Ceci n'est pas un Bob

You Can Make SOPA and PIPA Irrelevant (But You're Probably Too Lazy)

2012-01-18T23:41:00.020-06:00

SOPA and PIPA are bad laws. And Clay Shirky's TED talk about why they're bad laws is great. But he gets the most important point wrong. Right at the end, he says there are two things you can do.

He says you can call your Congresspeeps, and you can "get ready", because more is coming.

But there aren't two things you can do. There are three. And the third thing is much more powerful than the two things Clay suggests.

You can make SOPA, PIPA, Copyright, and the Media moguls of the Hollywood studios, the music labels, the MPAA, and the RIAA irrelevant. You can cut off their air supply.

You can make your own media, and you can make it free.

And why wouldn't you? It's not like the media that's being made for you - for which the RIAA and the MPAA are willing to break the Internet and put you in jail - is any good.

Today's media is SHIT.

Are you dying to see "April of the Penguins" and "The Taking of Pelham 1-2-3D"?

Can you NOT FUCKING WAIT for the latest Justin Bieber disc?

(If you said "yes", you are not the target audience, and you are not the future. Please leave.)

I've said it before, but it bears repeating. This stuff is NOT WORTH STEALING. The RIAA and the MPAA want to break the Internet to protect Britney Spears and "Alvin and the Chipmunks: Chipwrecked". SRSLY.

You can make your own media, and you can OBVIOUSLY make better media.

My sisters and I made this in 48 hours with one iPhone, one iMac, and software that cost us zero dollars. You can do MUCH MUCH BETTER. (We can too, and we will).

A modern $300 point-and-shoot camera will take hi-def video whose quality would have made Orson Welles cry. A new Mac comes with iMovie and Garage Band FREE. These apps will let you do things a Hollywood studio would have spent millions of dollars on only a decade ago. Robert Rodriguez' 10-minute film schools are on YouTube and will teach you everything you need to know - IF you have a story to tell and a bit of talent.

So why do you pay $12 for a movie ticket to see some hack's cynical sequel to a sequel when you could make movies yourself and share them for free on YouTube or Vimeo?

Because you're lazy and afraid.

If enough of you shake off the fear and lethargy, you can make the Internet a BETTER place to watch movies than the theater: not just a cheaper place, but a BETTER place. Better because the stories are better and better because the viewing experience is better (no DRM, no lawyers, no restrictions on where a movie can be viewed, no need to wait for a movie to be "released" in our towns).

And you know what's even better than that? If you DO make the Internet a better place to watch movies than the theater, you'll also make it a place where the people who MAKE movies get paid. Which would be great, because the current system doesn't pay people who make movies: it pays people who finance movies, distribute movies, and lobby Congress to make sure watching movies stays expensive.

Here's all it would take. You'd get your ass off the couch and write down that story you think really needs to be told. You'd take in a few online tutorials - maybe Dan Allen's short-film and FCPX tutorials (look for iMovie tutorials if you're cheap), and a few GarageBand lessons. You'd read David Mamet's wonderful short book On Directing Film. And then you'd dust off your DSLR or your digital point-and-shoot camera and go out and make a movie.

You'd upload that movie to YouTube or Vimeo, and you'd give it a Creative Commons Attribution Share-Alike license so anybody could embed it, show it, or download it and remix it to create their own works for free.

You might make a really great film. If you do, you might get paid for it - or not, but you'd still have made a really great film. But - and this is the important point - NO MOVIE STUDIO WOULD GET PAID FOR IT. AND NO MOVIE STUDIO LAWYER WOULD BE ABLE TO THREATEN TO TAKE A WEBSITE OFF THE INTERNET FOR HOSTING IT. AND NO MOVIE STUDIO LOBBYIST WOULD BE ABLE TO BREAK THE INTERNET TO PREVENT OTHERS FROM RIFFING ON IT.

If enough of you do this, the movie studios will have less money. Less money to make shit movies, but also less money to pay lobbyists to pay Congressmen to break the Internet.

And if that happens, Clay's fears won't be realized. There won't be another SOPA waiting for us down the road.

But of course, you'd have to get your ass off the couch.

What Steve Jobs Built

2011-08-24T23:38:00.003-05:00

You've all heard the news by now. Steve Jobs has stepped down as Apple's CEO. I could recite his accomplishments, but you know them. I could link to the videos, but you've seen them. I could tell you to buy a Mac and an iPhone, but you've already got them.

But there is one thing I haven't seen anyone say about Steve, so I'll say it now.

You often hear that we don't build anything in America anymore. And it's true enough that we don't build TVs, and we don't make much steel, and we don't make many textiles, and even Apple doesn't make computers here anymore.

But we still do make ONE thing in America.

We make the future.

And Steve Jobs did that better than anybody, for a long, long time.

Thank you, Steve. I hope you have many happy and healthy years to enjoy the future you've done so much to build. I'm gonna head over to the Mac App Store now and buy Motion as a way-too-tiny token of my profound gratitude.

Photo credit: http://www.flickr.com/photos/home_of_chaos/4645091860 (Creative Commons BY License)

A Bipartisan Letter From Congress to the American People

2011-07-24T19:11:00.002-05:00

Dear America,

We know you're watching the debt ceiling debate with growing alarm, and we just wanted to reassure you that we know exactly what we're doing, and everything is going to be OK.

For us.

You, not so much.

You probably think we don't know your credit card interest rates are going to go up to 30% next week when we refuse to pay the bills we rang up invading Iraq, buying crooked banks, stuffing the pockets of CEOs and Union bosses, and throwing enough nickels at the rest of you to make sure you didn't ask too many questions about what was really going on.

You're wrong. We know.

We just don't care.

You probably think we're anguished about the fact that another million of you are going to have your houses repossessed by the bank when mortgage interest rates shoot up like a rocket in August.

Wrong again. It's not like OUR houses are in any danger.

You might even think we're worried that the dollar is going to inflate like Zimbabwean money until you're begging illegal Mexican immigrants to throw you a Peso or two.

Yeah right.

OUR money is already socked away in overseas gold accounts, and besides, we can always get more by throwing a few scraps to a lobbyist or cranking your tax rate up to 90%.

(If we had half a brain, a whole bunch of us would already have called our brokers and shorted T-Bonds; then we'd make out like BANDITS when we finish pushing US debt to junk-bond status! But that would be unethical. And un-American. Just like shirking our constitutional responsibility to ensure that "The Public Debt of the United States... shall not be questioned". Heh. Heh heh.)

What did you just say?

You're going to vote us out?

You cannot be serious.

We KNOW you don't vote. OK, a few of you vote in the general election. But that's the beauty of it: the general election doesn't matter! By the time the general election rolls around, there's nobody left but idiots, weasels, and nuts (oh my)!

You don't vote in primaries, and you're not going to. Only crazy people vote in primaries. Did you think we were STUPID when we stopped choosing our candidates in smoke-filled rooms? WE knew that the only people who would come out for primaries would be hate-filled lefty and righty extremists too chickenshit to become real terrorists and herds of morons our pollsters and fat cats drive to the polls and pay to vote the party line.

That's why everybody here is a pervert like Anthony Weiner, a crook like Charlie Rangel, or a feeble-minded lunatic like Michelle Bachmann. And it's why the only thing we care about is keeping the money hose pointed at the people who fill OUR trough.

So kiss the dollar goodbye, get used to sleeping in a box, and enjoy the Even Greater Depression, America - you're Boehned!

Oh, and one more thing:

See you in November, suckers!

Werner Herzog Reads Curious George

2011-04-28T23:46:00.002-05:00

When a work finds its truest performer, the magic happens.

:-)

Symmetry

2011-04-23T23:45:00.000-05:00

Radiolab posted this wonderful video to YouTube:

Improv Everywhere: Triumph of the Human Spirit

2011-04-03T00:20:00.001-05:00

Comedy?

A Beautiful Short Film

2011-03-25T21:31:00.004-05:00

How Football came to Panyee. This film is wonderfully made and tells an inspiring story in a little over 5 minutes. It doesn't hurt that the setting, Panyee Thailand, is one of the most beautiful places on the planet.

How Much Do Movies Really Cost?

2011-03-23T15:10:00.006-05:00

A while back I wrote about how much it costs Hollywood to make a movie, using Avatar as a (particularly depressing) example. Avatar seems to have cost about $237 million, of which $150 million went to promotion.

Avatar, of course, wasn't just "any old movie" - even by Hollywood standards. It was made by James Cameron, who has a history of making movies that rake in mountains of cash once they're released; Avatar seems to have made North of $2.5 BILLION dollars. It was also made in 3D (ick) using bleeding-edge graphics techniques on a set which was designed from the ground up to make the movie. Avatar won three Oscars, which is evidence that the Oscar should no longer be considered an honor worth having.

You can make a much better movie than Avatar for a lot less money; The Hurt Locker, directed by Cameron's ex-wife Kathryn Bigelow, was a better movie than Avatar even by Hollywood's standards - it won 6 Oscars the same year Avatar won its 3. The Hurt Locker cost less than $20 million to make, and it seems to have earned about $20 million.

You can get production costs down far below $20 million, but total costs are still high if you want a movie released in theaters. The Blair Witch Project cost between $20,000 and $750,000 to make, depending on who you believe and how you define expenses - but it cost $25 million to print, distribute, and advertise.

And of course, Robert Rodriguez famously shot El Mariachi for $7,000 - but again, the total costs of the movie the audience actually saw were much greater. Columbia paid at least another million, and probably more, to print the film, advertise it, and distribute it.

Rodriguez made El Mariachi on 16mm film. Film is expensive, and so is the equipment you need to use to shoot a movie on film. Today you can shoot a movie digitally for even less than Rodriguez spent on El Mariachi. I've done it.

The trick is to do everything yourself (or with a few friends), using consumer equipment, and avoid all the things that make Hollywood films expensive.

I made the movie at the head of this post for last year's Austin 48-Hour Film Project. I wrote the script myself, did all the filming, lighting, editing, and music myself on equipment I already owned, and used friends & family (me, my father, and my former boss) for actors.

Even if I'd had to buy all the equipment new, it would only have cost about $2,000. Here's the complete equipment list:

$1199 13" MacBook Pro

$399 Panasonic DMC-LX3

$43 8GB Class 10 SDHC card

$0: iMovie

$0 Garage Band

$199 8GB iPod Touch

$9.99 BeatMaker app

$14.99 MusicStudio app

$6.99 ThumbJam app

$1.99 Bebot app

$3.99 Bloom app

$0.99 Euphonics app

$1.99 Bowls app

$0.99 Church Organ app

$0 Audacity for Mac

$0 iMovie Tutorials

$0 Garage Band Tutorials

$20 "Conversations with the Great Moviemakers of Hollywood's Golden Age"

$279 Tripod

$10 "On Directing Film"

$30 Three Home Depot worklights with 100W bulbs

The total comes to $2,220.92.

But $1,598 of that is the laptop and a consumer digicam capable of HD video - and there's a good chance you already have one or both of those.

The most important items - David Mamet's book "On Directing Film", the tripod, and the lights - cost only $319.

By the way, you will be tempted to cheap out on the tripod.

DO NOT CHEAP OUT ON THE TRIPOD.

You want a good solid one with a smooth pan action, a quick-release plate, and a leveling bubble.

The moral of this story is that if you have a decent computer and digital camera, you can make a pretty good movie yourself for free. Next time we'll talk about whether you can get anybody to watch it, and whether you can make money from it.

Storytelling in 30 seconds

2010-08-05T22:04:00.005-05:00

Damn.

(Hat tip to Nancy Duarte for the link.)

Math Education Sucks the Same Way TV Sitcoms suck

2010-05-13T21:08:00.002-05:00

Fascinating observation from Dan Meyer at TED. Bonus: shout-out to the iPhone as a cheap & easy way to produce compelling video to fix the math education problem.

Great Movie, Cheap Gear

2010-04-24T22:11:00.006-05:00

While you're waiting for the New Studio's financials, take a second to watch "Uncle Jack":

It's 5 minutes long, its story is far better than Avatar's and it was shot in three days with equipment you can probably afford.

Here's Jamin Winans (the director) explaining how he did it:

Not Worth Stealing

2010-04-23T11:48:00.003-05:00

This week in movie news, Hitler has reacted badly to the news that Constantin Films, who own the copyright to "Downfall", have issued a DMCA notice resulting in the removal of many "Downfall"-based parodies from YouTube.

The Downfall parodies are a prime example of what Larry Lessig calls Remix. Constantin Film AG calls it "theft".

EFF, the Open Video Alliance, and others will argue til the cows come home about whether remix is theft or fair use.

I say the hell with it.

Forget about remix. Why start with crap?

I haven't seen Downfall; it was made in Germany, not Hollywood, so it might not be total crap. But what arguments over the DMCA are distracting us from is that

MODERN MOVIES AREN'T WORTH STEALING!

Take Avatar. It was released on video this week. It won THREE Oscars, and was nominated for six more including best director and best picture. It's a two hour cartoon with a juvenile story you could tell in one minute. Don't believe me? Here you go:

Evil militaristic corporation lands on pristine planet occupied by noble giant smurfs and priceless ore. Military begins wiping out smurfs but one honorable disabled underling falls in love with a smurf, goes rogue, and leads the resistance. Just as all seems lost, the planet itself rises up and crushes the invaders, and the hero is magically transformed into an able-bodied smurf himself. In 3D. With lots of heart-swelling music.

Avatar is crap; the only good thing about its DVD release is that if you watch it at home, you'll be able to pause it every two hours so you can pee; I saw it in the theater and I was praying for a catheter by the halfway point.

Edward Jay Epstein's recent book "The Hollywood Economist" is depressingly clear about why almost every movie made today is crap. In a nutshell, it's because moviemakers can't get distribution deals for pictures which aren't guaranteed to herd teenage boys into the theaters in droves (read the book for more details). Epstein notes on his blog that crap teenager-magnets like Avatar are squeezing indie movies (which are still occasionally worth seeing) out of the theaters. Epstein's conclusion is this:

With the prospect of American distribution rapidly fading, indie producers are now finding pre-sale financing almost impossible. "It's a dead business model," a former Miramax executive said.
If so how can Indie producers continue to make movies? They might be able to find wealthy individuals entranced enough with a movie fantasy to put up the money, but they still need to devise a new way in this digital age to distribute them to an audience willing to see something more than the movie versions of amusement park rides.

Bingo. So let's get started.

I promised you two years ago (I know, I know, but I've been busy…) that I'd post a business plan for a New Studio: "…a new business model that lets creative people make a decent living making good, cheap movies. [The New Studio is] going to trust its audience to pay for quality films. It's going to grow its fan base by distributing entire movies on the Internet with no DRM."

In the unlikely event you've been eagerly waiting for me to keep this promise, you're in luck. Here's the first installment:

What is The New Studio?

The New Studio is a business model which uses the new technologies of low-cost digital capture and editing, high-quality low-cost print-on-demand services, and near-zero-cost electronic distribution to take creative control of cinematic storytelling away from producers and studio executives and give it back to writers and directors.

The New Studio is owned and managed by directors and writers, who produce their own material and retain artistic control of their work. Every director in a New Studio has final cut.

The New Studio accomplishes its financial goals by enabling motion pictures to be produced, marketed, and distributed cheaply enough that there is a high probability of a modest profit (and a smaller possibility of a large profit) for every film the New Studio produces.

The New Studio may accept investments by outside producers. Producers’ relationship with The New Studio is, however, financial rather than creative. In return for lower financial risk (that is, a more predictable return on investment than a traditional studio can promise), investors in The New Studio willingly leave all creative decisions to the New Studio’s writers and directors.

What are the The New Studio’s principles?

Hollywood fears the web. Studios fear that releasing their movies on the web will destroy their revenue stream.

Fear of releasing movies on the web comes from a belief that the product is worthless – so no sane person would voluntarily pay for it. This belief is justified by most of today’s movies. They are made not to satisfy an artistic urge, or to tell a story, but to make money. A lot of money.

If you need to make 100 million dollars, you have no time to think about anything else. Including telling a story.

But you don't need to make 100 million dollars, because you don't need to spend 80 million dollars to make the movie and distribute it. In 2010 you can produce movies cheaply using new technologies, as Robert Rodriguez and others have demonstrated. You can distribute movies essentially free using the Internet. This means that, as long as you’re not greedy, there are stories you can afford to tell with the new tech which studios cannot afford to tell for theatrical release. This is good for the artists but bad for middlemen who add cost but not artistic value to projects.

People will want to pay for a story which is worth the money. No story is worth $100 million (well, maybe just a few. The Bible’s done pretty well at the box office…). But lots of stories are worth $2 million.

When you put content into electronic form you enable people to make an unlimited number of copies for free. There is therefore no such thing as theft. Want proof? If someone makes a free copy of my movie, what have I lost? Only something I never had: the copier’s money. (NOTE: If you thought Digital Rights Management could stop people from making copies, you’re confused. Study until you understand why you’re wrong. Until then, don’t bother us).

While there is no such thing as theft, there is such a thing as publicity. A good product, distributed widely, creates buzz and demand. This in turn generates sales.

People who see honest publicity for a good product want to buy it. Digital Rights Management is based on a worldview of shortage. Our worldview is abundance. We think our stories are good – so good that people who see them will want to own them. We want as many people as possible to see them because we know some (not all) of those people will pay us for them.

What does The New Studio sell?

We sell access, experience, and artifacts.

Access to our products and, to a few lucky fans, access to the process of producing our products.

Experience of the magic of motion pictures – the willing suspension of disbelief, the entry into the story, the magic of the motion-picture production process, the glamour of our stars.

Artifacts including high-quality art produced specially for our customers and actual items used in the production of our motion pictures.

We make motion pictures and sell films.

We release our motion pictures free on the Internet. In high-quality audio and video formats. Before theatrical release.
We sell films. Not DVDs (which are just little round pieces of plastic and metal) – films. Films are released to the retail market simultaneously with free Internet release. The buyer of a film gets a high-resolution DVD with an excellent motion picture that tells a compelling story. This DVD is not region-coded or protected by DRM; the buyer can play it on any device, create any number of copies, and exhibit it to the public if he chooses. The film comes in a high-quality package which creates a film experience.
The motion picture at the heart of the film is reproduced on the highest-quality media available, so that it will last a lifetime. If media is scratched, or if it degrades, it will be replaced at no cost, with no questions asked – guaranteed.
The film is sold in one of three editions, and not everyone can own one. The first edition is the limited edition.
The limited edition film includes original, limited-edition collectible art art (a numbered 8x10 archival black-and-white photograph of one of the stars by an outstanding photographer) which will grow in value over time and which represents a connection between the filmmakers and the buyer.
The limited edition film includes a high-quality illustrated book containing production stills and a commentary on the production by the screenwriter and the director; this book is available only as part of the film editions.
The limited edition film includes a unique password for a website which allows the buyer to view dailies and other production details of the next motion picture produced by the studio.
The limited edition film includes a coupon which can be redeemed for two free tickets to see the motion picture in a local theater after its theatrical release (if it gets released to theaters!).
And the limited edition film includes a lottery ticket. The two winners of the lottery will be auditioned for roles in a future motion picture produced by the studio. If the winners are not cast in speaking parts, they will be cast as extras or given roles in the crew of the production.
The limited edition film will be available for only $50 per copy. Only 100,000 limited edition copies of the film will be produced – ever.
The second edition of the film is the special edition. The special edition film includes all the contents of the limited edition. It also includes a copy of the movie’s poster (signed by the director and shipped rolled, not folded) and a numbered 11x14 archival black-and-white photo of one of the stars by an outstanding photographer, signed on the front by the star and on the back by the photographer. This photo will be shipped ready for framing in a 16x20 archival mat. Both the poster and the photograph will grow in value over time and represent the personal connection between the filmmakers and the buyer.
The special editions of the film are available for only $250 per copy. Only 1,000 special editions of the film will be produced – ever.
The third edition of the film is the collector’s edition. These collector’s edition will include, in addition to the special edition film contents, two premiums. The first premium is an actual prop or costume used in the production of the film, with a certificate of authenticity signed by the director and the star most closely associated with the item. The second premium is two tickets to the theatrical premiere of the motion picture, if such a premier is held.
The collector’s editions of the film are available for only $5,000 per copy. Only 100 collector’s editions of the film will be produced – ever.
We sell motion pictures via iTunes. No motion picture will be released to iTunes until three months after its free Internet release – guaranteed. The motion pictures will be optimized for high-quality playback on iPads and laptop computers, and will be free of any DRM restrictions.
Our motion pictures will be available via iTunes for only $4.99 per copy (for purposes of comparison, “Chicago” is sold on iTunes for $9.99 per copy).
We sell prints of motion pictures to theatrical distributors. No motion picture will be released to theatrical distribution until one year after its free Internet release – guaranteed. This benefits buyers of films because they will have exclusive access to high-quality prints of the motion picture for a year before the motion picture is released to theaters. It benefits theater owners because they will have access to motion pictures with a proven fan base on the day of release.

