Monday, April 4, 2016

Perspectives on computer security and encryption from Apple, the FBI and I : Apple

Apple's perspective on computer security and encryption

This is the third in a series that started with discussing the FBI and my own use of security and encryption technology.

Apple's most lucrative product line at the moment is their iOS based distributed content delivery platform. This includes the iPhone, iPad, Apple TV, iWatch, and related hardware.  While this hardware is distributed to customers, the platform is similar to the platform I manage for my employer where hardware is distributed geographically but control remains in our hands.   This is the platform which Apple has been marketing to the content industry for decades as a safe secure platform for them to distribute their multimedia where it is Apple and not the end users which control the technology.

These devices are intended to be connected to the network, and the ongoing work to secure them is similar to any other network connected device.  The network and exploits carried out on the network don't differentiate clients and servers as much as the layperson thinks, and any network connected device must be constantly updated to deny unauthorized control.  The question of authorized control doesn't differentiate between types of devices, and it is just as easy for Apple to remotely manage an iOS device as it is for me to remotely manage the computers I do.  The major difference is in the reliability of the network connection, with mobile devices having less stable network connections than servers.  People also don't tend to turn servers off when a specific user isn't using them, but remote management and control doesn't require constant network access.

Hardware assistance for Apple's security

Apple's iPhone 5C which was discussed in the FBI vs Apple lawsuit does not include Touch ID or a Security Enclave, so it is similar to the existing control which Canadiana has of our distributed computers. While Apple remains in control of the platform, they are not as secure from malicious apps or intruders with physical access to the computers as they would like.

Secure Enclave is Apples implementation of the SecureCore and TrustZone technologies from ARM I discussed in the previous article.  This will grant Apple greater control over the technology than they had before, including greater control over the scenario where the attacker has physical access to the hardware.

Some users may find this technology will eventually make what is commonly called jailbreaking much harder, if not impossible.  Apple could opt to use Secure Enclave to disallow the people who possess the hardware from having any ability to bypass any of Apple's control.  It is critical to understand that Apple's use of this technology is not to grant the technology user more control over the hardware or their data, but to transfer any remaining control that the user might have had to Apple.  People who possess this hardware often incorrectly think of themselves as owners, even though acquiring an iOS device has become legally more similar to renting than purchasing due to anti-circumvention legislation.

People who acquire this hardware are not alone in the confusion. When James B. Comey, Director of the FBI, offered testimony in front of the Judiciary Committee he said, "In recent months, however, we have on a new scale seen mainstream products and services designed in a way that gives users sole control over access to their data."  While some people have suggested he might have been talking about Apples adoption of SecureCore and TrustZone, he is incorrectly suggesting it was "users" of these devices who would have sole control over access to data rather than Apple having additional control over the device.  It is possible that he fully understands Apple's use of technology, and wants to offer free advertising to Apple knowing that Apple is specifically not offering the service he is suggesting they are.

This is the same concern I have with the services I provide:  If law enforcement and courts believe it is the entity that possesses the hardware that is in control rather than the entity controlling the software stack with full network access then they will continue to send court orders to the wrong entity.

Law enforcement need to understand the technology better.  In the case of an iOS device, it is Apple who is the responsible entity and should be served with the warrant.  A very different scenario would be someone who is running CyanogenMod where it is the individual user (in this case, legitimately called an owner) of the device that is in control and thus they should be served with the warrant.

Limits to Apple's control

In the specific case before the courts the technology user didn't destroy the device, and there has been nothing to suggest that the user even "jailbroke" the device to bypass any of Apple's control.  The FBI currently possesses the device and will obviously be granting network access and power to the device.  This means that all the potential limits to Apple's control do not apply in this case, and thus they have full access to do anything requested of them.

In this case it appears that the FBI jailbroke the device on their own, no longer having a technical requirement to require assistance from Apple.

The law

While I may believe that lawful access all too often grants excessive access to police without adequate oversight, the law is clearly in the government's favour in this instance with the iPhone.  If we were talking about information stored on Facebook or Twitter, where the physical location and who was in control of the computer in question wasn't confusing people, the debate would not be happening at all.  Clearly Facebook is in control of their network of computers whether or not the devices are stored in locations that Facebook owns, and Apple is similarly in control of their secured platform.

There is no back-door being discussed.  All that Apple was being asked is to use their keys to the front door and access the data.  They are the entity that holds those keys, not the user of the technology who under anti-circumvention laws are denied legal access to the keys.

While Apple has been misdirecting people and stalling, and there are "engineers" who have allegedly threatened to leave Apple if the government is lawfully granted access, the situation is no different than any other of hundreds of technology companies providing services to users on a platform that the vendor rather than the user controls.  If Apple executives or individual employees are destroying evidence they should be found in contempt of court, and handled severely.

If Apple's engineering staff is not sufficient (or no longer after vigilantes resign) to solve any technical problems, then the court should order all source code and technical specifications to be disclosed to a third party who can do the require work.   If Apple refuses to disclose this information, then I would suggest that revoking their corporate charter should be the minimum on the table.

