04-09-13, 07:13 AM, #1
Peer-To-Peer News - The Week In Review - September 7th, '13
"I’d speculate that one reason for the secrecy of the program is that it would be very hard to justify it to the public or the courts." – Jameel Jaffer
"We pay them to spy. But if in the process they degrade the security of the encryption we all use, it’s a net national disservice." – Representative Rush D. Holt Jr, D-NJ
"Trust the math. Encryption is your friend." – Bruce Schneier
September 7th, 2013
Ashes to Ashes, Peer to Peer: An Oral History of Napster
The most important startup in early Internet history was also one of its most controversial.
Like the birth of most great music movements -- Elvis on Ed Sullivan, Patti Smith at CBGB -- Napster was rebellious of convention, threatening to established norms, and, well, really loud. The tiny startup from Hull, Mass. launched in early-1999, grabbing the world's attention almost immediately. At its core was a clever-if-crude piece of software -- so-called peer-to-peer technology -- that allowed computers to easily send each other files over a network. It would transform the Internet into a maelstrom, definitively proving the web's power to create and obliterate value.
The company was famously co-founded by Shawn Fanning, a shy and earnest student at Northeastern University in Massachusetts; his uncle John Fanning, an entrepreneur who pioneered online chess; and Sean Parker, a friend Shawn had met on hacker message boards. The service became a phenomenon, shaping the cultural lexicon; "downloading" became a household term, and "sharing" became more than an elementary school lesson. And, of course, it brought the music industry to its knees, eventually leading to an unprecedented legal battle over intellectual property. At its peak, Napster had 70 million users -- a feat considering consumers were only getting their feet wet with broadband Internet service. Even in the age of Google (GOOG) and Facebook (FB), Napster is still enshrined in the Guinness Book of World Records as the fastest-growing business ever. (A recently released documentary, Downloaded, traces the company's history; it will be available to stream online this month.)
In the history of the Internet, Napster's story is foundational. Yes the company died. But don't most pioneers traversing new frontiers? The truth is, even today, Napster's mark is as visible as ever. Earlier this summer, Apple (AAPL) announced iTunes Radio, its own streaming music service, a faint echo of Napster's one-time ambitions. Artists continue to spar with the likes of Pandora (P) and Spotify over royalty issues. And though Napster didn't invent peer-to-peer networks, it introduced them into the mainstream. Now, some of the most disruptive startups, Airbnb to name one, run on peer-to-peer marketplaces.
Napster finally fizzled away in 2011. It was unceremoniously bought and folded into Rhapsody, a competing music subscription service. But Napster's glory days were its first three years, before it filed for bankruptcy a decade ago. What follows here is the sometimes-bitter tale of Napster's rise and fall, as recalled by many of the players who lived it. These are recollections; like all memories, they may be fallible at the margins. In fact, some recollections herein contradict each other. Shawn Fanning and Sean Parker did not respond to repeated requests to be interviewed. John Fanning declined to comment.
I. THE IDEA
So let's step back to spring of 1999. Shawn Fanning is a teenager hanging out on the messaging service Internet Relay Chat. He's on a channel called w00w00, a hacker network. Going by the online handle "Napster," -- a nickname he got from a trash talker making fun of his hair on the basketball court -- he tells the group about a program he's working on that will make it easier for people to swap music files. One person he turns to for help is Jordan Ritter, a 20-year-old security programmer who goes by the name "Nocarrier."
Jordan Ritter (Napster founding architect): Interesting story there. The roots of Napster are actually in the computer security world. The underground. Myself and Matt Conover [another hacker on IRC] and a few other guys founded this group. And Fanning, er, Napster, was one of those people as well. Kind of a peripheral connection to the group. I'd never actually talked to him much before. Fanning started to solicit the group for help on this project he was working on, which I believe at the time was called Music Net.
As technologists, as hackers, we were sharing content, sharing data all the time. If we wanted music, we would go into some IRC channel, and hit up a bot there and download music from it. It was still kind of a pain in the ass to get that stuff. So Fanning had a youthful idea: Man, this sucks. I'm bored, and I want to make something that makes this easier.
Ali Aydar (Napster senior director of technology): I have to admit, I didn't get the gravity of Napster itself immediately. And what I mean by immediately, I mean when [Fanning] first described it to me. He kind of worked on me for 20 minutes, and after that it dawned on me how big this thing could be. And so that got me interested in helping him.
II. THE STARTUP
Soon after, Shawn's software becomes the centerpiece of Napster Inc. The company is operating out of headquarters in Hull, Mass., and there is tumult over ownership stakes from the very beginning.
Ritter: Towards the end of that summer, I remember [Shawn] getting online and saying, "Dude, my uncle just incorporated the company."
As Napster looks for a CEO, Yosi Amram, an early investor, calls Eileen Richardson, a venture capitalist thinking about leaving the investment world, to tell her about the intriguing new piece of software. The company would soon give her the position.
Eileen Richardson: So I went home that night and downloaded it. And holy shit. I remember at that time, folks started saying that people didn't want to download anything onto their computers anymore, because it was all getting to be web-based. But anybody would download that, easily. I just remember shaking, thinking: Oh my god, oh my god.
With a CEO in place, most of the team leaves New England and sojourns west to Silicon Valley (John Fanning stays back east). Ritter moves to California a few months later. The night he arrives, Fanning, Parker, and Aydar pick him up from the airport and drive directly to their very first company meeting.
Ritter: That car ride, the most important thing about that conversation was that Parker and [Shawn] Fanning were talking about reincorporating the company in order to get rid of John. The company had been incorporated as Napster Inc. They were plotting to reincorporate as Napster.com Inc., or something. Plotting is probably a strong term. It was an important topic of conversation. These two kids are 17 years old. And those conversations are very high level and pie in the sky and impractical. And it probably was.
Despite the early palace intrigue, the sense of excitement is palpable.
Ritter: I had never been to California before, except from when I was born. I left when I was age 2. I didn't know about hills. The most hilly places I lived in were Massachusetts and Pennsylvania, but those hills are often dark and wooded and foresty. So I landed at night, and the hills were dotted with lights. It was this magical, wondrous looking thing. I had no context what was San Mateo vs. Redwood City versus San Francisco. I can't conceive of the distance that we crossed. My tongue hanging out the window. Christmas trees. It looked like Christmas fucking trees. It was beautiful.
Aydar: Our first company meeting started at 11 p.m. one night. We were all young. We were single. We were excited about this thing. We could see the impact it was going to have once we got it built.
The company gets to work building out the rest of the management team. Their next executive hire is Eddie Kessler, a 40-year-old soft-spoken engineer with stints at Infoseek and Quote.com under his belt.
Eddie Kessler: Yosi arranged to have me come up to San Mateo, where he'd have me sit down with Shawn and Sean and Ali Aydar at a small table in this crappy office building. We talked about what they were doing. It was kind of interesting. I thought, these are young kids, they don't know how to write software. I can give them some interesting pointers on how to do things.
Kessler signs up as vice president of engineering. Meanwhile, the team has concerns over the service's legality.
Kessler: I spoke to John Fanning. He said that this was going to be a 10 billion dollar business -- he was sure of it ... he had commissioned a report from a lawyer, a constitutional lawyer that proved that Napster had a strong and defensible legal position. I said, "Really? Interesting."
Richardson: Did I think it might be illegal? Yeah, of course. That's the first thing I thought. This is too good to be true. You can't be able to do this. But Yosi had done some legal work and had a legal opinion.
Aydar: [Shawn] felt pretty strongly that if he built something really good and really cool, that the artists and record labels would appreciate the distribution mechanism and the amount of data you could pull from it -- understanding who's listening to what, who's engaged with what content. He wasn't focused on the legality. He felt like once he built something really good, any issues would solve themselves.
Kessler: When I joined, I figured we'd know in three to six months, whether this was going to be a complete flop and we'd get sued out of business, or not be able to raise money, or whatever. And one of the funny things is, pretty much until I left the company, we always felt like within three to six months we'd know whether it would be wildly successful or it would go out.
As buzz spreads, legal action from the record industry becomes a more pressing concern. The company snags its own record exec as vice president of marketing: Elizabeth Brooks, a former artist and repertoire director at Work Group, a subsidiary of Sony Music.
Elizabeth Brooks: I cold-called Napster. I emailed a resume to firstname.lastname@example.org, and Eileen called me back. It literally took less than 24 hours.
People said, "You're going to work at some dot-com?" People ask me all the time how my old colleagues at the record industry felt. I was following music, technology, and disruption. It was a startup that was building up its users and getting a lot of press. It was a smart business move, and the record industry is nothing if not pragmatic.
As user numbers skyrocket, the Internet age finds a reluctant and shy hero: Shawn Fanning.
Richardson: In the beginning there was a lot of, "We want to interview you. We want you to be on the front page of this or that," [from the media]. And I always said, "You really need to talk to Shawn." And he'd say, "I don't wanna do it. I don't wanna do it. I can't do." He was a 19-year-old kid! But I said, "You've got to be the face of us. Because it's Napster, and it's your story about your hair. That's your story."
Laurence Pulgram (Napster's eventual attorney): The first meeting I had with Shawn Fanning in San Francisco at our offices, he looked out the window, and he was wondering what the Transamerica pyramid tower was. He had never seen it before, had no idea about it. He knew software.
For a company that's quickly taking over the Internet, Napster has set up shop in a meager office in San Mateo, Calif. -- the fourth and sixth floors of a converted bank building. Napster becomes vintage Silicon Valley startup lore: youngsters working feverishly, staggering to deal with growth.
Ritter: It was shitty, sure. But that's startups, man. And the office had a beautiful view. It was on the corner of 4th Avenue, overlooking the bay. You get to see the airplanes lining up as they're coming in for landing at SFO. And the weather was nice in San Mateo. There was a deck, so on the other side of the office were the San Mateo hills, which were beautiful.
Richardson: The place was really tiny. To the point where, if you pushed someone's chair back, you'd hit someone else's chair.
Brooks: When we started, our engineers made as much as senior management. We all made the exact same salary. And our top engineers made as much as our CEO, at the beginning.
Pulgram: The team had incredible energy, powered by Red Bull -- when it too was a nascent technology. People were coding all day and all night in a tiny office.
Brooks: When we outgrew the San Mateo office, prices had gone up even more. The price per square foot in the Valley was just ridiculous. It got to the point where it was pretty standard for landlords to ask for equity in addition to rent. It was unbelievable. We actually almost moved into a paintball arena. I actually thought it would have been kind of cool. It was painted all black inside, and we could form an indoor paintball club. [Laughs] Except it didn't have enough windows, and we thought that everyone would go crazy.
Richardson: We put in some late, late hours. Initially, we had this little tiny office that had like five desks in it. It was like, Shawn, Parker, Bill Bales [an early employee], and me. We probably had three, or at least two different offices during that short amount of time.
As the company grows, the team moves into a slightly bigger office in Redwood City, Calif.
Brooks: There was this staircase that led to this mezzanine. And in the mezzanine there were two conference rooms and my office. Why I got the special office I will never know. But it gave me the opportunity to kind of watch how things were going, because at the top of the stairs I could see the entire office. I could gauge the mood, see if the engineers were happy, and occasionally sing a song or two.
At the time, Groove Armada had that song, "I See You Baby." That was a big hit. If you don't remember, it goes "I see you baby, shakin' that ass, shakin' that ass." So one or the other of us -- it would often be me -- would just call out, "I see you baby!" And somebody would inevitably respond, "Shakin' that ass, shakin' that ass!"
Kessler: I was the adult supervision. Eileen and Bill weren't even really "employees." I was the only sort of adult employee.
Brooks: Our door was always open. There were a few startups on our floor, and we all kept our doors open and wandered in and out, talking to other companies that were on our floor.
The neighborly vibe helps when Napster begins to court investors for a second round of funding. Through the grapevine, noted Silicon Valley investor Ron Conway takes interest, and his firm SV Angel invests $200,000.
Ron Conway: We knew another company in the same building. I asked that entrepreneur, and he commented to me that the building is full of startups. And I asked him, "Are there any interesting startups in the building?" And he said, "Yep, there's this service called Napster."
Numbers continue to mushroom, and Napster experiences growing pains as it tries to scale.
Brooks: Shawn and I went up to the server room with a stopwatch and sat there counting files flying back and forth, and we realized the scope of the business because the number was just astronomical. Uncountable. Billions of songs a month, and this was early on. Realizing that you're really in a game changing moment -- that's the happiest feeling anybody who's committed to innovation can have.
Aydar: There was one particular night about three or four months in where we had a breakthrough that really solidified the scalability of the system. We were all in the office. It was the middle of the night, and we switched over the system to this new one that scaled. We got out the beers, and the music was loud. We were having a lot of fun. You could see the numbers. It was almost as if it was growing in real time. You could see it.
Kessler: It was very, very frenetic. Any direction you looked at, there were problems. From not enough hardware to not enough space and racks in data centers to the software crashing, servers crashing, the client software not working properly. Every direction you looked, there were issues. It was just a constant battle. We would buy twice as many servers, and we would wipe our brows and say, "Okay, now we've bought ourselves some time." And then three or four hours later we were over capacity again. Then we'd work on algorithmic changes to speed up some things and say, "Whew, god, we made it 10 times faster, we're good for two weeks." And 24 hours later we were at maximum capacity. It was this fire hose.
Richardson: It was during this time when everyone [in Silicon Valley] is raising all this money and bringing in a brand expert for a million dollars. I just couldn't understand it, why you would spend all that money. Everyone was like, "We're going to change the name. No one's ever going to understand the name 'Napster.' Let's change it to 'Rapster!'" Which makes no sense whatsoever. To this day, I almost never pull the CEO card. But in that case I said, "We are not changing the name. Because if you put your head down and get to work, everyone will know who we are."
Kessler: Sometimes we would just order hundreds of servers at a time, just these stacks of servers. We had to drive them at high speeds down to our data center in San Jose. We had to get these things up as soon as possible, so we would race them down, and we'd have screwdrivers in the back of the car. We'd pull into AboveNet, which was one of our data centers, and get a cart and start stacking up boxes of servers. We'd rush them into a cage we had with a lock on it and start shoving these into racks, as quickly as we could.
While users flock to the software, the team tries to partner with the music labels and major entertainment organizations. One person they see early on is Jay Samit, an executive at EMI who was tasked with trying to develop a way to monetize musical distribution over the Internet.
Jay Samit: Shawn and Sean came in, and they didn't have a model. Their model was: Somebody other than them makes money. Somebody has to pay. I said, "Come back, and tell me how someone is going to get paid." And they never came back.
Brooks: There were a few people that got it and a couple that actually did something about it. Most of the meetings were quite frank. Most people were not hostile. Business is business, and we were running a business and so were they. And they were pretty frank about how no way, no how were they going to scare off traditional retail. They thought, We do a deal with Napster, we won't be able to distribute to Tower Records anymore. Now you can see that worrying about alienating Tower Records was a shortsighted concern.
Conway: The day after we invested, Eileen Richardson and I flew down to L.A. and met with Jeff Berg, who was then the head of ICM [International Creative Management], and I think Mo Ostin [then-head of DreamWorks records] was in the room too. And we said, "Hey, we've got 100,000 downloads here. We need to work together to commercialize this business, because the genie's outside of the bottle."
Amid the frustrations, the overnight success also affords the team a few perks, like newfound celebrity status.
Brooks: When I coined our tag phrase, "Thanks for sharing," and we made up a bunch of Napster t-shirts. Those went over really well. Literally, if you were one of our guy engineers and you went out to a bar in Silicon Valley, apparently it was a little bit of catnip. Somebody said, half-joking, "Oh, you know, we should make more t-shirts for the engineers that say, 'Fuck me. I work at Napster.'" And there are a few of those floating around.
Conway: I had a reception at our home where Larry Page and Sergey Brin [co-founders of Google] said to me, "Wow, we'll never be as famous as that Fanning guy standing over there."
III. THE LAWSUITS
By December 1999, Napster mania is full blown. Frustrated, the Recording Industry Association of America (RIAA) enlists Russell Frackman, already the music industry's go-to litigator, having won a copyright infringement case five years earlier that deemed selling pirated music at swap meets illegal.
Russell Frackman (lead attorney for the RIAA): I remember after that case, my then-contact at the RIAA said to me, "This case is going to be very important on the Internet." And I didn't have a clue what he meant, frankly, at the time.
Hilary Rosen (then-chair of the RIAA): When it had gotten much bigger and then-management was much more adversarial, we had no choice but to file litigation. Once, I brought a computer into a meeting of the RIAA board, which was all of the heads of the record labels across the country at the time. And we basically played Name That Tune with the heads of the record companies, who were naming some of their current and new releases, some of which hadn't been released commercially.
Richardson: Then I got to talk to Hilary. That was fun. I was in my car. I was heading back to the office from a meeting, on Fourth Street in San Mateo, not far from the office. We're both strong personalities, so it's going to get a little heated. She said, "You're letting people download ..." I said, "You don't understand the technology. That is not what we're doing." She said, "You're infringing on copyrights." I said, "Well, I'd like to know which ones. Who, what, when, where, how?" And that's when she said, "Open up Billboard magazine! The top 200 are right there!" Really meanly. And I said, "I'm sorry. I don't subscribe to Billboard magazine."
On behalf of the five major music labels, the RIAA files suit against Napster on December 6, 1999.
Frackman: It was either on or right around D-Day -- no, not D-Day -- Pearl Harbor day.
Rosen: It became clear that guys who were in the digital music space, who were trying to do it the legitimate way -- getting licenses, paying royalties, all of that -- were starting to resent the volume of attention Napster was getting. So then I realized I wasn't just making an effort for the creative community, but that really the only way the startup community would have a shot is if everybody had a level playing field. So I gave our guys the go-ahead.
The case reunites Frackman with an old colleague.
Jeff Knowles (attorney representing the song publishers): I met Russ quite a number of years earlier, because when I was an associate at this firm, one of the first cases that I worked on was the Milli Vanilli lip-synching scandal in the early '90s. Russ was involved in that case, so we worked together on that.
I can remember having seven or eight people in my office just looking at the software operating. A lot of times, there would be a whole group of people from outside -- New York or elsewhere or L.A. or San Francisco -- they would all gather in my office, and we would do the whole demonstration of the software, so that was fun. And at the time there were millions of parody videos on the Internet, and we'd watch those, the latest parodies. We had a lot of attention focused on computer screens those days.
Back at Napster, the team receives word of the lawsuit.
Kessler: People were sort of stunned initially. On the technical side, we had so much to do that we just had to get back to work.
Aydar: Management portrayed it more as a negotiation tactic, more than any major threat. It wasn't anything we were going to be able to control. In my mind, I was just sticking to Shawn's original vision of, "Let's build a really good product that would be valuable to everybody." And it might take some time for everybody to see the value in it, but once everybody sees it, then any issues would go away.
Richardson: We got sued several times. The songwriters sued us too. They sued me personally, by sending something to my home address. And that scared the shit out of me. I had finally made enough money to buy a really nice home in Palo Alto, and all of a sudden, boom. All of it could be gone.
Pulgram (Napster's attorney): The first job was: keep Napster open. The RIAA had sought a temporary restraining order, wanting the judge to shut down the company immediately. Our strategy at the outset was to get breathing room to prepare a defense. Get breathing room to get some funding. A key and early purely procedural victory was to get the preliminary injunction hearing essentially put off for seven months -- to get funding, to get a chance to prepare the defense.
Napster gets the hearing postponed until that summer, when it will have to fight against a preliminary injunction -- or an official judge's order -- in this case to halt Napster's service. Meanwhile, the company courts investors to help it fund its legal battle.
Brooks: We were doing the rounds of the Sand Hill Road VCs, and we had a presentation to make with Kleiner Perkins. Neither of us had ever met John Doerr and the meeting was with him and a couple of the associates. And we were told, in no uncertain terms, not to expect anything good: We would be faced by an absolute poker face. He would probably sit in a corner of a room, not react, and we would never know what he was thinking. He was unlikely to ask a lot of questions, and that we shouldn't take any of that basically as either a good sign or bad sign.
It all sounded incredibly intimidating, especially for me because it was the first time I'd ever done a financial road show in my career. And I believe it was very early in the morning, like 7:30 in the morning. We walk in and he's at the table -- and he's a huge music fan. He'd been a DJ, I believe, in college as well, just as I had. So immediately we got into a conversation about music, and the passion people feel about music. And he was animated and participatory and so excited about Napster. It was an amazing meeting. And when we left, he hugged us both. It was not what we'd been led to expect from a Kleiner Perkins meeting.
After meeting with top tier venture firms, small San Francisco-based firm Hummer Winblad -- led by John Hummer, a 6'10" former NBA center for the Seattle SuperSonics -- emerges as the surprise frontrunner, but not without a few roadblocks.
Conway: The Webby award was the award to win at the time, and the ceremony was in the Masonic Auditorium in San Francisco. One year Napster swept the Webby -- they got like 3 Webby's. And Sean Parker and Shawn Fanning walk out of the ceremony ecstatic. Going into the night they thought we were getting funded by Hummer Winblad, and during the ceremony Hummer Winblad pulled out of the financing. And this is when the company was out of money. They had spent all of the angel money. So I corralled them and we stood in the corner of this huge party and tried to figure out how to put the financing back together. And we were successful. That was a Thursday night, and by Monday Hummer Winblad had reengaged and funded the company. Otherwise the company would have gone out of business that weekend. But no one knew it. And Hummer Winblad didn't know it either. We didn't tell them how out of money we were.
After much debate, Hummer Winblad officially comes aboard. With anticipation to the lawsuit building, Napster becomes even more high profile.
Brooks: The press could say anything they wanted about us. We thought, just say "free music" and print the URL.
Richardson: One of my friends says it was like doing three years of work in nine or ten months. It was insane. You did not know if Howard Stern was going to call. I mean, one time it was, "Howard Stern is on the phone, he's looking for Shawn." Then the next second, a friend of mine -- who's a respected venture capitalist -- calls and says, "Eileen, I just heard that the CIA is coming. They're going to confiscate all your laptops," And I'm just like, "What? This is insane." In one hour, you get both of those calls.
Musical artists become divided over Napster. Leading the two camps are the anti-Napster Lars Ulrich, drummer for heavy metal band Metallica (who also sued Napster separately) and pro-Napster Chuck D, frontman of hip hop group Public Enemy. The two even debate the topic face-to-face on Charlie Rose's talk show in May 2000.
Chuck D: I applauded what Shawn Fanning was doing 185%. It was a cause. I thought he was the one-man Beatles. I thought what he had done with Napster was one of the most revolutionary things ever done in music, period. 'Til this day. And I wanted to support that. I wanted to be somewhere around that.
To me, I thought that artists had no clue what the fuck was going on. I'm not saying that about Lars. I think Lars very clearly knew what was going on. But many other artists didn't give a fuck [to find out]. They were in a haze.
Richardson: It was really cool meeting the artists who got it. But I also had to sit across a stage from Jimmy Page [guitarist from Led Zeppelin], who hated my guts, at some conference in New York City. It was me, Jimmy Page, Chris Robinson [singer from the Black Crowes], and another Internet CEO. The organizers came into the green room and said, "Internet CEOs, get out. The stars are coming in." And we had to sit outside in a hallway on boxes.
Rosen: I was always getting calls and compliments and thanks from artists -- even artists that went out in the press and said, "Oh yeah, I think Napster is so cool." Tom Petty's people were calling to get his music offline, then he was quoted in Billboard or something saying how great he thought Napster was. But that's how it works. We expected that.
On May 24, 2000, the House Small Business Committee meets to discuss the popularity of online music services. Chuck D is one artist who speaks in support of Napster. He even writes an op-ed in the New York Times declaring Napster "a new kind of radio."
Chuck D: My job was to try to keep their name out there. I wanted them to be such a big, major part of the industry. I wanted them to be the new industry. I was just down with that revolution. And it is a revolution. Just, at the end of the day, these same lawyers and accountants are meddling in that shit.
Soon changes abound at the company. Eileen Richardson -- who says it was her intention only to serve as CEO for a few months anyway -- resigns, though some attribute it to pressure from Hummer Winblad. Hank Barry, a partner at Hummer and a lawyer by trade, becomes Napster's new interim CEO.
Hank Barry: A lot of people comment that it was unusual that I was a lawyer and I had this operation or role as the CEO. But it's also true that the legal controversy around the company was their biggest operational issue. So my main goal going in was to try to help them both to operationally get the business to a businesslike setting and negotiate with the record companies, while at the same time defending the litigation.
Richardson: I was leaving anyway, but it could have been on better terms. I was kind of glad to wash my hands at that point. There's nothing else I can do but tell you how I feel.
Brooks: The management style was much more hands off when Hummer came in and Hank became the CEO. A lot of Hank's attention was on the legal actions. He wasn't there a lot of the time. A lot of the employees didn't really get a chance to know him at all. And that's a really strange feeling, especially when you're used to a really effusive, bubbly CEO. And that switchover, it wasn't really a friendly switchover.
I think people felt really out of touch. Decisions were being made at the management level that the rest of the company didn't know much about. And that made people feel disenfranchised, and it also made people feel scared, because they did not know. There were people who would say to me, "Wow, all I know about what's going on in the lawsuit is all I read in the news."
Kessler: When Hank Barry came on board, he, for whatever reason sort of treated some information on sort of an as needed basis, so there were a bunch of things that only executives would be involved in and not the whole company. So it was interesting to be privy to some but not necessarily all of the goings on.
In the case's discovery process, when each side gathers evidence, an early internal email written by Sean Parker catches the eyes of attorneys: "Users will understand that they are improving their experience by providing information about their tastes without linking that information to a name or address or other sensitive data that might endanger them, especially since they are exchanging pirated music." (Provided to Fortune by Frackman.)
Frackman: Buried in those documents was this email. And I believe that was the email that we blew up for this hearing, and provided to Judge Patel [the case's eventual judge].
Knowles: I remember thinking, "How many cases do you have an email that's essentially a confession?"
Pulgram: That was an awfully dark day. Because you see the way that 18-year-olds writing about this piece of software was going to play out. The way it was going to be scraped off the page and into the record. No good could come out of those statements no matter how early and anticipatory they were.
As the court date nears, the Napster team prepares for depositions -- out of court testimonies from each of the witnesses, including former employees.
Richardson: They were two full, solid days. I remember doing really well the first day. And [Pulgram] was like, "Wow you're amazing." Because I've got a big mouth, and he thought I'd be saying a lot of stuff or whatever. It's hard to go through those. Imagine eight hours of all that legal, formal bullcrap. But then by the second day, I started getting really comfortable and making jokes. And he goes, "Can I talk to…I'm going to talk to my client right now." And we stand outside and he says, "What the hell are you doing?" And I say, "What do you mean?" He says, "Answer the question: Yes. No."
Brooks: I remember I had just gotten a puppy. And this puppy went everywhere with me. It had abandonment issues. So I would fly back from LA to my rented apartment in San Mateo, and I go to the depositions. And I would sneak this puppy into these law offices.
Pulgram: It was a lot of long weekends in hot office buildings with air conditioners not functioning on Sundays spent getting ready for stuff. When you go back and look at the fact that you're talking about 19, 20, 21-year-olds, carrying the torch and being scrutinized for what they said in dorm room write-ups, you get a sense of what the company was up against. However smart those guys were, it's a little different than preparing a 30 to 40-something seasoned CEO. [Parker leaves the company soon after his RIAA deposition.]
Napster ups the ante by adding star litigator David Boies -- already famous for pummeling Microsoft in an antitrust case -- as the company's lead attorney.
Barry: David Boies wasn't at the office when we first called his law firm. His kids told him that he needed to take the case. There was a sense that this was going to be a protracted legal battle. I thought going in these were going to be important legal questions that generally take a long time to sort out. So I was trying to build a legal team that could scale and be around for a long time.
On June 26, 2000, the case goes to San Francisco district court, presided over by Judge Marilyn Patel. There is a circus atmosphere at the courthouse.
Knowles: Judge Patel had a courtroom that was really quite small -- her regular courtroom. And it was clear that there was going to be huge attendance and media coverage, so there was an overflow courtroom with a feed. I don't remember if there was video and audio, or just audio. There was huge anticipation for this.
After hearing arguments, Judge Patel takes a short recess and returns to the courtroom. She rules in favor of the record companies, forcing Napster to take down all copyright infringing material from the service. The ruling surprises everyone -- not because of the decision itself, but how quickly she comes to it.
Knowles: She disappeared for a while and then she came back and said she was going to rule. And everybody was like, "Really? You're going to rule?"
Frackman: I was caught by surprise because afterward she turned to me and said, "Mr. Frackman, when do you suggest that this injunction become effective?" And I started to walk from the counsel table, and I was looking up, as it turned out, at the clock, trying to stall for time. And Judge Patel said to me, "Well I see you're looking up at the clock, and not at the calendar." And I replied to her, "Yes your honor, I think it should become effective immediately."
Rosen: I remember being surprised by how many cameras were there. And I think CNN took it live. I was surprised by that. That was before I was in cable news. [Rosen has been on CNN as a pundit.] I don't know what they cut away from. But they took the verdict and our press conference live as soon as we got out of the courthouse.
Knowles: The group of lawyers and clients from our side went to the Jardinier, a restaurant in the Civic Center that had a piano in it. My colleague Julie Greer, who was a musician in a former life, was there too. I told her Cary Sherman, the head of the RIAA, is a pretty accomplished pianist. I said, "You guys should play and sing." She said, "No way!" I said, "Here, have a martini. Let's do it."
Julie Greer: We did a couple of jazz standards. One of them was a Billie Holiday song, "God Bless the Child." I think I sang two and then the restaurant guys made us stand down. We were distracting the patrons.
Brooks: Info@napster.com and email@example.com both came to me, which caused a lot of havoc with my laptop and killed one of my Blackberries. I literally saw it fizzle in front of my eyes. It was the day the injunction came down, and I foolishly had forgotten to not forward those mailboxes to my Blackberry. This was the first Blackberry, the little thing that looks like a pager. We got something like 10,000 emails in a minute. I was meeting with Hank Barry and another investor. And there's my Blackberry sitting on the table between us, and it started to do that little hop-vibrate thing across the table that the old Blackberries did. And it hopped and it hopped and it buzzed and it buzzed, and all of a sudden it basically flipped over on its back and gave up the go. And it never worked again. It was a hilarious moment in device history.
Napster's legal team quickly gets to work on an appeal to the Ninth Circuit of the Supreme Court, asking for a chance to overturn Judge Patel's decision. The company meanwhile talks about next steps.
Kessler: I remember discussing with some of my fellow employees, maybe we should go into used CD swapping, basically building an online market for used CDs, things like that.
Barry: I was at the venture firm office, and we were having a conference call with David Boies and others about how to shut down the company. I think Eddie was on the phone. The lawyers were in a conference room. We were going back and forth about how mechanically to do things, and one of the lawyers said, "Hey, wait a minute. There's no reason for this phone call to continue."
Pulgram: Someone runs in with a copy of the Ninth Circuit's order, staying the injunction, stopping the shutdown, and keeping jobs of all those people who were working, keeping the company alive. It was as ecstatic and relief-filled a moment as I've had practicing law for 25 years.
Aydar: It was euphoric when we got the stay. Shawn was really excited. He practically tackled me, he was so excited. It was a big deal. We thought that we turned a corner there. But it didn't turn out that way.
Barry: I left the venture firm and drove down to the company. I got there and there was somebody from Fortune there--somebody already scheduled to be there, who was writing an article, and just happened to be there that day.
Ritter: The stay was exuberance. It was rejoicing. It was dancing. There was actual nerd dancing. It was a great deal of wiping the brows.
I was not that happy. And I didn't fully understand why. So I smiled and I high-fived and did whatever. But it was different for me than I think for most others. It didn't seem like it was over. Someone fired a bullet at us, and missed. They still had ammunition. They were still accumulating guns, metaphorically speaking.
Meanwhile, the music industry reacts.
Frackman: The way I used to describe it to people was that I had barely put my tooshie down on the chair when the Ninth Circuit granted the stay.
The appeal means the company has another six months to keep operating and bolster its defense. User numbers balloon as media attention reaches a fever pitch.
Kessler: Those were crazy times. Basically, it went from thinking we were going to shut down immediately -- that we were going to have to find jobs for the employees -- to the realization that we weren't going to have to shut down, at least right away. We had this incredible amount of publicity. From a technical side, that got us refocused on getting the service running.
To drum up goodwill, in July 2000 Napster throws a free concert tour with rap-rock band Limp Bizkit as headliner -- a rare occurrence of successful "dealings" with the music industry.
Brooks: I had one conversation with Jimmy Iovine [founder of Interscope Records, Limp Bizkit's then-label]. He didn't explicitly endorse it. I said, "You've got to be thrilled that this tour is happening a few months before this major album release." He laughed and he didn't say anything. The attitude from the label was: We don't know that you're doing this.
Barry: We were in the process of talking to everyone -- Universal Music, et cetera. We had lots of meetings, principally with Edgar Bronfman [then-head of Vivendi], who had sort of taken the lead on behalf of the labels.
Pulgram: I think Hank was always trying to get to a deal, and the record companies were never willing to entertain one that was realistic from the prospects of the company.
Rosen: By the time the litigation was filed and Hummer Winblad brought in Hank, it was almost too late from that moment. But Hank gave it a valiant try to come up with a licensing structure. But he came close. He came close.
On July 12, 2000, the Senate Judiciary Committee holds a hearing to discuss intellectual property rights and the Internet. Senator Orrin Hatch presides, and representatives from all sides attend, including several musicians.
Barry: Manus Cooney [then chief counsel for the Senate Judiciary Committee, and later a Napster employee] called, and he said, "We want you to come and appear at this hearing." And I thought, "Oh my gosh, this is not good." So I said, "Who else is going to be on it?" And he mentioned Roger McGuinn from the Byrds, and I always wanted to meet Roger.
For both Napster and the record industry, the stress of the lawsuit takes its toll.
Brooks: We were really becoming a company of litigation, and not an innovative, disruptive technology company, which is what we wanted to be, and what we were born as. This is the part where I get sad.
Frackman: It was the only time I'd ever traveled with my wife and we had separate rooms. I had my own room because I had boxes and boxes full of stuff. Every evening, I would continue to refer to materials.
Knowles: I remember sitting there at my computer and realizing I'd exchanged literally hundreds of emails in a day with all these other lawyers for one case. It was all just very intense.
Kessler: I'd never worked at a company where every day on the radio on the way in, on this 45-minute drive in, I'd be hearing about Napster the whole way up. And then every other day there's an article about your company on the front page of the New York Times. This was very unusual. And I now work at Google, so I'm now getting a little bit more used to it. But back then it was really odd for me.
To deal with the overwhelming press scrutiny, Napster brings in Ricki Seidman, a consultant with TDS Communications, who previously served as White House deputy communications director for the Clinton administration.
Ricki Seidman: One of the most interesting things to me, looking at it from 30,000 feet even at that time, was that the intense pressure on Shawn Fanning and Hank was, at points, at least as much as the president might get on a day-by-day basis.
By the end of summer 2000, morale is waning at the company, and the team does what it can to lift spirits.
Brooks: During the Limp Bizkit tour, we threw a picnic in the back parking lot, rented an old school bus and just carted our employees to see the band in San Jose. They got to meet the band backstage. Depending on the age of the employee, either the employee was excited about it or their kids were. I had been there a while and had really begun to see the change. Somebody came up to me and told me my title should be chief morale officer.
Aydar: It was one of those things that was very slow and happened over time. The longer it went, the more it became apparent that, yeah, this might not work out. It was hard to keep up spirits.
Kessler: Sometimes my 3-year-old daughter would come up to the office. We had a full drum set that Hank [who was a former musician himself] had donated and brought in. And so Emily -- that was my daughter's name -- would sometimes go up there and she would sit at the drums, and beat on the drums and have the greatest time.
As the possibility of actually shutting down sinks in, the team realizes another unsettling outcome: What if we actually win the lawsuit? Their idea is to turn the business into a paid subscription model.
Brooks: When we bought Macster -- Napster for the Mac -- their interface was so much better than ours. We had just never put our energies into creating that better, gooier user interface. Everybody really wanted to.
Our idea was, if we want to survive, we have to keep as much of our user base as possible. In order to do that, we needed them to keep the client [software application] on their desktop, so we could turn this back into a music distribution business. What really bothered us was we were trying to win this battle and we had absolutely no plan for what we were going to do if we did.
Aydar: All the while, the licenses from the labels hadn't been procured. And management was assuring us that those licenses would be procured and they would be in place in time, and the only thing to hold it up was our ability to build a service. So we built a service. And it didn't launch. People felt like we had worked really hard. We had done our part to get everything in line. I don't blame management for not being able to get the licenses. It was not a time where the labels were willing to give licenses to a service called Napster.
On October 2, 2000, Napster and the record industry argue over an appeal in front of a three-judge Ninth Circuit panel. Coincidentally, one of the judges on the panel had ruled in Frackman's favor during his swap meet case five years before.
Frackman: Lawsuits always take twists and turns, or frequently do, and this was one of them. In a sense I had been preparing for this case for basically my whole career.
Conway: After the first Ninth Circuit court hearing, here in San Francisco, there was a massive press conference, and lots of people speaking at the mic. And Shawn Fanning is very, very shy -- never wanted to get near the mic. So I kind of stood in the back with him listening to everybody. And the reporters obviously really just wanted to hear Shawn Fanning. But he was in the back and happy to be in the shadows. And he was very proud of himself because he wore a suit for one of the very first times, and he had to borrow a suit. And we were laughing because the pants were too long and were dragging on the pavement. So it shows that in the middle of all this hoopla -- and there had to be a hundred cameras there -- Shawn was unaffected enough to be proud of the fact that he put on a suit.
In a stunning move on Halloween 2000, German media company Bertelsmann -- which owns the record label BMG, and had been one of Napster's great adversaries -- announces an alliance with the company, reportedly giving it a $20 million loan.
Rosen: The rest of the companies were pissed. Bertelsmann called me before the announcement and said they were doing it. And I think Middelhoff was looking to do two things. I do think he thought he was going to get them legal, as it were. But I also think he thought he would make a lot of money from it. And I knew that the minute Bertelsmann did that, that the other companies would never license it.
I remember Thomas Middelhoff called me up and told me what he was doing, and then Strauss Zelnick [then Chief Operating Officer of BMG] called me up and said, "I cannot fucking believe that Bertelsmann is doing this."
Thomas Middelhoff (then-CEO of Bertelsmann): The reaction was surprising. Because we thought -- and I especially thought -- that I could convince the other record labels to join us, because we were open to such a venture between Bertelsmann and the other major labels in the music business. But their perspective was: This is a power game -- especially Universal's position. It was, "We are the biggest record company in the world. We have to own the biggest part of it, and not Bertelsmann." And surprisingly enough, in the end, we couldn't come to terms with the other major music labels.
In February, Napster and Bertelsmann make headlines again by holding a press conference in which they offer the record industry $1 billion to settle the case. The music labels balk at the offer.
Barry: In private, the record labels were looking at [our proposals] and having quite civil discussions. But in public their statements were, "Well, Napster doesn't have any business model. Napster doesn't know what it's doing," And so when we got to February, we said, "Let's have a press conference and let's just go through all of the modeling that we were showing to the record labels in a way that people would understand that we were doing things in a very serious, businesslike way." I was not a fan of the billion dollar offer. I was afraid of exactly what happened: that it became the focus of attention.
Rosen: I think it was Grammy week, so we were all in LA. Look, a billion dollars was significant. At the time it was a $35 billion industry -- a billion dollars was somethin'. But I think that Bertelsmann had so burned bridges at the time and people didn't trust their negotiators that I don't think it was ever taken seriously.
On February 12, 2001, the Ninth Circuit rules. The panel upholds most of Judge Patel's decision, siding with the record companies. Frackman is at RIAA headquarters in Washington, DC, to hear the decision with his clients. Julie Greer (the young lawyer who sang at the restaurant the night of the first ruling) is tasked with picking up the written decision from the courthouse and relaying the news to the rest of the music industry's team.
Greer: When I got there in a cab, there were reporters lined up with cameras et cetera. So I dressed down because I didn't want anyone to know I was a lawyer. I wore jeans and a t-shirt. I didn't want to get mobbed by reporters when I came out. I just wanted to be under the radar.
Knowles: Our opposing counsel [Pulgram] was down there doing the same thing. So [Greer] just sat there on a bench at the courthouse flipping to the end of the decision, with her opposing counsel right next to her doing the exact same thing. Both of them on their cell phones, with several people on their side of the case going, "What's the decision?"
Frackman: There was a whole pile of us in the conference room as the opinion was being I guess in those days faxed through to the RIAA offices and being distributed. And the television was also on. And I can't remember whether we saw the opinion first or we heard the news on the TV that we had won. The reaction was: Break out the champagne.
Rosen: I remember we very quickly arranged a press availability. I think we went over to the Four Seasons.
For Napster, the mood is somber.
Brooks: I think for most of us it was obvious we were going to lose on some level, just because copyright law was so woefully inadequate in terms of addressing the Internet. Simply in terms of that, no judge was just going to let us do what we were doing without some kind of, at the very least, firm slap on the wrist. It just wasn't going to happen, because then it was just going to become the Wild West.
The case is finally over, but it had been fraught with emotion the entire way.
Rosen: I remember being outside a courtroom in San Francisco, and Shawn Fanning and I were both in a hallway. And you couldn't help but admire him from afar, and like him, and even like the way he handled himself during the whole huge amount of publicity that rained down on him. We had both been interviewed by Charlie Rose the week before, and Charlie had told me what a nice person he was. And we found ourselves awkwardly together at one point in the hallway outside the courtroom and started talking. Our conversation was basically, "How did it come to this?" And we were both sort of lamenting what felt like the inevitable future of this great technology. I could definitely feel his sadness, and I knew he felt mine. It was sort of a private depression among us.
Frackman: I don't know whether this is apocryphal or not, but after the second preliminary injunction hearing, when David Boies got on a plane to go back home, he was greeted with a round of applause. Other than from my own clients, I don't think I was ever greeted with a round of applause based on anything that happened in a lawsuit.
Knowles: It had been very hard fought, adversarial. It wasn't like it is now where people would be more likely to come to the table, and there might be some deals and there might be some posturing, but people know the lay of the land. This was a brand new thing, and there was a lot of emotion around it.
Frackman: My son was in high school then, and he was in a technology club. He asked me if I would talk to the club -- a group of high school kids. Not the most receptive audience. As it turned out, it was an interesting talk. They were not combative, but they were not happy. And as I finished speaking, I said, "Come on up if you have any questions." And I saw this high school kid kind of shuffling up toward me with his head down. And he looked at me, and I remember this, he said, "The end of Napster is the end of the world."
IV. THE SHUTDOWN
When Judge Patel initially ruled against Napster, she didn't explicitly order a shutdown. Instead, she ordered that all copyright-infringing files be taken down from the service -- a herculean task that would leave the service barren. In a last ditch effort, Napster tries to take down all infringing material in hopes of keeping users around long enough to transition them into a paid subscription model.
Kessler: We met with the technical team and they basically said [taking down all infringing files] is not possible. We can't do this. Then I went home and did some thinking, and I wrote some notes on a napkin and said, "No I think there may be a way here."
We built an editorial system where we could manually enter alterations. We hired probably 50 temps to come in and search for all these filenames and song titles from a list that the RIAA and labels had given us. So they would type these queries into the system, and if they found them, they would enter whatever variation in names they found into the system. Then we included those [in the RIAA's blacklist] as well.
The team works with Gracenote -- a metadata company with a database full of artists' names and common misspellings -- to purge Napster's index of filenames.
Stephen White (then-contract worker at Gracenote, now President): The band Aha was a big one. They had a lot of different spellings -- capping the "A," or adding a hyphen or a space.
Even with the new filtering efforts, clever users still manage to get infringing files onto the system.
Barry: Rather than put the company in a position where people could be at risk, we stopped the sharing.
Kessler: If the requirements are that there can be absolutely no infringing content ever, I can get it as close as possible, but I can't guarantee that there isn't one piece of infringing content. We said, we basically don't have a choice, and we shut down. It was really a tough decision, and a tough day.
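A sketch of the filename filtering described above, written as an added example (not Napster's or Gracenote's code): an exact-match blocklist beside a normalizing one that is also fed a table of known alternate spellings, run over a constructed share index. The blocklist entries, variant spellings and filenames are all invented for illustration; the last two sample files show why Kessler could get "as close as possible" but not to zero.

```python
"""
Added example, not code from the original article: compares an exact-match
filename blocklist with a normalizing one over a constructed Napster-style
share index ("Artist - Title.mp3"). All data below is invented.
"""
import re
import unicodedata

# Constructed stand-in for the (artist, title) list the labels supplied.
BLOCKLIST = [
    ("a-ha", "take on me"),
    ("metallica", "enter sandman"),
]

# Constructed stand-in for the Gracenote-style "common misspellings" table.
# Only spellings that normalize() alone cannot reconcile need to be listed;
# casing, hyphens and spacing are handled by normalize().
ARTIST_VARIANTS = {
    "a-ha": {"aha"},
    "metallica": {"metalica", "mettalica"},
}

# Constructed share index: four infringing names in different spellings,
# one re-tagged title and two files that do not follow the naming convention.
SAMPLE_INDEX = [
    "a-ha - Take On Me.mp3",
    "AHA - take on me.mp3",
    "A Ha - Take on Me.mp3",
    "Metalica - Enter Sandman.mp3",
    "Metallica - Enter Sandman (live).mp3",  # title changed: not in list
    "track01.mp3",                           # no artist/title at all
    "Some Band - Some Song.mp3",
]


def normalize(text):
    """Case-fold, strip accents, turn any non-alphanumeric run into one space."""
    text = unicodedata.normalize("NFKD", text)
    text = "".join(c for c in text if not unicodedata.combining(c))
    text = re.sub(r"[^0-9a-z]+", " ", text.casefold())
    return " ".join(text.split())


def parse_filename(filename):
    """Split 'Artist - Title.ext' into (artist, title); None if no separator."""
    stem = re.sub(r"\.[A-Za-z0-9]{2,4}$", "", filename)
    parts = stem.split(" - ", 1)
    if len(parts) != 2:
        return None
    return parts[0], parts[1]


def is_blocked_exact(filename, blocklist):
    """Naive filter: lowercase exact match against the supplied list."""
    parsed = parse_filename(filename)
    if parsed is None:
        return False
    wanted = {(a.lower(), t.lower()) for a, t in blocklist}
    return (parsed[0].lower(), parsed[1].lower()) in wanted


def build_index(blocklist, variants):
    """Expand each blocklist entry into every normalized artist spelling."""
    blocked = set()
    for artist, title in blocklist:
        for name in {artist} | variants.get(artist, set()):
            blocked.add((normalize(name), normalize(title)))
    return blocked


def is_blocked_normalized(filename, blocked_index):
    """Filter after normalization plus known variants."""
    parsed = parse_filename(filename)
    if parsed is None:
        return False
    return (normalize(parsed[0]), normalize(parsed[1])) in blocked_index


def filter_index(filenames, blocklist, variants):
    """Purge the share index; returns (kept, removed)."""
    blocked = build_index(blocklist, variants)
    kept, removed = [], []
    for name in filenames:
        (removed if is_blocked_normalized(name, blocked) else kept).append(name)
    return kept, removed


if __name__ == "__main__":
    idx = build_index(BLOCKLIST, ARTIST_VARIANTS)
    for name in SAMPLE_INDEX:
        print(f"{name!r:45} exact={is_blocked_exact(name, BLOCKLIST)!s:5} "
              f"normalized={is_blocked_normalized(name, idx)}")
    kept, removed = filter_index(SAMPLE_INDEX, BLOCKLIST, ARTIST_VARIANTS)
    print("kept:", kept)
```

The exact filter catches only the first file; the normalizing filter catches four, but a re-tagged title or a file with no artist/title still passes, which is the residual the text describes.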
On July 1, 2001, Napster shuts down its service.
Aydar: By the time we ultimately turned everything off, we had not only been beaten down and demoralized -- and our integrity had been questioned in a public court regarding the filters and their efficacy. So by the time we shut it off, it was like, "Good riddance. Shut it off."
I don't remember the particular day we shut it off. I know I'm the one that shut it off. To be honest with you, I don't remember. Maybe it's just one of those things you block out. I don't actually remember doing it, though I know I did do it. I've been told I did it.
Kessler: We had a set of servers that would redirect traffic from the Windows and Mac applications to a specific backend service that would run the Napster back-end. What we did basically was take those front-end servers offline, so the clients could no longer connect up to the back-end. We then powered down all the back end servers. We did it from the office, then later went to the data center to make sure everything was turned off.
Turned out, we found out accidentally sometime later that one of the servers that had been turned off had accidentally been turned back on. So there were a few users that had found a way to -- not using our normal software -- access that server.
When we decided to shut down it was the end of an era. We had a company meeting and people asked questions. They were frustrated; they were bummed. But I think in general they respected that we had done the right thing.
Without its product, the company is a carcass. By 2002, Napster is on the brink. It is up for bankruptcy and goes on sale for liquidation. Hank Barry is replaced as CEO by Bertelsmann employee Konrad Hilbers, and Middelhoff is replaced by Gunther Thielen, another longtime employee for the German company. Bertelsmann, in fact, emerges as a potential Napster buyer, but that acquisition deal crumbles and is blocked by the courts, citing conflicts of interest.
One by one, each original executive leaves until only Shawn Fanning remains. He finally leaves in 2002 to found Snocap, a legitimate digital content registry. Roxio, a small computer hardware company, eventually buys the company's assets, and re-launches as a tepid subscription service. Ownership changes hands twice more after that -- first the electronics retailer Best Buy purchases the company, then finally, in 2012, Rhapsody. Last January, the digital music competitor bought the brand, absorbed its 8 million users, and finally silenced the once-boisterous blare of the company, by then just an echo.
Over a decade later, the players in this story still carry around the weight of the experience. Asking what went wrong is an exercise that falls somewhere between prudent and masochistic, but some at the company think the problem stemmed from hiring.
Sean Parker (Napster co-founder): [Speaking at Le Web conference in Paris in 2011] We hired all the wrong people. We hired the people that were really not competent executives. But I was too young and naïve to distinguish between a competent, seasoned executive, and someone who just had a whole bunch more experience than I did and was able to communicate in a polished way, and impressed me. And Shawn Fanning and I were both easily impressed at that moment in time. And as a result, we hired a lot of really crazy people.
Ritter: At a meta level, if we had better people involved from the beginning, we would have had a different outcome. If there had been less turmoil and drama and tragedy, the company would have been better able to focus on its external enemies. Unfortunately, it had a lot of internal strife -- outside the engineering culture, which drove everything. You would think the truly fastest growing Internet startup in the world would attract the best people. But it did not. It attracted the worst people.
Since the original service's shutdown, the technology world has made a few inroads with the music industry. On April 23, 2003, Apple launched the iTunes Music Store. On July 14, 2011, the on-demand music service Spotify opened for business in the United States. But many still lament the loss of Napster's unbridled possibility, while others are just happy to have been a part of it.
Rosen: This word "innovation" is thrown about a lot. And that's because folks who work in technology are used to obsolescence. But you don't tend to feel that the best Bob Dylan song will ever be obsolete. Or that you're going to get the Bob Dylan 2.0. There are certain timeless things that you want to keep going. Steve Jobs used that analogy with me once. And of course it was a Bob Dylan reference.
Pulgram: The opportunity to take the power of this and harness it was one of the great lost opportunities for the music industry. That early energy, that value of the user generated nature of this, that charisma was something they were ultimately set on destroying. The alternatives haven't played out nearly as well.
Frackman: It gave me a videotape of myself arguing in the Ninth Circuit, which I have never looked at. But I intend to pass it onto my grandchildren when I have them.
Chuck D: Lars brought his two sons out to a concert we played in Aspen. We talked. It was a good talk.
Ritter: The saddest thing was not being able to use Napster. Why? Because of principle. Because it would be. Fucking. Stupid. I was not going to be the guy -- and no one on my team would be the guy -- that sunk the company for potentially infringing. There's a whole avenue of legal shit that could be foisted on us, and was, for using it.
Aydar: The early days are where the fond memories are. Work was fun for us. It's hard to look beyond the work because it was fun for us. It's hard to replicate. You've got some skills and talent. You're making an impact with these people who are your friends.
Ritter: I've often likened it to that epic bender in college. You go out and rage and you party and there's all this crazy shit that you're seeing. People doing crazy shit, and you're a rock star for a night. And then you come home. And you wake up at 1 o'clock in the afternoon the next day. And you slap your forehead with this killer headache. And you groan, oh what just happened? And the experience alone is the value for me.
Richardson: I remember talking to Shawn Fanning later. After everything, after they'd gone bankrupt. And I said, "God, just maybe if we had done some stuff differently, we could have made it." And he said, "Eileen, we didn't stand a chance. There was no way on earth that the RIAA was not going to make an example out of us. They had to."
Rosen: I guess I would be surprised if the overarching sentiment for a retrospective of Napster wouldn't be regret, from all sides. Many would argue nothing has been as cool since, right?
Brit Music Body BPI Lobbies Hard for 'UK File-Sharers Database'
Virgin Media brands plan 'unworkable', TalkTalk says 'our customers come first'
Britain's biggest ISPs are in talks with copyright-holders to find ways to nag broadband subscribers about illegal file-sharing or downloading that may have happened on their connections.
But plans apparently tabled by the British Phonographic Industry (BPI) that include maintaining a database of customers whose IP addresses are pinpointed have already been labelled as "unworkable" by Virgin Media.
The Register understands that telcos and music execs are looking at the possibility – once again – of a voluntary letter-writing campaign addressed from ISPs such as TalkTalk, BT and Virgin Media to inform their customers where illegal file-sharing activity has been detected.
But the BPI wants to take the process one step further by keeping a record of which subscribers had already received such a missive. Presumably that information could then be used to build a case against repeat offenders.
It's unclear, however, if such a database would comply with current UK data protection law. At present, ISPs say they only maintain records that allow them to provide the agreed services to customers, but nothing more than that.
Virgin Media said:
Music and film companies are speaking to broadband providers about how to address illegal file-sharing but what they’re currently proposing is unworkable.
TalkTalk offered us a slightly more nuanced statement:
We are involved in discussions about measures to address illegal file-sharing and ultimately would like to reach a voluntary agreement. However our customers' rights always come first and we would never agree to anything that could compromise them.
The BPI declined to comment on the matter when asked by The Register. But a spokesman at the music industry lobby group had earlier claimed to the Guardian that the BPI had Prime Minister David Cameron's support. Specifically on the 2010 Digital Economy Act, the flack said:
[We] will discuss with government the need for swifter action to reduce online copyright theft, improve consumer awareness of legal services and make the UK the leading digital economy in Europe.
The Graun reported that Cameron will chat to the BPI and other music industry players about online piracy during a breakfast meeting at Number 10 next week.
In June this year, Whitehall confirmed that letters flung at broadband subscribers warning them that stuff has been downloaded illegally on their connections could not be enacted under the DEA for at least two years, which would push notification provisions beyond the 2015 General Election.
"That’s how long we think it will take to implement the mass notification system in the DEA," the Department for Culture, Media and Sport told us at the time. It added: "We’re currently making technical changes to the cost-sharing statutory instrument. These changes will not impact on the overall effect of the legislation."
Kim Dotcom Resigns Mega Directorship
Flamboyant internet entrepreneur Kim Dotcom has resigned as a director of his Mega data storage empire to focus his efforts on fighting extradition to the United States and on other projects.
Dotcom resigned as a director of Mega on Aug 29, and was replaced by Hong Kong-based Bonnie Lam the same day, according to filings to the Companies Office.
Dotcom staged a full-scale global media launch for Mega last year to replace Megaupload, his previous venture which was shut down in a US-led operation that alleged the file-sharing firm and its owners had committed mass copyright infringement and money laundering of more than US$500 million. Tony Lentino and Mathias Ortmann are still on Mega's board.
Mega chief executive Vikram Kumar told BusinessDesk in an emailed statement Dotcom resigned "to be able to focus on the extradition case, an upcoming music website, and to build a political party."
Dotcom doesn't hold any directorships in New Zealand, and has one direct shareholding in RSV Holdings, according to Companies Office filings. His wife, Mona, is a director of Mr KimDotcom Ltd and a director and shareholder in MD Corporate Trustee Ltd, the biggest shareholder in Mega.
Earlier this week Dotcom told followers on Twitter he planned to launch a political party in New Zealand, with the next election likely to be near the end of next year, and has previously signalled plans for web-based music service called Megabox.
Dotcom and his co-accused Finn Batato, Mathias Ortmann and Bram van der Kolk have taken their case to the Supreme Court, seeking access to evidence in the US Federal government's case to extradite them, and are awaiting a decision.
The District and High Courts upheld their request for a trimmed down disclosure, though that was overturned in the Court of Appeal earlier this year.
Dotcom's high profile arrest in January last year led to an overhaul of New Zealand's external spy agency, the Government Communications Security Bureau, after the intelligence unit unlawfully intercepted his communications. At the time of the surveillance, the GCSB wasn't allowed to spy on New Zealand residents and Dotcom had been granted residency.
The government has since tweaked the law governing the spy agency, allowing it to act on behalf of the domestic spy agency, the Security Intelligence Service, the police or the Defence Force.
Ministry of Sound Sues Spotify for Copyright Infringement
Lawsuit focuses on playlists created on streaming music service that mirror dance brand's compilation albums
Dance music brand Ministry of Sound is suing Spotify for copyright infringement, claiming the streaming music company has refused to delete users' playlists that copy its compilation albums.
Ministry of Sound launched proceedings in the UK High Court on Monday, and is seeking an injunction requiring Spotify to remove these playlists and to permanently block other playlists that copy its compilations. The company is also seeking damages and costs.
Chief executive Lohan Presencer claims that his company has been asking Spotify to remove the playlists – some of which include "Ministry of Sound" in their titles – since 2012.
"It's been incredibly frustrating: we think it's been very clear what we're arguing, but there has been a brick wall from Spotify," said Presencer.
A Spotify spokesperson confirmed to the Guardian that it had received the lawsuit, but declined to comment further.
While Presencer is known to be no fan of Spotify according to industry sources, the lawsuit came as a surprise to the company. The Guardian understands that Spotify has held talks in the past with Ministry of Sound about licensing tracks from its label division, albeit without a deal being struck.
The case will hinge on whether compilation albums qualify for copyright protection due to the selection and arrangement involved in putting them together. Spotify has the rights to stream all the tracks on the playlists in question, but the issue here is whether the compilation structure - the order of the songs - can be copyrighted.
Similar arguments featured in a high-profile case in 2010, when the High Court ruled that the English and Scottish football leagues could protect their fixture lists on copyright grounds. However, this ruling was later overturned on appeal.
"What we do is a lot more than putting playlists together: a lot of research goes into creating our compilation albums, and the intellectual property involved in that. It's not appropriate for someone to just cut and paste them," said Presencer.
Playlists are an increasingly prominent feature on Spotify's service, which provides its users with a catalogue of more than 20m music tracks to stream.
Spotify's 24 million users have created more than 1bn playlists since its launch in 2008. In August, Spotify launched a new "Browse" feature to help people discover one another's playlists more easily.
"Everyone is talking about curation, but curation has been the cornerstone of our business for the last 20 years," said Presencer.
"If we don't step up and take some action against a service and users that are dismissing our curation skills as just a list, that opens up the floodgates to anybody who wants to copy what a curator is doing."
This hints at the wider context for Ministry of Sound's lawsuit, as its compilations business adapts to a new world of streaming music and user-generated, shareable playlists.
The company has sold more than 50m copies of its compilations in the 20 years since it was founded, but streaming is more problematic: the vast majority of tracks on those compilations have been licensed from other labels.
"When we license our compilations, which include a lot of major-label repertoire, they do not grant us the rights to stream those compilation albums," said Presencer.
His company does have a separate label business that signs and develops artists, and owns the rights to sell and stream their music. Thus far, Ministry has not made these tracks available to stream on Spotify.
[Image: Spotify users have created a number of playlists with Ministry of Sound in their titles.]
The company's policies contrast with those of another famous compilations brand in the UK, NOW That's What I Call Music, which launched an app within Spotify's desktop software earlier this year.
However, NOW's joint owners are major labels – Universal and Sony – who are both shareholders in Spotify, and also own the rights to a significant proportion of tracks on the NOW compilations, thus earning money from streams of those tracks on Spotify.
As things stand, a Ministry of Sound Spotify app would only make money from streams of tracks signed to its label division. "Spotify only remunerates you for content ownership. It doesn't pay you if you're compiling third-party content," said Presencer.
"We've been asking them about this for the past four years, and have tried to engage in dialogue with them on how they would remunerate us for curation. They've said they don't have a structure for that in their model."
The risk for Ministry of Sound with its lawsuit is in looking like a company trying to protect its existing business model – compilation sales – at the expense of a new form of music consumption that is appealing to a growing number of people.
"Our digital compilations business is up 30% this year, and our international digital compilations business is up over 100% this year. That's double and triple-digit growth year-on-year," said Presencer.
"That doesn't strike me as being an old business model. Just because something is new doesn't mean something is good."
In a blog post published on the Guardian website this morning, Presencer went into more detail on that point, criticising Spotify's business model on the grounds that it has made sustained losses since the service launched in 2008.
A quarter of its 24 million active users currently pay for Spotify, and while the company's 2012 revenues rose 128% year-on-year to €434.7m (around £377.9m), its net losses increased from €45.4m in 2011 to €58.7m in 2012.
For its part, Spotify has said it expects to pay more than $500m to music rightsholders in 2013, taking it to more than $1bn in total payments since its launch.
The company has faced criticism from artists over the size of its payouts for streams of their music, most recently when Thom Yorke and Nigel Godrich's Atoms for Peace removed their albums from Spotify and rival services in July.
Presencer confirmed that Ministry of Sound is only suing Spotify, but said it is monitoring rivals. "We are looking at every service," he said.
"There are other services that have playlists, and when we have seen this happening – playlists using Ministry of Sound's name – when we have notified them, they have willingly taken them down. It's only against Spotify that we've hit this brick wall."
Anti-Patent-Troll Ads Launch on Radio and in Print in 15 States
Tech companies join retailers, restaurants, and grocers to get Congress' attention.
A new ad campaign focuses on the damage patent trolls can do to Main Street businesses.
Regular readers of tech news sites are used to hearing about patent trolls. Soon, though, you might start hearing about them in surprising places: like on the drive home from work.
The Internet Association has teamed up with the biggest trade groups representing restaurants, supermarkets, and retailers to launch a new ad campaign in print and radio outlets. The new campaign isn't tech-centric at all, and it emphasizes how trolls hurt "Main Street"-type businesses.
"Imagine you start the business of your dreams," begins the radio ad. "That one store turns into ten. But then you get a letter—from a patent troll. The troll claims to hold a patent on a common business practice like—"
Then an evil-sounding male voice comes in: "The store locator map on your website!" (That's the troll, get it?)
The troll asks for $100,000, and then the honest businessperson gets the message from their lawyer: even though the patent is bunk, it costs more to defend the case than to pay off the troll. "So even though patent trolls don't make anything, they get rich—while honest businesses are ruined," continues the ad. "They won't stop until Congress makes them... Tell Congress to stop bad patents and stop the trolls."
The ads are running in 15 states, including Illinois, Iowa, Kentucky, Nevada, Ohio, Rhode Island, South Dakota, Texas, Vermont, and Virginia. The hope is that the ads send a message to businesses that they should speak out about their experiences. The media campaign is a broad-based follow-up to a summer letter to Congress from a wide range of groups expressing desire for action on the troll issue.
"At this point, trolls have gotten so aggressive—frankly they've gotten greedy," said Internet Association President Michael Beckerman in an interview with Ars. "In the early stages they were going after very large companies focusing on tech and Internet. Then they found they could extort restaurants, and retailers, and coffee shops, and hospitals—now even charities are getting threatening letters."
"They've really jumped the shark—they're going to be victims of their own success," he continued. "They've enraged the entire economy, and these people have voices. They're voters and they're pillars of the economy on Main Street. A lot of businesses are scared about this and embarrassed. We want to say, you can talk to your member of Congress, you can talk to the press. It's okay to speak up."
Reformers are hoping to capitalize on unprecedented concerns about patent trolls, with Congress coming back in session in two weeks. Six anti-patent-troll bills have been introduced so far this year.
Solid Alternatives to the Cloud for Sharing Files
We increasingly use cloud-based services such as Dropbox to share information and pictures over the internet, back them up or synchronise them between desktop and mobile devices. But some people worry about privacy and the cost. Now storage device makers are trying to combine the benefits enjoyed by cloud users with the advantages of a separate gadget.
Transporter 2.0 (rating: 4/5)
Suppose you want to share lots of big files such as photos, video clips or other media with distant family and friends, but you want to keep tight control over them and avoid paying for another monthly online subscription service. You should try Connected Data’s Transporter 2.0.
The Transporter (named for its ability to “transport” files between users) provides the file-sharing, syncing, remote access and back-up benefits of online services. But it also enables users to do so without needing to store information and images “in the cloud”, in someone else’s data centre or sign up for a potentially expensive subscription service.
The basic Transporter hardware looks like a small black obelisk and costs $199 (£170 in the UK); you add a hard drive of the appropriate capacity – in my case, 500GB. Setting up a Transporter simply involved plugging it into a power source and home network, and installing the software from the web.
The latest version of the software has an improved user interface, and the ability to drag-and-drop and copy files easily to and from the Transporter hard drive from any Windows PC or Mac connected to the same network.
The software creates two dedicated folders, the Transporter Folder and the Transporter Library. Files dropped into the Transporter Folder are automatically copied and synced to all your computers (each PC must have Transporter software installed) and to any other Transporters you have set up, wherever they are. I set up a second Transporter in the office so I had a local copy at home or at work of my most important files.
If, however, you have really big files you intend only to access direct from your Transporter, you save the files in the Library Folder.
You can still share and access the files from anywhere, but they will not be taking up valuable disk space on the smartphone or tablet you are using to view your digital photo library or listen to your music collection.
You can, of course, do most of these things using a combination of cloud-based services.
But Transporter 2.0 makes it simple and easy, and, once you have bought the hardware, there are no extra costs.
Seagate Central (rating: 3/5)
Our grown-up children are scattered between Leamington Spa in the UK, New York and Los Angeles, and that presents a challenge for my wife who likes to share lots of photos with them. So I have been copying the family digital photo collection and music library on to Seagate Central, a device that can be accessed by my wife and other family members, both locally and remotely.
The Seagate Central external hard drive plugs into your home network to make it easy to organise, automatically back up and stream your digital content to any internet-connected device with a web browser.
It works with both Windows PCs and Macs and can wirelessly stream your media library – music, video and still images – to gaming consoles, media players and smart TVs. Tablet and smartphone users can access the same content remotely with a free app. Now my wife will be able to show her elderly mother in England pictures of the family pets on her iPhone when she visits.
The 4 Terabyte model I tested is a very reasonable $200 (£180). It has fewer features than the Transporter 2.0, but Seagate Central is cost-effective and easy to use.
Western Digital My Book Live (rating: 3/5)
Like the Seagate Central, Western Digital’s My Book Live Duo is a family and wallet-friendly storage device that functions mainly as a secure central depository for digital files on a home network.
Western Digital’s software automatically backs up designated files and folders on local PCs and can save an extra copy of files on its second built-in drive.
It also allows users to access files remotely from any PC, Mac, tablet or smartphone by using free apps. The 4 Terabyte model (big enough to store about 1m MP3 music tracks or 6,000 movies) costs $285 (£239) and is a good choice if you want the added comfort of twin back-up drives.
Planet of the Apps
Paul Taylor picks his favourite from the latest crop
What it is: BitTorrent Sync for iOS
Why you should try it: A month after launching an Android mobile version, BitTorrent has unveiled an iOS version of BitTorrent Sync, a free and secure way to move big files between devices and people. It also remotely backs up photos from an iPhone to a laptop or sends work projects directly to your iPad at home. It is available in 10 languages.
Huge Summer for Hollywood, But With Few Blockbusters
Here in Hollywood, the land of false-front movie sets and business-has-never-been-better studio spin doctors, summer ticket sales are being summed up with a single word: blockbuster.
Ticket revenue in North America for the period between the first weekend in May and Labor Day totaled $4.71 billion, a 10.2 percent increase over the same period last year, according to analyst projections. Attendance rose 6.6 percent, to about 573 million. Higher ticket prices contributed to the rest of the growth.
But behind that rosy picture lurk some darker realities.
Ticket sales rose in part because Hollywood crammed an unusually large number of big-budget movies into the summer, a period that typically accounts for 40 percent of box office revenue. Studios released 23 films that cost $75 million and up (sometimes way up), 53 percent more than in the same period last year.
The audience fragmented as a result, leaving films like “The Wolverine” and “The Hangover Part III” wobbling when they should have been slam dunks.
“Turbo” the animated snail was squished, taking in $80 million at North American theaters — one of the smallest totals in DreamWorks Animation history. (Only the unfortunately titled “Flushed Away” from 2006 did worse.)
“We’re very pleased with the overall strength of the summer,” said John Fithian, president of the National Association of Theater Owners, “but there was almost too much product. Some of these individual movies would have made more money if studios had spread them out a little more.”
Mr. Fithian noted that the $4.71 billion in total summer ticket sales represents a new high-water mark for the industry, not accounting for inflation, and the growth comes after several years of largely flat sales or declines.
It is not surprising that more films sold more overall tickets, but the total does demonstrate a resilience for cinema as competition for consumer attention continues to spike.
“To keep the exhibition business alive, we have to give people a darn good reason to put down all their electronics and get in their cars and get into theaters, and this summer we did it,” said Nikki Rocco, president of distribution at Universal Pictures, which printed money with “Despicable Me 2” and “Fast & Furious 6,” both of which took in roughly $800 million worldwide.
Still, appearances can be deceiving. “Pacific Rim,” for instance, has taken in more than $400 million worldwide — no small feat. The picture’s price tag, however, made it an everyone-or-nothing enterprise. Legendary Entertainment and Warner Brothers spent about $330 million to make and market the film, which could end its run in the red since theater owners take roughly 50 percent of ticket revenue.
With the notable exception of Paramount, which released just two films, “Star Trek Into Darkness” and the surprisingly successful “World War Z,” every studio suffered at least one major dud. In many cases, big hits were offset by big flops.
Disney, for instance, had the summer’s No. 1 movie in “Iron Man 3,” which took in $408.6 million in North America, for a global total of $1.2 billion. Disney’s Pixar also scored with “Monsters University,” a prequel that generated more than $700 million in global ticket sales.
But Disney also had the summer’s No. 1 box office bomb: “The Lone Ranger,” which cost at least $375 million to make and market, and has taken in about $232 million worldwide. After theater owners take their cut, Disney is looking at a write-down of $160 million to $190 million on the film.
Higher-priced 3-D tickets took another tumble, at least in the United States and Canada, as more consumers decided the visual gimmick was not worth paying a $2 to $5 premium per ticket. Family films fared the worst — those glasses don’t fit little faces very well — with “Turbo” setting a new industry low for the format, according to analysts: 3-D screenings accounted for only 25 percent of its opening-weekend results. (Last summer’s low was 35 percent.)
Over the weekend, the 3-D concert documentary “One Direction: This Is Us” took in $17 million at domestic theaters, enough for first place, according to Hollywood.com, which compiles box office data. Sony, which has had a particularly rough summer, spent $10 million to make the film. A Sony spokesman on Saturday wrote in an e-mail, “We are off to a fantastic start!”
“Instructions Not Included,” a Spanish-language comedy from Pantelion and Lionsgate, came out of nowhere over the weekend to take in $7.5 million at only 347 locations, an indication of the growing power of Hispanic moviegoers. “Getaway,” the only other new release of note, drove into a ditch, taking in just $4.5 million. The thriller, which was released by Warner, cost about $18 million to make and stars Ethan Hawke and Selena Gomez. It was the worst-reviewed wide-release film of the summer, according to the review-aggregation site RottenTomatoes.com.
As usual, Hollywood paraded out a cavalcade of stars over the warm-weather months; as usual, only a very few emerged with their star power undiminished.
Brad Pitt pulled off “World War Z,” which took in more than $527 million worldwide and proved that studios can surmount negative advance chatter if they work hard enough. Sandra Bullock and Melissa McCarthy had the No. 1 comedy with “The Heat,” which took in $210 million worldwide for 20th Century Fox — not quite “Bridesmaids” money, but not chump change, either.
At the same time, Will Smith, Johnny Depp, Ryan Reynolds, Owen Wilson, Vince Vaughn, Jamie Foxx, Channing Tatum and Matt Damon, among others, failed to turn out ticket buyers, at least to the degree that studios needed. In particular, a box office era ended when Mr. Smith’s “After Earth,” which cost Sony $135 million to produce and roughly $100 million to market worldwide, opened to $27.5 million in ticket sales, by far the worst summer showing of the once-infallible actor’s career. Its global sales were $244 million.
Movie companies continued to make most of their profits with sequels; eight of this summer’s top 12 films came from continuing franchises. And at least one major new series was born in “Man of Steel.” Warner has already announced casting for a sequel to that movie, which returned Superman to theaters and took in more than $290 million in North America, for a global total of about $650 million.
But audiences also revolted against more of the same, especially if quality came up short. “The Smurfs 2,” “Kick-Ass 2,” “Red 2,” “The Hangover Part III” and “Percy Jackson: Sea of Monsters” all struggled and all received largely negative reviews.
In many ways, the summer belonged to smaller original movies, at least when it came to turning out larger-than-expected audiences.
Lionsgate’s “Now You See Me,” an old-fashioned midrange thriller, took in almost $300 million worldwide; it cost about $75 million to make. “This Is the End,” an R-rated apocalypse comedy from Sony, cost an estimated $32 million to produce and took in $114 million. With a budget of just $3 million, “The Purge,” a thriller starring Mr. Hawke, sold about $85 million in tickets for Universal.
And “The Conjuring,” a horror movie that cost New Line Cinema about $20 million to make, is closing in on ticket sales of $240 million worldwide.
“Films from other genres did exceptionally well this summer, proving that counterprogramming can work,” wrote Doug Creutz, an analyst at Cowen and Company, in a research note released on Thursday.
Still, Mr. Creutz did not seem to hold out much hope that Hollywood paid attention. “Looking ahead to next summer,” he wrote, “it already appears as if we are likely to have another sizable batch of money-losing blockbusters.”
Broadcasters Succeed in Temporarily Shutting Down Streaming TV Service
U.S. television broadcasters won a significant court battle on Thursday when a federal judge shut down an online television service in most parts of the country until a lawsuit on the issue is resolved.
FilmOn allows users to watch live television on their computers or mobile devices by streaming local news broadcasts and national television programs.
Twenty-First Century Fox Inc, Walt Disney Co's ABC and other networks sued FilmOn in May, claiming the service pays no licensing fees and is stealing their copyrighted content.
The broadcasters are likely to succeed on their claims that FilmOn violates their exclusive rights to their copyrighted television programming, said U.S. District Judge Rosemary Collyer of Washington, D.C.
The case, and others like it, are being closely watched by the television industry because services like FilmOn threaten the traditional broadcast model and broadcasters see them as a challenge to their ability to control subscription fees and generate advertising income.
FilmOn, formerly known as Aereokiller, did not immediately respond to a request for comment.
FilmOn is also being sued in California by several broadcasters, including CBS Corp and Comcast Corp's NBC.
A more prominent television streaming service, Barry Diller's IAC-backed Aereo Inc, is being sued in New York.
While the U.S. 2nd Circuit Court of Appeals in New York refused to shut down Aereo while that lawsuit continues, a federal judge in California did bar FilmOn from operating in that state and the others in the U.S. 9th Circuit Court of Appeals.
The injunction issued by Collyer applies nationwide, except in the jurisdiction of the 2nd Circuit, which includes New York, Connecticut and Vermont. The 2nd Circuit's decision in the Aereo case applies in that geographical region, Collyer said.
Fox was "pleased but not surprised" that the Washington court granted the injunction and hopes the decision "will discourage other illegal services from attempting to steal our content," said Fox spokesman Scott Grogin.
ABC, CBS and NBC did not immediately respond to a request for comment.
The case is Fox Television Stations Inc, et al v. FilmOn X LLC, U.S. District Court for the District of Columbia, No. 13-758.
(Reporting by Erin Geiger Smith in New York; Editing by Lisa Shumaker)
Oyster Launches Netflix For Books
More and more we are transforming into a society of subscribers. Netflix gives us endless, on demand movies and TV. Spotify does the same trick for music. And even though libraries have done this for books, for free, for more than a century, so far there hasn’t been a digital, all you can eat subscription platform for books. Start-up Oyster is changing that.
Today Oyster launches its iPhone platform giving users 100,000 titles, from publishers like HarperCollins, Houghton Mifflin Harcourt, Workman and self-publishing giant Smashwords, for $9.95 a month. An iPad version will be released later this fall.
The simple, made-for-mobile app was created by tech veterans Eric Stromberg, Andrew Brown and Willem Van Lancker just last summer. In a year the team not only built the product but, more impressively, was able to seal deals with some publishing heavyweights. Stromberg, who cut his start-up teeth at eCommerce company Hunch, spent three months working with lawyers, authors and publishers to craft a workable contract. Meantime Brown, who was a product manager at Google’s DoubleClick division, built the tech platform. Van Lancker, the former lead designer for Google Maps, crafted the user interface. The three founders used their tech connections to raise $3 million from Peter Thiel‘s Founders Fund, Chris Dixon, SV Angel and Shari Redstone.
Like Netflix, Oyster lets users search by title and genre, and also offers recommendations for topics in the news or in theaters. Since it’s on the iPhone, Oyster has social features that let you follow friends to see what they’re reading and vice versa. There’s also a privacy mode, in case you don’t want to advertise that self-help book or Vampire novel (or any other in the “paranormal lust” category) to your network. Stromberg and Van Lancker are tight lipped about how publishers or authors get paid through the platform – Netflix licenses content up front, while Spotify pays publishers each time a song is played.
Oyster’s an obvious option for voracious readers, or those of us living in 300 sq ft studios. It’s also perfect for skimming select chapters of business books or health books that you’re curious about but not willing to pay full price for. Ditto for junk books. Another plus: Oyster brings with it the anonymity of the Amazon Kindle that has made the likes of Fifty Shades of Grey blockbuster hits.
If Oyster itself is a hit, it seems inevitable that Amazon, Apple and Google will jump in with their own subscription business, if they aren’t already working on them. The founders don’t seem too concerned. “It’s out of our hands,” says Stromberg as we sit in Oyster’s minimalist loft space off Broadway in New York. “So doesn’t make too much sense to worry about it.” Van Lancker adds that unlike giants like Apple and Amazon, Oyster has one clear mission: “Our focus is books, that’s all we think about.”
The Internet’s Next Victim: Advertising
What the story of AdBlock Plus tells us: The online economy is broken, and won't be easy to fix
“Everyone agrees that advertising on the Internet is broken,” says Till Faida, CEO of Adblock Plus, creator of by far the most popular ad-blocking software on the Web.
The soft-spoken German, visiting the San Francisco Bay Area to network and drum up support for his company’s “Acceptable Ads” initiative, sketches out a distressing scenario: Ads aren’t generating enough revenue, so websites are forced to run ever more “aggressive” ads — a maddening deluge of pop-ups, blinking banners, and autoplaying video and audio commercials. But as ads steadily become even more annoying, users click even less, forcing revenues down even further.
“This is creating a vicious circle, which will at some point lead to the whole system collapsing,” says Faida.
Faida believes he can help avoid that apocalyptic scenario. It might seem a little strange to hear that the CEO of a company whose main product is designed to quash ads is dedicated to the goal of saving advertising — certainly, the owners of websites whose revenues are crimped by Adblock Plus users could be excused for looking askance. But Faida believes that he can leverage Adblock Plus’ market power — the company claims 50 million active users — to create market incentives that force online advertisers to behave.
It’s a bold claim, and when you look closely, there’s a big catch. Because Adblock Plus’ business model — the way the company plans to generate a profit — is to charge big advertisers a fee to not block some of their ads.
An ad-blocking company that cashes in by letting some ads through? Isn’t that, uh, false advertising?
But not all ads are bad, argues Faida. A veteran of online marketing who joined Adblock Plus in 2010, Faida makes the perfectly logical argument that the Web needs a healthy advertising industry to support its vast array of free services. And 80 percent of Adblock Plus’ users, claims Faida, have no objection to ads that aren’t obnoxious.
Left unanswered, however, is the question of whether a world full of “acceptable ads” is a world in which advertising actually pays the bills. Because “acceptable” doesn’t just mean “not annoying.” It also means “easy to ignore.” And if advertising is easy to ignore, it doesn’t work.
Adblock Plus’ success, almost by definition, squeezes the advertising industry, and shines the spotlight on a now all-too-familiar question. The Internet has destroyed the traditional business model for a lot of industries. Is it set to destroy advertising, too?
* * *
Here’s how Adblock Plus’ “Acceptable Ads” program works. The Adblock Plus “community” flags new ads as completely beyond the pale or as acceptable. A group of 200 or so “open source” volunteers then builds Adblock Plus filters designed to block ads that fall into both categories. But for most small websites, blogs or news sites, the “acceptable” ads are “whitelisted” by default. That means, they’ll go right through. They won’t be blocked. (Any Adblock Plus user can flip a switch, says Faida, that blocks all ads, but only about 6 percent of users follow through and do so.)
“Large companies,” says Faida, are held to a different standard. To pay for the cost of operating Adblock Plus for everyone, the company charges such companies a fee to participate in the “Acceptable Ads” program. If they pay the fee, their non-obtrusive, community-acceptable ads go through.
When I first learned of AdBlock Plus’ business model, I wrote a headline calling it a “pay-to-play” scheme. A P.R. person representing Adblock Plus named Mark Addison wrote me an email asking for a correction. I declined, largely because I couldn’t get a clear answer to my direct questions as to what would happen if a company such as Google refused to pay.
Several weeks later Addison told me that Faida was visiting the Bay Area and offered a chance for an in-person interview. But during the interview I had to ask the same question – what happens if the large companies don’t pay? – three separate times before I got a straight answer: If a company doesn’t pay, then all their ads are blocked by default.
So if Google fails to pony up, all of the ads that support Google’s services –- including text ads and sponsored search result ads that Adblock Plus users have already decided are acceptable — are blocked.
Faida and Addison portrayed the business model as an exercise in fairness. For the little guys to get their acceptable ads whitelisted automatically, those who could “afford to pay” must contribute.
But it still sounds to me like something that bears more than a passing resemblance to a protection racket. Pay up, or we’ll break your windows! Pay up, or millions of Adblock Plus users will never see any of your ads.
Faida is not shy about the club that Adblock Plus wields.
“I think we have come to a point where we have so many users,” says Faida, “that blocking all ads would be destructive to the Internet.”
At first glance, Faida’s boast sounds like unmitigated hubris. One tiny German company has the power to upend the entire Internet economy? But Google acknowledged to me that it has agreed to pay the required participation fee. When the biggest company in the Internet advertising economy concedes that it is paying to get its ads whitelisted on Adblock Plus, it’s worth taking notice.
Whether one considers Adblock Plus’s business model extortion or simply canny deal-making — in fact, whether or not one considers ad-blocking itself to be outright theft — the bottom line is that ad-blockers appear to be making a real difference.
A report released this week by PageFair that looked at 220 different websites said that 22.7 percent of visitors to those sites were using ad-blocking software. PageFair, according to the New York Times, makes money by helping companies get around ad-blocking, so it has a dog in this fight, but there’s no question that the advertising industry takes a very dim view of Adblock Plus — or any other independent party that tries to help Web users defend themselves from advertisers.
In July, Randall Rothenberg, CEO of the Interactive Advertising Bureau, published a screed titled “Has Mozilla Lost Its Values?” in which he cited Mozilla’s role as “the world’s largest distributor of Adblock Plus” as evidence that the Firefox browser developer’s “civic positioning and public character are heavily freighted with antipathy toward advertising and the commercial Internet.”
Like the piracy of music and movies online, ad blocking appears to be a victimless endeavor, but in fact is a possibly illegal activity that deprives a cascading chain of legitimate enterprises of income. In some markets, Adblock Plus is responsible for stopping as much as 50 percent of mainstream publishers’ ads, significantly harming their revenue stream. For small publishers, the effect is devastating.
If we judge people by their enemies, Adblock Plus scores high. The IAB is an implacable foe of any effort to put limits on online advertising or restrict the ability of advertisers to track the online movements of Web users. To most technologically savvy Web users, Rothenberg’s complaints about AdBlock Plus are the best possible endorsement Faida could wish for. (By press time, Rothenberg had not answered questions sent to him by Salon.)
But for the IAB, Mozilla’s support of the Adblock Plus browser extension isn’t the biggest gripe. Web filters that quash pop-up ads are a minor irritation compared to the threat posed by Mozilla’s plan, announced earlier this spring, to release a version of Firefox that automatically blocked all cookies placed by third parties onto the computers of browser users.
Third-party cookie placement enables online tracking. The notion that one of the biggest browser developers could completely cut out the middlemen that help advertisers develop detailed portraits of online Web user behavior strikes directly at the heart of the evolving Internet advertising model. This summer, the advertising industry got so angry at Mozilla that in mid-August, the Digital Advertising Alliance took out full page ads in trade press papers alleging that Mozilla was “hijacking the Internet.”
But Mozilla wants to eliminate the same cookies that enable advertisers to reach the right audience, with the right message, at the right time. Mozilla claims it’s in the interest of privacy. Truth is, we believe it’s about helping some business models gain a marketplace advantage and reducing competition. Right now consumers have control over whether they receive interest-based ads through the Digital Advertising Alliance’s self-regulatory program.
It appears that Mozilla wants to be “judge and jury” for business models on the Net.
I asked the Digital Advertising Alliance if they could be more specific about exactly which “business models” would gain a “marketplace advantage” through Mozilla’s actions. I received no answer. I asked Mozilla whether the fierce industry backlash to the plan to enable third-party cookie blocking by default had influenced their decision to back off that move and replace it with a “Cookie Clearinghouse” that would let browsers transparently manage lists of what parties would be permitted to set cookies and who would be blocked. Mozilla also declined to comment.
Apparently, the fight over advertising on the Internet is a sensitive issue!
But that makes sense. Because the backdrop to the struggle over third-party cookie blocking and ad-blocking is troubling: The fierceness of the rhetoric is a sign that the entire economic basis of our free-service-on-the-Internet economy is fundamentally unstable. People don’t like ads, new technology makes it easy to avoid them, and as a consequence, it’s very difficult to make advertising-dependent business models work.
Even Google, by far the biggest player in online advertising, is aware of this. Want to understand why Google is willing to pay Adblock Plus to participate in the Acceptable Ads program? Here is a potential answer: The prices paid by advertisers for online impressions and click-throughs have been falling more or less steadily for two years. In that kind of environment, maybe you can’t afford not to get in bed with Adblock Plus!
Perhaps. Google wouldn’t give me more than a one-line statement to acknowledge its participation in Adblock Plus. And it’s not clear how many “large companies” are paid up members of the Acceptable Ad program. Faida would only tell me that the total number is “less than 20.”
It’s also not clear that the battle over ad-blocking on the open Web is where the future of online advertising will be decided. Right now, all those precious eyeballs are rapidly moving to the mobile environment, followed closely by a rising percentage of advertising dollars.
In theory, the app-centric mobile world offers a much friendlier, more controllable environment for advertisers. In the constant technodialectic playing out between advertisers and ad-blockers, the more constrained environment of smartphones and tablets offers some hope that advertisers can regain ground lost to the ad-blockers. But their advantage is hardly clear-cut: It’s also a lot harder to advertise on the smallest screens.
Google may be willing to pay to participate in Adblock Plus’s Acceptable Ads program, but its real feeling about ad-blockers was made clear in March, when the company banned Adblock Plus from the Google Play store.
Oh, and you can’t find Adblock Plus in Apple’s App Store either. Which raises the question: Who is really hijacking the Internet? Anti-ad technologies, or the smartphone?
Records Found on Peer-to-Peer File Sharing Site Subject Company to FTC Complaint
Liisa M. Thomas and Sara Skinner Chubb
The Federal Trade Commission recently announced that it has filed a complaint against LabMD, a lab testing company, alleging that the company failed to reasonably protect consumers' personal data after medical and other personal records of approximately 10,000 consumers were exposed. In the complaint, the FTC alleges that nearly 9,000 consumer records were found on a peer-to-peer file sharing network and that at least another 500 consumer records made their way into the hands of identity thieves. The FTC argued that LabMD failed to take "reasonable and appropriate measures" to protect consumer information, specifically alleging that it: 1) did not implement or maintain a comprehensive data security program to protect this information; 2) did not use readily available measures to identify commonly known or reasonably foreseeable security risks and vulnerabilities to this information; 3) did not use adequate measures to prevent employees from accessing personal information not needed to perform their jobs; 4) did not adequately train employees on basic security practices; and 5) did not use readily available measures to prevent and detect unauthorized access to personal information. As part of the proposed order included in the complaint, LabMD would be required to implement a comprehensive data security program and have that program regularly reviewed by an independent expert. In addition, LabMD would have to notify all consumers whose information may have been accessible to unauthorized persons. Due to the sensitive nature of the documents provided to the FTC in connection with the investigation, the FTC has indicated that it will publicly release the complaint pending the resolution of any confidentiality claims.
TIP: This case is a reminder that the FTC will take action if it believes a company has failed to provide adequate security under the FTC Act, on the theory that such failure is an unfair or deceptive act. This case suggests that the FTC, in looking for what constitutes adequate security, will be looking at not just security programs, but also the effectiveness of those programs, and the existence of employee training and measures to detect incidents of unauthorized access.
Boffins Follow TOR Breadcrumbs to Identify Users
Anonymity? Fuggedaboutit! Watching TOR for months reveals true names
It's easier to identify TOR users than they believe, according to research published by a group of researchers from Georgetown University and the US Naval Research Laboratory (USNRL).
Their paper, Users Get Routed: Traffic Correlation on Tor by Realistic Adversaries, is to be presented at November's Conference on Computer and Communications Security (CCS) in Berlin. While it's been published at the personal page of lead author Aaron Johnson of the NRL, it remained under the radar until someone posted a copy to Cryptome.
The paper states simply that “Tor users are far more susceptible to compromise than indicated by prior work”. That prior work provided the framework for what Johnson's group has accomplished: using traffic correlation in the live TOR network to compromise users' anonymity.
“To quantify the anonymity offered by Tor, we examine path compromise rates and how quickly extended use of the anonymity network results in compromised paths”, they write. In some cases, they found that for the patient attacker, some users can be identified with 95 percent certainty.
The compromise isn't something available to the trivial attacker. The models that Johnson developed assume that an adversary has access either to Internet exchange ports, or controls a number of Autonomous Systems (for example an ISP). However, it's probably reasonable to assume that the instruments of the state could deploy sufficient resources to replicate Johnson's work.
At the core of Johnson's work is a Tor path simulator that he's published at github. The TorPS simulator helps provide accurate AS path inference from TOR traffic.
“An adversary that provides no more bandwidth than some volunteers do today can deanonymize any given user within three months of regular Tor use with over 50 percent probability and within six months with over 80 percent probability. We observe that use of BitTorrent is particularly unsafe, and we show that long-lived ports bear a large security cost for their performance needs. We also observe that the Congestion-Aware Tor proposal exacerbates these vulnerabilities,” the paper states.
If the adversary controls an AS or has access to Internet exchange point (IXP) traffic, things are even worse. While the results of their tests depended on factors such as AS or IXP location, “some users experience over 95 percent chance of compromise within three months against a single AS or IXP.”
The researchers also note that different user behaviours change the risk of compromise. Sorry, BitTorrent fans, your traffic is extremely vulnerable over time.
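The risk described above (a guard-and-exit adversary, rising compromise odds over repeated use, and the extra cost of long-lived ports such as BitTorrent's) can be made concrete with a small path-compromise model. This is an added illustration, not TorPS or the paper's own code; the relay set, bandwidths, port numbers and the adversary's share are constructed, and Tor's real selection weights and guard rotation are simplified away.

```python
"""Monte Carlo estimate of Tor path-compromise risk over repeated use (added example)."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Relay:
    bandwidth: int          # constructed selection weight; Tor's real weights are more involved
    adversary: bool         # True if the adversary operates this relay
    exit_ports: frozenset   # ports the relay's exit policy allows; empty means non-exit


# Constructed (hypothetical) relay set: five honest relays and one adversary relay
# with a modest share of bandwidth. Only one honest exit allows port 6881.
RELAYS = [
    Relay(1000, False, frozenset({80, 443})),
    Relay(800, False, frozenset({80, 443})),
    Relay(600, False, frozenset({80, 443, 6881})),
    Relay(500, False, frozenset()),            # guard-only relay
    Relay(400, False, frozenset()),            # guard-only relay
    Relay(300, True, frozenset({80, 443, 6881})),
]


def adversary_fraction(relays, port=None):
    """Bandwidth share the adversary holds among relays eligible for a role.

    port=None means the guard role (all relays); otherwise only exits whose
    policy allows that port count, which is why rare long-lived ports inflate
    the adversary's effective exit share.
    """
    eligible = [r for r in relays if port is None or port in r.exit_ports]
    total = sum(r.bandwidth for r in eligible)
    bad = sum(r.bandwidth for r in eligible if r.adversary)
    return bad / total if total else 0.0


def analytic_compromise(g, e, n):
    """Probability a user with one fixed guard is compromised within n circuits:
    the guard must be the adversary's AND at least one of n exits must be too."""
    return g * (1 - (1 - e) ** n)


def _pick(relays, rng):
    # Bandwidth-weighted choice, the basic shape of Tor's relay selection.
    return rng.choices(relays, weights=[r.bandwidth for r in relays], k=1)[0]


def simulate(relays, port, circuits, users, seed=1):
    """Fraction of users whose guard and some exit were both adversary-owned.

    Each user keeps one guard for the whole window (guard rotation is ignored;
    allowing it would only add further chances of compromise) and builds
    `circuits` circuits to `port`, each with a freshly chosen exit.
    """
    rng = random.Random(seed)
    exits = [r for r in relays if port in r.exit_ports]
    compromised = 0
    for _ in range(users):
        guard = _pick(relays, rng)
        if not guard.adversary:
            continue                      # an honest guard protects every circuit it fronts
        for _ in range(circuits):
            if _pick(exits, rng).adversary:
                compromised += 1
                break
    return compromised / users


if __name__ == "__main__":
    g = adversary_fraction(RELAYS)
    for port in (443, 6881):
        e = adversary_fraction(RELAYS, port)
        print(f"port {port}: guard share {g:.3f}, exit share {e:.3f}, "
              f"analytic after 30 circuits {analytic_compromise(g, e, 30):.3f}, "
              f"simulated {simulate(RELAYS, port, circuits=30, users=20000):.3f}")
```

With this relay set the adversary holds a third of the exit bandwidth for port 6881 but only a ninth for 443, so a single BitTorrent circuit is about three times as likely to be compromised as a single HTTPS one, and both approach the guard share as circuits accumulate.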
Majority of Tor Crypto Keys Could Be Broken by NSA, Researcher Says
Got elliptic curve?
The majority of devices connected to the Tor privacy service may be using encryption keys that can be broken by the National Security Agency, a security researcher has speculated.
Rob Graham, CEO of penetration testing firm Errata Security, arrived at that conclusion by running his own "hostile" exit node on Tor and surveying the encryption algorithms established by incoming connections. About 76 percent of the 22,920 connections he polled used some form of 1024-bit Diffie-Hellman key. The analysis came a day after revelations the NSA can circumvent much of the encryption used on the Internet. While no one knows for sure exactly what the NSA is capable of cracking, educated speculation has long made a case that the keys Graham observed are within reach of the US spy agency.
"Everyone seems to agree that if anything, the NSA can break 1024 RSA/DH keys," Graham wrote in a blog post published Friday. "Assuming no 'breakthroughs,' the NSA can spend $1 billion on custom chips that can break such a key in a few hours. We know the NSA builds custom chips, they've got fairly public deals with IBM foundries to build chips."
He went on to cite official Tor statistics to observe that only 10 percent of Tor servers are using version 2.4 of the software. That's the only Tor release that implements elliptic curve Diffie-Hellman crypto, which cryptographers believe is much harder to break. The remaining versions use keys that are presumed to be weaker.
Graham called on Tor Project leaders to do a better job of getting end users to upgrade to version 2.4, but he also couched his findings with a word of caution.
"Of course, this is just guessing about the NSA's capabilities," he wrote. "As it turns out, the newer elliptical keys may turn out to be relatively easier to crack than people thought, meaning that older software may in fact be more secure. But since 1024 bit RSA/DH has been the most popular SSL encryption for the past decade, I'd assume that it's that, rather than curves, [it's 1024 RSA/DH] that the NSA is best at cracking."
The Feds Pay for 60 Percent of Tor’s Development. Can Users Trust it?
This week, we learned that the NSA had managed to circumvent much of the encryption that secures online financial transactions and other activities we take for granted on the Internet. How? By inserting backdoors into the very commercial software designed to keep sensitive medical records, bank files and other information private.
The NSA’s sustained attempt to get around encryption calls into question many of the technologies people have come to rely on to avoid surveillance. One indispensable tool is Tor, the anonymizing service that takes a user’s Internet traffic and spits it out from some other place on the Web so that its origin is obscured.
So far there’s no hard evidence that the government has compromised the anonymity of Tor traffic. But some on a Tor-related e-mail list recently pointed out that a substantial chunk of the Tor Project’s 2012 operating budget came from the Department of Defense, which houses the NSA.
Last year, DoD funding accounted for more than 40 percent of the Tor Project’s $2 million budget. Other major donors include the U.S. State Department, which has an interest in promoting Internet freedom globally, and the National Science Foundation. Add up all those sources, and the government covers 60 percent of the costs of Tor’s development.
Tor Executive Director Andrew Lewman wrote in an e-mail to users that just because the project accepts federal funding does not mean it collaborated with the NSA to unmask people’s online identities.
“The parts of the U.S. and Swedish governments that fund us through contracts want to see strong privacy and anonymity exist on the Internet in the future,” Lewman wrote. “Don’t assume that ‘the government’ is one coherent entity with one mindset.”
And Roger Dingledine, a founder of the Tor Project, says that the Defense Department money is much more like a research grant than a procurement contract.
“They aren’t ‘buying products’ from us,” Dingledine tells me. “They’re funding general research and development on better anonymity, better performance and scalability and better blocking-resistance. Everything we do we publish in the open.”
Dingledine acknowledges that “bad guys” could conceivably introduce vulnerabilities into Tor’s open-source code. But one of the major advantages of open-source software is that the product can be inspected by anyone for defects, which raises its security somewhat. There’d only be a problem if the NSA were somehow able to insert malicious code that nobody recognized.
The NSA didn’t immediately respond to a request for comment Friday afternoon.
Update: Roger Dingledine writes in to explain why the government has never asked the Tor Project to install a backdoor:
I think this is mainly due to two reasons:
A) We’ve had that FAQ entry up for a long time, including the part where we say we’ll fight it and that we have lots of lawyers who will help us fight it. So they know it won’t be easy.
B) I do a lot of outreach to various law enforcement groups to try to teach them how Tor works and why they need it to be safe. See e.g. the first two paragraphs of this:
I think ‘A’ used to be a sufficient reason by itself, but now we’re reading about more and more companies and services that have tried to fight such a request and given up. The architecture of the Tor network makes it more complex (there’s no easy place in the deployed network to stick a backdoor), but that doesn’t mean they won’t try.
I guess we rely on ‘B’ for now, and see how things go.
Americans Go to Great Lengths to Mask Web Travels, Survey Finds
Most Americans try to scrub their digital footprints by doing a variety of things, including clearing browsing histories and deleting certain social media posts, according to the Pew Internet Center. (Photo: Stuart Isett for The New York Times)
Most Americans say they believe the law is inadequate in protecting their privacy online. The e-mail or social media accounts of one in five have been broken into. And most American consumers take great efforts to mask their identities online.
These findings are part of a survey by the Pew Internet Center that was released Thursday. They come amid a cascade of widely publicized revelations about the depth of United States government surveillance on the electronic communications of its citizens. And they challenge the conventional wisdom advanced in support of both commercial tracking and official monitoring of Web services: “If you’ve got nothing to hide, you’ve got nothing to fear.”
Apparently, most Americans do have something to hide – at least from complete strangers trying to profit from knowing what they do online. The Pew survey found that 86 percent of Americans were trying to scrub their digital footprints by doing a variety of things, like clearing browsing histories, deleting certain social media posts, using virtual networks to conceal their Internet Protocol addresses, and even, for a few, using encryption tools.
“Our team’s biggest surprise was discovering that many Internet users have tried to conceal their identity or their communications from others,” noted Sara Kiesler, an author of the report and a computer science professor at Carnegie Mellon University in Pittsburgh. “It’s not just a small coterie of hackers. Almost everyone has taken some action to avoid surveillance.”
The findings come at a time when many lawmakers have reacted with outrage about government surveillance but done very little to curb private tracking of Americans’ Web browsing. Google and Facebook, among other popular services, profit almost entirely from behaviorally targeted advertising. What we write in our e-mails, what we browse online and what we buy, both online and offline, are compiled and analyzed, all in the service of showing us what the digital advertising industry calls “relevant” advertising.
Efforts to develop global standards for Do Not Track browser settings have been stalled. Anyway, as consumers move to smartphones, companies and advertisers have devised new ways of tracking them.
The legislature in California recently approved a measure to require Web sites to tell users whether they honor Do Not Track signals on browser settings. The bill does not prohibit tracking, but requires all Web services to spell out what they do when faced with a Do Not Track signal, which some browsers turn on automatically. It is now pending the California governor’s signature.
The Pew survey was carried out on the phone with 792 adult Americans in July. It had a margin of error of 3.8 percentage points. In the survey, 55 percent said they were worried about the breadth of personal information that exists about them online, considerably higher than the 33 percent who admitted to being worried in 2009.
Public concern seemed also to stem from apprehension about the law. Two-thirds of those surveyed said they believed the nation’s laws were “not good enough in protecting their privacy online.”
Users experimented with a variety of strategies to mask themselves. About half said they posted material using their real names, or aliases commonly associated with them. But one in four surveyed said they “posted material without revealing who they are.” Young people were more likely than others to switch back and forth, suggesting what previous studies have suggested: that digital natives, as the generation who grew up with the Internet are called, heavily curate their online identities.
The sometimes painful consequence of disclosure was also reflected. Just over 20 percent said an intruder had broken into their e-mail or social networking account; 12 percent said they had been “stalked or harassed;” and 10 percent had lost sensitive information to online thieves, including bank account information.
These findings are echoed by a poll also issued Thursday by TRUSTe, a San Francisco company that vets the privacy policies of Web sites and mobile apps and gives a seal of approval to those that meet its criteria. It found that nearly four out of five smartphone users in the United States were reluctant to download apps they did not trust.
More than two-thirds of mobile users did not like being tracked for the purposes of behavioral advertising. And even as about half of all smartphone users said they were willing to share some personal information in exchange for shopping discounts, most were loath to reveal their exact location or their Web browsing activity.
The TRUSTe survey was conducted online with over 700 Internet users in the United States in June.
In March, before a former National Security Agency contractor began to leak details about the agency’s surveillance apparatus, a survey by Forrester Research picked up on a trend of heightened privacy concerns among consumers about online tracking for behavioral advertising.
Commissioned by Neustar, an Internet service provider company, Forrester’s survey found that 27 percent of Americans were using an ad blocking tool when they browse the Web; 18 percent had turned on a “Do Not Track” setting in their browsers.
F.T.C. Says Webcam’s Flaw Put Users’ Lives on Display
The so-called Internet of Things — digitally connected devices like appliances, cars and medical equipment — promises to make life easier for consumers. But regulators are worried that some products may be magnets for hackers.
On Wednesday, the Federal Trade Commission took its first action to protect consumers from reckless invasions of privacy, penalizing a company that sells Web-enabled video cameras for lax security practices.
According to the F.T.C., the company, TRENDnet, told customers that its products were “secure,” marketing its cameras for home security and baby monitoring. In fact, the devices were compromised. The commission said a hacker in January 2012 exploited a security flaw and posted links to the live feeds, which “displayed babies asleep in their cribs, young children playing and adults going about their daily lives.”
“The Internet of Things holds great promise for innovative consumer products and services,” Edith Ramirez, the commission’s chairwoman, said in a statement. “But consumer privacy and security must remain a priority as companies develop more devices that connect to the Internet.”
TRENDnet officials did not respond to a request for comment.
While the Internet of Things is still evolving, the concept currently embraces both industrial and consumer products. In a factory, sensors can be used to monitor manufacturing processes, warning that a machine needs maintenance and potentially avoiding a breakdown. At home, so-called smart appliances like refrigerators or thermostats can feed information via the Internet to manufacturers and service providers to keep the products humming.
In a speech last month, Ms. Ramirez noted that such developments required more diligence by consumers and regulators. While many individuals consent to data collection, consumers rarely are consulted about where their personal information goes afterward. The F.T.C. plans to conduct a workshop in November to discuss the issue, with an eye toward drawing up rules that allow for both innovation and the protection of consumers.
Robert R. Belair, who formerly served in the commission’s division of consumer protection and who is now the managing partner of the Washington office of Arnall Golden Gregory, said it was not yet clear whether the Internet of Things “changes the nature of the privacy threat, or just exacerbates the threat in certain ways that require a little more vigilance.”
In detailing the security lapses, the commission said the company transmitted customers’ login information over the Internet in clear, readable text rather than encrypting the data. It also said TRENDnet’s mobile application, which allows customers to control the home camera from a smartphone, did not properly protect users’ credentials. When the company became aware of the flaws, it uploaded a software patch to its Web site and tried to alert customers.
As part of the case, TRENDnet agreed to sanctions that include a 20-year security-compliance auditing program. The company also promised not to misrepresent the security of its cameras, the confidentiality of the activity that its devices transmit, or consumers’ ability to control the security of the cameras or their recordings. The agency’s four current commissioners voted unanimously for the sanctions.
The F.T.C. does not have the legal authority to impose fines in such cases. But TRENDnet agreed to a consent order prohibiting similar practices, so the commission has the ability to seek penalties in the future.
Despite its recent action, the F.T.C.’s authority in this area has been called into question. The Wyndham Hotel Group is challenging the commission’s ability to penalize companies that do not do enough to protect consumer information, like credit card numbers. Wyndham has argued that the agency has not published any formal rules on data security. The case is pending in Federal District Court in New Jersey.
The case against TRENDnet highlights the potential vulnerabilities that consumers face when they connect everyday, in-home products to the Internet. As with e-mail accounts, online banking and shopping Web sites, enterprising hackers can get around security systems when vendors are sloppy.
In 2010, TRENDnet began selling its digitally connected cameras under the product name SecurView. With the device, individuals and businesses could, via an individual Web site, monitor family members, customers or security concerns. In three years, its camera business produced nearly $19 million in revenue, accounting for 10 percent of the company’s total revenue in that period.
According to the F.T.C., a hacker in 2012 identified a security flaw and circulated the information publicly. Though the company was notified of the breach within three days, others saw the message and quickly posted links to live video feeds of about 700 cameras.
The commission said that the hacker was able “to identify a Web address that appeared to support the public sharing of users’ live feeds.” While only some customers opted to share their feeds publicly, the hacker found that all of the feeds could be viewed and shared, the commission said. After the episode, news accounts sometimes included photos taken from the feeds.
Consumers “had little, if any, reason to know that their information was at risk,” the commission said.
That kind of exposure “increases the likelihood that consumers or their property will be targeted for theft or other criminal activity,” the F.T.C. said, and “increases the likelihood that consumers’ personal activities and conversations or those of their family members, including young children, will be observed and recorded by strangers over the Internet.”
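The feed-sharing flaw the commission describes is, in engineering terms, a missing authorization check: the server confirmed that a camera id existed but never checked whether that feed's owner had opted into public sharing, so anyone who could guess ids could watch every camera. The following is an added illustration of that class of bug, not TRENDnet's code, with constructed camera ids, owners and share flags; the vulnerable handler sits beside a hardened one.

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Camera:
    cam_id: str
    owner: str
    public: bool  # True only if the owner opted into public sharing of the feed


# Constructed inventory (sample data, not real devices): only cam-0002 is
# meant to be viewable by strangers.
CAMERAS = {
    "cam-0001": Camera("cam-0001", "alice", public=False),
    "cam-0002": Camera("cam-0002", "bob", public=True),
    "cam-0003": Camera("cam-0003", "carol", public=False),
}


def vulnerable_feed(cam_id: str, requester: Optional[str]) -> Optional[str]:
    """The flawed handler: returns the stream URL for any camera id that
    exists. It never looks at the 'public' flag or at who is asking, so an
    anonymous visitor who guesses or enumerates ids can watch every feed."""
    cam = CAMERAS.get(cam_id)
    if cam is None:
        return None
    return f"stream://{cam.cam_id}"


def hardened_feed(cam_id: str, requester: Optional[str]) -> Optional[str]:
    """The fixed handler: serve the stream only if the feed is public or the
    (authenticated) requester owns the camera. Unknown ids and forbidden ids
    both come back as None so the endpoint cannot be used to enumerate which
    ids exist."""
    cam = CAMERAS.get(cam_id)
    if cam is None:
        return None
    if cam.public or (requester is not None and requester == cam.owner):
        return f"stream://{cam.cam_id}"
    return None


def crawl(handler: Callable[[str, Optional[str]], Optional[str]],
          requester: Optional[str] = None) -> list:
    """What someone walking the id space gets back from a given handler."""
    found = []
    for cam_id in sorted(CAMERAS):
        url = handler(cam_id, requester)
        if url is not None:
            found.append(url)
    return found


if __name__ == "__main__":
    print("vulnerable, anonymous:", crawl(vulnerable_feed))
    print("hardened, anonymous:  ", crawl(hardened_feed))
    print("hardened, as alice:   ", crawl(hardened_feed, requester="alice"))
```

The decision has to be made on the server for every request; a client-side checkbox that merely hides the link, or a "secret" URL, does not count as authorization. The clear-text login traffic the commission also cites is a separate defect (transport, not authorization) and is not modeled here.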
The Terrifying Search Engine That Finds Internet-Connected Cameras, Traffic Lights, Medical Devices, Baby Monitors And Power Plants
Marc Gilbert got a horrible surprise from a stranger on his 34th birthday in August. After the celebration had died down, the Houston resident heard an unfamiliar voice coming from his daughter’s room; the person was telling his sleeping 2-year-old, “Wake up, you little slut.” When Gilbert rushed in, he discovered the voice was coming from his baby monitor and that whoever had taken control of it was also able to manipulate the camera. Gilbert immediately unplugged the monitor but not before the hacker had a chance to call him a moron.
The monitor, made by Foscam of Shenzhen, China, lets users monitor audio and video over the Internet from anywhere in the world. Months earlier security researchers had discovered software flaws in the product that allowed attackers to take control of the monitor remotely or to sign into its stream if they used the user name “admin.” Foscam had quietly come up with a fix the month before but had not pushed it out to its users. When Gilbert checked his Foscam account, he discovered that the hacker had added his own user name–”Root”–so he could sign in whenever he wanted. Gilbert is now considering a class action against Foscam. He could find other plaintiffs using a search engine called Shodan. It’s likely the tool the pervy hacker used to find him.
Shodan crawls the Internet looking for devices, many of which are programmed to answer. It has found cars, fetal heart monitors, office building heating-control systems, water treatment facilities, power plant controls, traffic lights and glucose meters. A search for the type of baby monitor used by the Gilberts reveals that more than 40,000 other people are using the IP cam–and may be sitting ducks for creepy hackers.
“Google crawls for websites. I crawl for devices,” says John Matherly, the tall, goateed 29-year-old who released Shodan in 2009. He named it after the villainous sentient computer in the videogame System Shock. “It’s a reference other hackers and nerds will understand.”
Matherly originally thought Shodan would be used by network behemoths like Cisco, Juniper or Microsoft to canvass the world for their competitors’ products. Instead, it’s become a crucial tool for security researchers, academics, law enforcement and hackers looking for devices that shouldn’t be on the Internet or devices that are vulnerable to being hacked. An industry report from Swedish tech company Ericsson estimates that 50 billion devices will be networked by 2020 into an “Internet of Things.” Matherly’s the only one putting the results of the surveying into a public search engine. “I don’t consider my search engine scary,” says Matherly. “It’s scary that there are power plants connected to the Internet.”
Shodan’s been used to find webcams with security so low that you only needed to type an IP address into your browser to peer into people’s homes, security offices, hospital operating rooms, child care centers and drug dealer operations. Dan Tentler, a security researcher who has consulted for Twitter, built a program called Eagleeye that finds webcams via Shodan, accesses them and takes screenshots. He has documented almost a million exposed webcams. “It’s like crack for voyeurs,” he says.
(Update: And it’s fodder for Federal Trade Commission enforcement. The FTC ordered one company with cameras showing up in Shodan to clean up its security act.)
After finding a vulnerability in a common piece of building software, Cylance security researcher Billy Rios used Shodan, in conjunction with another tool, to find that banks, apartment buildings, convention centers and even Google’s headquarters in Australia, had security, lights and heating and cooling systems online that could be controlled by a hacker. “There are 2,000 facilities on the Internet right now that if someone guesses the IP address, they can take over the buildings,” says Rios. The Department of Homeland Security revealed earlier this year that hackers have taken advantage of this, virtually breaking into the energy management systems of a “state government facility” in 2012 to make it “unusually warm” and of a “New Jersey manufacturing company” in early 2013; they got in using Shodan.
Matherly grew up in Switzerland, dropped out of high school at 17 and moved to the States to live with his flight attendant aunt in San Diego. Earning his way initially by working at a bookstore, he went to community college and then on to a degree in bioinformatics from the University of California, San Diego. He got a job at the university’s supercomputer center, working on a protein database project. After short stints programming for a startup and doing Web design for the Union-Tribune, he started building Shodan. Its freemium model has paid the bills since then so he can add more crawlers to scan more of the Internet. A free search will get you ten results. Approximately 10,000 users pony up a nominal one-time fee of up to $20 to get 10,000 results per search. A dozen institutional users, all of them cybersecurity firms, pay five figures annually for access to Matherly’s entire database of 1.5 billion connected devices.
Shodan is a one-man operation, and you can tell by using it. It lacks Google’s clean search interface. You have to know some part of a device’s signature to find what you’re looking for. The results include Internet Protocol language a casual user won’t be familiar with. But it can be the most effective way to show the impact of a security flaw in a product: A tally on the left-hand side of the screen after a search tells you how many of those devices are on the Internet and in which countries they are.
The feds could make life difficult for Matherly if they choose to go after him under the Computer Fraud & Abuse Act, which forbids unauthorized access to computer systems. An aggressive prosecutor in March put Andrew “weev” Auernheimer in jail for accessing a website AT&T had put on the Internet with the inadvertent inclusion of e-mail addresses for its iPad customers. “I don’t try to log into servers or anything that could be considered hacking,” says Matherly.
Rather than be prosecuted, Matherly should be rewarded for calling attention to the incredibly stupid mistakes that gadget companies make when configuring their products and the inattention of consumers to the security of the products they buy. Everything that connects to the Internet should be password-protected, and many aren’t. Nor should these devices ship with a default user name and password, yet many do.
Last year an anonymous user took control of more than 400,000 Internet-connected devices using just four default passwords and used them to build a data set much like Shodan’s, calling it the Internet Census 2012. “Everybody is talking about high-class exploits and cyberwar,” wrote the unnamed operator, who wisely stayed anonymous to avoid legal complications. “[But] four simple, stupid, default Telnet passwords can give you access to hundreds of thousands of consumers as well as tens of thousands of industrial devices all over the world.”
Matherly hopes Shodan leads to more transparency and public shaming of companies that are selling vulnerable systems, but he’s not optimistic. “Everything is going on the Internet whether you want it or not,” says Matherly.
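What Shodan does at the protocol level is simple: connect to a port, record whatever the service says first (its banner), and index it; a user then searches for a fragment of banner that identifies a device class, which is why, as the article says, you have to know part of a device's signature. The following added example, which is not Shodan's code, does the same on a small scale against throwaway listeners on 127.0.0.1 that answer with constructed banners, so no real device is contacted; the signature table and the device classes are assumptions made for the illustration.

```python
import re
import socket
import threading

# Constructed banners standing in for what networked devices answer with on
# connect; none were captured from a real host.
SAMPLE_BANNERS = {
    "ipcam": (b"HTTP/1.0 200 OK\r\nServer: Boa/0.94.14rc21\r\n"
              b"WWW-Authenticate: Basic realm=\"IPCamera Login\"\r\n\r\n"),
    "gateway": b"220 Modbus/TCP gateway ready\r\n",
    "router": b"Username: ",
    "web": b"HTTP/1.1 200 OK\r\nServer: nginx/1.4.1\r\n\r\n",
}

# Signature table (an assumption for illustration), ordered most specific
# first: an IP camera's web UI also looks like a plain web server.
SIGNATURES = [
    ("ip-camera", re.compile(rb"Boa/|IPCamera|netcam", re.I)),
    ("industrial", re.compile(rb"modbus|scada|plc", re.I)),
    ("telnet-login", re.compile(rb"^(Username|login|Password):", re.I | re.M)),
    ("web-server", re.compile(rb"^HTTP/1\.[01] ", re.M)),
]


def classify(banner: bytes) -> str:
    """Map a banner to a device class using the first matching signature."""
    for name, pattern in SIGNATURES:
        if pattern.search(banner):
            return name
    return "unknown"


def grab_banner(host: str, port: int, timeout: float = 2.0,
                probe: bytes = b"HEAD / HTTP/1.0\r\n\r\n", limit: int = 4096) -> bytes:
    """Connect, send a generic probe, and return whatever the service answers.

    Services that speak first (FTP, telnet, many embedded devices) answer
    regardless of the probe; HTTP servers answer because of it."""
    chunks = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            sock.sendall(probe)
            while len(chunks) < limit:
                data = sock.recv(1024)
                if not data:
                    break
                chunks += data
        except (socket.timeout, ConnectionError):
            pass  # device waiting for input after its prompt, or it closed on us
    return chunks


def serve_fake_device(banner: bytes) -> int:
    """Start a one-shot listener on 127.0.0.1 that answers with `banner` and
    return its port. It reads (and ignores) the client's probe first so the
    banner is not lost to a connection reset when the listener closes."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def run():
        conn, _ = listener.accept()
        with conn:
            conn.settimeout(1.0)
            try:
                conn.recv(1024)
            except socket.timeout:
                pass
            conn.sendall(banner)
        listener.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def survey(targets) -> dict:
    """Tally device classes over (host, port) targets, the way Shodan's
    left-hand count summarizes a search (minus the per-country breakdown)."""
    tally = {}
    for host, port in targets:
        try:
            kind = classify(grab_banner(host, port))
        except OSError:
            kind = "unreachable"
        tally[kind] = tally.get(kind, 0) + 1
    return tally


def demo() -> dict:
    """Run the survey against the constructed fake devices on loopback."""
    targets = [("127.0.0.1", serve_fake_device(b)) for b in SAMPLE_BANNERS.values()]
    return survey(targets)


if __name__ == "__main__":
    print(demo())
```

Against real hosts the same grab_banner and classify pair works unchanged, which is exactly where the CFAA question the article raises begins: keep any survey to address space you own or are authorized to test. Note also that a banner proves only that a device answers, not that it is vulnerable; the FTC and DHS cases above rest on what was reachable behind the banner.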
Scientists Expand Scale of Digital Snooping Alert
Scientists reported on Wednesday that they had taken a step toward bringing improved security to computer networks, developing an encryption technique that will extend protection to a small group of computer users.
The researchers at Toshiba’s European research laboratory in Cambridge, England, in a paper published on Wednesday in the journal Nature, wrote that they had figured out a way to allow a group of users to exchange encryption keys — long numbers that are used to mathematically encode digital messages — through an experimental technique known as quantum key distribution.
The new technique is believed to be more practical and less expensive than existing technologies. It also extends the scale of the current quantum key systems to as many as 64 computer users from just two users.
The system does not prevent eavesdropping — it simply serves as a kind of burglar alarm, alerting computer users that an outsider is listening to a transmission on an optical network.
Nevertheless, the advance comes at a time of growing concern about the relative ease of breaching computer security, prompted by recent disclosures based on the documents leaked from the National Security Agency and the British Government Communications Headquarters intelligence agencies by Edward J. Snowden. One worry is that the initial exchange of the key material in modern encryption systems has become vulnerable.
Today many digital encryption systems are based on the ability of two computer users to secretly exchange a “key” — a large number, which is then used to establish a secure communication channel to exchange messages over a computer network.
The encryption key is encoded in a special stream of photons or bits. The Toshiba work is based on the ability to make the infinitesimally short time measurements required to capture pulses of quantum light hidden in streams of photons transmitted over fiber optic links — and to do that in a network of dozens of users.
The key exchange is usually protected by the use of mathematical formulas based on the challenge of factoring large numbers. In recent years public key cryptographic systems have been improved by lengthening the factored numbers used in the formula. That, in principle, would require vastly more computing resources to break into the system.
Quantum cryptography relies instead on encoding the key in a stream of quantum information — photons that are specially polarized. If a third party eavesdrops on the communication, the fact will be immediately obvious to the parties of the secret communication.
“One of the attractive things about quantum cryptography is that security comes in the form of the laws of nature,” said Andrew J. Shields, one of the authors and the assistant managing director for Toshiba Research Europe. “It should, in principle, be secure forever.”
Encryption systems that are now commercially available are used to secure the wires over which digital information is transferred, but they are costly and function only over limited distances. Allowing multiple users to share a network connection while using a quantum encryption system could significantly lower costs, Dr. Shields said.
He acknowledged that a quantum encryption system solved only a portion of the problem.
“To be honest, quantum cryptography allows us only to know if someone is tapping the fiber,” he said. “There are other areas of concern.”
But the eavesdropping that the system is designed to detect has been well documented. For example, in 2006 an AT&T technician came forward to report that the National Security Agency had established such a system to monitor communications traffic flowing through an AT&T network switching facility in San Francisco. Had a quantum cryptography system been in place, Dr. Shields said, the N.S.A. presence would have been detected.
Dr. Shields said that he could not speak publicly about whether Toshiba would try to commercialize the research work of his group. The group, he said, now plans to extend the range of the system further and use it in a live computer network.
Toshiba Has Invented a Quantum Cryptography Network that Even the NSA Can’t Hack
If you’ve got communications that absolutely cannot be intercepted—whether you’re a NSA whistleblower, the president of Mexico, or Coca-Cola—quantum cryptography is the way to go.
It harnesses the bizarro-world properties of quantum physics to ensure that information sent from point A to point B isn’t intercepted. The laws of physics dictate that nobody—not even the NSA—can measure a quantum system without disrupting it.
The problem, as Edward Snowden could probably tell you, is that quantum cryptography is still in its infancy. It only works over relatively short distances, and the required gear—including lasers and a dedicated fiber optic network—is prohibitively expensive, limiting its use to a handful of research labs, corporations and governments.
A new research paper from scientists at Toshiba brings quantum cryptography a baby-step closer to the masses. The paper, published today in Nature, explains how to expand a point-to-point quantum network with only two users into a “quantum access network” with up to 64 users.
Rolling quantum dice. (Photo: Toshiba)
“This kind of communication cannot be defeated by future advances in computing power, nor new mathematical algorithms, nor fancy new engineering,” said co-author Andrew Shields, head of the Quantum Information Group of Toshiba Research Europe. “As long as the laws of physics hold true, it will ensure that your communications are fully secured.”
A quantum network uses specially polarized photons to encode an encryption key—a very long series of numbers and letters that can unlock a digital file. The photons are then sent down a fiber optic cable until they reach their destination, a photon detector, which counts them, and delivers the key to the intended recipient. If the photons are interfered with, the individual packets of information are forever altered and the recipient can see the telltale signs of tampering.
The Toshiba team focused its efforts on improving the photon detector, and created a system that counts up to 1 billion photons per second, which makes it feasible to add more people to the network. “Our breakthrough is we’ve developed an architecture that is point-to-multipoint. This greatly increases the number of potential users in the network, and reduces costs,” Shields said.
Current quantum cryptography systems from companies like ID Quantique start at around $50,000, and only connect two parties at a time. “If up to 64 people can share a single photon detector then you can spread out those costs,” Shields said.
The next step toward mainstreaming quantum crypto is increasing the distance that photons can travel before they degrade—currently the record is 200 km (124 miles) using a dedicated fiber optic cable. But researchers are working on ways to transmit quantum bits on so-called “noisy” fiber that carries other information, which means that the day may not be far away when your Gmail may have a quantum key.
Until then, it’s probably safer to assume that Big Brother is listening.
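Both pieces above describe the same property without naming the protocol: the key is carried by photons prepared in one of two polarization bases, and an eavesdropper who measures them in the wrong basis disturbs them in a way the legitimate parties see as errors, which is why Dr. Shields calls it a tap detector rather than a tap preventer. The following added simulation is not Toshiba's work; it assumes BB84, the standard scheme matching that description, with the simplest attacker (intercept and resend every photon), and it models neither channel noise nor detector loss. The 11% abort threshold is the commonly cited figure for BB84 and is an assumption here, as are the photon counts.

```python
import random

# Bases: 0 = rectilinear (H/V), 1 = diagonal (+45/-45). A photon read in the
# basis it was prepared in yields the encoded bit; read in the other basis it
# yields a coin flip and is re-emitted in the measuring basis.
ABORT_THRESHOLD = 0.11  # assumed: QBER above which the parties discard the key


def measure(bit: int, prep_basis: int, meas_basis: int, rng: random.Random) -> int:
    return bit if meas_basis == prep_basis else rng.randrange(2)


def bb84(n_photons: int, eavesdropper: bool = False, seed: int = 2013) -> dict:
    """Simulate one BB84 key exchange over a lossless, noiseless fiber.

    Returns the estimated error rate (QBER), whether the alarm fired, the
    remaining key bits on each side, and how many of those key bits an
    intercept-and-resend Eve actually knows."""
    rng = random.Random(seed)
    alice_bits = [rng.randrange(2) for _ in range(n_photons)]
    alice_bases = [rng.randrange(2) for _ in range(n_photons)]
    photons = list(zip(alice_bits, alice_bases))  # (bit, basis) on the fiber

    eve_bases = [None] * n_photons
    if eavesdropper:
        resent = []
        for i, (bit, basis) in enumerate(photons):
            eve_bases[i] = rng.randrange(2)
            eve_bit = measure(bit, basis, eve_bases[i], rng)
            resent.append((eve_bit, eve_bases[i]))  # photon now carries Eve's basis
        photons = resent

    bob_bases = [rng.randrange(2) for _ in range(n_photons)]
    bob_bits = [measure(bit, basis, bb, rng)
                for (bit, basis), bb in zip(photons, bob_bases)]

    # Sifting: bases are announced over an authenticated public channel and
    # positions where Alice and Bob chose differently are dropped.
    sifted = [i for i in range(n_photons) if alice_bases[i] == bob_bases[i]]

    # Error estimation: a random half of the sifted positions is compared in
    # public and then discarded; the remainder is the key.
    rng.shuffle(sifted)
    half = len(sifted) // 2
    sample, keep = sifted[:half], sifted[half:]
    errors = sum(alice_bits[i] != bob_bits[i] for i in sample)
    qber = errors / len(sample) if sample else 0.0

    return {
        "qber": qber,
        "alarm": qber > ABORT_THRESHOLD,
        "key_a": [alice_bits[i] for i in keep],
        "key_b": [bob_bits[i] for i in keep],
        # Eve knows a kept bit for certain only where she guessed Alice's basis.
        "eve_known": sum(1 for i in keep if eve_bases[i] == alice_bases[i]),
    }


if __name__ == "__main__":
    for tapped in (False, True):
        r = bb84(4000, eavesdropper=tapped)
        print(f"eavesdropper={tapped}: QBER={r['qber']:.3f} alarm={r['alarm']} "
              f"key_bits={len(r['key_a'])} eve_knows={r['eve_known']}")
```

With no tap the compared sample agrees exactly and the two sides end up with identical keys; with intercept-and-resend the attacker guesses the wrong basis half the time and each wrong guess flips Bob's result half the time, so the error rate lands near 25%, far above the threshold, and the key is thrown away before it is used. The caveat from the articles carries over unchanged: this detects a tap on the fiber and nothing else, and the classical channel used to announce bases must itself be authenticated or a man-in-the-middle simply runs two honest sessions.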
Lockbox Aims to NSA-Proof the Cloud
Fewer words will have as much import in the coming months and years as encryption. In the post-NSA-leaks world, encryption isn't just a buzzword, it's a necessity. Even more, it's a political statement that makes friends of partisans. So it's no surprise that Lockbox, a tech startup founded in 2008, just received $2.5 million in seed funding for its end-to-end encryption cloud service, Client Portal.
So, how does end-to-end cloud encryption work? Lockbox encrypts and compresses files before they are uploaded to the cloud. Only a person in possession of the corresponding key can unlock, or decrypt, the files. This means that the NSA, malicious hackers, business competitors, and even crazy girlfriends and boyfriends won't be able to peer into users' most sensitive and private files.
The startup has done it for NASA and Coca-Cola, and now they're looking to expand their reach.
Lockbox's Client Portal, like Least Authority's encryption service, lives on Amazon's S3 servers. It's also worth noting that Lockbox developed the encryption libraries that Google uses in its Android operating system.
The secure file-sharing service puts customers in control of their data, Lockbox CEO Peter Long said in a press release. "Businesses that have stayed away from the cloud in the past are excited by the global opportunities that Lockbox technology has opened. The close of our seed round is another sign of our incredible momentum over the past few months—signing new partners, customers, and expanding the business."
The company is also set to unveil its iOS apps, which will allow users to securely view encrypted files on iPhones and iPads. The cheapest plan is $500 per year (or $50 per month), and users can share the service with 20 other people.
Leave it to business to create a privacy industry to handle consumer demand. But, you really can't put a price on personal secrecy, can you?
Google Encrypts Data Amid Backlash Against NSA Spying
Google is racing to encrypt the torrents of information that flow among its data centers around the world in a bid to thwart snooping by the NSA and the intelligence agencies of foreign governments, company officials said Friday.
The move by Google is among the most concrete signs yet that recent revelations about the National Security Agency’s sweeping surveillance efforts have provoked significant backlash within an American technology industry that U.S. government officials long courted as a potential partner in spying programs.
Google’s encryption initiative, initially approved last year, was accelerated in June as the tech giant struggled to guard its reputation as a reliable steward of user information amid controversy about the NSA’s PRISM program, first reported in The Washington Post and the Guardian that month. PRISM obtains data from American technology companies, including Google, under various legal authorities.
Encrypting information flowing among data centers will not make it impossible for intelligence agencies to snoop on individual users of Google services, nor will it have any effect on legal requirements that the company comply with court orders or valid national security requests for data. But company officials and independent security experts said that increasingly widespread use of encryption technology makes mass surveillance more difficult — whether conducted by governments or other sophisticated hackers.
“It’s an arms race,” said Eric Grosse, vice president for security engineering at Google, based in Mountain View, Calif. “We see these government agencies as among the most skilled players in this game.”
Experts say that, aside from the U.S. government, sophisticated government hacking efforts emanate from China, Russia, Britain and Israel.
The NSA seeks to defeat encryption through a variety of means, including by obtaining encryption “keys” to decode communications, by using super-computers to break codes, and by influencing encryption standards to make them more vulnerable to outside attack, according to reports Thursday by the New York Times, the Guardian and ProPublica, based on documents provided by former NSA contractor Edward Snowden.
But those reports made clear that encryption — essentially converting data into what appears to be gibberish when intercepted by outsiders — complicates government surveillance efforts, requiring that resources be devoted to decoding or otherwise defeating the systems. Among the most common tactics, experts say, is to hack into individual computers or other devices used by people targeted for surveillance, making what amounts to an end run around coded communications.
Security experts say the time and energy required to defeat encryption forces surveillance efforts to be targeted more narrowly on the highest-priority targets — such as terrorism suspects — and limits the ability of governments to simply cast a net into the huge rivers of data flowing across the Internet.
“If the NSA wants to get into your system, they are going to get in . . . . Most of the people in my community are realistic about that,” said Christopher Soghoian, a computer security expert at the American Civil Liberties Union. “This is all about making dragnet surveillance impossible.”
The NSA declined to comment for this article. The Office of the Director of National Intelligence issued a statement Thursday saying: “Throughout history, nations have used encryption to protect their secrets, and today terrorists, cybercriminals, human traffickers and others also use code to hide their activities. Our intelligence community would not be doing its job if we did not try to counter that.”
The U.S. intelligence community has been reeling since news reports based on Snowden’s documents began revealing remarkable new detail about how the government collects, analyzes and disseminates information — including, in some circumstances, the e-mails, video chats and phone communications of American citizens.
Many of the documents portray U.S. companies as pliant “Corporate Partners” or “Providers” of information. While telecommunications companies have generally declined to comment on their relationships with government surveillance, some technology companies have reacted with outrage at the depictions in the NSA documents released by Snowden. They have joined civil liberties groups in demanding more transparency and insisting that information is turned over to the government only when required by law, often in the form of a court order.
In June, Google and Microsoft asked the Foreign Intelligence Surveillance Court to allow them greater latitude in reporting how much information they must turn over to the government. On Friday, Yahoo issued its first “government transparency report,” saying it had received 12,444 requests for data from the U.S. government this year, covering the accounts of 40,322 users.
Google has long been more aggressive than its peers within the U.S. technology industry in deploying encryption technology. It turned on encryption in its popular Gmail service in 2010, and since then has added similar protections for Google searches for most users.
Yet even as it encrypted much of the data flowing between Google and its users, the information traveling between its data centers offered rare points of vulnerability to potential intruders, especially government surveillance agencies, security officials said. User information — including copies of e-mails, search queries, videos and Web browsing history — typically is stored in several data centers that transmit information to each other on high-speed fiber-optic lines.
Several other companies, including Microsoft, Apple and Facebook, increasingly have begun using encryption for some of their services, though the quality varies by company. Communications between services — when an e-mail, for example, is sent from a user of Gmail to a user of Microsoft’s Outlook mail — are not generally encrypted, appearing to surveillance systems as what experts call “clear text.”
Google officials declined to provide details on the cost of its new encryption efforts, the numbers of data centers involved, or the exact technology used. Officials did say that it will be what experts call “end-to-end,” meaning that both the servers in the data centers and the information on the fiber-optic lines connecting them will be encrypted using “very strong” technology. The project is expected to be completed soon, months ahead of the original schedule.
Grosse echoed comments from other Google officials, saying that the company resists government surveillance and has never weakened its encryption systems to make snooping easier — as some companies reportedly have, according to the Snowden documents detailed by the Times and the Guardian on Thursday.
“This is just a point of personal honor,” Grosse said. “It will not happen here.”
Security experts said news reports detailing the extent of NSA efforts to defeat encryption were startling. It was widely presumed that the agency was working to gain access to protected information, but the efforts were far more extensive than understood and reportedly contributed to the creation of vulnerabilities that other hackers, including foreign governments, could exploit.
Matthew Green, a Johns Hopkins cryptography expert, applauded Google’s move to harden its defenses against government surveillance, but said recent revelations make clear the many weaknesses of commonly used encryption technology, much of which dates back to the 1990s or earlier. He called for renewed efforts among companies and independent researchers to update systems — the hardware, the software and the algorithms.
“The idea that humans can communicate safely is something we should fight for,” Green said.
But he said he wasn’t sure that would happen: “A lot of people in the next week are going to say, this is too hard. Let’s forget about the NSA.”
Hayley Tsukayama contributed to this report.
How to Remain Secure Against NSA Surveillance
The NSA has huge capabilities – and if it wants in to your computer, it's in. With that in mind, here are five ways to stay safe
'Trust the math. Encryption is your friend. That's how you can remain secure even in the face of the NSA.'
Now that we have enough details about how the NSA eavesdrops on the internet, including today's disclosures of the NSA's deliberate weakening of cryptographic systems, we can finally start to figure out how to protect ourselves.
For the past two weeks, I have been working with the Guardian on NSA stories, and have read hundreds of top-secret NSA documents provided by whistleblower Edward Snowden. I wasn't part of today's story – it was in process well before I showed up – but everything I read confirms what the Guardian is reporting.
At this point, I feel I can provide some advice for keeping secure against such an adversary.
The primary way the NSA eavesdrops on internet communications is in the network. That's where their capabilities best scale. They have invested in enormous programs to automatically collect and analyze network traffic. Anything that requires them to attack individual endpoint computers is significantly more costly and risky for them, and they will do those things carefully and sparingly.
Leveraging its secret agreements with telecommunications companies – all the US and UK ones, and many other "partners" around the world – the NSA gets access to the communications trunks that move internet traffic. In cases where it doesn't have that sort of friendly access, it does its best to surreptitiously monitor communications channels: tapping undersea cables, intercepting satellite communications, and so on.
That's an enormous amount of data, and the NSA has equivalently enormous capabilities to quickly sift through it all, looking for interesting traffic. "Interesting" can be defined in many ways: by the source, the destination, the content, the individuals involved, and so on. This data is funneled into the vast NSA system for future analysis.
The NSA collects much more metadata about internet traffic: who is talking to whom, when, how much, and by what mode of communication. Metadata is a lot easier to store and analyze than content. It can be extremely personal to the individual, and is enormously valuable intelligence.
The Systems Intelligence Directorate is in charge of data collection, and the resources it devotes to this are staggering. I read status report after status report about these programs, discussing capabilities, operational details, planned upgrades, and so on. Each individual problem – recovering electronic signals from fiber, keeping up with the terabyte streams as they go by, filtering out the interesting stuff – has its own group dedicated to solving it. Its reach is global.
The NSA also attacks network devices directly: routers, switches, firewalls, etc. Most of these devices have surveillance capabilities already built in; the trick is to surreptitiously turn them on. This is an especially fruitful avenue of attack; routers are updated less frequently, tend not to have security software installed on them, and are generally ignored as a vulnerability.
The NSA also devotes considerable resources to attacking endpoint computers. This kind of thing is done by its TAO – Tailored Access Operations – group. TAO has a menu of exploits it can serve up against your computer – whether you're running Windows, Mac OS, Linux, iOS, or something else – and a variety of tricks to get them on to your computer. Your anti-virus software won't detect them, and you'd have trouble finding them even if you knew where to look. These are hacker tools designed by hackers with an essentially unlimited budget. What I took away from reading the Snowden documents was that if the NSA wants in to your computer, it's in. Period.
The NSA deals with any encrypted data it encounters more by subverting the underlying cryptography than by leveraging any secret mathematical breakthroughs. First, there's a lot of bad cryptography out there. If it finds an internet connection protected by MS-CHAP, for example, that's easy to break and recover the key. It exploits poorly chosen user passwords, using the same dictionary attacks hackers use in the unclassified world.
As was revealed today, the NSA also works with security product vendors to ensure that commercial encryption products are broken in secret ways that only it knows about. We know this has happened historically: CryptoAG and Lotus Notes are the most public examples, and there is evidence of a back door in Windows. A few people have told me some recent stories about their experiences, and I plan to write about them soon. Basically, the NSA asks companies to subtly change their products in undetectable ways: making the random number generator less random, leaking the key somehow, adding a common exponent to a public-key exchange protocol, and so on. If the back door is discovered, it's explained away as a mistake. And as we now know, the NSA has enjoyed enormous success from this program.
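The first trick in that list, a random number generator made less random, is the subtlest because the keys it produces are indistinguishable from good ones to anyone who does not know the trick, and if found it is "explained away as a mistake." The following added toy, which is not any vendor's code and not from the article, shows why it still amounts to a back door: the key is derived from a 16-bit seed, so whoever knows the derivation recovers it from a single observed use by brute force in well under a second. The HMAC use of the key, the seed size and the derivation string are all constructed for the illustration.

```python
import hashlib
import hmac
import os

SEED_BITS = 16  # the "less random" generator draws from only 65,536 possible keys


def weak_key_from_seed(seed: int) -> bytes:
    """The backdoored key derivation: the key is a deterministic function of a
    16-bit seed, so every key this product ever makes is one of 2**16.
    (Derivation string is constructed for the example.)"""
    return hashlib.sha256(b"product-rng|" + seed.to_bytes(4, "big")).digest()


def generate_key_backdoored(rng=os.urandom) -> bytes:
    """Looks like a 256-bit key to anyone inspecting the output, and passes
    statistical randomness tests, but only two bytes of entropy went in."""
    seed = int.from_bytes(rng(2), "big")
    return weak_key_from_seed(seed)


def generate_key_sound() -> bytes:
    """The honest version: 256 bits straight from the OS CSPRNG."""
    return os.urandom(32)


def authenticate(key: bytes, message: bytes) -> bytes:
    """Stand-in for any visible use of the key; here an HMAC tag on a message."""
    return hmac.new(key, message, hashlib.sha256).digest()


def recover_key(message: bytes, observed_tag: bytes, seed_bits: int = SEED_BITS):
    """What the party that planted the back door does with one captured
    (message, tag) pair: walk the tiny seed space until the tag matches.
    Returns the key, or None if the key did not come from the weak generator."""
    for seed in range(1 << seed_bits):
        candidate = weak_key_from_seed(seed)
        if hmac.compare_digest(authenticate(candidate, message), observed_tag):
            return candidate
    return None


if __name__ == "__main__":
    msg = b"constructed sample message"
    k = generate_key_backdoored()
    print("backdoored key recovered:", recover_key(msg, authenticate(k, msg)) == k)
    print("sound key recovered:     ", recover_key(msg, authenticate(generate_key_sound(), msg)) is not None)
```

The detail that makes this hard to catch from outside is that the weakness lives entirely in how the key was chosen, not in the cipher or the protocol; the ciphertexts, tags and handshakes are all correct. Reviewing the key-generation path, and preferring implementations where that path is open to inspection, is the practical defense, which is the point of the fourth and fifth pieces of advice that follow.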
TAO also hacks into computers to recover long-term keys. So if you're running a VPN that uses a complex shared secret to protect your data and the NSA decides it cares, it might try to steal that secret. This kind of thing is only done against high-value targets.
How do you communicate securely against such an adversary? Snowden said it in an online Q&A soon after he made his first document public: "Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on."
I believe this is true, despite today's revelations and tantalizing hints of "groundbreaking cryptanalytic capabilities" made by James Clapper, the director of national intelligence in another top-secret document. Those capabilities involve deliberately weakening the cryptography.
Snowden's follow-on sentence is equally important: "Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it."
Endpoint means the software you're using, the computer you're using it on, and the local network you're using it in. If the NSA can modify the encryption algorithm or drop a Trojan on your computer, all the cryptography in the world doesn't matter at all. If you want to remain secure against the NSA, you need to do your best to ensure that the encryption can operate unimpeded.
With all this in mind, I have five pieces of advice:
1) Hide in the network. Implement hidden services. Use Tor to anonymize yourself. Yes, the NSA targets Tor users, but it's work for them. The less obvious you are, the safer you are.
2) Encrypt your communications. Use TLS. Use IPsec. Again, while it's true that the NSA targets encrypted connections – and it may have explicit exploits against these protocols – you're much better protected than if you communicate in the clear.
3) Assume that while your computer can be compromised, it would take work and risk on the part of the NSA – so it probably isn't. If you have something really important, use an air gap. Since I started working with the Snowden documents, I bought a new computer that has never been connected to the internet. If I want to transfer a file, I encrypt the file on the secure computer and walk it over to my internet computer, using a USB stick. To decrypt something, I reverse the process. This might not be bulletproof, but it's pretty good.
4) Be suspicious of commercial encryption software, especially from large vendors. My guess is that most encryption products from large US companies have NSA-friendly back doors, and many foreign ones probably do as well. It's prudent to assume that foreign products also have foreign-installed backdoors. Closed-source software is easier for the NSA to backdoor than open-source software. Systems relying on master secrets are vulnerable to the NSA, through either legal or more clandestine means.
5) Try to use public-domain encryption that has to be compatible with other implementations. For example, it's harder for the NSA to backdoor TLS than BitLocker, because any vendor's TLS has to be compatible with every other vendor's TLS, while BitLocker only has to be compatible with itself, giving the NSA a lot more freedom to make changes. And because BitLocker is proprietary, it's far less likely those changes will be discovered. Prefer symmetric cryptography over public-key cryptography. Prefer conventional discrete-log-based systems over elliptic-curve systems; the latter have constants that the NSA influences when they can.
Since I started working with Snowden's documents, I have been using GPG, Silent Circle, Tails, OTR, TrueCrypt, BleachBit, and a few other things I'm not going to write about. There's an undocumented encryption feature in my Password Safe program (from the command line); I've been using that as well.
I understand that most of this is impossible for the typical internet user. Even I don't use all these tools for most everything I am working on. And I'm still primarily on Windows, unfortunately. Linux would be safer.
The NSA has turned the fabric of the internet into a vast surveillance platform, but they are not magical. They're limited by the same economic realities as the rest of us, and our best defense is to make surveillance of us as expensive as possible.
Trust the math. Encryption is your friend. Use it well, and do your best to ensure that nothing can compromise it. That's how you can remain secure even in the face of the NSA.
N.S.A. Foils Much Internet Encryption
Nicole Perlroth, Jeff Larson and Scott Shane
The National Security Agency is winning its long-running secret war on encryption, using supercomputers, technical trickery, court orders and behind-the-scenes persuasion to undermine the major tools protecting the privacy of everyday communications in the Internet age, according to newly disclosed documents.
The agency has circumvented or cracked much of the encryption, or digital scrambling, that guards global commerce and banking systems, protects sensitive data like trade secrets and medical records, and automatically secures the e-mails, Web searches, Internet chats and phone calls of Americans and others around the world, the documents show.
Many users assume — or have been assured by Internet companies — that their data is safe from prying eyes, including those of the government, and the N.S.A. wants to keep it that way. The agency treats its recent successes in deciphering protected information as among its most closely guarded secrets, restricted to those cleared for a highly classified program code-named Bullrun, according to the documents, provided by Edward J. Snowden, the former N.S.A. contractor.
Beginning in 2000, as encryption tools were gradually blanketing the Web, the N.S.A. invested billions of dollars in a clandestine campaign to preserve its ability to eavesdrop. Having lost a public battle in the 1990s to insert its own “back door” in all encryption, it set out to accomplish the same goal by stealth.
The agency, according to the documents and interviews with industry officials, deployed custom-built, superfast computers to break codes, and began collaborating with technology companies in the United States and abroad to build entry points into their products. The documents do not identify which companies have participated.
The N.S.A. hacked into target computers to snare messages before they were encrypted. And the agency used its influence as the world’s most experienced code maker to covertly introduce weaknesses into the encryption standards followed by hardware and software developers around the world.
“For the past decade, N.S.A. has led an aggressive, multipronged effort to break widely used Internet encryption technologies,” said a 2010 memo describing a briefing about N.S.A. accomplishments for employees of its British counterpart, Government Communications Headquarters, or GCHQ. “Cryptanalytic capabilities are now coming online. Vast amounts of encrypted Internet data which have up till now been discarded are now exploitable.”
When the British analysts, who often work side by side with N.S.A. officers, were first told about the program, another memo said, “those not already briefed were gobsmacked!”
An intelligence budget document makes clear that the effort is still going strong. “We are investing in groundbreaking cryptanalytic capabilities to defeat adversarial cryptography and exploit Internet traffic,” the director of national intelligence, James R. Clapper Jr., wrote in his budget request for the current year.
In recent months, the documents disclosed by Mr. Snowden have described the N.S.A.’s broad reach in scooping up vast amounts of communications around the world. The encryption documents now show, in striking detail, how the agency works to ensure that it is actually able to read the information it collects.
The agency’s success in defeating many of the privacy protections offered by encryption does not change the rules that prohibit the deliberate targeting of Americans’ e-mails or phone calls without a warrant. But it shows that the agency, which was sharply rebuked by a federal judge in 2011 for violating the rules and misleading the Foreign Intelligence Surveillance Court, cannot necessarily be restrained by privacy technology. N.S.A. rules permit the agency to store any encrypted communication, domestic or foreign, for as long as the agency is trying to decrypt it or analyze its technical features.
The N.S.A., which has specialized in code-breaking since its creation in 1952, sees that task as essential to its mission. If it cannot decipher the messages of terrorists, foreign spies and other adversaries, the United States will be at serious risk, agency officials say.
Just in recent weeks, the Obama administration has called on the intelligence agencies for details of communications by Qaeda leaders about a terrorist plot and of Syrian officials’ messages about the chemical weapons attack outside Damascus. If such communications can be hidden by unbreakable encryption, N.S.A. officials say, the agency cannot do its work.
But some experts say the N.S.A.’s campaign to bypass and weaken communications security may have serious unintended consequences. They say the agency is working at cross-purposes with its other major mission, apart from eavesdropping: ensuring the security of American communications.
Some of the agency’s most intensive efforts have focused on the encryption in universal use in the United States, including Secure Sockets Layer, or SSL, virtual private networks, or VPNs, and the protection used on fourth generation, or 4G, smartphones. Many Americans, often without realizing it, rely on such protection every time they send an e-mail, buy something online, consult with colleagues via their company’s computer network, or use a phone or a tablet on a 4G network.
For at least three years, one document says, GCHQ, almost certainly in close collaboration with the N.S.A., has been looking for ways into protected traffic of the most popular Internet companies: Google, Yahoo, Facebook and Microsoft’s Hotmail. By 2012, GCHQ had developed “new access opportunities” into Google’s systems, according to the document.
“The risk is that when you build a back door into systems, you’re not the only one to exploit it,” said Matthew D. Green, a cryptography researcher at Johns Hopkins University. “Those back doors could work against U.S. communications, too.”
Paul Kocher, a leading cryptographer who helped design the SSL protocol, recalled how the N.S.A. lost the heated national debate in the 1990s about inserting into all encryption a government back door called the Clipper Chip.
“And they went and did it anyway, without telling anyone,” Mr. Kocher said. He said he understood the agency’s mission but was concerned about the danger of allowing it unbridled access to private information.
“The intelligence community has worried about ‘going dark’ forever, but today they are conducting instant, total invasion of privacy with limited effort,” he said. “This is the golden age of spying.”
A Vital Capability
The documents are among more than 50,000 shared by The Guardian with The New York Times and ProPublica, the nonprofit news organization. They focus primarily on GCHQ but include thousands either from or about the N.S.A.
Intelligence officials asked The Times and ProPublica not to publish this article, saying that it might prompt foreign targets to switch to new forms of encryption or communications that would be harder to collect or read. The news organizations removed some specific facts but decided to publish the article because of the value of a public debate about government actions that weaken the most powerful tools for protecting the privacy of Americans and others.
The files show that the agency is still stymied by some encryption, as Mr. Snowden suggested in a question-and-answer session on The Guardian’s Web site in June.
“Properly implemented strong crypto systems are one of the few things that you can rely on,” he said, though cautioning that the N.S.A. often bypasses the encryption altogether by targeting the computers at one end or the other and grabbing text before it is encrypted or after it is decrypted.
The documents make clear that the N.S.A. considers its ability to decrypt information a vital capability, one in which it competes with China, Russia and other intelligence powers.
“In the future, superpowers will be made or broken based on the strength of their cryptanalytic programs,” a 2007 document said. “It is the price of admission for the U.S. to maintain unrestricted access to and use of cyberspace.”
The full extent of the N.S.A.’s decoding capabilities is known only to a limited group of top analysts from the so-called Five Eyes: the N.S.A. and its counterparts in Britain, Canada, Australia and New Zealand. Only they are cleared for the Bullrun program, the successor to one called Manassas — both names of an American Civil War battle. A parallel GCHQ counterencryption program is called Edgehill, named for the first battle of the English Civil War of the 17th century.
Unlike some classified information that can be parceled out on a strict “need to know” basis, one document makes clear that with Bullrun, “there will be NO ‘need to know.’ ”
Only a small cadre of trusted contractors were allowed to join Bullrun. It does not appear that Mr. Snowden was among them, but he nonetheless managed to obtain dozens of classified documents referring to the program’s capabilities, methods and sources.
Ties to Internet Companies
When the N.S.A. was founded, encryption was an obscure technology used mainly by diplomats and military officers. Over the last 20 years, with the rise of the Internet, it has become ubiquitous. Even novices can tell that their exchanges are being automatically encrypted when a tiny padlock appears next to the Web address on their computer screen.
Because strong encryption can be so effective, classified N.S.A. documents make clear, the agency’s success depends on working with Internet companies — by getting their voluntary collaboration, forcing their cooperation with court orders or surreptitiously stealing their encryption keys or altering their software or hardware.
According to an intelligence budget document leaked by Mr. Snowden, the N.S.A. spends more than $250 million a year on its Sigint Enabling Project, which “actively engages the U.S. and foreign IT industries to covertly influence and/or overtly leverage their commercial products’ designs” to make them “exploitable.” Sigint is the abbreviation for signals intelligence, the technical term for electronic eavesdropping.
By this year, the Sigint Enabling Project had found ways inside some of the encryption chips that scramble information for businesses and governments, either by working with chipmakers to insert back doors or by surreptitiously exploiting existing security flaws, according to the documents. The agency also expected to gain full unencrypted access to an unnamed major Internet phone call and text service; to a Middle Eastern Internet service; and to the communications of three foreign governments.
In one case, after the government learned that a foreign intelligence target had ordered new computer hardware, the American manufacturer agreed to insert a back door into the product before it was shipped, someone familiar with the request told The Times.
The 2013 N.S.A. budget request highlights “partnerships with major telecommunications carriers to shape the global network to benefit other collection accesses” — that is, to allow more eavesdropping.
At Microsoft, as The Guardian has reported, the N.S.A. worked with company officials to get pre-encryption access to Microsoft’s most popular services, including Outlook e-mail, Skype Internet phone calls and chats, and SkyDrive, the company’s cloud storage service.
Microsoft asserted that it had merely complied with “lawful demands” of the government, and in some cases, the collaboration was clearly coerced. Executives who refuse to comply with secret court orders can face fines or jail time.
N.S.A. documents show that the agency maintains an internal database of encryption keys for specific commercial products, called a Key Provisioning Service, which can automatically decode many messages. If the necessary key is not in the collection, a request goes to the separate Key Recovery Service, which tries to obtain it.
How keys are acquired is shrouded in secrecy, but independent cryptographers say many are probably collected by hacking into companies’ computer servers, where they are stored. To keep such methods secret, the N.S.A. shares decrypted messages with other agencies only if the keys could have been acquired through legal means. “Approval to release to non-Sigint agencies,” a GCHQ document says, “will depend on there being a proven non-Sigint method of acquiring keys.”
Simultaneously, the N.S.A. has been deliberately weakening the international encryption standards adopted by developers. One goal in the agency’s 2013 budget request was to “influence policies, standards and specifications for commercial public key technologies,” the most common encryption method.
Cryptographers have long suspected that the agency planted vulnerabilities in a standard adopted in 2006 by the National Institute of Standards and Technology, the United States’ encryption standards body, and later by the International Organization for Standardization, which has 163 countries as members.
Classified N.S.A. memos appear to confirm that the fatal weakness, discovered by two Microsoft cryptographers in 2007, was engineered by the agency. The N.S.A. wrote the standard and aggressively pushed it on the international group, privately calling the effort “a challenge in finesse.”
“Eventually, N.S.A. became the sole editor,” the memo says.
Even agency programs ostensibly intended to guard American communications are sometimes used to weaken protections. The N.S.A.’s Commercial Solutions Center, for instance, invites the makers of encryption technologies to present their products and services to the agency with the goal of improving American cybersecurity. But a top-secret N.S.A. document suggests that the agency’s hacking division uses that same program to develop and “leverage sensitive, cooperative relationships with specific industry partners” to insert vulnerabilities into Internet security products.
A Way Around
By introducing such back doors, the N.S.A. has surreptitiously accomplished what it had failed to do in the open. Two decades ago, officials grew concerned about the spread of strong encryption software like Pretty Good Privacy, or P.G.P., designed by a programmer named Phil Zimmermann. The Clinton administration fought back by proposing the Clipper Chip, which would have effectively neutered digital encryption by ensuring that the N.S.A. always had the key.
That proposal met a broad backlash from an unlikely coalition that included political opposites like Senator John Ashcroft, the Missouri Republican, and Senator John Kerry, the Massachusetts Democrat, as well as the televangelist Pat Robertson, Silicon Valley executives and the American Civil Liberties Union. All argued that the Clipper would kill not only the Fourth Amendment, but also America’s global edge in technology.
By 1996, the White House backed down. But soon the N.S.A. began trying to anticipate and thwart encryption tools before they became mainstream.
“Every new technology required new expertise in exploiting it, as soon as possible,” one classified document says.
Each novel encryption effort generated anxiety. When Mr. Zimmermann introduced the Zfone, an encrypted phone technology, N.S.A. analysts circulated the announcement in an e-mail titled “This can’t be good.”
But by 2006, an N.S.A. document notes, the agency had broken into communications for three foreign airlines, one travel reservation system, one foreign government’s nuclear department and another’s Internet service by cracking the virtual private networks that protected them.
By 2010, the Edgehill program, the British counterencryption effort, was unscrambling VPN traffic for 30 targets and had set a goal of an additional 300.
But the agencies’ goal was to move away from decrypting targets’ tools one by one and instead decode, in real time, all of the information flying over the world’s fiber optic cables and through its Internet hubs, only afterward searching the decrypted material for valuable intelligence.
A 2010 document calls for “a new approach for opportunistic decryption, rather than targeted.” By that year, a Bullrun briefing document claims that the agency had developed “groundbreaking capabilities” against encrypted Web chats and phone calls. Its successes against Secure Sockets Layer and virtual private networks were gaining momentum.
But the agency was concerned that it could lose the advantage it had worked so long to gain, if the mere “fact of” decryption became widely known. “These capabilities are among the Sigint community’s most fragile, and the inadvertent disclosure of the simple ‘fact of’ could alert the adversary and result in immediate loss of the capability,” a GCHQ document outlining the Bullrun program warned.
Since Mr. Snowden’s disclosures ignited criticism of overreach and privacy infringements by the N.S.A., American technology companies have faced scrutiny from customers and the public over what some see as too cozy a relationship with the government. In response, some companies have begun to push back against what they describe as government bullying.
Google, Yahoo, Microsoft and Facebook have pressed for permission to reveal more about the government’s secret requests for cooperation. One small e-mail encryption company, Lavabit, shut down rather than comply with the agency’s demands for what it considered confidential customer information; another, Silent Circle, ended its e-mail service rather than face similar demands.
In effect, facing the N.S.A.’s relentless advance, the companies surrendered.
Ladar Levison, the founder of Lavabit, wrote a public letter to his disappointed customers, offering an ominous warning. “Without Congressional action or a strong judicial precedent,” he wrote, “I would strongly recommend against anyone trusting their private data to a company with physical ties to the United States.”
John Markoff contributed reporting.
The NSA Hacks Other Countries by Buying Millions of Dollars’ Worth of Computer Vulnerabilities
Like any government agency, the NSA hires outside companies to help it do the work it’s supposed to do. But an analysis of the intelligence community’s black budget reveals that unlike most of its peers, the agency’s top hackers are also funneling money to firms of dubious origin in exchange for computer malware that’s used to spy on foreign governments.
This year alone, the NSA secretly spent more than $25 million to procure “‘software vulnerabilities’ from private malware vendors,” according to a wide-ranging report on the NSA’s offensive work by the Post’s Barton Gellman and Ellen Nakashima.
Companies such as Microsoft already tell the government about gaps in their product security before issuing software updates, reportedly to give the NSA a chance to exploit those bugs first. But the NSA is also reaching into the Web’s shadier crevices to procure bugs the big software vendors don’t even know about — vulnerabilities that are known as “zero-days.”
Just who might the NSA be paying in this covert marketplace?
One of the most famous players in the arena is Vupen, a French company that specializes in selling zero-day exploits. A 2011 brochure made public on WikiLeaks showed Vupen boasting that it could “deliver exclusive exploit codes for undisclosed vulnerabilities discovered in-house by Vupen security researchers.
“This is a reliable and secure approach to help [law enforcement agencies] and investigators in covertly attacking and gaining access to remote computer systems,” the brochure continued.
To take advantage of the service, governments can purchase an annual subscription. The subscription comes with a number of “credits” that are spent on buying zero-day exploits; more sophisticated bugs require more credits.
In 2012, Vupen researchers who discovered a bug in Google Chrome turned down the chance to win a $60,000 bounty from the search giant, presumably in order to sell the vulnerability to a higher bidder. The company announced earlier this month that it would be opening an office in the same state as the NSA’s headquarters in Fort Meade, Md.
WikiLeaks identified a total of nearly 100 companies participating in the electronic surveillance industry worldwide, though not all of them are involved in the sale of software vulnerabilities.
Zero-days are particularly effective weapons that can sell for up to hundreds of thousands of dollars each.
The market for these exists in a legal gray area. Beyond that, it’s still unclear whether the NSA is actually drawing on black-market sources to bolster its network intrusion capabilities. But would it really surprise any of us if it were?
Drug Agents Use Vast Phone Trove, Eclipsing N.S.A.’s
Scott Shane and Colin Moynihan
For at least six years, law enforcement officials working on a counternarcotics program have had routine access, using subpoenas, to an enormous AT&T database that contains the records of decades of Americans’ phone calls — parallel to but covering a far longer time than the National Security Agency’s hotly disputed collection of phone call logs.
The Hemisphere Project, a partnership between federal and local drug officials and AT&T that has not previously been reported, involves an extremely close association between the government and the telecommunications giant.
The government pays AT&T to place its employees in drug-fighting units around the country. Those employees sit alongside Drug Enforcement Administration agents and local detectives and supply them with the phone data from as far back as 1987.
The project comes to light at a time of vigorous public debate over the proper limits on government surveillance and on the relationship between government agencies and communications companies. It offers the most significant look to date at the use of such large-scale data for law enforcement, rather than for national security.
The scale and longevity of the data storage appears to be unmatched by other government programs, including the N.S.A.’s gathering of phone call logs under the Patriot Act. The N.S.A. stores the data for nearly all calls in the United States, including phone numbers and time and duration of calls, for five years.
Hemisphere covers every call that passes through an AT&T switch — not just those made by AT&T customers — and includes calls dating back 26 years, according to Hemisphere training slides bearing the logo of the White House Office of National Drug Control Policy. Some four billion call records are added to the database every day, the slides say; technical specialists say a single call may generate more than one record. Unlike the N.S.A. data, the Hemisphere data includes information on the locations of callers.
The slides were given to The New York Times by Drew Hendricks, a peace activist in Port Hadlock, Wash. He said he had received the PowerPoint presentation, which is unclassified but marked “Law enforcement sensitive,” in response to a series of public information requests to West Coast police agencies.
The program was started in 2007, according to the slides, and has been carried out in great secrecy.
“All requestors are instructed to never refer to Hemisphere in any official document,” one slide says. A search of the Nexis database found no reference to the program in news reports or Congressional hearings.
The Obama administration acknowledged the extraordinary scale of the Hemisphere database and the unusual embedding of AT&T employees in government drug units in three states.
But they said the project, which has proved especially useful in finding criminals who discard cellphones frequently to thwart government tracking, employed routine investigative procedures used in criminal cases for decades and posed no novel privacy issues.
Crucially, they said, the phone data is stored by AT&T, and not by the government as in the N.S.A. program. It is queried for phone numbers of interest mainly using what are called “administrative subpoenas,” those issued not by a grand jury or a judge but by a federal agency, in this case the D.E.A.
Brian Fallon, a Justice Department spokesman, said in a statement that “subpoenaing drug dealers’ phone records is a bread-and-butter tactic in the course of criminal investigations.”
Mr. Fallon said that “the records are maintained at all times by the phone company, not the government,” and that Hemisphere “simply streamlines the process of serving the subpoena to the phone company so law enforcement can quickly keep up with drug dealers when they switch phone numbers to try to avoid detection.”
He said that the program was paid for by the D.E.A. and the White House drug policy office but that the cost was not immediately available.
Officials said four AT&T employees are now working in what is called the High Intensity Drug Trafficking Area program, which brings together D.E.A. and local investigators — two in the program’s Atlanta office and one each in Houston and Los Angeles.
Daniel C. Richman, a law professor at Columbia, said he sympathized with the government’s argument that it needs such voluminous data to catch criminals in the era of disposable cellphones.
“Is this a massive change in the way the government operates? No,” said Mr. Richman, who worked as a federal drug prosecutor in Manhattan in the early 1990s. “Actually you could say that it’s a desperate effort by the government to catch up.”
But Mr. Richman said the program at least touched on an unresolved Fourth Amendment question: whether mere government possession of huge amounts of private data, rather than its actual use, may trespass on the amendment’s requirement that searches be “reasonable.” Even though the data resides with AT&T, the deep interest and involvement of the government in its storage may raise constitutional issues, he said.
Jameel Jaffer, deputy legal director of the American Civil Liberties Union, said the 27-slide PowerPoint presentation, evidently updated this year to train AT&T employees for the program, “certainly raises profound privacy concerns.”
“I’d speculate that one reason for the secrecy of the program is that it would be very hard to justify it to the public or the courts,” he said.
Mr. Jaffer said that while the database remained in AT&T’s possession, “the integration of government agents into the process means there are serious Fourth Amendment concerns.”
Mr. Hendricks filed the public records requests while assisting other activists who have filed a federal lawsuit saying that a civilian intelligence analyst at an Army base near Tacoma infiltrated and spied on antiwar groups. (Federal officials confirmed that the slides are authentic.)
Mark A. Siegel, a spokesman for AT&T, declined to answer more than a dozen detailed questions, including ones about what percentage of phone calls made in the United States were covered by Hemisphere, the size of the Hemisphere database, whether the AT&T employees working on Hemisphere had security clearances and whether the company has conducted any legal review of the program.
“While we cannot comment on any particular matter, we, like all other companies, must respond to valid subpoenas issued by law enforcement,” Mr. Siegel wrote in an e-mail.
Representatives from Verizon, Sprint and T-Mobile all declined to comment on Sunday in response to questions about whether their companies were aware of Hemisphere or participated in that program or similar ones. A federal law enforcement official said that the Hemisphere Project was “singular” and that he knew of no comparable program involving other phone companies.
The PowerPoint slides outline several “success stories” highlighting the program’s achievements and showing that it is used in investigating a range of crimes, not just drug violations. The slides emphasize the program’s value in tracing suspects who use replacement phones, sometimes called “burner” phones, who switch phone numbers or who are otherwise difficult to locate or identify.
In March 2013, for instance, Hemisphere found the new phone number and location of a man who impersonated a general at a San Diego Navy base and then ran over a Navy intelligence agent. A month earlier the program helped catch a South Carolina woman who had made a series of bomb threats.
And in Seattle in 2011, the document says, Hemisphere tracked drug dealers who were rotating prepaid phones, leading to the seizure of 136 kilos of cocaine and $2.2 million.
U.S. Spied on Presidents of Brazil, Mexico: Report
The U.S. National Security Agency spied on the communications of the presidents of Brazil and Mexico, a Brazilian news program reported, a revelation that could strain U.S. relations with the two biggest countries in Latin America.
The report late Sunday by Globo's news program "Fantastico" was based on documents that journalist Glenn Greenwald obtained from former NSA contractor Edward Snowden. Greenwald, who lives in Rio de Janeiro, was listed as a co-contributor to the report.
"Fantastico" showed what it said was an NSA document dated June 2012 displaying passages of written messages sent by Mexican President Enrique Pena Nieto, who was still a candidate at that time. In the messages, Pena Nieto discussed who he was considering naming as his ministers once elected.
A separate document displayed communication patterns between Brazilian President Dilma Rousseff and her top advisers, "Fantastico" said, although no specific written passages were included in the report.
Both documents were part of an NSA case study showing how data could be "intelligently" filtered, Fantastico said.
Justice Minister Jose Eduardo Cardozo told O Globo newspaper that the contents of the documents, if confirmed, "should be considered very serious and constitute a clear violation of Brazilian sovereignty."
"This (spying) hits not only Brazil, but the sovereignty of several countries that could have been violated in a way totally contrary to what international law establishes," Cardozo said.
Cardozo traveled last week to Washington and met with U.S. Vice President Joseph Biden and other officials, seeking more details on a previous, seemingly less serious set of disclosures by Snowden regarding U.S. spying in Brazil.
Rousseff is scheduled to make a formal state visit in October to meet U.S. President Barack Obama in Washington, a trip intended to illustrate the warming in Brazil-U.S. relations since she took office in 2011.
A spokesman for Rousseff would not comment on the new spying allegations. Officials at Mexico's presidential palace did not immediately respond to a request for comment.
Snowden, an American who worked as a contractor for the NSA before leaking the documents, currently lives in asylum in Russia. "Fantastico" said it contacted Snowden via Internet chat, and that Snowden said he could not comment on the content of the report because of his asylum agreement with Russian authorities.
(Reporting by Brian Winter; editing by Jackie Frank)
Justice Department Talks With Microsoft and Google Stall
The U.S. Department of Justice's talks with Microsoft Corp and Google Inc have hit a wall as the government pushes back at the tech companies' demand for the ability to disclose the now-secret data requests they receive.
Microsoft's general counsel, Brad Smith, on Friday described as a failure the outcome of the companies' recent negotiations with the government over the disclosure of Foreign Intelligence Surveillance Act (FISA) court orders the companies receive.
"While we appreciate the good faith and earnest efforts by the capable government lawyers with whom we negotiated, we are disappointed that these negotiations ended in failure," he said.
The director of National Intelligence, James Clapper, on Thursday pledged to disclose aggregate numbers of FISA orders issued to tech and telecom companies, but the intelligence community has not agreed to allow particular companies to make such disclosures.
"FISA and national security letters are an important part of our effort to keep the nation and its citizens safe, and disclosing more detailed information about how they are used and to whom they are directed can obviously help our enemies avoid detection," Clapper said in a statement.
The tech sector has been pushing for greater transparency of government data requests as companies seek to shake off the concerns about their involvement in vast secret U.S. surveillance programs revealed by former spy contractor Edward Snowden.
"Google's reputation and business has been harmed by the false or misleading reports in the media, and Google's users are concerned by the allegations. Google must respond to such claims with more than generalities," the company said in a June motion filed with the FISA court, alongside a similar Microsoft filing.
The Department of Justice on Friday was due to file in a secret surveillance court its response to Microsoft and Google's motions filed in the wake of Snowden's leaks.
Filings in the court are classified, and the department's response was not published on the court's website late on Friday. A department spokesperson declined comment.
"We are deeply disappointed that despite months of negotiations and the efforts of many companies, the government has not yet permitted our industry to release more detailed and granular information about those requests," the general counsel for Facebook Inc, Colin Stretch, said in a statement.
The tech companies and privacy advocates tepidly welcomed Clapper's pledge for annual reports on numbers of data requests to Internet and phone companies, but expressed disappointment at stopping short of more detailed breakdowns.
"The new data that the government plans to publish is not nearly enough to justify the government's continued attempts to gag companies like Google and Microsoft and prevent them from engaging in meaningful transparency reporting of their own," said Kevin Bankston, director of free expression at privacy group Center for Democracy and Technology.
A Google spokesperson called Clapper's announcement "a step in the right direction," while adding, "There is still too much secrecy around these requests and that more openness is needed."
(Reporting by Alina Selyukh; additional reporting by Joseph Menn and David Ingram; Editing by Leslie Adler)
Hundreds of Pages of NSA Spying Documents to be Released As Result of EFF Lawsuit
In a major victory in one of EFF's Freedom of Information Act (FOIA) lawsuits, the Justice Department conceded yesterday that it will release hundreds of documents, including FISA court opinions, related to the government’s secret interpretation of Section 215 of the Patriot Act, the law the NSA has relied upon for years to mass collect the phone records of millions of innocent Americans.
In a court filing, the Justice Department, responding to a judge’s order, said that they would make public a host of material that will “total hundreds of pages” by next week, including:
[O]rders and opinions of the FISC issued from January 1, 2004, to June 6, 2011, that contain a significant legal interpretation of the government’s authority or use of its authority under Section 215; and responsive “significant documents, procedures, or legal analyses incorporated into FISC opinions or orders and treated as binding by the Department of Justice or the National Security Agency.”
While the government finally released a white paper detailing its expansive (and unconstitutional) interpretation of Section 215 last month, more important FISA court opinions adopting at least part of that interpretation have remained secret. The results of EFF’s FOIA lawsuit will finally lift the veil on the dubious legal underpinnings of NSA’s domestic phone surveillance program.
This victory for EFF comes on the heels of another FOIA success two weeks ago, when the Justice Department was also forced to release a 2011 FISA court opinion ruling some NSA surveillance unconstitutional.
Like our lawsuit over that 2011 FISA opinion—where the government posted the results on the Director of National Intelligence’s new Tumblr account—the Justice Department may attempt to portray this release as being done out of the goodness of its heart and as a testament to its commitment to transparency. While we applaud the government for finally releasing the opinions, it is not simply a case of magnanimity. The Justice Department is releasing this information because a court has ordered it to do so in response to EFF’s FOIA lawsuit, which was filed on the tenth anniversary of the enactment of the Patriot Act—nearly two years ago.
For most of the duration of the lawsuit, the government fought tooth and nail to keep every page of its interpretations secret, even once arguing it should not even be compelled to release the number of pages that their opinions consisted of. It was not until the start of the release of documents leaked by NSA whistleblower Edward Snowden that the government’s position became untenable and the court ordered the government to begin the declassification review process.
It also should be noted that on the same day the government agreed to release this information, GOP Rep. Jim Sensenbrenner, the author of the Patriot Act, submitted an amicus brief authored by EFF supporting ACLU’s constitutional challenge of the NSA phone collection program that relies on Section 215. In other words, even the author of Section 215 thinks the government has twisted and distorted its language to justify something that the law was never supposed to allow. Now, we will finally see that tortured interpretation.
Judge Says Search Warrants for E-mails Must Be ‘Limited’
Can law enforcement obtain a search warrant to dig through a vast trove of e-mails, instant messages and chat logs because they have reasonable suspicion that the owners of those accounts robbed computer equipment from a private company?
No, according to a ruling by a federal judge in Kansas earlier this week.
The case is significant in that it limits what constitutes unreasonable search and seizure, as protected by the Fourth Amendment, in the age of big data. The magistrate judge, David J. Waxse, denied the government’s search warrant requests on the grounds that it has to be particular and “reasonable in nature of breadth.”
Orin Kerr, a law professor at George Washington University and an expert on surveillance law, interpreted it this way on Twitter: “You can’t look through the kitchen sink to get the evidence, as you do with physical searches.”
Prosecutors sought search warrants to extract information from Verizon, an Internet service provider, GoDaddy, a Web site hosting company, along with Web communications companies Google, Skype and Yahoo on account holders suspected of having stolen $5,000 in computer equipment from Sprint.
The government believed that the suspects used e-mail and instant-message accounts to “facilitate the purchase, receipt and transportation of the equipment” from Kansas to New Jersey. The government sought “contents of all emails, instant messages and chat logs/sessions — and other account-related information” for the named suspects.
The judge balked.
If the authorities are looking for a stolen lawn mower in a garage, he wrote, citing a previous case involving search warrants of physical property, they can’t get a search warrant that covers the upstairs bedroom.
“The manifest purpose of the Fourth Amendment particularity requirement is to prevent general searches. By limiting the authorization to search the specific areas and things for which there is probable cause to search, the particularity requirement ensures that the search will be carefully tailored to its justifications, and will not become a wide-ranging, exploratory search prohibited by the Fourth Amendment.”
The judge went on to say that the government’s search order ought to have “sufficient limits or boundaries” to the communications that law enforcement officials can rifle through. He suggested that the search order be limited to certain keywords or that an independent vendor be asked to automate the process of finding relevant material.
That is to say, use data-mining techniques to not rummage through everything.
The US Government Has Betrayed the Internet. We Need to Take it Back
The NSA has undermined a fundamental social contract. We engineers built the internet – and now we have to fix it
Government and industry have betrayed the internet, and us.
By subverting the internet at every level to make it a vast, multi-layered and robust surveillance platform, the NSA has undermined a fundamental social contract. The companies that build and manage our internet infrastructure, the companies that create and sell us our hardware and software, or the companies that host our data: we can no longer trust them to be ethical internet stewards.
This is not the internet the world needs, or the internet its creators envisioned. We need to take it back.
And by we, I mean the engineering community.
Yes, this is primarily a political problem, a policy matter that requires political intervention.
But this is also an engineering problem, and there are several things engineers can – and should – do.
One, we should expose. If you do not have a security clearance, and if you have not received a National Security Letter, you are not bound by federal confidentiality requirements or a gag order. If you have been contacted by the NSA to subvert a product or protocol, you need to come forward with your story. Your employer obligations don't cover illegal or unethical activity. If you work with classified data and are truly brave, expose what you know. We need whistleblowers.
We need to know exactly how the NSA and other agencies are subverting routers, switches, the internet backbone, encryption technologies and cloud systems. I already have five stories from people like you, and I've just started collecting. I want 50. There's safety in numbers, and this form of civil disobedience is the moral thing to do.
Two, we can design. We need to figure out how to re-engineer the internet to prevent this kind of wholesale spying. We need new techniques to prevent communications intermediaries from leaking private information.
We can make surveillance expensive again. In particular, we need open protocols, open implementations, open systems – these will be harder for the NSA to subvert.
The Internet Engineering Task Force, the group that defines the standards that make the internet run, has a meeting planned for early November in Vancouver. This group needs to dedicate its next meeting to this task. This is an emergency, and demands an emergency response.
Three, we can influence governance. I have resisted saying this up to now, and I am saddened to say it, but the US has proved to be an unethical steward of the internet. The UK is no better. The NSA's actions are legitimizing the internet abuses by China, Russia, Iran and others. We need to figure out new means of internet governance, ones that make it harder for powerful tech countries to monitor everything. For example, we need to demand transparency, oversight, and accountability from our governments and corporations.
Unfortunately, this is going to play directly into the hands of totalitarian governments that want to control their country's internet for even more extreme forms of surveillance. We need to figure out how to prevent that, too. We need to avoid the mistakes of the International Telecommunications Union, which has become a forum to legitimize bad government behavior, and create truly international governance that can't be dominated or abused by any one country.
Generations from now, when people look back on these early decades of the internet, I hope they will not be disappointed in us. We can ensure that they don't only if each of us makes this a priority, and engages in the debate. We have a moral duty to do this, and we have no time to lose.
Dismantling the surveillance state won't be easy. Has any country that engaged in mass surveillance of its own citizens voluntarily given up that capability? Has any mass surveillance country avoided becoming totalitarian? Whatever happens, we're going to be breaking new ground.
Again, the politics of this is a bigger task than the engineering, but the engineering is critical. We need to demand that real technologists be involved in any key government decision making on these issues. We've had enough of lawyers and politicians not fully understanding technology; we need technologists at the table when we build tech policy.
To the engineers, I say this: we built the internet, and some of us have helped to subvert it. Now, those of us who love liberty have to fix it.
Legislation Seeks to Bar N.S.A. Tactic in Encryption
Scott Shane and Nicole Perlroth
After disclosures about the National Security Agency’s stealth campaign to counter Internet privacy protections, a congressman has proposed legislation that would prohibit the agency from installing “back doors” into encryption, the electronic scrambling that protects e-mail, online transactions and other communications.
Representative Rush D. Holt, a New Jersey Democrat who is also a physicist, said Friday that he believed the N.S.A. was overreaching and could hurt American interests, including the reputations of American companies whose products the agency may have altered or influenced.
“We pay them to spy,” Mr. Holt said. “But if in the process they degrade the security of the encryption we all use, it’s a net national disservice.”
Mr. Holt, whose Surveillance State Repeal Act would eliminate much of the escalation in the government’s spying powers undertaken after the 2001 terrorist attacks, was responding to news reports about N.S.A. documents showing that the agency has spent billions of dollars over the last decade in an effort to defeat or bypass encryption. The reports, by The New York Times, ProPublica and The Guardian, were posted online on Thursday.
The agency has encouraged or coerced companies to install back doors in encryption software and hardware, worked to weaken international standards for encryption and employed custom-built supercomputers to break codes or find mathematical vulnerabilities to exploit, according to the documents, disclosed by Edward J. Snowden, the former N.S.A. contractor.
The documents show that N.S.A. cryptographers have made major progress in breaking the encryption in common use for everyday transactions on the Web, like Secure Sockets Layer, or SSL, as well as the virtual private networks, or VPNs, that many businesses use for confidential communications among employees.
Intelligence officials say that many of their most important targets, including terrorist groups, use the same Webmail and other Internet services that many Americans use, so it is crucial to be able to penetrate the encryption that protects them. In an intense competition with other sophisticated cyberespionage services, including those of China and Russia, the N.S.A. cannot rule large parts of the Internet off limits, the officials argue.
A statement from the director of national intelligence, James R. Clapper Jr., criticized the reports, saying that it was “not news” that the N.S.A. works to break encryption, and that the articles would damage American intelligence collection.
The reports, the statement said, “reveal specific and classified details about how we conduct this critical intelligence activity.”
“Anything that yesterday’s disclosures add to the ongoing public debate,” it continued, “is outweighed by the road map they give to our adversaries about the specific techniques we are using to try to intercept their communications in our attempts to keep America and our allies safe and to provide our leaders with the information they need to make difficult and critical national security decisions.”
But if intelligence officials felt a sense of betrayal by the disclosures, Internet security experts felt a similar letdown — at the N.S.A. actions.
“There’s widespread disappointment,” said Dan Kaminsky, a prominent security researcher. “This has been the stuff of wild-eyed accusations for years. A lot of people are heartbroken to find out it’s not just wild-eyed accusations.”
Sascha Meinrath, the director of the Open Technology Institute, a research group in Washington, said the reports were “a startling indication that the U.S. has been a remarkably irresponsible steward of the Internet,” which he said the N.S.A. was trying to turn into “a massive platform for detailed, intrusive and unrestrained surveillance.”
Companies like Google and Facebook have been moving to new systems that, in principle, would make government eavesdropping more difficult. Google is in the process of encrypting all data that travels via fiber-optic lines between its data centers. The company speeded up the process in June after the initial N.S.A. disclosures, according to two people who were briefed on Google’s plans but were not authorized to speak publicly about them. The acceleration of the process was first reported Friday by The Washington Post.
For services like Gmail, once data reaches a user’s computer it has been encrypted. But as messages and other data like search queries travel internally among Google’s data centers they are not encrypted, largely because it is technically complicated and expensive to do.
Facebook announced last month that it would also transition to a novel encryption method, called perfect forward secrecy, that makes eavesdropping far more difficult.
Marc Rotenberg, the executive director of the Electronic Privacy Information Center, a civil liberties group in Washington, said the quandary posed by the N.S.A.’s efforts against encryption began with its dual role: eavesdropping on foreign communications while protecting American communications.
“Invariably the two missions collide,” he said. “We don’t dispute that their ability to capture foreign intelligence is quite important. The question is whether their pursuit of that mission threatens to undermine the security and privacy of Internet communications.”
Mr. Rotenberg is a veteran of what were known as the “crypto wars” of the 1990s, when the N.S.A. proposed the Clipper Chip, a government back door that would be built into every encryption program.
That proposal was defeated by a diverse coalition of technology businesses and privacy advocates, including Mr. Rotenberg’s organization. But the documents make clear that the N.S.A. never gave up on the goal of being able to read everything and has made what memos call “breakthroughs” in recent years in its efforts.
A complicating factor is the role of the major American Internet companies, which have been the target of counterencryption efforts by both the N.S.A. and its closely allied British counterpart, GCHQ. One document describes “new access opportunities” in Google systems; the company said on Thursday that it had not given the agencies access and was aware of no breach of its security.
But the perception of an N.S.A. intrusion into the networks of major Internet companies, whether surreptitious or with the companies’ cooperation, could hurt business, especially in international markets.
“What buyer is going to purchase a product that has been deliberately made less secure?” asked Mr. Holt, the congressman. “Even if N.S.A. does it with the purest motive, it can ruin the reputations of billion-dollar companies.”
In addition, news that the N.S.A. is inserting vulnerabilities into widely used technologies could put American lawmakers and technology companies in a bind with regard to China.
Over the last two years, American lawmakers have accused two of China’s largest telecommunications companies, Huawei Technologies and ZTE, of doing something parallel to what the N.S.A. has done: planting back doors into their equipment to allow for eavesdropping by the Chinese government and military.
Both companies have denied collaborating with the Chinese government, but the allegations have eliminated the companies’ hopes for significant business growth in the United States. After an investigation last year, the House Intelligence Committee concluded that government agencies should be barred from doing business with Huawei and ZTE, and that American companies should avoid buying their equipment.
Some foreign governments and companies have also said that they would not rely on the Chinese companies’ equipment out of security concerns. Last year, Australia barred Huawei from bidding on contracts in Australia’s $38 billion national broadband network. And this year, as part of its effort to acquire Sprint Nextel, SoftBank of Japan pledged that it would not use Huawei equipment in Sprint’s cellphone network.
Claire Cain Miller contributed reporting.
How the Anti-Piracy Lobby is Like the Syrian Electronic Army
The attack on the New York Times' web site this week was accomplished via a method that proponents of anti-piracy measures wanted written into U.S. law.
The attack that knocked The New York Times offline this week was an old-school hack: simple DNS blocking. The Syrian Electronic Army, which apparently mounted the attack, broke into domain-name servers run by Melbourne IT (and not into the NYT's own systems, which would have been a much bigger deal) and changed some numbers, redirecting the NYT's incoming traffic away from the site.
As tech journalist Rob Pegaro points out at Sulia (which, fair warning, is a confusing, unnavigable mess of a website), this technique is pretty much what the backers of the anti-copyright-infringement laws SOPA and PIPA wanted written into the law. It "would have let copyright holders require Internet providers to use DNS redirection to block access to allegedly infringing sites," Pegaro notes. "That authority would inevitably have been abused in social-engineering exploits -- and we'd likely see a lot more outages like the NYT's."
It's hard to know that for sure, but DNS blocking was something that backers of the bills insisted upon, and thanks to the backlash -- including from many security experts -- that insistence helped kill the bills in Congress. Blocking domain-name service -- which is one of the foundational technologies
Not only is DNS blocking dangerous, it's also "laughably ineffective" for something like stopping piracy, says Mike Masnick of TechDirt. That's because blocking DNS doesn't actually knock a site offline -- it merely causes the domain name (in this case, nytimes.com) to not work. The site is still there, behind its Internet protocol address. (Domain-name service is what maps an IP address, expressed in numbers, to a web domain like nytimes.com. The Washington Post has an excellent explainer on all this, including the hack.)
Masnick's right to a point. Some people did figure out how to get to the Times' web page. But most people would have no idea how to do so, and the newspaper lost a ton of traffic while it was down. When it comes to piracy, yes, people who want free movies from Pirate Bay would be able to get to that site even if its DNS were blocked -- and presumably more of them than average would be tech-savvy enough to figure out how to do so.
Meanwhile, Bloomberg reports that Twitter was able to withstand a similar attack because it has something called a "registry lock" in place. It can be had for $50.
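The "registry lock" mentioned above is visible in a domain's WHOIS record as registry-set EPP status codes. The following is an added example, not code from the article: it parses constructed WHOIS text and reports whether a domain carries a registry lock, a weaker registrar-only lock, or nothing, so a defender can audit their own domains before an incident like the one that hit the NYT.

```python
"""Audit a domain's WHOIS status codes for a registry lock.

Added example, not from the article. A registry lock typically appears as the
registry-set statuses serverDeleteProhibited, serverTransferProhibited and
serverUpdateProhibited. The client* variants are set by the registrar and can
be cleared by anyone who controls the registrar account, which is exactly the
weakness a registrar compromise exploits. All WHOIS text below is constructed.
"""
import re

# Registry-level statuses that together constitute a registry lock.
REGISTRY_LOCK_STATUSES = {
    "serverDeleteProhibited",
    "serverTransferProhibited",
    "serverUpdateProhibited",
}
# Registrar-level statuses: better than nothing, but removable by the registrar.
REGISTRAR_LOCK_STATUSES = {
    "clientDeleteProhibited",
    "clientTransferProhibited",
    "clientUpdateProhibited",
}

# Matches lines such as "Domain Status: clientTransferProhibited https://..."
STATUS_RE = re.compile(r"^\s*Domain Status:\s*(\w+)", re.MULTILINE)


def parse_statuses(whois_text):
    """Return the set of EPP status codes found in WHOIS output."""
    return set(STATUS_RE.findall(whois_text))


def assess_lock(whois_text):
    """Classify a record as 'registry', 'registrar' or 'none' locked."""
    statuses = parse_statuses(whois_text)
    if REGISTRY_LOCK_STATUSES <= statuses:
        return "registry"
    if REGISTRAR_LOCK_STATUSES <= statuses:
        return "registrar"
    return "none"


def missing_registry_statuses(whois_text):
    """List the registry-lock statuses a record lacks (empty if fully locked)."""
    return sorted(REGISTRY_LOCK_STATUSES - parse_statuses(whois_text))


# Constructed sample records (not real WHOIS data).
UNLOCKED = """\
Domain Name: EXAMPLE-NEWS.TEST
Registrar: Example Registrar, Inc.
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: NS1.EXAMPLE-NEWS.TEST
"""

LOCKED = """\
Domain Name: EXAMPLE-SOCIAL.TEST
Registrar: Example Registrar, Inc.
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
"""

if __name__ == "__main__":
    for label, record in (("unlocked", UNLOCKED), ("locked", LOCKED)):
        print(label, assess_lock(record), missing_registry_statuses(record))
```

Feed it the output of a real `whois` lookup for your own domains; anything that does not come back as "registry" is a candidate for asking the registrar about a registry lock.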
Until next week,
Jack Spratts' Week In Review is published every Friday. Submit letters, articles, press releases, comments, questions etc. in plain text English to jackspratts (at) lycos (dot) com. Submission deadlines are Thursdays @ 1400 UTC. Please include contact info. The right to publish all remarks is reserved.
"The First Amendment rests on the assumption that the widest possible dissemination of information from diverse and antagonistic sources is essential to the welfare of the public." - Hugo Black