How does The New Studio sell?

We sell direct, over the Internet.

We create demand by letting people experience our motion pictures in their entirety, in high-quality reproduction, for no cost. Our customers are not thieves. They are fans. They appreciate motion-picture art when they see it. If they can afford to own motion-picture art, they will choose to buy our films because those films have lasting artistic value, are worth owning, and enhance their lives.

Some of our customers cannot afford our films, but they still love and treasure motion-picture art. We celebrate the opportunity to enrich their lives by providing them with excellent art, even though they cannot afford to buy a film. Many of these people will become more prosperous, and will buy our films in the future; others will pay for downloads of our motion pictures so that they can play them through iTunes. Fans who cannot afford to pay us in cash will pay us with their voices by recommending our motion pictures to friends. A few of our fans will be inspired to make their own motion pictures, and they will tell stories we cannot imagine – and that’s the best part of all.

How does The New Studio advertise?

We don’t. Our product speaks for itself. People will recommend our motion pictures to their friends and companies will recommend them to their customers. Our motion pictures are so good that we think other people will want to use them to advertise their products and services. We approve. We will give a limited number of people and companies with influence, good taste, and good products permission to host our motion pictures, uncut, on their sites – individuals’ blogs and corporate portals – to help them advertise themselves and their products and services to their customers. If you think your audience or your customers would be attracted to your site by an excellent motion picture, get in touch. But hurry – we’ll grant this permission to a limited number of people and companies who believe strongly and early in the value of each of our motion pictures.

In the next entry, I'll run the numbers to convince you that the New Studio can make money.

What Does DHS Think TSA's Job Is?

2009-12-30T13:40:00.004-06:00

I've been puzzling over Janet Napolitano's comments in the wake of Umar Farouk Abdulmutallab's semi-successful attempt to ignite a bomb onboard a Detroit-bound airliner on Christmas day.

At first I thought her comment that "the system worked" was just normal bureaucratic ass-covering, but after reading and re-reading her comments, and after thinking about the "additional security measures" most widely implemented after the incident, I'm not so sure.

The additional security measures just didn't make sense to me at first:

Passengers limited to one carryon bag (Abdulmutallab had none).
No personal effects in passenger laps during last hour (Abdulmutallab had nothing in his lap; the bomb was inside his clothing).
No moving around the cabin in the last hour (OK, Abdulmutallab did this).

But then I asked myself "what are these rules trying to prevent?"

The answer is unfortunately obvious - the rules are trying to prevent someone who has succeeded in getting a bomb on the plane from detonating it over a populated area near an airport.

What tipped me off was the weird restriction of the new rules to the last hour of the flight - what DHS apparently really doesn't want is a plane exploding in an urban area on TV, because that would look too much like 9/11. If we're going to lose one, let's make sure it goes down over a farm - like United 93.

Just to be perfectly clear, it looks to me like these rules are DHS's (specifically TSA's) attempt to protect the people on the ground, not the people on the plane. The underlying assumption is that terrorists who try to smuggle a bomb onto an airplane will succeed, at least some of the time.

Given the failure of TSA screening to detect pretty much all hazardous materials, this assumption is depressingly realistic. It also makes Secretary Napolitano's comments to CNN's Candy Crowley much easier to understand. If you're assuming that you can't stop people from smuggling bombs onto airplanes, you're going to assume that you'll lose a plane from time to time, and the best you can do is minimize the damage and respond quickly. Here's what Secretary Napolitano said:

...the system worked. Everybody played an important role here … the passengers and crew of the flight took appropriate action within literally an hour to 90 minutes of the incident occurring all 128 flights in the air had been notified to take some special measures in light of what had occurred on the Northwest Airlines flight. Uh, we instituted new measures on the ground and at screening areas both here in the United States and in Europe … uh … where this flight originated, so … ah … th … the whole process of making sure that we respond properly, directly and effectively went very smoothly.

These are the words of someone who's planning on cleaning up a mess rather than preventing people from making the mess in the first place. When Crowley followed up, the Secretary more or less confirmed that preventing an airplane bombing is a lower priority than keeping the planes running on time:

...what I really think deserves attention is everybody responded quickly effectively … witihout, without, you know, panicking and shutting down the airline systems — air travel.

If you're a taxpayer (or even if you're just a citizen), you're entitled to an opinion about what TSA's job should be. Here's a handy little poster illustrating what this citizen and taxpayer thinks it should be:

If TSA can't do this, or doesn't want to do it, I say shut 'em down and spend the money on something more effective.

You can watch the interview with Secretary Napolitano here.

Goodbye, Don

2009-11-01T14:02:00.004-06:00

Don Bowen died yesterday. He was 51 years and two days old - a bit older than me. He died of a brain tumor. I took the picture of Don you see above in San Diego's Gaslamp district on July 30. Don was attending my company's conference, and a lot of his friends held a party for him in the evening at a local restaurant.

The crowd lined up to see Don that night was huge. If you'd met Don, you'd know why. You can't meet him any more, of course, but you can get an idea of why all of us loved him. He chronicled his two years of living with cancer on his blog. What comes through the details of the story is Don's optimism, his faith, and his love of his friends and of the everyday reality of life. The very last entry sums it up; I imagine Don had prepared this well in advance:

On October 31, 2009, my Lord threw His loving arms around me tightly, invited me to enjoy life in this new world of His and pronounced me cancer free. He promised you and me a miracle if we prayed BIG, and He has kept His promise.
Memorial services will be held at 10:00 am on Saturday, November 28, 2009 at the Northwoods Community Church, 10700 N. Allen Road, Peoria IL 61614
Praise the Lord for His goodness!
Don

For the whole story, you can start at the beginning and read it in order. Goodbye Don. Don't worry about us - we'll be fine too. And we remember.

Never a Small Step

2009-07-20T20:42:00.004-05:00

"The day", to my grandparents's generation, was December 7th.

To my parents', it was November 22.

To me, and to my generation, "the day" is today - July 20.

I like to think that Neil Armstrong fumbled the first half of his famous quote because the false humility stuck in his throat.

It was never a small step. It was always and only a giant leap, and everyone knew it. Armstrong knew it, because he and everyone he worked with signed up for a giant leap, and would never have settled for anything less. Kennedy knew it; he gave the call Armstrong answered. Kruschev knew it, behind all his bluster.

And I knew it, and so did all my fourth-grade friends on Robin Hill drive in Williamsville, New York. That leap defined my generation and set us on our path. The Beatles and the race to the moon were the soundtrack and the backdrop to our childhood (and Walter Cronkite, who's left us just this week, was our narrator.) Armstrong's leap, and his footprint, told us everything we needed to know about how the world worked. It told us that anything we could imagine was possible.

Fantasy and Science Fiction are one section at the bookstore, but they're not the same. Fantasy is the fiction of what can never be; science fiction is the fiction of what has not been yet. The generation of kids before me read fantasy - Tolkien's Lord of the Rings. We read science fiction; Asimov and Bradbury and Clarke and the others. And we watched Star Trek.

NBC cancelled Star Trek just two months before Armstrong took that giant leap for us all. But it was too late - all of us, we 10-year-olds, had been watching, and Armstrong had proved it could really be done.

We remembered. Gene Rodenberry gave Captain Kirk a flip phone in 1966 just as NASA was winding Gemini down and planning for Apollo and the moon. When we got to be old enough to work for companies like Motorola and Nokia, we built that flip phone (Kirk called it a "communicator"), and we gave it to you. Because, after all, that's what Armstrong would have done. And we built lots of other things too; the talking computers and giant electronic encyclopedias and autopilots and phasers we learned about by reading Amazing Science Fiction and watching Star Trek.

My kids' generation is reading fantasy again; Harry Potter. Their day is September 11. Things like that matter; still, I hope they know Armstrong leaped for them, and that if they leap, they can leave footprints too.

Remembering Frank

2009-07-19T19:34:00.003-05:00

Frank McCourt died today.

Frank was famous for Angela's Ashes - his account of his "miserable Irish Catholic childhood". If you haven't read it, you should. He was a wonderful writer.

Mostly by chance, I had the pleasure of spending a week on a bus with Frank. Karen & I signed up for a Photo Mentor Series trek to Ireland in 2003. The Ireland trip was unique among the Photo Mentor series treks in that it had a local host who wasn't a photographer, and Frank was that host. I took the above picture of him in the pitch-dark interior of the Gallarus Oratory on the Dingle peninsula.

The photo mentors - Barbara Kinney, Jill Enfield, and Joe McNally, - were fantastic; Barbara had been Bill Clinton's White House staff photographer, Jill is a leading expert in hand-coloring photographs, and Joe shot the first digital cover for National Geographic.

Frank and Joe hit it off immediately; they were both Irish boys who'd attended Catholic school and come away with a decidedly mixed view of the experience. And they were both master storytellers. They bickered constantly from their seats in the front of the bus about whether it was a more miserable life to be a writer or a photographer. Frank's books give you a hint of what he was like, but they don't really convey how warm or how funny he was as a person.

What they do convey is what he was most passionate about: his hatred of suffering. Angela's ashes is all about that.

It showed in person, too; as we walked up to the Killarney Cathedral, a historical marker caught Frank's eye. The marker said that construction of the cathedral had begun in earnest in 1846. Frank exploded. "1846 was the WORST year of the famine...", he began. I don't even remember if he finished the sentence, but his meaning was clear. The church had spent its money piling up stones instead of feeding its faithful, suffering people.

When we sat down later in the pub, Frank said there were three things every visitor to Ireland must do: see a horse race, attend a mass, and drink a pint of Guinness. Then he narrated the ritual of the pouring and drinking of the Guinness, and remarked that the foam on the top of a properly poured pint was known to the Irish of his youth as a "collar" because of its resemblance to the priest's neckwear. A trekker asked him, this being the case, why we needed to attend the mass and drink the Guinness, and he answered "to see which of them is false".

Frank got to see the end of most of Ireland's suffering; he told us as we were preparing to leave for home that the combination of European Union money and high-tech jobs for highly literate English speakers had transformed Ireland into a place his parents could not have imagined and would not have recognized. He said that without nostalgia; he was happy to see the poverty and the misery pass away, though they had given him the wonderful stories he left for us all.

I suspect Frank would disapprove of any mention of flights of Angels, so I'll pass all that in silence. We're poorer without him.

In Memoriam

2009-06-22T22:28:00.004-05:00

I'm breaking one of my rules because I can't bear to headline this entry with a picture.

As if it weren't bad enough that American Airlines has just announced the demise of the "nerd bird" nonstop flights between Austin and San Jose (when people ask where I'm from I tell them that I live on the nerd bird and vote in Austin) - today comes word of an even more momentous loss.

Kodachrome is no more. It was the world's oldest film in continuous production (invented in 1935 by Kodak's Leopold Godowski and Leopold Mannes - "God and Man") and the most stable color film in existence.

In my closet are 100 Kodak Carousel trays of the Kodachrome slides my grandfather took in 40 years' travel around the world. I have pictures of the Sydney Opera house, unfinished. Of temples in Southeast Asian countries an American can't visit anymore. Of my grandmother in a middle East that now seems like a fairy tale.

All those slides look as good today as they did on the long-ago days the mailman brought them back to Annapolis from the lab.

Kodachrome gave us the nice bright colors; it gave us the greens of summer. It made all the world like a sunny day.

Oh yeah.

Thanks, Kodachrome. You gave us 4 years more than the requisite threescore and ten, and those of us who knew you will never forget.

Cyber Security

2009-06-01T11:54:00.002-05:00

The Obama administration released the results of its Cyber-Security Review last week. The report's conclusions and recommendations aren't going to do any harm, but they're not going to solve the cyber-security problem either.

Start with the obvious: information security has failed, as a technology and as a discipline. A lot of security professionals object to this statement, but let's get real. Hundreds of millions of credit card numbers are stolen from retailers, processors, and other online properties every year. Foreign hackers roam the systems supporting major national defense projects. Spam, malware, and viruses circulate constantly despite the purchase and use of millions of dollars worth of anti-malware tools. Serious penetration tests succeed essentially 100% of the time. The list goes on; the news is all bad, and it's on all the time.

The Cyberspace Policy Review team wants to fix this by building "next generation secure computers and networking for national security applications"; it also wants the government to "provide a framework for research and development strategies that focus on game-changing technologies." These are fine goals, but they're not going to solve the cyber-security problem.

If we eventually do solve the cyber-security problem, the cause of our success is almost certainly not going to be the new, smart things we start doing. It is going to be the old, dumb things we stop doing.

The dumbest thing we're doing right now, in a nutshell, is optimizing our systems for low cost, fast performance, and convenience in the average case. Designing systems this way requires tradeoffs, and those tradeoffs make the systems unsafe in the worst case.

We optimize for the average case because when we're using systems, we're almost always using them in the average case. Things are fine, and we want our systems to be cheap, easy, and fast (insert your own obvious joke here).

We almost never see the worst case, so we don't worry about it much. But that doesn't mean that the worst case isn't a big problem. We built New Orleans' levees for the average case; hurricane Katrina destroyed them (Katrina, of course, wasn't even close to the worst case). We've built our cyber infrastructure, like New Orleans' levees, for the average case.

Unless we (the information security industry, the technology industry as a whole, and society generally) stop sacrificing worst-case safety on the altar of average-case convenience, we're going to continue to fail. But rebuilding cyberspace for a safe worst case is going to require sacrifices.

The Cyberspace Policy Review says "The national dialog on cyber-security must begin today." I agree. Let's start the dialog with a conversation about what sacrifices we're willing to make to get to an acceptable worst-case performance. Here are four questions to get the ball rolling:

Question 1: Are we willing to give anything up?

Not everything can be made secure, and securing some things makes them slower, or less convenient, or less flexible. If we really want security, we're going to have to give up some other things we want. We need to be clear about where security falls on our scale of priorities, we need to be clear about what type and magnitude of loss we're willing to sustain as a result of cyber-security failures, and we need to be clear about what we will have to give up in order to get the security we decide we need.

Are we willing to give up the ability to execute code downloaded from untrusted sources? Are we willing to give up instant enrollment in new services with no meaningful background checks? Are we willing to give up anonymity? Are we willing to give up connecting critical systems to the public internet, even if it means we've got to put human operators in more places to manage disconnected systems?

Question 2: Are we willing to do anything different?

For years the technology community and society generally have been headed down the path of using cheap, generic, general-purpose components for everything. The government calls this strategy "COTS" (Commercial Off-The-Shelf). The strategy is great for building a cheap, convenient average case. It's terrible for building a safe worst case.

Complicated general-purpose systems are impossible to secure. A complicated system sometimes does things its users and even its designers didn't expect. This makes complicated systems unsafe. But we keep using complicated general-purpose systems (Windows computers, for example) to handle security-critical and even safety-critical tasks. It's a recipe for disaster, but it's easy because complicated general-purpose systems are cheap, and they're easy to customize for new applications. Small, simple systems, carefully designed for one specific job, are much safer - but they're also more expensive to buy and more time-consuming to build and test.

Are we willing to build new, special-purpose tools to help us secure cyberspace? Are we willing to tell the general-purpose system vendors that we're not going to use their wares in critical applications?

Question 3: Are we willing to take any blame?

If your painkiller kills not just pain but patients' hearts, you pay the victims. If your Pinto turns into an external combustion engine, you pay the victims.

If your financial software leaks a couple hundred million credit card numbers to a hacker, you write a press release describing your commitment to security.

Are we, the information security community, willing to assume a duty of care to those who use our products? Are we willing to submit to liability when our products are defective or fail to meet a minimum standard of fitness for purpose?

Bruce Schneier has argued in favor of liability for security failures; in fact he's argued that we can't solve the problem without it.

Question 4: Are we willing to give any guarantees?

If your lawnmower doesn't cut grass, or if your printer doesn't load paper, you can take it back to the store and get your money back.

If your information security product doesn't keep hackers out of your corporate secrets, you're out of luck.

Are we, the information security community, willing to stand behind the performance of the products we build?

John F. Kennedy, in his inaugural address, promised the world that the United States would "pay any price, bear any burden, meet any hardship, support any friend, and oppose any foe" to assure the survival of liberty. What, if anything, are we willing to do to assure information security?

The Porkalypse, Blakley's Law, and the WHO

2009-05-01T11:25:00.004-05:00

Swine Flu has been downgraded to Influenza Type A (H1N1) for the sake of the pigs, but the WHO Epidemic and Pandemic Alert and Response Phase is still at 5 ("A pandemic is imminent").

The Department of Homeland Security claims that its National Threat Advisory is at "Yellow" ("Significant risk of terrorist attacks") - but DHS is just kidding. For air travellers it's still "Orange" ("High risk of terrorist attacks").

At first glance these two alarming indicators seem similar. They're not. The DHS National Threat Advisory is a public alert system. That a public alert system is indicating imminent disaster is not surprising. In fact it's inevitable. It's the nature of public alert systems to signal imminent disaster at all times. I've composed "Blakley's Law" (next time I come up with one of these I'll rename this one "Blakley's First Law") to describe the phenomenon:

"Every public alert system's status indicator rises until it reaches its disaster imminent setting and remains at that setting until it is retired from service."

It's easy to see why Blakley's law holds: if something terrible happens and the alert status didn't predict it, the keepers of the alert status will be blamed for not preparing us for the disaster. Setting the alert status to "Disaster imminent" when no disaster is likely costs the public some money and mental health, but it doesn't hurt them in other ways. On the other hand, setting the alert status to "Don't worry, be happy" just before a disaster does happen is the worst case for everyone - nobody prepares for the disaster, and the people in power lose their jobs for failing to prevent or prepare for the crisis.

This is why public alert systems are silly; for political reasons they always tell people to be afraid, but most of the time nothing bad happens so people develop distrust and contempt for the alert system and its operators over time.

It's a pity that the WHO pandemic alert and response phase indicator is being used by the media as if it were a public alert system, because the phase indicator wasn't designed as a public alert system, and what it was designed to do - and does do - is quite important.

What the pandemic alert and response phase indicator was designed to do is to alert healthcare, government, and first-responder organizations (NOT the general public) to prepare to deal with a serious disease outbreak if it occurs. Unlike DHS, which releases none of the underlying facts supporting the National Threat Advisory's current status, the WHO operates the Pandemic Phase as a fact-based system and publishes the phase criteria along with the current phase setting. The real audience for the WHO's status indicator are people who can do something to help if a pandemic breaks out, do need to know what the current situation is to make proper plans, and won't panic when they receive the information.

Unlike the media. And the public.

Influenza Type A (H1N1) may still turn out to give us a very bad season (though that does not seem very likely right now). But the biggest hazard we face from the porkalypse of 2009 seems to me to be that the media's misuse of the WHO's information may discredit the very system we will depend on when we finally do have a really deadly pandemic.

The Zone of Essential Risk

2009-03-27T09:31:00.003-05:00

Bruce and I recently had a bit of email conversation about his eBay Fraud blog entry.

I emailed him saying that this incident is the fraud pattern for which escrow agents were invented; Investopedia defines an escrow agent as:

An entity that has fiduciary responsibilities in the transfer of property from one party to another. Typically associated with selling or buying a home or other property, the escrow agent will secure the property and examine documents to make sure that the terms of the sale are met on each end, serving both the buyer and seller in the transaction.

Bruce pointed out in his return email that while the fraud pattern was a good match for escrow, the transaction size wasn't: since the item exchanged in the eBay transaction he highlighted was sold for only $500, the price of an escrow agent would have been hard to justify. He's right.

We ran into each other at the IAPP Summit and discussed the situation a little more, and I've concluded on the basis of our little chat that there's actually no good solution to the problem in Bruce's example; it falls into what I'm going to call a "zone of essential risk".

The figure at the head of this post illustrates the problem. If you conduct infrequent transactions which are also small, you'll never lose much money and it's not worth it to try to protect yourself - you'll sometimes get scammed, but you'll have no trouble affording the losses.

If you conduct large transactions, regardless of frequency, each transaction is big enough that it makes sense to insure the transactions or pay an escrow agent. You'll have occasional experiences of fraud, but you'll be reimbursed by the insurer or the transactions will be reversed by the escrow agent and you don't lose anything.

If you conduct small or medium-sized transactions frequently, you can amortize fraud losses using the gains from your other transactions. This is how casinos work; they sometimes lose a hand, but they make it up in the volume.

But if you conduct medium-sized transactions rarely, you're in trouble. The transactions are big enough so that you care about losses, you don't have enough transaction volume to amortize those losses, and the cost of insurance or escrow is high enough compared to the value of your transactions that it doesn't make economic sense to protect yourself.