The fact that the FBI jailbroke the device should not have ended the case, and Apple should still be pursued by the government.

Politics

Adi Shamir, an award-winning cryptographer who helped create the RSA encryption algorithm in 1977, suggested that Apple "wait for a better test case to fight where the case is not so clearly in favor of the FBI."

I'm not convinced that Apple had an interest in winning the case. Apple's greatest threat to the market share for their secure vendor controlled content delivery platform comes from technology users switching to devices which they can individually control. Apple has a history of dishonestly trying to misdirect responsibility for their centralized control. While for decades it has been the confused content industry that still has some who mistakenly believe that this vendor control benefits them, a far more powerful scapegoat would be law enforcement and national security agencies.

Apple has the FBI falsely suggesting that next generation iOS devices "gives users sole control over access to their data", providing Apple with marketing for a service they don't provide and driving users to technology which the FBI and other government agencies will have easier access to through the legal system than competing technology. Whenever Apple is requested to disclose information they can claim "the Government made me do it", even though it is Apple who denied users of their services any device control in the first place.

It seems unlikely to me that the FBI didn't already have technology to "jailbreak" the device at hand.  This isn't going to be the simpler third party services available to end users, as governments will have far more resources and techniques available to them to "jailbreak" devices.  I suspect that the case was pursued for political reasons to try to push this issue forward, and likely to prop up Apple's marketing claims that they are providing technology which protects the users rather than Apple's conflicting interests.

Apple also knows that their business model and lobbying in support of anti-circumvention legislation is controversial, and them being the ones to push this case forward would provide less community opposition to the FBI than if a less divisive company were bringing the case forward.  Their involvement complicates what could have been an easy to understand set of sound bites in support of protecting technology owners rights against unreasonable search and seizure into something extremely complex to discuss.  I have been delayed in participating in the discussion as it took me a while to decide how to explain my position, and I fully expect to still get confused "but Apple are the good guys" comments to this article.

Apple's ongoing attack on technology owners interests could cause considerable damage.  If it becomes considered normal to have the vendor rather than the user be in control of communications technologies it may eventually lead (likely with Apple's continuing political lobbying) to governments outlawing citizen controlled technology which competes with Apple's vendor controlled technology.  It could be used to strengthen backwards laws which outlaw alleged device "owners" from removing non-owner locks from their devices, with the justifications moving from odd unproven theories about protecting "copyright" to even further counter-productive arguments about law enforcement and national security.

Conclusion

My answer to the question of whether I was on Apple or the FBI's side is clearly neither, as I consider them to have perspectives dangerously close to each other.  Neither are interested in allowing the wide deployment of technology that "gives users sole control over access to their data", and while their positions appear to be in opposition they are actually greatly helping each other.

Those who recognize the critical importance of secure citizen controlled communications technology should be opposing both of these entities, not siding with one or the other in a battle where the public interest loses no matter which one of those entities wins.

Perspectives on computer security and encryption from Apple, the FBI and I : my use

My perspective on computer security and encryption

This is a second article in a series that started with discussing the FBI and will end with discussing Apple.

I have worked in this industry since the early 1990's, administering Internet network connected computers.  I have worked for companies that produced firewalls, as well as worked in government departments where implementing security policies were critical.  Encryption is a critical part of what I do for clients and/or employers, as without it we could not build the services we are able to offer.

Local vs Remote Control

One of the hardest concepts to grasp with modern technology, including with fairly technical people, is the need to separate the concepts of geography and control.  With simpler technology the person who possessed something was the one who controlled it, but with modern computing this is not the case.

A big part of my current job at Canadiana is to manage a network of computers.  While some of the computers are located in the building I normally work in, most are not.  We currently have computers in Ottawa, Montreal, Toronto and Edmonton, with plans to continue to expand across the country as we grow. I control all of these computers from wherever I am at the time, whether that is physically in our main Ottawa office or when I am working from remote (I am in Sudbury as I type this).

We use Virtual Private Networking (VPN) technology to connect these computers together, and a variety of other encryption technologies used for authentication and privacy.  In order to connect to any of these computers I must possess both the required cryptographic keys as well as passphrases required to unlock those keys.   This is required to ensure that it is only authorized individuals like myself that can gain administrative access to these computers, and we need to ensure that nobody can eavesdrop on this communication and learn anything that might allow them unauthorized access.  We often are working with multiple layers of cryptography: secured ssh command-line access through VPN encrypted connections to network interfaces which don't have publicly routable addresses.

It is modern computer security and cryptography which makes this critical feature possible.  It is what allows us to know that we are able to have exclusive control over these devices regardless of their location. Any weakening of computer security, either to benefit law enforcement or some third party special interests (device manufacturers, etc), opens the technology up to other unauthorized access and makes my clients at risk.  I am not alone, and much of the modern economy and politics of society is built upon the need to continuously improve computer security and encryption.

Hardware assistance for security

We plan to expand our services beyond what we currently offer in two important ways that will impact security policies.

