From tugwilson at gmail.com Sun Feb 5 14:00:46 2012
From: tugwilson at gmail.com (John Wilson)
Date: Sun, 5 Feb 2012 14:00:46 +0000
Subject: Buckinghamshire CC ANPR cameras

Rather to my surprise Bucks CC have given me the details of the hashing scheme used by ANPR cameras which implement the UTMC protocol (which is, I think, all of the civil and police ANPR cameras). This was the result of an FoI request.

D 0 Q are replaced with O (Q isn't used in the current numbering scheme)
1 is replaced with I (I isn't used in the current numbering scheme)
5 is replaced with S
Y is replaced with V
8 and B are replaced with 3 (this may cause problems after 2030)
Z is replaced with 2
F is replaced with E
C is replaced with G
M N W are replaced with H

In the scheme used since 2002 replacing a number by a letter or a letter by a number will not cause extra collisions.

The transformed plate number is then hashed with the one-at-a-time hash function described here
http://www.burtleburtle.net/bob/hash/doobs.html

The 32 bit result is reduced to 24 or 18 bits simply by masking.

This is described in the UTMC Technical Guide TR007.001b which, as far as I can tell is not published on the UTMC site. If anybody would like a copy of the document please contact me off list.

It would appear that the Highways Agency's statement that a large prime number is used is untrue.

I'm going to be doing some experiments to see how well the function does with some generated numberplate data.

John Wilson

From igb at batten.eu.org Sun Feb 5 21:56:38 2012
From: igb at batten.eu.org (Ian Batten)
Date: Sun, 5 Feb 2012 21:56:38 +0000
Subject: Buckinghamshire CC ANPR cameras

On 5 Feb 2012, at 14:00, John Wilson wrote:

>
> The transformed plate number is then hashed with the one-at-a-time
> hash function described here
> http://www.burtleburtle.net/bob/hash/doobs.html

You have to wonder how on earth an obscure, unreviewed algorithm published in a hobbyist magazine ends up being used in a production system, don't you?

ian

From fw at deneb.enyo.de Sun Feb 5 22:55:55 2012
From: fw at deneb.enyo.de (Florian Weimer)
Date: Sun, 05 Feb 2012 23:55:55 +0100
Subject: Buckinghamshire CC ANPR cameras

* Ian Batten:

> On 5 Feb 2012, at 14:00, John Wilson wrote:
>
>>
>> The transformed plate number is then hashed with the one-at-a-time
>> hash function described here
>> http://www.burtleburtle.net/bob/hash/doobs.html
>
> You have to wonder how on earth an obscure, unreviewed algorithm
> published in a hobbyist magazine ends up being used in a production
> system, don't you?

This particular function wasn't even published in Dr. Dobb's. However, Bob Jenkins' hash functions are widely used. Your own computer probably uses them in some fashion, too.

From bdm at fenrir.org.uk Sun Feb 5 22:55:25 2012
From: bdm at fenrir.org.uk (Brian Morrison)
Date: Sun, 5 Feb 2012 22:55:25 +0000
Subject: Buckinghamshire CC ANPR cameras

On Sun, 5 Feb 2012 21:56:38 +0000
Ian Batten wrote:

> You have to wonder how on earth an obscure, unreviewed algorithm published
> in a hobbyist magazine ends up being used in a production system,
> don't you?

Sadly no, I imagine that the reason it was used was because someone found it and didn't do any more thinking about what was needed and how the algorithm would affect those needs.

--
Brian Morrison bdm at fenrir dot org dot uk

"Arguing with an engineer is like wrestling with a pig in the mud; after a while you realize you are muddy and the pig is enjoying it."

GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html

From tugwilson at gmail.com Mon Feb 6 10:24:48 2012
From: tugwilson at gmail.com (John Wilson)
Date: Mon, 6 Feb 2012 10:24:48 +0000
Subject: Buckinghamshire CC ANPR cameras

On 5 February 2012 22:55, Brian Morrison wrote:
> On Sun, 5 Feb 2012 21:56:38 +0000
> Ian Batten wrote:
>
>> You have to wonder how on earth an obscure, unreviewed algorithm published
>> in a hobbyist magazine ends up being used in a production system,
>> don't you?
>
> Sadly no, I imagine that the reason it was used was because someone
> found it and didn't do any more thinking about what was needed and how
> the algorithm would affect those needs.

The document claims they tested a range of hash functions with 100,000 valid registration numbers. It seems quite a small test sample.

I'm not sniffy about contributors to Dr Dobbs. Back in the day it was a good deal more useful to the working programmer than the ACM Communications.

I've done some quick tests using generated registration numbers.

If you try all the possible valid registration numbers between 51 and 12 (that's about 130 million)

24% have 10 collisions or fewer,
53% have 25 collisions or fewer,
92% have 100 collisions or fewer.
1% of the numbers have 246 collisions or more.
The highest number of collisions is 2080.

Of course, in the field you will have pre 2001 registration numbers, "cherished numbers" and foreign numbers none of which I take into account with this test.

It would be interesting to know if the DVLA manages the numbers it issues to minimise the number of collisions. They know all the current registration numbers so could suppress new numbers which would have a high collision rate.

I think the hash function is good enough to argue that large datasets of traffic data are not really fully anonymised.

John Wilson

From lists at internetpolicyagency.com Mon Feb 6 11:10:19 2012
From: lists at internetpolicyagency.com (Roland Perry)
Date: Mon, 6 Feb 2012 11:10:19 +0000
Subject: Buckinghamshire CC ANPR cameras

In article , John Wilson writes
>It would be interesting to know if the DVLA manages the numbers it
>issues to minimise the number of collisions. They know all the current
>registration numbers so could suppress new numbers which would have a
>high collision rate.

Given that the "replacements" are also the sort of characters that humans might confuse, reducing the number of collisions would seem to be useful, or are more of the collisions caused by 'weakness' of the hash, rather than two numberplates having the same pre-hash text after the replacement function has been run?
--
Roland Perry

From igb at batten.eu.org Mon Feb 6 11:11:39 2012
From: igb at batten.eu.org (Ian Batten)
Date: Mon, 6 Feb 2012 11:11:39 +0000
Subject: Buckinghamshire CC ANPR cameras

On 6 Feb 2012, at 10:24, John Wilson wrote:

>
> I'm not sniffy about contributors to Dr Dobbs. Back in the day it was
> a good deal more useful to the working programmer than the ACM
> Communications.

That's not the point. The hash function that you cited was designed for table lookup. There's a lot of such functions, and their properties are fairly well understood. But the application it's being used for here isn't a table lookup: it's data anonymisation. It's different.

Before worrying about which journal you're going to look in, you need to know what it is you want to achieve. And a table-lookup hash function probably doesn't have those properties. For example, it has no need to make the average hamming distance between two outputs independent of the hamming distance between the inputs, whereas for anonymisation I'd say that was likely to be essential. It's fine if the output from a table-lookup function sorts into the same order as its inputs (ie, f(x)>f(y) => x>y) but that would be suicidal in anonymisation.

ian

From igb at batten.eu.org Mon Feb 6 11:40:29 2012
From: igb at batten.eu.org (Ian Batten)
Date: Mon, 6 Feb 2012 11:40:29 +0000
Subject: Regulatory Impact Assessment on LA use of RIPA

http://www.parliament.uk/documents/impact-assessments/IA12-004E.pdf

From tugwilson at gmail.com Mon Feb 6 11:49:14 2012
From: tugwilson at gmail.com (John Wilson)
Date: Mon, 6 Feb 2012 11:49:14 +0000
Subject: Buckinghamshire CC ANPR cameras

On 6 February 2012 11:10, Roland Perry wrote:
> In article
> , John
> Wilson writes
>
>> It would be interesting to know if the DVLA manages the numbers it
>> issues to minimise the number of collisions. They know all the current
>> registration numbers so could suppress new numbers which would have a
>> high collision rate.
>
>
> Given that the "replacements" are also the sort of characters that humans
> might confuse, reducing the number of collisions would seem to be useful, or
> are more of the collisions caused by 'weakness' of the hash, rather than two
> numberplates having the same pre-hash text after the replacement function
> has been run?

The "weakness" is caused by the substitution mechanism.

Running the test on the same dataset without substitution gives:

70% with 10 collisions or fewer
99% with 25 collisions or fewer
the highest number of collisions is 32 (2 instances)

It's possible that the DVLA to avoid issuing numbers which can be easily confused. I might try an FoI request about this.

John Wilson

From lists at internetpolicyagency.com Mon Feb 6 13:18:07 2012
From: lists at internetpolicyagency.com (Roland Perry)
Date: Mon, 6 Feb 2012 13:18:07 +0000
Subject: Buckinghamshire CC ANPR cameras

In article , John Wilson writes
>
>It's possible that the DVLA to avoid issuing numbers which can be
>easily confused. I might try an FoI request about this.

They do have some kind of programme for not issuing "rude" numbers, but PEN was one that got away.

We can only speculate why they apparently haven't issued PEN S.
--
Roland Perry

From tugwilson at gmail.com Mon Feb 6 14:06:29 2012
From: tugwilson at gmail.com (John Wilson)
Date: Mon, 6 Feb 2012 14:06:29 +0000
Subject: Buckinghamshire CC ANPR cameras

On 6 February 2012 13:18, Roland Perry wrote:
> In article
> , John
> Wilson writes
>
>>
>> It's possible that the DVLA to avoid issuing numbers which can be
>> easily confused. I might try an FoI request about this.
>
>
> They do have some kind of programme for not issuing "rude" numbers, but PEN
> was one that got away.
>
> We can only speculate why they apparently haven't issued PEN S.

I've asked them about this
http://www.whatdotheyknow.com/request/licence_number_selection/new

John Wilson

From pwt at iosis.co.uk Mon Feb 6 20:15:54 2012
From: pwt at iosis.co.uk (Peter Tomlinson)
Date: Mon, 06 Feb 2012 20:15:54 +0000
Subject: Buckinghamshire CC ANPR cameras

Surely the test is: is the method appropriate for the task? And the task appears to be traffic management. The monitoring software should be able to filter out many of the collisions.

What interests me is why there isn't a common method. So what do the TrafficMaster people, who help us by warning of congestion ahead on motorways, do? And is their method good enough for monitoring urban congestion?

Peter

On 06/01/2012 16:48, John Wilson wrote:
> Bucks County Council have installed about a dozen ANPR cameras on
> roads leading in to Aylesbury and in Aylesbury town centre as part of
> a central Government funded "Urban Traffic Management" scheme. The
> idea is that this data is to be used to collect journey times to allow
> them to give warnings of congestion to motorists (quite what the
> motorists are supposed to do with the information is not explained).
> They also run CCTV cameras as part of this scheme.

From bdm at fenrir.org.uk Mon Feb 6 21:47:54 2012
From: bdm at fenrir.org.uk (Brian Morrison)
Date: Mon, 6 Feb 2012 21:47:54 +0000
Subject: Buckinghamshire CC ANPR cameras

On Mon, 06 Feb 2012 20:15:54 +0000
Peter Tomlinson wrote:

> So what do the
> TrafficMaster people, who help us by warning of congestion ahead on
> motorways, do?

According to what I read back in the 90s I think, they claimed that they were scanning only the centre part of the registration plate and then tokenising that, then only looking at that token over a couple of 4 mile segments, or possibly only one, and estimating traffic flow based on the known percentage of cars that turn off main roads.

But later information about police requests for TM's data relating to motorway journeys makes me wonder if that was a convenient untruth, I don't have the links but it was claimed that their data was used to convict the perps of a murder in Scotland where the travelling was done via the motorways.

Since reg plates are not in one fixed position on vehicles it would need a pretty complex algorithm to find the plate and then look only at one part of it, particularly as some plates have all characters in a line and others are split into two rows.

--
Brian Morrison bdm at fenrir dot org dot uk

"Arguing with an engineer is like wrestling with a pig in the mud; after a while you realize you are muddy and the pig is enjoying it."

GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html

From lists at internetpolicyagency.com Tue Feb 7 08:29:00 2012
From: lists at internetpolicyagency.com (Roland Perry)
Date: Tue, 7 Feb 2012 08:29:00 +0000
Subject: Buckinghamshire CC ANPR cameras

In article <20120206214754.426156c7 at peterson.fenrir.org.uk>, Brian Morrison writes
>Since reg plates are not in one fixed position on vehicles it would need
>a pretty complex algorithm to find the plate

You have to do that to perform ANPR at all.

>and then look only at one part of it,

Wouldn't you "look at" all of it, then discard all but the middle?

>particularly as some plates have all characters in a line
>and others are split into two rows.

See my first comment above. Also, for the purposes of Trafficmaster, you could simply disregard the small percentage of plates that have two rows.
--
Roland Perry

From pwt at iosis.co.uk Tue Feb 7 08:37:09 2012
From: pwt at iosis.co.uk (Peter Tomlinson)
Date: Tue, 07 Feb 2012 08:37:09 +0000
Subject: Buckinghamshire CC ANPR cameras

Doesn't Prof Peter White, Westminster Uni, specialise in the handling of large dirty datasets? I know someone who did a PhD on that subject there some 8 to 10 years ago, sponsored by DfT. But then DfT is not good at spreading the knowledge that it has (or even at using it internally)...

Peter

On 07/02/2012 08:29, Roland Perry wrote:
> In article <20120206214754.426156c7 at peterson.fenrir.org.uk>, Brian
> Morrison writes
>> Since reg plates are not in one fixed position on vehicles it would need
>> a pretty complex algorithm to find the plate
>
> You have to do that to perform ANPR at all.
>
>> and then look only at one part of it,
>
> Wouldn't you "look at" all of it, then discard all but the middle?
>
>> particularly as some plates have all characters in a line
>> and others are split into two rows.
>
> See my first comment above. Also, for the purposes of Trafficmaster,
> you could simply disregard the small percentage of plates that have
> two rows.

From bdm at fenrir.org.uk Tue Feb 7 10:15:36 2012
From: bdm at fenrir.org.uk (Brian Morrison)
Date: Tue, 7 Feb 2012 10:15:36 +0000
Subject: Buckinghamshire CC ANPR cameras

On Tue, 7 Feb 2012 08:29:00 +0000
Roland Perry wrote:

> In article <20120206214754.426156c7 at peterson.fenrir.org.uk>, Brian
> Morrison writes
> >Since reg plates are not in one fixed position on vehicles it would need
> >a pretty complex algorithm to find the plate
>
> You have to do that to perform ANPR at all.
>
> >and then look only at one part of it,
>
> Wouldn't you "look at" all of it, then discard all but the middle?

Well this is where the controversy over police requests to TM for their data came from, TM's description (that I can't now find) said that they simply tokenised the centre of the plate and then discarded the tokens after using them for flow analysis. I suppose that most people took that to mean that they didn't keep the raw plate images, but it would appear that actually they did.

There was a question about why they might have kept the raw data when the way their system works should not require it to be kept at all.

--
Brian Morrison bdm at fenrir dot org dot uk

"Arguing with an engineer is like wrestling with a pig in the mud; after a while you realize you are muddy and the pig is enjoying it."

GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html

From lists at internetpolicyagency.com Tue Feb 7 14:02:09 2012
From: lists at internetpolicyagency.com (Roland Perry)
Date: Tue, 7 Feb 2012 14:02:09 +0000
Subject: Buckinghamshire CC ANPR cameras

In article <20120207101536.54587f4c at peterson.fenrir.org.uk>, Brian Morrison writes
>> >Since reg plates are not in one fixed position on vehicles it would need
>> >a pretty complex algorithm to find the plate
>>
>> You have to do that to perform ANPR at all.
>>
>> >and then look only at one part of it,
>>
>> Wouldn't you "look at" all of it, then discard all but the middle?
>
>Well this is where the controversy over police requests to TM for their
>data came from, TM's description (that I can't now find) said that they
>simply tokenised the centre of the plate and then discarded the tokens
>after using them for flow analysis. I suppose that most people took
>that to mean that they didn't keep the raw plate images, but it would
>appear that actually they did.

If the camera is discarding all but the centre section of the plate, it would be consistent with both their traffic measuring objective but also being able to disclose to law enforcement a "trail" of particular centre sections[1]. But this begs the question of how the "centre section" is defined, because if it's not very precise (either in inches or in number of characters) then it wouldn't even work for the traffic measurement.

Given that some [vanity] numberplates are as short as two letters, the concept of "centre" might be a little strained.

[1] Using my earlier example, if you could show that a "centre section" of '?EN 1?'
was consistently present on a route, you might regard that as sufficiently good sigint about that particular car that day. There'd be collisions with plates like 'AEN 19' (rather than the target with P at the beginning and 5 on the end), but perhaps not catastrophically so.
--
Roland Perry

From clive at davros.org Tue Feb 7 15:06:02 2012
From: clive at davros.org (Clive D.W. Feather)
Date: Tue, 7 Feb 2012 15:06:02 +0000
Subject: Buckinghamshire CC ANPR cameras

Roland Perry said:
> But this begs the question of how the "centre section" is
> defined, because if it's not very precise (either in inches or in number
> of characters) then it wouldn't even work for the traffic measurement.

Firstly, the plate is a nice yellow rectangle, which should make it easy to spot on all except white and yellow cars.

If you define "centre" as being the central 50% of the width then, *for a given car* you'll always get the same subset of the registration. It might be a different subset for different cars, but that's irrelevant.

--
Clive D.W. Feather          | If you lie to the compiler,
Email: clive at davros.org  | it will get its revenge.
Web: http://www.davros.org  |     - Henry Spencer
Mobile: +44 7973 377646

From pwt at iosis.co.uk Tue Feb 7 16:19:50 2012
From: pwt at iosis.co.uk (Peter Tomlinson)
Date: Tue, 07 Feb 2012 16:19:50 +0000
Subject: Buckinghamshire CC ANPR cameras

You should "always get the same subset of the registration", but off the motorways there are a lot of cars (and even some vans) with incorrectly formatted plates [1] that may well confuse.

Mysteriously, on the motorways I have seen very few illegal plates...

Peter

[1] It just might be that I live in a lawless place.

On 07/02/2012 15:06, Clive D.W. Feather wrote:
> Roland Perry said:
>> But this begs the question of how the "centre section" is
>> defined, because if it's not very precise (either in inches or in number
>> of characters) then it wouldn't even work for the traffic measurement.
> Firstly, the plate is a nice yellow rectangle, which should make it easy to
> spot on all except white and yellow cars.
>
> If you define "centre" as being the central 50% of the width then, *for a
> given car* you'll always get the same subset of the registration. It might
> be a different subset for different cars, but that's irrelevant.
>

From lists at internetpolicyagency.com Tue Feb 7 16:21:43 2012
From: lists at internetpolicyagency.com (Roland Perry)
Date: Tue, 7 Feb 2012 16:21:43 +0000
Subject: Buckinghamshire CC ANPR cameras

In article <20120207150602.GC69364 at davros.org>, Clive D.W.
Feather writes
>> But this begs the question of how the "centre section" is
>> defined, because if it's not very precise (either in inches or in number
>> of characters) then it wouldn't even work for the traffic measurement.
>
>Firstly, the plate is a nice yellow rectangle, which should make it easy to
>spot on all except white and yellow cars.

On my car it's white at the front (where ANPR cameras look). The yellow one is on the back.

>If you define "centre" as being the central 50% of the width then, *for a
>given car* you'll always get the same subset of the registration. It might
>be a different subset for different cars, but that's irrelevant.

That makes a lot of sense, so you are voting for the centre being "inches"? On my car that's probably going to be all five characters (so not anonymised at all), but I can't complain as I've got a personal plate precisely so I'm more recognisable!

[Actually, I got the plate because I was fed up having to remember a short-lived random sequence to recite every time I bought petrol with a credit card in the 80's, but one does become attached to them].
--
Roland Perry

From lists at internetpolicyagency.com Tue Feb 7 16:24:59 2012
From: lists at internetpolicyagency.com (Roland Perry)
Date: Tue, 7 Feb 2012 16:24:59 +0000
Subject: Unsecured wifi might be contributory negligence

"A federal lawsuit filed in Massachusetts could test the question of whether individuals who leave their wireless networks unsecured can be held liable if someone uses the network to illegally download copyrighted content."
--
Roland Perry

From lists at internetpolicyagency.com Tue Feb 7 16:48:18 2012
From: lists at internetpolicyagency.com (Roland Perry)
Date: Tue, 7 Feb 2012 16:48:18 +0000
Subject: Buckinghamshire CC ANPR cameras

In article <4F314F26.8020409 at iosis.co.uk>, Peter Tomlinson writes
>Mysteriously, on the motorways I have seen very few illegal plates...

The only time my numberplate was challenged was when pulled over on a motorway specifically to check it (they said). Luckily I'd recently been reading some geekish stuff [2] about the spacing of numberplates, and was confident it was legal (and not just that, spaced completely normally[3] without even trying to bend the rules).

They seemed a bit peeved, but the kerning[1] on the number I have does make it look rather more spaced out than it would be with different letters.

[1] Or more exactly the lack of it, as decreed in the regulations.

[2] Currently V796.

[3] 61mm[4] per letter, with an extra 20mm between the two halves.

[4] No idea where this comes from, it's not sufficiently close to 2.5" for example, and if metric why not 60mm?
--
Roland Perry

From clive at davros.org Tue Feb 7 17:52:48 2012
From: clive at davros.org (Clive D.W. Feather)
Date: Tue, 7 Feb 2012 17:52:48 +0000
Subject: Buckinghamshire CC ANPR cameras

Peter Tomlinson said:
> You should "always get the same subset of the registration", but off the
> motorways there are a lot of cars (and even some vans) with incorrectly
> formatted plates [1] that may well confuse.

It doesn't matter.
What I said was:
>> *for a
>> given car* you'll always get the same subset of the registration. It might
>> be a different subset for different cars, but that's irrelevant.

If one car gets characters 2 to 6 while another gets characters 3 to 7 or even 3 to 5, you still get a consistent string for each car that you can use to see, with reasonable accuracy, when the same car turns up further along the road.

--
Clive D.W. Feather          | If you lie to the compiler,
Email: clive at davros.org  | it will get its revenge.
Web: http://www.davros.org  |     - Henry Spencer
Mobile: +44 7973 377646

From ben at liddicott.com Tue Feb 7 18:44:35 2012
From: ben at liddicott.com (Ben Liddicott)
Date: Tue, 7 Feb 2012 18:44:35 -0000
Subject: Buckinghamshire CC ANPR cameras

Perhaps worth reiterating that for anonymisation, the object is to have a relatively high, fairly uniform, level of collisions.

There are 18million-ish cars on the road. That means that if we are using a reasonable hash and masking to 24 bits, we have not performed any anonymisation whatsoever.

Masking to 18 bits will give us approximately 10-20 cars in each bucket, which is a bare minimum level of anonymisation at a national level.

However most driving doesn't occur at a national level. In Bucks there will (based on population) be around 250,000 to 300,000 cars registered. To get basic anonymisation you really want to restrict the hash to 15,000 to 30,000 buckets, = 14 to 15 bits at the absolute outside.

(Also recall that the new numbering scheme is regional. So if you want to play "where in the world is YY 01 ABC" (made up number) a good guess will start with Yorkshire, for example. Anonymisation needs to take this into account).

Bucket size may need to be higher/hash length lower if journey information can be combined with other information (such as a known start point, probable "first sight" entrypoints into the ANPR system etc). If such information is available to a malefactor you may struggle to justify more than four or five bits as anonymous.

Cheers,
Ben

-----Original Message-----
From: John Wilson
Sent: Sunday, February 05, 2012 2:00 PM
To: UK Cryptography Policy Discussion Group
Subject: Re: Buckinghamshire CC ANPR cameras

Rather to my surprise Bucks CC have given me the details of the hashing scheme used by ANPR cameras which implement the UTMC protocol (which is, I think, all of the civil and police ANPR cameras). This was the result of an FoI request.

D 0 Q are replaced with O (Q isn't used in the current numbering scheme)
1 is replaced with I (I isn't used in the current numbering scheme)
5 is replaced with S
Y is replaced with V
8 and B are replaced with 3 (this may cause problems after 2030)
Z is replaced with 2
F is replaced with E
C is replaced with G
M N W are replaced with H

In the scheme used since 2002 replacing a number by a letter or a letter by a number will not cause extra collisions.

The transformed plate number is then hashed with the one-at-a-time hash function described here
http://www.burtleburtle.net/bob/hash/doobs.html

The 32 bit result is reduced to 24 or 18 bits simply by masking.

This is described in the UTMC Technical Guide TR007.001b which, as far as I can tell is not published on the UTMC site. If anybody would like a copy of the document please contact me off list.

It would appear that the Highways Agency's statement that a large prime number is used is untrue.

I'm going to be doing some experiments to see how well the function does with some generated numberplate data.

John Wilson

From colinthomson1 at o2.co.uk Thu Feb 9 11:42:09 2012
From: colinthomson1 at o2.co.uk (Tom Thomson)
Date: Thu, 9 Feb 2012 11:42:09 -0000
Subject: Buckinghamshire CC ANPR cameras
In-Reply-To:
References: <4F3034FA.80804@iosis.co.uk><20120206214754.426156c7@peterson.fenrir.org.uk><20120207101536.54587f4c@peterson.fenrir.org.uk> <20120207150602.GC69364@davros.org><4F314F26.8020409@iosis.co.uk>
Message-ID:

> [4] No idea where this comes from, it's not sufficiently close to 2.5"
> for example, and if metric why not 60mm?
> --
> Roland Perry

Maybe it comes from a fifth of a foot? It's very close to that (much closer than 60 mm or 62 mm).

But looking for a meaning for 61mm may be a bit pointless as the statutory instrument specifies, for plates fitted on or after 1 Sep 2001, a character width of 50mm and inter-character spacing of 11mm, which was derived from the previous 57mm and 11mm by producing a condensed version of the font. Condensation was needed because registration marks were longer than previously - which also caused the previous option of a larger face (89mm height instead of 79mm, 64mm width instead of 57mm, 13mm inter-character space instead of 11mm, and 38mm inter-group space instead of 33mm) to be dropped altogether. So 61mm appears to be an accident arising from the condensation, not a figure derived from a previous regulation which used inches.

I think the 1971 regulation used metric too, and while 68mm doesn't look like anything derived from an earlier non-metric number, 64mm and 13mm may come from 2.5in and 0.5in; 57mm could come from 2.25in, but I can't think of anything that 11mm could have come from - unless maybe someone decided to use 11 instead of 12 (for 0.45in, 11.7cm, which is where a 2.5in to 2.25in scaling would have put the 0.5in gap on the smaller option) because 12 was too close to 13.

Tom

From matthew at pemble.net Fri Feb 10 08:09:05 2012
From: matthew at pemble.net (Matthew Pemble)
Date: Fri, 10 Feb 2012 08:09:05 +0000
Subject: Buckinghamshire CC ANPR cameras
In-Reply-To:
References: <4F3034FA.80804@iosis.co.uk> <20120206214754.426156c7@peterson.fenrir.org.uk> <20120207101536.54587f4c@peterson.fenrir.org.uk> <20120207150602.GC69364@davros.org> <4F314F26.8020409@iosis.co.uk>
Message-ID:

On 7 February 2012 16:48, Roland Perry wrote:

> They seemed a bit peeved, but the kerning[1] on the number I have does
> make it look rather more spaced out than it would be with different letters.
>
> [1] Or more exactly the lack of it, as decreed in the regulations.

And, lo and behold, Randall is on point with today's comic: http://xkcd.com/1015/

M
--
Matthew Pemble
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From theom+news at chiark.greenend.org.uk Tue Feb 14 11:42:28 2012
From: theom+news at chiark.greenend.org.uk (Theo Markettos)
Date: Tue, 14 Feb 2012 11:42:28 +0000
Subject: Unsecured wifi might be contributory negligence
In-Reply-To:
Message-ID:

In article Roland Perry wrote:
> "A federal lawsuit filed in Massachusetts could test the question of
> whether individuals who leave their wireless networks unsecured can be
> held liable if someone uses the network to illegally download
> copyrighted content."

