/news-stz/20000714drei0005.shtml
[20] http://www.heise.de/newsticker/data/fm-14.07.00-000/

Reasonable men may disagree

A long-running and bitter dispute between two spam-fighting organizations broke out into the open after one of them suspended operations. ORBS [21] (the Open Relay Behaviour-modification System) shut down its list of spam-friendly "open relays" earlier this week because it claims the other organization, MAPS (the Mail Abuse Prevention System) [22], had influenced a major ISP to drop ORBS into an Internet black hole.

The upshot: because ORBS was (a) loved by many because it probed everywhere, and (b) hated by many because it probed everywhere, some folks are crying, some are dancing.

This forum on Kuro5hin [23] first brought the dispute to the notice of those outside the community of the newsgroup news.admin.net-abuse.email (called NANAE). (Note an error in the leadoff post in this forum: the proprietor of ORBS is Alan Brown, not Alan Cox.)

The feud between ORBS and MAPS has been simmering for over a year on NANAE, reminiscent of the underground coal fire burning for the past 38 years in Centralia, PA [24]. The following historical summary, courtesy of deja.com, suggests why it is so difficult to plumb the facts of this dispute. Most readers of the newsgroup have long since tuned it out, and many of those remaining are partisans for one side or the other.

Number of postings in news.admin.net-abuse.email containing "ORBS in MAPS":

  99q1  99q2  99q3  99q4  00q1  00q2 00july
     0   190   324   128   165   500+  1300+

Sometime more recently -- I have not been able to pin down when -- Above.net, a tier-1 ISP upstream of both MAPS and ORBS, blocked ORBS's open-relay probes. Now, the principals of MAPS are both executives at Above.net. ORBS claims that Above.net has gone farther and is now discarding all traffic intended for ORBS at exchange points in London and Austria -- a practice which would be illegal in those locales, according to ORBS [26]. Paul Vixie has confirmed [27] that his MAPS partner Dave Rand, also CTO of Above.net, indeed blocked ORBS from inside the ISP. In consequence ORBS has taken offline its DNS zone file, the resource by which ISPs identify spam to block.

ORBS claims that MAPS simply wants to shut down its (competing) free service, and hints that MAPS plans to begin charging for its own currently free services. Paul Vixie denies this [28].

For further background, details, and opinion on MAPS and ORBS, see this sidebar [29]. If you have opinions of your own, please join this Quick Topic forum [30].

[21] http://www.orbs.org/
[22] http://www.mailabuse.org/
[23] http://www.kuro5hin.org/?op=displaystory&sid=2000/7/18/05335/5018
[24] http://www.offroaders.com/album/centralia/study/ESL201Paper.htm
[25] http://x72.deja.com/[ST_rn=ps]/getdoc.xp?AN=647222588
[26] http://www.orbs.org/hallofshame.html
[27] http://x57.deja.com/[ST_rn=ps]/getdoc.xp?AN=647117259
[28] http://x57.deja.com/[ST_rn=ap]/getdoc.xp?AN=647050377
[29] http://tbtf.com/resource/maps-orbs.html
[30] http://www.quicktopic.com/tbtf/H/ODRAov1pBeWbefcT5Be

Fighting spam and dangling lawyer-bait

Over the weekend, news leaked out [33] that Yesmail had become the first email marketer to take them up on the offer. In fact Yesmail had won a temporary restraining order in Illinois federal court (most probably with no MAPS lawyer in attendance) preventing MAPS from adding Yesmail to the Realtime Blackhole List. Slashdot discussed the case [34] on Saturday. A preliminary hearing is scheduled for 25 July.

Yesmail claims to be a "good guy" marketer that only deals in opt-in mailing lists. What got them on the wrong side of MAPS is that subscribing to their lists does not require a confirmation by email. That is, Yesmail could very well load up a mailing list with thousands of Web-harvested email addresses from a spammer's CD-ROM and claim that each of those individuals had opted in. They must have, they're on the list, right?

The fact that MAPS is now blackholing email lists that don't offer a double opt-in process is indicative of how far they have expanded their anti-spam crusade beyond the initial elegance of the MAPS RBL. My guess is that this "mission creep" is part of a deliberate escalation strategy intended to insure that, eventually, some spammer will sue them. It's a dangerous strategy. Judges are conservative; courts can take decades to catch up with the changes that new technologies bring. I just hope that MAPS hasn't become so provocative that the courts hand down a spam-friendly ruling under which we will all suffer for a generation.

[31] http://www.wired.com/news/print/0,1294,37621,00.html
[32] http://www.mailabuse.org/lawsuit/
[33] http://www.directmag.com/content/newsline/main.html#81
[34] http://slashdot.org/article.pl?sid=00/07/15/225232
[34a] http://www.osopinion.com/Opinions/MIKE2/mike18.html
[34b] http://www.nwfusion.com/columnists/2000/compendium.html

Is this what ICANN means by "not unreasonably restraining competition?"