Currently we host our servers in partner organizations that we trust, as well as a commercial service provider. As we expand we may want to physically locate computers on networks and in server rooms of organizations that we have less trust in.  We will want security features which will protect us even from people who have physical access to the computers, to ensure that the most they could do is disable a node and not be able to abuse keys/etc stored within that node to attack other nodes in our network.

As we move from hosting digitized images towards the data which the digital humanities community need, we will have reasons to offer these communities the ability to author apps which run on our servers with faster access to the data and only need to communicate the results of complex queries to remote computers. These apps will run on our computer, but we will want to ensure that nothing that these apps can do can impact the rest of our network.  While there is a wide variety of software based virtualization technologies, we may have reason to harness hardware assistance to implement security policies.

One example is ARM architecture manufacturers which offer SecurCore and TrustZone technologies.   This allows combinations of multiple physical CPUs as well as multiple sections within a CPU being separated, allowing one to secure the other.  This can be used in conjunction with UEFI secure boot, which if implemented correctly can ensure that only software digitally signed by the owner can run on the computer.

Using separate System on Chip (SoC) technologies, the firmware loaded into a secure SoC can be instructed to erase local keys if it detects tampering.  This way encrypted data on the system could not be accessed even if the computer itself was physically compromised.  Keys could be stored in that secure zone, meaning that even if disks were removed from the server the data on them would be inaccessible.

While some companies will be able to afford to manage the software stack on each CPU within each zone, many will simply hire this from other companies.  Ideal in these environments is if the hardware vendors and software authors of the different components consider each other hostile, providing the same types of checks-and-balances within a computer that we need in our public policy spaces.  In this way the operating system might detect hostile secure zone firmware in the same way that the secure zone firmware may detect a hostile operating system, with both working together to protect the computer owner from hostile applications.

For some of us we will only put our trust in transparent and accountable FLOSS.  Genode provides good documentation on their TrustZone implementation. Open Virtualization provides a great ARM TrustZone FAQ, which describes the relationship between TrustZone and the Trusted Platform Mobile (TPM).  These are both commercially supported projects which offer both FLOSS and non-FLOSS licensing options for software which is open and accountable.

The limits of physical access

Once a computer is fully secure, there are only a few things that someone with physical access can do that is not under the control of the entity with all the security keys.
  • They can disconnect the device from the network.  This doesn't grant the person with physical access control, but it does deny the remote owner the ability to issue new commands to the device.  The device can only act on instructions it already has on it, in the form of installed software.
  • They can disconnect the power to the device.  This also doesn't grant the person with physical access control, but denies the ability of the remote owner to execute any commands whether the software was already installed on the device or not.
  • They can destroy the device.  This also doesn't grant the person with physical access control, but denies the ability of anyone to ever control the device again.
This means that while it is possible for someone with physical access to disrupt the operations of the device, it doesn't grant them control over the device.

The Law

When I am controlling a distributed set of computers on behalf of my employer, I and my employer should not be considered above the law.  If evidence of a crime was stored on our computers, and we were served with a valid court order to present this information to law enforcement or the court, we would obviously do so.

I would not consider it a reasonable course of action to deliberately configure computers under our control to destroy evidence.  As much as we might claim we are protecting the "privacy" of our clients, I don't consider that to be a valid reason to ignore a court order.  I would consider this an example of vigilantism that would be contrary to the public interest.  When a government makes harmful demands this should be something that is fought in the courts and debated in parliaments, not something that individual citizens or corporations take on themselves.   While we might agree or disagree with any specific government in any individual case, it makes us all unsafe if we condone individuals or governments ignoring the rule of law.

When a law is wrong we work hard as citizens to fix the law, not ignore it.  While I agree there are many buggy laws deployed in every country, I consider this a reason to get politically engaged as any trustworthy citizen or corporation should.

Law enforcement and courts need to modernize their understanding of technology, most importantly the question of control in a networked computing environment.  They need to understand that the physical location of the computer is not the most important factor to determining who controls the computer, and thus who to serve warrants to.

If we deployed fully secure hardware with hardware assistance, and had security put in place to protect us against attacks by unauthorized persons with physical access (IE: wiped keys if unauthorized physical access detected), then law enforcement must be aware of this advancement.  If in the pursuit of evidence to convict a user of our services they served a warrant against the physical hosting company rather than us then they risk destroying the evidence they are trying to collect.     The warrant must be served against the entity that controls the computer, not the entity that physically houses the computer.

It must never be considered the fault of the computer owner that evidence was destroyed by law enforcement.  The current technology illiterate or technology neophyte politicians, judges and police officers are making all of us unsafe.  Technology literacy must become a requirement of those who will be trying to make or enforce laws impacting technology.


Keep reading: Apple's use of computer security and encryption

Perspectives on computer security and encryption from Apple, the FBI and I : FBI

Many people have weighed in on the Apple vs FBI case, including a speech by President Obama.  People in the technology industry have lined up in support of one or the other.