How does this differ from a secured but public network? Can operators of coffee shop or hotel lobby wifi networks, which are secured but have a password obtainable from the desk, be held responsible for traffic that their users generate?

Are hotels liable for abusive phone calls made by their guests?
Theo

From matthew at pemble.net Tue Feb 14 13:34:47 2012
From: matthew at pemble.net (Matthew Pemble)
Date: Tue, 14 Feb 2012 13:34:47 +0000
Subject: Unsecured wifi might be contributory negligence
In-Reply-To:
References:
Message-ID:

On 14 February 2012 11:42, Theo Markettos wrote:

> In article Roland Perry wrote:
> > "A federal lawsuit filed in Massachusetts could test the question of
> > whether individuals who leave their wireless networks unsecured can be
> > held liable if someone uses the network to illegally download
> > copyrighted content."
>
> How does this differ from a secured but public network? Can operators of
> coffee shop or hotel lobby wifi networks, which are secured but have a
> password obtainable from the desk, be held responsible for traffic that
> their users generate?
>
> Are hotels liable for abusive phone calls made by their guests?

As I understand it, there are statutory "mere conduit" carve-outs in the law for commercial service providers (US and EU) as well as historic ones for postal and telephony services.

Therefore, assuming there is liability in the non-commercial context (which I hope there is not but am not going to put any money on it), it comes down to a weighting as to whether the services were provided as part of a commercial service (liability excluded), non-commercially (the MPAA ownz your base) or ancillary to. The latter being the sort of horrid factional sub-jurisdictional and case law mess that lawyers love and engineers loathe.

M.
--
Matthew Pemble
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From lists at internetpolicyagency.com Tue Feb 14 13:35:33 2012
From: lists at internetpolicyagency.com (Roland Perry)
Date: Tue, 14 Feb 2012 13:35:33 +0000
Subject: Unsecured wifi might be contributory negligence
In-Reply-To:
References:
Message-ID:

In article , Theo Markettos writes
>> "A federal lawsuit filed in Massachusetts could test the question of
>> whether individuals who leave their wireless networks unsecured can be
>> held liable if someone uses the network to illegally download
>> copyrighted content."
>
>How does this differ from a secured but public network? Can operators of
>coffee shop or hotel lobby wifi networks, which are secured but have a
>password obtainable from the desk, be held responsible for traffic that
>their users generate?

My understanding is that as long as the operator in question complies with the DMCA, they are safe in this respect. The important difference being that even if they offer the service "free", it's still an intentional service for their customers.

>Are hotels liable for abusive phone calls made by their guests?

No, under different telecoms law.
--
Roland Perry

From maryhawking at tigers.demon.co.uk Wed Feb 15 21:49:59 2012
From: maryhawking at tigers.demon.co.uk (Mary Hawking)
Date: Wed, 15 Feb 2012 21:49:59 -0000
Subject: Unsecured wifi might be contributory negligence
In-Reply-To:
References:
Message-ID: <069DA878E6E146A781F24677D0C5E2CE@MaryPC>

Does this apply to private users?
Suppose an OAP comes on the internet and does not realise that there is a way to secure the WiFi router (or does not realise it *is* wifi - and junior-next-door uses it - will the OAP be held liable?
If so, will the Internet Provider have failed in its Duty of Care (if it has any)?

Mary Hawking
"thinking - independent thinking - is to humans as swimming is to cats: we can do it if we really have to."? Mark Earles on Radio 4. ?
and don't forget patients like Fred!
http://primaryhealthinfo.wordpress.com/2011/12/11/fred-and-his-dog-an-update/

-----Original Message-----
From: Theo Markettos [mailto:theom+news at chiark.greenend.org.uk]
Sent: 14 February 2012 11:42
To: UK Cryptography Policy Discussion Group
Subject: Re: Unsecured wifi might be contributory negligence

In article Roland Perry wrote:
> "A federal lawsuit filed in Massachusetts could test the question of
> whether individuals who leave their wireless networks unsecured can be
> held liable if someone uses the network to illegally download
> copyrighted content."

How does this differ from a secured but public network? Can operators of coffee shop or hotel lobby wifi networks, which are secured but have a password obtainable from the desk, be held responsible for traffic that their users generate?

Are hotels liable for abusive phone calls made by their guests?

Theo

From lists at internetpolicyagency.com Wed Feb 15 22:04:17 2012
From: lists at internetpolicyagency.com (Roland Perry)
Date: Wed, 15 Feb 2012 22:04:17 +0000
Subject: Unsecured wifi might be contributory negligence
In-Reply-To: <069DA878E6E146A781F24677D0C5E2CE@MaryPC>
References: <069DA878E6E146A781F24677D0C5E2CE@MaryPC>
Message-ID:

In article <069DA878E6E146A781F24677D0C5E2CE at MaryPC>, Mary Hawking writes
>Does this apply to private users?
>Suppose an OAP comes on the internet and does not realise that there is a
>way to secure the WiFi router (or does not realise it *is* wifi - and
>junior-next-door uses it - will the OAP be held liable?

I think that's what they are trying to establish in the USA (which of course is not a precedent for the UK).

>If so, will the Internet Provider have failed in its Duty of Care (if it has
>any)?

An even better can of worms.

>Mary Hawking
>"thinking - independent thinking - is to humans as swimming is to cats: we
>can do it if we really have to."? Mark Earles on Radio 4. ?
>and don't forget patients like Fred!
>http://primaryhealthinfo.wordpress.com/2011/12/11/fred-and-his-dog-an-update
>
>-----Original Message-----
>From: Theo Markettos [mailto:theom+news at chiark.greenend.org.uk]
>Sent: 14 February 2012 11:42
>To: UK Cryptography Policy Discussion Group
>Subject: Re: Unsecured wifi might be contributory negligence
>
>In article Roland Perry wrote:
>> "A federal lawsuit filed in Massachusetts could test the question of
>> whether individuals who leave their wireless networks unsecured can be
>> held liable if someone uses the network to illegally download
>> copyrighted content."
>
>How does this differ from a secured but public network? Can operators of
>coffee shop or hotel lobby wifi networks, which are secured but have a
>password obtainable from the desk, be held responsible for traffic that
>their users generate?
>
>Are hotels liable for abusive phone calls made by their guests?
>
>Theo
>
--
Roland Perry

From igb at batten.eu.org Thu Feb 16 08:39:10 2012
From: igb at batten.eu.org (Ian Batten)
Date: Thu, 16 Feb 2012 08:39:10 +0000
Subject: Unsecured wifi might be contributory negligence
In-Reply-To: <069DA878E6E146A781F24677D0C5E2CE@MaryPC>
References: <069DA878E6E146A781F24677D0C5E2CE@MaryPC>
Message-ID:

On 15 Feb 2012, at 21:49, Mary Hawking wrote:

> Does this apply to private users?
> Suppose an OAP comes on the internet and does not realise that there is a
> way to secure the WiFi router (or does not realise it *is* wifi - and
> junior-next-door uses it - will the OAP be held liable?

Quite a lot of ISPs now ship the routers with some security turned on. It might be weak --- WEP is commonly used, presumably for back-compatibility reasons --- but there's a substantial difference between leaving your front door unlocked and having a lock which turns out to be susceptible to bump-keys.

I think you can just about construct an argument that if an access point is open it's reasonable to expect that others might use it and to then appreciate there might later be an attribution problem over who did what (although how that differs from, say, a landlord providing WiFi broadband in a shared student house where the individual students have no contractual relationship to each other is left as an exercise for the reader). But once there are measures in place that make it clear an invitation is not being extended, even if those measures are defeatable, then I think that argument evaporates.

ian

From nbohm at ernest.net Thu Feb 16 11:59:44 2012
From: nbohm at ernest.net (Nicholas Bohm)
Date: Thu, 16 Feb 2012 11:59:44 +0000
Subject: Unsecured wifi might be contributory negligence
In-Reply-To:
References: <069DA878E6E146A781F24677D0C5E2CE@MaryPC>
Message-ID: <4F3CEFB0.1050906@ernest.net>

On 16/02/2012 08:39, Ian Batten wrote:
> On 15 Feb 2012, at 21:49, Mary Hawking wrote:
>
>> Does this apply to private users?
>> Suppose an OAP comes on the internet and does not realise that there is a
>> way to secure the WiFi router (or does not realise it *is* wifi - and
>> junior-next-door uses it - will the OAP be held liable?
> Quite a lot of ISPs now ship the routers with some security turned on. It might be weak --- WEP is commonly used, presumably for back-compatibility reasons --- but there's a substantial difference between leaving your front door unlocked and having a lock which turns out to be susceptible to bump-keys. I think you can just about construct an argument that if an access point is open it's reasonable to expect that others might use it and to then appreciate there might later be an attribution problem over who did what (although how that differs from, say, a landlord providing WiFi broadband in a shared student house where the individual students have no contractual relationship to each other is left as an exercise for the reader). But once there are measures in place that make it clear an invitation is not being extended, even if those measures are defeatable, then I think that argument evaporates.
>

It seems to need restating from time to time that you are not legally liable (civilly or criminally) for what third parties do with things that you own or control (unless you have actively aided or abetted them, or conspired with them, etc).

E.g. if you leave a ladder in your garden and a burglar uses it to burgle your neighbour, you are not in breach of any duty of care because you failed to secure the ladder.

The same applies to Wi-Fi routers.

Nicholas
--
Contact and PGP key here

From lists at internetpolicyagency.com Thu Feb 16 12:57:28 2012
From: lists at internetpolicyagency.com (Roland Perry)
Date: Thu, 16 Feb 2012 12:57:28 +0000
Subject: Unsecured wifi might be contributory negligence
In-Reply-To: <4F3CEFB0.1050906@ernest.net>
References: <069DA878E6E146A781F24677D0C5E2CE@MaryPC> <4F3CEFB0.1050906@ernest.net>
Message-ID:

In article <4F3CEFB0.1050906 at ernest.net>, Nicholas Bohm writes
>It seems to need restating from time to time that you are not legally
>liable (civilly or criminally) for what third parties do with things
>that you own or control (unless you have actively aided or abetted them,
>or conspired with them, etc).
>
>E.g. if you leave a ladder in your garden and a burglar uses it to
>burgle your neighbour, you are not in breach of any duty of care because
>you failed to secure the ladder.
>
>The same applies to Wi-Fi routers.

To continue the analogy, one problem is that your fingerprints will be all over both the ladder and the communications from your wi-fi router.

We are still at the early stages of forensic analysis of communications, and there is still a tendency to think that the wi-fi owner is guilty (of whatever infraction has his fingerprints on it) until proved innocent.
--
Roland Perry

From nbohm at ernest.net Thu Feb 16 13:13:30 2012
From: nbohm at ernest.net (Nicholas Bohm)
Date: Thu, 16 Feb 2012 13:13:30 +0000
Subject: Unsecured wifi might be contributory negligence
In-Reply-To:
References: <069DA878E6E146A781F24677D0C5E2CE@MaryPC> <4F3CEFB0.1050906@ernest.net>
Message-ID: <4F3D00FA.9020109@ernest.net>

On 16/02/2012 12:57, Roland Perry wrote:
> In article <4F3CEFB0.1050906 at ernest.net>, Nicholas Bohm
> writes
>> It seems to need restating from time to time that you are not legally
>> liable (civilly or criminally) for what third parties do with things
>> that you own or control (unless you have actively aided or abetted them,
>> or conspired with them, etc).
>>
>> E.g. if you leave a ladder in your garden and a burglar uses it to
>> burgle your neighbour, you are not in breach of any duty of care because
>> you failed to secure the ladder.
>>
>> The same applies to Wi-Fi routers.
>
> To continue the analogy, one problem is that your fingerprints will be
> all over both the ladder and the communications from your wi-fi router.
>
> We are still at the early stages of forensic analysis of
> communications, and there is still a tendency to think that the wi-fi
> owner is guilty (of whatever infraction has his fingerprints on it)
> until proved innocent.

I'm sure you're right.

And of course it's perfectly reasonable to interview the owner of the ladder or the router to ask whether he was the burglar or the downloader, or can provide information that might identify the culprit. But that implies no more than that he might be a useful witness if he doesn't admit to being the guilty party.

Nicholas
--
Contact and PGP key here

From Andrew.Cormack at ja.net Thu Feb 16 13:37:29 2012
From: Andrew.Cormack at ja.net (Andrew Cormack)
Date: Thu, 16 Feb 2012 13:37:29 +0000
Subject: Unsecured wifi might be contributory negligence
In-Reply-To:
References: <069DA878E6E146A781F24677D0C5E2CE@MaryPC>
Message-ID: <61E52F3A5532BE43B0211254F13883AE09F19CA9@EXC001>

> -----Original Message-----
> From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto-
> bounces at chiark.greenend.org.uk] On Behalf Of Ian Batten
> Sent: 16 February 2012 08:39
> To: UK Cryptography Policy Discussion Group
> Subject: Re: Unsecured wifi might be contributory negligence

> But once there are
> measures in place that make it clear an invitation is not being
> extended, even if those measures are defeatable, then I think that
> argument evaporates.

I did spot an SSID recently that made it *very* clear (in words of four and three letters) that an invitation was *not* being extended. However I doubt that'll make it into any ISP's default access point setting any time soon ;-)

Lord Errol put the case of the confused access point owner rather well during the DEA debate in the Lords, IIRC

Andrew
--
Andrew Cormack
Chief Regulatory Adviser Janet
Direct line: +44 (0) 1235 822302
Janet, the UK's education and research network

From lists at internetpolicyagency.com Thu Feb 16 15:07:09 2012
From: lists at internetpolicyagency.com (Roland Perry)
Date: Thu, 16 Feb 2012 15:07:09 +0000
Subject: Unsecured wifi might be contributory negligence
In-Reply-To: <4F3D00FA.9020109@ernest.net>
References: <069DA878E6E146A781F24677D0C5E2CE@MaryPC> <4F3CEFB0.1050906@ernest.net> <4F3D00FA.9020109@ernest.net>
Message-ID:

In article <4F3D00FA.9020109 at ernest.net>, Nicholas Bohm writes
>>> E.g. if you leave a ladder in your garden and a burglar uses it to
>>> burgle your neighbour, you are not in breach of any duty of care because
>>> you failed to secure the ladder.
>>>
>>> The same applies to Wi-Fi routers.
>>
>> To continue the analogy, one problem is that your fingerprints will be
>> all over both the ladder and the communications from your wi-fi router.
>>
>> We are still at the early stages of forensic analysis of
>> communications, and there is still a tendency to think that the wi-fi
>> owner is guilty (of whatever infraction has his fingerprints on it)
>> until proved innocent.
>
>I'm sure you're right.
>
>And of course it's perfectly reasonable to interview the owner of the
>ladder or the router to ask whether he was the burglar or the
>downloader, or can provide information that might identify the culprit.
>But that implies no more than that he might be a useful witness if he
>doesn't admit to being the guilty party.

But wifi routers seem to be in the same mental camp as motor cars, and if you can't prove someone else was driving at the time, they'll try to nail the keeper.
--
Roland Perry

From igb at batten.eu.org Thu Feb 16 15:49:24 2012
From: igb at batten.eu.org (Ian Batten)
Date: Thu, 16 Feb 2012 15:49:24 +0000
Subject: Unsecured wifi might be contributory negligence
In-Reply-To:
References: <069DA878E6E146A781F24677D0C5E2CE@MaryPC> <4F3CEFB0.1050906@ernest.net> <4F3D00FA.9020109@ernest.net>
Message-ID: <8279E31C-D03C-412A-B16D-64E3181CF503@batten.eu.org>

On 16 Feb 2012, at 15:07, Roland Perry wrote:
>
> But wifi routers seem to be in the same mental camp as motor cars, and if you can't prove someone else was driving at the time, they'll try to nail the keeper.

But that's going to need to be put onto a legal footing. Cars do have registered keepers, which may be distinct from owners, and that those registered keepers have responsibilities (for example, companies need to keep records of who is driving pool cars) stems from the requirement that cars be insured. None of that's true for broadband connections, and even if you can construct some sort of "head of the household" concept for some domestic settings, it doesn't work for others, still less for businesses.

ian

From nbohm at ernest.net Thu Feb 16 16:21:04 2012
From: nbohm at ernest.net (Nicholas Bohm)
Date: Thu, 16 Feb 2012 16:21:04 +0000
Subject: Unsecured wifi might be contributory negligence
In-Reply-To:
References: <069DA878E6E146A781F24677D0C5E2CE@MaryPC> <4F3CEFB0.1050906@ernest.net> <4F3D00FA.9020109@ernest.net>
Message-ID: <4F3D2CF0.4020005@ernest.net>

On 16/02/2012 15:07, Roland Perry wrote:
> In article <4F3D00FA.9020109 at ernest.net>, Nicholas Bohm
> writes
>>>> E.g. if you leave a ladder in your garden and a burglar uses it to
>>>> burgle your neighbour, you are not in breach of any duty of care
>>>> because
>>>> you failed to secure the ladder.
>>>>
>>>> The same applies to Wi-Fi routers.
>>>
>>> To continue the analogy, one problem is that your fingerprints will be
>>> all over both the ladder and the communications from your wi-fi router.
>>>
>>> We are still at the early stages of forensic analysis of
>>> communications, and there is still a tendency to think that the wi-fi
>>> owner is guilty (of whatever infraction has his fingerprints on it)
>>> until proved innocent.
>>
>> I'm sure you're right.
>>
>> And of course it's perfectly reasonable to interview the owner of the
>> ladder or the router to ask whether he was the burglar or the
>> downloader, or can provide information that might identify the culprit.
>> But that implies no more than that he might be a useful witness if he
>> doesn't admit to being the guilty party.
>
> But wifi routers seem to be in the same mental camp as motor cars, and
> if you can't prove someone else was driving at the time,

the burden of proof isn't on the keeper

> they'll try to nail the keeper.

For a non-criminal claim (e.g. negligence)? I rather doubt that. And the (private individual) keeper's obligation is to provide what information he has about who was driving. If three or four people are insured to drive and the keeper says he cannot remember, and there's no other evidence, I suspect that's the end of it. Or are there contrary examples?

Nicholas
--
Contact and PGP key here

From lists at internetpolicyagency.com Thu Feb 16 21:42:18 2012
From: lists at internetpolicyagency.com (Roland Perry)
Date: Thu, 16 Feb 2012 21:42:18 +0000
Subject: Unsecured wifi might be contributory negligence
In-Reply-To: <8279E31C-D03C-412A-B16D-64E3181CF503@batten.eu.org>
References: <069DA878E6E146A781F24677D0C5E2CE@MaryPC> <4F3CEFB0.1050906@ernest.net> <4F3D00FA.9020109@ernest.net> <8279E31C-D03C-412A-B16D-64E3181CF503@batten.eu.org>
Message-ID:

In article <8279E31C-D03C-412A-B16D-64E3181CF503 at batten.eu.org>, Ian Batten writes
>> But wifi routers seem to be in the same mental camp as motor cars, and if you can't prove someone else was driving at the time, they'll try
>>to nail the keeper.
>
>But that's going to need to be put onto a legal footing. Cars do have registered keepers, which may be distinct from owners, and that those
>registered keepers have responsibilities (for example, companies need to keep records of who is driving pool cars) stems from the requirement
>that cars be insured. None of that's true for broadband connections, and even if you can construct some sort of "head of the household"
>concept for some domestic settings, it doesn't work for others, still less for businesses.