NSI insists it simply wants to get paid for services that have never been compensated. Much of the outcry [36] that greeted NSI's action missed or overlooked NSI's promise to cap all such auctions at $35, which is the price the registrar ordinarily charges per year.

Of course the whole issue would never have arisen -- and cybersquatting would not have gotten so quickly out of hand -- had NSI simply required payment before registering a name in the first place.

No one knows for sure how many names are involved. An NSI spokesman refers vaguely to "thousands," while other registrars guesstimate as high as half a million [35].

    c/o Begzudin Omerovic
    Ul. Hazima Fazlica 9
    Srebrenik, 75350
    BA

[35] http://www.thestandard.com/article/display/0,1151,16366,00.html
[36] http://slashdot.org/article.pl?sid=00/06/16/1941232

French pot to examine Anglo-American kettle

A French prosecutor announced [37] he has launched a preliminary investigation into the workings of Echelon, the rumored worldwide spy system run by intelligence agencies in the US, UK, Canada, Australia, and New Zealand. (The announcement came on July 4th, the American Independence Day holiday -- that must have been intentional.) The French probe will focus on allegations that the members of the UKUSA Alliance have used Echelon's intercept capabilities for economic espionage. Both the US and Britain have denied this charge without admitting officially that Echelon exists.

Those inclined to cheer the French for their courageous probe into UKUSA snooping ought to cast an eye over this excellent ZDNet collection of new Echelon material [38]. It includes details on France's copycat system, unfortunately dubbed "Frenchelon" [39].

Separately, the European Union voted to empanel an investigation into Echelon [40]. But to the consternation of this probe's supporters, the panel was denied any investigatory powers. (It was set up as a temporary committee rather than as an inquiry committee.) A member of Germany's Green Party, possibly with help from the Babelfish, called the resulting body a "toothless talkingshop."

[37] http://dailynews.yahoo.com/htx/nm/20000704/ts/france_usa_dc_1.html
[38] http://www.zdnet.co.uk/news/specials/2000/06/echelon/
[39] http://www.zdnet.co.uk/news/2000/25/ns-16281.html
[40] http://www.heise.de/tp/english/inhalt/te/6891/1.html

Now that's a virus

Security experts were not much surprised when the Morris worm [41] dragged down 10% of the Internet overnight in 1988. Security experts in recent days have been unsurprised by Melissa, ILOVEYOU, DDoS attacks, and the thousands of other manmade ills to which the Net is heir. And I doubt they will be overly surprised when a truly nasty and devious piece of malware slouches toward Bethlehem to be born.

Remember the Central Park scene in Crocodile Dundee [42]? Mick and his love interest are accosted by a gang of punks, one of whom whips out a switchblade. The girl shouts, "Mick, watch out! He's got a knife!" Mick examines the switchblade with pursed lips then says dismissively, "Naah. That's not a knife." Reaching behind his back, he withdraws and displays his 12-by-4-inch blade. "That's a knife."

Melissa? ILOVEYOU? That's not a virus.

For a glimpse of how bad it could be, scan these two thought experiments [43], [44]. The first is a conceptual design for the most elusive and versatile trojan horse the author could think up. It's bad enough. The second describes an actual project to design and build a worm of truly staggering stealthiness and damage potential.

Michal Zalewski and a few friends prototyped a worm the team called Samhain. It was designed to:

• run on multiple platforms
• secrete itself invisibly
• employ a distributed library of system exploits to obtain privileges on the compromised system
• communicate in encrypted packets with other similar worms in a Freenet-like [45] "wormnet"
• spread automatically without user interaction

Its payload would be a plug-in module. The wormnet would discover new exploits and spread them immediately. The worm's code would morph constantly to defeat anti-virus signature checks. It would employ active countermeasures against debuggers and other nosy processes that might be capable of uncovering it.

If such a worm were competently developed and released into the world, the fate of the Internet would be in the hands of those who controlled it.

To discuss these or other proposed uber-viruses, please visit this Quick Topic forum [46].

[41] http://www.eos.ncsu.edu/eos/info/computer_ethics/www/abuse/wvt/worm/
[42] http://us.imdb.com/Title?0090555
[43] http://www.hackernews.com/bufferoverflow/99/nitmar/nitmar1.html
[44] http://lcamtuf.na.export.pl/worm.txt
[45] http://freenet.sourceforge.net/
[46] http://www.quicktopic.com/tbtf/H/nikFBZikIxlLrXC8KjX

Lots more features and still preposterously easy

Steve Yost has relaunched Take It Offline -- the discussion service first announced in TBTF for 1999-10-05 [47] -- under the new name Quick Topic [48]. ( The old name no longer exists, so any links to www.takeitoffline.com will take you to a typo spammer's site.) The new moniker reflects QT's widespread general use beyond the original idea of diverting off-topic or controversial subjects from existing email discussions.

You'll find new features based on the original TBTF reader feedback [49] and user comments, including user login, a My Topics page, message editing and deletion, and sorting preferences. Amazingly, Steve has incorporated all these new goodies while keeping the interface dead simple. There is also an XML-RPC interface [50] for developers wanting to do deeper integrations.

