A confession about the ICANN WHOIS Data Reminder Policy.


With all the recent attention to WHOIS, it’s time for a confession: I’m somewhat guilty for the infamous WHOIS Data Reminder Policy. With hindsight, it’s a bad policy, and it needs to die.

The year was 2002. ICANN’s DNSO (soon to be renamed as the GNSO) had a WHOIS Task Force, and was trying to extract policy choices from an ill-conceived and worse-executed survey of assorted self-selected stakeholders. As today, the topics at hand included privacy protections, compliance (and graduated sanctions for non-complying registrars), and accuracy of WHOIS records.

To get the discussion going, I threw a few of the proposals that had come up in the survey into a draft report as straw men; I probably made up a few more policy proposals out of whole cloth. Alas, there it was: The seemingly-innocuous concept that having an annual data reminder might be good customer service, and that it might somehow help to increase data accuracy. Next to graduated sanctions and other proposals on the table at the time, this idea had the attraction of saving face in the accuracy area, while not being an obviously bad idea by the standards of that particular task force. And so we inflicted it on the gTLD registrars and registrants of the world. And on ICANN’s not-yet nascent compliance department.

The policy appears to be implemented by most registrars in the form of an e-mail notification to registrants (even though it doesn’t have to be in email). By definition, these notifications include almost entirely public information. They’re therefore a first-rate phishing vector: For example, send a notification with slightly (but embarrassingly) wrong WHOIS data, give a link to fix the data, and hope that people will click that link and hand over the credentials that they’re using to manage their registration.

More generally, this policy exhibits a few flaws that are symptomatic for the broken policy process of the time: It micro-managed a particular piece of registrars’ interactions with their customers. It didn’t have a sunset date. It had no clear success metrics (e.g., number of corrections traceable to notices) that would have permitted ICANN to phase it out if unnecessary. It had no proper review for its security impact on registrants.

Even the WHOIS Review Team acknowledges that the policy is probably ineffective.

It’s time for the GNSO to propose to the Board to repeal this policy. Should be a slam dunk of a task force.

Crossing borders: Tracks without a train.


I’m on my way to the IETF meeting in Paris, and it’s close enough to take the train. Timing means that I won’t use the direct TGV from Luxembourg to Paris today, and so the trajectory I’m taking — a regional train to Nancy, and then onward by TGV — carries some strong reminders of Germany’s and France’s long and painful history with each other, and that history’s traces in the region where the two countries touch.

I live in the Mosel valley, on the Luxembourg side of the river. In walking distance, a bridge across, and a somewhat decrepit train station on the German side. The railway that follows the Moselle is today a minor regional affair, but was originally built as a Prussian / German military investment: Purpose-built to transport troops and heavy guns from Berlin to Thionville, and onward to Metz; often tunneling through the Moselle’s tightly wound vineyards so that those heavy trains would not have to brake. When it was built, that railway line had the world’s longest rail tunnel, and the infrastructure is still impressively over-engineered for today’s use.

The tracks are still there all along the Mosel, and along that route, Thionville train station still shows some of its belligerent past, in the form of bunkered-up artillery casemates right next to the station (and a matching fortress across the river) — as does the gorgeous city of Metz, with one of the larger surviving fortresses of the region. And even as the train makes it further into France, through towns too small for a stop and therefore nameless to this traveller, there are castles and fortresses to be seen, witnesses of wars gone by.

Also along these tracks: The remains of the steel mills that once contributed to making Lorraine a strategically important bone of contention between Germany and France — now either owned by Arcelor Mittal, torn down, or turned into repurposed heritage structures.

It would have seemed natural for me, then, to have jumped on a regional train to take me to Metz or Nancy along these direct tracks, and onward to Paris from there. But alas, that train doesn’t run: To this date, the German railway system stops at Perl, and the French one stops a kilometer or two upstream at Apach. Between them, Sierck-les-Bains, an old seat of the Dukes of Lorraine, features the ruins of their castle torn down by war in the early 1700s. Across the Moselle in Luxembourg lies the small village of Schengen, with its peaceful vineyards. The Schengen agreement was signed on a ship on the river right where Germany, Luxembourg, and France meet each other.