My views can't be expressed as a simple support of one position or the other.  As I believe there is a third option I am authoring this as a series of articles that discusses the issue from three perspectives:

* This article discusses FBI
* A second article discusses my use of security and encryption technology
* A third article discussing Apple

Lawful Access

I've written about the question of lawful access before, and the requirement for there to be strong oversight of police and security agencies in order for those agencies to not themselves be the risk to society that they are supposed to be reducing.  Law enforcement and security agencies must have strong court oversight, and the courts themselves must have strong citizen oversight through ensuring the number of closed court sessions are kept to an extreme minimum.

There is a conflict of interest when it comes to law enforcement and security agencies and protecting the public.  Often these agencies will confuse protecting citizens against death from protecting their lives.  They promote policies which make it easier for them to find and punish wrongdoers, but generally have no concern about the harmful consequences of those policies on the health, safety and security of citizens.

FBI Opposition to encryption

There is no better example of why there is a need for checks-and-balances than the extreme views expressed by James B. Comey, Director of the FBI.  He has for some time been suggesting that the world is "going dark" because an increasing amount of communications is encrypted.  He sees only the narrow potential downsides of this technology in that it might hide criminal activity from the FBI, and ignores the critically important features -- the very fact that the modern economy and much of modern society is built upon private communications requiring strong encryption.

If Mr Comey were a doctor, he would recommend amputating a patients head to solve a back pain problem. He would be correct in saying that after amputation the patient would no longer feel back pain, and would likely be confused why people would consider that a failure.

Fortunately in our society we don't leave extremists like him solely in charge.  Even the NSA, which does its own cracking of encryption and has been accused many times of trying to weaken or put back doors in encryption, had its director come out in favour of encryption due to the extreme views expressed by Mr Comey.  In fact, there is a rift within the US government about this issue, and it is quite a complex one that simply can't be expressed by saying individuals and agencies are picking sides between Apple or the FBI.

The FBI or any other government agency, here in North America or elsewhere, should never be given "back door" access to technology in general as that would enable them to bypass the required checks and balances which the courts and the public must be able to provide in a democratic society.  I have absolutely no respect for the position that suggests they should have no barriers to their investigations, as I do not believe democracy and the required separation of power between agencies can ever be claimed to be a barrier to protecting a democracy.


Keep reading:  My use of computer security and encryption

Sunday, April 3, 2016

First look at Bell's CraveTV

While I am not a fan of Bell as a company or their harmful politics, I decided to give CraveTV as a technology a quick look given they un-tied it to their BDU and Internet services since I wrote about it in January.

Technology

The service works on few devices, nowhere near what is available for Netflix.

While their site listed Samsung SmartTV, the model I have appears to be too old for their immature app. This makes it unlikely my wife will be interested in watching video on CraveTV as she finds the other options far less convenient than just using the remote control that came with the TV -- there is so much from Netflix, YouTube, and Ted Talks that all work great on the SmartTV option to bother looking elsewhere.

My first successful try with CraveTV was with what I would most often be using, which is my Chromebook and Chromecast devices.  The website was sufficient, but not inspiring.  Their "My cravings" menu allowed you to play the next video in a series, but using that interface you couldn't pull up information about the shows like you can in the other listings or after a search.  There is no recommendation engine, rating system, or other features that really bring you the modern video watching experience.  It felt kinda flat like traditional broadcast TV, only with more of a PVR experience where you can watch when you want rather than only when someone else scheduled it.

The play/pause button is not well implemented with Chromecast.  While you can open a new video on the website it does not switch which video the Chromecast is playing, and it will leave you stuck in the previous title.  There is no "stop" button which disconnects from the previous video and allows you to play a new one -- you are stuck going to the cast tab and stop casting before you can cast the next episode or switch titles.

The app for Android worked similar to the site with the Chromebook, with my phone also able to control a Chromecast device.

I tried on my desktop.   On Chrome it brings up all the widgets as if it is going to play video, and even gives that little spinning circle that they display when they are filling buffers, but no video or audio ever plays.  No indication why is ever displayed.   The little Chromecast button sits in the bottom-right corner, and interestingly it will connect to the Chromecast and play the video.  Possibly useful if you wanted to use a laptop as a remote control to a Chromecast, but not very useful otherwise.

First attempt with Firefox displayed a suggestion that I install a non-existent upgrade to the Adobe Flash plug-in.  I am already running the latest that is available for my Ubuntu 14.04 desktop (version 11.2.202.577 as I write this).  Second attempt after upgrading every package that had an update didn't get that far, with the site displaying a connection problem : "It appears there was  problem completing your request.  Please refresh this page.".  The page I was trying to go to was http://www.cravetv.ca itself, so that is a pretty bad sign.  I exited the browser and tried again, and again got the claim that "To watch video, you need an Adobe Flash Player Update" with a link to the Adobe site that only confirms I'm on the latest.

General impressions is that this is a beta service that they are marketing as if they were ready for general audiences.  I hope they realize the immature level of their site and plan to invest in finishing it.  Even ignoring my political problems with Bell I would not recommend this service to less technical users who would be frustrated having to fiddle and do odd things to try to get the video going.  The site is workable for technically literate people who can work their way around bugs in beta websites.