As far as I can see, there are only three ways out of this box: make your transactions smaller, make your transactions bigger, or make your transactions more frequent. If you've got a better idea, I'd love to hear it. But unless you do, I'd advise you not to order your risk medium-rare.

Martin

2009-01-19T00:27:00.004-06:00

Today we celebrate Martin Luther King.

What I celebrate him for, more than anything, is that he reminded us how to handle injustice.

He did not handle injustice by attacking it, or by blaming others for it, or by taking it to the courts, or by running from it, or by despairing in its face.

He dealt with it by naming it. Again and again, in the face of scorn and threats and violence and discrimination, he stood up and he called it what it was. He said "this is injustice".

It really is that simple.

After a long while, people listened to Martin, and they looked, and they saw injustice.

It's not all gone. But after Martin, it couldn't hide.

Happy Martin Luther King day. Name the injustices you see.

Role Model

2009-01-04T21:11:00.003-06:00

This is Brent Jeffery. I met him tonight on MARTA's Orange-line train from Atlanta Hartsfield airport to Lindbergh Center, and I'm in awe of what he does.

To put it in perspective, I speak to audiences for a living. I've done it for a long time (more than 25 years), and I had a lot of training - 9 years of drama, speech and debate in Junior High School, High School, and College. I'm a good presenter. I study presentation experts like Garr Reynolds, and I watch the best of the best at places like TED to see how I can improve. I spend a lot of time making my presentation materials informative, entertaining, and attractive. But for an old throat injury which forces me to clear my throat a lot to keep my voice from breaking, my delivery is fluid and natural. My audience ratings are consistently high.

I couldn't do what Brent does, though - at least not without a lot of practice and preparation, and not without developing a kind of courage I don't need to have to do the presentations I've been doing up til now.

I do sometimes talk about sensitive subjects - privacy, for example - but I speak to audiences who sign up to come to my talks, who know what I'm going to be talking about, and who want to be there.

Brent talks about the Bible to complete strangers on public transit. His audience paid two bucks to go home, and a lot of them are tired and crabby after a hard day at work or a series of delayed flights. They're not expecting entertainment, and they're sure not looking for a sermon.

After the MARTA train's doors close at the start of the trip, Brent gets up and asks a car full of Atlanta's weary travellers if they can spare two minutes to hear about God.

A lot of them listen. I did. He promises that it will only take two minutes. It's an exaggeration; it's really more like ten minutes. But it seems like two, because Brent's a great presenter.

And he hands out a presentation. Nothing fancy; just a xeroxed page containing a four-paragraph sermon on one verse of the Bible. Today's verse was Proverbs 13:20 ("He that walketh with wise men shall be wise: but a companion of fools shall be destroyed.") Here's the handout:

When he gave it to me, he assured me it wouldn't bite. I guess a lot of people don't reach eagerly for the paper.

Like I said, it's nothing fancy. But Brent respects his materials; at the end of the talk he comes back around the car and asks you not to throw the paper away; you're free to keep it, but if you're not going to keep it, he'd appreciate having it back. Part of the concern is surely for saving money on printing, but I bet if you asked him he'd say that a paper which might bring someone an important message shouldn't be wasted in the trash.

Brent's an inspiration to me as a presenter, and he's reminded me of something important: the most important part of a truly outstanding presentation is a profound belief that the message you're trying to communicate really matters to your audience.

If you're reading this, Brent, thanks for the lesson. It was a pleasure to meet you.

The 2008 Ceci Award

2008-11-05T10:54:00.003-06:00

Penny for the Guy?

It's that time of year again; Guy Fawkes day is here, and with it comes the presentation of the annual Ceci award for the year's most significant contribution to clear thinking about identity, privacy, security, and risk.

Modern Britons often say that Guy Fawkes was "the only man ever to enter Parliament with honorable intentions"; this year's award goes to the US Army, which, with the publication of US Army Field Manual FM 3-07, has demonstrated that it's about to become the only army ever to enter conflict with honorable intentions. Here I don't mean that other armies aren't honorable; I do mean that for the first time the US Army has as an explicit goal not only "victory" but also the transformation of conflict zones into stable, peaceful states under the rule of law. FM 3-07's remarkable opening quote, from Colonel Sir William F. Butler, holds up the example of General Charles George Gordon's British Army as a force more ready to create than to destroy:

It is needless to say that Charles Gordon held a totally different view of the soldier’s proper sphere of action, and with him the building part of the soldier’s profession was far more important than the breaking part…. The nation that will insist upon drawing a broad line of demarcation between the fighting man and the thinking man is liable to find its fighting done by fools and its thinking by cowards.

In this spirit, FM 3-07 introduces the notion of "conflict transformation", which it defines as follows:

Conflict transformation focuses on converting the dynamics of conflict into processes for constructive, positive change. Conflict transformation is the process of reducing the means and motivations for violent conflict while developing more viable, peaceful alternatives for the competitive pursuit of political and socioeconomic aspirations. It aims to set the host nation on a sustainable positive trajectory where transformational processes can directly address the dynamics causing civil strife or violent conflict. It seeks to resolve the root causes of conflict and instability while building the capacity of local institutions to forge and sustain effective governance, economic development, and the rule of law.

Contrast this with the goals of our current enemy, as recited by Abu Dujan al Afghani after the Madrid train bombings:

"You love life and we love death, which gives an example of what the Prophet Muhammad said. If you don't stop your injustices, more and more blood will flow and these attacks will seem very small compared to what can occur in what you call terrorism.

Those who aim only to destroy can never defeat those who aim to create; the contrast is too stark and the choice too obvious. Winning a war against extremist terrorists should be a sure thing, and it is in the long run - but only if we offer an alternative that's not based on pure destruction. Shock and Awe failed this test; FM 3-07 passes it. Look at the focus on legitimacy:

Legitimacy is central to building trust and confidence among the people. Legitimacy is a multifaceted principle that impacts every aspect of stability operations from every conceivable perspective. Within national strategy, legitimacy is a central principle for intervention: both the legitimacy of the host nation government and the legitimacy of the mission...
The credible manner in which intervening forces conduct themselves and their operations builds legitimacy as the operation progresses. Highly professional forces are well disciplined, trained, and culturally aware. They carry with them an innate perception of legitimacy that is further strengthened by consistent performance conforming to the standards of national and international law. For military forces, a clearly defined commander’s intent and mission statement are critical to establishing the initial focus that drives the long-term legitimacy of the mission.

An army thoroughly trained in this doctrine would not have suffered the disgrace of Abu Ghraib, and its officers and men would not have countenanced waterboarding.

We are safe when we are just as well as strong. If we must use the Army, we should use it not only in a just cause but also in a just fashion. FM 3-07 provides a foundation for doing that.

Congratulations to Gen. William Caldwell, LTC Steven Leonard, and the US Army Combined Arms Doctrine Directorate on the publication of FM 3-07. As always, acceptance comments are not expected but would be most welcome.

The End of Taxation

2008-11-04T14:33:00.003-06:00

With the election cycle coming to a close here in the USA, there's lots of the usual talk about tax reform. During the campaign, Ron Paul, Mike Huckabee, and John McCain endorsed a "fair tax" - basically a flat national sales tax intended to replace the income tax; Sam Brownback and Rudy Guiliani wanted a "flat tax" - a single-rate income tax. Various candidates wanted to whittle around the edges of the tax code by repealing (or not) the estate tax, raising (or lowering) the capital gains tax, taxing (or not) carried interest, taxing (or not) carbon emissions, raising (or lowering) cigarette and gasoline taxes, and so on. And of course, Barack Obama wants to cut your taxes if you make under $200,000 - a number Joe Biden can't seem to remember. The shared consensus underlying all these proposals is that the existing tax code is neither fair nor simple - and this consensus is correct.

But none of the existing proposals will fix this problem. They'll just reward the constituency of the winner of tonight's election. We'll continue to tinker unsuccessfully with the tax code until we come to grips with a fundamental issue: taxation itself is obsolete.

Wikipedia says taxes originated 5,000 years ago in Egypt. This might be right, or it might not - we probably don't actually know when taxation was invented. But we do know why it was invented. It was invented because Pharaoh was a senior executive: instead of doing work, he supervised it.

Although Pharaoh didn't cultivate a garden, he still had to eat: he had to rely on the fruits of others' labor in order to set his table. Laborers being laborers, many of those growing the fruits doubted that Pharaoh was earning his supper, so they sent rotten produce, or they sent their regrets.

And (Pharaoh being Pharaoh) when the laborers sent their regrets, Pharaoh sent his army, and his army took everything they thought Pharaoh might need to impress his dinner guests (plus a little bonus for the Captain, as I'm sure you'll understand).

In order to minimize conflict (and to keep the Captain poorer than Pharaoh!) this system of royal confiscation was eventually systematized and scheduled, so that the laborers would grow accustomed to the seizures and plan their productivity accordingly (rather than, say, getting all surpirsed and in a huff, and marching on Thebes with sharp farm implements). The result was a tax.

Pharaoh really had no alternative to taxation; he needed grain for his bread and papyrus for his scrolls and tallow for his candles, and the only way to get these things was to go to the people who had them and claim a portion.

Now flash forward 1500 years and swim the Mediterranean to Rome. The Republic, and later the Empire, found it inconvenient to scour the landscape for cattle and grain and tallow and wine every time the legions needed to be paid; the logistics were too daunting, and it was tough to remember that Severus wanted 200 candles but Quintus wanted a cow. So the Romans innovated and came up with a standard medium of exchange - salt. Salt was great stuff. It was infinitely divisible, it was small in proportion to its value, it was imperishable, and it was in lots of demand because you could use it for many useful purposes, including curing meat and hides and flavoring food. So the legions were paid a "salary" (salt ration). Quintus could use his valuable salt to make his camp rations taste better, or he could trade it to the local farmer for that cow he had his eye on.

Commodity media of exchange make taxation much easier. You don't have to see if the cow Quintus sends to the emperor is scrawny or has foot-in-mouth; all you have to do is weight the salt. So the laborers began to bring a portion of their salary to the seat of government and turn it in. They had to do this, of course, because the Republican (and later the Imperial) tax authorities couldn't just make salt - they had to collect it.

Salt is, unfortunately, somewhat tough to test for purity. And, laborers being laborers, they tended to mix the Emperor's salt with sugar, or quartz crystals, or flour, or cocaine, or any number of other things. This made it hard for the Emperor's tax collector to know when he was being cheated. The Emperor hated to be cheated, so he encouraged his tax collectors to innovate. They did so by switching from salt to metal coinage. Soft metals can be tested for purity using a touchstone. Some soft metals are also nice and rare, and they can be turned into pretty jewelry, so they have intrinsic value. And they have another property which is just irresistable to a megalomaniacal Emperor - you can stamp pictures (of, oh, let's see - the Emperor?) onto them, and those pictures are fairly hard to copy exactly and fairly hard to deface.

Putting his face on metal coinage gives the coins a property very dear to the heart of the all-powerful Emperor: he can control its supply. The laborer can't use just any old pure silver as a coin - he can only use a piece of silver with the Emerpor's very own personal face (and other symbols of authority and value) stamped on it. And the Emperor can strictly control who gets to do the stamping. Now pesky foreign potentates can't get richer than the Emperor, at least on the Emperor's own turf, because only the Emperor can create valuable currency.

Taxation was still necessary with metal coinage, because, while the Emperor could make coins, he couldn't make silver - so he had to have the laborers hand in some of their coins so he could turn around and give them to the people who mined his silver and brought it back to the mint.

Now flash forward another thousand years or so. People were getting pretty flush in Europe, and carrying around big bags of metal coins was starting to be a drag. The bags were heavy, and bandits tended to notice them. Keeping the bags under your pillow at home was no solution, as it attracted unwanted visitors. Storage and transport of money, in short, was starting to cause problems. Enterprising merchants, being enterprising merchants, came up with a solution. German merchants began accepting cash deposits and issuing receipts; these receipts (which were much lighter and less conspicuous than bags of cash) could be used to reclaim the deposited amount of metal coinage - either from the merchant who issued the receipt, or from another cooperating merchant. These merchants quickly started charging for their services; they became bankers, and their receipts became a form of paper currency.

As paper currency established itself, people used it to pay their taxes. It was still necessary for the government to collect actual currency from its citizens, since the currency was tied directly to the commodities the government needed to use to build its roads, feed and equip its armies, and write and enforce its laws.

Things worked pretty much this way for a long time; until, in fact, 1975 - at which time the US Government declared that the value of the dollar would no longer be tied to the price of gold. The dollar thus became a fiat currency, which meant, essentially, that the dollar became valuable "because we say it is" rather than "because you can trade it in for a specific amount of some valuable commodity".

This is where our hero - J.S.G. Boggs - comes in. Recall that we first met Boggs way back when we were talking about Similarity vs. Identity. The question Boggs repeatedly forces us to try to answer is "what is money, and why is it valuable?" Here's Boggs on Boggs, as told to Lawrence Weschler:

"Some of the early American paper bills included engravings on the back depicting the metal coins for which the paper bills could at any moment be redeemed. On the back of the five-dollar silver certificate, put out in 1886, there was a picture of five silver dollars. If you wanted to know what a five-dollar bill represented in those days, all you had to do was look at the picture on the back. But anyway, when they started withdrawing the dollar's metal backing - when you couldn't redeem your dollars for gold and in fact were no longer even allowed to posses gold on your own except as jewelry - that's when they started putting that phrase ("In God We Trust") on the currency. When you could no longer trust in gold, they invited you to trust in God. It was like a Freudian slip." "It's all an act of faith. Nobody knows what a dollar is, what the word means, what holds the thing up, what it stands for. And that's also what my work is about. Look at these things, I try to say. They're beautiful. But what the hell are they? What do they do? How do they do it?"

In a fiat-currency system, value is "Boggsian"; there doesn't have to be any particular amount of fiat currency, because there's no absolute standard of value, because it's all fundamentally an act of faith. The basic idea (the "act of faith") behind the value of fiat currency is that the "total wealth" of a society is in some sense equal to the "total value" of all the currency the society has in circulation. If society's total wealth stays the same but the government prints enough currency to double the money supply, the value of each individual bill is cut in half. And, conversely, if society's total wealth stays the same but the banks all get together and throw a party at which they burn half of the bills in existence (a depressingly plausible scenario given recent events), the value of each of the remaining bills doubles.

Let's look at one sentence of the previous paragraph again: If society's total wealth stays the same but the government prints enough currency to double the money supply, the value of each individual bill is cut in half. Think about that carefully; what it means is that every time the government prints a dollar, it is effectively taking that dollar away from "everyone". A government which can do this doesn't need to collect taxes; it can just print the money it needs, and the appropriate amount of value is subtracted from the money you and I still have - automagically! Aristotle would hate this; it's action at a distance.

It's that simple. Taxation is no longer necessary. It's an artifact of an older time when money was made out of stuff instead of made out of ideas. As soon as enough of us realize this, we can simply close the IRS and H&R Block and the Tax Courts.

Each year, the congress can simply instruct the Bureau of Engraving and Printing to fire up the presses and fund the federal budget. This will do the same thing as collecting taxes, but it will do it in a different way: by driving up inflation. It will be, to coin a phrase, a "Boggs Tax".

Switching to a Boggs Tax would have a lot of good effects:

A Boggs Tax taxes wealth. It does not tax income, or economic activity, or personal behavior - which is good because taxing any of these always discriminates against some groups and in favor of others. Because it can't be sheltered against (see below), it taxes the very wealthy much more heavily than the current system does.
It requires no expense to collect. The government simply prints the money it needs. There is no tax return preparation, no Internal Revenue Service, no audit, and no court proceeding.
There is no way to shelter against a Boggs Tax - every dollar in existence is automatically taxed. Whether a dollar sits in the Cayman Islands, or in the bank, or in a municipal bond, or in a corporate stock certificate, or in a mattress, the tax is applied to that dollar as if by magic. A Boggs Tax taxes dollars held overseas just as effectively as those held at home, it taxes dollars held secretly by criminals just as effectively as those held by honest taxpaying citizens, it taxes the "underground" (cash) economy just as effectively as the official economy, and, as a special bonus, it even taxes counterfeit North Korean $100 superbills just as effectively as red-white-and blue US Bureau of Engraving and Printing honest-to-goodness real $100 bills.
There is only one public-policy argument where before there were two. Today we have to talk about who we will take money from and who we will give it to. Under a Boggs tax, we only have to decide who to give it to - since it's taken from every dollar automatically.

There are a couple of arguments against a Boggs tax; it seems to me that the three most important are these:

While a Boggs Tax is radically more progressive than today's tax code at the top end of the wealth scale, it's much more regressive at the bottom end - it taxes the meagre wealth of the poor at the same rate as it taxes the rich. But there's no real problem here; simple annual subsidies to the poor can relieve their burden, and as a bonus, all government's activities are focused on distributing money (which makes people happy) rather than confiscating it (which makes them angry), so the quality of the average citizen's interactions with government improves.
There is evidence to suggest that high inflation makes economies unstable, so a system which operates by increasing inflation might have bad economic effects. I'm not an economist, and I have no desire to play one on TV, so I'll leave this one, for the most part, to the professionals. But I will observe that we already pay an economic cost for our current tax system; operating the IRS and the tax courts, and requiring every citizen to burn a day (or a week) of productive time or pay an accountant to prepare tax returns is a real cost to the economy. Paying this cost produces nothing of value; it's pure economic friction. My guess is that the inflation incurred by a Boggs Tax would be smaller than the total of tax receipts plus collection friction, so the Boggs Tax would have a net positive effect on productivity.
The third objection is the biggie: using inflation to collect taxes guarantees that the value of a dollar held as an investment decreases over time. This means that the dollar's value as a reserve currency is diminished, and it also means that dollar-denominated investments operate at a disadvantage compared to investments in currencies which do not inflate. Again the details of how this would affect the real economy have to be left to economists, but again there's a counter-argument: if a Boggs Tax makes the economy as a whole more efficient (and I hypothesize that it should), inflation due to causes other than taxation might decline - and the overall rate of inflation might not be extreme compared to other economies. Calculating how much inflation the Boggs Tax would create seems tricky. The CIA World Factbook gives a figure of $2.73 Trillion for the US Federal budget. This is the numerator in the inflation calculation, but the denominator is slipperier. It's not GDP (which according to the same source was $13.84 Trillion dollars in 2007) - because GDP only measures newly created wealth for a year. The denominator also doesn't seem to be M2 (the total money supply of the nation, which according to Wikipedia was about $7 Trillion in 2005). The correct denominator is something like "total dollar-denominated wealth in the world"; I can't find a statistical source for this, but it's evidently quite big; according to Wikipedia again, the total wealth of US households and nonprofit organizations (which doesn't count corporate wealth or dollar-denominated assets held overseas) was about $60 Trillion in 2007. If we're very conservative and simply double the US personal wealth number to $120 Trillion, this gives us a figure of about 4% annual inflation for using a Boggs Tax to fund the current US Federal budget - not trivial, but not crippling either.

I don't imagine the administration we elect today will switch the US to a Boggs Tax, at least not in its first term. But I do think a Boggs Tax is coming; traditional taxation is just too twentieth-century to survive in an information economy.

The Last Polaroid

2008-10-16T00:51:00.002-05:00

Photographers today like to call their pictures "images". But when I was a kid, photographs weren't "images". "Images", to quote Abraham, are formless and void. When I was a kid, photographs had very specific forms. When I was a kid, photographs were things.

School photos came in little blue cardboard frames. Slides came in much smaller frames; Kodachromes were the best slides, and they came in tiny, square paper frames with rounded corners and a Kodak logo on the front, with the frame number and date stamped in ink on each one. And Polaroids - ah, Polaroids.

Polaroids came with a gray backing, a white frame, and a slight curl. And they came right away.

You pulled them out of the camera, watched your second hand count to 45, peeled the picture off the backing paper (dont't touch that! It's coated with caustic goo!), smeared the slimy (and slightly mysterious) pink wand across the picture, and there you were - a fully developed photograph in less than a minute. Later - when I was about 10 - Polaroid invented integral film; it didn't even need to be peeled apart, and you could watch the picture emerge like a magic trick from a plain white rectangle of plastic. And it still took less than a minute!

A minute seems like forever to kids who grew up using digital cameras, but to us a minute was a miracle.

Here's what we were used to: buy a roll of film. Shoot for about a week (really! It took us a week to find 24 things worth photographing! Today's DSLR users shoot that many pictures in six seconds!). Unload the film and put it in a mailing envelope addressed to Kodak in Rochester, New York. Drop the envelope in a mailbox. Spend another week checking mail every day to see if the pictures are back yet. Finally!!! Rip open the red-and-yellow return envelope and take out our twenty-four little things.

The weeks of suspense died with Polaroid - but not the excitement. The excitement of Polaroid - for my generation anyway - has never died. But Polaroid itself is dying now.

