18.03.2007 20:56

Selling user data

It's not a secret that if you're a researcher, you can get ISP traffic for your research. It is (or at least should be) anonymized, however.

It has been revealed recently that data about user traffic is also sold (check also here). It looks like it was about the US market. Is it the same in the EU? I guess the answer is yes.

Surprise? Rather not. What's more, the thing is rather not regulated in most countries, and there's also nothing about it when you subscribe to your Net access. It seems logical. Website-based tools do not give very accurate results, because you can deal with them using Adblock and such things. The requests that come from your machine... That's another source for analysis and a very good one.

Then we come to EU data retention, which does look like a distant subject, but it is not. What is the data to be stored under the retention law? The same thing that I think is sold (probably in a slightly more aggregated form). That raises a concern about the use of the stored data. Having it on the disks will make it much easier to sell in huge volumes and also to run certain data mining techniques and then sell the results. With or without notifying the users. Legally or not. With such an amount of data (in Poland the project has 5 years of mandatory data storage, while the EU max is 2 years) it's easy to imagine that the data will leak. What we currently have may be just a start of that.

Should the users be notified that their habits, even the websites they visit, are (or will be) monitored? I think they should. Clearly notified.

The defence is encryption. Unfortunately not so many sites support it (banks and financial institutions are exceptions here). Also, there are sites where passwords fly unencrypted, sometimes even clearly in the URL line. Trying not to use sites without even basic security is quite hard. Every unencrypted action (most of web browsing, many IM messages, emails etc.) just travels the Net in plaintext. Are you aware of that?


Posted by Mara | Permalink | Categories: Security

02.03.2007 22:39

DRM: a few years earlier

I trace the change of atmosphere around DRM (and I don't write about FLOSS-related websites here, they have had an unchanged opinion since the appearance of the whole thing). Not more than a year ago I thought that DRM-like solutions would finally be implemented and the user would have no choice other than not buying the equipment at all.

And now? Jobs writes against DRM, in fact. That caused criticism from the media industry, of course. The question about the costs and benefits of DRM, and whether it makes sense to implement it at all, has appeared in places I did not expect. That's definitely positive.

The context of the media-related discussion is the ease of cracking HD DVD and Blu-ray. That issue is a clear example of one major vulnerability the systems have: key distribution. The leaked ones can, theoretically, be blocked, but what if it happens in the case of popular hardware? Imagine hardware sold in millions of copies (quite possible, in fact). Will the producer risk the unhappiness of the clients and the need to change at least a part of the firmware for all of them? It's also interesting to compare the costs of development of those solutions and the time it took to break them. The question is, was there a better way to spend all that money?

Another piece of news is that there's now an OS with heavy DRM built in. It will show how much it affects usability. First reviews seem to be rather negative...

On the other hand, the market for non-DRM books and music is doing quite well if you only search for it. See, for instance, Baens and Jamendo.

So why the title 'DRM: a few years earlier'? The DRM issue is not yet solved and it's flowing. I think that from the perspective of the next 10 years we will consider current times as the moment when the whole thing was decided. And what will the decision be? I'm quite optimistic. I think that some kind of DRM will survive, but only for limited uses, not the popular market.


Posted by Mara | Permalink | Categories: Security, Software