This site is improvement over  Rogers on Demand Online from 2009 which implemented commercials so poorly as to make programming unwatchable.  Then again, that might only be because they aren't trying to put commercials into the stream.

Content

It is the content that made me look at CraveTV rather than Shomi.   I'm not interested in the regular "reality" TV, sitcoms, or excessively light drama that the lowest-common-denominator brought to broadcast television.  CraveTV has a number of titles that are more to my liking, the type of stuff that would normally be on Space.ca (about the only channel I miss from my Cable TV days) as well as titles from HBO (Although, no Game of Thrones or even True Blood for whatever reason).  12 titles went into the "My Cravings" listing pretty quickly, and even though I only started my free trial yesterday I've already watched several episodes of The Librarians and Penny Dreadful.

It is typical of Bell that they are relying on questionable legal/business tactics like exclusive regional licensing to force people to their services, rather than offering competitive services using technology that would be considered of "release" quality by modern Internet era companies.  The only reason I would use their service is to access content I'm not legally able to get elsewhere, and I expect I will always have to put up with technology from them that is generations behind what modern companies like Netflix are offering.   It is sad that HBO and other cable-era content companies like it see Netflix as a competitor and Bell as a partner, rather than the other way around. I think far more people would be paying to access that content if it were untied from lesser distribution services and providers.

Sunday, March 13, 2016

Windows 10 the last desktop version of Windows? The future is unevenly distributed...

I was pointed to a Linux-centric article that included the following section which surprised the person who pointed it out:
Windows 10 will be the last desktop version of the operating system that once gave Microsoft dominance in the PC software market. After that, Windows will be offered on a subscription basis and run from the cloud, but this will not be a Microsoft-exclusive cloud. Internally, Windows will be virtualized within software containers running on Ubuntu.
I'd like to parse this quote a bit, and offer some of my own interpretation.

Last Desktop version

The inevitable disappearance of the desktop operating system has been discussed for decades.  It is really a poor fit for the modern era.  Unlike their more thin mobile counterparts, desktop operating systems really only work well if you have a systems administrator on-hand to handle issues ranging from malware to multi-application compatibility.  System administrators, on the other hand, really want to centrally manage these services so they don't have to spend large parts of their budgets going to each individual desktop to maintain them.  While there is software that attempts to help with this, none of those options can ever compare to running those applications in a server room (local to the office, or in some other server room in "the cloud"). In the server room it is also easier to manage hardware resources, virtualize applications into their own containers to avoid multi-application compatibility issues, and manage software testing and upgrades in a way that is transparent (and thus not disruptive) to users.

Far worse than the problems within medium and large businesses is people running desktop operating systems in small offices or homes that don't have a system administrator.  This why such a high percentage of desktop operating systems are infected by one thing or another -- or just generally not working as well as the hardware and software could work.  This has a high cost to society as a whole, given the harm from spam and malware distribution from this army of infected desktop operating is only surpassed by the fact that these remotely controlled clusters can be bought to be utilized for anything including cyber warfare/terrorism.

I've been looking forward to the death of the desktop operating system for decades, and that is both as a person who works in offices where people expect the IT staff to inappropriately spend a chunk of their budget on desktop support, or as someone constantly asked by less technical family members or friends for help.

It shouldn't surprise anyone that I purchased my wife, mother and my father-in-law each a Chromebook, and as quickly as I could upload all their old documents to a Google drive or put on a USB drive -- and gleefully tossed their old desktops in the trash.

I hope I also will see the eradication of desktop computers in my workplace as well, but that isn't something I have much influence on (even as "Lead Systems Engineer").

What I see in the future isn't less computers, but a recognition that we should be using the right computer and right operating system to fit the job.  The historical "one size fits all" approach that we saw in the desktop era always meant that the operating system used did the job at hand poorly compared to alternatives.

While it is possible that there may be a kernel that will dominate because it receives the most contributions and the most vetting (IE: The Linux kernel), I would consider it yet another market failure if the software stack on top of that remained as similar as we saw in the desktop era.

In my home I run CentOS and Ubuntu on the server, Ubuntu on my development workstation, and we have a variety of mobile devices running Android and ChromeOS.  We have entertainment devices running a variety of OS's (Android on Chromecast, Linux kernel+Boxee software on Boxee box, and a Samsung Smart TV).  While they may all have a linux kernel under the hood, the rest of the operating system built on top is not the same.   I would consider it a backward movement on the part of Google if they merged ChromeOS and Android into the same OS as these two classes of devices serve different purposes and the operating system should be more focused on each purpose.  And I have no interest in running Ubuntu or CentOS on my tablet or phone.

When Google announced ChromeOS they had Citrix there, with the suggestion being in those early days that desktop apps should be virtualized into the server infrastructure, with mobile/portable/disposable devices providing the user interface.

