07 August, 2013

If Nats can't pick someone to keep party web sites secure how can we trust their decision for all Govt security?

The National party has decided to let the GCSB do all of Government security. The worry here is that the National Party can't even pick people who can keep their own sites secure from a bunch of script kiddies. Web site security on the whole is a far smaller problem than all of Government security, so if they can't pick someone to do that how can we have any confidence in their picking of the GCSB? Also script kiddies are far easier to defend against than committed Nation State backed adversaries. Their evaluation process for selecting a provider for their Party web sites was obviously flawed and given the rushed nature of the GCSB bill I can only assume that their evaluation process this time isn't any better.

Surely the best option would be to set up the CERT model. CERTs are independent civilian organisations that worry just about computer security and are working well in most countries other than NZ. CERTs have a sole focus on Computer Security and don't have the distraction of Spying. CERTs also build strong links with government and the private sector, which the GCSB isn't currently doing.

07 May, 2013

Open Letter to John Key re Security Bills


With the changes to the GCSB Act and the Wiretapping you are missing the boat. Firstly these are not urgent matters and should go through the democratic process and allow for public submissions at the Select Committee stage.

You are also mixing up spying on NZers and their privacy with cyber security. Opinion in the NZ IT Security community is that the NCSC isn't working and that we need a CERT like every other country. in2security have made this point in Initiative 9 p51 of their "New Zealand Information Security Workforce Development Strategy". If you, as head of NZ security, had engaged at NZ's preeminent security conference Kiwicon or one of the monthly Info Sec Interest Group meetings you would know that the community feels the NCSC isn't working. A CERT is a trusted independent civil organisation model/framework that is working well elsewhere in the world and would be a good base to work from. A proper CERT is what is wanted by the community.

Maybe you would get more help from the Security Community if your Justice Minister didn't say "The ministry and I do not deal with hackers and we do not deal with burglars.". If you want to engage with security researchers you need to talk to them and not flat out say that you won't talk to them.

With the wire tapping can you explain how it is going to work? These days things like HTTPS mean that the communication is heavily encrypted between the client and its destination and can not be intercepted along the way, and HTTPS has ways of informing the user if a Man in the Middle attack is taking place. Most servers will belong to overseas organisations and not reside in NZ, thus you don't have jurisdiction to compel the company to decrypt the information for you. So I fail to see what this will gain and what benefit it will give you. Also more and more calls are using VoIP services like Skype and others which are encrypted user to user and even Skype can't decrypt a conversation for you, so again in this day and age what is this wiretapping actually going to do other than make it easy to get the low hanging fruit who already slip up in many other ways?

These changes are large and, under urgency, I don't feel they will get the scrutiny that they need without public submissions to the select committee and oversight from the privacy commissioner. Going through that process will also give you time to start a meaningful dialogue with the NZ IT Security community and help give us the tools that we need to do our job rather than wasting money on things like the NCSC which don't meet our needs.


01 May, 2011

My draft for my feedback on MED's request for feedback on the Copyright (Infringing File Sharing) Amendment Act discussion document

This is my draft for my feedback on MED's request for feedback on the Copyright (Infringing File Sharing) Amendment Act discussion document. I would be interested to hear what other things people are writing in theirs. Please feel free to use the ideas out of mine. I would prefer people not to copy and paste; with things like this individual submissions tend to carry more weight than copy pasted submissions as it shows more time spent, thought, actual reading and that it is truly your views not someone else's.

Don't criticise the law here as chances are they will just disregard your points. We can attack the Act directly separately. In response to this discussion paper we need to assume that, even given its shortcomings, we need to make it work the best we can and ensure the bar of accusation is as high and as fair to end users as possible.


I am writing in concern of the Copyright (Infringing File Sharing) Amendment Act discussion document: http://www.med.govt.nz/templates/MultipageDocumentTOC____45923.aspx

Q1 If regulations were not made, are the possible implications noted above correct, and why?

Q2 Are there any other possible implications if regulations are not made? Why do these arise?
If there are no regulations there will be no detail about the evidence needed and the qualifications the people doing the capture require. If there is no minimum bar for evidence set there is a chance people will be accused when the evidence isn't really there to justify the accusations. Regulations also mean that a notice from one Copyright Holder meets the same requirements as a notice from another Copyright Holder. Without fees set ISPs may have to increase their fees to cover it or go out of business, which is not what we want. If Copyright Holders don't have a fee imposed upon them they may just send out notices for the sake of sending out notices.

Q3 What benefits, if any, might arise from not providing regulations? Why do these arise?
I see none. I see having no regulations as very dangerous to ISPs and End Users.

Q4. Should the suggested requirements be included in regulations? Should there be any other information requirements and why?
For a start where it says once to the ISP it should also be given to the end user every time. There also needs to be proof a breach has happened. To prove a breach has happened:
* There needs to be a Network Dump of all network traffic from the Copyright Holder's end showing that the full work is in the possession of the accused. This will show that the Copyright Holder is sure that the user actually has the file and is not simply looking for it. Remember it is the possession and sharing of the full work that is at issue, not the act of wanting or looking for the work. It needs to be the full work as:
** The words "part of work" have been removed from the Bill
** If you do not have 100% of the work it will be corrupted and thus not consumable/playable
** Part of a work may be considered fair use for review/satire
* There have been examples in the US where the Entertainment industry has sent notices to Printers which are not capable of file sharing. Obviously someone spoofed the IP address into a torrent list and they just sent a notice without checking that the IP was actually file sharing. http://dmca.cs.washington.edu/faq.html#q10 If there is a Network Dump showing that the whole file has been transferred this will provide evidence that it is not someone trying to spoof an IP and frame you but that the IP address in question is actually sharing the content.
* The file(s) reconstructed from the Network Dump, to indicate that the Network Dump does contain the entire work in a non corrupt, consumable state
* The Network Dump and File should not have any encryption, so the user and the tribunal can examine to check the evidence.
* Extracting the file out of the network dump will show that the file is real and not a fake file. Fake files aren't copyrighted works of that copyright holder so they have no grounds to go after that person.
** For example if you download a video called transformers.avi you may be accused of downloading the Transformers movie. The copyright holder needs to show that this is the Transformers movie and not, for example, a home video of someone's kids playing with some Transformers toys.
* There needs to be a chain of evidence and proof that all the evidence is accurate and has not been tampered with. This chain of evidence and non tampering is very important as Nikon Cameras have recently had their non tamper system broken, so in this instance you can have forged photos and pass them off as legit photos in evidence. This system needs to ensure that all evidence is legit and not tampered with. http://blog.crackpassword.com/2011/04/nikon-image-authentication-system-compromised/
* Details on the timestamps need to be provided and there needs to be evidence that they are getting a secure/authenticated NTP (https://secure.wikimedia.org/wikipedia/en/wiki/Network_Time_Protocol) feed. This will ensure all times are accurate and from a good source of time. The authenticated NTP feed can provide auditability that the time is correct. This will allow logs, Network Dumps and the like to be compared between locations knowing that the times will line up fully. http://www.ntp.org/ntpfaq/NTP-s-algo-crypt.htm
* In summary there needs to be a minimum level of evidence to prove beyond reasonable doubt that a breach has actually occurred. It should be up to the copyright holder to provide the evidence beyond reasonable doubt, especially since you are guilty on their mere accusation.
* Evidence identifying the person needs to go beyond just an IP address as overseas judges are not recognising that an IP Address links to a person. This being the case the Copyright Holder should need to provide the ISP with more than just an IP as identification they need to provide evidence that identifies the person well enough that can rule out neighbours, hackers, botnets, etc. http://torrentfreak.com/ip-address-not-a-person-bittorrent-case-judge-says-110503/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Torrentfreak+%28Torrentfreak%29 http://arstechnica.com/tech-policy/news/2011/05/after-botched-child-porn-raid-judge-sees-the-light-on-ip-addresses.ars?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+arstechnica%2Findex+%28Ars+Technica+-+Featured+Content%29
* The accused should also be provided with a flow chart indicating where they currently are in the process and what avenues are open to them.
* This evidence needs to be provided for every copyright work in question.
* The Copyright Holder should also provide information about how the person could have legally obtained the work in question at the time in question and the cost of the work at the time the alleged offence took place. It should be legally available at equal or higher quality and on the Operating System that the user is using e.g. Linux, Android, Windows, Mac etc. It doesn't really count if the user uses Linux and the only legal way is via iTunes for example, which only works on Windows and Mac and is playable only on iPod and iPhone devices.
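As an added illustration of the chain of evidence and tamper detection asked for above (this is example code written for this page, not part of the submission or any regulation), the sketch below builds a manifest over a capture and the file reconstructed from it, records the timestamp and time source, and lets a verifier detect any altered artefact or altered manifest. The artefacts, key and time source are constructed stand-ins; an HMAC is used only to keep to the standard library, whereas a real scheme would use a digital signature so the accused and the tribunal can verify without holding the capturing party's key.

```python
"""Tamper-evident evidence manifest for a network dump and its reconstructed file.

Added example, not part of the original submission. Assumptions: artefacts are
plain bytes, the timestamp comes from a clock synced to an authenticated NTP
feed (only recorded here, not checked), and the manifest is protected with an
HMAC under a key shared by the capturing party and the verifier.
"""
import hashlib
import hmac
import json

# Constructed sample artefacts: a stand-in "network dump" and the file that was
# "reconstructed" from it. Neither is a real capture or a real work.
RECONSTRUCTED_FILE = bytes(range(256))
CAPTURE_BYTES = (b"CAPTURE-v1|" + b"\x00\x01" * 64
                 + b"|PAYLOAD:transformers.avi|" + RECONSTRUCTED_FILE)
ARTEFACTS = {"capture.pcap": CAPTURE_BYTES, "transformers.avi": RECONSTRUCTED_FILE}

# Constructed key shared between the capturing party and the verifier (example only).
MANIFEST_KEY = b"example-key-do-not-use-in-production"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(body: dict) -> bytes:
    # Sorted keys and fixed separators so the MAC covers one unambiguous encoding.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(artefacts: dict, captured_at: str, time_source: str, key: bytes) -> dict:
    """Hash every artefact, record when and from which clock it was captured, then MAC it."""
    body = {
        "captured_at": captured_at,   # UTC timestamp from the NTP-synced clock
        "time_source": time_source,   # which authenticated NTP feed the clock used
        "artefacts": {
            name: {"sha256": sha256_hex(data), "size": len(data)}
            for name, data in artefacts.items()
        },
    }
    mac = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


def verify_manifest(manifest: dict, artefacts: dict, key: bytes):
    """Return (ok, problems): MAC over the manifest first, then every artefact hash."""
    problems = []
    body = manifest["body"]
    expected_mac = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_mac, manifest["mac"]):
        problems.append("manifest MAC mismatch: manifest itself was altered")
    for name, entry in body["artefacts"].items():
        if name not in artefacts:
            problems.append(f"{name}: missing from evidence bundle")
            continue
        data = artefacts[name]
        if len(data) != entry["size"] or sha256_hex(data) != entry["sha256"]:
            problems.append(f"{name}: contents do not match manifest hash")
    for name in sorted(set(artefacts) - set(body["artefacts"])):
        problems.append(f"{name}: present but not covered by manifest")
    return (not problems, problems)


def reconstructed_file_in_capture(capture: bytes, reconstructed: bytes) -> bool:
    """Simplified check that the whole work really is inside the dump.

    A real capture would need TCP stream reassembly first; here the constructed
    dump carries the payload contiguously, so a substring test is enough.
    """
    return reconstructed in capture


def demo():
    """Clean bundle verifies; flipping one byte of the reconstructed file is caught."""
    manifest = build_manifest(ARTEFACTS, "2011-05-01T10:15:00Z",
                              "authenticated NTP feed (constructed)", MANIFEST_KEY)
    ok_clean, _ = verify_manifest(manifest, ARTEFACTS, MANIFEST_KEY)
    tampered = dict(ARTEFACTS)
    tampered["transformers.avi"] = RECONSTRUCTED_FILE[:-1] + b"\x00"
    ok_tampered, problems = verify_manifest(manifest, tampered, MANIFEST_KEY)
    return ok_clean, ok_tampered, problems


if __name__ == "__main__":
    print(demo())
```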

Q5 Which (if any) requirements should not be included and why?
As mentioned where it says to the ISP once it should also be sent to the accused every time.

Q6 What are the costs associated with gathering and storing the information that would be required? How are these costs calculated?
* For the ISP:
** They will have to store more information than they currently do, for particular retention periods:
*** There are costs in setting this up
*** There are costs to run this
*** There need to be guidelines around access to this data and under what warrant, and the privacy commissioner needs to be involved here.
** There will be costs in processing of these accusations
** There are market rates for people and systems in this case
* For the copyright holder:
** They will have to pay people to do the monitoring, evidence gathering and making the accusations.

Q7 Is any other information regarding alleged infringements necessary to allow internet account holders to properly understand the allegations being made?
* As mentioned in Q4 there needs to be all the evidence to prove beyond reasonable doubt that a breach has occurred and that the evidence has not been tampered with. A flow chart of the process, where they are in the process and what options they have is important.

Q8 Which of the above is your preferred option, and why?
* I prefer Option 2 as it will mean all people will get the same information independent of the Copyright Holder and/or ISP involved. This should include all the information provided to the ISP along with all the evidence and all additional information in Option 1.

Q9 Are the requirements in option one above adequate and why? What other requirements should be included, and why?
No, the information provided to the ISP by the Copyright Holder also needs to be passed on along with all the evidence, with a chain of custody, so the accused can be sure that a breach has actually happened.

Q10 Are the requirements in option one above adequate and why? What other requirements should be included, and why?
No Opinion

Q11 What information should be included with notices to ensure account holders are properly informed about the regime, and about copyright issues relating to file sharing or otherwise?
* The big one for me is evidence to prove beyond reasonable doubt that a breach has occurred, and this needs to be provided to the accused in full and protected against tampering.
* This should also be served on the person either in person or by registered mail. This is the start of legal proceedings so it should be served on the person so all parties know that it has been received by the accused, and not sent to the wrong address or not read because they are on holiday or something.
* Also details on how they could have obtained the work legally on the day in question, the costs involved and how to do it on Linux, Windows and Mac.

Q12 What functions should an IPAP be able to recover costs for under clause 10(eh). Why? In answering this question you may wish to comment on the distinction between ongoing and set up costs.
* All the costs, set up and ongoing, should be 100% payable by the copyright holder as it is not the ISP's core business of providing internet service to their customers. Setting this system up and running it should not lessen the service quality of the connection or support to the end user in any way or involve a cost increase, as that would mean all users are penalised for Copyright infringement when they are not personally involved.
* The recovery of costs will stop the copyright holder abusing the system

I'm not an ISP or Copyright Holder

Q17 Is this your preferred option and why?
Yes. Every ISP is different and will have different costs for implementing the system and staffing costs going forward. Given the different sizes of ISPs, scale will also affect costs, and different notices require different amounts of effort.

Q18 What potential impacts would result if a fee was not specified, and why would these arise?
That the copyright holders might not pay the ISPs enough and the ISPs will have to take money from other areas of the business or shut down, and this would punish users unlinked to the allegations.

Q19 Is this your preferred option and why?
No, option 1 is my preference

Q20 Taking into account the lower range of fees outlined in para 28, what is an appropriate notice fee under this option?
Not an ISP so don't know the actual costs involved

Q21 How do you calculate this fee?
A mixture of operating costs, and a formula to take into account the set up costs balanced across accusations and the time for depreciation of the system.

Q22 Not in discussion document

Q23 What are the potential implications of calculating the fee under this option, and why do they arise?
That they will suit the average ISP and some ISPs will make a profit while others will make a loss. There needs to be a yearly review to cover inflation and other changes that may affect price.

Q24 Is this your preferred option and why?
No, option 1 is my preference

Q25 Taking into account the lower range of fee above in para 28, what is an appropriate notice fee for each notice (detection, warning and enforcement), under this option?
Not an ISP so don't know the actual costs involved

Q26 How do you calculate this fee?
A mixture of operating costs per notice type, and a formula to take into account the set up costs balanced across accusations and the time for depreciation of the system.

Q27 What are the potential implications of calculating the fee under this option, and why do they arise?
That they will suit the average ISP and some ISPs will make a profit while others will make a loss. There needs to be a yearly review to cover inflation and other changes that may affect price.

Q28 Is this your preferred option and why?
No, option 1 is my preference

Q29 Taking into account the lower range of fee outlined in para 28, what is an appropriate notice fee, and appropriate IP address fee for this option?
Not an ISP so don't know the actual costs involved

Q30 How do you calculate this fee?
A mixture of operating costs, and a formula to take into account the set up costs balanced across accusations and the time for depreciation of the system.

Q31 What are the potential implications of calculating the fee under this option, and why do they arise?
That they will suit the average ISP and some ISPs will make a profit while others will make a loss. There needs to be a yearly review to cover inflation and other changes that may affect price.

Q32 Is this your preferred option and why?
100% on the copyright holder. The ISPs get money from their customers to cover the connection, data and customer support. This is a new service that ISPs will have to provide and Copyright Holders will be using this new service, so they should pay 100%.

Q33 If so, what is an appropriate ratio?
100% for the copyright holder as mentioned in my answer to Q32

Q34 How do you calculate this ratio?
100% on the Copyright Holder

Q35 What are the potential implications of the sharing of costs under this option, and why do they arise?
That ISP customers will have to subsidise the copyright holders' accusations against other users, and this is not fair, hence 100% on the copyright holder.

Q36 Do you consider the Tribunal should have discretion to calculate the amount of an award and why? Should the Tribunal have discretion to include an additional element that acts as a deterrent to future infringing (a deterrent element)? Why?
* It should be based on the cheapest instance of that product in the NZ market at the time the infringing happened. If it was not in the NZ market at the time the cost should be $0 as an incentive to the Entertainment Industry to provide the content legally in NZ in a timely manner, as this will help reduce the reasons people actually file share. I discuss this further here: http://mytwocents.karit.geek.nz/2011/04/fixing-root-cause-of-file-sharing.html
* It should focus solely on the works in question. In criminal trials previous convictions and future charges can not be provided as evidence for the Jury or taken into account by judges during sentencing so that shouldn't happen here either.
* The tribunal should only look at the uploading and downloading that the copyright holder has a network dump for as, assuming it hasn't been tampered with, it is the only evidence of what file sharing has actually taken place. Anything else is just speculation and not hard fact.
* If the user can not prove their innocence beyond reasonable doubt "court costs" will be applicable. If the user does prove they are innocent beyond reasonable doubt the Copyright Holder should be liable for court costs.
* If a work is currently not legally available for sale in NZ in a form that is consumable by the user in question (i.e. on iTunes is useless for someone who runs Linux on their desktop and Android on their phone) it has no value and no sales have been lost, so no compensation is needed in this situation.

Q37 Are the considerations set out above appropriate for the Tribunal to consider and why?
* No, they are creating a value for works that aren't available for sale in NZ at the time the offence occurred. This should be set to $0.

Q38 Should the Tribunal consider other factors and why?
* It should be based on the cheapest instance of that product in the NZ market at the time the infringing happened. If it was not in the NZ market at the time the cost should be $0 as an incentive to the Entertainment Industry to provide the content legally in NZ in a timely manner, as this will help reduce the reasons people actually file share. I discuss this further here: http://mytwocents.karit.geek.nz/2011/04/fixing-root-cause-of-file-sharing.html
* The tribunal should only look at the uploading and downloading that the copyright holder has a network dump for as, assuming it hasn't been tampered with, it is the only evidence of what file sharing has actually taken place. Anything else is just speculation and not hard fact. If the copyright holder can not provide dumps to show that the user had 100% of the file how can one prove that an offence actually happened?
* Whether the Copyright Holder educated the user about how they could have legally obtained the work in NZ on a variety of operating systems e.g. Linux, Android, Windows, Mac.

Q39 What are the potential implications of the Tribunal calculating the award via the method described under this option? Why do these arise?
That it takes into account works that are not legally obtainable in NZ in a form that is consumable by the person in question. It should only look at works that are legally obtainable in NZ and consumable by the person in question, in that if the user runs Linux or Android and the work is only on iTunes they have no way of consuming that work because iTunes is only on Windows, Mac and iOS.

Q40 Is this your preferred option and why?
If the multiplier is less than or equal to one times the retail value of legally obtaining the work in the NZ market, in a form consumable by the user in question, on the date the said offence took place, it is ok. If the multiplier is greater than one I prefer the previous option. If there is network dump evidence that they received or gave more than one copy (in whole unit increments, seeing the Bill removed "part of work") then a multiplier equal to the number of copies may be applied.

Q41-50 Not in discussion document

Q51 If you think regulations should prescribe a multiplier of market value, or a prescribed set of sums in addition to the compensation element of an award, what should the multiplier or sums be, and why?
It should be the retail value of legally obtaining the work in the NZ market, in a form consumable by the user in question, on the date the said offence took place. A multiplier can be applied for the number of whole copies shared, with evidence captured in a network dump as proof that multiple copies were shared.

Q52 What are the potential impacts of the Tribunal calculating the award via the method described under this option? Why do these impacts arise?
If this is greater than the retail value of legally obtaining the work in the NZ market, in a form consumable by the user in question, on the date the said offence took place, you are punishing the person for more than they actually did. The Entertainment Industry may say well, they shared it. Well in that case accuse everyone of sharing and don't double dip, i.e. don't get that retail value from both the uploader and the downloader.

28 April, 2011

Does NZ need a Technology based Political Party?

With the hilarity of the speeches by MPs during the debate of the recent Copyright Bill, does NZ need a political party who has a focus on Technology and a clue about what is going on? There is the Pirate Party who does have similar goals but personally I think the branding of calling the party the Pirate Party gives the majority of the public the wrong idea. I'm guessing they either need to rebrand or there needs to be another party that can focus on Technology without the linkage to Pirates. The Pirate Party has a lot of good ideas; it is just that I feel their name portrays the wrong image and is not helping get wider acceptance. I am guessing most people when they think pirates either think about talk like a pirate day, the pirates off the African coast or people who illegally obtain copyrighted goods. If you have a read of their site they are not this but have some very good view points on things around technology, privacy, free and equal access, software patents and the ever lengthening time that copyright is for. I have done some digging around other parties and can't find their viewpoints on the below, or they are vastly different and are not in the best interests of NZ Citizens.

The policies would be something along the lines of (happy to receive suggestions):
* Fixing the problems I have outlined in the Copyright Act

* Working towards making internet a basic Human Right. This is important as more Government Services move online, VoIP becomes more widespread and people need to dial 111 and banking, education and such also moves online more and more.

* Work on getting a second (and more) international fibre optical cable out of NZ to provide redundancy, competition, greater capacity, greater speed and hopefully cheaper prices.

* Better local peering. UFB should have the equivalent of "Free Local Calling". Thinking along the lines of WIX, you should be able to connect and use as much data as you like within a calling area so you can VPN to work, make local VoIP or Skype calls to local places or backup files to friends nearby without it counting towards your bandwidth cap.

* With UFB it should have Net Neutrality imposed on it. Everyone should have equal access and all content must be treated equally; an ISP shouldn't be able to make any traffic based on type, source or destination more expensive or more important than any other data. This needs to be imposed as Telecom and Telstra have already indicated that they won't play nice: they depeered from WIX and APE years ago trying to extort more money from content providers, making them pay while also charging their customers, so receiving money twice for the same data. For the content providers that didn't pay the extortion money it meant the content often gets served from the US rather than NZ based servers, making it slower to access that content and thus decreasing the user experience from optimal.

* Make it illegal for data en route to be tampered with or rerouted to deny access or change the data. There is a current example of an ISP injecting their own ads into sites like Apple and Google and intercepting 404 pages and DNS responses that return no result to put their ads in them. There is no excuse for tampering with content or results.

* Look at Spam policies. Maybe we need to attack the root cause of spam, which is people actually buying from it. Maybe we need better education of the public and maybe some harsher penalties for people buying from spam. If people stop buying from spam or falling for scammers their business model will no longer be profitable and they will shut up shop. For some more info on this have a look at a blog post I wrote last year.

* The DIA's Great Firewall of NZ needs more oversight. Child porn is bad but I don't think this system is the right way to go about it and it is a slippery slope towards the Great Firewall of China. I would guess that this system doesn't actually stop the vast majority of people, as I would expect the vast majority of Child Porn people don't use HTTP but use other ways to get the content they want. I feel this is more a PR thing than an actual stop people thing. If it does stay in place it needs greater transparency. It needs:
** Legislation governing what it can and can not do
** An independent oversight committee
** Details about what data is captured, how it is stored, who can access it, under what requirements/scope and when/how it is destroyed
** The list of sites blocked should be public. They say they only block Child Porn so it should be no issue releasing the list to prove that no other sites are blocked. Maybe not a full public release (so not telling people into child porn where to go) but a group of independent people who could verify it. Maybe InternetNZ, TUANZ and representatives of the media?
** A process and workflow to get sites unblocked
** The Australian system, before they dropped it, had blocked a Dentist's web site. What is there to currently stop the system from blocking web sites of the government's opponents or sites that don't give kickbacks?

* Better education of the public around security and practising safe internet use. A task force should be set up to work with ISPs to detect infected machines and help the end users get their computers fixed. This should help make the internet better for everyone.

* The public needs to be educated that P2P and filesharing are not bad and that they have legitimate and legal uses; it is just the sharing of copyrighted material that is the problem, not the systems and networks themselves. Bittorrent is used to distribute things like Ubuntu and Twitter even uses Bittorrent internally for updating their servers. P2P and Filesharing have been unfairly tarred over the years and this needs to be put right.

* There should also be public education around the use of public key encryption. Signing of emails may come in handy to stop phishing, as banks could sign all their messages so it would make it harder for the scammers to forge email.

* The Government, when making law changes, needs to engage with the IT community more around cost, timelines, etc. Currently the Government changes a law and puts a date on it and IT has to scramble to make it happen. With this, solutions need to be rushed together and money scraped up from around the place. When time, scope and money are strictly limited quality is what suffers, and low quality in IT systems costs more in the long run and doesn't provide optimal service to the public. Also given some of the tight deadlines these changes to systems can't be integrated properly with corporate IT strategies, budgets and existing systems.

* Work with the Entertainment Industry to move them into the 21st Century and the time after the Technological Pandora's box that has been opened. This has a lot to do with what I discussed in my first blog in relation to the new Act covering the root cause of filesharing. Technology has changed and consumers' expectations have changed, so the Entertainment Industry needs to meet those new expectations. It remains to be seen if the Entertainment Industry does it willingly or if they need some legislation to help them along. DRM has to be removed or at least be a lot less restrictive. The current ecosystems need to be loosened up, e.g. everyone mentions iTunes but it only works on Windows or OSX, iPod, iPad, iPhone and Apple TV, while what happens if I want to use this media which I have bought on Linux, a WD TV Live, a Samsung TV and an Android phone? Well I am plain out of luck. Devices and platforms will change in the future and I don't want to have to keep rebuying the content over and over. Also DRM is an issue for places like the National Library as it makes it near on impossible to archive the content for future generations. Also instead of inventing new DRM schemes isn't it better to give that money to the artists?

* Along similar lines Government content should be accessible to everyone. People have equal rights to get the same experience independent of OS choice (Linux, Windows, OSX, Android, iOS, etc) or browser choice (Firefox, Webkit, Chromium, IE etc) and the same content should be available via screen readers and the like. Proprietary formats should not be used at all, so no PDF, Word, Excel, Powerpoint, Flash, etc; it should be in open formats like HTML, Plain Text and Open Document Format. This provides equal access to everyone and people will not have to buy or use proprietary applications or formats.

* Schools also need better funding for their IT. Currently school IT budgets are small, so for support and equipment it is a race to the bottom to find the cheapest people, and unfortunately for schools if you pay peanuts you get monkeys. From what I have heard about the standard of the people that do school IT support, it makes me sick that they also call themselves IT Professionals. I am sure there are some good ones out there but I am just going on what I have heard.

* There should be measures put in place to ensure people's privacy online and the protection of their data as well. Take the recent PlayStation Network case, where the credit card details were encrypted because of financial regulations but the personal data like name, address, DOB, etc. was in plain text and was stolen. There should be requirements about how this data needs to be protected, and about what data may be retained and for how long.

* Patents should be for revolutionary, innovative and game-changing ideas, not mere evolutions. Currently too many patents are being given out, so instead of fostering and encouraging people to develop new things it is actually doing the opposite.

* For passing Bills under urgency there must be an urgent need, so all MPs should be in the house for Bills passed under urgency. MPs should arrive before the session starts and must stay in the house to be able to cast a vote in favour. If you are not in the house at the start of the reading and/or leave during the reading for any reason, you will be counted as a vote against the bill. If you want to vote against the bill you can either be in the house or be outside the house and have your vote counted automatically as a no. Urgent bills are for urgent matters and so should take priority over all other work, so there should be no issue with everyone being in the house; if there is, it isn't really an urgent matter, is it? For MPs on leave their vote should count as an abstention, as it is an urgent matter that has come up and, given they are not at parliament, they will be out of the loop on what is happening and so do not have access to the information needed to exercise an informed vote.

* State Owned Enterprises should not be sold. It may give money to the Government now, but in the long run it is better for NZ to keep the assets. For instance Telecom was sold for $4.25 billion and in 2008 made $0.7 billion in profit; disregarding inflation and what not, 4.25/0.7 = 6ish years. So every six years the Government would get the equivalent amount of money, with the addition that it keeps going for a lot longer. So needless to say it does not make sense to sell off state assets. Also take the Rail Network: the foreign companies ran it into the ground to make money then ditched it in a dilapidated state. State assets are too important to NZ to be allowed to be run into the ground for a quick profit, and should be left in the hands of government to play the long game with and do what is best for NZ.

So is anyone interested in such an idea? I need 500 financial members to like it so I can register as a party. Membership is 10 cents and I will spot the first 500 people the 10 cents to join.

27 April, 2011

What I see wrong with the Copyright (Infringing File Sharing) Amendment Act 2011

I will start out by saying IANAL

To have a read of the Act in question: http://www.legislation.govt.nz/act/public/2011/0011/latest/DLM2764312.html

Given the Copyright (Infringing File Sharing) Amendment Act 2011 and the speeches in Parliament it is quite clear that MPs do not have a collective clue about technology. Then there are people like Melissa Lee who spoke in favour of the Act when just the day before on Twitter she said she was listening to a compilation CD put together by a friend, which is copyright infringement and illegal filesharing, so is rather hypocritical (I am unaware of any physical CDs or download services that have a licence that allows sharing by burning CDs to give to a friend, thus this is copyright infringement. If one does exist and was used I am happy to correct this, but as of yet there has been no information on this). The Music Industry has a site for reporting music piracy, so I highly recommend everyone point that tweet out to them and get her and her friend done for copyright infringement.

I have already discussed in an earlier blog post how this Act covers the symptoms but does not hit the root cause of why people actually file share.

There are many things wrong with this Act which stem from the MPs not having a clue about technology, and it doesn't address why people file share or deal with the root cause.

If you have a read of the comments on the bill they mention that they want to define file sharing in such a way as not to cover email. Well, the definition in the act covers email. The act defines file sharing as "material is uploaded via, or downloaded from, the Internet using an application or network that enables the simultaneous sharing of material between multiple users; and uploading and downloading may, but need not, occur at the same time". Well, last time I checked email clients were able to send emails to multiple people and were able to receive emails from multiple people. They are also multi-threaded so are capable of sending and receiving simultaneously. A very interesting angle would be to get the MPs done for copyright infringement and have their internet shut down. What I am thinking is to send an email to an MP with the following as the signature: "©2011 I am the copyright holder of this file/email. I only grant permission for this file to be viewed by the people explicitly named in the To and CC fields. Any sharing of this file by electronic, physical, spoken, visual, summarised or other means (by people or machines) outside the people explicitly named above will be infringing on my copyright and be considered illegal file sharing. If you would like a licence to share this email you can email me about obtaining one. Licences start at NZ$15000 per person". Sending emails to MPs will work well as on the whole they are answered by their staff and not the people explicitly named, thus infringing on the copyright I have over my email. Also spam filters will read the message proper as well; mail servers only need to read the header information to know where to send it, they don't need to read the actual body of the email. We would most probably need to form a group which represents our copyright interests in email so we can send notices, so that one person doesn't need to send all three notices.
Adding the licence cost to the signature would mean I can hopefully claim the entire $15k maximum fine that the tribunal can hand out.

On mere accusation you are guilty. Some liken this to a speeding ticket, but there are great differences. Police Officers have gone through Police College so have had to prove their understanding of law and process. With speeding tickets there are clear guidelines about what evidence needs to be gathered. The tools used have to be certified and calibrated. The officer is available to present the evidence in court. The Police have procedures around chain of evidence and tampering with evidence. This law does not cover anything about what evidence needs to be gathered, who can gather the evidence and what qualifications they require, or what access you have to see the evidence. The only requirement set out in 122N is that the copyright holder can fill out the infringement notice form correctly; it has nothing to do with evidence or proof.

You are not allowed to bring a lawyer along without special leave from the tribunal, yet what are the chances that the advocate for the copyright holder will be one or more of the following: a solicitor, a barrister, someone with a law degree, part of a legal team, someone with access to near unlimited legal advice, someone who does these hearings on a regular basis? Given that, shouldn't you be able to have legal help at the tribunal? Remember you are guilty on mere accusation until you prove yourself innocent beyond reasonable doubt. This is not a particularly level or fair playing field, especially when it is already sloped such that you are guilty already.

Another aspect would be entrapment. If they are using BitTorrent, for example, to prove that you have downloaded the file they will either have to upload the whole file to you or themselves download the whole file off you, as the "part of a work" wording has been removed so only the whole work counts (you are allowed to use part of a work for review or satire). If the entertainment industry is on BitTorrent they would be actively saying "here, come download from me" or "hey, got a copy I could download?". The fact they are saying that, one could argue, is entrapment. If a police officer walked down the street offering drugs they couldn't charge you, as they were advertising/offering that they had drugs; if they were sitting quietly and you just randomly asked them, then that is not entrapment. Given how on BitTorrent everyone is always asking and offering, this could be considered entrapment.

IPv6 throws an interesting spanner in the works which is not covered by the bill. ISPs will allocate end users a block of IP addresses (a prefix), and an IP address block is a very different entity and concept from the single IP address described in the act. Your computer will automagically assign itself an IP address from that block; the ISP never chooses or sees which address a given machine picks. That being the case, does the copyright holder have to get the computer that automagically assigned itself an IPv6 address to send you a notice? And the ISP in this case should not send you a notice, as they had nothing to do with that particular IP address.
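The split the paragraph above describes, in working code. This is an added example and not part of the original post: the ISP delegates a block (here an assumed /56) to the customer, the customer's router advertises one /64 out of it, and each host derives its own interface identifier from its MAC address using the modified EUI-64 scheme from RFC 4291. The only thing the ISP can attest is that an address lies inside the block it delegated. All prefixes and MAC addresses below are constructed for illustration.

```python
# Added example, not from the original post. The ISP delegates a block to the
# customer, the customer's router advertises a /64 out of it, and each host
# derives its own interface identifier (RFC 4291 modified EUI-64) from its MAC.
# Every prefix and MAC address here is constructed for illustration.
import ipaddress


def eui64_interface_id(mac: str) -> int:
    """Return the 64-bit modified EUI-64 interface identifier for a MAC.

    RFC 4291 Appendix A: split the 48-bit MAC in half, insert 0xFFFE, and
    invert the universal/local bit (0x02 in the first octet).
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02  # flip the universal/local bit
    return int.from_bytes(eui, "big")


def slaac_address(onlink_prefix: str, mac: str) -> ipaddress.IPv6Address:
    """The address a host gives itself from an advertised /64 and its own MAC."""
    net = ipaddress.IPv6Network(onlink_prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("SLAAC uses a 64-bit on-link prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def within_delegation(addr: str, delegated_prefix: str) -> bool:
    """The only fact the ISP can vouch for: the address lies inside the block
    it delegated to the customer. Which machine picked it, the ISP never sees."""
    return ipaddress.IPv6Address(addr) in ipaddress.IPv6Network(delegated_prefix)


def household_addresses(onlink_prefix: str, macs):
    """Addresses that several hosts behind one customer connection end up with."""
    return [str(slaac_address(onlink_prefix, m)) for m in macs]


if __name__ == "__main__":
    ISP_BLOCK = "2001:db8:1234::/56"   # constructed: block delegated to the customer
    LAN = "2001:db8:1234:1::/64"       # constructed: one /64 the home router advertises
    for a in household_addresses(LAN, ["00:11:22:33:44:55", "00:11:22:66:77:88"]):
        print(a, within_delegation(a, ISP_BLOCK))
```

Running it prints two distinct addresses, both inside the delegated /56, neither of which the ISP allocated to a particular machine; with privacy extensions enabled a host would additionally change its interface identifier over time, making the mapping even weaker.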

You do have a right to challenge the notice, but you have to have it back to your ISP within 14 days of when they sent it. They will deliver the notice by the normal means in which they send you a bill, and given the clock starts ticking from when they send it, given that post isn't the fastest thing, especially when different cities are involved, and that there are weekends and holidays, and that you need time to respond, get legal advice, etc., it will be very hard to meet this requirement. Given that these notices are part of potential legal proceedings, I feel they should be served upon the person either in person or by registered mail, and the clock should start ticking from when it is served.

When it comes to cutting off people's internet there is nothing covering people using VoIP, as cutting off their internet connection will stop their phone connection and deny them access to calling 111. Committing fraud using a phone does not get your phone turned off, so you can still dial 111 in an emergency, so why should this be different? Remember with UFB and Fibre to the Home those phone connections will all be VoIP based.

Also, with more and more government services moving online, you will be denying people access to government services when you disconnect their internet. Banking on the whole is done online as well. So instead of cutting off the Internet shouldn't we be looking at making it a basic human right?

When motor vehicles first came out the horse coach building companies lobbied the governments of the time to make driving motor vehicles less attractive by forcing them to have someone walk in front waving a red flag. Is this law any different really? This act is about companies trying to protect their current business model rather than changing with the times. Given my last blog post there are a lot more productive/positive ways to sort this issue out.

It is easy to frame people. Having a read of some research about the DMCA, there have been instances of printers being framed by people using spoofed IP addresses. The printers didn't actually do any downloading; someone just managed to get the IP address of the printer listed in the list held by the person acting on behalf of the copyright holder. Spoofing IP addresses isn't too hard to do, so it will be interesting to see things like this happen. With my example of email above there are ways of violating this Act without you touching your computer, e.g. if your email is auto-forwarded, as national.org.nz autoforwards to the MPs' staff at @parliament.govt.nz addresses.
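One concrete way the framing above happens, and the check the entrapment paragraph earlier implies a copyright holder ought to do, as an added example that is not part of the original post. The BitTorrent tracker announce protocol (BEP 3) lets a client include an optional ip parameter naming the address it claims to be reachable at. A tracker that honours that field, and a monitoring agent that builds its infringement list from the tracker's peer list instead of actually exchanging pieces of the file with each peer, will record whatever address the announcing client chose, which can be a printer or anyone else. The announce URLs, addresses and piece counts below are constructed sample data.

```python
# Added example, not from the original post. BEP 3 lets a client's announce
# request carry an optional "ip" parameter naming the address it claims to be
# at; a tracker that honours it, and a monitor that copies the tracker's peer
# list instead of exchanging data with each peer, will record whatever address
# the announcing client chose. Addresses and announce URLs are constructed.
from urllib.parse import parse_qs, urlsplit

# (address the TCP connection actually came from, announce URL) -- constructed
SAMPLE_ANNOUNCES = [
    ("203.0.113.10",
     "http://tracker.example/announce?info_hash=0123456789abcdef0123"
     "&peer_id=-AZ2060-abcdefghijkl&port=6881&uploaded=0&downloaded=0&left=0"),
    # the second client announces from 203.0.113.20 but names an office
    # printer (198.51.100.7) as the address to list for it
    ("203.0.113.20",
     "http://tracker.example/announce?info_hash=0123456789abcdef0123"
     "&peer_id=-AZ2060-mnopqrstuvwx&port=9100&uploaded=0&downloaded=0&left=0"
     "&ip=198.51.100.7"),
]


def tracker_peer_list(announces, trust_ip_param):
    """Peer list a tracker would hand out for these announces.

    trust_ip_param=True mimics a tracker that honours the "ip" field;
    False mimics one that records only the connection's source address.
    """
    peers = []
    for source_ip, url in announces:
        params = parse_qs(urlsplit(url).query)
        port = int(params["port"][0])
        claimed = params.get("ip", [None])[0]
        ip = claimed if (trust_ip_param and claimed) else source_ip
        peers.append((ip, port))
    return peers


def framed_addresses(announces):
    """Addresses in the trusting tracker's list that never sent an announce."""
    listed = {ip for ip, _ in tracker_peer_list(announces, trust_ip_param=True)}
    actual = {source for source, _ in announces}
    return sorted(listed - actual)


def confirmed_infringers(peer_list, pieces_received):
    """What direct evidence supports: only peers we actually received data from.

    pieces_received maps (ip, port) -> bytes of the work received from that
    peer; a peer that only appears in a tracker listing has zero.
    """
    return sorted(p for p in peer_list if pieces_received.get(p, 0) > 0)


if __name__ == "__main__":
    peers = tracker_peer_list(SAMPLE_ANNOUNCES, trust_ip_param=True)
    print("tracker list:", peers)
    print("framed:", framed_addresses(SAMPLE_ANNOUNCES))
    # constructed: only the first peer ever sent us a piece of the file
    print("confirmed:", confirmed_infringers(peers, {("203.0.113.10", 6881): 262144}))
```

The printer's address appears in the trusting tracker's list and in nothing else: it never connected to the tracker and never served a byte. An enforcement process that only counts peers it has actually exchanged pieces with (the whole-work standard the Act itself implies) would never list it.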

I'm sure there are also more holes in the Act; I guess a lawyer really needs to sit down and form a full template defence for this. Though just as I was finishing this post up I stumbled across someone else's post on Facebook which is well worth a read as well.

26 April, 2011

Fixing the root cause of file sharing

After the Government passed the controversial File Sharing bill I put forward the following questions to the Government about what they are doing to address the root cause of file sharing. The symptoms will not go away until you get to the root cause of the problem. The letter goes as follows. I have thus far received no response from the PM or the Minister of Commerce Simon Power. I sent this on the 17th of April.


You have just passed the Internet Copyright Bill, which covers the symptom, which is sharing of copyrighted material. I am wondering what you are working on to fix the root cause of the problem.

What I am wondering is what plans you have in place to start working on fixing the root cause of the problem. How I see it, people download content because:
* The content isn't available in NZ in a timely manner. For instance a lot of shows aren't shown in NZ until 6 months to a couple of years later, if at all, while they are available on the internet within 30 minutes of first airing.
* The content needs to be provided in forms that consumers want. For instance I want to watch one episode on my TV, the next one on my Linux desktop and the third episode on my Android phone. I also want to be able to watch it more than once and not be restricted in how long I can watch it for. With DVDs and CDs I can watch it unlimited times; a lot of services overseas only allow one view and have a 24 hour expiry. This should also be via one service (all forms via one service, but there should be multiple services so no one has a monopoly on the distribution of the content) and one download. One download is very important in NZ seeing we have very small and expensive data caps compared to the rest of the world.
* It needs to be in the quality the user wants. With video content I want to watch it on my 1080p TV or computer monitor (also capable of 1080p or higher) and I want it to look good. Currently TVNZ Ondemand is low quality and looks very blocky when viewed on a large screen. With audio it should be lossless so you get the full CD quality of the audio, not a compressed lossy version in an AAC or MP3 format.

Timeliness is very important:
* Example one: I will use Top Gear, which is widely reported to be the most watched and the most downloaded TV show. Prime is getting better at showing this in a timely manner but is still twoish months behind. Top Gear is recorded weekly, so a lot of jokes, comments and news are very timely and current to that week, so when it is shown in NZ a lot of this is out of date and lacks the effect it would have if it was shown in NZ 12 hours after airing in the UK (shown in the NZ evening like it is shown in the UK evening).
* Example two is the Hurt Locker movie:
** It was screened at some film festivals and got some good reviews
** Some more film festivals and more good reviews
** Gets nominated for some Oscars
** Wins some Oscars
** People now, if not earlier, go "hmm, must be a good movie, I should watch it". They have a look around and can't find it at the cinemas, they can't find it in DVD rentals and they can't find it in the DVD store. So where do people go and find this great movie? Well, they download it, as there is no legal method to get it.
** The makers of The Hurt Locker decide to sue people for downloading it
** Finally gets a general wide scale cinema release
** Even later a DVD release
** What the entertainment industry needs to realise is that it is a global market these days. News through the media spreads throughout the world nearly instantaneously. There is now only a global marketplace; countries aren't their own separate marketplaces any longer, it is one worldwide market and needs to be treated as such. TV and movies also have online fan communities, and if you are not watching things at the same time as your peers in the communities you either can't be part of the community as you haven't seen it or you risk having it spoilt by people discussing the plot.
* The NZ movie Boy was very similar. Lots of NZers discussed it with friends and families overseas and the only way to see it overseas was via download; it wasn't going to be available to them in a timely manner if at all. So NZ needs to get international content quickly, but also, on the flipside, if NZ content is doing well it needs to be released quickly overseas so the people hearing the good things about it have a legal way to get it.
* To the TV companies' point that "Northern Hemisphere shows have a large break over their summer, which is our winter, which is the peak viewing time", some counter points:
** Well, people are currently downloading and watching TV on a Northern Hemisphere schedule and watching it heavily over the NZ summer, so people will keep watching.
** Maybe the NZ content could be shown over the NZ winter. If the NZ winter is the highest TV watching time, to get the best return on NZ On Air funding shouldn't the NZ TV shows be shown during peak viewing?
* Sport on the whole is not often illegally downloaded as it is normally available worldwide live (with replays at convenient times the next day for events during the NZ night, for the people not awake to see them live), so people will watch it through legal avenues. So that is an example showing how timely broadcast results in lower illegal download rates. I will say events like the Olympics are more downloaded, but then not all events are shown live, or at all, in all countries.
* So how are you working with the Entertainment industry to provide the content to NZers within 24 hours of it screening overseas, to help reduce the timeliness aspect of why people download?

Provided in a form that people want:
* These days with big screen TVs, computers, tablets and smart phones people want to watch content on their terms, when and where they want. From the one download people want to be able to consume the content on multiple devices, time shift, watch more than once, and not be limited to watching when they have an internet connection and within the 24 hours or 2 weeks that is often imposed. For instance I may want to buy a whole series and sit down one weekend and watch the whole season in one go.
* It needs to be one download, as in NZ we have very small and expensive data caps, so multiple downloads for different devices or streaming to all the different devices is rather cost prohibitive given what ISPs currently charge for data.
* Need to loosen up the ecosystems somewhat.
** Services like Hulu, BBC iPlayer and Netflix aren't available in NZ unless you jump through hoops and get overseas proxies, overseas VPNs, overseas credit cards and overseas mailing addresses. It is orders of magnitude easier to get the content via P2P than via the legal means. The legal means needs to be as easy and convenient as the illegal method, or easier and better suited, for people to switch.
** These systems are also locked to particular makes of TV, set top box or computer operating system. Running the Linux computer operating system means there is no legal way of purchasing or consuming this content; for instance iTunes only runs on Mac and Windows. This is really going to come to a head soon, as Android based smart phones now command the largest market share of smart phones, and Android phones (and tablets) run on top of Linux.

Quality is also very important:
* For music via iTunes and other online digital sellers they only provide the music in a lossy format (https://secure.wikimedia.org/wikipedia/en/wiki/Lossy_compression) such as MP3 or AAC. This means the audio will never sound as good as a CD. Online retailers of music need to release music in a lossless (https://secure.wikimedia.org/wikipedia/en/wiki/Lossless_compression) format such as FLAC (https://secure.wikimedia.org/wikipedia/en/wiki/FLAC). FLAC and other lossless audio codecs can provide the quality and fidelity of CD which a lossy codec such as MP3 or AAC can't.
* Video is similar. Most people these days have TVs and computer screens that are capable of 1080p, yet there is very little content of that quality out there. When lower quality content is scaled to a large display device it looks blocky and other compression artefacts are very apparent. TVNZ On Demand is fairly low quality; for instance its native size is the small box you see on your computer screen (computer screen, as I can't get it on my TV of course) that takes up a very small portion of the screen, and if you scale it up it looks downright awful. The media providers need to provide the content in the same quality which is available through file sharing networks, which is either Blu-Ray, DVD or 1080p, whichever the source is available in.

So I am very interested to hear how you are working with the entertainment industry to provide a legal way to get the content in the manner that consumers want. If you really want to work on reducing copyright infringement you need to go to the root of the problem and work your way up from there, not just slap a band aid on the symptoms. The root of the problem is lack of legal access to the content in a timely manner, in a form people want, in a quality people want. Then and only then will you start to fix the problem of copyright infringement.

07 September, 2010

Some ideas for NZ Civil Defence in the Social Media Space

Below is a letter I am sending to MCDEM and the Minister of Civil Defence with some thoughts for their Lessons Learnt workshops post the Christchurch earthquake.


When you start doing your debrief and lessons learnt sessions about the Christchurch earthquake there are a few points below about the use of the internet and social media which you might want to consider. This is the first major emergency event in NZ that has involved very active use of social media, and this medium brings both new opportunities and new challenges to communications in chaotic situations.

Your site (in particular the Chch update page http://www.civildefence.govt.nz/memwebsite.nsf) does not work at all on mobile phones. I have a Nexus One cellphone and when in landscape view it wouldn't scroll, and when I put the phone in portrait and zoomed in (so I could read the text) it would scroll a little bit and then got cut off, meaning I couldn't read all the text on the page. This is an issue because when there is a disaster people may not have power, or they might not be at their desktop or laptop. They are more likely to be accessing your information, which is out there to help them in the disaster area, on a mobile phone of some type. In future this is going to become more and more common.

Either you need to make your pages work on a mobile or have a dedicated mobile site which auto redirects when it detects a mobile phone. The mobile version should also be lighter on the images to improve load time and also to reduce cost. 2degrees did a good thing in saying the MCDEM, MoH, Get Thru etc. sites would be free of data traffic charges. Not sure if this is a short term thing or a permanent thing. Maybe you could work with the Telcos and ISPs about making traffic to sites like yours free either during an emergency or all of the time, in the interests of the greater good.

You updated your site hourly but it didn't show what had changed, so you had to read it all every time. Maybe you need to look at some type of versioning or "what's changed" feature, so people can just read what has changed since the last update. Wikipedia has an example of what I mean by showing the difference: http://en.wikipedia.org/w/index.php?title=2010_Canterbury_earthquake&action=historysubmit&diff=383217142&oldid=383211709 and http://en.wikipedia.org/w/index.php?title=2010_Canterbury_earthquake&action=history
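The "what's changed" view asked for above, as an added example that is not part of the original letter: it takes two versions of a plain-text hourly update (both constructed here, not real MCDEM content) and returns only the lines that were added or removed, plus a short summary line that fits in a tweet. It uses only difflib from the Python standard library.

```python
# Added example, not from the original letter: the "what's changed" view
# computed between two constructed versions of an hourly status update.
import difflib

OLD_UPDATE = """Update 6 09:00
Welfare centres open: Addington, Linwood
Water tankers: Hagley Park
Cordon in place around central city
"""  # constructed sample, not a real MCDEM update

NEW_UPDATE = """Update 7 10:00
Welfare centres open: Addington, Linwood, Burnside
Water tankers: Hagley Park, Riccarton
Cordon in place around central city
"""  # constructed sample, not a real MCDEM update


def whats_changed(old, new):
    """Return (added_lines, removed_lines); unchanged lines are dropped.

    n=0 asks unified_diff for no context lines, so everything left after the
    two file-header lines is either a hunk marker or a changed line.
    """
    diff = list(difflib.unified_diff(old.splitlines(), new.splitlines(),
                                     lineterm="", n=0))
    added, removed = [], []
    for line in diff[2:]:  # skip the "---" and "+++" file header lines
        if line.startswith("@@"):
            continue  # hunk position marker, not content
        if line.startswith("+"):
            added.append(line[1:])
        elif line.startswith("-"):
            removed.append(line[1:])
    return added, removed


def change_summary(old, new, limit=140):
    """One tweet-length line saying what is new since the last update."""
    added, _ = whats_changed(old, new)
    text = "New: " + " | ".join(added)
    if len(text) > limit:
        text = text[: limit - 3] + "..."
    return text


if __name__ == "__main__":
    added, removed = whats_changed(OLD_UPDATE, NEW_UPDATE)
    print("added:", added)
    print("removed:", removed)
    print(change_summary(OLD_UPDATE, NEW_UPDATE))
```

Publishing the summary line alongside each full update (or as the tweet that links to it) gives readers the reason to click that the later points in this letter ask for, and an identical repost produces an empty change list rather than a fresh "update" people have to reread.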

This was the first big NZ disaster that involved Social Media and there are some things that can be learnt about using Twitter to better engage with the public.
* You were late to the game; there was a lot of info on the web before you poked your head up. Apparently Twitter was busy by 5am or so, which I gather is about 1.5 hours before you came online.
* You were using the wrong hashtag on Twitter. #eqnz was the main Twitter hashtag by the time of your first post on #christchurchquake.
** Most people followed and posted to #eqnz, so they missed your updates which you tagged with #christchurchquake.
** #christchurchquake was far too long as a hashtag. Tweets are only 140 characters and people may be typing them on a cellphone. People want content, not lengthy hashtags in messages.
** http://www.cats-pyjamas.net/2010/09/social-media-use-in-a-crisis-eqnz-which-hashtag-prevails/ This is an informative blog post about Twitter and hashtags and the development of the #eqnz tag following the quake.

* Your messages could have been more useful. They just linked and didn't say what the info was in the tweet or what had changed or was new on the page since the last update.
** Your messages were along the lines of "#christchurchquake Update XX HH:MM LINK". Firstly you are not describing the information contained in the link, nor are you saying what is new. Some people retweeted your messages onto the main #eqnz feed, but on the whole they did not get much penetration.
** Tweets that got retweeted a lot were along the lines of "For information on water tanker locations LINK #eqnz" and "For damage claim information see LINK #eqnz". These messages were retweeted far more than your tweets, even though in some cases they were linking to your page. You need to give people a reason to go there, why they should spend time clicking on your link.
** http://www.cats-pyjamas.net/2010/09/social-media-in-a-crisis-eqnz-the-findable-usable-shareable/ This is about useful messages and the quake

* Your tweets were just a bot posting when your site was updated.
** You should have had a comms person monitoring and participating in the twittersphere in real time.
** People were sending you questions and you weren't responding to them.

* The Internet and social media allows for information to travel much faster and there was a lot of information coming up on Twitter.
** You weren't using the information on Twitter. I remember at one stage someone was giving an interview on TV and said that the hospital hadn't reported anything major. At the same time I was reading that the hospital was saying two people were seriously injured. These days information travels much faster, in a much more one-to-all fashion rather than a one-to-one chain. And when you start using outdated information people trust you less, as you seem to be behind the times and not know what is going on.
** The downside to this fast one-to-all communication is that from time to time rumours started which it would have been good to get under control quickly, e.g.
*** "All cell sites were going to die in under an hour." Telecom and VF stood up in this case and said they had more battery than that, and managed the rumour effectively.
*** "Riccarton Mall's roof is collapsing" from Monday
*** Rumours need to be stopped quickly and from an authoritative source, but you were not on Twitter so missed all this and couldn't feed in correct and up to date information.
** Telstra, Vodafone and Telecom early on seemed to be the ones who knew what was going on; they were reporting on the status of their networks but also power and such and generally what had happened. Come mid morning, once you and the mainstream media picked up and started telling people what was going on, the Telcos left it to Radio NZ, Stuff and NZ Herald to cover.

Also for personal updates Facebook was an important medium, as people could in one place give an update about themselves and also find out the status of their friends and family.

With social media and the internet becoming more important as a communication tool and as the place people these days go for information and to contact people, there are new needs for emergency kits. Maybe you should start recommending that people have spare phone batteries and/or solar chargers in their emergency kits. I found the internet much more on the pulse and up to date than other media. I found the radio was behind, TV One really slow and outdated, and TV3 seemed to completely miss the fact of the earthquake until the 6pm news.

New mapping opportunities also arise through Google Maps and Twitter. For example the link below is a really good map. It is being crowd sourced and was found via the #eqnz tag.
It is a Google Map of cordons, portaloos, water, welfare centres, open fast food, open petrol stations, etc. Neither MCDEM nor ECan are linking to it. And it is showing the information that people need, and a lot of it is sourced from you but just presented, to me at least, in a more usable/digestible form.

I would be happy to discuss some of the above matters with you in more detail if you would like that.  I am located in Wellington.