Polaroid instant film was introduced in the late 50s, and integral Polaroid film (no peeling apart) came on the scene in the early 70s. All Polaroid instant film production is being discontinued this year (though Polaroid will continue to market a very limited selection of instant films produced by Fuji, at least for a while).

My generation's relationship with Polaroid instant film is unique; we were the kids in the Polaroid pictures; when you see a Polaroid of a child, it's one of us. Not coincidentally, I think we may also be the last generation for whom photographs are things and not just "images".

I went back to see my generation this summer at my 30th high school reunion. I heard the news that Polaroid was going to stop making instant film as I was planning my trip. It occurred to me that I had a decent supply of 4x5 Polaroid Type 56 film in my closet waiting for a project, so I cleaned up my 4x5 camera and put it in the car before I hit the road and headed for Bryan High School.

I told my classmates at the beginning of the reunion dinner that Polaroid was going away, and that I'd be happy to give each of them the last Polaroid they were likely to have of themselves.

A lot of people took me up on the offer. I took 70 pictures in about two and a half hours; each one took about a minute to shoot and develop, and I rephotographed each one with a digital camera on a copystand. It was a great experience; I probably talked to more of my classmates than anyone else at the reunion, and the classmates I photographed seemed to be having a great time with the process. A lot of them liked the pictures, and I did too.

For me, one of the most interesting parts of the experience was that people really did get unique, one-of-a-kind things. My digital copies are different from the originals for several reasons; the copystand legs cast shadows on the pictures because I used room lighting instead of copy lighting. I had to use a glass plate to hold the curly polaroids flat, and over the course of the evening the plate developed a film of crud from the surfaces of the pictures, and from my fingerprints.

It's a great irony that digital technology, with its ability to generate perfect copies, left me with imperfect shadows of the unique, original artifacts my subjects took home with them. I love that.

I loved the process too, and the subjects. The Bryan High School class of 1978 are the people I grew up with, and who, to a large extent, made me who I am. It was wonderful to see them again, and to be able to give them something unique as a memento of our getting together in 2008. I'd like to think you can see a little bit of what makes them so special in the pictures. I call the project "The Last Polaroid"; you can see the digital copies of the Polaroid originals here.

A Simple Question for Congress

2008-09-26T22:53:00.004-05:00

Last time I checked, I live in a capitalist country.

In capitalist countries, when I spend money to buy part of a bank, what I get in return is shares in the bank.

Congress wants to spend $700 Billion of taxpayer money to buy some banks.

They say there's going to be a profit involved, which is why it's OK to use my money.

By my calculations, $700 Billion dollars divided by 350 Million people is $2,000 for each US citizen - including me.

So what I want to know is: how many shares of these banks am I buying for my $2,000?

And when is Congress going to send me my stock certificates?

(photo by missbeckles)

Round Up the Usual Suspects

2008-07-18T13:23:00.016-05:00

As a birthday present to me, the FBI's Terrorist Watch List database added its one millionth entry this week, according to the ACLU's estimate.

I've been waiting for this event, because the one millionth entry gives us a nice round number to do the calculations which demonstrate that the terrorist watch list is as close to completely useless as it's possible for a manmade artifact to get. (Note that the database doesn't actually contain a million identities; it's got a million records representing - at a guess - about 400,000 distinct individuals. But since it's my birthday we're gonna pretend that there are a million identities, in order to make all the math turn out nice and pretty.)

Let's assume that we know the names of 1,000 terrorists, and that there are another 9,000 people with terrorist intent whose names we don't know.

According to the Department of Commerce, about 46 million international travellers visited the United States in 2004; the number seems to be holding pretty steady at about 4 million visitors a month. For ease of calculation we'll round this up very slightly to 50 million a year.

When you add this to more than 25 million Americans travelling abroad each year (it's really more than that; 25 million is just for the summer), you've got in excess of 75 million people crossing the borders in a year.

Not a lot of them are terrorists; let's say we get 500 terrorists a year trying to get into the country, and that of these 500, 10% (50) are known bad guys and 450 are new recruits who we don't yet know are bad guys.

So to sum up, each year we expect to have:

1,000 known terrorists
9,000 unknown terrorists
10,000 total terrorists
1,000,000 watch list entries
at least 1,000 and no more than 10,000 actual terrorists on the watch list
at least 990,000 non-terrorists on the watch list
75,000,000 total border crossers
500 terrorist border crossers
50 known terrorist border crossers
450 unknown terrorist border crossers
74,999,500 total non-terrorist border crossers

IMPORTANT NOTE: If you don't like my numbers, I invite you to plug your own numbers into the calculations below. For any plausible set of numbers, the conclusion will remain the same. If you prefer an implausible set of numbers, there are lots of conspiracy theory blogs which will probably make you a happier person than you'll be if you keep reading here - or you could wait a week or two and catch the opening of "The X-Files: I Want To Believe".

Let's assume that all variables are independent and random, and let's assume that there's never any error in matching a person against a name on the watch list. There are six cases of interest at a border crossing:

Non-terrorist is checked and does not match an entry on the list. Since there are 990,000 non-terrorists on the watch list, there are (74,999,500) - (990,000) = 74,009,500 non-terrorists who are not on the watch list, and this event happens in (74,009,500) / (75,000,000) = 98.7 percent of the cases.
Non-terrorist is checked and matches an entry on the list. Since there are 990,000 non-terrorists on the list, this event happens in (990,000) / (75,000,000) = 1.3 percent of the cases.
Known terrorist is checked and does not match an entry on the list. We don't make matching mistakes, so this event doesn't ever happen.
Known terrorist is checked and matches an entry on the list. This happens every time a known bad guy tries to enter the country. On the other hand, only 500 bad guys enter the country, and only 50 of them are known bad guys, so this event happens (50) / (75,000,000) = .00007 percent of the cases.
Unknown terrorist is checked and matches an entry on the list. Since this guy is an unknown terrorist, the probability that his name is on the list is the same as the probability that an innocent civilian's name is on the list. That probability is 1 in 75 (1,000,000 names on the list; 75,000,000 total travellers). There are 450 unknown terrorists crossing the border, so (450) / (75) = 6 of their names are on the list. So this event happens in (6) / (75,000,000) = 0.000008 percent of the cases
Unknown terrorist is checked and does not match an entry on the list. 444 unknown terrorists who try to cross the border aren't on the list, so this happens in (444) / (75,000,000) = 0.0006 percent of the cases

Now let's have a look at the results in rank order.

Outcome	Occurrences
Innocent non-match	74,009,500
Innocent match	990,000
Unknown terrorist non-match	444
Known terrorist match	50
Unknown terrorist match	6
Known terrorist non-match	0

We match (50 + 6) / (444 + 50 + 6) = 11.2% of terrorists using this scheme.

Of the people matched, (50 + 6) / (990,000 + 50 + 6) = 0.006% are terrorists. Put another way, 99.994% of all people matched are innocent.

It's bad enough that we're letting 90% of the terrorists cross our border without additional checks, and that we're putting 990,000 innocent people through unecessary additional checks.

What's worse is that we're probably arresting some of those 990,000 innocent people because they matched the list and "seem suspicious" (ask Brandon Mayfield about this!)

What's even worse than this is that we're training the people who operate the system to ignore the real terrorist matches when they happen. 9999 out of every 10,000 matches is a false match. After the first 5,000 or so false matches, normal humans start to assume that every match is a false match (this is called "habituation", or "the fallacy of induction"). When that one true match (a real terrorist) sets off the alarm, the operator's natural tendency is just to turn the alarm off and wave the guy through.

But what's worst of all is that this system is trivially easy for even the dumbest terrorist to circumvent. It doesn't take a genius to figure out that the thing to do to defeat this system is stop sending known terrorists through it. Catching a new recruit without a terrorist history happens only by accident, and it happens with very low probability.

We're spending God knows how many millions of dollars on this list, and it cannot possibly do the job for which it's intended. We could "fix" the system to the extent that we provide a way to take innocent people off it, but it will always be the case that the huge majority of people checked against the list are innocent. As long as this is the case, the base rate fallacy will make the system essentially worthless for catching bad guys. And this is even if the bad guys are dumb enough to enter the country at controlled border crossings and send known terrorists using papers issued under their real names.

I realize that it's bureaucratically impossible to dismantle a large government system which has been publicly criticized, so in a helpful and public-spirited gesture I'll offer the following alternative suggestion:

Put everybody on the list.

It's cheap, it's fast, it's inevitable eventually anyway as long as the list continues to grow at its current rate, and it makes checking people against the list really easy (you can do it even without a computer!).

After you've put everybody on the list, implement something that might actually work as your secondary screening process.

Bruce blogged about the absurdity of the watch list here.

The New Studio

2008-01-27T00:29:00.000-06:00

I have a bet with a colleague. It's a very serious bet with the highest possible stakes (No, silly, not our immortal souls. A bottle of good Scotch).

My colleague thinks that either movies or music will still be sold with Digital Rights Management in 2012. I, on the other hand, know DRM will be long gone by then. It should be gone now, because it doesn't work. But that's not why it will be gone. It will be gone because it's bad for business.

DRM is bad for business for lots of reasons, but the most important reason is very, very simple.

All products generate sales by exposing people to the product. People who are exposed to the product and don't like it aren't potential customers; they'll never pay. The people who like the product after they're exposed to it are potential customers; they're the addressable opportunity - the "fan base". The people who like the product and decide to buy it are the paying customers. The trick in business is to maximize the number of paying customers.

The first step in the DRM business model is this:

Shrink the fan base by making it impossible for potential fans to try the product.

Any business model that starts this way will be destroyed by a business model that increases the size of the fan base.

The music industry has figured this out, and DRM for music is already dead. Every major label now sells DRM-free music, and Radiohead has proved pretty conclusively that people will pay good money, voluntarily, if you put good music up on the Web with no restrictions. Not only that, they'll pay a premium for limited-edition collector's sets, and they'll still buy shipping containers full of your CDs - and your brand new vinyl LPs.

It's amazing that it took Steve Jobs to teach the music business that DRM was a bad bet; after all, record label executives are the same people who used to bribe DJs to give music away free on the radio. But two cheers to the labels anyway; freeing music will result in more music and better music; it may even allow artists to keep some of the money they are currently turning over to agents, managers, and label executives. (well, ok, probably not. But we can always hope.)

Hollywood is lagging behind the music business; Hollywood still hasn't admitted that the DRM business model is a guaranteed loser. There's a reason Hollywood hasn't admitted this: the stakes are too high. As Upton Sinclair famously put it, "It is difficult to get a man to understand something when his salary depends on his not understanding it".

Hollywood isn't run by people who watch movies or who make movies. It's run by people who fund movies. The purpose of a modern movie studio is not to make movies. It's to make money. A lot of money. Not for directors or actors or writers (especially not for writers!), but for studio executives and producers. Whether the movies are good is a minor concern. The major concern is whether the revenues are good.

At this point I want to make it clear that I am a capitalist, and I'm completely behind the idea of businesses making a profit. The problem I have with the Hollywood studios is that their business model is increasingly driving them to try to make more money by making the product worse. This is bad for the audience, of course, because it means we have to watch a lot of awful movies. But in the long run it's also bad for the studios, because it means that someone is going to come along and put them out of business by making a better product for less money (Clayton Christensen explained how this phenomenon kills successful companies in his book "The Innovator's Dilemma". If you're a studio executive, read the book. Now, before it's too late. If you're too busy to read the book, you can just read the Wikipedia entry.)

Movies are hugely expensive today. Paying movie stars is very expensive; exotic locations are very expensive; special effects are very expensive; unionized crew and soundstages are very expensive; and distribution and advertising are insanely expensive. If you believe Wikipedia, the average cost to produce a Hollywood feature is now about $50 million; the cost of advertising and distribution drives the total to $100 millon.

This is a big problem for the studios. If you're spending $100 million, you can't afford a failure. You've got to make the $100 mil back just to break even.

You might think people who are putting $100 million into a movie and who can't afford a failure would make damn sure the movie was great.

You'd be wrong.

You can't make a great enough movie to guarantee $100 million dollars in ticket sales; almost no stories are that good, and almost no movies are that good. Even movies which are that good won't necessarily make $100 million - maybe they'll just win a lot of Oscars and change the way a generation thinks about the world - and leave you famous and $80 million in debt.

Studio executives are smart businesspeople. They know they can't make a good enough movie to earn a profit on a $100 investment. So instead do the only thing they can. They make movies which will sell more than $100 million worth of tickets even if they suck.

They do this by appealing to their audience the same way the Roman emperors appealed to their audience: bread and circuses. Brad Pitt all oiled up in leather armor? You got it. Bruce Willis crashing a car into a helicopter? No problem. Halle Berry giving a blowjob? Absolutely. You want the good guys to win? We can do that. Want the guy to get the girl? Why the hell not?

This stuff is mesmerizing in the previews. But once the audience gets into the theater, the game's up. The audience figures out very quickly that they've been tricked. The story makes no sense. The special effects are just a gimmick to distract us from the boredom of the action. The sex isn't as good as what we can get free on the Internet. The characters are two-dimensional robots; we hope in vain that they'll die.

By the time the audience is in the theater, though, it's too late - the studio has won. All the studio needs is four days. Opening weekend. The studio makes its money before the audience realizes the movie sucks, and before they can tell their friends. The chumps who wander into the theater a week later, or watch the movie in foreign markets, or buy the DVD, are gravy.

Theater owners and distributors love this. Zillion-dollar blockbusters with lots of sex and blood and explosions and huge advertising budgets keep the seats filled, and the money keeps pouring in.

The dark side of all this, of course, is that there are no theater seats left for good movies - especially good movies with small advertising budgets. Even if you save your pennies and make a very good movie for $1 million, you still have to pay $40 million in advertising and distribution to compete with the people who make bad $100 million movies.

Actors and directors know this, and they do things to try to sneak the occasional good film into the theaters. George Clooney makes movies that suck (Ocean's Twelve) to earn enough money to advertise movies that don't (Good Night and Good Luck). Robert Redford runs a festival whose whole purpose is to convince distributors that good movies have a big enough audience to fill a few of their valuable seats for a week or two.

All this explains why DRM makes sense to movie studios; the single most important thing a studio has to do is to make sure nobody sees the movie before opening weekend. Because if anybody sees it early and starts telling people it's no good, the whole house of cards collapses, and everybody loses giant piles of cash. If DRM can allow studios to send the movie to reviewers and Oscar voters without taking a chance that a copy will get loose and screw up the release - well, bring it on! If it can protect dailies and rough cuts and test screening copies from escaping into the wild - hallelujah! This is the most important reason studios use DRM; preventing DVD piracy is nice, but a tax on recordable DVDs would do that job just as well, and a tax on DVD drives or computers would solve any problem the studios might have with P2P sharing.

The elephant in the room is this: Seats don't watch movies. Peoples' eyes do. And movie fans can use their eyes even if they're not in a scarce and expensive movie seat.

If you can make a good movie really cheap, the Internet will let you distribute it free to many more people than you could ever get into all the movie theaters in the world for a weekend. And if you can make a good movie really cheap, you don't need to get paid very much to make a profit.

This means you can take a chance the Hollywood studios can't take. If you can make a movie really cheap, and distribute it for free, you can afford a flop. If people don't like the movie, you're out a few bucks but you don't have to sell ten thousand pounds of crystal meth to pay your creditors. But if people really love it, you can make a lot of money. And you can make money lots of ways - you can charge for downloads, you can charge for DVDs, you can charge for posters, you can charge for action figures. You can even charge distributors to show your movie in a real theater, because you've already proved that there's an audience.

Wanna know a secret?

You can make a good movie really cheap.

Just ask Robert Rodriguez. (And he did it back when it was still pretty hard; you're much better off. You can buy your own HD camcorder for less than $1,000. Not chicken feed, but not close to $100 million. You'll need a good script and good actors, of course, but hey - nobody promised you a rose garden.)

The Hollywood studios know this.

It frightens them.

It should.

Someone's going to come along and create a New Studio. It's going to have a new business model that lets creative people make a decent living making good, cheap movies. It's going to trust its audience to pay for quality films. It's going to grow its fan base by distributing entire movies on the Internet with no DRM, just as Radiohead distributed music on the Internet with no DRM. And if the old Hollywood studios try to compete against it with DRM-encumbered movies that shrink their fan base while the New Studio grows its fan base, the Hollywood studios are going to die.

Mike Masnick at Techdirt has already explained the theory of how to make money selling free goods. I won't try to summarize Mike's Grand Unified Theory of the Economics of Free because I want you to read the real thing. But I do want to agree publicly with what I think is his most important point:

"Saying you can't compete with free is the same as saying you can't compete period."

I'm going to try to apply Mike's theory to the movie industry by posting a business plan for the New Studio. I'll do it in chapters. I hope you like it. I hope you use it. I'm waiting to see your movies.

Maybe you don't believe it can be done; fair enough. But if you don't think you can compete and make money by selling people things they could get for free, I want to ask you one question.

When was the last time you bought a bottle of water?

What rough beast, its hour come round at last.... ?

2008-01-26T21:34:00.000-06:00

Online retailer Life is good has entered into a consent decree with the US Federal Trade Commission to settle claims that its assurances of privacy protection to consumers were false. Davis, Wright, Tremaine LLP's excellent Privacy and Security Law blog has coverage of the decree here.

Corporate counsel and Chief Information Security Officers need to pay very close attention to this decree; it lays the groundwork for a standard of due care in the protection of consumers' private information. In my opinion this is, to use Churchill's famous phrase, "the end of the beginning" for information security and privacy as a liability-free zone.

Bruce Schneier, who has just been selected to receive CPSR's Norbert Wiener award, has long advocated liability as a step toward better computer security.

Whether you agree with Bruce or disagree with him, the FTC's action means that you now must acknowledge, and start to plan for, the possibility of liability for your security failures. You must also begin to prepare for the imposition of legally mandated minimum standards on your security programs, at least if those programs protect private information.

As Ronald London, who posted the Privacy and Security Law blog's entry on the Life is good consent decree, so mildly puts it, "The FTC's announcement of the consent decree provides an opportunity for all companies that collect sensitive personal information, and that publicly make promises about how they safeguard that data, to re-evaluate their data security programs".

A word, to the wise, is sufficient.

Reed's Jazz and Supper Club: Hail and Farewell

2007-12-29T12:15:00.000-06:00

Christmas is a mean season in the restaurant business; it's when the landlords raise the rent.

Reed's closed two weeks ago, on a Tuesday. On the Monday I was at the bar, talking to the friends I've made there over the years, and enjoying a perfect Imperia Vodka martini (up, dry, shaken, with a twist. As it should be.) The next afternoon there was a little sign on the door with the bad news. I saw the whole show; I was at the soft opening the day before Reed (yes, Virginia, there is a Reed) opened the club to the public; I had a drink at the bar on the last night, and I spent many happy afternoons there in between.

Reed's was special in lots of ways. The food was great, the staff was great, the location was great, and the decor was great. But there are other places with those advantages; three things about Reed's really made it stand out for me.

First was the music. Reed's was, as its name advertised, a Jazz club. They're rare everywhere these days, but especially so in Texas. There's only one other good Jazz club in Austin; it's called the Elephant Room. The music at the Elephant Room is first-class, but the club is impractically far away from my house - and there's another thing, too.

A great Jazz club is special because of the music, but also because of the crowd. The crowd can dance, to start with. The crowd tends to drink martinis, and wouldn't dream of ordering a Jagerbomb. The crowd is, to put it bluntly, a little older than the average bar crowd. The crowd has fewer tattoos than the usual bar crowd, but the ones it does have come with interesting stories. Most everyone in the crowd, in fact, comes with an interesting story or two.

And that was the second really special thing about Reed's: it made people tell their stories. The bar was what did the trick. It wasn't a long, straight wooden bar like the ones you'll find at a thousand faux Irish pubs all over the world (and at the real Irish pubs - the ones in Ireland - too). Reed's bar was an enormous stone bar, built like a ratcheted gear. It curved all the way around the ground floor - the bartenders inside a continuous, smooth, concave curve and the customers outside on stools around a series of curved sections like shark's fins laid on their sides one after another.

You couldn't sit side-by-your-neighbor's-side staring sorrowfully into your drink at Reed's bar. The curve and the notches made you look at your fellow man; the martinis helped you get over your shyness and talk to him, and the jazz gave you something to start the conversation with. Strangers talked to each other all the time, and if they kept coming back (which a lot of them did) they became friends.

The third thing that made Reed's special was the light. In the afternoons the sun poured in through the frosted windows and filled the whole place with warm gold light. The lamps - inverted cones hanging from the ceiling above the bar - showered pools of the same gold light onto the drinks and the customers. And the mirrors behind the bar picked up all of this gold and threw it out into the dining room.