What this will mean is that applications previously run on desktops like office suites and image editing (Photoshop) will be run on servers (in office or in the "cloud") where the computing and system administrators are, and the mobile OS is the user interface only. The desktop application divisions of Adobe and Microsoft have already been moving this direction. The free trials from Google apps may last longer (including still being available free for Gmail users), but they are by no means the only alternative available.

This is also an obvious and long discussed solution to much of the software copyright infringement problem. If you don't distribute software to end users to run in their computers then you don't need to worry about them infringing copyright.   This not only suggests proprietary vendors moving more to the cloud, but that the devices that end users have in their hands will eventually be FLOSS-only.

Subscription?

This is also an inevitable modernization of how proprietary software development will be paid for.  It has never made sense to think of software as a product, as it is more of an ongoing conversation.  While you can buy snapshots of the conversation with a fixed fee, that isn't a useful thing to do when you need to at least keep up with the security patches part of the conversation even if you don't care about new features.

In the early days of computing the hardware advanced quickly as well, and thus people were buying a new computer every few years and thus was paying for new software as well.  Now that computers have reached beyond what the average user needs on their desk/lap there isn't a constant hardware upgrade stream to pay for the massive amount of work that goes into upgrading the software.  In fact, people are wanting to simplify the hardware that they carry with them and want to go mobile where the computing power (as well as battery power consumption) is decreasing rather than increasing.

Subscriptions are the obvious way to go, and this will be of great benefit to both vendors and consumers.

And if you don't want to pay a subscription fee, there will always be legally free FLOSS alternatives. Given software development and system administration time is also expensive this will have to be financed somehow (by someone) even if you never have to pay a software licensing fee again. 

Not be a Microsoft-exclusive cloud

This is also inevitable, and we shouldn't be making a big political deal out of it.  As Microsoft moves away from trying to squeeze percentages out of hardware purchases to being a services company their focus will transition to choosing the right tool for the job.  This will also be a transition away from some of their odd historical political rhetoric in opposition to FLOSS and Linux. Sometimes the right tool will be software from companies and/or open source communities they thought of as competitors in their previous market.

Microsoft's Azure Cloud Switch (ACS) is but one example of this. This isn't a server, desktop, or mobile operating system, but a specialized operating system for network switches built on the Linux kernel.  Using the Linux kernel just makes sense as they can leverage existing community software work, as well as contribute their own code to a community that will then help massively deploy ACS compatible devices.   It is a win-win for everyone involved.

Virtualized within software containers running on Ubuntu

This is the only part of the quote that I'm not convinced was articulated clearly.  Why bother with Ubuntu?   Ubuntu offers a good application server environment, and it works great for workstations, but why bother with the overhead of Ubuntu for a virtualization environment?   This may not be what is being presented in the article.  There may be some value in using the Debian packaging system and build environments, and then spin a virtualization focused distribution.  It might even make sense to build this as a fork of a tiny subset of packages from Ubuntu.  I just don't see using Ubuntu itself as being likely for a company that has the resources to do this right on their own.

Thursday, March 10, 2016

Educational fair dealings battles: Educational Institutions

I discussed Collective Societies in the context of this issue in a previous article.  While I started with them, I don't fault them for the battles we keep seeing.  Those representing collectives are just trying to keep these entities alive in a changing marketplace where their value is diminishing.   While this transition is good for authors and users alike, and is one that we should be encouraging, it will eventually lead to some redundant collective societies closing.

The problem is that educational institutions have been propping up the legacy publishing methods that these collective societies are dependant on.  These publicly funded institutions have been throwing away taxpayer money at lawsuits and royalty fees which leave the sector (and often the country) rather than modernizing.

Educational Institutions

When you get past the superficial "authors vs teachers" rhetoric, you find a very different scenario. The most expensive collections of works fall into the category of non-fiction textbooks, journals, and other academic writings.  The primary authors as well as the primary users of the works are staff and students at educational institutions.  Students are mandated to publish works as part of their learning, and staff are told to publish or perish with career advancement often tied to published works. Textbooks, even for K12, are authored by educators, and reviewed by educators -- with some reviewers merely paid with pizza by publishers.

All of this work by staff and students then leaves the institution and is redistributed back to the educational sector by third party publishers who extract massive royalty fees along the way.  It is fees flowing to academic publishers that dominate collectives like Access Copyright, as well as dominating the fees that academic institutions have to pay to publishers in direct licensing fees.

An alternative funding model that has been growing is Open Access(OA) where royalties are no longer charged. This enables the educational sector to directly pay staff for their authorship, hire editors and other staff they may not have, with the results then available freely to the rest of the sector.   There are a growing number of OA journals worldwide, and the Canadian Association of Research Libraries provides information on ongoing development in Canada.

While the movement to OA is a win-win for the educational community which is the sector for both the majority of the authors and users, there has still been barriers to adoption.

One of the greatest barriers is a perception that historical reputation of some of the previously established journals and textbook publishers is somehow more important than dealing with the financial, political and legal problems created by propping up an outdated academic publishing model.  This problem is made worse by the fact that the departments promoting the established publishers have separate budgets than the libraries who are expected to pay for the expensive journals, or students who have to pay outrageous and unnecessary textbook fees.