There's no need for a new concept: "Subscriber" has been OK for a decade at least, for sundry activities associated with telecoms facilities.
-- Roland Perry From lists at internetpolicyagency.com Thu Feb 16 21:44:47 2012 From: lists at internetpolicyagency.com (Roland Perry) Date: Thu, 16 Feb 2012 21:44:47 +0000 Subject: Unsecured wifi might be contributory negligence In-Reply-To: <4F3D2CF0.4020005@ernest.net> References: <069DA878E6E146A781F24677D0C5E2CE@MaryPC> <4F3CEFB0.1050906@ernest.net> <4F3D00FA.9020109@ernest.net> <4F3D2CF0.4020005@ernest.net> Message-ID: <9n3G7AmPjXPPFAaO@perry.co.uk> In article <4F3D2CF0.4020005 at ernest.net>, Nicholas Bohm writes >> But wifi routers seem to be in the same mental camp as motor cars, and >> if you can't prove someone else was driving at the time, > >the burden of proof isn't on the keeper > >> they'll try to nail the keeper. > >For a non-criminal claim (e.g. negligence)? I rather doubt that. And >the (private individual) keeper's obligation is to provide what >information he has about who was driving. If three or four people are >insured to drive and the keeper says he cannot remember, and there's no >other evidence, I suspect that's the end of it. Or are there contrary >examples? I thought the keeper got the parking tickets these days, if he couldn't decide who was driving. -- Roland Perry From igb at batten.eu.org Thu Feb 16 22:27:54 2012 From: igb at batten.eu.org (Ian Batten) Date: Thu, 16 Feb 2012 22:27:54 +0000 Subject: Unsecured wifi might be contributory negligence In-Reply-To: <4F3D2CF0.4020005@ernest.net> References: <069DA878E6E146A781F24677D0C5E2CE@MaryPC> <4F3CEFB0.1050906@ernest.net> <4F3D00FA.9020109@ernest.net> <4F3D2CF0.4020005@ernest.net> Message-ID: <3F2E8887-7CC5-42E3-AF1B-C799F1AD089A@batten.eu.org> On 16 Feb 2012, at 16:21, Nicholas Bohm wrote: > If three or four people are > insured to drive and the keeper says he cannot remember, and there's no > other evidence, I suspect that's the end of it. Or are there contrary > examples? I think businesses are obligated to keep records, but I don't know under what legislation or regulation. 
And of course Chris Huhne might have a point of view... ian From maryhawking at tigers.demon.co.uk Fri Feb 17 09:03:35 2012 From: maryhawking at tigers.demon.co.uk (Mary Hawking) Date: Fri, 17 Feb 2012 09:03:35 -0000 Subject: Unsecured wifi might be contributory negligence In-Reply-To: References: <069DA878E6E146A781F24677D0C5E2CE@MaryPC><4F3CEFB0.1050906@ernest.net> <4F3D00FA.9020109@ernest.net> <8279E31C-D03C-412A-B16D-64E3181CF503@batten.eu.org> Message-ID: So the OAP will be held liable whether or not he/she has secured the WiFi? Was the original US case about the illegal download or the negligence of the subscriber? Mary Hawking "thinking - independent thinking - is to humans as swimming is to cats: we can do it if we really have to." Mark Earles on Radio 4. and don't forget patients like Fred! http://primaryhealthinfo.wordpress.com/2011/12/11/fred-and-his-dog-an-update/ -----Original Message----- From: Roland Perry [mailto:lists at internetpolicyagency.com] Sent: 16 February 2012 21:42 To: ukcrypto at chiark.greenend.org.uk Subject: Re: Unsecured wifi might be contributory negligence In article <8279E31C-D03C-412A-B16D-64E3181CF503 at batten.eu.org>, Ian Batten writes >> But wifi routers seem to be in the same mental camp as motor cars, and if you can't prove someone else was driving at the time, they'll try >>to nail the keeper. > >But that's going to need to be put onto a legal footing. Cars do have registered keepers, which may be distinct from owners, and that those >registered keepers have responsibilities (for example, companies need to keep records of who is driving pool cars) stems from the requirement >that cars be insured. None of that's true for broadband connections, and even if you can construct some sort of "head of the household" >concept for some domestic settings, it doesn't work for others, still less for businesses. 
There's no need for a new concept: "Subscriber" has been OK for a decade at least, for sundry activities associated with telecoms facilities. -- Roland Perry From lists at internetpolicyagency.com Fri Feb 17 09:33:27 2012 From: lists at internetpolicyagency.com (Roland Perry) Date: Fri, 17 Feb 2012 09:33:27 +0000 Subject: Unsecured wifi might be contributory negligence In-Reply-To: <3F2E8887-7CC5-42E3-AF1B-C799F1AD089A@batten.eu.org> References: <069DA878E6E146A781F24677D0C5E2CE@MaryPC> <4F3CEFB0.1050906@ernest.net> <4F3D00FA.9020109@ernest.net> <4F3D2CF0.4020005@ernest.net> <3F2E8887-7CC5-42E3-AF1B-C799F1AD089A@batten.eu.org> Message-ID: In article <3F2E8887-7CC5-42E3-AF1B-C799F1AD089A at batten.eu.org>, Ian Batten writes > >On 16 Feb 2012, at 16:21, Nicholas Bohm wrote: > >> If three or four people are insured to drive and the keeper says he >>cannot remember, and there's no other evidence, I suspect that's the >>end of it. Or are there contrary examples? > >I think businesses are obligated to keep records, but I don't know >under what legislation or regulation. RTA 1991 S.172 -- Roland Perry From lists at internetpolicyagency.com Fri Feb 17 09:36:21 2012 From: lists at internetpolicyagency.com (Roland Perry) Date: Fri, 17 Feb 2012 09:36:21 +0000 Subject: Unsecured wifi might be contributory negligence In-Reply-To: References: <069DA878E6E146A781F24677D0C5E2CE@MaryPC> <4F3CEFB0.1050906@ernest.net> <4F3D00FA.9020109@ernest.net> <8279E31C-D03C-412A-B16D-64E3181CF503@batten.eu.org> Message-ID: In article , Mary Hawking writes >So the OAP will be held liable whether or not he/she has secured the WiFi? Policy in this area is still being formed. >Was the original US case about the illegal download or the negligence of the >subscriber? 
Quoting from the original Computerworld Article (the case has yet to come to court), the complainant is proposing that: "Even if the defendants did not directly download the movies, they had control over the Internet access used for copyright infringement purposes.... Defendants' negligent actions allowed others to unlawfully copy and share Plaintiff's copyrighted Motion Picture". -- Roland Perry From nbohm at ernest.net Fri Feb 17 12:01:48 2012 From: nbohm at ernest.net (Nicholas Bohm) Date: Fri, 17 Feb 2012 12:01:48 +0000 Subject: Unsecured wifi might be contributory negligence In-Reply-To: References: <069DA878E6E146A781F24677D0C5E2CE@MaryPC><4F3CEFB0.1050906@ernest.net> <4F3D00FA.9020109@ernest.net> <8279E31C-D03C-412A-B16D-64E3181CF503@batten.eu.org> Message-ID: <4F3E41AC.2090505@ernest.net> On 17/02/2012 09:03, Mary Hawking wrote: > So the OAP will be held liable whether or not he/she has secured the WiFi? Not in the UK (yet, at least). > Was the original US case about the illegal download or the negligence of the > subscriber? I've lost track of that. Nicholas -- Contact and PGP key here From amidgley at gmail.com Fri Feb 17 10:15:19 2012 From: amidgley at gmail.com (Adrian Midgley) Date: Fri, 17 Feb 2012 10:15:19 +0000 Subject: Unsecured wifi might be contributory negligence In-Reply-To: References: <069DA878E6E146A781F24677D0C5E2CE@MaryPC> <4F3CEFB0.1050906@ernest.net> <4F3D00FA.9020109@ernest.net> <8279E31C-D03C-412A-B16D-64E3181CF503@batten.eu.org> Message-ID: I don't feel I have an obligation to protect other people's "property" from copying. I'm not going to encourage it, but I'm not going to stop it on their behalf or comport myself for the benefit of their business. -- Adrian Midgley 
http://www.defoam.net/ From nbohm at ernest.net Fri Feb 17 12:10:02 2012 From: nbohm at ernest.net (Nicholas Bohm) Date: Fri, 17 Feb 2012 12:10:02 +0000 Subject: Unsecured wifi might be contributory negligence In-Reply-To: <9n3G7AmPjXPPFAaO@perry.co.uk> References: <069DA878E6E146A781F24677D0C5E2CE@MaryPC> <4F3CEFB0.1050906@ernest.net> <4F3D00FA.9020109@ernest.net> <4F3D2CF0.4020005@ernest.net> <9n3G7AmPjXPPFAaO@perry.co.uk> Message-ID: <4F3E439A.6060704@ernest.net> On 16/02/2012 21:44, Roland Perry wrote: > In article <4F3D2CF0.4020005 at ernest.net>, Nicholas Bohm > writes >>> But wifi routers seem to be in the same mental camp as motor cars, and >>> if you can't prove someone else was driving at the time, >> >> the burden of proof isn't on the keeper >> >>> they'll try to nail the keeper. >> >> For a non-criminal claim (e.g. negligence)? I rather doubt that. And >> the (private individual) keeper's obligation is to provide what >> information he has about who was driving. If three or four people are >> insured to drive and the keeper says he cannot remember, and there's no >> other evidence, I suspect that's the end of it. Or are there contrary >> examples? > > I thought the keeper got the parking tickets these days, if he > couldn't decide who was driving. Not that I know of. But sooner or later, I suppose. However, as administrative penalties, these lie somewhere between the criminal and the civil, and don't seem a good analogical basis for changing the general legal principle involved. 
Nicholas -- Contact and PGP key here From mikie.simpson at gmail.com Fri Feb 17 11:35:55 2012 From: mikie.simpson at gmail.com (Michael Simpson) Date: Fri, 17 Feb 2012 11:35:55 +0000 Subject: Remote access to patient records and security of android apps In-Reply-To: References: <823AC815FC524410942FA2BFC157DB49@MaryPC> <97F862189DC9427DAFE92D83AEACEABB@MaryPC> Message-ID: On 14 January 2012 09:30, Arthur Clune wrote: > Instead of using a directly connected smartcard, the app could use a token > based system like rsa keyfobs. That would satisfy the two factor > authentication requirement and would work with any hardware including > phones. > My worry would be the effortless manner in which one can root Android. There isn't the same degree of protection that one has on iOS with its app signage/walled garden/sandbox approach. The increase in Android malware is a worrying trend. -Zeus/SpyEye &c I'm not stating that iOS is invulnerable or that the manner in which it is policed is unobjectionable but at the present time Android is being actively exploited. wrt the connectivity presumably a VPN client could be used to secure the connection over public networks. As an aside, data sent across the N3 network isn't usually encrypted unless you pay (lots) for it to be so http://www.n3.nhs.uk/TechnicalInformation/N3NetworkSecurity.cfm and conducting traceroutes from N3 sites shows an awful lot of public router traversal prior to re-entry into "private" N3 space. This combined with the recent CA problems and the acknowledgment by trustwave that skeleton SSL keys get handed out gives me pause for thought. 
mike From lists at internetpolicyagency.com Fri Feb 17 15:01:26 2012 From: lists at internetpolicyagency.com (Roland Perry) Date: Fri, 17 Feb 2012 15:01:26 +0000 Subject: Unsecured wifi might be contributory negligence In-Reply-To: <4F3E439A.6060704@ernest.net> References: <069DA878E6E146A781F24677D0C5E2CE@MaryPC> <4F3CEFB0.1050906@ernest.net> <4F3D00FA.9020109@ernest.net> <4F3D2CF0.4020005@ernest.net> <9n3G7AmPjXPPFAaO@perry.co.uk> <4F3E439A.6060704@ernest.net> Message-ID: In article <4F3E439A.6060704 at ernest.net>, Nicholas Bohm writes >> I thought the keeper got the parking tickets these days, if he >> couldn't decide who was driving. > >Not that I know of. But sooner or later, I suppose. However, as >administrative penalties, these lie somewhere between the criminal and >the civil, and don't seem a good analogical basis for changing the >general legal principle involved. But isn't breach of copyright also straddling the criminal/civil boundary? -- Roland Perry From lists at internetpolicyagency.com Fri Feb 17 15:02:14 2012 From: lists at internetpolicyagency.com (Roland Perry) Date: Fri, 17 Feb 2012 15:02:14 +0000 Subject: Unsecured wifi might be contributory negligence In-Reply-To: References: <069DA878E6E146A781F24677D0C5E2CE@MaryPC> <4F3CEFB0.1050906@ernest.net> <4F3D00FA.9020109@ernest.net> <8279E31C-D03C-412A-B16D-64E3181CF503@batten.eu.org> Message-ID: In article , Adrian Midgley writes >I don't feel I have an obligation to protect other people's "property" >from copying. There's clearly a range of views on this. What the (USA-based) case is seeking to establish is whether providing tools to the thief is an issue. 
-- Roland Perry From nbohm at ernest.net Fri Feb 17 15:53:24 2012 From: nbohm at ernest.net (Nicholas Bohm) Date: Fri, 17 Feb 2012 15:53:24 +0000 Subject: Unsecured wifi might be contributory negligence In-Reply-To: References: <069DA878E6E146A781F24677D0C5E2CE@MaryPC> <4F3CEFB0.1050906@ernest.net> <4F3D00FA.9020109@ernest.net> <4F3D2CF0.4020005@ernest.net> <9n3G7AmPjXPPFAaO@perry.co.uk> <4F3E439A.6060704@ernest.net> Message-ID: <4F3E77F4.4060501@ernest.net> On 17/02/2012 15:01, Roland Perry wrote: > In article <4F3E439A.6060704 at ernest.net>, Nicholas Bohm > writes >>> I thought the keeper got the parking tickets these days, if he >>> couldn't decide who was driving. >> >> Not that I know of. But sooner or later, I suppose. However, as >> administrative penalties, these lie somewhere between the criminal and >> the civil, and don't seem a good analogical basis for changing the >> general legal principle involved. > > But isn't breach of copyright also straddling the criminal/civil boundary? No. Infringement is either civil or criminal, depending on the circumstances. In neither case does it inhabit a halfway house like an administrative penalty. Nicholas -- Contact and PGP key here From nbohm at ernest.net Fri Feb 17 15:55:08 2012 From: nbohm at ernest.net (Nicholas Bohm) Date: Fri, 17 Feb 2012 15:55:08 +0000 Subject: Unsecured wifi might be contributory negligence In-Reply-To: References: <069DA878E6E146A781F24677D0C5E2CE@MaryPC> <4F3CEFB0.1050906@ernest.net> <4F3D00FA.9020109@ernest.net> <8279E31C-D03C-412A-B16D-64E3181CF503@batten.eu.org> Message-ID: <4F3E785C.2090700@ernest.net> On 17/02/2012 15:02, Roland Perry wrote: > In article > , > Adrian Midgley writes >> I don't feel I have an obligation to protect other people's "property" >> from copying. > > There's clearly a range of views on this. What the (USA-based) case is > seeking to establish is whether providing tools to the thief is an issue. 
Providing tools to a thief makes it sound like aiding or abetting - which is different from neglecting to take steps to prevent a thief from having access to your tools. Nicholas -- Contact and PGP key here From lists at internetpolicyagency.com Fri Feb 17 17:38:31 2012 From: lists at internetpolicyagency.com (Roland Perry) Date: Fri, 17 Feb 2012 17:38:31 +0000 Subject: Unsecured wifi might be contributory negligence In-Reply-To: <4F3E785C.2090700@ernest.net> References: <069DA878E6E146A781F24677D0C5E2CE@MaryPC> <4F3CEFB0.1050906@ernest.net> <4F3D00FA.9020109@ernest.net> <8279E31C-D03C-412A-B16D-64E3181CF503@batten.eu.org> <4F3E785C.2090700@ernest.net> Message-ID: In article <4F3E785C.2090700 at ernest.net>, Nicholas Bohm writes >Providing tools to a thief makes it sound like aiding or abetting - >which is different from neglecting to take steps to prevent a thief from >having access to your tools. That's the distinction which I think policy makers have to discuss. Liability of intermediaries (even involuntary ones) is still very much in a state of flux. -- Roland Perry From lists at internetpolicyagency.com Fri Feb 17 17:41:41 2012 From: lists at internetpolicyagency.com (Roland Perry) Date: Fri, 17 Feb 2012 17:41:41 +0000 Subject: Unsecured wifi might be contributory negligence In-Reply-To: <4F3E77F4.4060501@ernest.net> References: <069DA878E6E146A781F24677D0C5E2CE@MaryPC> <4F3CEFB0.1050906@ernest.net> <4F3D00FA.9020109@ernest.net> <4F3D2CF0.4020005@ernest.net> <9n3G7AmPjXPPFAaO@perry.co.uk> <4F3E439A.6060704@ernest.net> <4F3E77F4.4060501@ernest.net> Message-ID: In article <4F3E77F4.4060501 at ernest.net>, Nicholas Bohm writes >> But isn't breach of copyright also straddling the criminal/civil boundary? > >No. Infringement is either civil or criminal, depending on the >circumstances. In neither case does it inhabit a halfway house like an >administrative penalty. So if someone commits a criminal breach of copyright, the rightsholder can't also sue for damages? 
They have to choose one or the other. And then there's the International/Trans-border issues, where our friends in the USA will have the FBI help them track down the more serious infringers. -- Roland Perry From nbohm at ernest.net Fri Feb 17 17:48:48 2012 From: nbohm at ernest.net (Nicholas Bohm) Date: Fri, 17 Feb 2012 17:48:48 +0000 Subject: Unsecured wifi might be contributory negligence In-Reply-To: References: <069DA878E6E146A781F24677D0C5E2CE@MaryPC> <4F3CEFB0.1050906@ernest.net> <4F3D00FA.9020109@ernest.net> <8279E31C-D03C-412A-B16D-64E3181CF503@batten.eu.org> <4F3E785C.2090700@ernest.net> Message-ID: <4F3E9300.5020108@ernest.net> On 17/02/2012 17:38, Roland Perry wrote: > In article <4F3E785C.2090700 at ernest.net>, Nicholas Bohm > writes >> Providing tools to a thief makes it sound like aiding or abetting - >> which is different from neglecting to take steps to prevent a thief from >> having access to your tools. > > That's the distinction which I think policy makers have to discuss. > > Liability of intermediaries (even involuntary ones) is still very much > in a state of flux. As regards routers (and perhaps as regards car users' parking fines) you are no doubt right. I detect no sign of ladder keepers being at risk, however, nor of the general principle changing. I think we are looking at a fight over a small number of exceptions to a well-established rule. 
Nicholas -- Contact and PGP key here From nbohm at ernest.net Fri Feb 17 17:58:04 2012 From: nbohm at ernest.net (Nicholas Bohm) Date: Fri, 17 Feb 2012 17:58:04 +0000 Subject: Unsecured wifi might be contributory negligence In-Reply-To: References: <069DA878E6E146A781F24677D0C5E2CE@MaryPC> <4F3CEFB0.1050906@ernest.net> <4F3D00FA.9020109@ernest.net> <4F3D2CF0.4020005@ernest.net> <9n3G7AmPjXPPFAaO@perry.co.uk> <4F3E439A.6060704@ernest.net> <4F3E77F4.4060501@ernest.net> Message-ID: <4F3E952C.4010106@ernest.net> On 17/02/2012 17:41, Roland Perry wrote: > In article <4F3E77F4.4060501 at ernest.net>, Nicholas Bohm > writes >>> But isn't breach of copyright also straddling the criminal/civil >>> boundary? >> >> No. Infringement is either civil or criminal, depending on the >> circumstances. In neither case does it inhabit a halfway house like an >> administrative penalty. > > So if someone commits a criminal breach of copyright, the rightsholder > can't also sue for damages? They have to choose one or the other. No, I don't think so. My point is that administrative penalties are neither the one thing nor the other. It isn't refuted by pointing to something that is both one thing and the other. > And then there's the International/Trans-border issues, where our > friends in the USA will have the FBI help them track down the more > serious infringers. I would say, "So what?"; but I fear you would tell me. 
Nicholas -- Contact and PGP key here From richard.hopkins at bristol.ac.uk Fri Feb 17 14:53:13 2012 From: richard.hopkins at bristol.ac.uk (Richard Hopkins) Date: Fri, 17 Feb 2012 14:53:13 +0000 Subject: Unsecured wifi might be contributory negligence In-Reply-To: References: Message-ID: <429A15D70E6DD718A797A000@cse-rjhpc.cse.bris.ac.uk> --On Tuesday, February 14, 2012 1:35 PM +0000 Roland Perry wrote: > In article , Theo Markettos > writes >>> "A federal lawsuit filed in Massachusetts could test the question of >>> whether individuals who leave their wireless networks unsecured can be >>> held liable if someone uses the network to illegally download >>> copyrighted content." >> >> How does this differ from a secured but public network? Can operators of >> coffee shop or hotel lobby wifi networks, which are secured but have a >> password obtainable from the desk, be held responsible for traffic that >> their users generate? > > My understanding is that as long as the operator in question complies > with the DMCA, they are safe in this respect. The important difference > being that even if they offer the service "free", it's still an > intentional service for their customers. > >> Are hotels liable for abusive phone calls made by their guests? > > No, under different telecoms law. What about unsecured *public* networks (as provided by some City Councils, for example)? Are they even legal in the UK? "A provider of a public electronic communications service must take appropriate technological and organisational measures to safeguard the security of its services..." 
Cheers, Richard From ukcrypto at absent-minded.com Fri Feb 17 18:45:45 2012 From: ukcrypto at absent-minded.com (Mark Lomas) Date: Fri, 17 Feb 2012 18:45:45 +0000 Subject: Unsecured wifi might be contributory negligence In-Reply-To: <4F3E9300.5020108@ernest.net> References: <069DA878E6E146A781F24677D0C5E2CE@MaryPC> <4F3CEFB0.1050906@ernest.net> <4F3D00FA.9020109@ernest.net> <8279E31C-D03C-412A-B16D-64E3181CF503@batten.eu.org> <4F3E785C.2090700@ernest.net> <4F3E9300.5020108@ernest.net> Message-ID: Ladder keepers might fall prey to the doctrine of 'attractive nuisance'. You have a duty to protect children against the dangers of anything they may find attractive but not recognise as dangerous. Originally the danger itself needed to be attractive (e.g. a swimming pool), but I understand that some jurisdictions now consider any unguarded danger to be an attractive nuisance. In particular, a warning sign may be considered inadequate protection, especially if the child is too young to read it. On 17 February 2012 17:48, Nicholas Bohm wrote: > On 17/02/2012 17:38, Roland Perry wrote: > > In article <4F3E785C.2090700 at ernest.net>, Nicholas Bohm > > writes > >> Providing tools to a thief makes it sound like aiding or abetting - > >> which is different from neglecting to take steps to prevent a thief from > >> having access to your tools. > > > > That's the distinction which I think policy makers have to discuss. > > > > Liability of intermediaries (even involuntary ones) is still very much > > in a state of flux. > > As regards routers (and perhaps as regards car users' parking fines) you > are no doubt right. > > I detect no sign of ladder keepers being at risk, however, nor of the > general principle changing. I think we are looking at a fight over a > small number of exceptions to a well-established rule. > > Nicholas > -- > Contact and PGP key here
From maryhawking at tigers.demon.co.uk Fri Feb 17 19:13:50 2012 From: maryhawking at tigers.demon.co.uk (Mary Hawking) Date: Fri, 17 Feb 2012 19:13:50 -0000 Subject: Unsecured wifi might be contributory negligence In-Reply-To: References: <069DA878E6E146A781F24677D0C5E2CE@MaryPC><4F3CEFB0.1050906@ernest.net> <4F3D00FA.9020109@ernest.net> <8279E31C-D03C-412A-B16D-64E3181CF503@batten.eu.org> <4F3E785C.2090700@ernest.net> <4F3E9300.5020108@ernest.net> Message-ID: <4B7B78858F71470ABDEFB94E96DB5925@MaryPC> From: Mark Lomas [mailto:ukcrypto at absent-minded.com] Sent: 17 February 2012 18:46 To: nbohm at ernest.net; UK Cryptography Policy Discussion Group Subject: Re: Unsecured wifi might be contributory negligence >Ladder keepers might fall prey to the doctrine of 'attractive nuisance'. You have a duty to protect children against the dangers of anything they may find attractive but not recognise as dangerous. >Originally the danger itself needed to be attractive (e.g. a swimming pool), but I understand that some jurisdictions now consider any unguarded danger to be an attractive nuisance. >In particular, a warning sign may be considered inadequate protection, especially if the child is too young to read it. Could you elaborate on this doctrine and whether it is a legal one? It's new to me. Sounds as though it could be used for almost anything - children being evolutionally programmed (like adults) to be curious about new experiences: does the duty (if there is one) extend to adults and how is it defined? Do guardians of children have a corresponding duty to prevent them experiencing anything not legally guaranteed to be totally free from any risk whatsoever? And how is this enforced? Mary Hawking "thinking - independent thinking - is to humans as swimming is to cats: we can do it if we really have to." Mark Earles on Radio 4. and don't forget patients like Fred! 
http://primaryhealthinfo.wordpress.com/2011/12/11/fred-and-his-dog-an-update/ Primary Health Info 2012 23rd - 25th April 2012, Chesford Grange Warwickshire 'Using IT and Information to Deliver Transformational Change' www.primaryhealthinfo.org From fjmd1a at gmail.com Fri Feb 17 21:00:47 2012 From: fjmd1a at gmail.com (Francis Davey) Date: Fri, 17 Feb 2012 21:00:47 +0000 Subject: Unsecured wifi might be contributory negligence In-Reply-To: <4B7B78858F71470ABDEFB94E96DB5925@MaryPC> References: <069DA878E6E146A781F24677D0C5E2CE@MaryPC> <4F3CEFB0.1050906@ernest.net> <4F3D00FA.9020109@ernest.net> <8279E31C-D03C-412A-B16D-64E3181CF503@batten.eu.org> <4F3E785C.2090700@ernest.net> <4F3E9300.5020108@ernest.net> <4B7B78858F71470ABDEFB94E96DB5925@MaryPC> Message-ID: 2012/2/17 Mary Hawking : > > Could you elaborate on this doctrine and whether it is a legal one? It's new > to me. > > Sounds as though it could be used for almost anything - children being > evolutionally programmed (like adults) to be curious about new experiences: > does the duty (if there is one) extend to adults and how is it defined? > For occupiers section 2 of the 1957 Act: http://www.legislation.gov.uk/ukpga/Eliz2/5-6/31/section/2 says most of the above. If you (say) open your (large) garden to families then you will expect children to be running around, so you have to make sure they don't fall in the traps, etc. It's common sense. Rather less duty is owed to non-visitors like trespassers: http://www.legislation.gov.uk/ukpga/1984/3/section/1 But this is all a long way from duty to protect others from IP infringement. 
-- Francis Davey From ukcrypto at absent-minded.com Fri Feb 17 21:21:07 2012 From: ukcrypto at absent-minded.com (Mark Lomas) Date: Fri, 17 Feb 2012 21:21:07 +0000 Subject: Unsecured wifi might be contributory negligence In-Reply-To: References: <069DA878E6E146A781F24677D0C5E2CE@MaryPC> <4F3CEFB0.1050906@ernest.net> <4F3D00FA.9020109@ernest.net> <8279E31C-D03C-412A-B16D-64E3181CF503@batten.eu.org> <4F3E785C.2090700@ernest.net> <4F3E9300.5020108@ernest.net> <4B7B78858F71470ABDEFB94E96DB5925@MaryPC> Message-ID: Thank you - yes, the logic behind the doctrine is that children may not be able to judge risk, it is not to eliminate all risk. e.g. Lynch v Nurdin (Queen's Bench 1841): a 7 year old child climbed onto the wheel of an unattended cart. Other children disturbed the horse and the first child fell, breaking his leg. The servant who left the cart unattended was found responsible. I agree that it does not apply to IP infringement. I was only suggesting that it may apply to ladders. Mark On 17 February 2012 21:00, Francis Davey wrote: > 2012/2/17 Mary Hawking : > > > > Could you elaborate on this doctrine and whether it is a legal one? It's > new > > to me. > > > > Sounds as though it could be used for almost anything - children being > > evolutionally programmed (like adults) to be curious about new > experiences: > > does the duty (if there is one) extend to adults and how is it defined? > > > > For occupiers section 2 of the 1957 Act: > > http://www.legislation.gov.uk/ukpga/Eliz2/5-6/31/section/2 > > says most of the above. If you (say) open your (large) garden to > families then you will expect children to be running around, so you > have to make sure they don't fall in the traps, etc. It's common > sense. > > Rather less duty is owed to non-visitors like trespassers: > > http://www.legislation.gov.uk/ukpga/1984/3/section/1 > > But this is all a long way from duty to protect others from IP > infringement. 
> > -- > Francis Davey From mozolevsky at gmail.com Fri Feb 17 21:07:44 2012 From: mozolevsky at gmail.com (Igor Mozolevsky) Date: Fri, 17 Feb 2012 21:07:44 +0000 Subject: Unsecured wifi might be contributory negligence In-Reply-To: <4B7B78858F71470ABDEFB94E96DB5925@MaryPC> References: <069DA878E6E146A781F24677D0C5E2CE@MaryPC> <4F3CEFB0.1050906@ernest.net> <4F3D00FA.9020109@ernest.net> <8279E31C-D03C-412A-B16D-64E3181CF503@batten.eu.org> <4F3E785C.2090700@ernest.net> <4F3E9300.5020108@ernest.net> <4B7B78858F71470ABDEFB94E96DB5925@MaryPC> Message-ID: On 17 February 2012 19:13, Mary Hawking wrote: > Could you elaborate on this doctrine and whether it is a legal one? It's new > to me. > > Sounds as though it could be used for almost anything - children being > evolutionally programmed (like adults) to be curious about new experiences: > does the duty (if there is one) extend to adults and how is it defined? On top of what Francis said, there is a case of Taylor v Glasgow Corp (not on Bailii) where a 7 year old ate "attractive" poisonous berries (which were fenced off, but within reach) and died... In any event, isn't "contributory negligence" a defence to a claim of negligence, and not a form of accessory liability? -- Igor M. 
From colinthomson1 at o2.co.uk Sat Feb 18 02:20:25 2012 From: colinthomson1 at o2.co.uk (Tom Thomson) Date: Sat, 18 Feb 2012 02:20:25 -0000 Subject: Unsecured wifi might be contributory negligence In-Reply-To: References: <069DA878E6E146A781F24677D0C5E2CE@MaryPC><4F3CEFB0.1050906@ernest.net> <4F3D00FA.9020109@ernest.net> <8279E31C-D03C-412A-B16D-64E3181CF503@batten.eu.org> <4F3E785C.2090700@ernest.net> <4F3E9300.5020108@ernest.net><4B7B78858F71470ABDEFB94E96DB5925@MaryPC> Message-ID: <15B8AABE1E59455A8624EADA07454E4B@your41b8d18ede> 17 February 2012 Francis Davey > Rather less duty is owed to non-visitors like trespassers: > > http://www.legislation.gov.uk/ukpga/1984/3/section/1 And (5) of that section, with the phrases "in an appropriate case" and "as are reasonable in all the circumstances of the case", ensures that no layman can possibly know what he has to do to give warning that is adequate to fulfil the duty or indeed whether it is even possible to give such warning; and no lawyer can tell him unless he knows of some case law from a court high enough up the tree to set a binding precedent. It is typical unreasonable law - ignorance of the law is no defence, but the law is phrased in such a way as to ensure that ordinary mortals like myself have no idea what it means. > But this is all a long way from duty to protect others from IP infringement. It is indeed, thank goodness. Some ISPs provide their subscribers with routers which have the ISP's own firmware in them and can't be decently secured because the firmware doesn't permit it. For example Telefonica (in Spain) supplies a router manufactured by Thomson (the French company, nothing to do with me) from which Thomson's firmware (which supports both WPA and WPA2 in PSK mode) ripped out and Telefonica (or Movistar - not sure which) firmware added that cannot be configured to use WPA or WPA2. 
I imagine there will be UK ISPs that have done the same silly thing (I haven't had the misfortune to discover one yet - it's been something I've checked for ISPs I've considered using since I've switched to wireless from wired access in 2005, but I've considered only a very small proportion of UK ISPs so that's no indication that they are all sensible). I wonder what the liability of a subscriber caught in that silliness would be if the law changed to create a duty to protect against IP infringement. Tom From igb at batten.eu.org Sat Feb 18 07:10:35 2012 From: igb at batten.eu.org (Ian Batten) Date: Sat, 18 Feb 2012 07:10:35 +0000 Subject: Unsecured wifi might be contributory negligence In-Reply-To: <15B8AABE1E59455A8624EADA07454E4B@your41b8d18ede> References: <069DA878E6E146A781F24677D0C5E2CE@MaryPC><4F3CEFB0.1050906@ernest.net> <4F3D00FA.9020109@ernest.net> <8279E31C-D03C-412A-B16D-64E3181CF503@batten.eu.org> <4F3E785C.2090700@ernest.net> <4F3E9300.5020108@ernest.net><4B7B78858F71470ABDEFB94E96DB5925@MaryPC> <15B8AABE1E59455A8624EADA07454E4B@your41b8d18ede> Message-ID: On 18 Feb 2012, at 02:20, Tom Thomson wrote: > For example Telefonica (in Spain) supplies a router manufactured by Thomson (the French company, nothing to do with me) from which Thomson's firmware (which supports both WPA and WPA2 in PSK mode) ripped out and Telefonica (or Movistar - not sure which) firmware added that cannot be configured to use WPA or WPA2. I imagine there will be UK ISPs that have done the same silly thing (I haven't had the misfortune to discover one yet - it's been something I've checked for ISPs I've considered using since I've switched to wireless from wired access in 2005, but I've considered only a very small proportion of UK ISPs so that's no indication that they are all sensible). > I wonder what the liability of a subscriber caught in that silliness would be if the law changed to create a duty to protect against IP infringement. 