That one or two kilometer piece of train tracks between Perl and Apach is crossed by two local passenger trains in each direction every Saturday, and by the occasional freight train between France and Germany. To this date, there is no direct train connection between the neighboring cities of Trier, Thionville and Metz, and German train passengers have to travel through Luxembourg to make it into Lorraine — and back into the Moselle valley. Even today, the train routing strangely exaggerates the distance between Trier and Thionville.

Along this trip, it is tangible how the European unity, the Schengen agreement, and globalized trade more generally have helped to bring peace to this region that was ravaged by war for centuries, and changed owners far too often, and far too violently. But it is also tangible how the traces of past wars, past borders, and artificially built-up distance between nations still exist — for example in that direct railway track without a direct train.

Artificial Intelligence gone Bad: Robert Harris, Fear Index.


Most of the time, Robert Harris writes great speculative fiction — I’m mostly a fan, and have hugely enjoyed several of his novels. However, I’m afraid that Fear Index isn’t a book I can recommend.

In Fear Index, a genius computational particle physicist turned rich and successful algorithmic hedge fund manager in beautiful Geneva has a spectacularly bad day: Is the world going mad? Is a mysterious adversary trying to drive him crazy? Is past depression coming back to haunt him? Is he falling victim to a brain tumor? And what is going on in his company whose computers are placing incredibly risky, but eventually hugely successful bets in the market?

Set against the background of the Dow Jones Flash Crash in May 2010, Fear Index has many of the ingredients of a great thriller, and is often well written. However, halfway through the novel, Harris runs out of ideas: It’s blindingly obvious that the AI has gone both conscious and mad, and is plotting a massive assault on the market, leading to the 2010 flash crash. Also, the AI (which is predicated on predicting fear in the markets) has set out to kill its inventor, who in turn tries to kill the AI — only to predictably realize at the novel’s climax that it is now beyond his powers to do so.

In the end, this novel is yet another knock-off of the sorcerer’s apprentice theme, set in the age of the computation, communication, and algorithmic trading, complete with the depressed genius, yet another quick visit to CERN and yet another cameo appearance by Tim’s old NeXT workstation — and, even worse, yet another conscious-by-accident AI as the main antagonist that (when it isn’t highly profitable on the stock market) rents computing centers, buys old books, hacks the psychiatrist’s laptop, and manipulates the building’s elevator. The characters are mostly clichés, and while the AI’s machinations are quite creative, Harris lacks the imagination to give the reader any motivation why that would be the case. I’ll take 2001’s HAL over Harris’ VIXAL-4 any time.

Review: Neal Stephenson, Anathem


I know I’m late to the party: I finally got hold of Neal Stephenson’s Anathem. Still, the book is worth a quick review, and a whole-hearted “go read it.”

The first quarter or so is a fun, but somewhat slow read: Some ideas and the academic world of Arbre that serves as the backdrop for so much of the story are gently introduced. Those of us who deal with computer science in any shape or form get to chuckle at the phrase “syntactic devices” for Turing machines, and at discussions whether human thought knows meaning beyond what an AI can comprehend. We learn that Arbre was devastated by the Terrible Events (whose details the world has forgotten in the mist of time) that led the worldly society to seclude its all too resourceful and perhaps irresponsible academics in space and time, and itself on a stage of technical development that feels roughly contemporary to the reader, but must look like a plunge into the dark ages to those on Arbre who might remember what had been known and put to both good and terrible use before — and now seems almost forgotten.

But then, the story’s hero (a young academic, only ten years removed from the sæcular world) begins to encounter the unexpected, and the carefully structured world of Arbre comes apart on a scale that few would even think of, and that requires the best brains on the planet to address.

That’s when Anathem’s story picks up its pattern, and when it becomes virtually impossible to put the book down: Stephenson has wrought a first-rate thriller out of an improbable set of ingredients all across philosophy, cosmology, physics — and Socratic dialogue. On another level, Anathem can be read as asking some inconvenient questions about the responsibility of those who develop and build technology that is deployed on a global scale, and their relationship to traditional social and governance systems.

