Now Ross Anderson and Steven Murdoch, computer security researchers at the University of Cambridge, have published a paper [PDF] analysing 3D-Secure. Announcing the work on his blog, Prof. Anderson said,

From the engineering point of view, [3D-secure] does just about everything wrong, and it’s becoming a fat target for phishing. So why did it succeed in the marketplace? Quite simply, it has strong incentives for adoption. Merchants who use it push liability for fraud back to banks, who in turn push it on to cardholders. … This is yet another case where security economics trumps security engineering, but in a predatory way that leaves cardholders less secure.

The paper concludes by recommending technical measures that would improve security for card-holders. It also calls for regulation to protect consumers from being forced to accept liability for online fraud.

I hope that the academic rigour of Anderson and Murdoch’s work, backed by the formidable reputation of the University of Cambridge Security Research Laboratory, will help to focus mainstream attention on Visa and Mastercard’s selfish treatment of their customers.

The Digital Economy Bill will affect you:

• If your home Internet-connection contract is in your name.
• If your business offers Internet access to the public (wifi hotspots or terminals.)
• If you depend on copyright for your income (software writers, publishers, authors, bloggers, photographers, musicians, film-makers, artists, DJs, newspapers, radio stations etc.)

Come to the unconference and find out more about the legislation and how it will impact your home life, your business and your community. Stick around for the workshops and learn how you can make sure your opinions on these issues heard in Westminster.

Tickets are available separately for any of the following parts of the event. You can come to one of the workshops even if you can’t make it to the unconference.

13:30 – 17:30:	Digital Economy Bill Unconference
17:30 – 19:00:	Talk to your MP: Workshop 1 *
19:00 – 20:30:	Talk to your MP: Workshop 2 *

* Workshop places are limited, so booking is essential.

There will be breaks between sessions and time to socialise before, during and after the event.

Reserve your free tickets now. See you there!

For those who can’t get to Sheffield, workshops are also taking place in London, Manchester and Edinburgh, though these events will not be preceded by unconferences.

I’m writing to ask you to represent the voice of UK citizens during the passage through the House of Lords of the Government’s Digital Economy Bill.

I am deeply concerned by the measures this Bill would introduce, and given that my MP seems unwilling to represent my views or even to engage with me in a debate about them, I’m appealing to the House of Lords for representation. I chose to write to you as members of the Lords Science and Technology committee in the hope that you will weigh the Government’s proposals against objective evidence, accounting for bias on all sides including my own, and arrive at proportionate and evidence-based conclusions where, in my opinion, the Government has not.

The main issues with the Bill as it currently stands are:

1. Problems with due process procedures and indiscriminate sanctions targeting Internet users accused of copyright infringement.
2. Extremely wide powers to amend copyright law with minimal oversight or scrutiny.
3. Reduntant powers to nationalise Nominet – the body responsible for the .uk top-level domain.

It is the provisions to tackle copyright infringement on the Internet that I find most worrying. The Digital Economy Bill says much about how those accused of illegally sharing copyright material should be punished yet it contains few measures that will actually strengthen the UK economy by enabling digital business to thrive. The digital genie cannot be put back into its 20th century bottle. Copyright infringement is wrong however businesses must adapt to a digital Britain or they will die.

1. Copyright Infringement on the Internet.

Disconnection is not an appropriate sanction for copyright infringement. The damage caused by such a punishment would be indiscriminate and collective, imposed on households or businesses rather than an individual infringer, and could be very severe, hampering people’s jobs, businesses or education. Financial sanctions proportionate to the actual damage caused, against a test of evidence, would be more appropriate.

The standards of evidence relied upon in the Bill are low. Errors in recording such evidence are common, and in any case evidence can never identify an infringer, only an account-holder. However the Digital Economy Bill currently allows punishments to be imposed on people who are merely accused of wrong-doing on the basis of this flimsy evidence. Furthermore, the Bill fails to impose a duty on rights-holders to make sure evidence and accusations are fair and accurate. No mention is made of the roles of libel, malicious falsehood or data protection law.