Most Eurocylinder locks are susceptible to at least one of bumping and snapping, and many of them both; if your house is secured with them, as most modern ones are, then there is a strong chance that a prospective intruder can open the doors irrespective of the number of rack bolts and so on that you have. Bumping is a problem if you have a "signs of forced entry" clause in your insurance, because it doesn't leave any, while lock snapping does at least leave a large footprint. But no insurance company --- whose ability to say "sorry, we're not paying" without challenge is a great deal larger than a court's ability to make up law --- has attempted to claim that your insurance is invalid unless you have replaced all of your locks with bump and snap-resistant cylinders. So even though the locks (read encryption) is not as strong as it was intended to be, it's still regarded as sufficient to show you have taken reasonable precautions. It would be manifestly unreasonable to argue that encryption marketed as sufficient in fact wasn't and a random customer should have known that, and such a claim wouldn't survive in court. One might as well argue that people are responsible for the poor quality of the RNG in their key-generation process even though they were using WPA2 (I used a hardware RNG to generate the keys from home, but should it have had a CESG Claims Tested mark? Should I seek EAL4+ for my home wireless base station?) 
ian From lists at internetpolicyagency.com Sat Feb 18 09:28:45 2012 From: lists at internetpolicyagency.com (Roland Perry) Date: Sat, 18 Feb 2012 09:28:45 +0000 Subject: Unsecured wifi might be contributory negligence In-Reply-To: <429A15D70E6DD718A797A000@cse-rjhpc.cse.bris.ac.uk> References: <429A15D70E6DD718A797A000@cse-rjhpc.cse.bris.ac.uk> Message-ID: <0sn05cPN92PPFALZ@perry.co.uk> In article <429A15D70E6DD718A797A000 at cse-rjhpc.cse.bris.ac.uk>, Richard Hopkins writes >What about unsecured *public* networks (as provided by some City >Councils, for example)? Are they even legal in the UK? > >"A provider of a public electronic communications service must take >appropriate technological and organisational measures to safeguard the >security of its services..." I think the problem is that people use the word "security" to mean a whole range of different (and sometimes conflicting) things. The ICO probably means that the services should be free from the risk of eavesdropping, whereas many law enforcement agencies would say that it means gathering data on the users so that bomb plots can be foiled. -- Roland Perry From lists at internetpolicyagency.com Sat Feb 18 09:31:00 2012 From: lists at internetpolicyagency.com (Roland Perry) Date: Sat, 18 Feb 2012 09:31:00 +0000 Subject: Unsecured wifi might be contributory negligence In-Reply-To: <4F3E952C.4010106@ernest.net> References: <069DA878E6E146A781F24677D0C5E2CE@MaryPC> <4F3CEFB0.1050906@ernest.net> <4F3D00FA.9020109@ernest.net> <4F3D2CF0.4020005@ernest.net> <9n3G7AmPjXPPFAaO@perry.co.uk> <4F3E439A.6060704@ernest.net> <4F3E77F4.4060501@ernest.net> <4F3E952C.4010106@ernest.net> Message-ID: In article <4F3E952C.4010106 at ernest.net>, Nicholas Bohm writes >> And then there's the International/Trans-border issues, where our >> friends in the USA will have the FBI help them track down the more >> serious infringers. > >I would say, "So what?"; but I fear you would tell me. 
All I will say is that the news report I originally mentioned was from the USA, where many laws differ from the UK, but commentators often have difficulty with the idea that it could be different here. -- Roland Perry From lists at internetpolicyagency.com Sat Feb 18 09:43:01 2012 From: lists at internetpolicyagency.com (Roland Perry) Date: Sat, 18 Feb 2012 09:43:01 +0000 Subject: Unsecured wifi might be contributory negligence In-Reply-To: References: <069DA878E6E146A781F24677D0C5E2CE@MaryPC> <4F3CEFB0.1050906@ernest.net> <4F3D00FA.9020109@ernest.net> <8279E31C-D03C-412A-B16D-64E3181CF503@batten.eu.org> <4F3E785C.2090700@ernest.net> <4F3E9300.5020108@ernest.net> <4B7B78858F71470ABDEFB94E96DB5925@MaryPC> <15B8AABE1E59455A8624EADA07454E4B@your41b8d18ede> Message-ID: In article , Ian Batten writes >your insurance is invalid unless you have replaced all of your locks >with bump and snap-resistant cylinders. I've had insurance policies that specify a certain British Standard for the locks, but I have no idea whether that means such locks are bump and snap resistant (or even if the standards attempt to test this - but if they don't one is left wondering what the standard does in fact do). > So even though the locks (read It would be manifestly unreasonable to >argue that encryption marketed as sufficient in fact wasn't and a >random customer should have known that Sure, but the question in hand is about not using the supplied encryption at all. -- Roland Perry From mozolevsky at gmail.com Sat Feb 18 11:06:48 2012 From: mozolevsky at gmail.com (Igor Mozolevsky) Date: Sat, 18 Feb 2012 11:06:48 +0000 Subject: Unsecured wifi might be contributory negligence In-Reply-To: References: Message-ID: On 7 February 2012 16:24, Roland Perry wrote: > "A federal lawsuit filed in Massachusetts could test the question of whether > individuals who leave their wireless networks unsecured can be held liable > if someone uses the network to illegally download copyrighted content." 
> > _owners_of_non_secure_wireless_networks> Despite all the analogies in the thread focusing mainly on breach of duty of care, there is no established duty of care between an Internet user and the rest of the users on the Internet, and especially no DoC of an Internet user to an IP rights holder. Even if the first leg (foreseeability of damage) of the Caparo test could be satisfied, the test would fail at the second hurdle (proximity of the relationship) and the third (justice and fairness). On top of that, since there is no physical damage, you have the whole mess of pure economic loss to deal with... I have no idea to what extent the American law follows these principles, but I think it's going to be a very long time before similar is tried in this jurisdiction. -- Igor M. From nbohm at ernest.net Sat Feb 18 13:16:42 2012 From: nbohm at ernest.net (Nicholas Bohm) Date: Sat, 18 Feb 2012 13:16:42 +0000 Subject: Unsecured wifi might be contributory negligence In-Reply-To: References: <069DA878E6E146A781F24677D0C5E2CE@MaryPC> <4F3CEFB0.1050906@ernest.net> <4F3D00FA.9020109@ernest.net> <8279E31C-D03C-412A-B16D-64E3181CF503@batten.eu.org> <4F3E785C.2090700@ernest.net> <4F3E9300.5020108@ernest.net> <4B7B78858F71470ABDEFB94E96DB5925@MaryPC> Message-ID: <4F3FA4BA.6020201@ernest.net> On 17/02/2012 21:07, Igor Mozolevsky wrote: > On 17 February 2012 19:13, Mary Hawking wrote: > >> Could you elaborate on this doctrine and whether it is a legal one? It's new >> to me. >> >> Sounds as though it could be used for almost anything - children being >> evolutionally programmed (like adults) to be curious about new experiences: >> does the duty (if there is one) extend to adults and how is it defined? > On top of what Francis said, there is a case of Taylor v Glasgow Corp > (not on Bailii) where a 7 year old ate "attractive" poisonous berries > (which were fenced off, but within reach) and died... 
> > In any event, isn't "contributory negligence" a defence to a claim of > negligence, and not a form of accessory liability? > Yes. (Usually only a partial defence, in the sense that it reduces the quantum of liability to the claimant if the was partly his own fault.) I think the original reference was intended to be about whether ISPs were liable to contribute to their customers' loss if their customers were sued successfully by rightsholders as a result of using unsecured routers and the ISPs had failed to do what they should to help the customer secure the router. (This isn't contributory negligence in the technical sense, it's about liability under the Civil Liability (Contribution) Act 1978 .) The answer is that it's a nice thought, but there are too many imponderables along the way to make a reliable guess about the outcome. Nicholas -- Contact and PGP key here From lists at internetpolicyagency.com Sat Feb 18 13:17:08 2012 From: lists at internetpolicyagency.com (Roland Perry) Date: Sat, 18 Feb 2012 13:17:08 +0000 Subject: Unsecured wifi might be contributory negligence In-Reply-To: References: Message-ID: In article , Igor Mozolevsky writes >On 7 February 2012 16:24, Roland Perry wrote: >> "A federal lawsuit filed in Massachusetts could test the question of whether >> individuals who leave their wireless networks unsecured can be held liable >> if someone uses the network to illegally download copyrighted content." >> >> > _owners_of_non_secure_wireless_networks> > >Despite all the analogies in the thread focusing mainly on breach of >duty of care, there is no established duty of care between an Internet >user and the rest of the users on the Internet, and especially no DoC >of an Internet user to an IP rights holder. I'm not sure why "contributory negligence" has morphed into "a duty of care". But I'll make a stab at why CN is involved. 
First of all you have to admit that intellectual property theft is unlawful, if not it's moot, but a different point of law. Then we must realise that the "thief" has been identified by the IP address of the router. But his excuse is "a stowaway dunnit". The contributory negligence presumably arises as a result of the lack of measures used by the router's owner/subscriber to secure it from stowaways. I have no idea if this line of argument will prevail, I'm simply bringing it to the list's attention that such a lawsuit has been filed. >I have no idea to what extent the American law follows these >principles, but I think it's going to be a very long time before >similar is tried in this jurisdiction. Maybe so, but it's clear the story I highlighted was in the USA. -- Roland Perry From nbohm at ernest.net Sat Feb 18 13:19:16 2012 From: nbohm at ernest.net (Nicholas Bohm) Date: Sat, 18 Feb 2012 13:19:16 +0000 Subject: Unsecured wifi might be contributory negligence In-Reply-To: References: <069DA878E6E146A781F24677D0C5E2CE@MaryPC> <4F3CEFB0.1050906@ernest.net> <4F3D00FA.9020109@ernest.net> <8279E31C-D03C-412A-B16D-64E3181CF503@batten.eu.org> <4F3E785C.2090700@ernest.net> <4F3E9300.5020108@ernest.net> <4B7B78858F71470ABDEFB94E96DB5925@MaryPC> Message-ID: <4F3FA554.7060008@ernest.net> On 17/02/2012 21:21, Mark Lomas wrote: > Thank you - yes, the logic behind the doctrine is that children may > not be able to judge risk, it is not to eliminate all risk. > > e.g. Lynch v Nurdin (Queen's Bench 1841): a 7 year old child climbed > onto the wheel of an unattended cart. Other children disturbed the > horse and the first child fell, breaking his leg. The servant who left > the cart unattended was found responsible. > > I agree that it does not apply to IP infringement. I was only > suggesting that it may apply to ladders. Ladders that fall on people, certainly. 
Ladders that are taken next door and used to burgle the neighbours, no: the liability is to people coming onto the defendant's land. Nicholas -- Contact and PGP key here > > On 17 February 2012 21:00, Francis Davey > wrote: > > 2012/2/17 Mary Hawking >: > > > > Could you elaborate on this doctrine and whether it is a legal > one? It's new > > to me. > > > > Sounds as though it could be used for almost anything - children > being > > evolutionally programmed (like adults) to be curious about new > experiences: > > does the duty (if there is one) extend to adults and how is it > defined? > > > > For occupiers section 2 of the 1957 Act: > > http://www.legislation.gov.uk/ukpga/Eliz2/5-6/31/section/2 > > says most of the above. If you (say) open your (large) garden to > families then you will expect children to be running around, so you > have to make sure to they don't fall in the traps, etc. It's common > sense. > > Rather less duty is owed to non-visitors like trespassers: > > http://www.legislation.gov.uk/ukpga/1984/3/section/1 > > But this is all a long way from duty to protect others from IP > infringement. 
> > -- > Francis Davey > > From nbohm at ernest.net Sat Feb 18 13:23:37 2012 From: nbohm at ernest.net (Nicholas Bohm) Date: Sat, 18 Feb 2012 13:23:37 +0000 Subject: Unsecured wifi might be contributory negligence In-Reply-To: <15B8AABE1E59455A8624EADA07454E4B@your41b8d18ede> References: <069DA878E6E146A781F24677D0C5E2CE@MaryPC><4F3CEFB0.1050906@ernest.net> <4F3D00FA.9020109@ernest.net> <8279E31C-D03C-412A-B16D-64E3181CF503@batten.eu.org> <4F3E785C.2090700@ernest.net> <4F3E9300.5020108@ernest.net><4B7B78858F71470ABDEFB94E96DB5925@MaryPC> <15B8AABE1E59455A8624EADA07454E4B@your41b8d18ede> Message-ID: <4F3FA659.7020002@ernest.net> On 18/02/2012 02:20, Tom Thomson wrote: > > 17 February 2012 Francis Davey >> Rather less duty is owed to non-visitors like trespassers: >> >> http://www.legislation.gov.uk/ukpga/1984/3/section/1 > And (5) of that section, with the phrases "in an appropriate case" and "as are reasonable in all the circumstances of the case", ensures that no layman can possibly know what he has to do give warning that is adequate to fulfil the duty or indeed whether it is even possible to give such warning; and no lawyer can tell him unless he knows of some case law from a court high enough up the tree to set a binding precedent. It is typical unreasonable law - ignorance of the law is no defence, but the law is phrased in such a way as to ensure that ordinary mortals like myself have no idea what it means. I sympathise with this, though I find it hard to see what legislators or judges can do about it. In practice household insurance policies provide public liability cover for the liabilities in question, so householders do whatever they think sensible and leave the risk to the insurers. If insurers thought it would reduce their exposure if they insisted on specific precautions, that's probably what they would do. As far as I know, they don't. 
Nicholas -- Contact and PGP key here
From nbohm at ernest.net Sat Feb 18 13:27:45 2012 From: nbohm at ernest.net (Nicholas Bohm) Date: Sat, 18 Feb 2012 13:27:45 +0000 Subject: Unsecured wifi might be contributory negligence In-Reply-To: References: Message-ID: <4F3FA751.9060602@ernest.net> On 18/02/2012 11:06, Igor Mozolevsky wrote: > On 7 February 2012 16:24, Roland Perry wrote: >> "A federal lawsuit filed in Massachusetts could test the question of whether >> individuals who leave their wireless networks unsecured can be held liable >> if someone uses the network to illegally download copyrighted content." >> >> > _owners_of_non_secure_wireless_networks> > > Despite all the analogies in the thread focusing mainly on breach of > duty of care, there is no established duty of care between an Internet > user and the rest of the users on the Internet, and especially no DoC > of an Internet user to an IP rights holder. Even if the first leg > (foreseeability of damage) of the Caparo test could be satisfied, the > test would fail at the second hurdle (proximity of the relationship) > and the third (justice and fairness). On top of that, since there is > no physical damage, you have the whole mess of pure economic loss to > deal with... I entirely agree. And since pure economic loss isn't recoverable (with exceptions for the "advice" cases), and damage to intangible assets like copyright (even if it really is "damaged" in the relevant sense) is pure economic loss, that further supports your points. > I have no idea to what extent the American law follows these > principles, but I think it's going to be a very long time before > similar is tried in this jurisdiction. I agree. Statute is the only risk. 
Nicholas -- Contact and PGP key here From mozolevsky at gmail.com Sat Feb 18 13:28:50 2012 From: mozolevsky at gmail.com (Igor Mozolevsky) Date: Sat, 18 Feb 2012 13:28:50 +0000 Subject: Unsecured wifi might be contributory negligence In-Reply-To: References: Message-ID: On 18 February 2012 13:17, Roland Perry wrote: > In article , Igor Mozolevsky > writes > >> On 7 February 2012 16:24, Roland Perry >> wrote: >>> >>> "A federal lawsuit filed in Massachusetts could test the question of >>> whether >>> individuals who leave their wireless networks unsecured can be held >>> liable >>> if someone uses the network to illegally download copyrighted content." >>> >>> >> _owners_of_non_secure_wireless_networks> >> >> >> Despite all the analogies in the thread focusing mainly on breach of >> duty of care, there is no established duty of care between an Internet >> user and the rest of the users on the Internet, and especially no DoC >> of an Internet user to an IP rights holder. > > > I'm not sure why "contributory negligence" has morphed into "a duty of > care". Because, to have a claim in negligence you need to show three things: duty of care, breach of that duty and injury (damage); without first establishing duty of care, talking about breach of that duty is... academic, if that... Now, whether IP rights infringement amounts to "damage" under Civil Liability (Contribution) Act 1978 is a separate issue... -- Igor M. From mozolevsky at gmail.com Sat Feb 18 14:18:06 2012 From: mozolevsky at gmail.com (Igor Mozolevsky) Date: Sat, 18 Feb 2012 14:18:06 +0000 Subject: Unsecured wifi might be contributory negligence In-Reply-To: References: Message-ID: On 18 February 2012 13:17, Roland Perry wrote: > But I'll make a stab at why CN is involved. > > First of all you have to admit that intellectual property theft is > unlawful, if not it's moot, but a different point of law. Well, it's not "theft" in its technical sense but infringement; but yes, accepted. 
> Then we must realise that the "thief" has been identified by the IP address > of the router. But his excuse is "a stowaway dunnit". The contributory > negligence presumably arises as a result of the lack of measures used by the > router's owner/subscriber to secure it from stowaways. In absence of a positive legal obligation to take those measures, would you not be bringing a tort action for non-feasance? >> I have no idea to what extent the American law follows these >> principles, but I think it's going to be a very long time before >> similar is tried in this jurisdiction. > > Maybe so, but it's clear the story I highlighted was in the USA. You did, hence my comment about the two different jurisdictions... -- Igor M. From lists at internetpolicyagency.com Sat Feb 18 14:31:12 2012 From: lists at internetpolicyagency.com (Roland Perry) Date: Sat, 18 Feb 2012 14:31:12 +0000 Subject: Unsecured wifi might be contributory negligence In-Reply-To: <4F3FA4BA.6020201@ernest.net> References: <069DA878E6E146A781F24677D0C5E2CE@MaryPC> <4F3CEFB0.1050906@ernest.net> <4F3D00FA.9020109@ernest.net> <8279E31C-D03C-412A-B16D-64E3181CF503@batten.eu.org> <4F3E785C.2090700@ernest.net> <4F3E9300.5020108@ernest.net> <4B7B78858F71470ABDEFB94E96DB5925@MaryPC> <4F3FA4BA.6020201@ernest.net> Message-ID: In article <4F3FA4BA.6020201 at ernest.net>, Nicholas Bohm writes >I think the original reference was intended to be about whether ISPs >were liable to contribute to their customers' loss if their customers >were sued successfully by rightsholders as a result of using unsecured >routers and the ISPs had failed to do what they should to help the >customer secure the router. I think it's about householders claiming to be unable to show it wasn't them who stole the movie, because their wifi was unsecured (so they can't pass the buck to someone else who they can identify). 
Going back to the parking ticket analogy, it's like a driver saying "I left the keys in the car and have no idea who borrowed it for half an hour and parked on that double yellow line". The idea, of course, being (a) to discourage people from leaving their cars unsecured so that random people can get away with parking on double yellow lines and (b) to discourage people from claiming they didn't know which hypothetically unidentifiable person borrowed the car, when in fact it was them. -- Roland Perry From mozolevsky at gmail.com Sat Feb 18 14:35:28 2012 From: mozolevsky at gmail.com (Igor Mozolevsky) Date: Sat, 18 Feb 2012 14:35:28 +0000 Subject: Unsecured wifi might be contributory negligence In-Reply-To: References: <069DA878E6E146A781F24677D0C5E2CE@MaryPC> <4F3CEFB0.1050906@ernest.net> <4F3D00FA.9020109@ernest.net> <8279E31C-D03C-412A-B16D-64E3181CF503@batten.eu.org> <4F3E785C.2090700@ernest.net> <4F3E9300.5020108@ernest.net> <4B7B78858F71470ABDEFB94E96DB5925@MaryPC> <4F3FA4BA.6020201@ernest.net> Message-ID: On 18 February 2012 14:31, Roland Perry wrote: > Going back to the parking ticket analogy, it's like a driver saying "I left > the keys in the car and have no idea who borrowed it for half an hour and > parked on that double yellow line". But does the statute law not compel the disclosure and sets out the default position in the event of failure to disclose? Is there anything of the sort wrt "securing" the wifi routers? -- Igor M. From lists at internetpolicyagency.com Sat Feb 18 14:38:27 2012 From: lists at internetpolicyagency.com (Roland Perry) Date: Sat, 18 Feb 2012 14:38:27 +0000 Subject: Unsecured wifi might be contributory negligence In-Reply-To: References: Message-ID: In article , Igor Mozolevsky writes >> I'm not sure why "contributory negligence" has morphed into "a duty of >> care". 
> >Because, to have a claim in negligence you need to show three things: >duty of care, breach of that duty and injury (damage); without first >establishing duty of care, talking about breach of that duty is... >academic, if that... > >Now, whether IP rights infringement amounts to "damage" under Civil >Liability (Contribution) Act 1978 is a separate issue... You still seem to be talking about UK law, when my posting was about a lawsuit in the USA. But if you are saying that anyone in the UK who is accused of P2P copyright infringement has an automatic cast iron defence if they have an open wifi, then that's quite an interesting conclusion. And something to feed into the Digital Economy Act debate (which I hasten to add I've not been following at that level of detail). -- Roland Perry From mozolevsky at gmail.com Sat Feb 18 14:53:35 2012 From: mozolevsky at gmail.com (Igor Mozolevsky) Date: Sat, 18 Feb 2012 14:53:35 +0000 Subject: Unsecured wifi might be contributory negligence In-Reply-To: References: Message-ID: On 18 February 2012 14:38, Roland Perry wrote: > In article > , Igor > Mozolevsky writes > >>> I'm not sure why "contributory negligence" has morphed into "a duty of >>> care". >> >> >> Because, to have a claim in negligence you need to show three things: >> duty of care, breach of that duty and injury (damage); without first >> establishing duty of care, talking about breach of that duty is... >> academic, if that... >> >> Now, whether IP rights infringement amounts to "damage" under Civil >> Liability (Contribution) Act 1978 is a separate issue... > > > You still seem to be talking about UK law, when my posting was about a > lawsuit in the USA. I don't see what practical or policy point can be made discussing the lawsuit you mention only in so far as the USA is concerned, I don't know if there are any American lawyers who can comment on the position of the law state-side with respect to that. 
So, simply focusing on the States is kind of pointless, for the purpose of this mailing list, would you not agree? Besides, from what I am led to believe (by "authoritative" sources like the TV) is that because of lack of cost sanctions/awards, people State-side can simply be sued into non-existence or "bully" into settling because they can't afford a lawyer (or find a pro-bono one). From this, arises a situation where people with cash can bring frivolous lawsuits and settle them with a profit... > But if you are saying that anyone in the UK who is accused of P2P copyright > infringement has an automatic cast iron defence if they have an open wifi, > then that's quite an interesting conclusion. And something to feed into the > Digital Economy Act debate (which I hasten to add I've not been following at > that level of detail). Absolutely not what I was saying. What I was saying is that claiming any form of negligence by an owner of an evidently unsecured wifi router is a long stretch. If someone was asserting the defence that you propose, they could either consent to a search order of their "equipment" (PCs, external HDDs, &c) or the party claiming infringement is free to apply to a court for a search order. I don't see a practical problem with the scenario you envisaged there... -- Igor M. 
From nbohm at ernest.net Sat Feb 18 15:03:06 2012 From: nbohm at ernest.net (Nicholas Bohm) Date: Sat, 18 Feb 2012 15:03:06 +0000 Subject: Unsecured wifi might be contributory negligence In-Reply-To: References: <069DA878E6E146A781F24677D0C5E2CE@MaryPC> <4F3CEFB0.1050906@ernest.net> <4F3D00FA.9020109@ernest.net> <8279E31C-D03C-412A-B16D-64E3181CF503@batten.eu.org> <4F3E785C.2090700@ernest.net> <4F3E9300.5020108@ernest.net> <4B7B78858F71470ABDEFB94E96DB5925@MaryPC> <4F3FA4BA.6020201@ernest.net> Message-ID: <4F3FBDAA.3090308@ernest.net> On 18/02/2012 14:31, Roland Perry wrote: > In article <4F3FA4BA.6020201 at ernest.net>, Nicholas Bohm > writes >> I think the original reference was intended to be about whether ISPs >> were liable to contribute to their customers' loss if their customers >> were sued successfully by rightsholders as a result of using unsecured >> routers and the ISPs had failed to do what they should to help the >> customer secure the router. > > I think it's about householders claiming to be unable to show it > wasn't them who stole the movie, because their wifi was unsecured (so > they can't pass the buck to someone else who they can identify). The burden of proof is on the claimant, not the defendant. If the claimant shows that the defendant was the subscriber, and the defendant does not claim that any other person had access to the connection, a court could infer that the defendant was the downloader. If the defendant's claim (and evidence) is that there were several users (either because the router was unsecured or because its password was shared with a number of family members and visitors), and that the defendant did not authorise them to download infringing materials, I do not see how the claimant can establish the defendant's liability even on the balance of probabilities. 
(I'm talking about the English legal position, this being a UK list; I assumed your reference to an American case was to promote discussion of the corresponding English or UK issues. If you want a debate about the US legal landscape, you may have to try your luck elsewhere, I suspect.) Nicholas -- Contact and PGP key here From lists at internetpolicyagency.com Sat Feb 18 15:19:04 2012 From: lists at internetpolicyagency.com (Roland Perry) Date: Sat, 18 Feb 2012 15:19:04 +0000 Subject: Unsecured wifi might be contributory negligence In-Reply-To: References: <4F3CEFB0.1050906@ernest.net> <4F3D00FA.9020109@ernest.net> <8279E31C-D03C-412A-B16D-64E3181CF503@batten.eu.org> <4F3E785C.2090700@ernest.net> <4F3E9300.5020108@ernest.net> <4B7B78858F71470ABDEFB94E96DB5925@MaryPC> <4F3FA4BA.6020201@ernest.net> Message-ID: In article , Igor Mozolevsky writes >> Going back to the parking ticket analogy, it's like a driver saying "I left >> the keys in the car and have no idea who borrowed it for half an hour and >> parked on that double yellow line". > >But does the statute law not compel the disclosure and sets out the >default position in the event of failure to disclose? I think there is. >Is there anything of the sort wrt "securing" the wifi routers? Not yet, but policy is being formed in this area. Currently the USA is leading, but the UK often follows. Pardon me for bringing this to the list's attention. 
-- Roland Perry From mozolevsky at gmail.com Sat Feb 18 15:32:41 2012 From: mozolevsky at gmail.com (Igor Mozolevsky) Date: Sat, 18 Feb 2012 15:32:41 +0000 Subject: Unsecured wifi might be contributory negligence In-Reply-To: References: <4F3CEFB0.1050906@ernest.net> <4F3D00FA.9020109@ernest.net> <8279E31C-D03C-412A-B16D-64E3181CF503@batten.eu.org> <4F3E785C.2090700@ernest.net> <4F3E9300.5020108@ernest.net> <4B7B78858F71470ABDEFB94E96DB5925@MaryPC> <4F3FA4BA.6020201@ernest.net> Message-ID: On 18 February 2012 15:19, Roland Perry wrote: >> Is there anything of the sort wrt "securing" the wifi routers? > > > Not yet, but policy is being formed in this area. Currently the USA is > leading, but the UK often follows. Pardon me for bringing this to the list's > attention. From a cursory reading of the article you pointed to, there doesn't seem to be a codified obligation to keep your wifi secure State-side, hence the obscure civil "test" lawsuit (although the article doesn't actually provide a link to the court paperwork that was filed, which would undoubtedly benefit this discussion). If you are going down the road of forcing wifi routers to be secure, then who is "responsible": the end user who "owns" the ISP connection, the ISP who provides the router and goes out of their way to keep the users from tinkering with the settings to minimise support costs, or the router manufacturer? You can't force WPA2 on everyone (assuming WPA2 is deemed "secure"), people still use computers with wifi cards that are only capable of WEP, should those users be forced to junk their laptops and upgrade or invest in more equipment? What happens if that "security" is compromised? The landscape is entirely different from the car examples discussed previously. -- Igor M. 
From lists at internetpolicyagency.com Sat Feb 18 15:47:27 2012 From: lists at internetpolicyagency.com (Roland Perry) Date: Sat, 18 Feb 2012 15:47:27 +0000 Subject: Unsecured wifi might be contributory negligence In-Reply-To: References: <4F3D00FA.9020109@ernest.net> <8279E31C-D03C-412A-B16D-64E3181CF503@batten.eu.org> <4F3E785C.2090700@ernest.net> <4F3E9300.5020108@ernest.net> <4B7B78858F71470ABDEFB94E96DB5925@MaryPC> <4F3FA4BA.6020201@ernest.net> Message-ID: In article , Igor Mozolevsky writes >On 18 February 2012 15:19, Roland Perry wrote: > >>> Is there anything of the sort wrt "securing" the wifi routers? >> >> Not yet, but policy is being formed in this area. Currently the USA is >> leading, but the UK often follows. Pardon me for bringing this to the list's >> attention. > >From a cursory reading of the article you pointed to, there doesn't >seem to be a codified obligation to keep your wifi secure State-side, >hence the obscure civil "test" lawsuit (although the article doesn't >actually provide a link to the court paperwork that was filed, which >would undoubtedly benefit this discussion). You need to think about the American legal system as privatised regulation, through the lens of class action suits - or big corporates suing many individuals, which is much the same idea. >If you are going down the road of forcing wifi routers to be secure, >then who is "responsible": the end user who "owns" the ISP connection, >the ISP who provides the router and goes out of their way to keep the >users from tinkering with the settings to minimise support costs, or >the router manufacturer? You can't force WPA2 on everyone (assuming >WPA2 is deemed "secure"), people still use computers with wifi cards >that are only capable of WEP, should those users be forced to junk >their laptops and upgrade or invest in more equipment? What happens if >that "security" is compromised? The landscape is entirely different >from the car examples discussed previously. 
I thought we'd got past the issue of "whose fault if the security is weak". What this is about, in the first instance, is *no* security. And that's something maybe the user might reasonably be responsible for. Although if enough get successfully sued, and they claim it was really the ISP or router manufacturer's fault, that's a class action in the making so eventually the "most guilty party" gets identified and cleans up their act. [All of this in USA of course]. -- Roland Perry From mozolevsky at gmail.com Sat Feb 18 16:13:40 2012 From: mozolevsky at gmail.com (Igor Mozolevsky) Date: Sat, 18 Feb 2012 16:13:40 +0000 Subject: Unsecured wifi might be contributory negligence In-Reply-To: References: <4F3D00FA.9020109@ernest.net> <8279E31C-D03C-412A-B16D-64E3181CF503@batten.eu.org> <4F3E785C.2090700@ernest.net> <4F3E9300.5020108@ernest.net> <4B7B78858F71470ABDEFB94E96DB5925@MaryPC> <4F3FA4BA.6020201@ernest.net> Message-ID: On 18 February 2012 15:47, Roland Perry wrote: > You need to think about the American legal system as privatised regulation, > through the lens of class action suits - or big corporates suing many > individuals, which is much the same idea. I don't follow your logic, how do you suggest that would transpose to English law/UK legislation? > I thought we'd got past the issue of "whose fault if the security is weak". > What this is about, in the first instance, is *no* security. And that's > something maybe the user might reasonably be responsible for. Going back to your car example, the statute provides a positive obligation on the vehicle keeper to identify the driver at some specific instances. So far as the keeper is concerned, it would be fairly obvious (e. g. by giving your keys) that someone else was driving the vehicle at the time, or (by distinct absence of the vehicle) that someone has stolen it. 
When you've got a wifi router, the situation is different---someone hijacking your connection is not exactly going to make your router disappear, neither can you really rely on router's logs because forging MAC addresses is a straight forward exercise.

