On the post: Should Tumblr Be Forced To Reveal 500 People Who Reblogged A Sex Tape?
Re:
It's one of the legalistic bits. Tumblr's being asked to turn over info in an action against Tumblr. That ought to fall under the Section 230 shield since there's not supposed to be an action against Tumblr at all in these circumstances. By rights, if the plaintiff wanted to go after the people who reblogged the link they should've filed actions against those users, shown that their actions were serious enough to allow for their identification, and then asked Tumblr to turn over the info as a third party in a proceeding not directed at Tumblr. But that's a lot more work than the plaintiff in this case wants to go to, especially given that they're unlikely to be able to show enough to get the identities, hence the shortcuts.

On the post: Stupid Patent Of The Month: Ford Patents A Windshield
Looks suspiciously similar to the shape of the windshield of the 1999 Subaru Legacy wagon I owned. This should be easy to invalidate as an obvious and non-novel alteration of extensive prior art.

On the post: Could Firmware Expiration Dates Fix The Internet Of Broken Things...Before People Get Hurt?
Firmware updates wouldn't help the problem any more than software updates have eliminated malware and exploits of standard PCs. It's a good idea to require network-connected devices to have upgradeable firmware just on general principles, but I think the real solution lies in asking and answering this question:
"Why do these devices need to be accessible from the Internet in the first place?"
I'd start by isolating them from the Internet completely, and in fact from the local LAN as much as is practical. The only devices on the LAN that need to talk to IoT devices are the ones that control them. The rest should be going through that hub or controller intermediary. That's got the advantage of also pressuring IoT makers to conform to standard protocols to avoid having users not buy their devices because they aren't compatible with the hub/controller the user already has (the likely hub/controller makers are Amazon and Google, both big enough that neither will abandon the market and they can't lock users into their hardware without giving up ~50% of the market in the process).

On the post: FCC Ignores The Will Of The Public, Votes To Begin Dismantling Net Neutrality
Re:
It happened a lot in the last 4 years. Every time the FCC tried to impose a regulation, the ISPs sued arguing that the new rules were arbitrary and lacked any basis justifying them. Even when the basis ought to have been self-evident to anyone with a working brain, the FCC had to spend time writing it all up in detail to show why the rules weren't arbitrary and what basis they had for deciding on those rules.

On the post: Trump Fires FBI Director Comey

On the post: Malware Hunts And Kills Poorly Secured Internet Of Things Devices Before They Can Be Integrated Into Botnets
Re:
Have to agree. Bricking the devices (or close enough that that kind of consumer won't be able to unbrick it) will give those devices, and if it happens commonly enough that brand, a rep for being unreliable and consumers will start to avoid them. There's a point where we have to say "Subtle hasn't worked, let's try not-subtle." and I'm pretty sure we're well past it. It's not like it's not possible to design consumer hardware/firmware that's secure, it's just that the entity responsible for it doesn't bear the cost of not doing it.

On the post: Singapore Court Tosses Copyright Troll Cases Because IP Addresses Aren't Good Enough Evidence
Mr. Lau's right in that you generally start with just the IP address (because that's all that exists at the network level) and need to work from that, which means going to the owner of the account that was using that address at that time to find out the actual person who was using the account's connection at the time. If cases are thrown out merely because an IP address is all the plaintiff has at the start, that's pretty much equivalent to prohibiting all complaints about on-line copyright infringement and that'd be wrong.
Where the problem lies isn't with starting with just an IP address, it's with cases where the sheer number of alleged defendants makes it clear the plaintiffs don't intend to pursue actual cases. Cases should start with a (relatively) small number of addresses which have some relationship to each other (e.g. their reverse-lookups or traceroutes result in names indicating they're all in the same geographic region and the court you're filing in has jurisdiction over that region), should be for something reasonable (e.g. "All we can identify based on the IP address is the account holder and we need to question the account holder to identify the actual infringer.") and most importantly should state up-front the basis for believing infringement has occurred (i.e. "We downloaded and viewed the file ourselves and it is in fact a full copy of our film." rather than "It's got a name that vaguely resembles the title of our film.").