The Government has attempted to assuage some of these concerns by including an appeals process, however there is no obligation to tell people they can appeal, and no legal aid would be available to help with necessarily technical defences unless the matter went to court (a process that might take years). The appeals themselves do not extend to any discretion exercised in imposing a punishment, which is unreasonable. A right of appeal is not the same as a trial. Appeal presumes guilt – this is wrong. People should be presumed innocent until they are proven guilty, the accused should be allowed their day in court and only people who are proven guilty should be punished.

The government has said that introducing disconnection as a punishment is a last resort however the trigger for the imposition of so-called “technical measures” is open to abuse. Evidence from Ofcom would be supplied but the Secretary of State may order the sanctions into force in view of such a report or “any other consideration”. This would encourage lobbying by vocal rights-holders, such as media content companies with vested interests, to secure decisions that maximise their shareholders’ profits without taking into account objective evidence or the rights and needs of citizens. This may damage the valuable communications sector and discourage music and film rights-holders from innovating towards more sustainable and modern business models.

The Government proposes to introduce “technical measures” if its target of a 70% reduction in copyright infringement is not met within a year. This appears to be an arbitrary threshold. In addition, there are no accurate measurements of the current level of copyright infringement, and the Government has not said how it proposes to test whether its target has been met. An objective quantification of Internet copyright infringement is technically and legally problematic: technically because identifying and classifying all UK Internet traffic as it traverses the Internet would tax the state-of-the-arts of computer science and engineering; legally because firstly the copyright status of works depends on many complex factors so is not easy to determine automatically, and secondly, the Regulation of Investigatory Powers act makes it illegal for ISPs to employ the kind of communications interception required. Meanwhile wildly varying estimates of the cost and prevalence of copyright infringement continue to be circulated by all sides in the debate. The scientific and statistical rigour of these reports is questionable.

I mentioned that the technical process proposed to identify infringers can only trace back as far as the account holder of the connection used. The Bill sidesteps this issue by making account-holders responsible for the actions of others using their connection. This liability will adversely affect many businesses such as Internet cafés, pubs, hotels, libraries, community centres, schools, colleges and universities, all of which share their Internet connections as part of their business models. Many people extend to their neighbours and communities the use of their Internet connections as a public good. The Bill puts all of this activity in jeopardy: it may bring about the end of the wifi hotspot in the UK.

2. Statutory Instruments

The Bill allows the Secretary of State to amend copyright law by statutory instrument. This would create massive uncertainty and business risk for online service-providers with a consequential chilling effect on innovation and investment in the sector. Amending the law by SI will prevent the Lords from scrutinising changes, and by convention, the Upper House does not oppose SIs approved by the Commons. Thus the Government of the day would be able to impose changes to copyright law without proper debate or scrutiny. This would further open copyright law to “special pleading” and unbalanced, politicised decision-making.

3. Nominet

The last provision that I want to bring to your attention grants Ofcom the ability to “nationalise” the .uk domain registry Nominet. This is inappropriate for a functioning self-regulatory system such as the one that currently exists. The proposed power would lend Ofcom an undue and unnecessary influence over this independent body. Existing emergency powers to take control of vital national infrastructure are sufficient. Furthermore the current wording of the provision is so poor that any domain registry operating in the UK would be subject to these powers. The many small countries that operate their Internet domain-registries through UK providers would find them subject to UK control. They would be likely to move their business out of the UK in response.

Conclusions

I believe the Digital Economy Bill has many serious flaws that, if they are not rectified, present a clear danger to the UK economy, the future of the Internet in UK, the freedom of its citizens to express themselves and engage in society, our cultural commons and many opportunities of the digital age that are yet to be discovered.

Please will you represent my views to the House of Lords during the second reading of the Digital Economy Bill tomorrow?

Given the urgency of this matter, perhaps you could also pass on this message to your colleagues on the Science and Technology Committee – Lord Broers, Lord Cunningham of Felling, Lord Krebs, Lord May of Oxford and Lord Warner – who do not list a public email address.

I would also be interested to hear your views on the points I have raised.