If you haven’t read it yet, you’re missing out!


The Cloud Service Smell Test: Does it use HTTPS? (hey @funambol, you fail)


All sorts of cloud services want to get their hands on all sorts of private data these days.

Case in point today, Funambol — looks like a nice combination of cross-platform synchronization software, a bunch of open source software to build applications on top, and a probably useful web service. Now, do I trust this service with my address book?

Conveniently, the fail begins early enough that I don’t even get to the point where I look at the privacy policy: Not just are password choices that I can make when signing up constrained in all the wrong ways — all the interaction with the web portal is, of course, through plain HTTP.

Why, exactly, dear Funambol, do you think that I’d trust you with others’ home addresses and private phone numbers when you don’t even bother to take the elementary steps to keep my password and those data out of the hands of the attacker who’s probably sniffing the wireless network I’m using at the airport?

Come back when you’ve built a secure site. Right now, you’re not even getting past the smell test.


MacOS X Lion, first impressions: Mail.app, and lots of incremental changes


So, I’ve made the jump. Initial impressions:

1. Most changes are incremental. Mission Control seems nice, full-screen mode is nice for some applications; haven’t yet tried AirDrop.

2. The faux leather / physical object skin for iCal and Address Book is annoying and silly. SRSLY, Apple?

3. The biggest positive change so far is Mail: GMail-like conversations, and — if you pick the right options in the preference menu — automatic retrieval of archived e-mails. My current setup: Using rules, I store a backup copy of each incoming message in an archive folder. I rigorously delete things that I’ve seen from my inbox. If a thread is revived, Mail.app will pull the thread together from my archive folders. Yay, finally! The other important addition to Mail.app is, well, speed: The search is now usable even for large archive folders.


Do Not Track: The Regulators’ Challenge.


This item also appears on the W3C blog.

The fine people at the UC Berkeley law school have pulled together an amazing two-day workshop about Web Tracking in Brussels. The conversation kicked off today with European Commissioner Neelie Kroes talking about privacy, self-regulation and do not track, and with Director General Robert Madelin and FTC Commissioner Julie Brill on the subsequent panel. Together, the three handed a sizable challenge to the Web standards community: Standardize Do Not Track within a year (or less), be transparent, be inclusive.

Neelie Kroes’ key points: While the advertising industry’s self-regulatory efforts are important and welcome, they aren’t enough. Tracking protection cannot be limited to just cookies (and cannot ignore other ways to create client state); it cannot be limited to just advertising or other specific sectors; and it cannot be limited to just the use of the data; instead, tracking protection needs to apply to data collection as well. Also, industry needs to address both Web and mobile tracking, and soon. Kroes’ challenge to industry: Standardize Do Not Track by June 2012. Come to the standards table.

FTC Commissioner Julie Brill spoke about the FTC’s efforts in the space over the last several years. She reminded us of the FTC’s staff paper and the five principles for an effective Do Not Track technology: 1. It must be easy to use (in fact, asked Brill, wouldn’t it be nice if the advertising industry was making opt-outs as easy to use as ads); 2. It must be effective; 3. It must be universal; 4. It must deal with collection as well as with use of information; 5. It must be persistent (and not go away after 5 days, or when you delete your cookies). As a significant footnote, Brill pointed out the special sensitivity of geolocation information, and the need for minimization there.

On standardization, Brill’s worry is that industry standardization might be too slow a process, and could possibly take beyond mid 2012.

Finally, Robert Madelin (Director General for the European Commission DG Information Society and Media) put the tracking conversation into the context of Internet regulation overall (“it can’t be a random walk between individual jurisdictions”) and the eG8, and into broader thinking about effective self-regulatory approaches. The sweet spot, according to Madelin, is somewhere in the middle between strongly mandated co-regulation and purely industry-led self-regulation: industry-led, yes, but inclusive, with a clear process, and with clear accountability and transparency to the public, and with a preference for shipping over the sort of perfection that can hold up agreement forever.

Nick Doty blogged about our plans with Do Not Track earlier today. We believe that the standards process provides an appropriate framework for conversations about not just the bits on the wire, but also the broader meaning of do not track.