US Congress Wants To Let Private Companies Own The Law – set standards you must comply with but can’t actually find or see easily

It sounds absolutely batty that there is a strong, bipartisan push to lock up aspects of our law behind copyright. But it’s happening. Even worse, the push is on to include this effort to lock up the law in the “must pass” National Defense Authorization Act (NDAA). This is the bill that Congress lights up like a Christmas tree with the various bills they know they can’t pass normally, every year.

And this year, they’re pushing the Pro Codes Act, a dangerous bill to lock up the law that has bipartisan support.

[…]

There are lots of standards out there, often developed by industry groups. These standards can be on all sorts of subjects, such as building codes or consumer safety or indicators for hazardous materials. The list goes on and on and on. Indeed, the National Institute of Standards and Technology has a database of over 27,000 such standards that are “included by reference” into law.

This is where things get wonky. Since many of these standards are put together by private organizations (companies, standards bodies, whatever), some of them could qualify for copyright. But, then, lawmakers will often require certain products and services to meet those standards. That is, the laws will “reference” those standards (for example, how to have a building be built in a safe or non-polluting manner).

Many people, myself included, believe that the law must be public. How can the rule of law make any sense at all if the public cannot freely access and read the law? Thus, we believe that when a standard gets “incorporated by reference” into the law, it should become public domain, for the simple fact that the law itself must be public domain.

[…]

Two years ago, there was a pretty big victory, noting that his publishing of standards that are “incorporated by reference” is fair use.

But industry standards bodies hate this, because often a large part of their own revenue stream comes from selling access to the standards they create, including those referenced by laws.

So they lobbied Congress to push this Pro Codes Act, which explicitly says that technical standards incorporated by reference retain copyright. To try to stave off criticism (and to mischaracterize the bill publicly), the law says that standards bodies retain the copyright if the standards body makes the standard available on a free publicly accessible online source.

[…]

They added this last part to head off criticism that the law is “locked up.” They say things like “see, under this law, the law has to be freely available online.”

But that’s missing the point. It still means that the law itself is only available from one source, in one format. And while it has to be “publicly accessible online at no monetary cost,” that does not mean that it has to be publicly accessible in an easy or useful manner. It does not mean that there won’t be limitations on access or usage.

It is locking up the law.

But, because the law says that those standards must be released online free of cost, it allows the supporters of this law, like Issa, to falsely portray the law as “enhancing public access” to the laws.

That’s a lie.

[…]

It flies in the face of the very fundamental concept that “no one can own the law,” as the Supreme Court itself recently said. And to try and shove it into a must pass bill about funding the military is just ridiculously cynical, while demonstrating that its backers know it can’t pass through regular process.

Instead, this is an attempt by Congress to say, yes, some companies do get to own the law, so long as they put up a limited, difficult to use website by which you can see parts of the law.

Library groups and civil society groups are pushing back on this (disclaimer: we signed onto this letter). Please add your voice and tell Congress not to lock up the law.

Source: Congress Wants To Let Private Companies Own The Law | Techdirt

FTC asks 8 big names to explain surveillance pricing tech

The US Federal Trade Commission (FTC) has launched an investigation into “surveillance pricing,” a phenomenon likely familiar to anyone who’s had to buy something in an incognito browser window to avoid paying a premium.

Surveillance pricing, according to the FTC, is the use of algorithms, AI, and other technologies – most crucially combined with personal information about shoppers like location, demographics, credit, the computer used, and browsing/shopping history – “to categorize individuals and set a targeted price for a product or service.”

In other words, the regulator is concerned about the use of software to artificially push up prices for people based on their perceived circumstances, something that incognito mode can counter by more or less cloaking your online identity.

[…]

But don’t mistake this for legal action – at this point it’s all about “helping the FTC better understand the opaque market for [surveillance pricing] products by third-party intermediaries,” the government watchdog said.

“Firms that harvest Americans’ personal data can put people’s privacy at risk,” FTC boss Lina Khan opined. “Now firms could be exploiting this vast trove of personal information to charge people higher prices.”

It’s not exactly a secret that sellers manipulate online prices, or that consumers know about it – recommendations to shop online in an incognito browser window are plentiful and go back years.

In this case, the FTC wants to know more about how Mastercard, JPMorgan Chase, Accenture and McKinsey & Co are offering surveillance pricing products. It also wants the same information from some names you may not have heard of, like Revionics, which offers surveillance pricing services to companies like The Home Depot and Tractor Supply; Task Software, which counts McDonald’s and Starbucks among its customers; PROS, which supports Nestle, DigiKey and others; and Bloomreach, which provides similar services to companies like Williams Sonoma, Total Wine, and Virgin Experience Days.

The FTC wants to probe what types of surveillance pricing products exist, the services they offer, how they’re collecting customer data and where it’s coming from, information about who they offered services to, and what sort of impacts these may have on consumers and the prices they pay.