On the post: The Weird Antitrust Questions Of A Google Chrome Ad Blocker
One mitigation would be to treat it as an extension like any other that just happens to come pre-installed. The first thing you get when you bring up Chrome (or upgrade to a version that includes the blocker) is a tab showing the default state and requiring the user to select their preference or confirm that the defaults are OK.
Of course, if I were Google I'd make it a 3-way thing: click button 1 to enable Google's blocker, click button 2 to be shown a list of other ad-blocking options and independent reviews of them, or click button 3 if you really truly want to see all ads. But then I'm a bofh.

On the post: The Teddy Bear And Toaster Act Is Device Regulation Done Wrong
Re: Re: Re: Re: So what's your solution?
I don't think you understand the process. With these terms of service a person brings suit, the company moves for dismissal and referral to arbitration based on the TOS, the judge tosses the suit (out or over the wall to the arbitration panel) based solely on the TOS and never gets to the question of whether the complaint had any basis. And if they sue after arbitration, they have to shell out hundreds of thousands of dollars over a couple of years with no ability to recover any of it and the possibility of having to also cover the company's legal fees even if the person wins.

On the post: The Teddy Bear And Toaster Act Is Device Regulation Done Wrong
Hmm. Who does the R Street Institute represent (as in, who are they being paid by)? The arguments Ms. Hobson presents look like they're taking the proposed law and interpreting every clause in it in the most disadvantageous manner (even when that contradicts the black-letter words of the proposal). The result is arguments that amount to e.g. "There isn't a full screen to display details like we'd have on a computer on a toaster, so it's impossible for a toaster to comply.", easily countered by "State clearly in the manual what information is collected and transmitted, then either state that it's continuously collected/transmitted while the toaster is powered on or add one single LED and say that that LED being lit means data collection/transmission is in progress." The whole thing smacks of an attempt to argue that we shouldn't hold manufacturers to any legal standard and should leave it entirely up to them to voluntarily do the right thing.
Well, if they would voluntarily do the right thing, we'd never have gotten to the point where a law like this is proposed.

On the post: The Teddy Bear And Toaster Act Is Device Regulation Done Wrong
Re: Re: So what's your solution?
That's already been thought of. That's why the "terms of service" for connected devices commonly include clauses preventing users from joining class-action suits and requiring them to first go through manufacturer-friendly arbitration before filing an individual lawsuit (and often making the consumer liable for the company's legal costs if the consumer fails to win the suit, where in the normal course of legal proceedings they wouldn't be). Lawsuits aren't a real threat when no individual consumer can show enough damages to cover the costs of suing and collective actions are prohibited.

On the post: The Teddy Bear And Toaster Act Is Device Regulation Done Wrong
Re: Re:
If that worked, we wouldn't be here. Or haven't you noticed the stream of reports of various breaches that name virtually every company currently producing connected products?

On the post: Apple Takes Heat For Software Lock That Prevents iPhone 7 Home Button Replacement By Third-Party Vendors
Re: Re:
It's not a security choice. A security choice would be to disable the fingerprint-recognition feature until the user had confirmed that they expected the sensor to have been changed (e.g. during a repair). That would protect the integrity of the path between the sensor and the secure enclave. Everything else, including disabling the button for non-fingerprint-related functionality, has nothing to do with security and everything to do with locking out independent repairs. How does bringing up the PIN keypad, for instance, compromise security if it's done via a home key installed during a repair? Unless, of course, you're positing that some nefarious party has swiped the phone, swapped out both the home button _and_ the entire screen for hardware that'd somehow record and store fingerprints and PIN entries in hardware _not part of the phone_, and then returned the phone without the owner ever noticing it was missing for the length of time required to effect the work. And _then_ managing to swipe the phone a second time to offload the stored data from the hardware (it's not part of the phone, remember, and our nefarious actor doesn't have the fingerprint or PIN that'd permit him to install software on the phone (if he did, he wouldn't have to install hardware to get them)). I find that whole sequence highly unlikely, unless of course you've been targeted specifically by someone who wants access to your phone in particular and not any phone in general and who's also in physical proximity to you.