Yours Sincerely, etc.

Write to a lord today!

It turns out I wasn’t the only one to notice this potential. Reports last week indicate that a Verified by Visa phishing scam is now circulating by email:

Webroot’s Andrew Brandt claimed that the scam begins with an email that appears to be targeted at holiday shoppers who buy gifts online. Brandt said: “Once you register with the (real) Verified by Visa service, participating merchants permit you to enter a password in addition to your card information.

“In addition to providing the purchaser with an additional layer of safety, the password also gives the merchant some assurance that larger-than-normal transactions (like the ones you make during holiday shopping season) will be approved quickly, without triggering fraud alerts.”

However Brandt pointed that in the email, the user is sent to a web page that asks you for the information you gave the card-issuing bank at the time you first signed up for the credit card. He also commented that the page is clearly more professional, slick and clean than most phishing pages as the form’s businesslike appearance serves to reassure the victim that the page really belongs to Visa.

You might think that credit-card companies have a vested interest in reducing fraud however the reality is subtly different. Their interests lie in reducing their liability not the overall fraud-loss figures. Like chip-and-pin before it, the main benefit to banks and merchants of the 3D-secure system is that it transfers liability for fraud onto the card-holder, not that it improves the intrinsic security of transactions.

Here’s my understanding of how it works: banks first offer to indemnify merchants from any fraudulent transactions they charge that have been authenticated using the scheme. This is a strong incentive for merchants and has ensured widespread adoption. Next the banks adjust their terms and conditions to make their customers liable for all password-authenticated transactions and impose on them a duty to protect their password. Lastly the bank asserts that any password-authenticated transaction must either have originated with the cardholder or be as a result of their neglect – i.e. they have allowed their password to become known to someone else. The customer is then held liable for the cost of the fraud unless they can somehow prove they are not to blame for their password being used without their consent. Both the bank and merchant are protected from loss at the expense of the card-holder.

Is it reasonable to expect credit-card customers to shoulder the blame for the failure of such a fragile security system given the prevelance and increasing sophistication of phishing attacks such as the one reported by Webroot? Implementations of 3D-Secure vary between banks and card companies, however the technology is inherently susceptible to social-engineering attacks, as I noted in my previous post. In addition, even if your password security is meticulous, in some cases all a fraudster needs to reset it are the details on the card and the holder’s date of birth. Hardly a challenge for criminals with a passing knowledge of social-networking and the darknets.

I think fraud liablility should remain with banks and credit-card companies except in cases where they can prove their customers are trying to rip them off. The card companies are best placed to solve the problem of online fraud but there’s no incentive for them to do so if they don’t stand to lose from it.

Digital Restrictions Management (DRM) is bad for consumers because it deprives you of control over how – or even whether – you can use the digital products you buy.

While it’s not news that Microsoft has treated its customers with contempt, their household name is helping to carry concern on the issue from geek circles into the mainstream. A personal example illustrates the point: only two weeks ago a friend asked me to recommend a peer-to-peer file sharing app so she could get hold of unencrypted music. She was sick of paying for tracks only to find they wouldn’t work the way she expected.

I’m quite happy to pay for tracks. I want the artists to get paid for me purchasing a copy. But if I end up not being able to, for example, play that track on my mp3 player (because I happen to have one that won’t play DRM files) or burn to a CD (because Microsoft won’t let me) then I’m going to resort to other means.

I could always just buy the CD of course… but that’s old-fashioned ;o) I like the whole digital music thing, I like that it’s immediate and takes up no physical space, but currently it doesn’t serve my needs – unless I get hold of it illegally.

To my mind, there can be no more powerful demonstration of the commercial folly of DRM. Record labels, software companies and film distributors take note: putting obstacles in the way of your customers is bad for business. Customers spend more on products that are the easy to buy and use. The more difficult you make things for them, the less they’ll buy.

Do you have a tale of DRM frustration to tell? Are you going to lose out when PlaysForSure stops playing? Where do you buy your DRM-free tracks from? Hit the “Comments” link and share your thoughts.