[…]

Source: FTC asks 8 big names to explain surveillance pricing tech • The Register

Switzerland now requires all government software to be open source. Sort of.

Several European countries are betting on open-source software. In the United States, eh, not so much. In the latest news from across the Atlantic, Switzerland has taken a major step forward with its “Federal Law on the Use of Electronic Means for the Fulfillment of Government Tasks” (EMBAG). This groundbreaking legislation mandates using open-source software (OSS) in the public sector.

This new law requires all public bodies to disclose the source code of software developed by or for them unless third-party rights or security concerns prevent it. This “public money, public code” approach aims to enhance government operations’ transparency, security, and efficiency.

[…]

Source: Switzerland now requires all government software to be open source | ZDNET

The Netherlands has a similar law, but you would be amazed how flimsy the accepted excuses are that claim that software should be delivered under a closed-source exception.

Google’s reCAPTCHAv2 is just labor exploitation, boffins say

Google promotes its reCAPTCHA service as a security mechanism for websites, but researchers affiliated with the University of California, Irvine, argue it’s harvesting information while extracting human labor worth billions.

The term CAPTCHA stands for “Completely Automated Public Turing test to tell Computers and Humans Apart,” and, as Google explains, it refers to a challenge-response authentication scheme that presents people with a puzzle or question that a computer cannot solve.

[…]

The utility of reCAPTCHA challenges appears to be significantly diminished in an era when AI models can answer CAPTCHA questions almost as well as humans.

Show me the money

UC Irvine academics contend CAPTCHAs should be binned.

In a paper [PDF] titled “Dazed & Confused: A Large-Scale Real-World User Study of reCAPTCHAv2,” authors Andrew Searles, Renascence Tarafder Prapty, and Gene Tsudik argue that the service should be abandoned because it’s disliked by users, costly in terms of time and datacenter resources, and vulnerable to bots – contrary to its intended purpose.

“I believe reCAPTCHA’s true purpose is to harvest user information and labor from websites,” asserted Andrew Searles, who just completed his PhD and was the paper’s lead author, in an email to The Register.

“If you believe that reCAPTCHA is securing your website, you have been deceived. Additionally, this false sense of security has come with an immense cost of human time and privacy.”

The paper, released in November 2023, notes that even back in 2016 researchers were able to defeat reCAPTCHA v2 image challenges 70 percent of the time. The reCAPTCHA v2 checkbox challenge is even more vulnerable – the researchers claim it can be defeated 100 percent of the time.

reCAPTCHA v3 has fared no better. In 2019, researchers devised a reinforcement learning attack that breaks reCAPTCHAv3’s behavior-based challenges 97 percent of the time.

[…]

The authors’ research findings are based on a study of users conducted over 13 months in 2022 and 2023. Some 9,141 reCAPTCHAv2 sessions were captured from unwitting participants and analyzed, in conjunction with a survey completed by 108 individuals.

Respondents gave the reCAPTCHA v2 checkbox puzzle 78.51 out of 100 on the System Usability Scale, while the image puzzle rated only 58.90. “Results demonstrate that 40 percent of participants found the image version to be annoying (or very annoying), while <10 percent found the checkbox version annoying,” the paper explains.

But when examined in aggregate, reCAPTCHA interactions impose a significant cost – some of which Google captures.

“In terms of cost, we estimate that – during over 13 years of its deployment – 819 million hours of human time has been spent on reCAPTCHA, which corresponds to at least $6.1 billion USD in wages,” the authors state in their paper.

“Traffic resulting from reCAPTCHA consumed 134 petabytes of bandwidth, which translates into about 7.5 million kWhs of energy, corresponding to 7.5 million pounds of CO2. In addition, Google has potentially profited $888 billion from cookies [created by reCAPTCHA sessions] and $8.75–32.3 billion per each sale of their total labeled data set.”

Asked whether the costs Google shifts to reCAPTCHA users in the form of time and effort are unreasonable or exploitive, Searles pointed to the original white paper on CAPTCHAs by Luis von Ahn, Manuel Blum, and John Langford – which includes a section titled “Stealing cycles from humans.”

[…]

As the paper points out, image-labeling challenges have been around since 2004 and by 2010 there were attacks that could beat them 100 percent of the time. Despite this, Google introduced reCAPTCHA v2 with a fall-back image recognition security challenge that had been proven to be insecure four years earlier.

This makes no sense, the authors argue, from a security perspective. But it does make sense if the goal is obtaining image labeling data – the results of users identifying CAPTCHA images – which Google happens to sell as a cloud service.

“The conclusion can be extended that the true purpose of reCAPTCHA v2 is a free image-labeling labor and tracking cookie farm for advertising and data profit masquerading as a security service,” the paper declares.

[…]

Source: Google’s reCAPTCHAv2 is just labor exploitation, boffins say • The Register