On the post: No, The Wall St. Bull Sculptor Doesn't 'Have A Point'
Re:

On the post: Secret Sorority Handshakes, Questionable Lawsuits, Free Speech, The Right To Be Forgotten And Section 230
Seems there'd be multiple grounds to argue that there's no case:
The handshake and knock aren't trade secrets. Trade secrets require some economic value to their secrecy, and there seems to be no economic value in knowing how to access a PSS meeting or identify a PSS member.
The information wasn't known to be acquired by improper means. PSS itself couldn't identify the source as a member, and they haven't identified a member the source could have gotten the information from. They assert that it could only have come from one of their members, but it's on them to prove that and they haven't.
The information wasn't secret. They don't appear to make any assertion that the handshake and knock are never ever used in public. If they're used in public, there's a myriad of ways to acquire them without doing anything improper, e.g. observing someone you know is a PSS member using them to identify themselves to someone else.

On the post: FCC Boss Wants 'Voluntary' ISP Net Neutrality Promises Instead Of Real Rules
My response to Pai would be one of my standard ones: "If they're willing to promise that and intend to honor that promise, then having the terms of the promise written down as binding regulations shouldn't be any additional problem for them, right? After all, the regulations are just what they're going to do anyway, there shouldn't be any additional burden on them."
It comes from a standard statement when negotiating contracts: "If you intend to do that anyway you won't mind putting it in writing, right?"

On the post: State Appeals Court Says There's An Expectation Of Privacy In Vehicle Data Recorders
For the dissent's position, I'd ask:
I have a safe in my house. It was there when I bought the house. I didn't install it, I don't know the combination and I have no idea what's in it other than it isn't anything to do with me. Does this mean the police can enter my house, have a locksmith open the safe and riffle through its contents, all without any warrant?
If the answer is no then the dissent's position is at best misguided and at odds with existing jurisprudence. Things don't have to have any intrinsic value to belong to me, they don't have to have been created by me to belong to me, and they certainly don't have to have been built and/or installed by me to belong to me. The black boxes were part of the car when I bought it, I paid for the whole car and I've got the title to the whole car, the title applies as much to the black boxes as to any other part of the car.

On the post: If A Phone's Facial Recognition Security Can Be Defeated By A Picture Of A Face, What Good Is It?
I'd like a variant of two-factor: my fingerprint can unlock the phone alone while connected to my headset or PC via Bluetooth, otherwise it requires the PIN or password in addition to the fingerprint.
To be nasty, let it ask for the PIN/password regardless of what fingerprint it scanned, but too many failed PIN/password attempts with the wrong fingerprint presented would lock out all further attempts.

On the post: Congressperson's Sex Trafficking Bill Looks To Carve Holes In Section 230 Immunity
Re: Re: Re:
This wouldn't be to the prosecutors when they come to enforce an order. It'd be to the supporters of this bill and the prosecutors when they testify to needing it in Congress when it's debated. Lay the groundwork for taking child trafficking out of the debate entirely by making them show that it actually exists on these platforms. My estimation is that they won't be able to respond because they won't have anything to show.

On the post: Congressperson's Sex Trafficking Bill Looks To Carve Holes In Section 230 Immunity
Re:
Start fighting it by asking the prosecutors one pointed question: "Which ads have resulted in successful prosecutions where the providers were in fact under-age? Be specific please, I don't want just numbers, I want to see the actual ads and to hear you state the ages of the minors involved." Then let them fumble but keep them on-point: actual ads, not their guesses. And when they try to wiggle out with a plea that they need this law because they can't find the actual criminals, reply with "Then how do you propose to prove that the site was hosting child-trafficking posts if you admit you don't know and can't prove that the posts were trafficking minors? This isn't the Wild West where we tolerate vigilantes, you know, we expect crimes to be proven in court before we punish people for them."