The RIAA Succeeds Where the CypherPunks Failed: msg#00132 encryption.general

From: nec-admin@xxxxxxxxxx
Sent: Wednesday, December 17, 2003 12:29 PM
To: nec@xxxxxxxxxx
Subject: [NEC] #2.12: The RIAA Succeeds Where the CypherPunks Failed

NEC @ Shirky.com, a mailing list about Networks, Economics, and Culture

Published periodically / #2.12 / December 17, 2003
Subscribe at http://shirky.com/nec.html
Archived at http://shirky.com
Social Software weblog at http://corante.com/many/

In this issue:

- Introduction
- Essay: The RIAA Succeeds Where the Cypherpunks Failed
  Also at http://www.shirky.com/writings/riaa_encryption.html
- Worth Reading:
  - GrokLaw: MVP of the SCO Wars
  - Tom Coates Talks With A Slashdot Troller

* Introduction =======================================================

The end of another year. Thank you all for reading. See you in January.

-clay

* Essay ==============================================================

The RIAA Succeeds Where the Cypherpunks Failed
http://www.shirky.com/writings/riaa_encryption.html

For years, the US Government has been terrified of losing surveillance powers over digital communications generally, and one of their biggest fears has been broad public adoption of encryption. If the average user were to routinely encrypt their email, files, and instant messages, whole swaths of public communication currently available to law enforcement with a simple subpoena (at most) would become either unreadable, or readable only at huge expense.

The first broad attempt by the Government to deflect general adoption of encryption came 10 years ago, in the form of the Clipper Chip [http://www.epic.org/crypto/clipper/]. The Clipper Chip was part of a proposal for a secure digital phone that would only work if the encryption keys were held in such a way that the Government could get to them. With a pair of Clipper phones, users could make phone calls secure from everyone except the Government.

Though opposition to Clipper by civil liberties groups was swift and extreme [1] the thing that killed it was work by Matt Blaze, a Bell Labs security researcher, showing that the phone's wiretap capabilities could be easily defeated [2], allowing Clipper users to make calls that even the Government couldn't decrypt. (Ironically, ATT had designed the phones originally, and had a contract to sell them before Blaze sunk the project.)

[2] http://cpsr.org/cpsr/privacy/crypto/clipper/clipper_nist_escrow_comments/
[3] http://www.interesting-people.org/archives/interesting-people/199406/msg00006.html

The Government's failure to get the Clipper implemented came at a heady time for advocates of digital privacy -- the NSA was losing control of cryptographic products, Phil Zimmermann had launched his Pretty Good Privacy (PGP) email program, and the Cypherpunks, a merry band of crypto-loving civil libertarians, were on the cover of [http://www.wired.com/wired/archive/1.02/crypto.rebels.html] the second issue of Wired. The floodgates were opening, leading to...

...pretty much nothing. Even after the death of Clipper and the launch of PGP, the Government discovered that for the most part, users didn't _want_ to encrypt their communications. The single biggest barrier to the spread of encryption has turned out to be not control but apathy. Though business users encrypt sensitive data to hide it from one another, the use of encryption to hide private communications from the Government has been limited mainly to techno-libertarians and a small criminal class.

The reason for this is the obvious one: the average user has little to hide, and so hides little. As a result, 10 years on, e-mail is still sent as plain text, files are almost universally unsecured, and so on. The Cypherpunk fantasy of a culture that routinely hides both legal and illegal activities from the state has been defeated by a giant distributed veto.

Until now.

It may be time to dust off that old issue of Wired, because the RIAA is succeeding where 10 years of hectoring by the Cypherpunks failed. When shutting down Napster turned out to have all the containing effects of stomping on a tube of toothpaste, the RIAA switched to suing users directly. This strategy has worked much better than shutting down Napster did, convincing many users to stop using public file sharing systems, and to delete MP3s from their hard drives. However, to sue users, they had to serve a subpoena, and to do that, they had to get their identities from the user's internet service providers.

Identifying those users has had a second effect, and that's to create a real-world version of the scenario that drove the invention of user-controlled encryption in the first place. Whitfield Diffie, inventor of public key encryption [http://www.webopedia.com/TERM/P/public_key_cryptography.html], the strategy that underlies most of today's cryptographic products, saw the problem as a version of "Who will guard the guardians?"

In any system where a user's identity is in the hands of a third party, that third party cannot be trusted. No matter who the third party is, there will be at least hypothetical situations where the user does not want his or her identity revealed, but the third party chooses or is forced to disclose it anyway. (The first large scale example of this happening was the compromise of anon.penet.fi, the anonymous email service, in 1995 [http://www.mids.org/pay/mn/701/anon.html].)