So if you are saying that there should be a statutory/common law obligation to keep the router "secure", I can't see how that could be implemented in a meaningful way...
--
Igor M.

From lists at internetpolicyagency.com Sat Feb 18 17:31:18 2012
From: lists at internetpolicyagency.com (Roland Perry)
Date: Sat, 18 Feb 2012 17:31:18 +0000
Subject: Unsecured wifi might be contributory negligence
In-Reply-To:
References: <8279E31C-D03C-412A-B16D-64E3181CF503@batten.eu.org> <4F3E785C.2090700@ernest.net> <4F3E9300.5020108@ernest.net> <4B7B78858F71470ABDEFB94E96DB5925@MaryPC> <4F3FA4BA.6020201@ernest.net>
Message-ID:

In article , Igor Mozolevsky writes
>> You need to think about the American legal system as privatised regulation,
>> through the lens of class action suits - or big corporates suing many
>> individuals, which is much the same idea.
>
>I don't follow your logic, how do you suggest that would transpose to
>English law/UK legislation?

It doesn't transfer via class action suits, because we don't do those. What might happen is that (because it's also hitting mainstream now) we could get laws which introduce expectations on the behaviour of domestic Internet subscribers along the same lines as were eventually introduced for car drivers.

>> I thought we'd got past the issue of "whose fault if the security is weak".
>> What this is about, in the first instance, is *no* security. And that's
>> something maybe the user might reasonably be responsible for.
>
>Going back to your car example, the statute provides a positive
>obligation on the vehicle keeper to identify the driver at some
>specific instances. So far as the keeper is concerned, it would be
>fairly obvious (e. g. by giving your keys) that someone else was
>driving the vehicle at the time, or (by distinct absence of the
>vehicle) that someone has stolen it.

You've forgotten the situation of leaving the keys in the car. Whether the owner notices it's gone or not is a separate layer in the debate.

>When you've got a wifi router,
>the situation is different---someone hijacking your connection is not
>exactly going to make your router disappear, neither can you really
>rely on router's logs because forging MAC addresses is a straight
>forward exercise.

If they are hijacking your *open* router, the solution is to apply some kind of (any kind will do for now) security. It shows willing, if nothing else.

>So if you are saying that there should be a statutory/common law
>obligation to keep the router "secure", I can't see how that could be
>implemented in a meaningful way...

By making it clear that operators of open domestic wifi points are responsible for bad things which happen as a result.

Remembering also that the primary objective here probably isn't to make domestic wifi points secure from "masked men", or responsible for identifying those masked men, but to neutralise the excuse of the operator that "It wasn't me, it was a masked man wot dunnit".
--
Roland Perry

From mozolevsky at gmail.com Sat Feb 18 18:48:04 2012
From: mozolevsky at gmail.com (Igor Mozolevsky)
Date: Sat, 18 Feb 2012 18:48:04 +0000
Subject: Unsecured wifi might be contributory negligence
In-Reply-To:
References: <8279E31C-D03C-412A-B16D-64E3181CF503@batten.eu.org> <4F3E785C.2090700@ernest.net> <4F3E9300.5020108@ernest.net> <4B7B78858F71470ABDEFB94E96DB5925@MaryPC> <4F3FA4BA.6020201@ernest.net>
Message-ID:

On 18 February 2012 17:31, Roland Perry wrote:

> It doesn't transfer via class action suits, because we don't do those. What
> might happen is that (because it's also hitting mainstream now) we could get
> laws which introduce expectations on the behaviour of domestic Internet
> subscribers along the same lines as were eventually introduced for car
> drivers.

You are assuming that there is a sufficiently large portion of domestic users who would know what that means. What about all those people to whom "the Internet" is nothing more than the "Internet Explorer" window? I am getting more and more convinced that comparing this situation to driving cars is not helpful at all---the latter requires a competence test and the government regulates who may or may not drive, whereas the former clearly does not; unless you are advocating that you need to pass some competence test and obtain a licence to have Internet connection...

Of course we have not touched upon why imposition of such laws should be the case---if you accept that connectivity to the Internet is ubiquitous then would you not be imposing a positive obligation to a small class (IP rights holders) on the population as a whole (cf. car drivers being a distinct class of population)?

> You've forgotten the situation of leaving the keys in the car. Whether the
> owner notices it's gone or not is a separate layer in the debate.

So you are saying that if you were to leave your keys in the car and someone else were to steal that car and run someone over, you should be held liable at least in some part? Besides, vehicular owners always have "cannot be in two places at once" defence, which clearly will not work in case of an open wifi box...

> If they are hijacking your *open* router, the solution is to apply some kind
> of (any kind will do for now) security. It shows willing, if nothing else.

Yes, but again, you are ducking the "who is responsible" issue---all the parties (domestic users, ISPs, manufacturers, and IP rights holders) have competing, and quite often, mutually exclusive interests.

> By making it clear that operators of open domestic wifi points are
> responsible for bad things which happen as a result.
>
> Remembering also that the primary objective here probably isn't to make
> domestic wifi points secure from "masked men", or responsible for
> identifying those masked men, but to neutralise the excuse of the operator
> that "It wasn't me, it was a masked man wot dunnit".

How is that going to work though? If you make that a criminal liability, presumably, all the defendant would have to do is to assert the "not me" defence and it would be for the Crown to disprove it. If the statute would impose "duty of care" to the IP rights owners, we will most likely end up with the situation where ISPs would be liable and not the domestic users. How is this dramatically different? Also, you are forgetting what the ECJ said in Scarlet: the rights of IP rights holders are not absolute and must be balanced against everything else. One would argue that imposing liability "at large" is simply disproportionate.
--
Igor M.

From maxsec at gmail.com Sun Feb 19 08:30:02 2012
From: maxsec at gmail.com (Martin Hepworth)
Date: Sun, 19 Feb 2012 08:30:02 +0000
Subject: UK government restarting comms "spying" proposals
Message-ID:

http://www.telegraph.co.uk/technology/internet/9090617/Phone-and-email-records-to-be-stored-in-new-spy-plan.html

Would still like to know how practical this is never mind the privacy issues of being able to get at this data without court orders

--
Martin

--
--
Martin Hepworth
Oxford, UK

From igb at batten.eu.org Sun Feb 19 18:47:40 2012
From: igb at batten.eu.org (Ian Batten)
Date: Sun, 19 Feb 2012 18:47:40 +0000
Subject: Unsecured wifi might be contributory negligence
In-Reply-To:
References: <4F3CEFB0.1050906@ernest.net> <4F3D00FA.9020109@ernest.net> <8279E31C-D03C-412A-B16D-64E3181CF503@batten.eu.org> <4F3E785C.2090700@ernest.net> <4F3E9300.5020108@ernest.net> <4B7B78858F71470ABDEFB94E96DB5925@MaryPC> <4F3FA4BA.6020201@ernest.net>
Message-ID: <12A00A17-FA82-4A8B-80E0-E49D8CAA10E7@batten.eu.org>

On 18 Feb 2012, at 15:32, Igor Mozolevsky wrote:

> You can't force WPA2 on everyone (assuming
> WPA2 is deemed "secure"), people still use computers with wifi cards
> that are only capable of WEP,

It would be interesting to know how many, outside "people like us" who would be able to cobble together some sort of multiple-SSID setup with a VPN protecting the WEP side. The turnover of hardware appears to be much faster amongst civilians than amongst "people like us", who keep old gear going as an end in itself.

ian

From mozolevsky at gmail.com Sun Feb 19 19:28:33 2012
From: mozolevsky at gmail.com (Igor Mozolevsky)
Date: Sun, 19 Feb 2012 19:28:33 +0000
Subject: Unsecured wifi might be contributory negligence
In-Reply-To: <12A00A17-FA82-4A8B-80E0-E49D8CAA10E7@batten.eu.org>
References: <4F3CEFB0.1050906@ernest.net> <4F3D00FA.9020109@ernest.net> <8279E31C-D03C-412A-B16D-64E3181CF503@batten.eu.org> <4F3E785C.2090700@ernest.net> <4F3E9300.5020108@ernest.net> <4B7B78858F71470ABDEFB94E96DB5925@MaryPC> <4F3FA4BA.6020201@ernest.net> <12A00A17-FA82-4A8B-80E0-E49D8CAA10E7@batten.eu.org>
Message-ID:

On 19 February 2012 18:47, Ian Batten wrote:

> It would be interesting to know how many, outside "people like us" who
> would be able to cobble together some sort of multiple-SSID setup with
> a VPN protecting the WEP side. The turnover of hardware appears to
> be much faster amongst civilians than amongst "people like us", who
> keep old gear going as an end in itself.

I was thinking more of people who live on income support/council estates and the "older" generation...
--
Igor M.

From igb at batten.eu.org Sun Feb 19 19:42:49 2012
From: igb at batten.eu.org (Ian Batten)
Date: Sun, 19 Feb 2012 19:42:49 +0000
Subject: Unsecured wifi might be contributory negligence
In-Reply-To:
References: <4F3CEFB0.1050906@ernest.net> <4F3D00FA.9020109@ernest.net> <8279E31C-D03C-412A-B16D-64E3181CF503@batten.eu.org> <4F3E785C.2090700@ernest.net> <4F3E9300.5020108@ernest.net> <4B7B78858F71470ABDEFB94E96DB5925@MaryPC> <4F3FA4BA.6020201@ernest.net> <12A00A17-FA82-4A8B-80E0-E49D8CAA10E7@batten.eu.org>
Message-ID:

On 19 Feb 2012, at 19:28, Igor Mozolevsky wrote:

> On 19 February 2012 18:47, Ian Batten wrote:
>
>> It would be interesting to know how many, outside "people like us" who
>> would be able to cobble together some sort of multiple-SSID setup with
>> a VPN protecting the WEP side. The turnover of hardware appears to
>> be much faster amongst civilians than amongst "people like us", who
>> keep old gear going as an end in itself.
>
> I was thinking more of people who live on income support/council
> estates and the "older" generation...

They weren't buying laptops prior to WPA2 being common place.

ian

From mozolevsky at gmail.com Sun Feb 19 20:02:31 2012
From: mozolevsky at gmail.com (Igor Mozolevsky)
Date: Sun, 19 Feb 2012 20:02:31 +0000
Subject: Unsecured wifi might be contributory negligence
In-Reply-To:
References: <4F3CEFB0.1050906@ernest.net> <4F3D00FA.9020109@ernest.net> <8279E31C-D03C-412A-B16D-64E3181CF503@batten.eu.org> <4F3E785C.2090700@ernest.net> <4F3E9300.5020108@ernest.net> <4B7B78858F71470ABDEFB94E96DB5925@MaryPC> <4F3FA4BA.6020201@ernest.net> <12A00A17-FA82-4A8B-80E0-E49D8CAA10E7@batten.eu.org>
Message-ID:

On 19 February 2012 19:42, Ian Batten wrote:
>
> On 19 Feb 2012, at 19:28, Igor Mozolevsky wrote:
>>
>> I was thinking more of people who live on income support/council
>> estates and the "older" generation...
>
> They weren't buying laptops prior to WPA2 being common place.

What makes you say that?
--
Igor M.

From igb at batten.eu.org Sun Feb 19 20:21:31 2012
From: igb at batten.eu.org (Ian Batten)
Date: Sun, 19 Feb 2012 20:21:31 +0000
Subject: Unsecured wifi might be contributory negligence
In-Reply-To:
References: <4F3CEFB0.1050906@ernest.net> <4F3D00FA.9020109@ernest.net> <8279E31C-D03C-412A-B16D-64E3181CF503@batten.eu.org> <4F3E785C.2090700@ernest.net> <4F3E9300.5020108@ernest.net> <4B7B78858F71470ABDEFB94E96DB5925@MaryPC> <4F3FA4BA.6020201@ernest.net> <12A00A17-FA82-4A8B-80E0-E49D8CAA10E7@batten.eu.org>
Message-ID: <6608256D-6C1F-4620-86D6-AF15731DD8B9@batten.eu.org>

On 19 Feb 2012, at 20:02, Igor Mozolevsky wrote:

> On 19 February 2012 19:42, Ian Batten wrote:
>>
>> On 19 Feb 2012, at 19:28, Igor Mozolevsky wrote:
>>>
>>> I was thinking more of people who live on income support/council
>>> estates and the "older" generation...
>>
>> They weren't buying laptops prior to WPA2 being common place.
>
> What makes you say that?

Because the first mass-market integrated WiFi solution was the Intel 2100 MiniPCI card, which was released in late 2002. That does WPA2 with Windows XP SP3. There's a Broadcom card of a similar vintage, that also does WPA2 with up-to-date drivers. Prior to the MiniPCI cards, you needed to use PCMCIA cards. I don't believe that laptops were being purchased as consumer items in 2002, and especially not with PCMCIA cards to add wireless. If there are such machines in circulation --- and we're both guessing --- then PCMCIA cards that will do WPA2 are dirt cheap and could be provided by the ISP as part of the programme.

There might be, somewhere, a laptop still in use which has an on-board WiFi adapter which will not do WPA2, but which also does not have a PCMCIA slot, although such beasts would have been rare even when new: I've never seen one (G4 iBooks do WPA2; G3 ones might not, but how many of those are still in use?) But I seriously doubt any of this stuff is in use by civilians.

ian

From mozolevsky at gmail.com Sun Feb 19 21:02:50 2012
From: mozolevsky at gmail.com (Igor Mozolevsky)
Date: Sun, 19 Feb 2012 21:02:50 +0000
Subject: Unsecured wifi might be contributory negligence
In-Reply-To: <6608256D-6C1F-4620-86D6-AF15731DD8B9@batten.eu.org>
References: <4F3CEFB0.1050906@ernest.net> <4F3D00FA.9020109@ernest.net> <8279E31C-D03C-412A-B16D-64E3181CF503@batten.eu.org> <4F3E785C.2090700@ernest.net> <4F3E9300.5020108@ernest.net> <4B7B78858F71470ABDEFB94E96DB5925@MaryPC> <4F3FA4BA.6020201@ernest.net> <12A00A17-FA82-4A8B-80E0-E49D8CAA10E7@batten.eu.org> <6608256D-6C1F-4620-86D6-AF15731DD8B9@batten.eu.org>
Message-ID:

On 19 February 2012 20:21, Ian Batten wrote:
>
> On 19 Feb 2012, at 20:02, Igor Mozolevsky wrote:
>
>> On 19 February 2012 19:42, Ian Batten wrote:
>>>
>>> On 19 Feb 2012, at 19:28, Igor Mozolevsky wrote:
>>>>
>>>> I was thinking more of people who live on income support/council
>>>> estates and the "older" generation...
>>>
>>> They weren't buying laptops prior to WPA2 being common place.
>>
>> What makes you say that?
>
> Because the first mass-market integrated WiFi solution was the Intel
> 2100 MiniPCI card, which was released in late 2002. That does WPA2
> with Windows XP SP3. There's a Broadcom card of a similar vintage,
> that also does WPA2 with up-to-date drivers. Prior to the MiniPCI
> cards, you needed to use PCMCIA cards. I don't believe that laptops
> were being purchased as consumer items in 2002, and especially not
> with PCMCIA cards to add wireless.

[snip]

If end-user WPA2-capability is so widespread then, is the problem of open and unsecured wifi APs so widespread and causes so many problems that the passing of appropriate legislation is warranted?
--
Igor M.

From ukcrypto at philipkatz.eu Sun Feb 19 22:32:50 2012
From: ukcrypto at philipkatz.eu (ukcrypto at philipkatz.eu)
Date: Sun, 19 Feb 2012 22:32:50 -0000
Subject: Unsecured wifi might be contributory negligence
Message-ID: <001e01ccef56$69b112a0$3d1337e0$@philipkatz.eu>

> -----Original Message-----
> From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto-
> bounces at chiark.greenend.org.uk] On Behalf Of Igor Mozolevsky
> Sent: Saturday, February 18, 2012 3:33 PM
>
> You can't force WPA2 on everyone (assuming
> WPA2 is deemed "secure"), people still use computers with wifi cards
> that are only capable of WEP, should those users be forced to junk their
> laptops and upgrade or invest in more equipment?

It's not only laptops. I have an internet radio which is only capable of WEP, and there may be lots of other devices out there which can't talk WPA2.

(It's all fairly academic anyway. Yes, WEP can be broken fairly easily, but we're only talking about access to Internet connectivity here, so for most real world circumstances it will be less effort to find an unsecured network instead.)

--
Philip

From colinthomson1 at o2.co.uk Mon Feb 20 08:01:54 2012
From: colinthomson1 at o2.co.uk (Tom Thomson)
Date: Mon, 20 Feb 2012 08:01:54 -0000
Subject: FW: Unsecured wifi might be contributory negligence
Message-ID: <20E24E9CC372482B8B61690163C86EB9@your41b8d18ede>

In reply to: 19 February 2012 20:22 Ian Batten
>
> Because the first mass-market integrated WiFi solution was the Intel 2100
> MiniPCI card, which was released in late 2002. That does WPA2 with
> Windows XP SP3. There's a Broadcom card of a similar vintage, that also
> does WPA2 with up-to-date drivers. Prior to the MiniPCI cards, you
> needed to use PCMCIA cards. I don't believe that laptops were being
> purchased as consumer items in 2002, and especially not with PCMCIA
> cards to add wireless. If there are such machines in circulation --- and we're
> both guessing --- then PCMCIA cards that will do WPA2 are dirt cheap and
> could be provided by the ISP as part of the programme.
>
> There might be, somewhere, a laptop still in use which has an on-board WiFi
> adapter which will not do WPA2, but which also does not have a PCMCIA
> slot, although such beasts would have been rare even when new: I've never
> seen one (G4 iBooks do WPA2; G3 ones might not, but how many of those
> are still in use?) But I seriously doubt any of this stuff is in use by civilians.

Surely the capabilities of laptops are a bit irrelevant given that routers without WPA (let alone WPA2) capability continued to be shipped for quite a bit longer and router replacement tends to be rather rarer than laptop replacement (and if there are UK ISPs who do things the way Telefonica does, there are also routers where the hardware has the capability but they are running firmware that doesn't).

M.

From lists at internetpolicyagency.com Mon Feb 20 09:41:15 2012
From: lists at internetpolicyagency.com (Roland Perry)
Date: Mon, 20 Feb 2012 09:41:15 +0000
Subject: Unsecured wifi might be contributory negligence
In-Reply-To:
References: <4F3E785C.2090700@ernest.net> <4F3E9300.5020108@ernest.net> <4B7B78858F71470ABDEFB94E96DB5925@MaryPC> <4F3FA4BA.6020201@ernest.net>
Message-ID:

In article , Igor Mozolevsky writes
>On 18 February 2012 17:31, Roland Perry wrote:
>
>> It doesn't transfer via class action suits, because we don't do those. What
>> might happen is that (because it's also hitting mainstream now) we could get
>> laws which introduce expectations on the behaviour of domestic Internet
>> subscribers along the same lines as were eventually introduced for car
>> drivers.
>
>You are assuming that there is a sufficiently large portion of
>domestic users who would know what that means. What about all those
>people to whom "the Internet" is nothing more than the "Internet
>Explorer" window? I am getting more and more convinced that comparing
>this situation to driving cars is not helpful at all---the latter
>requires a competence test and the government regulates who may or may
>not drive, whereas the former clearly does not; unless you are
>advocating that you need to pass some competence test and obtain a
>licence to have Internet connection...

Perhaps building regulations is a better analogy, and not installing unsafe DIY electrical outlets and gas fires in your house?

>Of course we have not touched upon why imposition of such laws should
>be the case---if you accept that connectivity to the Internet is
>ubiquitous then would you not be imposing a positive obligation to a
>small class (IP rights holders) on the population as a whole (cf. car
>drivers being a distinct class of population)?

I think I've mentioned it several times. It's so the householder can't hide behind the figleaf of "someone else did it". As a second order, some miscreants might be dissuaded from bad behaviour if they knew they had to use their own connectivity to do it.

>> If they are hijacking your *open* router, the solution is to apply some kind
>> of (any kind will do for now) security. It shows willing, if nothing else.
>
>Yes, but again, you are ducking the "who is responsible" issue---all
>the parties (domestic users, ISPs, manufacturers, and IP rights
>holders) have competing, and quite often, mutually exclusive
>interests.

Which you could characterise as a market failure, and hence a need to regulate...

>> By making it clear that operators of open domestic wifi points are
>> responsible for bad things which happen as a result.
>>
>> Remembering also that the primary objective here probably isn't to make
>> domestic wifi points secure from "masked men", or responsible for
>> identifying those masked men, but to neutralise the excuse of the operator
>> that "It wasn't me, it was a masked man wot dunnit".
>
>How is that going to work though? If you make that a criminal
>liability, presumably, all the defendant would have to do is to assert
>the "not me" defence and it would be for the Crown to disprove it.

First you prove a bad thing has happened (I've never suggested that copyright infringement is either the only, or the most serious, thing that might happen). Then you have a penalty (proportionate, obviously) for the subscriber if he manages to convince you it was another person who did it.
--
Roland Perry

From lists at internetpolicyagency.com Mon Feb 20 09:46:04 2012
From: lists at internetpolicyagency.com (Roland Perry)
Date: Mon, 20 Feb 2012 09:46:04 +0000
Subject: Unsecured wifi might be contributory negligence
In-Reply-To:
References: <4F3E785C.2090700@ernest.net> <4F3E9300.5020108@ernest.net> <4B7B78858F71470ABDEFB94E96DB5925@MaryPC> <4F3FA4BA.6020201@ernest.net> <12A00A17-FA82-4A8B-80E0-E49D8CAA10E7@batten.eu.org> <6608256D-6C1F-4620-86D6-AF15731DD8B9@batten.eu.org>
Message-ID:

In article , Igor Mozolevsky writes
>If end-user WPA2-capability is so widespread then, is the problem of
>open and unsecured wifi APs so widespread and causes so many problems
>that the passing of appropriate legislation is warranted?

It's nothing to do with WEP vs WPA2, but whether either of them is turned on at all.
--
Roland Perry

From ben at liddicott.com Mon Feb 20 10:44:52 2012
From: ben at liddicott.com (Ben Liddicott)
Date: Mon, 20 Feb 2012 10:44:52 -0000
Subject: Unsecured wifi might be contributory negligence
In-Reply-To: <6608256D-6C1F-4620-86D6-AF15731DD8B9@batten.eu.org>
References: <4F3CEFB0.1050906@ernest.net> <4F3E785C.2090700@ernest.net> <4F3E9300.5020108@ernest.net> <4B7B78858F71470ABDEFB94E96DB5925@MaryPC> <4F3FA4BA.6020201@ernest.net> <12A00A17-FA82-4A8B-80E0-E49D8CAA10E7@batten.eu.org> <6608256D-6C1F-4620-86D6-AF15731DD8B9@batten.eu.org>
Message-ID: <9251818AE68C4D21AB0E0835E5ABE947@ROCKET>

Not only laptops, but other consumer equipment uses WiFi: The Nintendo DS Lite will only do WEP. So if you want to be able to use the Nintendo store, you have to enable WEP on your access point. There are also such things as consoles, digital photo frames, PVRs etc, which exist in huge variety.

Cheers,
Ben

-----Original Message-----
From: Ian Batten
Sent: Sunday, February 19, 2012 8:21 PM

On 19 Feb 2012, at 20:02, Igor Mozolevsky wrote:
(...)
I don't believe that laptops were being purchased as consumer items in 2002, and especially not with PCMCIA cards to add wireless. If there are such machines in circulation
(...)
But I seriously doubt any of this stuff is in use by civilians.

ian

From igb at batten.eu.org Mon Feb 20 11:34:36 2012
From: igb at batten.eu.org (Ian Batten)
Date: Mon, 20 Feb 2012 11:34:36 +0000
Subject: Unsecured wifi might be contributory negligence
In-Reply-To: <9251818AE68C4D21AB0E0835E5ABE947@ROCKET>
References: <4F3CEFB0.1050906@ernest.net> <4F3E785C.2090700@ernest.net> <4F3E9300.5020108@ernest.net> <4B7B78858F71470ABDEFB94E96DB5925@MaryPC> <4F3FA4BA.6020201@ernest.net> <12A00A17-FA82-4A8B-80E0-E49D8CAA10E7@batten.eu.org> <6608256D-6C1F-4620-86D6-AF15731DD8B9@batten.eu.org> <9251818AE68C4D21AB0E0835E5ABE947@ROCKET>
Message-ID: <47D80C56-E351-4FEA-B2E1-86B163D0505E@batten.eu.org>

On 20 Feb 2012, at 10:44, Ben Liddicott wrote:

> Not only laptops, but other consumer equipment uses WiFi: The Nintendo DS Lite will only do WEP. So if you want to be able to use the Nintendo store, you have to enable WEP on your access point. There are also such things as consoles, digital photo frames, PVRs etc, which exist in huge variety.

I didn't know that: all the non "computer" stuff in my house does WPA2 (a Pure radio, a Panasonic webcam, a Lexmark printer), but obviously I'm lucky.

ian

From mozolevsky at gmail.com Mon Feb 20 14:05:39 2012
From: mozolevsky at gmail.com (Igor Mozolevsky)
Date: Mon, 20 Feb 2012 14:05:39 +0000
Subject: Unsecured wifi might be contributory negligence
In-Reply-To:
References: <4F3E785C.2090700@ernest.net> <4F3E9300.5020108@ernest.net> <4B7B78858F71470ABDEFB94E96DB5925@MaryPC> <4F3FA4BA.6020201@ernest.net>
Message-ID:

On 20 February 2012 09:41, Roland Perry wrote:
> Igor Mozolevsky writes:

[snip]

>> I am getting more and more convinced that comparing
>> this situation to driving cars is not helpful at all

[snip]

> Perhaps building regulations is a better analogy, and not installing unsafe
> DIY electrical outlets and gas fires in your house?

I'm not convinced that helps either. Insofar as the electrical outlets are concerned, only the end-user can cause havoc not some drive-by electricity hijacker, and the havoc is limited to the house (or a few houses at worst) not to some third party at large (this, incidentally goes well with Lord Atkin's "legal neighbour" principle in tort---you can identify to whom you owe duty of care---someone living in Aberdeen is not going to have their house destroyed by one's poor electrical wiring in Plymouth). With respect to gas, that's the whole reason why Mercaptan (or similar) is added to the natural gas---it's pretty easy to detect a "breach", whereas the situation is entirely different to a wifi box...

>> Of course we have not touched upon why imposition of such laws should
>> be the case---if you accept that connectivity to the Internet is
>> ubiquitous then would you not be imposing a positive obligation to a
>> small class (IP rights holders) on the population as a whole (cf. car
>> drivers being a distinct class of population)?
>
>
> I think I've mentioned it several times. It's so the householder can't hide
> behind the figleaf of "someone else did it". As a second order, some
> miscreants might be dissuaded from bad behaviour if they knew they had to
> use their own connectivity to do it.