The light begged to be photographed. I took thousands of pictures at Reed's. Some of them ended up on the CD covers of the bands who played there; others hung on the walls in the dining room in big 20x24 editions, and still others filled a 2006 calendar I made for the staff and the regular customers. The ones I'm proudest of are hanging in 8x10 frames on the walls of the mothers of the bartenders and waitressess and hostesses.

From time to time I'd ask permission to post a particularly good one on flickr; you can see a slideshow of them here.

The Buddha taught me that the cause of my suffering is attachment to things that change - so I won't mourn the passing of Reed's Jazz and Supper Club. But I will remember. Thanks, Reed, for the memories.

The 2007 CECI Award

2007-11-11T21:08:00.000-06:00

It's time once again for the event the whole blogosphere awaits with breathless anticipation - the presentation of the annual CECI award!

Once again this year the judges (me) have sifted through the year's dross and spent Guy Fawkes' Day mulling over who's made the greatest contribution to clear thinking about identity, privacy, security, and risk.

As I made my decision I've had a few things on my mind. I've had in mind, for example, why the principal deputy director of National Intelligence thinks we need to change our definition of privacy. The short answer is that the current definition is very inconvenient to the government. How inconvenient? Well, for one thing, it prevents them from spying on all of us without a good reason.

Since we haven't changed the definition of privacy yet, the US Government is being forced to go to all the embarrassment and expense of arguing (in public! how undignified!) in United States v. Warshak that you and I have no expectation of privacy in email communications because we've signed an agreement with our ISP to let them examine our emails under certain circumstances.

(Side note: is anyone but me thinking "Wait! The fourth amendment doesn't say anything about expectations of privacy! It just says that there won't be unreasonable searches and seizures, and there will be warrants based on probable cause supported by oath or affirmation, and particularly describing the persons or things to be seized"?)

The definition of "privacy" which deputy director Donald Kerr would like us to adopt, in deference to the government's needs, is that "government and businesses properly safeguard people's private communications and financial information."

What does he mean by "properly safeguards"? Probably something like this: that the government and the supermarket will only arrest you, send you to Guantanamo, and deny you access to legal counsel if the FBI thinks your falafel purchases are suspicious; if you eat only a patriotic American quantity of Falafel, you have nothing to fear.

And I've been thinking about why so few people agree with Mark Klein that all this is a problem.

Which brings me to our winner.

The 2007 Ceci Award goes to Andrew Napolitano, former New Jersey Superior Court Judge and current Fox News analyst (I know, I know, but stay with me for a minute), for his most recent (2007) book "A Nation Of Sheep".

Napolitano's basic argument in "A Nation Of Sheep" is this:

The Natural Rights theory says that our fundamental rights come from God and still exist even when they aren't enforced or even respected by the government.
This theory is necessary as a defense against government encroachment, because government does not actually acknowledge any power higher than itself...
(even when it says stuff like "We hold these truths to be self-evident, that all men are created equal, that they are endowed by their Creator with certain unalienable Rights, that among these are Life, Liberty and the pursuit of Happiness. That to secure these rights, Governments are instituted among Men, deriving their just powers from the consent of the governed")
...but while it is willing to coerce the governed to permit the usurpation of their rights it is embarrassed to say in public that it does not believe in God's supremacy - so attributing rights to God is the only way to make the government acknowledge their legitimacy.
Even attributing rights to God doesn't do us any good if we don't confront government whenever it tries to usurp the rights God gave to us.
But most of us are sheep, and won't confront the government...
Therefore it falls to a few wolves to prevent all of us from falling into slavery.

He's right. Read the book. If, after reading the book, you're feeling sheepish, consider the example of Mark Klein and ask yourself if you've seen any of your natural rights being confiscated lately. If so, ask yourself what you've done about it.

Congratulations to Judge Napolitano on his award. As usual, an acceptance speech in the comments is not required, but would be most welcome.

Turn Off Your Flash

2007-11-01T22:02:00.000-05:00

You're at a party. Or maybe walking on the beach at sunset. Your eye is attracted to a scene. You take out your camera and look through the viewfinder (or at the LCD). You adjust the framing, and, trembling with excitement, you push the shutter button.

You examine the results.

They suck.

What happened?

I'll tell you what happened: your flash spoiled the shot.

What you saw was interesting. What the camera saw was ordinary. The difference was the light. You saw beautiful, interesting, colorful ambient light coming from an interesting direction.

Your camera saw 5500-degrees-kelvin daylight-colored strobe light beamed straight from your eyeball to the subject.

Now stop for a moment and consider a question: if you looked at the scene and liked the light you saw, why did you change it?

So stop changing it.

Look at the picture above. It's a picture of my friend Andre. I took it last week in a shot bar called Chupito's in Barcelona (if you're in Barcelona, go there. You'll like it). Chupito's is very dark. The blue color on Andre's (white) shirt is fluorescence induced by a UV tube illuminating the drink menu on one wall. The red color on Andre's face comes from a very dim incandescent bulb about a foot away from the two of us.

If I'd used flash, It would have lit Andre evenly (so I would have lost the contrast between the shadow on the right side of his face and the brightness of his shirt on the same side) and the flash would have overwhelmed the the red and blue colors of the dim lights. The result would have been a much less interesting picture - a picture which would have looked a little like the one I took of Andre earlier this year in a boring hotel corridor at a different event: This isn't a bad picture, but it's not nearly as interesting as the one from Chupito's. One reason the Chupito's picture is more interesting is that the color of the light is more interesting. If you use flash, your pictures will all be taken in daylight-colored light. But the color of the light isn't the only important thing about the Chupito's picture. The shadows are important too. If you use flash, your pictures will all be lit from your position - that is, they'll all be front-lit, and they won't have very interesting shadows.

Here's another picture; it's a picture of my colleague Mike, and it's front-lit: Again, it's not a bad picture, but it's got no interesting shadows. I have another picture of Mike (taken in a different bar in Barcelona) which is much better, because it's lit more interestingly. Here it is: If I'd taken this picture with a flash, there would be no shadow on the left side of Mike's face (on the right in the picture), and the picture would be much weaker.

The moral of this little story is: if you see light you like, turn off your flash. If you turn off your flash, you might need a fast lens on your DSLR, or a tripod for your point-and-shoot, but your pictures will be much better.

(Full disclosure: if you really learn how to use flash, you can get great results. Joe McNally has really learned how to use flash. He uses lots of flashes, most of them off-camera, triggered by wireless remotes, and some of them filtered to provide interesting colors of light. If you want to really learn how to use flash, instead of just turning it off, a great place to start is strobist. And if you ever get a chance to take one of Joe McNally's workshops, do it. He's a great photographer, a great teacher, and a great storyteller.)

Family Matters

2007-11-01T21:40:00.000-05:00

I've been doing most of my blogging here and here for the last few months. In the meantime, my sister has started a stamping blog, and my daughter, a digital native, has started to write about what identity means to the next generation (among other subjects). Upcoming posts here will include:

Turn Off Your Flash
What Is Privacy, Really?
Fear and the Bigger Haystack
Privacy, Tolerance, and a Free Society
The Boggs Tax

Outsourcing Terrorism to the Victims

2007-02-01T14:51:00.001-06:00

Osama bin Laden can retire now; he's worked himself out of a job. We don't need actual attacks to keep us in a state of terror anymore. All we need is Lite-Brite pictures of cartoon characters.

Yesterday, Boston was paralyzed by a terror alert arising from a Cartoon Network guerilla advertising campaign gone wrong. If you believe the Boston Herald, the Boston Police Department spent a million dollars on the incident, and it probably created much larger costs by tying up the city's roads and bridges all day. Those expenses may be only the beginning - Boston will spend an enormous amount of money on lawyers if the city follows through on its promise to throw the book at Turner Broadcasting and at the two artists who created the campaign.

Federal, state, county, and city officials have all been quoted emphasizing the seriousness of the situation. Tom Menino, Boston's mayor, explicitly tied it all back to 9/11, saying "It is outrageous, in a post 9/11 world, that a company would use this irresponsible marketing scheme".

Menino suggests an interesting and important question: what, exactly, is "irresponsible" in this post-9/11 age?

The attitude of terror - that everything unfamiliar is dangerous, and that any time you see something that's not completely familiar, you should stop what you're doing, panic, and run and hide - is not responsible. Osama bin Laden wants you to assume the attitude of terror. He wants you to freak out and call the police every time you see a little pile of white powder, even though the probability is zero that it's anything more dangerous than sugar, salt, or coffee creamer.

The attitude of helplessness - that the world is so dangerous there's nothing you can do to protect yourself except to surrender your judgment, your rights, and your defense to government experts - is also not responsible. George W. Bush wants you to assume the attitude of helplessness. He wants you to leave the war on terror to him, after you let him suspend habeas corpus, the accused's right to counsel, and the requirement for judicial warrants to authorize wiretaps.

These attitudes are irresponsible, because if we adopt them, our fears drive us to attack ourselves. We spend money responding to imaginary threats. We lock ourselves in our homes and suspect everyone and everything. We turn toys into weapons, strangers into enemies, and jokes into crimes. We put cameras in every room and policemen on every corner. When we've done all these things, the terrorists don't need bombs, airplanes, and anthrax anymore; they've outsourced terrorism to the victims, and we'll finish the job ourselves.

If we don't want to become bin Laden's subcontractors, what is responsible? Simple: thinking clearly - thinking for yourself - about risks and precautions is responsible. As I've already noted, Sam Hughes explained it best.

If Boston takes millions of dollars of public money which could be used to investigate and prosecute real terrorist threats, and spends those millions instead on persecuting a couple of cartoon marketers who have (possibly completely accidentally) embarrassed the Boston Police, that won't be responsible. And it won't be popular, either. Enough Americans can still tell the difference between real enemies and phantoms. Some folks who recognize a phantom when they see one are already selling the t-shirt.

Update: Bruce has an excellent entry on this too.

The Dumbest Advice Yet on Iraq

2007-01-23T21:54:00.000-06:00

Did James Webb really say this tonight???

"As I look at Iraq, I recall the words of former general and soon-to-be President Dwight Eisenhower during the dark days of the Korean War, which had fallen into a bloody stalemate. "When comes the end?" asked the General who had commanded our forces in Europe during World War Two. And as soon as he became President, he brought the Korean War to an end. These Presidents took the right kind of action, for the benefit of the American people and for the health of our relations around the world. Tonight we are calling on this President to take similar action... "

When comes the end? Not yet! Has Webb noticed that Eisenhower's action stationed tens of thousands of American troops in Korea for (as of the current date) MORE THAN FIFTY YEARS, at the end of which the stalemate has not resolved but rather hardened to the point where we now face a dictator threatening us with nuclear weapons??? Is this an experience we want to REPEAT?

Could Webb have chosen any better example to SUPPORT President Bush's claim that leaving Iraq would leave us with a "nightmare scenario"?

Five Things

2006-12-21T13:38:00.000-06:00

Pam "tagged" me with a challenge to post 5 things you might not know about me and "pass it on". OK...

Stirred. Not shaken.
I have an IMDB entry. How weird is that? Surely the Oscar is just a matter of time.
Although some (tiny, ridiculous) dogs seem to have found their way into my house via some other family members, my own personal pets are more highly evolved. They are, in fact, cats. Balinese.
I still use film. In fact, I still develop it in the sink!
I was the last PhD graduate of the University of Michigan's late, great Computer and Communications Science department. (John Holland was the first.)

Now for the hard part: Avery, Marcus, Lori, Adam, and Al: Tag, you're it!

Your mission, should you choose to accept it, is to tell us five things we wouldn't otherwise know about yourself, and then accelerate this little pyramid scheme's consumption of Internet bandwidth and server storage by tagging five people whose oddities or secrets you'd like to know.

Happy Holidays to all!

The 2006 CECI Award

2006-11-06T10:36:00.000-06:00

Ladies and Gentlemen, follow the red carpet for a very special treat: the presentation of the first annual CECI Award for clear thinking about security, privacy, identity, and risk.

The nomination and selection process is, like that for the Nobel prizes, mysterious - so don't ask. Nominees who fall short are not humiliated by having their unsuccessful candidacies announced and discussed.

The award is simply bestowed, here, by me, in a suitably magisterial fashion, with appropriate fanfare, pomp, and circumstance (and a little gold picture of Magritte's notapipe).

The 2006 CECI Award goes to David Murakami Wood and a large cast of co-authors, expert contributors, and reviewers for the publication of "A Report on the Surveillance Society". This report was prepared for the Information Commissioner of the United Kingdom. It is in the opinion of the CECI Award selection committee (me) the best government report of the Millenium to date, and it sets a standard which is unlikely to be excelled often in the remaining 994 years.

The report's scope is breathtaking, but its focus is intense. Its language is clear, direct, and even elegant. Its importance cannot be overstated. To select a representative quote seems almost a disfigurement; the thing should be taken as a whole. Still, as an advertisement for what you absolutely must read - and I am in no way kidding or exaggerating here - I offer you the very first paragraph:

"We live in a surveillance society. It is pointless to talk about surveillance society in the future tense. In all the rich countries of the world everyday life is suffused with surveillance encounters, not merely from dawn to dusk but 24/7. Some encounters obtrude into the routine, like when we get a ticket for running a red light when no one was around but the camera. But the majority are now just part of the fabric of daily life. Unremarkable."

I will have a lot to say on topics this report addresses in the coming months, but I am not likely to improve on any topic it addresses directly. I invite you to read it. Your children's lives will be profoundly affected by how well you understand the issues it raises, and by what you choose to do based on your understanding.

Congratulations to the recipients. An acceptance speech in the comments is not required, but would be most welcome.

In the Crosshairs

2006-11-03T14:02:00.001-06:00

Ars Technica has just published this story about a system you'll want to check out. You'll want to, but you won't really be able to.

The system is designed to collect large amounts of personally identifiable information about every person entering or leaving the United States for the purpose of assigning each individual a "risk assessment" rating. It will be implemented and operated by US Customs and Border Protection, a unit of the Department of Homeland Security.

If you travel a lot, the system will pretty quickly contain your name, address, telephone number, email address, frequent-flyer numbers, travel itineraries, and other information. It would surprise me if it didn't eventually include some credit card information.

The most surreal aspect of the system is its name: THE AUTOMATED TARGETING SYSTEM. Whoever approved that moniker obviously doesn't work in public relations. But in fact Customs and Border Protection clearly isn't too concerned with public relations. While your AUTOMATED TARGETING SYSTEM record can be accessed by courts, government officials at all levels including international, law enforcement, congressional offices, contractors, researchers, the Department of Justice, the National Archives, and intelligence agencies, it's not subject to the protections of the United States Privacy Act, and you can't access it yourself for purposes of reviewing the record's accuracy and correcting errors.

If you're worried about the privacy implications of this, well, you'll probably have lots of company. But don't let your privacy worries distract you so much that you don't worry about another important problem: the accuracy of the "risk assessment" which will be performed using your data.

Since the risk assessment criteria haven't been published, it's not easy to analyze any weaknesses that might exist. But it's not hard to predict that these weaknesses will be profound. Here's a fairly simple question I'd ask if I were assessing the system:

What risk rating would the system have assigned to Timothy McVeigh? Mohammed Atta? Omar Abdel Rahman? Brandon Mayfield? Hugo Chavez? Pope Benedict XVI? Aldrich Ames? John Walker Lindh?

I'm also interested to know whether a "high" risk rating will be considered sufficient justification for initiating an investigation of a US citizen or resident alien, and if so, what due process will be granted to the individual who is investigated.

This type of system (a large-scale system constructed in secret to solve a poorly understood but highly politically sensitive problem) has always resulted in failures, cost overruns, and injustices in the past. There's no reason to predict that THE AUTOMATED TARGETING SYSTEM will be the exception to the rule.

Heeding the Message

2006-10-30T13:50:00.000-06:00

It takes a big man to admit that he's made a mistake, especially in politics.

It takes an even bigger man to think it over carefully enough to propose doing something genuinely useful. Rep. Markey has done both; here's what he wrote in his latest press release, covered on Chris Soghoian's blog:

Under the circumstances, any legal consequences for this student must take into account his intent to perform a public service, to publicize a problem as a way of getting it fixed. He picked a lousy way of doing it, but he should not go to jail for his bad judgment. Better yet, the Department of Homeland Security should put him to work showing public officials how easily our security can be compromised.

Exactly. This is the kind of thinking we need more of. Kudos and thanks to Rep. Markey for a courageous and helpful statement.

Shooting the Messenger

2006-10-28T12:03:00.000-05:00

Congressman Ed Markey (D-Mass) has called for the arrest of Chris Soghoian, a University of Indiana graduate student who created a website which enabled printing of fake Northwest Airlines boarding passes.

If Congressman Markey, who represents himself as an authority on technology and civil liberties issues, and who publicises national security vulnerabilities on his own congressional website, is surprised by the fact that boarding pass security is a joke, then he hasn't been paying attention for a long time.

Boarding pass security has always been terrible. ABC reported on this vulnerability in June. Bruce Schneier wrote about it as early as 2003, and explains here why he's not worried that it's still easy to forge print-at-home boarding passes.

The print-at-home vulnerability has been covered at Stupid Security and elsewhere (here too!).

Publishing instructions for how to do it isn't new either.

In fact, Slate has pointed out that you don't even need to forge a boarding pass to get past airport identity checks - you can just use somebody else's real one.

Providing an easy online utility to automate forgery may indeed be new. But before we start arresting people, let's think for a minute about who we should be locking up. Real villains - not security researchers - should be at the top of our most-wanted list.

What say we start with the people who actually want to commit terrorism? Congressman Markey lists Homeland Security and Defense among his top issues. You may have noticed that we haven't caught Osama yet.

Once we arrest the people who create the threats, we should go after the people who create the vulnerability. This would be airlines (who allow you to print insecure boarding passes at home in an easily-forgeable format) and the TSA, who take a cursory look at your forged boarding pass and wave you through their checkpoints.

Then let's look for the guys who have failed to hold the airlines and the TSA accountable for their failures. Congressman Markey's bio says he's one of them: "As the third most senior Democrat on the House Homeland Security Committee, he has emerged as a leader in both legislative and oversight activities in the areas of nuclear, aviation, rail, liquefied natural gas and chemical security." If this oversight were effective, Chris Soghoian wouldn't have been able to build his website and we wouldn't be talking about it.

Bruce is right that the real problem is elsewhere. But even if this were a real problem, arresting the messenger wouldn't solve it. Congressman Markey undboutedly knows that - and he also knows that loud law-and-order noises sound good in an election year.

Pink for October

2006-10-01T23:48:00.000-05:00

Special this month: Ceci n'est pas un Bob will be Pink for October to promote awareness of breast cancer. Plus, pink is cool.

Getting Crowded In Here

2006-09-08T20:08:00.000-05:00

From the shameless promotion desk: my Identity and Privacy Services team at the Burton Group has started a blog. I'll be posting there too from time to time, but what makes me really happy is that you'll get to hear the same voices I hear every week at work.

Check it out.

O Brave New Web

2006-09-08T12:42:00.000-05:00

... That hath such creatures in it.

Your friends and associates: Collect 'em! Trade 'em! I'll give you eight bucks for a mint Babe Ruth rookie card, or six for a Larry Ellison business card!

Jigsaw has been slashdotted today via a story in the San Francisco Chronicle.

Have I mentioned The Absurdity of "Owning One's Identity"?

Jigsaw's claim that user activity will keep information up to date in their system isn't particularly convincing to me, by the way: I used their "Find out if you are in Jigsaw" feature to discover that information for "blakley@us.ibm.com" IS in their database. I'd like to meet him. I bet we'd have a lot to talk about.

Jim Fowler, Jigsaw's CEO, says he's thought deeply about the moral issues Jigsaw raises, and that everything's OK. To investigate that claim, try the following thought experiment:

Meditate on Jigsaw. Breathe deeply. Let your feelings flow.

Meditate on LinkedIn. Breathe deeply. Let your feelings flow.

Explain your feelings.

Want a hint? LinkedIn is different from Jigsaw - it requires you to accept an introduction before it dishes the dirt on you. That's a tiny step in the right direction, but I'd rather have a Meta-Identity System than either of these Web 2.0 Identity Systems. It would be easy to do this for business contact information.

Here's you visiting a Business Contact Identity Oracle:

You: "Do you know Bob Blakley?"

Oracle: "Yeah, I know him".

You: "Great! Give me his email address."

Oracle: "Pound sand, loser."

You: silence while thinking for a minute.

You: "OK, if I give you MY email address, and a message, will you send it to him?"

Oracle: "Gladly."

Now wasn't that easy?