Seeing that this problem was endemic to all systems where third parties had access to a user's identity, Diffie set out to design a system that put control of anonymity directly in the hands of the user. Diffie published theoretical work on public key encryption in 1975, and by the early 90s, practical implementations were being offered to the users.

However, the scenario Diffie envisioned had little obvious relevance to users, who were fairly anonymous on the internet already. Instead of worrying now about possible future dangers, most users' privacy concerns centered on issues local to the PC, like hiding downloaded pornography, rather than on encrypting network traffic.

However, Diffie's scenario, where legal intervention destroys the users' de facto privacy wherever it is in the hands of commercial entities, is now real. The RIAA's successful extraction of user identity from internet service providers makes it vividly clear that the veil of privacy enjoyed by the average internet user is diaphanous at best, and that the obstacles to piercing that veil are much much lower than for, say, allowing the police to search your home or read your (physical) mail.

Diffie's hypothetical problem is today's reality. As a result, after years of apathy, his proposed solution is being adopted as well. In response to the RIAA's suits, users who want to share music files are adopting tools like WINW (WINW Is Not WASTE) [http://www.winw.org/] and BadBlue [http://www.badblue.com/], that allow them to create encrypted spaces where they can share files and converse with one another.

As a result, all their communications in these spaces, even messages with no more commercial content than "BRITN3Y SUX!!!1!" are hidden from prying eyes. This is not because such messages are sensitive, but rather because once a user starts encrypting messages and files, it's often easier to encrypt everything than to pick and choose.

Note that the broadening adoption of encryption is not because users have become libertarians, but because they have become criminals; to a first approximation, every PC owner under the age of 35 is now a felon.

The obvious parallel here is with Prohibition.
By making it unconstitutional for an adult to have a drink in their own home, Prohibition created a cat and mouse game between law enforcement and millions of citizens engaged in an activity that was illegal but popular. As with file sharing, the essence of the game was hidden transactions -- you needed to be able to get into a speakeasy or buy bootleg without being seen.

This requirement in turn created several long-term effects in American society, everything from greatly increased skepticism of Government-mandated morality to broad support for anyone who could arrange for hidden transactions, including organized crime. Reversing the cause did not reverse the effects; both the heightened skepticism and the increased power of organized crime lasted decades after Prohibition itself was reversed.

As with Prohibition, so with file sharing -- the direct effects from the current conflict are going to be minor and over quickly, compared to the shifts in society as a whole. New entertainment technology goes from revolutionary to normal quite rapidly. There were dire predictions made by the silent movie orchestras' union trying to kill talkies, or film executives trying to kill television, or television executives trying to kill the VCR. Once those technologies were in place, however, it was hard to remember what all the fuss was about. Though most of the writing about file sharing concentrates on the effects on the music industry, whatever new bargain is struck between musicians and listeners will almost certainly be unremarkable five years from now.

The long-term effects of file sharing are elsewhere. The music industry's attempts to force digital data to behave like physical objects have had two profound effects, neither of them about music. The first is the progressive development of decentralized network models [], loosely bundled together under the rubric of peer-to-peer.
Though there were several versions of such architectures as early as the mid-90s such as ICQ and SETI@Home, it took Napster to ignite general interest in this class of solutions.

And the second effect, of course, is the long-predicted and oft-delayed spread of encryption. The RIAA is succeeding where the Cypherpunks failed, convincing users to trade a broad but penetrable privacy for unbreakable anonymity under their personal control.

In contrast to the Cypherpunks' "eat your peas" approach, touting encryption as a first-order service users should work to embrace, encryption is now becoming a background feature of collaborative workspaces. Because encryption is becoming something that must run in the background, there is now an incentive to make its adoption as easy and transparent to the user as possible.

It's too early to say how widely casual encryption use will spread, but it isn't too early to see that the shift is both profound and irreversible. People will differ on the value of this change, depending on their feelings about privacy and their trust of the Government, but the effects of the increased use of encryption, and the subsequent difficulties for law enforcement in decrypting messages and files, will last far longer than the current transition to digital music delivery, and may in fact be the most important legacy of the current legal crackdown.