Are you not ending up in a situation where the householders are far worse off than public wifi providers in this scenario?

>> Yes, but again, you are ducking the "who is responsible" issue---all
>> the parties (domestic users, ISPs, manufacturers, and IP rights
>> holders) have competing, and quite often, mutually exclusive
>> interests.
>
> Which you could characterise as a market failure, and hence a need to
> regulate...

I'm not following this argument (isn't the whole idea of a market to balance various parties' needs?), are you saying that the need to regulate arises because the IP rights holders are being unduly oppressed at large; because, so far, the arrangement appears to be working for all but those?..

> First you prove a bad thing has happened (I've never suggested that
> copyright infringement is either the only, or the most serious, thing that
> might happen). Then you have a penalty (proportionate, obviously) for the
> subscriber if he manages to convince you it was another person who did it.

Proportionate to what---the alleged infringement, householder's income, some other yardstick?

How are you going to prove that a bad thing has happened? In a criminal prosecution, you will most likely be wanting to seize and analyse the suspect's equipment because of the high threshold the Crown has to reach to convict (in which case "my router was hijacked" defence is irrelevant), and in a civil case, every time third-party "evidence" was being adduced, the cases were dropped as soon as the cases were transferred to specialist court [1,2]. For a civil case, I would hazard a guess that only expert evidence of wrong-doing by the defendant would stand to scrutiny; again, the router problem goes away. This circles back to the issue of whether the legislation is needed at all...

1. MediaCAT v Andrews & ors: http://www.bailii.org/ew/cases/EWPCC/2011/10.html
2. Golden Eye v Maricar: http://www.bailii.org/ew/cases/EWPCC/2011/27.html
--
Igor M.

From igb at batten.eu.org Mon Feb 20 14:53:47 2012
From: igb at batten.eu.org (Ian Batten)
Date: Mon, 20 Feb 2012 14:53:47 +0000
Subject: Unsecured wifi might be contributory negligence
In-Reply-To:
References: <4F3E785C.2090700@ernest.net> <4F3E9300.5020108@ernest.net> <4B7B78858F71470ABDEFB94E96DB5925@MaryPC> <4F3FA4BA.6020201@ernest.net>
Message-ID:

On 20 Feb 2012, at 14:05, Igor Mozolevsky wrote:

>>
>> I think I've mentioned it several times. It's so the householder can't hide
>> behind the figleaf of "someone else did it". As a second order, some
>> miscreants might be dissuaded from bad behaviour if they knew they had to
>> use their own connectivity to do it.
>
> Are you not ending up in a situation where the householders are far
> worse off than public wifi providers in this scenario?

I think that's a very good point. Assuming that the government wouldn't be so deranged as to either criminalise or impose obligations on every cafe in the country that offers WiFi with a latte, householders would be placed in a position of having a wide range of obligations that business owners don't. And that's the inverse of the case in most analogous situations, where private individuals have lower regulatory thresholds. The implication would be that householders have some sort of control over or responsibility for the actions of other people in the house which cafe owners don't have over their customers, which seems hard to sustain. And in any event, given that many cafes are run by sole traders who aren't even limited companies, it would hardly be difficult for a householder to offer WiFi to other people in their vicinity as though they were a cafe-owner. That's why regulatory thresholds usually involve things like "being a limited liability company".

ian

From lists at internetpolicyagency.com Mon Feb 20 15:43:32 2012
From: lists at internetpolicyagency.com (Roland Perry)
Date: Mon, 20 Feb 2012 15:43:32 +0000
Subject: Unsecured wifi might be contributory negligence
In-Reply-To:
References: <4F3E785C.2090700@ernest.net> <4F3E9300.5020108@ernest.net> <4B7B78858F71470ABDEFB94E96DB5925@MaryPC> <4F3FA4BA.6020201@ernest.net>
Message-ID: <+kC2rhukomQPFATb@perry.co.uk>

In article , Igor Mozolevsky writes
>> Perhaps building regulations is a better analogy, and not installing unsafe
>> DIY electrical outlets and gas fires in your house?
>
>I'm not convinced that helps either. Insofar as the electrical outlets
>are concerned, only the end-user can cause havoc not some drive-by
>electricity hijacker, and the havoc is limited to the house (or a few
>houses at worst) not to some third party at large

It's not havoc, but risk, and is passed on to subsequent inhabitants.

>> I think I've mentioned it several times. It's so the householder can't hide
>> behind the figleaf of "someone else did it". As a second order, some
>> miscreants might be dissuaded from bad behaviour if they knew they had to
>> use their own connectivity to do it.
>
>Are you not ending up in a situation where the householders are far
>worse off than public wifi providers in this scenario?

That's why discussion of liability of intermediaries is so important. It normally excludes the issue of "involuntary intermediaries" though.

>>> Yes, but again, you are ducking the "who is responsible" issue---all
>>> the parties (domestic users, ISPs, manufacturers, and IP rights
>>> holders) have competing, and quite often, mutually exclusive
>>> interests.
>>
>> Which you could characterise as a market failure, and hence a need to
>> regulate...
>
>I'm not following this argument (isn't the whole idea of a market to
>balance various parties' needs?),