Disclosure: Steve is a friend of mine and a TBTF Irregular. I've offered advice on the Quick Topic service but have no stake in Steve's company, Internicity.

[47] http://www.tbtf.com/archive/1999-10-05.html#s06
[48] http://www.quicktopic.com/
[49] http://www.quicktopic.com/1/H/emxb7z9ubBnT5eAuc8l
[50] http://www.quicktopic.com/xmlrpc.html

Forget the hype, this is where it's really at

Suddenly the TBTF contributors are returning, as if they had all just flown in from their various distant winter feeding grounds. First Lloyd Wood [51] turned in a profile of Richard Stallman. Then Ted Byfield, the roving_reporter [52], started up something like a blog here on TBTF. And now Rick Treitman sends along a new number of The View from Softpro. (Here are previous columns from 1998 [53], [54].)

In this feature Rick looks at the industry through the lens of sales patterns at an established bookstore for computer professionals. Rick and his brother Bob run Softpro [55] in Burlington and Marlboro, Massachusetts. A third brother, Jim, manages Softpro in Denver, Colorado. Rick writes:

[51] http://tbtf.com/jaundiced/index.html
[52] http://tbtf.com/roving_reporter/index.html
[53] http://tbtf.com/archive/1998-02-09.html#s07
[54] http://tbtf.com/archive/1998-01-12.html#s07
[55] http://www.softpro.com/

The View from Softpro by Rick Treitman <rick at softpro dot com> Softpro, 112 Mall Road, Burlington, MA 01803-5300 v.781-273-2917 | f.781-273-2499 | www.softpro.com Software As July starts off, one operating system is outselling all others combined by a factor of more than two. (At Softpro, "all others" includes various flavors of Linux plus FreeBSD -- we don't sell enough Windows products even to include them.) OpenBSD 2.7 is the best seller for the first 12 days of July, and sales are accelerating. Books More predictably, the hot book categories this month are: Java Server Pages, XML, Java, and HTML. Interestingly enough, there has been very little interest in Windows 2000, and none of our month-to-date best sellers have anything to do with Microsoft. Apache books are among the better selling books, but nothing doing for the various Microsoft servers.

When good personalized marketers get desperate

How will the direct-target-marketing crowd react when privacy fears really kick in and Americans begin to choke off their flood of personal data? This satire at SegFault [56] had me rolling on the floor laughing and scaring the cats.

[56] http://segfault.org/story.phtml?id=396caaba-052cfec0

Someone else who invented (part of) the Internet

Any number of people have a legitimate claim to inventing the Internet. Here's a modest and graceful claim [57] to something less grandiose: in 1989 Spike Illaqua wrote the software that enabled the operation of the first commercial ISP. That was The World, at Software Tool & Die (where I became customer number 128 or so early in 1990). Spike's account of the origins of The World is engaging and readable, filled with helpful analogies for the benefit of those who were busy watching Saturday morning cartoons in those pioneering days.

I had the serendipitous honor of attending Spike's going-away party at The World in 1994 -- happened to be there for something Kibo was filming about Usenet -- and I still have the tee shirt, though it's not good for much these days except mowing the lawn in. So to Spike, thanks for the memories. And to Jon Callas, thanks for the forward.

[57] http://www.usenix.org/publications/login/1999-2/isp.html

Here are the spaces I've set up at Quick Topic [58], [59] for those who wish to comment on and discuss this issue's articles. I'll be monitoring and actively posting to these forums.

• Spam fighters duke it out
  http://www.quicktopic.com/tbtf/H/ODRAov1pBeWbefcT5Be
• What if smart people wrote computer viruses?
  http://www.quicktopic.com/tbtf/H/nikFBZikIxlLrXC8KjX
• Other comments on this issue of TBTF
  http://www.quicktopic.com/tbtf/H/m0S11BAVfszZNPKIOdzu

[58] http://www.quicktopic.com/
[59] http://tbtf.com/archive/1999-10-05.html#06

That was a long hiatus. I hope never again to let so much time elapse between issues of TBTF. I've gone and gotten my life so entangled with this newsletter that producing it is now essential to my happiness. To the roughly 2,600 new subscribers who have signed up since the previous issue came out: thanks for your patience, and I hope you find it worth the wait.

I've continued posting regularly to the TBTF Log [60]. The collected Log items are mailed weekly to subscribers on a separate list, tbtf-log@tbtf.com . To subscribe, send the message "subscribe" to tbtf-log-request@tbtf.com ; lose the quotes.

[60] http://tbtf.com/blog-archive/

TBTF home and archive at http://tbtf.com/ . To (un)subscribe send
the message "(un)subscribe" to tbtf-request@tbtf.com. TBTF is Copy-
right 1994-1999 by Keith Dawson, <dawson at world dot std dot com>. Commercial
use prohibited. For non-commercial purposes please forward, post,
and link as you see fit.
_______________________________________________
Keith Dawson    dawson at world dot std dot com
Layer of ash separates morning and evening milk.