On Burton

2006-08-04T23:12:00.000-05:00

It's always disconcerting to be discussed in public... Jamie's post touches all sorts of topics which hadn't even occurred to me. I suppose there's a lot that could be said about many of these topics, but the only thing I really want to say is that if you want to know why I chose The Burton Group as the next place to go, look here. If you haven't heard these folks speak, or read their reports, you have a treat coming. They're making a difference in the industry (SAML wouldn't have happened without them, for example), and I'm looking forward to pitching in and helping.

We Interrupt This Program...

2006-08-01T12:06:00.000-05:00

As of today, I've moved from IBM to The Burton Group, where my job title will be Principal Analyst. I'll be working on Identity, Privacy, Security, and Risk Management. The views expressed here are still mine, and don't necessarily reflect the positions or opinions of either employer.

The Meta-Identity System

2006-07-12T18:04:00.000-05:00

Let’s start with a question: “In the Identity Metasystem, how can Identity Providers Exist?”

It seems simple in principle; someone sets up an Identity Provider server which has a Web Services Security Token Service (STS) and a policy engine. The server invites “subjects” to create profiles (lists of identity attributes) and then creates signed tokens asserting those profiles for consumption by Relying Parties. All this is easy to do.

The Paradox of the Identity Provider

What’s hard is:

Paying for the Identity Provider server and the service it provides.
Convincing Relying Parties that they should rely on information provided by a third party (the Identity Provider) rather than maintaining identity attribute information themselves.
Assigning liability when a relying party asserts that a claimed identity attribute is incorrect.
Assigning liability when a subject claims that the wrong identity attribute claim was released to a Relying Party.
Making subjects whole when a security failure “leaks” subject identity attributes directly from the Identity Provider.
Assigning liability and making subjects whole when a security failure “leaks” subject identity attributes from a Relying Party.

There’s a vicious circle here. Relying Parties won’t want to outsource identification of their transaction partners unless they can feel sure that the Identity Provider’s information is better than their own, or unless they can be indemnified against losses arising from mis-identification. Identity Providers, therefore, have to spend a lot of money on data verification, or liability insurance, or both. But to spend a lot of money, Identity Providers need to make a lot of money. This means that either their fees or their transaction volumes need to be very high. To generate high fees and high transaction volumes, Identity Providers need to have a valuable asset. And (here’s the rub) if Identity Providers provide their subjects’ identity attributes to Relying Parties, they don’t have an asset - because they’re giving it away to their customers.

The Potemkin Village

Parenthetically, by giving identity attributes to Relying Parties, Identity Providers turn the Identity Metasystem into a kind of Potemkin Village - a false front hiding emptiness and weakness. The Identity Metasystem's subjects rely on the Identity Provider to safeguard their private information, but the Identity Provider can’t safeguard information which is sitting in Relying Party systems. Unless the Relying Party's systems change, the implementation of the Identity Metasystem does nothing to reduce the total privacy risk of the environment it’s introduced into - though it may increase Relying Parties’ liabilities for that risk, because the Identity Provider’s contracts may create liabilities for Relying Parties who mishandle the information they provide.

The Meta-Identity System

If this seems gloomy, there’s good news. The technical infrastructure of the Identity Metasystem contains the seed of a solution to both problems (“How does the Identity Provider make money?” and “How do we avoid building a Potemkin Village?”). That seed is metadata.

In order to build an asset, the Identity Provider has to stop giving its crown jewels - identity data - to its customers. It can do this simply by changing what it puts into the claims it hands out to Relying Parties. Instead of answering a Relying Party’s query “How old is Bob?” with the claim “Bob is 45”, it can answer “How old is Bob?” with the claim “Bob is over 18”. Instead of answering the query “Is Bob a good credit risk?” with the claim “Bob’s credit history is (fifty-page report goes here)”, it can answer “Is Bob a good credit risk?” with the claim “97% of people with credit histories similar to Bob’s repaid loans of under $200,000 on time.”

Claims like these contain metadata rather than data. From the point of view of the Identity Provider, identity metadata has two big advantages over identity data. The first advantage is that using identity metadata in claims allows the Identity Provider to provide a service to its customers without handing over its core asset - and in fact using identity metadata allows the Identity Provider to build the value of its asset by developing expertise in analyzing raw identity data and transforming it into more and more accurate and useful metadata.

The second advantage of using metadata instead of data is that it allows the Identity Provider to provide a service to Relying Parties while minimizing the disclosure of specific personal information to those parties - thereby reducing privacy risks to subjects. Once the Identity Provider gets out of the business of providing raw identity data, of course, it no longer makes sense to call it an “Identity Provider”; calling it an “identity metadata provider” sounds hopelessly geeky, though, so I propose instead to call it an “Identity Oracle”, since what it’s really doing is answering questions about an identity.

As a technical community and as a society, we can realize a lot of benefits by eliminating Identity Providers. Instead of building an Identity Metasystem with Identity Providers, we should build a Meta-Identity System with Identity Oracles. The technical infrastructure of the Identity Metasystem doesn’t need to be changed - all that needs to change is what we put in the claims and the way we think about the system.

I gave a talk about this at the recent Burton Group Catalyst Conference. The talk includes a lot of material I haven’t discussed here; if you’re interested in listening to the talk, the Burton Group has kindly posted it in podcast form here, along with the accompanying slides.

Memorial Day

2006-05-29T21:21:00.000-05:00

I attended a high-school graduation in a local church on Sunday; the liturgical paraments expressed the perfect wish for Memorial Day. My long silence was not idleness; May has incubated many thoughts, to which you'll soon be exposed. If you've been anticipating the fulfillment of promises made in past posts, you won't be disappointed.

Auto-exposure

2006-04-09T21:55:00.000-05:00

Since Phil took the bait, here's a simple test you can do to find out whether automation is homogenizing your photographs. Take one of your photos and open it in Photoshop. Then do this:

Filter > Blur > Average

Image > Mode > Grayscale

Now use the Eyedropper tool to sample any point in the image.

Finally, look in the Color Palette and see what percentage of gray is "average" for your picture.

If the answer is about 50%, you probably used auto-exposure. Phil likes aperture-priority automation. He justifies its use this way:

"I don't think the automation in the camera makes a great deal of difference. Once you have decided what you want to take a picture of, compose the shot and focus on the topic of interest there are only two real choices you can make on a camera; aperture and shutter speed. And the choice of one strongly constrains the other"

This is true - if you want the average density of your photo to be 50% gray. Your camera wants the average density of your photo to be 50% gray, because that's the average for a photo with a "full range of tones" more or less evenly distributed (for example, a picture of a human subject outdoors in the daytime on a grass lawn.)

Here's a photo I took at Reed's late last year. I saw some shadows on the wall in a dark corner and thought they looked interesting in a brooding, film-noirish way. The corner was very dark, and I wanted the picture to look dark, the way my eye saw it. If you run the Photoshop action I've described above on this picture, you'll see that its average gray percentage is 95%.

When I took the picture, I knew that the normal exposure for ambient light in Reed's is about 1/60 of a second at f/2 on 400 speed film. In dark corners, there's much less light. I shot this picture (manually) at 1/30 at f/2. If I'd used aperture-priority automation at f/2 (assuming my camera did that, which it doesn't), the camera would have noticed that the wall wasn't lit, and it would have set a shutter speed of either 1/4 or 1/2 second - resulting in a picture with an average gray percentage of about 50%, which would have looked like this:

I like my picture a lot better than the one an automatic exposure meter would have generated. I could have tricked my F-100's auto-exposure system into producing the picture I wanted by setting "exposure compensation" to tell the F-100 that the scene was supposed to be dark. But then what good is the automation? I already know the scene is dark, and it's no harder to set the exposure values manually than it is to set exposure compensation manually - so all the automation does is make it more likely that I'll get lazy and end up with a bad picture.

Automation won't hurt your "average" pictures (photographs of people in daylight, for example), because those are the pictures it was designed to produce. It is much more likely to hurt dark or light pictures, or anything else "out of the ordinary".

Open up a bunch of your pictures and try the Photoshop experiment I've described above. If your highest gray density is only 10% higher than your lowest, turning off autoexposure will probably improve your photography.

How I Take A Picture 1: Take Responsibility

2006-04-02T22:25:00.000-05:00

I have a Nikon F-100. It's a great camera. It has lots of advanced functions. It winds the film onto the takeup spool as soon as I close the camera back. It reads the ISO sensitivity of the film off the film cassette and sets it automatically. When it gets to the end of the roll, it automatically rewinds the film. I can set it to leave the film leader out of the cassette, or to wind the film all the way into the cassette with no leader sticking out. The F-100 has aperture-priority and shutter-priority automatic exposure, and a program mode, and a "flexible program" mode, which lets me change the aperture or the shutter speed and automatically compsenates for the exposure difference by changing the setting I haven't touched. The F-100 has spot metering, center-weighted average metering, and "matrix metering". It has autofocus. It has TTL auto-flash with distance sensing, which measures the light as it hits the film and closes the shutter when just exactly the right amount of light has gotten in. It has exposure compensation and flash exposure compensation. It shoots 5 frames a second. It fits my hand like a glove.

I never use it.

I got tired of turning all those features off.

I turned them off because I realized after a while that my first step in taking a picture should be to take responsibility. Taking responsibility was hard with the F-100. It was always whispering to me. It would say things like "The light just changed. I could handle that for you - why don't you just let me set the exposure while you worry about more important things?" or "It's really dark in here. Why don't you just let me add a little flash?" And since I'm lazy and weak, I'd sometimes give in and let the F-100 take some of the responsibility I should have been taking.

The F-100 handled those responsibilities beautifully. It made far fewer mistakes than I did.

You're wondering why I wanted to take responsibilities away from a machine which handled them better than I did. Here's why: because the F-100 was a slut. Everything it did for me, it would have done for you too. It was homogenizing my photography.

Imagine this. You and I are standing in front of Kilauea. There's a Pacific cyclone a hundred miles offshore, and the biggest thunderhead either of us has ever seen is towering over the ocean behind the volcano, showering lightning bolts like Steven Spielberg on a $200 million budget. The volcano itself is erupting spectacularly, and to top it all off, there's an incredible sunrise behind us spraying orange and pink light all over the clouds and casting a huge rainbow over the volcano and in front of the storm.

The light's changing fast, so I have the F-100 on Program auto-exposure, in matrix metering mode and autofocus. I take a picture. You forgot your camera, so you ask to borrow the F-100 and you take a picture too.

We just took the same picture. Of a once-in-10-lifetimes scene. Not only that, we both took the same picture as all the other tourists standing around looking at the scene through the viewfinders of their auto-everything cameras. We all took the pictures our cameras wanted to take, not the pictures we wanted to take.

If I were using the all-manual Leica IIIf shown at the top of this blog entry instead of the F-100, I would have to make a bunch of creative choices. I would have to choose a shutter speed and an aperture setting, for example. The combination of the two would determine whether the scene in the picture looked "normal", "dark", or "light". But each individual choice has implications beyond darkness and lightness. A slow shutter speed would give me more lightning bolts, but it would blur the lava spewing out of the volcano. A wide aperture would blur the foreground, and would slightly decrease the overall sharpness of the picture. If I want a slow shutter speed and a wide aperture, I get a lot of light. That's OK if I want the picture to look lighter than the scene looked in real life - but if I don't want that, I'll need to put some filters in front of the lens to block some of the light.

When I use the IIIf, I have to think about what I want the picture to look like before I push the button. It has no automation, so it can't whisper the siren song of automation in my ear. It doesn't want me to take average pictures - pictures just like yours and everyone else's - because it doesn't want me to take any particular kind of pictures at all. All the creativity and intelligence stay in my head, where they belong.

If you want to take pictures just like everyone else's, set your camera to automatic.

If not, take responsibility. Set your camera on manual.

If that sounds scary, don't worry; in the next entry in this series I'll tell you what to do next.

Within This Decade

2006-02-21T14:51:00.000-06:00

Security professionals have known for many years that your password is one of the weakest points in the security of the web of computing devices and services you use.

We’ve been trying to do something about the problem for as long as I’ve been in the business.

We started by obfuscating passwords on servers after we figured out that the password file was an attractive target for attackers. UNIX was a pioneer in this area, though as usual MULTICS was there first.

Obfuscating and encrypting passwords has never worked very well, because a large percentage of passwords are very easy to guess in just a few attempts.

But protecting passwords on servers didn’t work for another reason too: you could read them off the network as they zipped by. We’ve tried encrypting them on the network (TLS became an IETF standard in 1999, by which time its predecessor SSL had already been in use on the Internet for three years), and we’ve tried pushing their use to the client system to keep them off the network entirely (Kerberos became an IETF standard in 1993, by which time it had already been in use at MIT and elsewhere for many years).

Keeping passwords on the client assumes a bunch of things which aren’t true. It assumes clients are secure; they aren’t. It assumes passwords aren’t trivially easy to guess; they usually are. And it assumes that the user won’t tell the password to anyone who asks. Phishing attacks are what you get when the bad guys figure out that you will tell your password to anyone who asks.

It’s bad enough that passwords aren’t very secure; what’s even worse is that they’re a huge pain too. We all hate them because we have to change them all the time and they’re hard to remember. Your organization probably has a bunch of rules for good passwords: they have to be at least “some number of” characters long; they have to include a bunch of weird characters you can’t find on your keyboard; you’re not allowed to use your name, or your account name, or more than two characters from your last password - and so on. All these rules are just variants of the Two Platonic Password Composition Rules:

Pick something you can’t remember.
Don’t write it down.

No problem, right?

We security guys have known for a long time that the right way to deal with passwords is to get rid of them. We resolve to do it periodically, but these resolutions are like New Years’ resolutions to lose weight - somehow we never get around to finishing the job.

In 1998 the Internet Architecture Board got a bunch of us together to take a look at what the security architecture of the Internet should look like. We agreed on almost nothing - with one exception:

“One security mechanism was deemed to be unacceptable: plaintext passwords. That is, no protocol that relies on passwords sent over unencrypted channels is acceptable.” IETF RFC 2316, 1998.

Eight years later lots of websites still ask for your password over an unencrypted HTTP connection (but giving examples wouldn’t be nice).

In 2003 the National Academy of Sciences got a bunch of us together to take a look at authentication technologies and how they affect your privacy. Unsurprisingly, we agreed again:

“Static passwords are the most commonly used form of user authentication, but they are also the source of many security weaknesses... great care should be taken in the design of systems that rely on static passwords.” “Who Goes There?”: Report of National Academy of Sciences Panel on Authentication Technologies and Their Privacy Implications, 2003.

The report doesn’t come right out and say we should just get rid of passwords - because at the time I argued passwords were still OK in some contexts and that an out-and-out ban would be an overreaction to the risk.

I was wrong.

Static passwords are an unacceptable hazard, good alternatives exist, we should get rid of static passwords in favor of those alternatives, and we should do it fast.

We’ve been saying this for years; it’s time to get off our butts and do it. Bill Gates agrees; in his keynote address to the RSA Conference last week, he called passwords "dinosaurs", and noted that they're becoming the weak link in the security of the Internet.

As penance for my past sins, I’m going to issue a challenge to the information security community from my little soapbox here:

“I believe that this community should commit itself to achieving the goal, before this decade is out, of providing every computer user with a strong authentication device and the infrastructure required for its universal acceptance.”

What do I mean by “a strong authentication device”? It’s a device with the following properties:

It’s always with you
You notice quickly if you lose it
No one else has one exactly like it
It keeps a secret you can’t remember without writing it down
It never does the same thing twice

Why these characteristics and not others? Because: if your device never does the same thing twice and no one else has one exactly like it, you need to have your particular device to authenticate yourself, and you need to have it every time you authenticate yourself. If you lose it, you can't authenticate yourself, Period.

Luckily, it's always with you, so you can authenticate yourself. Since it's always with you, you can always use it to authenticate. Because you always use the device to authenticate yourself, you're always authenticating with a secret which you can't remember without writing it down – and because the device keeps the secret, neither you nor anyone else knows it.

Because the secret is this strong, it can't be recovered by guessing or by brute-force enumeration, as in a dictionary attack. This means that in order to get the secret and use it, your enemy has to get the device itself.

But if the enemy does get the device itself, you'll know immediately, because you notice quickly if you lose it.

And once you know the enemy has the device, you will of course take steps to cancel it and get another right away.

The overall effect here is to reduce the number of ways your authentication can be attacked, and to reduce the period of time during which the enemy can profit from a successful attack.

We need to get a strong authentication device into the hands of every man, woman, and child on the planet.

To do that, we’re going to need lots of strong authentication device providers and lots of innovation. The devices are going to need to be cheap, they're going to need to be trivially easy to use, and they're going to have to come in all shapes, sizes, and colors to fit with the widest possible variety of lifestyles.

If you want strong authentication in your cell phone, we need to give it to you in your cell phone. Want it in your iPod? We need to put it there. Wristwatch? Why not? Car key? Sure. Glass eye? Well, I don’t want to beta test that one, but we’ll - ahem - look into it.

Strong authentication devices aren’t a panacea. There are lots of problems they won’t solve. Bruce argues that they won’t even solve the phishing problem - and he’s right. But here’s what strong authentication will do:

It will shorten your window of vulnerability after your authenticator is stolen. Today, if someone phishes your password, or uses a password-cracking program to recover it, or looks over your shoulder while you type it into a login screen, you might not notice for a long time. During this long time, the password thief may do you a lot of harm. When you have a strong authentication device, you notice it’s missing the first time you go to use it, so you can report the loss and stop the damage.
It will force anybody who wants to hijack your authenticator without stealing it to interact with you every time he wants to use your identity. Today, a phisher who gets your password once can use it as often as he likes. Since a strong authentication device never does the same thing twice, the phisher who wants to use your identity has to get you to give him a one-time value, and then he has to use that value before it expires and before you use it. If he wants to use your identity again, he has to get back in touch with you to get a new one-time value. As Bruce notes, the phisher can do this using a man-in-the-middle attack, or he can plant a Trojan Horse on your client system. But both of those things are harder than sending you an email and waiting for you to respond, and both are things we can, and must, defend against in other ways.

If we’re going to use authentication at all, there’s no excuse for using weak authentication. Let’s fix the problem. We’ve got 4 years. We've also got a roadmap. The OATH consortium, which I've been participating in for the last two years, is dedicated to promoting the development and adoption of open, strong authentication technologies.

OATH isn't a standards body, and it doesn't make money off strong authentication. Instead, it encourages and publicizes. OATH has endorsed the development of an open, one-time password standard called HOTP at IETF. OATH has also published a reference architecture for strong authentication, and we're working on identifying the work that needs to be done to make that architecture a reality.

If you agree that we need to get rid of passwords and replace them with something better, I'd like you to do something about it.

If you can, I'd like you to help us advance the cause of the strong authentication by joining OATH.

If you don't feel that you have something to contribute, or if you're already working on something else equally important and don't have the time to join this crusade, you can still do something very important: you can ask the providers of your information systems and services this simple question:

"Why do I still have to use a password? It's annoying for me, it's expensive for you, and it's insecure for all of us – can't you give me something better?"

If you don't get an answer that makes sense, keep asking.

Sorry, Jim, Reputation is a Story

2006-01-27T02:41:00.000-06:00

Jim Kobielus disagrees with me that your reputation is "just a story".

He proposes an alternative:

"Reputation is a computed halo—positive or negative--around our socially contextualized identities...
Reputation is a score computed by relying parties in order to determine whether or not to authorize the reputed party to access resources such as jobs, communities, romantic encounters, time of day, etc....
Reputation is an assurance that someone is worth our while."

I'm sorry to say that this is just wrong. All these computations take reputation as an input rather than producing it as an output.

Easy example: Is George W. Bush "worth our while"? Peoples' answers differ violently, on the basis of exactly the same set of information. The information is the reputation. Whether the reputation is "good" or "bad" depends upon where you stand.

The dictionary (American Heritage, of course) agrees with both of us, but gives Jim's definition priority:

reputation: NOUN: 1. The general estimation in which a person is held by the public. 2. The state or situation of being held in high esteem. 3. A specific characteristic or trait ascribed to a person or thing: a reputation for courtesy.

Words of Wisdom from Sam Hughes

2006-01-16T20:48:00.000-06:00

The man who taught you how to destroy the earth speaks out on how to fight terrorism.

Far too sensible to be taken seriously, right?

Reed's 2006 Calendar

2006-01-14T19:40:00.000-06:00

If you like the pictures in the previous post, you can get copies of them (and 10 other great shots!) by ordering the Reed's Jazz and Supper Club 2006 Calendar at Lulu.com.

Reed's is an upscale Jazz club and restaurant in Austin, and it's a great place to visit if you're in town. It's open Monday through Saturday, except major holidays, and there's live Jazz every night.

The calendar is 13" by 19", spiral bound, and comes printed on heavyweight stock. It comes with US holidays and celestial events (equinoxes, solstices, etc...) indicated on the calendar grids.