And aren't you arguing that someone who apparently "needs" to run an open domestic wifi point could be a casualty?
>> First you prove a bad thing has happened (I've never suggested that >> copyright infringement is either the only, or the most serious, thing that >> might happen). Then you have a penalty (proportionate, obviously) for the >> subscriber if he manages to convince you it was another person who did it. > >Proportionate to what---the alleged infringement, householder's >income, some other yardstick? I don't think anyone has decided yet. >How are you going to prove that a bad thing has happened? That's relatively easy. Seeing spam emanating, or a copyright work being shared, or harassment taking place. -- Roland Perry From Andrew.Cormack at ja.net Mon Feb 20 16:52:50 2012 From: Andrew.Cormack at ja.net (Andrew Cormack) Date: Mon, 20 Feb 2012 16:52:50 +0000 Subject: Unsecured wifi might be contributory negligence In-Reply-To: References: <4F3E785C.2090700@ernest.net> <4F3E9300.5020108@ernest.net> <4B7B78858F71470ABDEFB94E96DB5925@MaryPC> <4F3FA4BA.6020201@ernest.net> Message-ID: <61E52F3A5532BE43B0211254F13883AE09F1B373@EXC001> > -----Original Message----- > From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto- > bounces at chiark.greenend.org.uk] On Behalf Of Ian Batten > Sent: 20 February 2012 14:54 > To: UK Cryptography Policy Discussion Group > Subject: Re: Unsecured wifi might be contributory negligence > > > On 20 Feb 2012, at 14:05, Igor Mozolevsky wrote: > >> > >> I think I've mentioned it several times. It's so the householder > can't hide > >> behind the figleaf of "someone else did it". As a second order, some > >> miscreants might be dissuaded from bad behaviour if they knew they > had to > >> use their own connectivity to do it. > > > > Are you not ending up in a situation where the householders are far > > worse off than public wifi providers in this scenario? > > I think that's a very good point. 
Assuming that the government > wouldn't be so deranged as to either criminalise or impose obligations > on every cafe in the country that offers WiFi with a latte, Ofcom's original commentary on the Draft Initial Obligations Code in May 2010 said that imposing obligations on cafe owners was precisely what the Government had done (see s.3.23, 3.30 & 3.31 of http://stakeholders.ofcom.org.uk/binaries/consultations/copyright-infringement/summary/condoc.pdf) :( More recently they've been saying that they don't have authority to interpret the definitions in the Act, so it may be that their view has changed. > householders would be placed in a position of having a wide range of > obligations that business owners don't. And that's the inverse of the > case in most analogous situations, where private individuals have lower > regulatory thresholds. The implication would be that householders > have some sort of control over or responsibility for the actions of > other people in the house which cafe owners don't have over their > customers, which seems hard to sustain. And in any event, given that > many cafes are run by sole traders who aren't even limited companies, > it would hardly be difficult for a householder to offer WiFi to other > people in their vicinity as though they were a cafe-owner. That's why > regulatory thresholds usually involve things like "being a limited > liability company". Worth noting that the DEA doesn't, as far as I can see, do anything to change the position on liability *for* breach of copyright: that's still defined by the CDPA. What the DEA does is introduce some new duties on both subscribers and ISPs to prevent breach of copyright using their networks: those who fail to satisfy those duties can have sanctions imposed by the DEA, but that's not "liability for copyright breach". 
The serious infringers list could help rightsholders to bring to court those *subscribers* whose connections have allegedly been used repeatedly to breach copyright, but it shouldn't affect the subsequent process of determining whether the subscriber standing in front of the court is actually responsible for those infringements under the CDPA. Andrew > ian > From igb at batten.eu.org Mon Feb 20 17:18:41 2012 From: igb at batten.eu.org (Ian Batten) Date: Mon, 20 Feb 2012 17:18:41 +0000 Subject: Unsecured wifi might be contributory negligence In-Reply-To: <61E52F3A5532BE43B0211254F13883AE09F1B373@EXC001> References: <4F3E785C.2090700@ernest.net> <4F3E9300.5020108@ernest.net> <4B7B78858F71470ABDEFB94E96DB5925@MaryPC> <4F3FA4BA.6020201@ernest.net> <61E52F3A5532BE43B0211254F13883AE09F1B373@EXC001> Message-ID: On 20 Feb 2012, at 16:52, Andrew Cormack wrote: > > Worth noting that the DEA doesn't, as far as I can see, do anything to change the position on liability *for* breach of copyright: that's still defined by the CDPA. What the DEA does is introduce some new duties on both subscribers and ISPs to prevent breach of copyright using their networks: those who fail to satisfy those duties can have sanctions imposed by the DEA, but that's not "liability for copyright breach". It's possible, I suppose, that ISPs could be leaned on to refuse to supply service to endpoints that are associated with copyright infringement. Provided they can show they are not breaching the Equality Act 2010, they're perfectly at liberty to refuse to do business with people for any or no reason --- even BT's USO doesn't extend to broadband. In which case, the ISP would simply withdraw service based on complaints from rights holders, perhaps after some sort of warning regime ("we aren't accusing you of X and we can't punish you for X and X isn't a crime, but we aren't going to do business with you if your line is used for X"). 
Of course, if ISPs did that --- and it's hard to imagine them acting en bloc to do so --- then it would bring to a head the tension between Internet access being a purely commercial transaction between willing parties, and Internet access being pretty much a requirement to run a business or participate in education. ian From mozolevsky at gmail.com Tue Feb 21 07:02:17 2012 From: mozolevsky at gmail.com (Igor Mozolevsky) Date: Tue, 21 Feb 2012 07:02:17 +0000 Subject: Unsecured wifi might be contributory negligence In-Reply-To: <+kC2rhukomQPFATb@perry.co.uk> References: <4F3E785C.2090700@ernest.net> <4F3E9300.5020108@ernest.net> <4B7B78858F71470ABDEFB94E96DB5925@MaryPC> <4F3FA4BA.6020201@ernest.net> <+kC2rhukomQPFATb@perry.co.uk> Message-ID: On 20 February 2012 15:43, Roland Perry wrote: > Mozolevsky writes < >>> Perhaps building regulations is a better analogy, and not installing >>> unsafe >>> DIY electrical outlets and gas fires in your house? >> >> >> I'm not convinced that helps either. Insofar as the electrical outlets >> are concerned, only the end-user can cause havoc not some drive-by >> electricity hijacker, and the havoc is limited to the house (or a few >> houses at worst) not to some third party at large > > > It's not havoc, but risk, and is passed on to subsequent inhabitants. Firstly, that only goes to support the point that I was making---your liability is limited to yourself and a clearly identifiable *small* class of people, not the world of home owners (or in our case Internet users) at large. Secondly, I would presume, the earlier inhabitants still have the "it wasn't my 'handiwork' that was defective" defence---the thing you are suggesting is eliminated for households wrt "unsecured" wifi routers. >> Are you not ending up in a situation where the householders are far >> worse off than public wifi providers in this scenario? > > That's why discussion of liability of intermediaries is so important. 
> > It normally excludes the issue of "involuntary intermediaries" though. I don't see what point you are trying to make: are you saying that public wifi providers ought to be afforded greater protection at law than the households, or are you saying that the households ought to be treated as involuntary intermediaries? The latter seems a more rational approach... >>>> Yes, but again, you are ducking the "who is responsible" issue---all >>>> the parties (domestic users, ISPs, manufacturers, and IP rights >>>> holders) have competing, and quite often, mutually exclusive >>>> interests. >>> >>> Which you could characterise as a market failure, and hence a need to >>> regulate... >> >> I'm not following this argument (isn't the whole idea of a market to >> balance various parties' needs?), > > And aren't you arguing that someone who apparently "needs" to run an open > domestic wifi point could be a casualty? Absolutely, but not just those who "need" to do so, but innocent, yet not sufficiently technically competent to do something about it, as well. Let me give you a practical illustration here: I have put your suggestion to someone whom I consider to be "a reasonable person" and initially that person was entirely agreeing with your suggestion, but only up to the point when I asked whether that person considered themselves to be sufficiently competent to avoid liability if such law was passed. >> Proportionate to what---the alleged infringement, householder's >> income, some other yardstick? > > I don't think anyone has decided yet. I can't take this any further than this then... >> How are you going to prove that a bad thing has happened? > > That's relatively easy. Seeing spam emanating, or a copyright work being > shared, or harassment taking place. Let's think about the situation in these scenarios. 
With spammers, you would have some affiliation between the spammer and the contents of the messages, some form of payments, and I would hazard a guess templates of those messages would be stored somewhere "handy". In the case of harassment, there is some form of relationship between the harasser and the harassee, or in case of a stalker, one would expect to find some other evidence (e.g. a huge collection of photos). Dealing with a large scale copyright infringement (sufficiently large to bring that within the ambit of a criminal offence) you would have other corroborating evidence and, more significantly, payments made to the person distributing the works, which is what seems to attract the FBI attention. The problem seems to arise (and this appears to be the case in the original article that you have pointed to, or at least that is the inference I am making from abstracts of the court filing quoted therein) when the IP rights holders (or their agents) use torrent tracking to identify those who they think are "sharing" and have diddly-squat by way of corroborative evidence. In the first MediaCAT judgment [1], there was an explicit point being made by the judge about the fact that mere "IP address" evidence is quite simply untested and the judge did not appear to want to test it there and then. What you seem to be suggesting is that such evidence (even though produced by an interested party without any corroboration) is sufficient for civil/criminal liability. Are you seriously saying that you are happy with that situation? Naturally, there would be no problem if one were to try to download the copyrighted material from the sharer and subsequently obtained a search order and discovered the same content on the defendant's equipment... 1. http://www.bailii.org/ew/cases/EWPCC/2011/6.html -- Igor M. 
From igb at batten.eu.org Tue Feb 21 09:14:53 2012 From: igb at batten.eu.org (Ian Batten) Date: Tue, 21 Feb 2012 09:14:53 +0000 Subject: Unsecured wifi might be contributory negligence In-Reply-To: References: <4F3E785C.2090700@ernest.net> <4F3E9300.5020108@ernest.net> <4B7B78858F71470ABDEFB94E96DB5925@MaryPC> <4F3FA4BA.6020201@ernest.net> <+kC2rhukomQPFATb@perry.co.uk> Message-ID: <51B1540B-F391-4153-A260-97946374353D@batten.eu.org> On 21 Feb 2012, at 07:02, Igor Mozolevsky wrote: > > Firstly, that only goes to support the point that I was making---your > liability is limited to yourself and a clearly identifiable *small* > class of people, not the world of home owners (or in our case Internet > users) at large. Secondly, I would presume, the earlier inhabitants > still have the "it wasn't my 'handiwork' that was defective" > defence---the thing you are suggesting is eliminated for households > wrt "unsecured" wifi routers. As is often pointed out, real-world metaphors often fail to illuminate. One reason for the building regulations is to avoid owner x doing a bodge job on the wiring and owner x+1 being killed when the RCD doesn't trip when it should. It's not about liability, it's about safety. That metaphor is very difficult to extend into the online world. > > Naturally, there would be no problem is one were to try to download > the copyrighted material from the sharer and subsequently obtained a > search order and discovered the same content on the defendant's > equipment... It would be amusing to provoke the rights holders into attempting to use search warrants. Aside from the fact I doubt that any court would be willing to grant one, I think it's safe to say that such sympathy as there is for the poor hard done by film studios [1] would evaporate as soon as the story hit the newspapers. ian [1] Is it just me, or is the fact that you can't now go to the cinema without an endless succession of hectoring adverts about piracy really annoying? 
I'm one of the people that pays for cinema, and the way that the people placing those adverts can tell is because I'm sat in a cinema watching it. One of the benefits of watching DVDs is not having to sit through thirty minutes of shite before the film starts, and that's even more annoying when a large part of that shite is given over to wagging a finger at the people who precisely don't need to have fingers wagged at them. From nbohm at ernest.net Tue Feb 21 11:14:45 2012 From: nbohm at ernest.net (Nicholas Bohm) Date: Tue, 21 Feb 2012 11:14:45 +0000 Subject: Unsecured wifi might be contributory negligence In-Reply-To: <51B1540B-F391-4153-A260-97946374353D@batten.eu.org> References: <4F3E785C.2090700@ernest.net> <4F3E9300.5020108@ernest.net> <4B7B78858F71470ABDEFB94E96DB5925@MaryPC> <4F3FA4BA.6020201@ernest.net> <+kC2rhukomQPFATb@perry.co.uk> <51B1540B-F391-4153-A260-97946374353D@batten.eu.org> Message-ID: <4F437CA5.8000605@ernest.net> On 21/02/2012 09:14, Ian Batten wrote: > On 21 Feb 2012, at 07:02, Igor Mozolevsky wrote: > >> Firstly, that only goes to support the point that I was making---your >> liability is limited to yourself and a clearly identifiable *small* >> class of people, not the world of home owners (or in our case Internet >> users) at large. Secondly, I would presume, the earlier inhabitants >> still have the "it wasn't my 'handiwork' that was defective" >> defence---the thing you are suggesting is eliminated for households >> wrt "unsecured" wifi routers. > As is often pointed out, real-world metaphors often fail to illuminate. One reason for the building regulations is to avoid owner x doing a bodge job on the wiring and owner x+1 being killed when the RCD doesn't trip when it should. It's not about liability, it's about safety. That metaphor is very difficult to extend into the online world. 
> >> Naturally, there would be no problem is one were to try to download >> the copyrighted material from the sharer and subsequently obtained a >> search order and discovered the same content on the defendant's >> equipment... > It would be amusing to provoke the rights holders into attempting to use search warrants. Aside from the fact I doubt that any court would be willing to grant one, Copyright enforcement litigation not uncommonly involves a sort of civil equivalent of a search warrant in the form of an order to the defendant to admit the claimant's lawyers to his premises to search for evidence, the order being obtained in the defendant's absence and served on the doorstep. > I think it's safe to say that such sympathy as there is for the poor hard done by film studios [1] would evaporate as soon as the story hit the newspapers. Up to now the orders have been used against alleged industrial scale rip-offs, without much sign of controversy. Using them in the domestic context might indeed be inflammatory. > [1] Is it just me, or is the fact that you can't now go to the cinema without an endless succession of hectoring adverts about piracy really annoying? I'm one of the people that pays for cinema, and the way that the people placing those adverts can tell is because I'm sat in a cinema watching it. One of the benefits of watching DVDs is not having to sit through thirty minutes of shite before the film starts, and that's even more annoying when a large part of that shite is given over to wagging a finger at the people who precisely don't need to have fingers wagged at them. Sums up the attitude, doesn't it. 
Nicholas -- Contact and PGP key here From lists at internetpolicyagency.com Tue Feb 21 15:47:56 2012 From: lists at internetpolicyagency.com (Roland Perry) Date: Tue, 21 Feb 2012 15:47:56 +0000 Subject: Unsecured wifi might be contributory negligence In-Reply-To: <51B1540B-F391-4153-A260-97946374353D@batten.eu.org> References: <4F3E785C.2090700@ernest.net> <4F3E9300.5020108@ernest.net> <4B7B78858F71470ABDEFB94E96DB5925@MaryPC> <4F3FA4BA.6020201@ernest.net> <+kC2rhukomQPFATb@perry.co.uk> <51B1540B-F391-4153-A260-97946374353D@batten.eu.org> Message-ID: <0ygUOhDsy7QPFACL@perry.co.uk> In article <51B1540B-F391-4153-A260-97946374353D at batten.eu.org>, Ian Batten writes >Is it just me, or is the fact that you can't now go to the cinema >without an endless succession of hectoring adverts about piracy really >annoying? The normal ads (especially the interminable trailers for films they haven't even released yet, and I would never go to see) are enough to put me off. Maybe they should provide free wifi so I can read my email while I'm waiting ;) -- Roland Perry From lists at internetpolicyagency.com Tue Feb 21 16:00:56 2012 From: lists at internetpolicyagency.com (Roland Perry) Date: Tue, 21 Feb 2012 16:00:56 +0000 Subject: Unsecured wifi might be contributory negligence In-Reply-To: References: <4F3E785C.2090700@ernest.net> <4F3E9300.5020108@ernest.net> <4B7B78858F71470ABDEFB94E96DB5925@MaryPC> <4F3FA4BA.6020201@ernest.net> <+kC2rhukomQPFATb@perry.co.uk> Message-ID: In article , Igor Mozolevsky writes >> It's not havoc, but risk, and is passed on to subsequent inhabitants. > >Firstly, that only goes to support the point that I was making---your >liability is limited to yourself and a clearly identifiable *small* >class of people, not the world of home owners (or in our case Internet >users) at large. 
Secondly, I would presume, the earlier inhabitants >still have the "it wasn't my 'handiwork' that was defective" >defence---the thing you are suggesting is eliminated for households >wrt "unsecured" wifi routers. The analogy is about laws being passed to make domestic technology installations meet some minimum standard. >>> Are you not ending up in a situation where the householders are far >>> worse off than public wifi providers in this scenario? >> >> That's why discussion of liability of intermediaries is so important. >> >> It normally excludes the issue of "involuntary intermediaries" though. > >I don't see what point you are trying to make: are you saying that >public wifi providers ought to be afforded greater protection at law >than the households, The laws which give "commercial" intermediaries a degree of protection are there precisely to promote the commercial availability of access, because no suppliers would be able to take the risk of being in that business otherwise. >> And aren't you arguing that someone who apparently "needs" to run an open >> domestic wifi point could be a casualty? > >Absolutely, but not just those who "need" to do so, but innocent, yet >not sufficiently technically competent to do something about it, as >well. Let me give you a practical illustration here: I have put your >suggestion to someone whom I consider to be "a reasonable person" and >initially that person was entirely agreeing with your suggestion, but >only up to the point when I asked whether that person considered >themselves to be sufficiently competent to avoid liability if such law >was passed. Would that reasonable person deny the CORGI gas installer scheme, or the need for CE marks on some equipment, on the grounds they might not be able to pass the qualification or test the apparatus themselves? What's needed here is public awareness that certain standards need to be met, then you can find the equipment (and if necessary installers) to meet that standard. 
>>> Proportionate to what---the alleged infringement, householder's >>> income, some other yardstick? >> >> I don't think anyone has decided yet. > >I can't take this any further than this then... I'm trying to look into a 'safer' future. >>> How are you going to prove that a bad thing has happened? >> >> That's relatively easy. Seeing spam emanating, or a copyright work being >> shared, or harassment taking place. > >Let's think about the situation in these scenarios. With spammers, you >would have some affiliation between the spammer and the contents of >the messages, some form of payments, and I would hazard a guess >templates of those messages would be stored somewhere "handy". That's a very naive view of what Spam is and what it contains. If it was that easily traceable, people would have stopped most of it by now. > In the case of harassment, there is some form of relationship between >the harasser and the harassee, or in case of a stalker, one would >expect to find some other evidence (e. g. a huge collection of photos). Once you've found them, but if they are using a neighbour's open wifi, that could be almost impossible. >Dealing with a large scale copyright infringement (sufficiently large >to bring that within the ambit of a criminal offence) you would have >other corroborating evidence and, more significantly, payments made to >the person distributing the works, which is what seems to attract the >FBI attention. Again, very naive view of what's happening with (eg) pirated movies. Most of the people distributing them on P2P are not requiring payment. >The problem seems to arise (and this appears to be the case in the >original article that you have pointed to, or at least that is the >inference I am making from abstracts of the court filing quoted >therein) when the IP rights holders (or their agents) use torrent >tracking to identify those who they think are "sharing" and have >diddly-squat by way of corroborative evidence. 
In the first MediaCAT >judgment [1], there was an explicit point being made by the judge >about the fact that mere "IP address" evidence is quite simply >untested and the judge did not appear to want to test it there and >then. What you seem to be suggesting is that such evidence (even >though produced by an interested party without any corroboration) is >sufficient for civil/criminal liability. Are you seriously saying that >you are happy with that situation? I'm not at all happy with the way some previous investigations have been bodged. That's why better traceability would significantly increase the probability that the IP address could be linked to the infringers. -- Roland Perry From nbohm at ernest.net Tue Feb 21 16:06:47 2012 From: nbohm at ernest.net (Nicholas Bohm) Date: Tue, 21 Feb 2012 16:06:47 +0000 Subject: Unsecured wifi might be contributory negligence In-Reply-To: <0ygUOhDsy7QPFACL@perry.co.uk> References: <4F3E9300.5020108@ernest.net> <4B7B78858F71470ABDEFB94E96DB5925@MaryPC> <4F3FA4BA.6020201@ernest.net> <+kC2rhukomQPFATb@perry.co.uk> <51B1540B-F391-4153-A260-97946374353D@batten.eu.org> <0ygUOhDsy7QPFACL@perry.co.uk> Message-ID: <4F43C117.5090907@ernest.net> On 21/02/2012 15:47, Roland Perry wrote: > In article <51B1540B-F391-4153-A260-97946374353D at batten.eu.org>, Ian > Batten writes >> Is it just me, or is the fact that you can't now go to the cinema >> without an endless succession of hectoring adverts about piracy really >> annoying? > > The normal ads (especially the interminable trailers for films they > haven't even released yet, and I would never go to see) are enough to > put me off. > > Maybe they should provide free wifi so I can read my email while I'm > waiting ;) And download the films in the trailers from filesharing websites so the cinema gets the blame. Good plan. 
Nicholas -- Contact and PGP key here From lists at internetpolicyagency.com Tue Feb 21 16:26:30 2012 From: lists at internetpolicyagency.com (Roland Perry) Date: Tue, 21 Feb 2012 16:26:30 +0000 Subject: Unsecured wifi might be contributory negligence In-Reply-To: <4F43C117.5090907@ernest.net> References: <4F3E9300.5020108@ernest.net> <4B7B78858F71470ABDEFB94E96DB5925@MaryPC> <4F3FA4BA.6020201@ernest.net> <+kC2rhukomQPFATb@perry.co.uk> <51B1540B-F391-4153-A260-97946374353D@batten.eu.org> <0ygUOhDsy7QPFACL@perry.co.uk> <4F43C117.5090907@ernest.net> Message-ID: <2XGEn4J2W8QPFAx6@perry.co.uk> In article <4F43C117.5090907 at ernest.net>, Nicholas Bohm writes >> The normal ads (especially the interminable trailers for films they >> haven't even released yet, and I would never go to see) are enough to >> put me off. >> >> Maybe they should provide free wifi so I can read my email while I'm >> waiting ;) > >And download the films in the trailers from filesharing websites so the >cinema gets the blame. Good plan. You read my mind, apart from the fact that the trailers always seem to be yet-to-be-released movies... -- Roland Perry From nbohm at ernest.net Tue Feb 21 16:34:25 2012 From: nbohm at ernest.net (Nicholas Bohm) Date: Tue, 21 Feb 2012 16:34:25 +0000 Subject: Unsecured wifi might be contributory negligence In-Reply-To: <2XGEn4J2W8QPFAx6@perry.co.uk> References: <4B7B78858F71470ABDEFB94E96DB5925@MaryPC> <4F3FA4BA.6020201@ernest.net> <+kC2rhukomQPFATb@perry.co.uk> <51B1540B-F391-4153-A260-97946374353D@batten.eu.org> <0ygUOhDsy7QPFACL@perry.co.uk> <4F43C117.5090907@ernest.net> <2XGEn4J2W8QPFAx6@perry.co.uk> Message-ID: <4F43C791.1090905@ernest.net> On 21/02/2012 16:26, Roland Perry wrote: > In article <4F43C117.5090907 at ernest.net>, Nicholas Bohm > writes >>> The normal ads (especially the interminable trailers for films they >>> haven't even released yet, and I would never go to see) are enough to >>> put me off. 
>>> >>> Maybe they should provide free wifi so I can read my email while I'm >>> waiting ;) >> >> And download the films in the trailers from filesharing websites so the >> cinema gets the blame. Good plan. > > You read my mind, apart from the fact that the trailers always seem to > be yet-to-be-released movies... I know you enjoy a challenge. Nicholas -- Contact and PGP key here From bdm at fenrir.org.uk Tue Feb 21 16:36:01 2012 From: bdm at fenrir.org.uk (Brian Morrison) Date: Tue, 21 Feb 2012 16:36:01 +0000 Subject: Unsecured wifi might be contributory negligence In-Reply-To: <2XGEn4J2W8QPFAx6@perry.co.uk> References: <4B7B78858F71470ABDEFB94E96DB5925@MaryPC> <4F3FA4BA.6020201@ernest.net> <+kC2rhukomQPFATb@perry.co.uk> <51B1540B-F391-4153-A260-97946374353D@batten.eu.org> <0ygUOhDsy7QPFACL@perry.co.uk> <4F43C117.5090907@ernest.net> <2XGEn4J2W8QPFAx6@perry.co.uk> Message-ID: <20120221163601.00004bdf@surtees.fenrir.org.uk> On Tue, 21 Feb 2012 16:26:30 +0000 Roland Perry wrote: > You read my mind, apart from the fact that the trailers always seem > to be yet-to-be-released movies... Some of those have escaped into the wild before their official release in the past. -- Brian Morrison From dfawcus+lists-ukcrypto at employees.org Tue Feb 21 17:12:52 2012 From: dfawcus+lists-ukcrypto at employees.org (Derek Fawcus) Date: Tue, 21 Feb 2012 09:12:52 -0800 Subject: Unsecured wifi might be contributory negligence In-Reply-To: References: <+kC2rhukomQPFATb@perry.co.uk> Message-ID: <20120221171252.GA88839@banjo.employees.org> On Tue, Feb 21, 2012 at 04:00:56PM +0000, Roland Perry wrote: > > Would that reasonable person deny the CORGI gas installer scheme, or the > need for CE marks on some equipment, on the grounds they might not be > able to pass the qualification or test the apparatus themselves? What's > needed here is public awareness that certain standards need to be met, > then you can find the equipment (and if necessary installers) to meet > that standard. 
I'd suggest there is a significant difference. wrt CORGI, there is a risk of death; and widespread damage for poor installations. As to CE marks - as I recall they're a joke, being a self certification scheme. So the comparison to a situation where copyright infringement is the risk is not really valid. From igb at batten.eu.org Tue Feb 21 19:32:49 2012 From: igb at batten.eu.org (Ian Batten) Date: Tue, 21 Feb 2012 19:32:49 +0000 Subject: Unsecured wifi might be contributory negligence In-Reply-To: <4F43C791.1090905@ernest.net> References: <4B7B78858F71470ABDEFB94E96DB5925@MaryPC> <4F3FA4BA.6020201@ernest.net> <+kC2rhukomQPFATb@perry.co.uk> <51B1540B-F391-4153-A260-97946374353D@batten.eu.org> <0ygUOhDsy7QPFACL@perry.co.uk> <4F43C117.5090907@ernest.net> <2XGEn4J2W8QPFAx6@perry.co.uk> <4F43C791.1090905@ernest.net> Message-ID: On 21 Feb 2012, at 16:34, Nicholas Bohm wrote: >> >> You read my mind, apart from the fact that the trailers always seem to >> be yet-to-be-released movies... > > I know you enjoy a challenge. Well, until "day and date" releases become commonplace, most films are released in different territories at different times and rarely is the UK the first. As cinemas become digital that's going to become less of an issue, of course, but one of the things that drives TV and Film "piracy" is people who want to see things before all the spoilers get everywhere. Different dates in different territories (and the nonsense of DVD region encoding, which comes from the same motivation) drive piracy. 
ian From lists at internetpolicyagency.com Tue Feb 21 21:29:31 2012 From: lists at internetpolicyagency.com (Roland Perry) Date: Tue, 21 Feb 2012 21:29:31 +0000 Subject: Unsecured wifi might be contributory negligence In-Reply-To: <20120221171252.GA88839@banjo.employees.org> References: <+kC2rhukomQPFATb@perry.co.uk> <20120221171252.GA88839@banjo.employees.org> Message-ID: In article <20120221171252.GA88839 at banjo.employees.org>, Derek Fawcus writes >> Would that reasonable person deny the CORGI gas installer scheme, or the >> need for CE marks on some equipment, on the grounds they might not be >> able to pass the qualification or test the apparatus themselves? What's >> needed here is public awareness that certain standards need to be met, >> then you can find the equipment (and if necessary installers) to meet >> that standard. > >I'd suggests there is a significant difference. > >wrt CORGI, there is a risk of death; and widespread damage for poor installations. > >As to CE marks - as I recall they're a joke, being a self certification scheme. > >So the comparision to a situation where copyright infringment is the risk >is not really valid. But I'm not comparing CORGI/CE and copyright piracy, just drawing an analogy that sometimes there are laws which affect the quality of domestic installations. Remember - this was about saying you shouldn't install a router without simple encryption, which is probably more basic even than CE marks. -- Roland Perry From Ian.Johnson at uwe.ac.uk Tue Feb 21 22:55:28 2012 From: Ian.Johnson at uwe.ac.uk (Ian Johnson) Date: Tue, 21 Feb 2012 22:55:28 -0000 Subject: Unsecured wifi might be contributory negligence In-Reply-To: References: <+kC2rhukomQPFATb@perry.co.uk> <20120221171252.GA88839@banjo.employees.org> Message-ID: <5CD785FB9D8049C581C00CBAA213D8AC@pingu> I've deliberately stayed out of this conversation because it felt like an "angels on a pinhead" argument. I deliberately choose to run an open wifi network (actually 2). 
Why? I want to make life easy for visitors, particularly my children's friends. My wifi network lets you access my mono laser, the internet, and ssh to the firewall m/c. I can't see any risk to *me* in that. Yes, if someone did something dodgy on my network I may end up with some interesting conversations, but I can't see how I have any liability under UK law for what others do using my connection, nor can I see any reason why I should. When I say "interesting conversations" I've been through the same previously as a director of a motor trade company where the registered keeper of a vehicle that had been caught speeding claimed it had been sold to my company. The safety camera partnership were rude and very persistent and it eventually went to court. This cost them quite a lot of money :) If they'd behaved reasonably I would have resolved the problem for them [1] It appears to me that this is just yet another boat being floated to make life easier for rights holders. If anything (going on past practice, e.g. unfair contracts act, consumer credit act), the law should be biased (if at all) in consumers' interests. The problem appears to be the difficulty rights-holders have in identifying infringers, so they would prefer to target others. Ian [1] The company I was involved with sold vehicles to traders. My guess is that given the index mark of the vehicle she had bought (and which she had p/x'ed the vehicle in question for) I could have identified the firm from our records. When people fail the attitude test I don't feel any need to be helpful :) 
http://www.eset.com From igb at batten.eu.org Wed Feb 22 11:37:55 2012 From: igb at batten.eu.org (Ian Batten) Date: Wed, 22 Feb 2012 11:37:55 +0000 Subject: Insider attacks on PIN generation Message-ID: I have a memory of being told of an insider attack at a bank where programmers managed to force the system to issue PINs drawn from a very small set, so that with a stolen card they had a better than 50% chance of guessing the correct PIN within three attempts. But I can't find it in the literature. Anyone find it rings a bell? ian From mozolevsky at gmail.com Wed Feb 22 11:41:43 2012 From: mozolevsky at gmail.com (Igor Mozolevsky) Date: Wed, 22 Feb 2012 11:41:43 +0000 Subject: Insider attacks on PIN generation In-Reply-To: References: Message-ID: On 22 February 2012 11:37, Ian Batten wrote: > I have a memory of being told of an insider attack at a bank where > programmers managed to force the system to issue PINs drawn > from a very small set, so that with a stolen card they had a better > than 50% chance of guessing the correct PIN within three attempts. > But I can't find it in the literature. ?Anyone find it rings a bell? http://www.arx.com/files/Documents/The_Unbearable_Lightness_of_PIN_Cracking.pdf ? Cheers, -- Igor M. From nbohm at ernest.net Wed Feb 22 12:09:01 2012 From: nbohm at ernest.net (Nicholas Bohm) Date: Wed, 22 Feb 2012 12:09:01 +0000 Subject: Unsecured wifi might be contributory negligence In-Reply-To: References: <+kC2rhukomQPFATb@perry.co.uk> <20120221171252.GA88839@banjo.employees.org> Message-ID: <4F44DADD.1080806@ernest.net> On 21/02/2012 21:29, Roland Perry wrote: > In article <20120221171252.GA88839 at banjo.employees.org>, Derek Fawcus > writes >>> Would that reasonable person deny the CORGI gas installer scheme, or >>> the >>> need for CE marks on some equipment, on the grounds they might not be >>> able to pass the qualification or test the apparatus themselves? 
>>> What's >>> needed here is public awareness that certain standards need to be met, >>> then you can find the equipment (and if necessary installers) to meet >>> that standard. >> >> I'd suggest there is a significant difference. >> >> wrt CORGI, there is a risk of death; and widespread damage for poor >> installations. >> >> As to CE marks - as I recall they're a joke, being a self >> certification scheme. >> >> So the comparison to a situation where copyright infringement is the >> risk >> is not really valid. > > But I'm not comparing CORGI/CE and copyright piracy, just drawing an > analogy that sometimes there are laws which affect the quality of > domestic installations. Remember - this was about saying you shouldn't > install a router without simple encryption, which is probably more > basic even than CE marks. Laws "which affect the quality of domestic installations", and hinder people from doing whatever they prefer, require justification. The safety of the non-expert occupiers (and their successors) is generally thought to justify CORGI et al. It ought to require much better evidence than we have of damage by copyright infringement to the public welfare to justify either imposing anomalous "liability for things" on their owners or hindering them in installing open routers. Or that's my take, anyway. Nicholas -- Contact and PGP key here From mikie.simpson at gmail.com Wed Feb 22 16:14:42 2012 From: mikie.simpson at gmail.com (Michael Simpson) Date: Wed, 22 Feb 2012 16:14:42 +0000 Subject: Insider attacks on PIN generation In-Reply-To: References: Message-ID: On Wednesday, February 22, 2012, Ian Batten wrote: > I have a memory of being told of an insider attack at a bank where > programmers managed to force the system to issue PINs drawn from a very > small set, so that with a stolen card they had a better than 50% chance of > guessing the correct PIN within three attempts. But I can't find it in > the literature. Anyone find it rings a bell?
> > ian I'm pretty certain that (initially) bank insiders didn't have any limit to the number of times they could try a pin number, as there was no lock-out for them, allowing them to try the usual combinations. Mike From lists at internetpolicyagency.com Wed Feb 22 18:33:14 2012 From: lists at internetpolicyagency.com (Roland Perry) Date: Wed, 22 Feb 2012 18:33:14 +0000 Subject: Unsecured wifi might be contributory negligence In-Reply-To: <4F44DADD.1080806@ernest.net> References: <+kC2rhukomQPFATb@perry.co.uk> <20120221171252.GA88839@banjo.employees.org> <4F44DADD.1080806@ernest.net> Message-ID: In article <4F44DADD.1080806 at ernest.net>, Nicholas Bohm writes >It ought to require much better evidence than we have of damage by >copyright infringement It's not just about copyright infringement (even if the trigger for this exploratory case in the USA is). -- Roland Perry From lists at internetpolicyagency.com Wed Feb 22 18:44:44 2012 From: lists at internetpolicyagency.com (Roland Perry) Date: Wed, 22 Feb 2012 18:44:44 +0000 Subject: Unsecured wifi might be contributory negligence In-Reply-To: <5CD785FB9D8049C581C00CBAA213D8AC@pingu> References: <+kC2rhukomQPFATb@perry.co.uk> <20120221171252.GA88839@banjo.employees.org> <5CD785FB9D8049C581C00CBAA213D8AC@pingu> Message-ID: In article <5CD785FB9D8049C581C00CBAA213D8AC at pingu>, Ian Johnson writes >I deliberately choose to run an open wifi network (actually 2). >Why? I want to make life easy for visitors, particularly my >children's friends. My wifi network lets you access my mono >laser, the internet, and ssh to the firewall m/c. I can't >see any risk to *me* in that. Traditionally you run the risk of getting blocked if your network is hijacked by a spammer.
>I can't see how I have any liability under UK law for what others do >using my connection, Currently, probably not a lot if "it's a civil matter sir", but I don't see why a clever lawyer couldn't arrange something if it was consciously aiding and abetting a criminal offence. It's the unconscious stuff where the Americans are flying a kite on contributory negligence. >nor can I see any reason why I should. One of this year's hot topics is exactly what the long term position should be. >The problem appears to be the difficulty rights-holders have in >identifying infringers, so they would prefer to target others. If the infringers had to log into your network, they'd be easier to identify. But as I've said countless times, this isn't just about intellectual property theft. -- Roland Perry From Ian.Johnson at uwe.ac.uk Thu Feb 23 08:53:46 2012 From: Ian.Johnson at uwe.ac.uk (Ian Johnson) Date: Thu, 23 Feb 2012 08:53:46 -0000 Subject: Unsecured wifi might be contributory negligence In-Reply-To: References: <+kC2rhukomQPFATb@perry.co.uk> <20120221171252.GA88839@banjo.employees.org> <5CD785FB9D8049C581C00CBAA213D8AC@pingu> Message-ID: >On Behalf Of Roland Perry > Sent: 22 February 2012 18:45 > > Traditionally you run the risk of getting blocked if your network is > hijacked by a spammer. Wireless users can't contact my MTA, and would need to login to my ISP's. No issues. > > >I can't see how I have any liability under UK law for what others do > >using my connection, > > Currently, probably not a lot if "it's a civil matter sir", > but I don't > see why a clever lawyer couldn't arrange something if it was > consciously > aiding and abetting a criminal offence. It's the unconscious > stuff where > the Americans are flying a kite on contributory negligence. I would have thought that any aiding & abetting would require mens rea and a specific act. > If the infringers had to log into your network, they'd be easier to > identify. 
But as I've said countless times, this isn't just about > intellectual property theft. That's assuming I was legally compelled to surrender the logs. I cannot see any reason why I should care who is using my network unless it affects my contractual relationship with my ISP. Ian From lists at internetpolicyagency.com Thu Feb 23 09:27:11 2012 From: lists at internetpolicyagency.com (Roland Perry) Date: Thu, 23 Feb 2012 09:27:11 +0000 Subject: Unsecured wifi might be contributory negligence In-Reply-To: References: <+kC2rhukomQPFATb@perry.co.uk> <20120221171252.GA88839@banjo.employees.org> <5CD785FB9D8049C581C00CBAA213D8AC@pingu> Message-ID: <2UB0XF1vZgRPFAZP@perry.co.uk> In article , Ian Johnson writes >> Traditionally you run the risk of getting blocked if your network is >> hijacked by a spammer. > >Wireless users can't contact my MTA, and would need to login to my >ISP's. No issues. Many spammers will have their own MTA (it's faster than using someone else's anyway), or back in the day use an open relay. I've got an MTA on my Windows laptop (which is part of my road warrior kit). >> >I can't see how I have any liability under UK law for what others do >> >using my connection, >> >> Currently, probably not a lot if "it's a civil matter sir", but I >>don't see why a clever lawyer couldn't arrange something if it was >>consciously aiding and abetting a criminal offence. It's the >>unconscious stuff where the Americans are flying a kite on >>contributory negligence. > >I would have thought that any aiding & abetting would require >mens rea and a specific act. Yes, but you didn't say that it was only what others did (on your connection) *without* your knowledge. >> If the infringers had to log into your network, they'd be easier to >> identify.
But as I've said countless times, this isn't just about >> intellectual property theft. > >That's assuming I was legally compelled to surrender the logs. I >cannot see any reason why I should care who is using my network >unless it affects my contractual relationship with my ISP. cf being forced to surrender encryption keys, when you as a carrier have added encryption to a connection. -- Roland Perry From igb at batten.eu.org Thu Feb 23 10:45:58 2012 From: igb at batten.eu.org (Ian Batten) Date: Thu, 23 Feb 2012 10:45:58 +0000 Subject: Unsecured wifi might be contributory negligence In-Reply-To: <2UB0XF1vZgRPFAZP@perry.co.uk> References: <+kC2rhukomQPFATb@perry.co.uk> <20120221171252.GA88839@banjo.employees.org> <5CD785FB9D8049C581C00CBAA213D8AC@pingu> <2UB0XF1vZgRPFAZP@perry.co.uk> Message-ID: On 23 Feb 2012, at 09:27, Roland Perry wrote: > In article , Ian Johnson writes >>> Traditionally you run the risk of getting blocked if your network is >>> hijacked by a spammer. >> >> Wireless users can't contact my MTA, and would need to login to my >> ISP's. No issues. > > Many spammers will have their own MTA (it's faster than using someone else's anyway), or back in the day use an open relay. I've got an MTA on my Windows laptop (which is part of my road warrior kit). But a lot of ISPs block port 25 (and sometimes even 587) to and from anything other than their MTAs. It's a common complaint for customers who want to (for whatever reason) use their own MTA. I think that, aside from a few hold-outs, that's generally now held to be good practice. >> That's assuming I was legally compelled to surrender the logs. Logs? In a domestic setting?
ian From Ian.Johnson at uwe.ac.uk Thu Feb 23 12:19:56 2012 From: Ian.Johnson at uwe.ac.uk (Ian Johnson) Date: Thu, 23 Feb 2012 12:19:56 -0000 Subject: Unsecured wifi might be contributory negligence In-Reply-To: References: <+kC2rhukomQPFATb@perry.co.uk> <20120221171252.GA88839@banjo.employees.org> <5CD785FB9D8049C581C00CBAA213D8AC@pingu> <2UB0XF1vZgRPFAZP@perry.co.uk> Message-ID: <1FF6399639564D458DC09CB4CCAEA3FD@pingu> > -----Original Message----- > From: ukcrypto-bounces at chiark.greenend.org.uk > [mailto:ukcrypto-bounces at chiark.greenend.org.uk] On Behalf Of > Ian Batten > > >> That's assuming I was legally compelled to surrender the logs. > > Logs? In a domestic setting? > Roland raised the issue that people could be identified if they "logged on to the network". My response was that that would only be of benefit to a 3rd party if they could compel me to release them. Obviously in such a situation you'd also need to be compelled to retain them! Ian From igb at batten.eu.org Thu Feb 23 15:57:49 2012 From: igb at batten.eu.org (Ian Batten) Date: Thu, 23 Feb 2012 15:57:49 +0000 Subject: Unsecured wifi might be contributory negligence In-Reply-To: <1FF6399639564D458DC09CB4CCAEA3FD@pingu> References: <+kC2rhukomQPFATb@perry.co.uk> <20120221171252.GA88839@banjo.employees.org> <5CD785FB9D8049C581C00CBAA213D8AC@pingu> <2UB0XF1vZgRPFAZP@perry.co.uk> <1FF6399639564D458DC09CB4CCAEA3FD@pingu> Message-ID: <8EA7ED0D-A4F2-4A6A-8B0D-4D6DB4BEFBB3@batten.eu.org> On 23 Feb 2012, at 12:19, Ian Johnson wrote: > > >> -----Original Message----- >> From: ukcrypto-bounces at chiark.greenend.org.uk >> [mailto:ukcrypto-bounces at chiark.greenend.org.uk] On Behalf Of >> Ian Batten >> >>>> That's assuming I was legally compelled to surrender the logs. >> >> Logs? In a domestic setting? >> > > Roland raised the issue that people could be identified if they "logged > on to the network". 
My response was that that would only be of benefit > to a 3rd party if they could compel me to release them. Obviously > in such a situation you'd also need to be compelled to retain them! I think we can safely say that legislation that forces end users to keep evidential logs of activity on their private networks is (a) unlikely (b) unenforceable and (c) unimplementable. ian From lists at internetpolicyagency.com Fri Feb 24 13:51:20 2012 From: lists at internetpolicyagency.com (Roland Perry) Date: Fri, 24 Feb 2012 13:51:20 +0000 Subject: Unsecured wifi might be contributory negligence In-Reply-To: References: <+kC2rhukomQPFATb@perry.co.uk> <20120221171252.GA88839@banjo.employees.org> <5CD785FB9D8049C581C00CBAA213D8AC@pingu> <2UB0XF1vZgRPFAZP@perry.co.uk> Message-ID: In article , Ian Batten writes >>> Wireless users can't contact my MTA, and would need to login to my >>> ISP's. No issues. >> >> Many spammers will have their own MTA (it's faster than using someone >>else's anyway), or back in the day use an open relay. I've got an MTA >>on my Windows laptop (which is part of my road warrior kit). > >But a lot of ISPs block port 25 (and sometimes even 587) to and from >anything other than their MTAs. It's a common complaint for customers >who want to (for whatever reason) use their own MTA. I think that, >aside from a few hold-outs, that's generally now held to be good practice. Blocking (or transparent proxying) is very common for Port 25, but I've yet to encounter one that blocks Port 587 (not even the various Mobile Broadband offerings). I'm posting this from a colleague's BT Broadband, using Port 587, to a non-BT MTA, no problems.
-- Roland Perry From lists at internetpolicyagency.com Fri Feb 24 13:52:59 2012 From: lists at internetpolicyagency.com (Roland Perry) Date: Fri, 24 Feb 2012 13:52:59 +0000 Subject: Unsecured wifi might be contributory negligence In-Reply-To: <8EA7ED0D-A4F2-4A6A-8B0D-4D6DB4BEFBB3@batten.eu.org> References: <+kC2rhukomQPFATb@perry.co.uk> <20120221171252.GA88839@banjo.employees.org> <5CD785FB9D8049C581C00CBAA213D8AC@pingu> <2UB0XF1vZgRPFAZP@perry.co.uk> <1FF6399639564D458DC09CB4CCAEA3FD@pingu> <8EA7ED0D-A4F2-4A6A-8B0D-4D6DB4BEFBB3@batten.eu.org> Message-ID: In article <8EA7ED0D-A4F2-4A6A-8B0D-4D6DB4BEFBB3 at batten.eu.org>, Ian Batten writes >I think we can safely say that legislation that forces end users to >keep evidential logs of activity on their private networks is >(a) unlikely (b) unenforceable and (c) unimplementable. The way you persuade people to do it, is a presumption that the subscriber was the offender, in the absence of logs. Whether it'll never happen - who knows. The Internet is in its infancy. -- Roland Perry From nbohm at ernest.net Fri Feb 24 14:16:06 2012 From: nbohm at ernest.net (Nicholas Bohm) Date: Fri, 24 Feb 2012 14:16:06 +0000 Subject: Unsecured wifi might be contributory negligence In-Reply-To: References: <+kC2rhukomQPFATb@perry.co.uk> <20120221171252.GA88839@banjo.employees.org> <5CD785FB9D8049C581C00CBAA213D8AC@pingu> <2UB0XF1vZgRPFAZP@perry.co.uk> Message-ID: <4F479BA6.8080503@ernest.net> On 24/02/2012 13:51, Roland Perry wrote: > In article , Ian > Batten writes >>>> Wireless users can't contact my MTA, and would need to login to my >>>> ISP's. No issues. >>> >>> Many spammers will have their own MTA (it's faster than using someone >>> else's anyway), or back in the day use an open relay. I've got an MTA >>> on my Windows laptop (which is part of my road warrior kit). >> >> But a lot of ISPs block port 25 (and sometimes even 587) to and from >> anything other than their MTAs.
It's a common complaint for customers >> who want to (for whatever reason) use their own MTA. I think that, >> aside from a few hold-outs, that's generally now held to be good >> practice. > > Blocking (or transparent proxying) is very common for Port 25, but > I've yet to encounter one that blocks Port 587 (not even the various > Mobile Broadband offerings). > > I'm posting this from a colleague's BT Broadband, using > Port 587, to a non-BT MTA, no problems. My PC crashed (BSOD), I restarted, Thunderbird wouldn't send mail, checked account settings and it was trying to send using port 587, changed this to port 25 and it worked fine. (How the average user is supposed to cope with this sort of thing I can't imagine.) Nicholas -- Contact and PGP key here From igb at batten.eu.org Fri Feb 24 15:34:52 2012 From: igb at batten.eu.org (Ian Batten) Date: Fri, 24 Feb 2012 15:34:52 +0000 Subject: Unsecured wifi might be contributory negligence In-Reply-To: References: <+kC2rhukomQPFATb@perry.co.uk> <20120221171252.GA88839@banjo.employees.org> <5CD785FB9D8049C581C00CBAA213D8AC@pingu> <2UB0XF1vZgRPFAZP@perry.co.uk> <1FF6399639564D458DC09CB4CCAEA3FD@pingu> <8EA7ED0D-A4F2-4A6A-8B0D-4D6DB4BEFBB3@batten.eu.org> Message-ID: <41F07218-8A11-4AE4-A8FB-B8A16C4F858E@batten.eu.org> On 24 Feb 2012, at 13:52, Roland Perry wrote: > In article <8EA7ED0D-A4F2-4A6A-8B0D-4D6DB4BEFBB3 at batten.eu.org>, Ian Batten writes >> I think we can safely say that legislation that forces end users to >> keep evidential logs of activity on their private networks is >> (a) unlikely (b) unenforceable and (c) unimplementable. > > The way you persuade people to do it, is a presumption that the subscriber was the offender, in the absence of logs. Whether it'll never happen - who knows. The Internet is in its infancy. That places a burden on the end user which is completely unacceptable. For a start off, the logs would have to be tamper-proof in some way, and contain "truth". 
Who would appear in court to attest to the accuracy of the logs? ian From nbohm at ernest.net Fri Feb 24 15:48:13 2012 From: nbohm at ernest.net (Nicholas Bohm) Date: Fri, 24 Feb 2012 15:48:13 +0000 Subject: Unsecured wifi might be contributory negligence In-Reply-To: <41F07218-8A11-4AE4-A8FB-B8A16C4F858E@batten.eu.org> References: <+kC2rhukomQPFATb@perry.co.uk> <20120221171252.GA88839@banjo.employees.org> <5CD785FB9D8049C581C00CBAA213D8AC@pingu> <2UB0XF1vZgRPFAZP@perry.co.uk> <1FF6399639564D458DC09CB4CCAEA3FD@pingu> <8EA7ED0D-A4F2-4A6A-8B0D-4D6DB4BEFBB3@batten.eu.org> <41F07218-8A11-4AE4-A8FB-B8A16C4F858E@batten.eu.org> Message-ID: <4F47B13D.5040401@ernest.net> On 24/02/2012 15:34, Ian Batten wrote: > On 24 Feb 2012, at 13:52, Roland Perry wrote: > >> In article <8EA7ED0D-A4F2-4A6A-8B0D-4D6DB4BEFBB3 at batten.eu.org>, Ian Batten writes >>> I think we can safely say that legislation that forces end users to >>> keep evidential logs of activity on their private networks is >>> (a) unlikely (b) unenforceable and (c) unimplementable. >> The way you persuade people to do it, is a presumption that the subscriber was the offender, in the absence of logs. Whether it'll never happen - who knows. The Internet is in its infancy. > That places a burden on the end user which is completely unacceptable. For a start off, the logs would have to be tamper-proof in some way, and contain "truth". Who would appear in court to attest to the accuracy of the logs? > You can subpoena the user to bring the logs to court (with contempt sanctions for failing). If he won't agree to testify to their truth, you can threaten him with prosecution for failing to keep accurate logs. He might respond by objecting to testifying on the grounds that it might incriminate him (and it would take primary legislation to get round this). Sounds a good game. Roland will love it. 
Nicholas -- Contact and PGP key here From bdm at fenrir.org.uk Fri Feb 24 16:21:27 2012 From: bdm at fenrir.org.uk (Brian Morrison) Date: Fri, 24 Feb 2012 16:21:27 +0000 Subject: Unsecured wifi might be contributory negligence In-Reply-To: <41F07218-8A11-4AE4-A8FB-B8A16C4F858E@batten.eu.org> References: <+kC2rhukomQPFATb@perry.co.uk> <20120221171252.GA88839@banjo.employees.org> <5CD785FB9D8049C581C00CBAA213D8AC@pingu> <2UB0XF1vZgRPFAZP@perry.co.uk> <1FF6399639564D458DC09CB4CCAEA3FD@pingu> <8EA7ED0D-A4F2-4A6A-8B0D-4D6DB4BEFBB3@batten.eu.org> <41F07218-8A11-4AE4-A8FB-B8A16C4F858E@batten.eu.org> Message-ID: <20120224162127.000055f8@surtees.fenrir.org.uk> On Fri, 24 Feb 2012 15:34:52 +0000 Ian Batten wrote: > > On 24 Feb 2012, at 13:52, Roland Perry wrote: > > > In article <8EA7ED0D-A4F2-4A6A-8B0D-4D6DB4BEFBB3 at batten.eu.org>, > > Ian Batten writes > >> I think we can safely say that legislation that forces end users to > >> keep evidential logs of activity on their private networks is > >> (a) unlikely (b) unenforceable and (c) unimplementable. > > > > The way you persuade people to do it, is a presumption that the > > subscriber was the offender, in the absence of logs. Whether it'll > > never happen - who knows. The Internet is in its infancy. > > That places a burden on the end user which is completely > unacceptable. For a start off, the logs would have to be > tamper-proof in some way, and contain "truth". Who would appear in > court to attest to the accuracy of the logs? Well, justice doesn't often seem to believe in establishing truth, it's too busy sending a message pour encourager les autres... 
-- Brian Morrison From igb at batten.eu.org Fri Feb 24 17:20:47 2012 From: igb at batten.eu.org (Ian Batten) Date: Fri, 24 Feb 2012 17:20:47 +0000 Subject: Unsecured wifi might be contributory negligence In-Reply-To: <4F47B13D.5040401@ernest.net> References: <+kC2rhukomQPFATb@perry.co.uk> <20120221171252.GA88839@banjo.employees.org> <5CD785FB9D8049C581C00CBAA213D8AC@pingu> <2UB0XF1vZgRPFAZP@perry.co.uk> <1FF6399639564D458DC09CB4CCAEA3FD@pingu> <8EA7ED0D-A4F2-4A6A-8B0D-4D6DB4BEFBB3@batten.eu.org> <41F07218-8A11-4AE4-A8FB-B8A16C4F858E@batten.eu.org> <4F47B13D.5040401@ernest.net> Message-ID: On 24 Feb 2012, at 15:48, Nicholas Bohm wrote: > On 24/02/2012 15:34, Ian Batten wrote: >> On 24 Feb 2012, at 13:52, Roland Perry wrote: >> >>> In article <8EA7ED0D-A4F2-4A6A-8B0D-4D6DB4BEFBB3 at batten.eu.org>, Ian Batten writes >>>> I think we can safely say that legislation that forces end users to >>>> keep evidential logs of activity on their private networks is >>>> (a) unlikely (b) unenforceable and (c) unimplementable. >>> The way you persuade people to do it, is a presumption that the subscriber was the offender, in the absence of logs. Whether it'll never happen - who knows. The Internet is in its infancy. >> That places a burden on the end user which is completely unacceptable. For a start off, the logs would have to be tamper-proof in some way, and contain "truth". Who would appear in court to attest to the accuracy of the logs? >> > > You can subpoena the user to bring the logs to court (with contempt > sanctions for failing). If he won't agree to testify to their truth, > you can threaten him with prosecution for failing to keep accurate > logs. He might respond by objecting to testifying on the grounds that > it might incriminate him (and it would take primary legislation to get > round this). Surely his solicitor would respond that the accuracy of the logs can only be discussed by an expert witness with the skills to forensically analyse them? 
You can't attest to the accuracy of something you don't understand. The whole thing's absolutely absurd. ian From nbohm at ernest.net Fri Feb 24 17:24:56 2012 From: nbohm at ernest.net (Nicholas Bohm) Date: Fri, 24 Feb 2012 17:24:56 +0000 Subject: Unsecured wifi might be contributory negligence In-Reply-To: References: <+kC2rhukomQPFATb@perry.co.uk> <20120221171252.GA88839@banjo.employees.org> <5CD785FB9D8049C581C00CBAA213D8AC@pingu> <2UB0XF1vZgRPFAZP@perry.co.uk> <1FF6399639564D458DC09CB4CCAEA3FD@pingu> <8EA7ED0D-A4F2-4A6A-8B0D-4D6DB4BEFBB3@batten.eu.org> <41F07218-8A11-4AE4-A8FB-B8A16C4F858E@batten.eu.org> <4F47B13D.5040401@ernest.net> Message-ID: <4F47C7E8.3040709@ernest.net> On 24/02/2012 17:20, Ian Batten wrote: > On 24 Feb 2012, at 15:48, Nicholas Bohm wrote: > >> On 24/02/2012 15:34, Ian Batten wrote: >>> On 24 Feb 2012, at 13:52, Roland Perry wrote: >>> >>>> In article <8EA7ED0D-A4F2-4A6A-8B0D-4D6DB4BEFBB3 at batten.eu.org>, Ian Batten writes >>>>> I think we can safely say that legislation that forces end users to >>>>> keep evidential logs of activity on their private networks is >>>>> (a) unlikely (b) unenforceable and (c) unimplementable. >>>> The way you persuade people to do it, is a presumption that the subscriber was the offender, in the absence of logs. Whether it'll never happen - who knows. The Internet is in its infancy. >>> That places a burden on the end user which is completely unacceptable. For a start off, the logs would have to be tamper-proof in some way, and contain "truth". Who would appear in court to attest to the accuracy of the logs? >>> >> You can subpoena the user to bring the logs to court (with contempt >> sanctions for failing). If he won't agree to testify to their truth, >> you can threaten him with prosecution for failing to keep accurate >> logs. He might respond by objecting to testifying on the grounds that >> it might incriminate him (and it would take primary legislation to get >> round this).
> Surely his solicitor would respond that the accuracy of the logs can only be discussed by an expert witness with the skills to forensically analyse them? You can't attest to the accuracy of something you don't understand. The whole thing's absolutely absurd. Indeed, for your reason as well as mine. Nicholas -- Contact and PGP key here From mozolevsky at gmail.com Fri Feb 24 17:41:37 2012 From: mozolevsky at gmail.com (Igor Mozolevsky) Date: Fri, 24 Feb 2012 17:41:37 +0000 Subject: Unsecured wifi might be contributory negligence In-Reply-To: References: <+kC2rhukomQPFATb@perry.co.uk> <20120221171252.GA88839@banjo.employees.org> <5CD785FB9D8049C581C00CBAA213D8AC@pingu> <2UB0XF1vZgRPFAZP@perry.co.uk> <1FF6399639564D458DC09CB4CCAEA3FD@pingu> <8EA7ED0D-A4F2-4A6A-8B0D-4D6DB4BEFBB3@batten.eu.org> <41F07218-8A11-4AE4-A8FB-B8A16C4F858E@batten.eu.org> <4F47B13D.5040401@ernest.net> Message-ID: On 24 February 2012 17:20, Ian Batten wrote: > Surely his solicitor would respond that the accuracy of the logs can > only be discussed by an expert witness with the skills to forensically > analyse them? You can't attest to the accuracy of something you > don't understand. The whole thing's absolutely absurd. I, too, was thinking that the idea is utterly unworkable---what proportion of the population at large knows that their router a) keeps some form of a log, b) knows how to access those logs, and most importantly c) have the technical knowledge to comply with such legislation if it were enacted? Moreover, if we are talking about the "open" APs, surely the only things that would be logged are MAC addresses of stations that connect to that AP? As no doubt, we all know, the technological skill involved in spoofing those addresses to look like ones actually coming from AP owner's network is next to most basic---all modern OSes even provide a nice native GUI to do so.
So even if there was a legislation forcing those logs to be kept, the value of information in those logs would be next to nothing... Since as we are making absurd propositions, why not just force all routers to use WPA-802.1X and have the state issue a certificate for each station and access point upon homeowner's application?.. This, certainly, would make Internet-banning orders easy to manage---all someone has to do is disable access on the state-run RADIUS box ;-) -- Igor M. From bdm at fenrir.org.uk Fri Feb 24 18:16:04 2012 From: bdm at fenrir.org.uk (Brian Morrison) Date: Fri, 24 Feb 2012 18:16:04 +0000 Subject: Unsecured wifi might be contributory negligence In-Reply-To: References: <+kC2rhukomQPFATb@perry.co.uk> <20120221171252.GA88839@banjo.employees.org> <5CD785FB9D8049C581C00CBAA213D8AC@pingu> <2UB0XF1vZgRPFAZP@perry.co.uk> <1FF6399639564D458DC09CB4CCAEA3FD@pingu> <8EA7ED0D-A4F2-4A6A-8B0D-4D6DB4BEFBB3@batten.eu.org> <41F07218-8A11-4AE4-A8FB-B8A16C4F858E@batten.eu.org> <4F47B13D.5040401@ernest.net> Message-ID: <20120224181604.00000707@surtees.fenrir.org.uk> On Fri, 24 Feb 2012 17:41:37 +0000 Igor Mozolevsky wrote: > Since as we are making absurd propositions, why not just force all > routers to use WPA-802.1X and have the state issue a certificate for > each station and access point upon homeowner's application? Sadly, a lot of the people that wish to make these kind of regulations simply do not understand the absurdity and hence are likely to try to require something similar in future. Blocking their stupidity will waste a lot of intelligent people's time and energy.
-- Brian Morrison From nbohm at ernest.net Fri Feb 24 19:08:19 2012 From: nbohm at ernest.net (Nicholas Bohm) Date: Fri, 24 Feb 2012 19:08:19 +0000 Subject: Unsecured wifi might be contributory negligence In-Reply-To: <20120224181604.00000707@surtees.fenrir.org.uk> References: <+kC2rhukomQPFATb@perry.co.uk> <20120221171252.GA88839@banjo.employees.org> <5CD785FB9D8049C581C00CBAA213D8AC@pingu> <2UB0XF1vZgRPFAZP@perry.co.uk> <1FF6399639564D458DC09CB4CCAEA3FD@pingu> <8EA7ED0D-A4F2-4A6A-8B0D-4D6DB4BEFBB3@batten.eu.org> <41F07218-8A11-4AE4-A8FB-B8A16C4F858E@batten.eu.org> <4F47B13D.5040401@ernest.net> <20120224181604.00000707@surtees.fenrir.org.uk> Message-ID: <4F47E023.1070104@ernest.net> On 24/02/2012 18:16, Brian Morrison wrote: > On Fri, 24 Feb 2012 17:41:37 +0000 > Igor Mozolevsky wrote: > >> Since as we are making absurd propositions, why not just force all >> routers to use WPA-802.1X and have the state issue a certificate for >> each station and access point upon homeowner's application? > Sadly, a lot of the people that wish to make these kind of regulations > simply do not understand the absurdity and hence are likely to try to > require something similar in future. Blocking their stupidity will waste > a lot of intelligent people's time and energy. > Against stupidity the gods themselves contend in vain. (Schiller) Nicholas -- Contact and PGP key here From lists at internetpolicyagency.com Sat Feb 25 09:36:25 2012 From: lists at internetpolicyagency.com (Roland Perry) Date: Sat, 25 Feb 2012 09:36:25 +0000 Subject: Unsecured wifi might be contributory negligence In-Reply-To: <4F479BA6.8080503@ernest.net> References: <+kC2rhukomQPFATb@perry.co.uk> <20120221171252.GA88839@banjo.employees.org> <5CD785FB9D8049C581C00CBAA213D8AC@pingu> <2UB0XF1vZgRPFAZP@perry.co.uk> <4F479BA6.8080503@ernest.net> Message-ID: In article <4F479BA6.8080503 at ernest.net>, Nicholas Bohm writes >(How the average user is >supposed to cope with this sort of thing I can't imagine.) 
They shouldn't have to, but most email clients (including the one I use) have very poor user interfaces and diagnostics in this respect, which make it more complex than it might otherwise be. -- Roland Perry From lists at internetpolicyagency.com Sat Feb 25 09:38:04 2012 From: lists at internetpolicyagency.com (Roland Perry) Date: Sat, 25 Feb 2012 09:38:04 +0000 Subject: Unsecured wifi might be contributory negligence In-Reply-To: <41F07218-8A11-4AE4-A8FB-B8A16C4F858E@batten.eu.org> References: <+kC2rhukomQPFATb@perry.co.uk> <20120221171252.GA88839@banjo.employees.org> <5CD785FB9D8049C581C00CBAA213D8AC@pingu> <2UB0XF1vZgRPFAZP@perry.co.uk> <1FF6399639564D458DC09CB4CCAEA3FD@pingu> <8EA7ED0D-A4F2-4A6A-8B0D-4D6DB4BEFBB3@batten.eu.org> <41F07218-8A11-4AE4-A8FB-B8A16C4F858E@batten.eu.org> Message-ID: In article <41F07218-8A11-4AE4-A8FB-B8A16C4F858E at batten.eu.org>, Ian Batten writes >For a start off, the logs would have to be tamper-proof in some way, >and contain "truth". Who would appear in court to attest to the >accuracy of the logs? At the risk of one-too-many car analogies, the process presumably works well enough when it comes to identifying wayward drivers of pool or hire cars. 
--
Roland Perry

