The other day I posted criticisms and warnings about Mozilla's propensity to follow commercial programs that involve handing over their customers' data. Now, to underscore the Alice in Wonderland quality of the debate about data safety in America, we can read this over on Risks:
Feds Continue Push For Mandated Internet Data Retention (R-24.29) Lauren Weinstein Fri, 2 Jun 2006 08:28:06 -0700 (PDT)The Justice Department said Thursday that it was not seeking to have the contents of e-mail archived, just information about the websites people visit and those with whom they correspond.""Sounding the Alarm on Government-Mandated Data Retention"
This is a critical topic. The impracticality and cost issues associated with the new DOJ Internet data retention proposals are relatively obvious. It's difficult to even understand who would be required to comply with such demands. Only the big Web service companies? ISPs? (via packet tracking of their subscribers running their own servers?) Every small firm, organization, or even individual who operate their own e-mail and Web servers? Are the existing privacy policies of such entities instantly negated if they conflict with the DOJ wish list or data retention legislation?
Risks is a serious, long-lived institution in publishing, dating back to the pre-popular-Internet days. It's widely read, respected, and venerable. How then could the above poster have gotten it so wrong?
In America, the data a company has and the data their software controls is theirs to sell. That's how it is, get used to it. But this seems to be a new theme recurring over and over again, and Weinstein is not alone in misunderstanding the basic nature of data in America. (You'll note that when I posted about the issue with Mozilla, I wasn't saying "don't do that," rather I was warning of the need to manage the transition from open service to the rampant commerciality that the user base is afraid of.)
To see why this news is ominous (and Daniel offered a counter-perspective which I have not as yet got around to addressing), let's go back the ADK story.
I recall the day this idea of "impracticality and costs" was destroyed as an excuse for me. Actually, it was about two weeks of hard debate and thought, surrounding PGP Inc's infamous actions in introducing a way for people to escrow messages to another key. When PGP Inc decided it was going to add the feature for its customers, it ignited a firestorm of criticism over the net as apparently, "one of our own" had turned to the dark side.
Why? Because, at the very same time as this was happening, the net community was fighting FBI director Loius Freeh in US Congress who wanted exactly that. Escrow of all messages, or keys or whatever, as long as the LEAs could read the crypto. And, the fight was being carried on with exactly the same argument as written above - it would be impractical and costly to escrow keys or add FBI keys.
PGP Inc totally destroyed the case of expense and impracticality for the crypto and privacy lobbies. The curious fact was that they were pursuing an honest business need, one that many businesses not only need but must have by law (securities industry for example are desparate for secure but escrowed data comms). And if PGP Inc had only realised that their support base would rebel and had done something about it in advance, they could have successfully migrated that base over and still have the feature put in place.
Are going to see a repeat of this, as the privacy community squares up against the DoJ? Difficult to predict, the times are different. On thing that is different is we might have a better understanding of how this is going to happen. The DoJ just needs to find the right economic deal.
An organisation that sells stuff for money will do just that - sell it for money. Finding the deal was evidently workable for Firefox 2.0. Whether this deal is as bad as the fearmongers think, or whether it is benign as Daniel suggested, is irrelevant - the other interested party, the user, is not paying for the privilege of having a say, so the deal will eventually move against that user. That's economics, get used to it.
There is now, and has been for some time, a hole in the market for an independent secure browser. A sort of OpenBSD of Mozilla, if you are aware of the brands. It's not clear who will fill this hole, I know at least one group that is looking to do this. The problem of course is that it is no small undertaking, and kudos to those who have got their big browser projects to where they are now, with minimal or no funding.
Here's more:
U.S. Wants Companies to Keep Web Usage RecordsPosted by iang at June 9, 2006 09:36 AM | TrackBackBy SAUL HANSELL and ERIC LICHTBLAU
03/02/06 "New York Times" -- -- The Justice Department is asking Internet companies to keep records on the Web-surfing activities of their customers to aid law enforcement, and may propose legislationto force them to do so.
The director of the Federal Bureau of Investigation, Robert S. Mueller III, and Attorney General Alberto R. Gonzales held a meeting in Washington last Friday where they offered a general proposal on record-keeping to a group of senior executives from Internet companies, said Brian Roehrkasse, a spokesman for the department. The meeting included representatives from America Online, Microsoft, Google, Verizon and Comcast.
The attorney general has appointed a task force of department officials to explore the issue, and that group is holding another meeting with a broader group of Internet executives today, Mr. Roehrkasse said. The department also met yesterday with a group of privacy experts.
...
The PGP, Inc. controversy was, I think, heightened by the bug that allowed an ADK to be added to a key packet without voiding the signatures on that key. At the time, I recall several people opining that such an oversight could well have been an intentional move to facilitate surreptitious encryption to an ADK held by a TLA. That, more than the business case for ADKs, seemed to be the main sticking point.
That being said, the move for data retention is still repugnant.
Posted by: Roy at June 9, 2006 11:29 AM