Archive for 'The Law'

Norm Coleman - Pwned!

It looks like Norm Coleman may have a new challenge: violating state laws related to breach notifications. Politico is reporting that his website exposed credit card details and that he hasn’t notified the people whose financial information was exposed. While the breach happened back in January, it wasn’t until this past Wednesday that the campaign issued a statement on the matter, and that was precipitated by lists of the donors (and their information) being made available online.

I sent a comment off to the FTC today, as it’s the last day they’re soliciting comments on DRM. They’ve got a workshop coming up next month, and they’re looking for public comments. Browsing through the comments, I was struck by the number of people who are focused on videogames. Below is my comment.

DRM is a first step towards striking a balance between the needs of consumers and the interests of content producers. Done properly, taking Valve’s Steam as an example, it is beneficial to both consumers and content producers. Unfortunately, whether by wildly overstepping their boundaries (as Sony did with its rootkit), by changing DRM standards and forcing a repurchase of already licensed materials, or by simply pulling the plug on the authorization server (as MLB did with its licensed game replays), content producers have consistently shown that they cannot be trusted to use DRM in a manner that is consistent with a positive customer experience, let alone in the consumer’s interests.

Even when implemented well, there are still sometimes onerous limitations placed on consumers. With high definition video gear, some systems purposely degrade the quality output to analog devices. This forces consumers to needlessly spend money to replace functional equipment simply because the content producer doesn’t want their content played on analog devices.

Recently, Microsoft’s Gears of War video game ceased working: the DRM in the product, put in to stop cheating, stopped the game from running when a certificate expired. Companies (MLB, Wal-Mart, MSN, etc.) have consistently shown that they are unwilling to support authentication servers and existing applications after those have stopped making the company money, in spite of consumers’ desire to continue using the media they’ve rightfully paid for. When the business decision is made to turn off the authentication servers, consumers may no longer be able to legally access their properly licensed content.

Circumventing DRM, in the United States, is illegal. There are some specific exemptions, but all are of limited use when it comes to works entering the public domain. If a work that enters the public domain is protected by DRM, it may be technically infeasible to access it. If an authentication server isn’t available or if the encryption is sufficiently strong, the public may never exercise their rights with the content.

Some DRM systems dramatically overstep the boundaries of what most consumers would expect. From Sony’s music CD rootkit debacle to Blu-ray players’ BD+ DRM system, content producers routinely interfere with consumers’ rights to use their legally purchased hardware. In the case of Sony, software was secretly installed, without the consumer’s consent or knowledge, that exposed consumers to being hacked. The BD+ DRM system modifies itself based on commands embedded in Blu-ray media. If one of these modifications renders the hardware inoperable, is it reasonable to expect that the content provider who distributed the disc will accept responsibility and provide a new Blu-ray player to the consumer?

All of these measures also impede fair use. I’m working on a professional presentation that uses scenes from movies to illustrate computer security concepts as seen in the movies. While I am legally allowed to include brief clips to illustrate my points, I need to use some potentially illegal tools to access the audio and video, due to DRM restrictions placed on DVDs.

Even with all of these restrictions, at best, DRM only keeps honest people honest. Nearly every DRM system out there, from Apple’s FairPlay to Microsoft’s WMA, from the AS Consortium’s AACS DRM (used by many Blu-ray content producers) to the DVD CCA’s CSS (used on DVDs), even including VHS tape’s Macrovision, has been successfully bypassed. What is an inconvenience to consumers is a challenge to hackers, one that they have roundly met and won in nearly every instance, bypassing most major DRM systems.

Simply put, DRM is an inconvenience. It is one that penalizes honest consumers, who have to deal with it, and content providers, who have to keep coming up with new and novel schemes. It does little to stop piracy, as it’s also merely an inconvenience to those who seek unauthorized access to media.

A settlement has been proposed between TJX and the lead plaintiffs for consumers who were affected. The affected consumers are divided into two classes: those whose financial details were exposed and those whose identity information was exposed. If you lost money, you can collect up to two $30 gift certificates, provided you can document the loss, including your wasted time at a princely $10 per hour. If you returned something without a receipt and gave your driver’s license, you can collect three years of credit monitoring too. Oh, and they’re going to have a sale sometime in 2008 where you can get 15% off.

So, if a company implements shoddy security practices and causes mass card cancellation, as well as untold identity theft and consumer fraud, then instead of quietly burying it, it turns the breach into a marketing event. Got it.

I have an $80 charge from 11/05 against a card that was used at TJX during the period that thieves had open access to the credit card details. Needless to say, FCRA’s 60-day dispute period is long gone, so a lawsuit against TJX may be my only reasonable recourse. Treble damages, court fees, time lost, and identity monitoring and theft protection come up to a tidy sum. Even if I accepted the class action settlement, I’d get, at most, $60 in gift certificates for my lost $80.

In this Information Week article, it is reported that TJ Maxx, poster child for the mother of all data disclosures, is being sued by banks. If you remember, they let loose some 45 million credit and debit cards. Figuring a $25 cost per exposed card, incurred by a bank to void and reissue the card in question, you come up with somewhere north of a billion dollars as the cost of cleanup. Banks are not primarily in the “spending money out of the goodness of our hearts” business, and will want to recover their costs, thus coming after the responsible party. Enter the class action suit, covering some 300 banks.

Prediction: This is just the first wave in this type of lawsuit. No longer will admonishment by the FTC or a “mea culpa” sent to customers be the biggest driver behind keeping data on lockdown. Now, private recovery costs will be the biggest stick in the game.

If you live in Illinois, it may soon become illegal to own a magnetic stripe reader if this bill becomes law, as reported by Bruce Schneier.

Clearly, if we outlaw n, we won’t have to think about the fallout of n because no one will have n. It worked for alcohol, didn’t it?