-=-

* Worth Reading =======================================================

- GrokLaw: MVP of the SCO Wars

My colleague Elizabeth Lawley of RIT has convinced me that one of the most profound effects of weblogs is the communal workings of those who publish them, and that they contribute significant new value to collaboration across disciplines and boundaries. And now that she's convinced me, I see the pattern everywhere. The Dean campaign piece I posted earlier today exhibits much of that pattern, and so does today's Groklaw piece on SCO.

By way of background, SCO, once a technology company, has become a company devoted to a single legal strategy:

1. Assert rights to the Unix operating system
2. Assert infringing contributions of Unix source code to Linux
3. Sue firms that sell or use Linux, especially deep-pocketed IBM
4. Profit!!!1! (or at least buyout by IBM, to save them the expense of the suit.)

Much of the matter is in dispute, and IANAL, but what is clear is this: a) many SCO employees contributed to the Linux kernel, back when SCO was a tech company ("oldSCO"), with the approval of their bosses, and b) the Groklaw is doing an astonishing, world-changing job of finding, documenting and publicizing these occurrences (alongside much other work on the case.)

A recent GrokLaw entry reads:

    Groklaw has reported before on contributions made to the Linux kernel by Christoph Hellwig while he was a Caldera employee. We have also offered some evidence of contributions by oldSCO employees as well. Alex Rosten decided to do some more digging about the contributions of one kernel coder, Tigran Aivazian.

    [...]

    This paper is a group effort. Alex's research was shared with others in the Groklaw community, who honed, edited, and added further research. Then the final draft was sent to Tigran himself, so he could correct and/or amplify, which he has done.

    http://www.groklaw.net/article.php?story=20031210111235600

Look at that second graf: "This paper is a group effort." Everyone always says that about complex work, but this is different. This is the end of two-party law, where plaintiff and defendant duke it out in an arms race of $350/hr lawyers and "Take that" counter-motions.

Instead, we have a third party, Groklaw, acting as a proxy for millions of Linux users, affecting the public perception of the case (and the outcome SCO wants has to do with its stock price, not redress in the courts.)
Groklaw may also be affecting the case in the courts, by helping IBM with a distributed discovery effort that they, IBM, could never accomplish on their own, no matter how many lawyers they throw at it.

There are two ways to change the amount of leverage you have. The obvious one is to put more force on the lever, and this is what SCO thought they were doing -- engaging IBM in a teeter-totter battle that would make it cheaper for IBM to simply buy SCO than to fight it out in the courts. The other way to get more leverage is to move the fulcrum. Groklaw has moved the fulcrum of this battle considerably closer to SCO, making it easier for IBM to exert leverage, and harder for SCO to.

I can't predict how the current conflict will end, but the pattern Groklaw has established, of acting on behalf of the people who will be adversely affected by a two-party legal battle, has already been vindicated, even if SCO avoids bankruptcy.

- Tom Coates talks with a Slashdot troller:

Tom Coates, who has been talking on EverythingInModeration.org about his travails with a persistent troll on the Barbelith community and his subsequent attempts to ban that user, has elicited a response, which has now become a conversation, with a Slashdot troller. This troller, posting as 20721, is arguing that any hidden moderation system helps stimulate an arms race:

    i believe that it takes a certain amount of hubris to assume that the people you want to exclude are, by their nature, not as smart as you. you may be right about the people you're trying to exclude; i defer to your judgement, i'm not a member of the communities you are; but where i come from, the best & the brightest are the ones being cast out.
    they're cast out from communities by the following chain of events:

    1) secretive backhanded moderation tactic by the admins is discovered
    2) someone alerts the community
    3) the most technically apt in the community are able to reproduce the backhanded moderation tactic and verify its existence
    4) these people call foul and are labelled "trolls" for doing so, leading to the institution of more of 1) (repeat).

    this is how i started down the road i'm on. i was one of the many people who discovered that the people at slashdot were secretly moderating the users' comments, and one day they moderated the same comment 800 times - and then they lied about it, and said anyone who told the truth about it was a "troll". hence i became what they called me.

More, much more, at http://www.everythinginmoderation.org/2003/10/tagging_difficult_users_with_infectious_markers.shtml

* End ====================================================================

This work is licensed under the Creative Commons Attribution License. The licensor permits others to copy, distribute, display, and perform the work. In return, licensees must give the original author credit.

To view a copy of this license, visit http://creativecommons.org/licenses/by/1.0 or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.

2003, Clay Shirky

_______________________________________________
NEC - Clay Shirky's distribution list on Networks, Economics & Culture
NEC@xxxxxxxxxx
http://shirky.com/nec.html

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@xxxxxxxxxxxx