This isn't precisely shameless self-promotion, since neither I nor Reed's make any money off the calendar - I used Lulu's "zero royalty" option. I produced the calendar because I enjoy taking pictures at Reed's and wanted to have a way to show them off, and because I was interested in whether Lulu.com could produce a high-quality photo calendar (I'm pretty happy).

On The Absurdity of "Owning One's Identity"

2006-01-12T16:25:00.000-06:00

Kim's First Law

Kim Cameron's First Law of Identity (User Control and Consent) says

Technical identity systems must only reveal information identifying a user with the user's consent.

Let's start by stipulating that this isn't a "law". In the technical world, laws describe things as they necessarily are, rather than as we want them to be. In these terms, Kim has stated a requirement, rather than a law. You can see this at a glance just by examining the grammar; "User Control and Consent" is in imperative mood ("Technical identity systems must only reveal..."); whereas scientific laws are in indicative mood ("A body at motion remains in motion"). It doesn't make any sense to ask whether a requirement is "true" or "false", but we can talk about whether "User Control and Consent" is feasible and whether it's desirable.

Owning Identities

We'll have to talk about several cases, because Identity is Subjective. There are lots of versions of your identity out there, but we'll lump them into two broad categories: your reputation (the story others tell about you), and your self-image (the story you tell about yourself). For each category, we'll talk about "Control" and then we'll talk about "Consent".

Owning My Story About You

Your reputation is my story about you. You can't own this by definition; as soon as you own it, it's no longer my story about you; it instantly becomes an autobiography instead of a reputation.

Control

In principle, you could "Control" my story about you, but there are all sorts of good reasons you shouldn't be given this control. At least in public, and at least in the USA:

There are exceptions, of course, but they're quite limited. The rules are similar elsewhere in the world, and you really don't want to change these rules. Let's say you want to stop me from talking about you - (maybe you don't want me to talk about what diseases you have, or how much you spent on beer last month). You'd start by getting rid of this rule:

Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances.

...because as long as the first amendment is around, I can tell anyone I want how much you spent on beer last month, and (as long as I'm telling the truth) you're just going to have to suck it up. Once our constitutional rights are out of the way, you'll still have to clean up little annoyances like this:

Copyright in a work protected under this title vests initially in the author or authors of the work.

US Code Title 17, chapter 2, section 201, part (a) (Copyright) actually is a law - though not a scientific law - and it's not compatible with User Control and Consent. Copyright says Michael Moore owns this story about George W. Bush. Because Moore owns the story, he, not Bush, controls its publication and distribution. It's not a story Bush likes, so if Bush did control it, you wouldn't get to see it.

After you've gotten rid of the laws that prevent people controlling their identities, you'll have to decide what to put in their place. If your goal is to stop me from telling the truth about you once I know it, and you want to stick with proven techniques, you might decide on something like this.

But then you'll run into another inconvenience - to enforce your control over whether and how I tell your story, you have to watch me all the time, to make sure I'm following the rules. And of course, I have to watch you all the time, to control your use of my identity. If your point was privacy in the first place, you might be getting worried about how much surveillance is creeping into the solution.

It's clear that this path is not leading us anywhere we want to go, and it's also clear why. Applying "User Control" to my story about you requires the government to give you authority over me - or to exercise authority over me on your behalf. Letting you control me this way creates fundamental conflicts with other values in a free society. This may be one of the reasons it's so hard to find a "right to privacy" in the founding documents of the United States - it's not just that the government finds it convenient to look into your affairs; it's also that enforcing a "right" to privacy requires the government to look into your affairs on behalf of others far too often.

Consent

If you can't get a workable privacy regime by giving you a right to control my behavior, you might want to do it by making me "Consent" to control my own behavior before you let me see your private information. At first blush, a Consent regime doesn't seem to create conflicts between fundamental rights (e.g. my right to free speech vs. your right to privacy) the way a Control regime does. By moving privacy into the realm of contract law, a Consent regime allows me to "opt out" of receiving your information from you if I don't like your rules for the use of that information, so it appears to preserve my autonomy.

In practice, though, a Consent regime quickly becomes a Control regime, because the consent relationship doesn't involve the right set of parties.

If a third party (say a business) asks you for information about yourself, there's a reasonable chance you'll make good decisions about what uses to consent to and what uses to prohibit. But remember: we're talking about my story, not your story; you're not involved in the telling of the story - I'm telling it to the third party. If a business asks me for information about you, I don't have any reason to withold consent for any use whatsoever. This was one of the issues in the JetBlue disclosure; the government asked Axicom for information about a bunch of individuals who weren't around when their stories got told.

Imposing a requirement that I get in touch with you and ask for consent whenever a situation like this arises drags Control back into the equation; it makes me ask for your permission every time somebody wants me to tell my story about you. This might be reasonable if all my information about you originates from you - but if that were true, we'd be talking about your story about you, not my story about you.

Imagine what happens in a Consent regime if I want to give "Conglomerex" a piece of information about you. If you gave me the information in the first place, you're free to tell me what I can and can't do with the information, and you're free to withold the information if I don't agree. You're also in a position from which it's possible to impose a Consent rule: since I have to get in touch with you to collect the information, we can have a discussion about consent while I'm doing the collecting, or (if I'm not sure how I'm going to have to use the information) I can ask how to get in touch with you to get your consent when I need it. But if somebody else gave me the information, or if I discovered it myself, then I certainly don't have your consent, I may not have any way to contact you to get your consent, and I may object to getting your consent, on the grounds that you have no right to constrain my liberty.

Owning Your Story About You

Your self-image is your story about you.

Control

In principle, controlling the information that makes up your self-image seems easy - you just choose what you tell to whom, and under what conditions. You can indeed decide on any rules you like for distributing identity information about yourself, but you have to make tradeoffs to enforce those rules.

You value your privacy, of course, but you also value other things, like the ability to get a credit card and the ability to travel on airplanes.

If you want to get on an airplane, you have to show ID, and all the acceptable forms of ID display your home address. This means you have to make a choice between getting on an airplane and keeping your home address to yourself. If you want to establish credit, you have to submit to a credit check, which reveals a lot more about you than just your home address. Here again, you have a choice between getting the credit and controlling information about yourself - if you want the credit, you have to give up information somebody else chooses, and you have to do it on somebody else's terms.

So while you might control your self-image information in principle, in practice you can't really exercise control - you have to negotiate the terms for the use of your information.

I'll note in passing that letting individuals control the use of information about themselves violates Kim's own criterion that "Claims need to be subject to evaluation by the party depending on them" - because invidual control over information gives the individual the unfair advantage of being able to keep adverse information about himself secret.

Consent

Negotiating the terms on which you will disclose self-image information is what Consent is all about.

In many cases there are laws and regulations constraining what an organization can do with information it collects about you in situations like this, but you don't control the content of those laws and regulations - so you're not making the rules (and in fact the interests of society and the interests of corporations influence the content of laws and regulations at least as strongly as the interests of individuals).

If you want to control your identity based on consent, you have to decide between two approaches:

Build one set of terms which covers all uses of your information, and let an automated system take care of negotiating your terms and enforcing your rules. In this case, you need to figure out in advance what all the possible scenarios for use of your identity are, and write a policy which covers each scenario.
Negotiate terms manually each time someone asks for your information. In this case, you need to get notified each time someone tries to use your identity, and make a decision about whether or not to grant consent.

Case 1 clearly isn't going to work all the time; you can't know in advance what benefits are going to be offered in exchange for identity information, and you can't know in advance what risks are going to be created by giving that information out - so no matter what your policy is, there will always be cases it doesn't handle correctly. This means there will be lots of exceptions to your policy, and when these exceptions arise you'll have to fall back on case 2.

Case 2 doesn't really work either. We know because we've tried it. Look here, or here, or here, or here for examples of what you're already being asked to consent to. How well do you understand these terms? How likely are you to take the time to clear up the things you're not sure about? How likely are you to say "no"?

The forces at work here are obscurity, coercion, and burdens.

Obscurity exists not because the people who write consent agreements are trying to confuse you, but instead because of the third axiom of identity

IDENTITY ALLOCATES RISK

Let's imagine that you don't have a lot of money, and you have a poor credit history, but you're facing a big expense. You go to the bank and ask for a loan. In this case, there's a fairly big risk that you won't be able to make the payments if you get the loan. The interesting question in this case is "who suffers the consequences of this risk?" If the bank gives you the loan, they suffer the consequences - because they're out the money if you don't pay it back. If the bank denies the loan application, you suffer the consequences - because you can't meet your expenses. The bank makes its decision based on a piece of identity information: your credit score. If the score is high, you get the loan, and the bank gets the (small) risk; otherwise, you don't get the loan and you get the (larger) risk. Your credit score allocates the risk either to you or to the bank.

Because Identity Allocates Risk, society makes rules to make sure Identity is used fairly. Two typical rules are (1) someone who wants to use your information has to tell you what it will be used for ("notice"), and (2) someone who wants to use your information in a way that might create risks for you has to get your permission ("consent"). You have to pay close attention here: the rules don't say that businesses and other parties can't create risks for you - all the rules say is that other parties have to tell you when they create risks for you, and they have to get you to agree to the creation of the risks.

These rules create obscurity, because in business, the language of risk is law. The bank makes lots of loans, and therefore it is exposed to lots of risk. Because it's exposed to lots of risk, the bank is willing to spend some money to protect itself against that risk. It spends that money on people who speak the language of risk - lawyers - and those lawyers write consent agreements that let the business do what it needs to do profitably (in this case, it needs to create risks for you by using your identity information) without breaking the rules.

You probably aren't a lawyer, so the language in which consent agreements are written is foreign, and confusing, to you. On the other hand, you don't value your privacy enough to hire your own lawyer each time you encounter a consent disclosure - so you end up doing something (reading a complicated legal agreement which allocates risks between you and the corporation) which you're not really qualified to do, and it's confusing and frustrating (Don Davis calls this kind of situation a "compliance defect").

Coercion works because you need services like banking and medical care more than banks and insurance companies need your business. Sometimes the coercion is completely explicit; look over here for an example (go to page 78; the document is PDF because the html version didn't render properly for me in Firefox or Safari, and I don't want to inflict it on your browser). Email me from prison if you decide to withold consent.

Burdens work by wearing you down with work you don't really want to do. When you sign up for an online service, you really want the service (otherwise you wouldn't be at the signup page), and you're impatient to get it set up. If you have to do a lot of work (reading agreements, consulting the Better Business Bureau, the FTC, or other reputation services, checking out the information handling practices of all the partners the business shares your information with, and so on), you're very likely to give up and consent, thinking "how bad could it be?"

Even if you always read consent agreements carefully before you decide whether to accept them, wording like the following (adapted from an actual consent agreement) makes it hard to know exactly what you can expect:

Our business changes constantly, and our Privacy Notice and the Conditions of Use will change also. We may e-mail periodic reminders of our notices and conditions, unless you have instructed us not to, but you should check our Web site frequently to see recent changes. Unless stated otherwise, our current Privacy Notice applies to all information that we have about you and your account. We stand behind the promises we make, however, and will never materially change our policies and practices to make them less protective of customer information collected in the past without the consent of affected customers.

And, of course, sometimes things just go horribly wrong.

The Nub of the Problem

Remember the wording of Kim's First Law:

Technical identity systems must only reveal information identifying a user with the user's consent.

It's clear that this "First Law requirement" isn't feasible - a system which actually obeyed this law would be illegal (because it would withold information in cases in which the law requires it to disclose information without the data subject's consent), and it would be dangerous to the data subject (because it would withold personal information even in critical situations if consent couldn't be obtained - for example when the data subject is unconscious and injured after an accident).

If you agree with most or all of what I've written above, you'll agree that the "First Law requirement" isn't desirable either, because it creates a lot of work for the individual without really solving the privacy problem.

The reason the First Law doesn't work is actually very deep and subtle, and I'll write more about it soon. But I'll leave you with a hint. The nub of the problem with the First Law is the assumption that privacy is based on secrecy.

International Dadaism Month

2006-01-05T17:32:00.000-06:00

If you really want to get into the spirit of the thing, today would be as good a day as any to start celebrating this.

1

2006-01-04T23:26:00.000-06:00

Sony DRM Disaster - and the Mac

2005-11-20T18:30:00.000-06:00

If you're reading this, it's highly unlikely that you don't already know about Sony's DRM disaster, so I won't go into the details.

Sony's FAQ, though, is just too weird to pass over in silence. Leaving aside that it's written in a language which only approximately resembles English, and that it appears not to have been proofread in any language, it's got all sorts of amusing stuff in it. I recommend you snuggle up with a glass of your favorite recreational beverage and browse through it. As Lewis Black would say, you've got to experience it in person, because there's no drug which will duplicate the experience.

My favorite part is this little gem:

3. How can I get tracks I rip from my CD into iTunes and/or onto my iPod?
Apple's proprietary technology doesn't support secure music formats other than their own and therefore the music on this disc can't be directly imported into iTunes or iPods.
Sony BMG wants music to be easily transferable to any device that supports secure music. Currently, music from our protected CDs may be transferred to hundreds of such devices, as both Microsoft and Sony have assisted to make the user experience on our discs as seamless as possible with their secure formats.
Unfortunately, in order to directly and smoothly rip content into iTunes it requires the assistance of Apple. To date, Apple has not been willing to cooperate with our protection vendors to make ripping to iTunes and to the iPod a simple experience.
If you believe that you should be able to easily move tracks from your protected CD to your iPod then we encourage you to use the following link to contact Apple directly and tell them so. http://www.apple.com/feedback/ipod.html
That said, while there is no direct support on the disc for iTunes or iPod, SONY BMG has worked out an indirect way for consumers to move content into these environments, despite the challenges noted above. If you'd like more information on how to move content to iTunes please CLICK HERE.

One of the many things that's funny about this text ("secure music"?) is that nothing in it bears any resemblance to reality! It happens that I have one of the XCP-infested discs: Cyndi Lauper's "the body acoustic". I bought it the other day before I knew about the DRM problem, but I hadn't listened to it until tonight when I noticed that it was on Sony's XCP list.

After I read the Sony FAQ, I figured I'd just take a shot at "directly and smoothly ripping the content into iTunes". I used my usual solution for this:

It worked perfectly. None of the distorted audio the FAQ warns about, no warning messages, no attempts to install the Mac version of Sony's DRM on my machine, no prompting for admin passwords, no incompatibility - just the usual Mac iTunes import process, with the usual successful result.

In fact, Sony knows this. They even admit it in the FAQ:

1. I have an Apple Macintosh computer. Will the disc work on my MAC?
Yes. This disc will behave like a traditional CD in a Mac.

Did you catch that? The disc will behave like a traditional CD (i.e. it will work!) in a Mac. It's only on a Windows machine that the CD becomes "non-traditional" - and stops working!

Let's translate that: It's Sony's proprietary technology - not Apple's - which makes the CD misbehave on PCs. Sony hasn't gotten around to making its CDs break iTunes on the Mac yet, presumably because Apple's market share is smaller than Microsoft's.

I think this is in fact the key to the success of iTunes and the iPod. Apple designed their system to make it easy to copy and play music; Sony designed theirs to make it hard - unless you play the game their way.

The CD is great, by the way. Too bad for Cyndi it will be off the market for at least part of the critical Christmas buying season (I'm sure Sony feels terrible about this, because, you know, DRM is all about protecting the artists and their revenue). But it's on my iPod, and I'm keeping the XCP-protected version of the CD, too. Who knows, it might be worth something some day...

Photography Loses Another Grand Old Man

2005-11-11T10:27:00.000-06:00

Lord Lichfield died today.

He joins a long list of his contemporaries we've lost recently... Galen Rowell, Herb Ritts, Richard Avedon, Helmut Newton, Henri Cartier-Bresson. Our world has been enriched by their work.

Self-Image

2005-11-09T09:55:00.000-06:00

I'm fascinated by peoples' reactions to photographs of themselves. Remember Pam's comment on this picture? Here's what she said:

You have no idea how pretty and attractive and a million other things that your photo makes me feel. It may be a photo that everyone can enjoy, but it means an order of magnitude more than that to me. To me, that photo represents what most women spend thousands of dollars on wedding photos for - proof for the ages of vitality, of attractiveness, of youth (ok, so not-so-much youth for me, hehe) -- the details vary but the theme remains. Your example of a photo that has no need for a mnemonic is exactly the opposite to me, because in 20 years, this photo will bring to life the memory of what it is that I am now, for the small group of people who knew me. And not just a shady memory, but an idealized, perfected memory at that...

When Pam says You have no idea how pretty and attractive and a million other things that your photo makes me feel, my photographer's ear hears "You have included the things I like best about myself in the picture, and you've left out the things I don't like about myself".

This doesn't always happen. Sometimes I take a picture I think is beautiful, but which the subject hates. When this happens, everyone else I show the picture to agrees with me that the picture is beautiful. In cases like this, the subject always has some very specific complaint ("my nose looks big", or "my eyes are different sizes").

In both cases - when the subject likes the picture and when she doesn't - I feel like I've succeeded because I've taken the photo I wanted to take: a photo which communicates what I find beautiful about the subject to almost everyone. But the first case - Pam's case - is better, because Pam agrees with everyone else that there's something beautiful about her which I've captured in the picture.

The best case of all, of course, is when this is news to the subject - the photographer's dream is to hear his subject say "No one has ever taken a picture that good of me - I didn't know I was that pretty".

This can happen because we all have mental pictures of ourselves which don't correspond exactly to reality. When Pam calls her picture an idealized, perfected memory, on one level she's just being literal; I did pose her and light her to best advantage, and I did do a little retouching to clean up stray hairs and things, so the picture is "idealized" and "perfected" to some extent.

On another level, though, what Pam is saying is that the picture on your screen looks better than the picture of herself she carries around in her mind.

This isn't neurotic; most people's mental images of themselves are less attractive than the real thing. I can't count the number of times people have told me "I'm not photogenic", when what they really mean is "I don't like my nose, and it makes me unhappy when I see it in pictures". I also can't count the number of times people who have said this to me have loved a picture I've taken of them. These people are surprised at how good their pictures look because when they're looking in the mirror (or at casual snapshots taken without any attention paid to posing and lighting), they're focusing on things they consider unattractive, but when I'm looking in the camera's viewfinder, I'm focusing on things I consider attractive - and figuring out how to leave everything else out of the picture.

At this point, you might accuse me of lying with the camera, or of contributing to unreasonable standards of feminine beauty, flacking for the cosmetics industry, etc...

But wait a minute - my image is no more a lie than Pam's mental image; neither is "the truth" - they are both just stories. If you could print out Pam's mental picture and lay it beside the picture on your screen, different people would have different opinions about which story is more "true". Pam would say her mental picture is closer to the truth; I would insist that my picture is closer to the truth. You, dear readers, would argue amongst yourselves.

Our self-images consist, of course, of more than just pictures. Our self-images are stories (An Identity is a Story), and we construct stories about all aspects of our lives and personalities. Our versions of those stories differ in lots of ways from the stories other people make up and tell about us (Identity is Subjective). This is why flattery works; we like it when we hear a story about ourselves which is prettier than our own version. It's also why gossip hurts - nobody likes it when a third-person account of "his story" compares unfavorably to the "official" first-person version.

And, of course, it's why we can be surprised - delighted or depressed - by pictures of ourselves. Surprises like this can change us; I like to think that Pam's mental picture of herself is a bit prettier than it was before she saw my picture of her.

Good News!

2005-11-09T09:26:00.000-06:00

There are about half a million school-aged children in Kansas.

None of them will be competing with your kids for the best jobs of the 21st century.

Come to think of it, they may not even be able to enjoy a good beer when they graduate...

Similarity Versus Identity

2005-09-09T11:29:00.000-05:00

It's a cliche: your driver's license picture doesn't look like you. But if this is really true, then what is the picture for?

The stated intent is that the picture is supposed to prevent someone else from using your driver's license. Everyone in the U.S. who's under 21 and enjoying a beer right now knows how effective the picture is for that purpose.

The driver's license picture fails as a descriptive reference because people basically all look the same, and because people don't look very carefully either at pictures or at other people.

Recognition without similarity

Don't believe it? Who's this guy?

You recognize Jesus instantly, even though he didn't actually look like that. In fact, you recognize him no matter what he looks like. He can have brown hair and brown eyes.

He can have black hair and dark eyes.

Or he can have blond hair and blue eyes (if you want a really disturbing experience, by the way, go to Google images and search on blond jesus - no quotation marks).

Part of this, of course, is context. If you run across somebody wearing a crown of thorns and sporting a halo, Jesus is going to be on your list of possibles, and you may not look too closely at the height, weight, eye color, hair color, or restrictions fields of his license.

Similarity without recognition

Context is a reasonable guide to recognizing pictures of Jesus, because nobody really knows what he looked like - there aren't any contemporary pictures or descriptions which survive, as far as we know.