We need a bundle of policy solutions to encourage the transition.

Taxpayers interests must be protected

In the "authors vs teachers" rhetoric an important fact is forgotten, which is that taxpayers are ultimately paying and their interests should be respected.

I have long believed that the results of publicly funded work should be publicly licensed.  For educational institutions I would tie part of their budgets to fund OA publishing.  OA publications are not only available royalty-free within the education sector, but outside as well allowing the fruits of the work partly funded by taxpayers to be available to taxpayers (and the public in general).

During a transition period this funding could be divided by academic department, such that additional funding would be made available to departments that shifted to OA early.  The funding would come from a expenditure-neutral shift in funding to the institution, so that in effect budgets would be reduced for those departments that had not yet moved to OA publishing and increased for those who had.

In a later part of the transition period this funding would then be assumed to be institution-wide, where part of the funding to the institution as a whole would be tied to a requirement that all departments had moved to OA publishing.  This would put additional pressure on laggard departments.

Overall the goal of the policy must be to mandate OA publishing for publicly funded institutions, so the end goal of the policy would be that no public funding would be available to institutions who were unwilling to transition from legacy royalty-based publishing models to OA publishing.

Fairness in Fair Dealings

It has never seemed fair to me that we should be treating educational institutions as if they were charities, and that somehow they should have royalty-free access to the works of the world and yet be able to charge (or allow third party publishers to charge) royalties for the outputs of the institutions.

I believe that one of the primary fairness criteria for educational fair dealings should be the licensing methods used for the outputs of the academic work.  If the results will be OA or released to the public domain, this would be weighed strongly towards fairness on the input.

I would further propose that after a transition period similar to the  funding proposal above that the specific educational institution (sections 29.4-30.04) should only be available to institutions whose outputs have been primarily made available through public licensing.

Policy proposal for the remaining works

While nearly all the works used in an educational setting fall under direct licensing (royalty or publicly licensed) or fair dealings, there are still some works used which should be compensated but where direct licensing isn't available or isn't practical.  With educational sector created works handled through OA, there is also far more money available to compensate non-academic authors who have always been on the losing end of these debates.

Decades of taxpayer money wasted in the so-called "educational fair use" debate and never ending  lawsuits suggests that none of publishers, collectives, or educational institutions can be entrusted to provide fair compensation to those non-academic authors.

I believe an appropriate model to use is the Public Lending Right program that provides funding to authors for the use of their works in public libraries.  This is a program outside of copyright that is focused on authors rather than copyright holders.  The program to fund authors for uses of their works in publicly funded educational institutions should be funded from an expenditure shift from educational institutions.   Unlike what happens with collectives, the proceeds for this program should be accountably targeted to authors, with funding not accessible to intermediaries or their feuding lawyers.   This would provide far better funding to authors than the small amounts paid through collective societies, and be far more accountable to taxpayers who have ultimately been funding this nonsense debate.

Educational fair dealings battles: Collective Societies

Anyone who follows copyright in the news will have heard the epic battles around educational fair use.

To hear it from the perspective of those who represent collective societies it is a battle between starving artists on one hand and thieving big business educational institutions on the other.

To hear it from the perspective of educational institutions it is charities providing a public service trying to reduce costs to students and taxpayers any legitimate way they can.

The problem is that both of these perspectives are wrong.

This article is in two parts, with the second part addressing educational institutions.

Collective Societies

Collective societies don't "represent" creators, starving or otherwise.  They provide a specific business model service available to copyright holders, and compete in a marketplace that includes a wide variety of other business models available to copyright holders.

Collectives don't "represent" creators in the sense that an elected politician or union representative might claim to represent constituencies, any more than ScotiaBank can claim to "represent" me simply because I happen to be a customer of some of their financial services.

If a large number of home owners who had mortgages with Scotiabank decided to switch to BMO, Scotiabank would never be allowed to claim that there was a crisis in the mortgage business or home ownership, and lobby the government to try to force home owners to take out mortgages from Scotiabank.

This is essentially the argument that certain collective societies have been making for many years in Canada. Copyright holders and educational institutions have been migrating to directly licensing works through a wide variety of online services where there is a direct flow of money from the institutions to the copyright holders.

This is the reality of the marketplace today: the overwhelming majority of works used within an educational setting are directly licensed.  What remains to be sorted between collective licensing and fair dealings is decreasing in size all the time, and it is this modernization that bogus "studies" by PricewaterhouseCoopers failed to take into consideration.  The fact that revenues flowing through collectives has decreased is not an indication of a failure, but an indication of a successful ongoing transition to more direct licensing models.

Collective societies should have always been understood as a licensing model of last resort.  Authors licensing directly is ideal, and if that isn't possible then through a publisher or some other intermediary. Collectives are only needed when normal direct licensing options are somehow failing, and creating indirect licensing is the only remaining option.  Rather than copyright holders licensing directly they become members of collectives and receive payments based on very rough statistics about possible uses of their works.