From lists at internetpolicyagency.com Sat Feb 25 10:13:08 2012
From: lists at internetpolicyagency.com (Roland Perry)
Date: Sat, 25 Feb 2012 10:13:08 +0000
Subject: Unsecured wifi might be contributory negligence
In-Reply-To: <20120224181604.00000707@surtees.fenrir.org.uk>
References: <+kC2rhukomQPFATb@perry.co.uk> <20120221171252.GA88839@banjo.employees.org> <5CD785FB9D8049C581C00CBAA213D8AC@pingu> <2UB0XF1vZgRPFAZP@perry.co.uk> <1FF6399639564D458DC09CB4CCAEA3FD@pingu> <8EA7ED0D-A4F2-4A6A-8B0D-4D6DB4BEFBB3@batten.eu.org> <41F07218-8A11-4AE4-A8FB-B8A16C4F858E@batten.eu.org> <4F47B13D.5040401@ernest.net> <20120224181604.00000707@surtees.fenrir.org.uk>
Message-ID: <5K0XAch0QLSPFAQ+@perry.co.uk>

In article <20120224181604.00000707 at surtees.fenrir.org.uk>, Brian Morrison writes
>Sadly, a lot of the people that wish to make these kind of regulations
>simply do not understand the absurdity and hence are likely to try to
>require something similar in future.

I've been working with "people making regulations" (about the Internet) for over a decade now, with the objective often being to make sure they don't legislate for the impossible. There's bound to be a period where the pendulum swings back and forth, and even perhaps the need for a new "London to Brighton protest run". But I don't think it's realistic to expect the status quo to prevail indefinitely.
--
Roland Perry

From theom+news at chiark.greenend.org.uk Sat Feb 25 23:53:18 2012
From: theom+news at chiark.greenend.org.uk (Theo Markettos)
Date: Sat, 25 Feb 2012 23:53:18 +0000
Subject: Insider attacks on PIN generation
In-Reply-To:
Message-ID:

In article you wrote:
> I have a memory of being told of an insider attack at a bank where
> programmers managed to force the system to issue PINs drawn from a very
> small set, so that with a stolen card they had a better than 50% chance of
> guessing the correct PIN within three attempts. But I can't find it in
> the literature. Anyone find it rings a bell?
Ross mentions some cases in Why Cryptosystems Fail, where banks have issued all their customers with the same PINs or from a tiny subset, either unintentionally or maliciously:
http://www.cl.cam.ac.uk/~rja14/wcf.html

Theo

From igb at batten.eu.org Mon Feb 27 07:42:47 2012
From: igb at batten.eu.org (Ian Batten)
Date: Mon, 27 Feb 2012 07:42:47 +0000
Subject: Break-Open One-Shot Password Stores
Message-ID: <62E4045D-9F52-4D90-8F83-7EC6DD9DDCB1@batten.eu.org>

Fictional films of nuclear missile launch processes show passwords and other key material stored in plastic enclosures which are broken in order to obtain the secret. The idea presumably is that you can check that the key material has not been accessed without exposing it. Whether it's true or not, it's a neat way to deal with "break glass" processes for storing the root password to servers, the back-stop copy of your lastpass password for your executor or enduring power of attorney, etc.

Has anyone seen such devices for sale? It wouldn't be hard to do it yourself with a lucite box and some araldite, but it would probably require a tool to break open and it's hard to be sure that the system doesn't have a back door: presumably the "real" items would be very weak in one plane, so they are easy to break and any force applied to attempt to open them otherwise will break that weak point.

ian

From lists at barnfather.net Mon Feb 27 11:00:17 2012
From: lists at barnfather.net (Paul Barnfather)
Date: Mon, 27 Feb 2012 11:00:17 +0000
Subject: Break-Open One-Shot Password Stores
In-Reply-To: <62E4045D-9F52-4D90-8F83-7EC6DD9DDCB1@batten.eu.org>
References: <62E4045D-9F52-4D90-8F83-7EC6DD9DDCB1@batten.eu.org>
Message-ID:

On 27 February 2012 07:42, Ian Batten wrote:
> Has anyone seen such devices for sale?

How about the way banks issue PIN codes for ATM and credit cards? They come in the form of a printed letter with a neat little plastic tear-off tab which makes it very clear if the PIN has been read by someone else.
They seem to be a cheap and effective way of storing and communicating a "read once" password.

I assume they are fairly resistant to casual tampering.

Does anyone know if they are printed with a conventional printer, or do they require specialised hardware to produce?

From mozolevsky at gmail.com Mon Feb 27 12:10:18 2012
From: mozolevsky at gmail.com (Igor Mozolevsky)
Date: Mon, 27 Feb 2012 12:10:18 +0000
Subject: Break-Open One-Shot Password Stores
In-Reply-To:
References: <62E4045D-9F52-4D90-8F83-7EC6DD9DDCB1@batten.eu.org>
Message-ID:

On 27 February 2012 11:00, Paul Barnfather wrote:
> How about the way banks issue PIN codes for ATM and credit cards? They
> come in the form of a printed letter with a neat little plastic
> tear-off tab which makes it very clear if the PIN has been read by
> someone else.
> They seem to be a cheap and effective way of storing and communicating
> a "read once" password.
>
> I assume they are fairly resistant to casual tampering.
>
> Does anyone know if they are printed with a conventional printer, or
> do they require specialised hardware to produce?

I would hazard a guess that you can "engineer" the same effect with carbon paper and a dot-matrix printer (with its ribbon removed), so long as you don't have needle impressions on the outer layer of the paper (so you'd probably need to add a layer of paper for padding).

--
Igor M.

From zenadsl6186 at zen.co.uk Mon Feb 27 13:22:57 2012
From: zenadsl6186 at zen.co.uk (Peter Fairbrother)
Date: Mon, 27 Feb 2012 13:22:57 +0000
Subject: Break-Open One-Shot Password Stores
In-Reply-To:
References: <62E4045D-9F52-4D90-8F83-7EC6DD9DDCB1@batten.eu.org>
Message-ID: <4F4B83B1.9090303@zen.co.uk>

Paul Barnfather wrote:
> On 27 February 2012 07:42, Ian Batten wrote:
>> Fictional films of nuclear missile launch processes show passwords
>> and other key material stored in plastic enclosures which are
>> broken in order to obtain the secret. The idea presumably is that
>> you can check that the key material has not been accessed without
>> exposing it. Whether it's true or not, it's a neat way to deal
>> with "break glass" processes for storing the root password to
>> servers, the back-stop copy of your lastpass password for your
>> executor or enduring power of attorney, etc.
>
>> Has anyone seen such devices for sale?
>
> How about the way banks issue PIN codes for ATM and credit cards?
> They come in the form of a printed letter with a neat little plastic
> tear-off tab which makes it very clear if the PIN has been read by
> someone else. They seem to be a cheap and effective way of storing
> and communicating a "read once" password.
>
> I assume they are fairly resistant to casual tampering.

They probably are fairly resistant - if the recipients know what to expect the untampered item to look like. Otherwise it's fairly easy to pass off an opened item as being unopened.

US Presidential missile control code cards in movies have a similar problem, in that the unopened card has to be unforgeable.

(of course they also had a bigger problem - for much of their history the hardware PALs in the missiles and bombs the codes in the card were supposed to unlock were all actually set to code 00000000, the military not trusting politicians, and in real terms launch control was actually under human voice orders. The codes themselves, and even the electronics in the "football", were almost totally irrelevant, their only real function was to make the President feel in control ... though there were some papers in the "football" about attack options etc.)
--
Peter Fairbrother

From ukcrypto at absent-minded.com Mon Feb 27 13:32:27 2012
From: ukcrypto at absent-minded.com (Mark Lomas)
Date: Mon, 27 Feb 2012 13:32:27 +0000
Subject: Break-Open One-Shot Password Stores
In-Reply-To:
References: <62E4045D-9F52-4D90-8F83-7EC6DD9DDCB1@batten.eu.org>
Message-ID:

The last time I inquired about buying PIN envelopes they were sealed in the factory but completed using a dot matrix printer on the outside of the envelope. Note that these don't protect you against an insider with access to unused envelopes.

The boxes that Ian asked about are sold as 'evidence boxes'. The police use them to prove that they didn't misuse something in custody. I have used these in the past to protect keys. For example we kept an alarm override key in such a box in case it was needed in the middle of the night.

Evidence boxes are better than PIN envelopes because the tab that seals it shut has a serial number. It has a ratchet mechanism like a cable tie so you have to cut it to open the box. Having cut the tab it is difficult to obtain a replacement with the same number.

A slight design flaw is that the boxes are clear. We used to wrap keys in card before putting them in the box.

Mark

On 27 February 2012 11:00, Paul Barnfather wrote:
> On 27 February 2012 07:42, Ian Batten wrote:
>
> > Has anyone seen such devices for sale?
>
> How about the way banks issue PIN codes for ATM and credit cards? They
> come in the form of a printed letter with a neat little plastic
> tear-off tab which makes it very clear if the PIN has been read by
> someone else.
> They seem to be a cheap and effective way of storing and communicating
> a "read once" password.
>
> I assume they are fairly resistant to casual tampering.
>
> Does anyone know if they are printed with a conventional printer, or
> do they require specialised hardware to produce?

From David_Biggins at usermgmt.com Mon Feb 27 09:59:03 2012
From: David_Biggins at usermgmt.com (David Biggins)
Date: Mon, 27 Feb 2012 09:59:03 -0000
Subject: Break-Open One-Shot Password Stores
In-Reply-To: <62E4045D-9F52-4D90-8F83-7EC6DD9DDCB1@batten.eu.org>
References: <62E4045D-9F52-4D90-8F83-7EC6DD9DDCB1@batten.eu.org>
Message-ID:

Hi Ian

Don't know whether they would fit the bill or not, but Postsafe claim to do tamper-evident uniquely numbered security envelopes.

http://www.google.co.uk/products/catalog?hl=en&q=security+envelopes&cid=6771560181040730997&ei=JlJLT8TtO8-E5AbP9YTUDw&ved=0CBUQrRI#

I wouldn't however try going to a postsafe com website to try for more details - my AV got very unhappy just now. Which assuming it is the same company, does not totally inspire warm feelings.

D

> -----Original Message-----
> From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto-
> bounces at chiark.greenend.org.uk] On Behalf Of Ian Batten
> Sent: 27 February 2012 7:43 AM
> To: UK Cryptography Policy Discussion Group
> Subject: Break-Open One-Shot Password Stores
>
> Fictional films of nuclear missile launch processes show passwords and other
> key material stored in plastic enclosures which are broken in order to obtain
> the secret. The idea presumably is that you can check that the key material
> has not been accessed without exposing it. Whether it's true or not, it's a
> neat way to deal with "break glass" processes for storing the root password
> to servers, the back-stop copy of your lastpass password for your executor or
> enduring power of attorney, etc.
>
> Has anyone seen such devices for sale? It wouldn't be hard to do it yourself
> with a lucite box and some araldite, but it would probably require a tool to
> break open and it's hard to be sure that the system doesn't have a back door:
> presumably the "real" items would be very weak in one plane, so they are
> easy to break and any force applied to attempt to open them otherwise will
> break that weak point.
>
> ian

From lists at barnfather.net Mon Feb 27 18:12:18 2012
From: lists at barnfather.net (Paul Barnfather)
Date: Mon, 27 Feb 2012 18:12:18 +0000
Subject: Break-Open One-Shot Password Stores
In-Reply-To:
References: <62E4045D-9F52-4D90-8F83-7EC6DD9DDCB1@batten.eu.org>
Message-ID:

On 27 Feb 2012, at 13:32, Mark Lomas wrote:
> Note that these don't protect you against an insider with access to unused envelopes.

I assume that is why the PIN must also be changed on first use; the PIN is not only "read once" but "use once" as well. Otherwise, as you point out, they are totally vulnerable to someone with access to unused envelopes (or the ability to make a reasonable-looking copy).

From igb at batten.eu.org Tue Feb 28 07:38:50 2012
From: igb at batten.eu.org (Ian Batten)
Date: Tue, 28 Feb 2012 07:38:50 +0000
Subject: Break-Open One-Shot Password Stores
In-Reply-To:
References: <62E4045D-9F52-4D90-8F83-7EC6DD9DDCB1@batten.eu.org>
Message-ID: <6BC2881B-F440-4F99-80BC-39B9B5936516@batten.eu.org>

On 27 Feb 2012, at 18:12, Paul Barnfather wrote:
> On 27 Feb 2012, at 13:32, Mark Lomas wrote:
>
>> Note that these don't protect you against an insider with access to unused envelopes.
>
> I assume that is why the PIN must also be changed on first use

That varies from bank to bank, I believe. It seems an obvious measure to guard against insider threats, but on the other hand people don't by and large set good PINs.
ian

From mikie.simpson at gmail.com Wed Feb 29 10:59:41 2012
From: mikie.simpson at gmail.com (Michael Simpson)
Date: Wed, 29 Feb 2012 10:59:41 +0000
Subject: Break-Open One-Shot Password Stores
In-Reply-To: <62E4045D-9F52-4D90-8F83-7EC6DD9DDCB1@batten.eu.org>
References: <62E4045D-9F52-4D90-8F83-7EC6DD9DDCB1@batten.eu.org>
Message-ID:

On Monday, February 27, 2012, Ian Batten wrote:
> Fictional films of nuclear missile launch processes show passwords and
> other key material stored in plastic enclosures which are broken in order
> to obtain the secret. The idea presumably is that you can check that the
> key material has not been accessed without exposing it. Whether it's true
> or not, it's a neat way to deal with "break glass" processes for storing
> the root password to servers, the back-stop copy of your lastpass password
> for your executor or enduring power of attorney, etc.

If you don't need to seal too many items and it is for your personal use then how about using Victorian sealing wax. You could design your own seal and there are mailable waxes now. You can also use methods to adhere the seal to plastic or metal for more tamper proof envelopes.

Mike