But even without context, we would all recognize pictures of Jesus, because the Christian community has for centuries been in the habit of using pictures as descriptive references to endow him with certain physical features - tall, thin, long face, beard, benign expression, etc....

Here's another test: do you recognize this guy?

You probably don't, but Jesus would have; when he held up the coin and asked "whose face is on this?", he was looking at this picture - it's Caesar Augustus, and you can bet your last denarius that it's a very good likeness (what do you think happened to sculptors who made Caesar's nose look too big?).

Mistaken Identity

We all have both these problems all the time, even with people we know well. How often have you been at a party, recognized a friend across the room, called out his name, and then realized that the guy across the room is somebody else entirely, and your friend isn't even at the party? That's recognition without similarity.

On the other hand, how many times have you answered the phone and conducted a conversation for several minutes before you finally had to break down and ask "I'm sorry, who is this?" (and then had to say "Oh, mom... you sound different - do you have a cold?") That's similarity without recognition.

Cases like this sometimes make the news. Recognition without similarity doesn't have to be based on a picture of your face; a picture of your finger (for example) will do. If you're Brandon Mayfield, a picture of your finger might look something like this:

Somebody who saw a different picture of a fingerprint - maybe the one below - might decide that it looks like a picture of your fingerprint...

...and if that somebody were the FBI, they might arrest you if the second fingerprint picture was taken at the scene of the Madrid train bombings. You might be more likely to be arrested if the context (for example, the fact that you are a Muslim) reinforced the impression of similarity created by comparing the two fingerprints.

This really happened; these aren't the real fingerprints, but the real second fingerprint was an image of Ouhnane Daoud's finger, and Brandon Mayfield was released.

The point, of course, is that because identity is subjective and identity changes over time, identification is necessarily a process of judging the degree of similarity of two descriptions (or images), and the result of identification is a probability rather than a certainty that the two descriptions refer to the same person or thing.

Art and Ambiguity

The ambiguity of identity creates rich possibilities not only for drama (The Man in The Iron Mask), for comedy (Twelfth Night), and for crime (The Sting), but also for art.

My favorite example of art and the ambiguity of identity is the work of J.S.G. Boggs, who creates drawings of banknotes, which he then "spends" by exchanging them for goods and services. He always makes it clear to people that he's giving them artwork, not "real" currency (whatever that means!), but he also always requires change and a receipt.

Several legal cases on several continents have centered around the question "is this a counterfeit banknote, or is it something else?" So far, the answer has always been "it's something else." You can read about Boggs here.

Identification And Modes Of Reference

2005-09-07T19:49:00.000-05:00

What if I know an individual and you don't? I can tell you all the stories I want, but the stories won't be useful to you until you have someone to associate them with. To make the stories useful, I have to IDENTIFY the person to you. I can do this in two ways.

If you and I and the individual in question are all in the same room, I can point to the individual and say "See that guy?" The act of pointing to a person or thing to refer to it is called

INDEXICAL REFERENCE

It's called "indexical" because (in the English-speaking world anyway) you use your "index" finger to point to people. Pointing at something is a way to connect a reference to a thing (a name, for example) or a story about a thing (an identity, for example) to the thing itself. Indexical reference only works if you and I can both see the thing I'm trying to point to at the same time. Links on the web are a form of indexical reference, and they break when something moves out of view. Weirder things than broken links can happen when indexical reference breaks on the internet - things like this, for example. Once I've referred to a person using indexical reference, I can start telling stories about that person, in order to communicate my view of the person's identity to you. I can say, for example, "That's Kim Cameron; he's the guy who wrote the Laws of Identity. He works for Microsoft, because they bought Zoomit, which he founded. He's a frequent speaker at the Burton Group Catalyst Conference, and ...." I could go on and on here, but you get the idea. If you and I can't both see the person or thing I want to identify to you, I can't use indexical reference. Fortunately, I've got another option.

DESCRIPTIVE REFERENCE

Let's imagine I want to identify Kim to you, and I can't point to him. Maybe you can't see me pointing because I'm typing something about Kim into a blog and you're reading the blog in a Starbuck's coffee shop thousands of miles away.

Since I can't point, I have to do something else. What I do is this:

"Look for a guy with curly, white hair, a grayish walrus moustache, taller than me and a bit heavier, dressed business casual. He has a softish Canadian accent, wears glasses, and smokes." If I give you this description and you run into the guy in this picture, you might be confident to go up and introduce yourself: On the other hand, you might not be confident enough to go up and introduce yourself, because, after all, my description isn't terribly specific, and it probably applies equally well to thousands of people; I'll talk about this some more in the next blog entry. The fact that descriptions are all ambiguous to some extent is one reason why even people as well known as Kim wear name badges at conferences (the other reason is that the conference organizers want to make sure that even people as well known as Kim pay their conference fees).

Kim's name badge brings us to the third mode of reference; once you and I both know an individual (so that we've gotten past the need to identify the individual), we can refer to the individual using a name.

NOMINATIVE REFERENCE

This mode of reference is called NOMINATIVE REFERENCE. It's not foolproof. I'm a great example.

My name is "Bob Blakley", in the sense that this is what everyone who knows me actually calls me.

In another sense, though, my name is "George Robert Blakley III", because that's what appears on my birth certificate and various other official documents.

In a third sense, my name is "Bob Blakely", because lots of people misspell my last name (go ahead, Google it - you know you want to! About half of the top hits in a search for "Bob Blakely" are actually references to me - including the first listing, which is there because Kim Cameron misspelled my name when constructing a technorati link to me from his recent post; the misspelling has since been corrected but its progeny live on in the Google cache).

These things happen because, generally speaking, there is not a one-to-one correspondence between people and names. Many people have nicknames, assumed names, stage names, married names and maiden names, aliases, pen names, and so on. The government hates this and is trying to make it harder and harder to have multiple names - I've had to change the name on my frequent-flyer cards from "Bob" to "George Robert" in order to get on airplanes, for example - but the effort to eliminate alternate names is going to fail, if only because no one is actually going to call Camilla's husband "Charles Philip Arthur George Windsor, His Royal Highness The Prince of Wales, Duke of Cornwall, Duke of Rothesay, Earl of Carrick, Baron Renfrew, Lord of the Isles and Great Steward of Scotland, Knight of the Garter", because that would just be a pain in the ass.

But let's go back to the first sense - try a Google search for "Bob Blakley". It turns up the usual ten billion references to me. But it also produces another interesting thing - a bunch of links like this one. These are links to my father. He's George Robert Blakley, Jr., also usually known as Bob, also a computer security researcher, also from Austin, TX, and so on. And if you look far enough down in the list (apparently I'm very famous compared to many other Bob Blakleys) you'll find entries like this, which point to people to whom I'm not related (as far as I know).

This happens, of course, because in general there isn't a one-to-one correspondence between names and people. In fact, it's a dead cert that lots of other people have the same name as you, unless your name happens to be ... which is also a pain in the ass.

Identity Is Subjective

2005-08-31T21:34:00.000-05:00

Pam commented:

"If you were to open an old photo album, and see a picture, let's say this picture was taken by an aunt or uncle. And this picture showed one of your children at christmas, looking up with delight just after they found out what their present was. Would you look at that picture and see that the lighting was all wrong, and that cousin Mervin was picking his nose in the background - or would you register that this loved one of yours was experiencing a moment of joy? Isn't it possible that you would register both? And that the emotion that is valid for you and a small handful of people within this very specific context makes up for the artistic absence?"

This is precisely right! I would register both a (negative) feeling for the photographic aesthetics and a (positive) feeling about my child. And a small group of people who know my children would register the second feeling, too (they might not register the first feeling, unless they too have The Photographer's Eye) - but most viewers would have either just the first feeling ("that photo sucks") or they would have the first feeling together with a generic feeling of affection toward a child at Christmas.

Why does my feeling about this (hypothetical) photograph differ from the feelings of the multitudes who might view the photo on flickr? Because of the first axiom of identity:

IDENTITY IS SUBJECTIVE

Umberto Eco has said that a novel is a machine for generating interpretations; the same thing is true of a picture. But which interpretation a picture generates depends on one's experience.

When I see a picture of my own child, I recognize the child. Because of my experience, I know a rich, detailed story about the child, and I associate the picture with that story (the story is, from my point of view, my child's identity - since An Identity Is A Story).

A stranger - someone who doesn't know me or my children - has nothing to associate with the picture when she sees it, but she has to react anyway.

Because the stranger's experience does not provide her in advance with a story to go with the picture, she has two choices:

She can associate the picture with a generic story which seems suitable to the content of the picture (here she may be using something like a Norman Rockwell painting of a child opening Christmas presents as an archetype).
She can have a purely aesthetic reaction to the picture, without thinking of any story at all.

The picture doesn't contain either my version of my child's identity story or the generic story which the stranger makes up when she sees the picture; it's just kind of reference to those stories. Over time, more and more people either forget the stories, or forget what the subject of the stories looked like; this tends to disassociate the picture from the stories and make the picture less useful as a reference. (I remember a photo.net thread which asked "what do you most wish were in old pictures?"; the best answer was "name tags".)

There's an important lesson here for people who want to use biometrics as identifiers; biometrics are essentially pictures of people, and people change over time. The practical effect of this is that the biometric database, over time, will tend to "forget" what the subjects of its stories look like (because it will be relying on old pictures) - and indeed one of the design parameters for biometric systems is the rate at which peoples' physical features change.

In fact, of course, everything about a person changes over time - his physical appearance, his attitudes and beliefs, his creditworthiness, his address, his name (OK, more often her name), his bank account number, his employer, and so on. This is in fact our second axiom of identity:

IDENTITY CHANGES OVER TIME

This is blindingly obvious if you think about it; if An Identity Is A Story, then of course an identity will change over time - because the story keeps developing (unless you're reading some awful psychological novel or play where nothing ever happens).

But let's leave discussion of the second axiom for a future post. We haven't yet exhausted the riches of Eco's observation that a story is a machine for generating interpretations.

Anytime there's a story, there's also a storyteller and an audience. The storyteller has an intention in telling the story - just as I have an intention in taking a picture. But the members of the audience don't necessarily know what that intention is, and they don't share all of the storyteller's experiences; they bring their own attitudes and experiences to the the campfire around which the story is told.

Each listener's attitudes and experiences generate a unique interpretation of the story, just as Eco observed. And this means, of course, that if I tell an identity story, each member of my audience hears a different identity story. So when our first axiom says that IDENTITY IS SUBJECTIVE, it's not just saying that different observers know different parts of the same story. Even if two listeners hear exactly the same story, each of them feels and remembers a different story.

If you think about it, this is why more than one credit agency can exist; if all credit agencies had the same algorithms for taking information about me and turning it into a credit report, or a credit score, then they would all be delivering exactly the same product, and there would be no basis (except price) for competition and no reason to consult more than one agency. It's precisely the subjectivity of identity that creates the possibility of, and the need for, competing services.

Eco is careful to note that no interpretation should be considered privileged or canonical (as indeed the credit agency example makes clear; if one agency's interpretation were correct, that agency would be able to put the others out of business quickly).

The storyteller's own interpretation is particularly suspect (Eco writes "The author should die once he has finished writing. So as not to trouble the path of the text.") What he's saying here is that interpretations are essentially subjective - that there can be no such thing as a true interpretation. And this too is true of identity stories; certainly the person the identity story is "about" is an unreliable narrator - he's got too much invested in the happy ending to be trusted to give us the unvarnished truth - but he's also the only one who knows all the facts!

The Photographer's Eye

2005-08-26T21:08:00.000-05:00

Go visit flickr. Pick out a photo with some people in it (pick one where they're looking at the camera). Now let me describe what you're looking at.

There are two to five people in the photo. Some probably have their arms around each others' shoulders or waists. They're looking straight into the camera. Probably there's a beach, or a picnic table, in the picture. Or maybe they're inside, possibly at a restaurant table, with their faces brightly lit because of the flash and the background hidden in shadow. Wherever they are, they're smiling broadly.

There's other stuff in the picture too. maybe half-finished plates of food, or a 4-wheel drive vehicle, or toys and a plastic wading pool. Maybe there's even a power line entering the right side of the back of someone's head and exiting the neck on the left side, like the Warren Commission's magic bullet.

What exactly is going on here? I asked my friend Pam about this yesterday, and she gave me a great answer, which started me thinking...

My questions to Pam were:

Who are these pictures for?
What are these pictures for?

She got it right in one try: who they are for is the photographer and his or her friends (they're not for you and me), and what they are for is to recall the scene to the mind of the audience.

In other words, there are really two pictures: the picture you and almost everyone else on the Internet sees on the screen, and the picture the very small group of people who were actually there at the time the picture was taken see in their minds.

Now the interesting thing is that while you and I see the assassin's power line, the Nissan Pathfinder, and the half-eaten Pad Thai, the people in the intended audience do not see these things. The first picture - the thing on your screen - is just a mnemonic to them; it's the Platonic shadow of the second picture (the "real" picture in their minds). When the people in the intended audience look at the first picture, they see the second picture.

I couldn't understand why people were putting these pictures on flickr, because I have a particular type of brain damage which caused me to forget that the second picture exists. The type of brain damage I'm referring to is "the photographer's eye".

I've been photographing things for a long time. When I started photographing things, my photographs were mnemonics, like the ones on flickr.

If you photograph long enough, however, you'll eventually have the experience I had: you'll take a "real" photograph. What I mean by a "real" photograph is one which does not require the viewer already to have the real photograph in her mind in order to see the real photograph.

This experience of duplicating the real photograph you have in your mind with the one you put on film changes the way you see forever. Like certain psychotropic drugs, it actually re-wires your brain.

This brain damage makes you look at pictures differently. Because you know it's possible to make the mnemonic (the picture on screen, or on paper) look like the "real" photograph in your mind, you start to think about the picture in your mind and make sure there's nothing that doesn't look like it in the viewfinder before you press the shutter button. So when you see a Nissan Pathfinder, you walk around until it isn't in the picture.

As the condition progresses, you spend more and more time moving around and fiddling with the camera to make sure that what the film sees is what's in your mind. I take pictures of my friends like everyone else does, but they don't look like the ones on flickr. When I take a picture of Pam at a conference we're both attending, for example, it looks like this:

I didn't use a flash, or studio lights, or a fancy background, for this photo. I just asked Pam to sit next to a window, fiddled with my (manual) camera settings a bit, and took the picture. What you're seeing here is what I saw. But unlike most of the pictures you'll see on flickr, you're not also looking at whatever else happened to be in the area when I saw what I saw.

(Full disclosure: I did a little dust removal in Photoshop, took out a stray hair or two, maybe touched up the odd mole, and cropped the picture from 24x36 proportions to 8x10 so that it would print on standard photographic paper - but otherwise you're looking at what came straight out of the camera.)

My picture is better for me than the ones on flickr, because the brain damage has rewired the part of my brain where the mnemonics live. I still take mnemonic pictures, by accident, because it's hard to take a "real" picture. But I don't post them on flickr - I just file them away in their little boxes in the closet. They annoy me, because instead of making me recall the scene, they make me think "the scene didn't look like that!", which makes me feel like I've failed as a photographer.

My picture is better for you too, especially if you don't know Pam. It's better for you because you don't have to read my mind ("Was the photographer looking at the girl, or at the Nissan Pathfinder?"), and you don't already have to have a picture of Pam in your mind, to figure out what I saw. I removed everything that wasn't what I saw from the picture before I took it. All that's left is what I saw, so that's what you see - even if you weren't there at the time and even if you've never met Pam.

An Identity Is A Story

2005-08-22T14:24:00.000-05:00

Ceci n'est pas un Bob.

After thinking for a long time about Kim Cameron's Laws of Identity, I gave a talk on Identity at the Burton Group's Catalyst conference last month. Jamie Lewis and Kaliya Hamlin (who blogged my talk) approached me after the session and urged me to start my own blog in order to join the online identity discussion. If you like what you read here, you should thank them for pushing me past my deep ambivalence about blogging.

Here's a little taste of what you might see here at ceci n'est pas un Bob over the next couple of weeks.

I think identity behaves in consistent and predictable ways in the real world, BUT most contemporary discussions of identity are completely out of touch with what identity really is and how it really works. To understand how identity behaves, it's necessary to distinguish the different uses people make of identity, and consider each of those uses individually.

I think a set of axioms of identity can be defined which describe what identity can and cannot do, and what it will and will not do in particular circumstances. We can enumerate these axioms by looking at centuries of thought about identity and examining that thought in the light of situations which occur in the real world today.

I think that systems designed with the axioms of identity in mind will be more effective than systems designed without regard for the axioms.

I think that the axioms define how identity and privacy are related, and can help illuminate when we can determine identity, when we can protect privacy, when we must choose, and when we are out of luck on both counts.

As usual, it's best to start with definitions.

IDENTITY

The problem of identity has a long and difficult history. Nietzsche, surveying that history, threw up his hands:

"Belief in the identity of different things, or in the identity of the same thing at different times, is a fundamental philosophical error"

This was already an old idea in the East, of course; Buddha denied the existence not only of identities but even of things before 500 BC.

The West conducted a nuanced discussion of identity for centures, until the industrial state decided that identity was a number you were assigned by a government computer. Aristotle's tortured treatment in the Topics set the stage for centuries of debate about what exactly it is that is "identical" in the identity of a person.

Serious modern discussions descend from book 2, chapter 27 of Locke's "An Essay Concerning Human Understanding", which distinguishes between the identity of a body, the identity of a man, and the identity of a person, and which makes the argument that the last of these is what is of interest in cases of law, because without continuity of memory and intent, there is no rational basis for the assignment of praise and blame.

Literature has mined the philosophical discussion deeply; mistaken identity is one of the great themes. Think of Twelfth Night, Dr. Jekyll and Mr. Hyde, The Man in the Iron Mask, Zorro, The Phantom of the Opera, and The Picture of Dorian Grey, for starters. If you haven't read it, Christopher Priest's "The Prestige" is a great recent addition to the genre.

If you want to follow the philosophical discussion into the modern day, start with "The Identities of Persons", by Amelie Oksenberg Rorty.

You should want to follow the discussion, because the twentieth-century statist notion that each person has an unchanging identity which can be observed by a third party (for example, a clerk at the Department of Motor Vehicles) and with which a number can be uniquely and persistently associated has broken down, and the consequences of the breakdown are intruding on your personal life, liberty, and privacy right now.

Don't believe me? Let's look at an example. ICAO is in the process of finalizing standards for incorporating biometrics into passports. The motivation for putting biometrics into passports is that better identification will help in "the war on terror". If the problem in the war on terror were preventing known terrorists from crossing national borders at official checkpoints using genuine passports issued in their own names, biometric passports might help.

But let's look at something Rorty says in her introduction:

"Why are we interested in someone being the same person, and not merely the same human being or physical object? One reason is primarily retrospective: we need to know whom to reward and whom to punish for actions performed when "they" were acknowledgedly different in some respects from the present population. But we have more forward-looking reasons as well: we want to know what traits remain constant so that we can know what we can expect from the persons around us. We assign crucial responsibilities to individuals, assume important continuing relationships to them in the belief that certain of their traits are relatively constant or predictible."

If you buy this argument, you're forced to conclude that "whether a person is the same physical object as at some past time" (which is what a biometric sensor measures) is not what you need to know, either to punish the person for a past misdeed or to predict whether they're going to do something bad in the future.

How much taxpayer money are you willing to spend on biometric passports before you know whether you believe this or not?

In the National Academy of Sciences Committee on "Authentication Technologies and their Privacy Implications", we tried to define terms like "Identity", "Identifier", "Attribute", "Identify", "Authenticate", and so on - as a contribution to settling these arguments before systems began to be designed and deployed. If you're interested in the topic you can read our entire report; if you want to keep up with the identity discussion you can just take a look at the definitions.

I still like our definitions very much, but I'm going to venture my own personal (new) definition of "identity" here. I think it's consistent with the committee's definition, but it's a lot catchier:

AN IDENTITY IS A STORY

It's that simple. One of the reasons it's simple is that I've left out lots of things which are commonly but falsely assumed about identities.

For example, I might have said "An identity is a story about a person". But this overconstrains the definition: lots of identities exist which are not stories about people. You know many of them:

Captain James Tiberius Kirk
Lara Croft
The current King of France

I might also have said "An identity is a true story". But of course truth isn't a requirement for identity attributes. The only time Richard Nixon ever told you "I am not a crook" was after he had committed a crime but before he was pardoned for it. In almost every identity story, some elements are true, others are false, and others have an indeterminate status (that is, people disagree about whether they are true or not, but there is no way to settle the argument).

John Demjanjuk has been associated with at least three identity stories. These stories are inconsistent with one another, so they cannot all be true in all their particulars, but courts in two countries on different continents have been unable after extensive investigations to pick the stories apart and determine what's true and what's false.