With modern digital delivery mechanisms the costs of creating accurate statistics and offering transactional licensing has dramatically decreased, which means that the pre-digital collective management option will have diminishing value in the marketplace to either authors or users.

Collective management of copyright is nothing like collective bargaining

One of the more warped suggestions you will hear is that collective management is comparable to collective bargaining, and that collectives are simply representing their members like a union does in negotiating with the employers for better fees.   This claim is nonsense for many reasons.

The closest thing that authors have to an employer is the publishers, not the customers of the publishers. Workers at a Ford plant don't picket in front of the homes of car owners as a mechanism to get better wages, they picket in front of their place of employment trying to convince the employer to give them better wages.  While authors require this type of representation as the deals offered by many publishers are unfair to authors, collective societies aren't helpful in that scenario.

In the case of collectives like Access Copyright, the publishers (employers) already dominate the money flowing through them and as much as some collective devotees try to claim otherwise also control the organizations politically.   Normally a union isn't made up of a mixture of employees and employers, where the employers control the agenda -- so suggesting that a collective is like a union makes no sense.

As collectives exist in a competitive marketplace, and authors and users are switching to better licensing models, you will see collectives fighting against these competitive pressures.  An analogy might be having the employees and management of Ford picketing outside Chrysler headquarters complaining to Chrysler employees that Ford isn't getting paid because people are switching to purchasing Chrysler vehicles rather than Ford.  It is an odd mentality, and it violates much of what a union normally stands for as you have workers from one employer picketing against the workers from another employer, in solidarity with their management rather than their fellow workers.

Some oppose any form of fairness in copyright law

Of that diminishing proportion of works which are not available for direct licensing, we are left with sorting between those uses which should be considered fair dealing and uses where a royalty would be paid through a collective society.

As with the other aspects of this debate, the "sky is falling" rhetoric is false as the vast majority of uses we are discussing are legitimately fair dealings that would be recognized as fair by anyone who remotely believes that copyright law should have the concept of fairness within it.  The loudest people you will hear complaining about legitimate uses of fair dealings, even with the fairly conservative policies most educational institutions are using, are people opposed to their being any limits or exceptions to copyright at all.  These extremists should be recognized as outsiders from the core of the policy debate.   As discussed in earlier articles, they certainly don't represent the interests of authors who depend on these limitations and exceptions to create our own works which build on the past.

The blanket licensing problem

After we consider direct licensing and necessary limits and exceptions to copyright, there still remains an extremely small number of uses or works that are still worthy of consideration.

What educational institutions have been asking for is a mechanism to provide transactional licensing for those instances where a work that is used in an educational setting is not already available through direct licensing, and where the copyright holder is in the repertoire of a collective society.  As the marketplace advances these instances are becoming less common, but this service would still provide value to copyright holders and their potential customers.

Unfortunately some collective societies have been fighting against this eventuality for decades.  They want to offer blanket licensing (an expensive per-student price, regardless of what copyrighted works are ever used), and refuse to offer transactional licensing except to those institutions that already have a blanket licensing.

Like the frustration consumers have with other unfair bundles like much hated cable packages leading people to "cut the cord", this failure caused by collective societies are inducing more and more institutions to cease any type of licensing with the collectives.

I see this scenario as similar to what I have already written about the Orphan works and Netflix region restriction problems.  The general policy proposal was this:

Fair dealing for non-commercial uses of works not otherwise offered for license under reasonable terms is not an infringement of copyright.
The onus should be on the copyright holder to provide appropriate licensing options to educational institutions if they wish to get paid royalties.  If they refuse to offer direct licenses through the variety of existing mechanisms, and are only members of a collective society that is refusing transactional licenses, then they shouldn't expect much sympathy for their complaint that they aren't receiving royalties.  (Note: I offer a funding program suggestion in the second part)

Members of collective societies should be demanding that collectives provide transactional licenses, otherwise the copyright holders should form a competing collective to replace the failing one.  This has been discussed in the past, such as by a splinter group contemplating creating a Creators' Access Copyright as they recognized that Access Copyright primarily represented the (often competing) interests of (largely foreign) publishers.  While that group was drinking the same cool-aid that Access Copyright devotees are in opposing fairness in copyright law, they at least recognized one of the largest problems with Access Copyright: there are obvious conflicts of interests between authors and older business model dependent publishers.

Competing interests of authors and collectives

The politics of this situation is made more confusing because there are individuals that represent the interests of collective societies against competitors who allege to represent the interests of artists. You will see press releases coming from professional writers associations and unions echoing the false claims of collective societies.   I have never believed that these individuals represent the interests of artists but the increasingly conflicting interests of collective societies.

One of the best things that fellow members of the creators rights movement can do is distance themselves as much as possible from collective societies, their lawsuits, and their counter-productive political campaigns. If you are a member of a union or professional association whose leadership is parroting the rhetoric of a collective it is time to get together with other members and depose those with this conflict of interest.