Regulatory Humility : yet another brilliant Larry Lessig Talk

Simply Brilliant!

Larry Lessig delivered a brilliant talk (Internet is Freedom) at the Italian parliament on March 11, 2010, acknowledging the “either / or mistake” that prevails and leads to “extremism rules”, stressing the “cost of mistrust” towards learning “regulatory humility”. This is fundamental for the sake of our children and the information society we want them to inherit.

Unfortunately, no tangible sign of such humility anywhere around the world (be it © reform, anti counterfeiting agreements, three strike approaches, HADOPI, LOPSI 2, Digital Britain bill, etc.).

In my research domain on DRM technologies, I’ve been struggling with this for several years now with limited success arguing there is a need for “managing exceptions” in DRM environments as a middle ground between the © freaks and the abolitionists (holding yet another Day Against DRM on May 4th, 2010 among other initiatives).

Society has stopped thinking critically and creatively. I suggest March 11th should be marked as the “Day of Regulatory Humility”, engaging people around the world to take a step back and to humbly and critically look at the issues their respective parliaments are working on. March 11th, 2010 : The First Day of Regulatory Humility… 360 days left to organize the 2011 edition. Care to join ?

Don’t take my word for it, and do spare the 37 minutes to listen to the talk :


BRAVO Larry and thanks for all the inspiring work you do.

Source :

Follow up article in La Stampa (translated in The Huffington Post) :  “20th century media government burdening 21st century media is a pattern followed by too much of the world already

18 year old Swiss-Italian girl sentenced for illegal file sharing

In Ticino an 18 y.o. girl was judged and sentenced for illegally sharing her favorite movies (270) and songs (4’200) over the Internet. She did not appeal. The judgment is now in force and is likely to be a major precedent for future cases (jurisprudence). A short TV news brief was aired on January 7, 2010 on Swiss television.

This raises several key concerns :

First, in the case of Switzerland, downloading is not illegal but sharing copyrighted content over the Internet is. This is different from other countries such as our French neighbors for example who will (try to ! ) track illegal downloads of copyrighted content through ISPs implementing a Three Strikes approach with the HADOPI law. Etc. As a result, we live in this paradox of a world where the Internet is the most extraordinary example of something global for the greater good but artificially constrained by totally ineffective and contradictory laws which are in essence territorial, thus useless on a global scale.

Equally worrying is the Bounty Hunter approach ! Some countries, like Switzerland, will prosecute based on private companies reporting cases regardless of privacy concerns. Such a situation is extremely worrying as it leads to questioning the legitimacy and means of action of a system relying on private sector / interest group triggered justice. Companies such as Swiss based Logistep AG have built their business on such situations. In most cases they will use intimidation towards an out of court settlement based on warning letters threatening to bring the case to court. People often comply fearing a trial.

Finally, the disproportion of sanctions compared to the actual situation of ordinary people who aren’t the real criminals after all. We’re looking at penalties in the order of 3 years imprisonment or 100’000 CHF in the case of Switzerland. For crying out loud, at that level one would be more comfortable running a real piracy powerhouse in Asia or any Internet safe haven. I’ve always been amazed to see how the entertainment industry has been going after the small fish, trying to preserve obsolete business models and repeatedly failing to see the true opportunities exhibited by disruptive technologies such as the Internet. Not to mention the feeling that the industrial pirates seem to enjoy business as usual situations in almost total impunity.

We need to work something out. It requires re-thinking a few things creatively. There are alternatives out there and we just need to reach out to do something:

New Business Models and their corresponding services need to be launched. The Internet is here to stay. The whole entertainment industry needs a deep change taking into account the people (and what they want) and the technology as an opportunity. We now live in a service driven economy characterized by its global, participative and dematerialized nature.

Inform and train our youngsters very early on. Our children are now Digital Natives. They were born after the Web, they grew up with the mouse in one hand, the Internet as their TV and their cell phones as radios. It’s not by criminalizing them that we’ll get this right. They sample, share, participate, mix and remix with what we’ve given them ! We should not forget this. Our legacy for them is their playground ! What information society do we want them to live in ? Education and training are and will always be key elements of progress for mankind.

Public policies also have a key role to play in setting the guidelines prior to enacting new laws that are often useless or simply obsolete by the time they come into force. In the current situation it is clear that whatever laws countries enact, they are bound to be useless given the global nature of the Internet.

Do we need a Universal Declaration of Digital Rights AND Obligations ? Maybe, but this would require tremendous efforts to work on sometimes conflicting interests and values to be shared for the future of our digital society. Moreover it would have to be ratified by a significant number of countries in order to create the required level of pressure on reluctant countries. Would the UN be a suitable place for such a proposal or are we at a time that requires considering creative alternatives ?

One we’ve been hearing about for some time now is the creation of a new State without physical land. A Digital State of which anyone would automatically be a citizen, thus providing Digital Identities, passports, etc. A sort of confederation (an idea we love in Switzerland) where member states would join their efforts on all digital matters that are global in essence. It could also have its own institutions, courts and procedures.

Food for thought, please feel free to react, comment, oppose, disagree, contribute or start something !

Long Time, No Blog … Short Update and Best Wishes for 2010

Haven’t blogged much this year, not that I didn’t have plenty to say and talk about but as most of us may feel : time flies 😉

It’s been a busy year so I’ll update with a few posts on some noteworthy things and events, starting with my Best Wishes for 2010 while this is still timely 😉

Feel free to comment, react, challenge and have a great year !



Greetings 2010

The “Three Strikes and you’re Out” law… Wrong assumptions lead to bad solutions and generate obnoxious laws!

I thought we would be out of the woods last April when the European Parliament rejected the idea of any form of “three strikes” laws across Europe. Unfortunately, here goes the French Senate again with the “Three Strikes and you’re Out” approach to address the issue of copyright and illegal P2P file sharing over the Internet. The basic argument underlying this is that Internet based P2P file sharing of copyrighted work will basically kill creativity and put the whole industry at risk or halt.

The planned law proposes a gradual and proportionate answer in three steps. The first step requires the ISP, on behalf of the HADOPI (Haute autorité de diffusion des oeuvres et de protection des droits sur internet), to warn the user by email. In case the user repeats the offense within six months a second warning is sent both by email and by registered mail. Finally, if the user does it again within the year after the second warning, HADOPI can either order the Internet access to be suspended for three months to one year or order the user to take measures preventing further infringements. ISPs in this context will have to comply with such new laws and not only spy on their subscribers but also collaborate with the legal authorities.

Several points need to be stressed about this :

First, this goes against the European Parliament positions on this issue arguing that it would go against civil liberties, human rights and the principles of proportionality, effectiveness, and dissuasiveness. A recent vote on the issue led to the position that it would require a court order to disconnect someone from the Internet. In the 21st century, Internet access has become a vital commodity like water or electricity. One cannot reasonably ban someone from the Internet ! People depend on it to work, bank, trade, find jobs, socialize, shop, telephone, etc.

Second, such a law will be totally ineffective. By the time it comes into force and can be applied there will already be dozens of ways to circumvent it technically using infrastructure outside national jurisdiction and encrypted networks.

Third and most notable is that we are working with the wrong paradigm. The whole industry is working under the assumption that the user is presumed criminal. The rights holders have barely accepted the idea of “managed copying“. The DRM technology providers basically implement what the industry tells them to do. Consequently, what can you expect from the public policies and legal framework : the above mentioned kind of laws.

The fundamental assumption wrongly postulates that the threat comes from the user and consequently turns him into a presumed criminal. Under such a hypothesis it is no wonder that DRM technology providers implemented DRM solutions based on strong cryptography, shifting the burden towards the users. With the impulse coming from a media industry refusing to see the transformation of their industry as an opportunity rather than a threat, the requirements were naturally mapped on old patterns of copyright coming from the pre-Internet age.

In this context, it is no wonder DRM opponents and activists justifiably argue that DRM is “defective by design“. And I have to fully agree, even though I am a researcher in DRM, as long as the users will be considered criminals a priori.

So the true question is not how to ditch DRM and copy protection, as often argued by Cory Doctorow, but rather how to approach the problem with the right assumptions and consequently the right business models (e.g., Apple iTunes Plus DRM free content). Such an assumption puts the user back where he belongs, in the center of the model, and trusts him (the criminals are not who the media industry thinks they are). In doing so, DRM can be approached in a totally different way : enhancing user experience (which to the best of my knowledge is a key success factor in this industry). Work has been done in this area with models for managing exceptions in DRM environments, but the media industry just doesn’t want to see it and is still on a witch hunt trying to preserve an industry which has already changed whether they like it or not.

I want to close this blog post illustrating the negative impact of law on creativity quoting the brilliant TED Talk of Larry Lessig (March 2007).

In law, there is a basic principle that often applies called the burden of proof (onus probandi) applicable to the plaintiff to prove his allegations.

In other words and in this context, shouldn’t lawful use be presumed, unless otherwise proven by the right holder ? But this is common sense “a rare idea in the law! ” quoting Larry Lessig.

Information Security Management : A Wake Up Call !

A great article by Thomas Kendra (Symantec) posted in the Financial Times, Digital Business, Personal View (Dec. 5, 2007) urging for the need to adopt a “fresh approach” to information security management given the new challenges posed by our modern organizational structures. These now involve increasing interorganizational processes, insider threats and ubiquitous computing infrastructures. Obviously, this is “music to my ears” given my research interests in Enterprise DRM and Digital Policy Management (DPM).
Basically the whole point addresses the issue of how to go beyond current security approaches which are now insufficient and consequently fail given these new challenges. Or in other words, how do we address the current weakest link of information security basically boiling down to People and Mobility. And as we all know, security is only as good as its weakest link.

So, despite the “YouNameIt++ frenzy” (trend consisting of giving and incrementing version numbers to reflect the next generation of challenges in a topic, e.g., Web 2.0, Web 3, Identity 2.0, etc.) he calls for “Security 2.0” saying it builds on traditional security (Security 1.0) adding protection at the level of the information itself and the interactions.

Interestingly, Enterprise DRM is currently one of the possible technologies used in the corporate environment to address some of these issues, trying to persistently protect and manage content no matter where it resides (i.e., including outside traditional corporate perimeters). As a result, this brings the granularity of the protection down to the individual information level by cryptographically associating governing rules to the content. Moreover, given the criticality of the managed content, it is also possible to dynamically adapt those rules in real time, making it possible to basically “recall” content if needed.
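The mechanism described above, as an added example (not code from the article or from any Enterprise DRM product): content is encrypted under a per-document key, the key is released only when the current rules allow it, and changing the rules "recalls" content that has already left the perimeter. All names (`protect`, `requestKey`, `open`, `recall`) and the in-memory policy server are hypothetical.

```javascript
// Added illustration with hypothetical names; not a real Enterprise DRM API.
const nodeCrypto = require("node:crypto");

// Policy server state (in memory for the demo): content keys and current rules.
const keys = new Map();
const policies = new Map();

// Encrypt with a per-document key. The document id is authenticated as AAD,
// so a package whose id has been altered fails to decrypt.
function protect(docId, plaintext, policy) {
  const key = nodeCrypto.randomBytes(32);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(Buffer.from(docId));
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  keys.set(docId, key);
  policies.set(docId, policy);
  return { docId, iv, ct, tag: cipher.getAuthTag() }; // travels with the file
}

// Decision at open time: the key is released only if the rules allow it now.
function requestKey(docId, user) {
  const p = policies.get(docId);
  if (!p || p.recalled || !p.readers.includes(user)) return null;
  return keys.get(docId);
}

// Client side: ask for the key, then decrypt and verify the package.
function open(pkg, user) {
  const key = requestKey(pkg.docId, user);
  if (!key) return null;
  const d = nodeCrypto.createDecipheriv("aes-256-gcm", key, pkg.iv);
  d.setAAD(Buffer.from(pkg.docId));
  d.setAuthTag(pkg.tag);
  try {
    return Buffer.concat([d.update(pkg.ct), d.final()]).toString("utf8");
  } catch {
    return null; // authentication failed: tampered content or swapped id
  }
}

// Adapting the rules in real time: no further key releases for this document.
function recall(docId) {
  policies.get(docId).recalled = true;
}
```

Recall in this model only stops future key releases; a client that already holds the key or the plaintext is outside its control, which is why such systems depend on a trusted viewer.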

Our environment cannot rely anymore only on perimeter based security, Access Control, and secure communication channels. We’ve passed the point of no return and need to address information security in a way that accommodates current and future business practices.

Two problems arise here : First, interoperability and the lack of standards in the field of Enterprise DRM. We cannot rely on vendor specific proprietary solutions. Second, most deployed solutions today address specific needs in siloed approaches (e.g., SOX, Basel II, HIPAA, IP protection, etc.). As a result, the field needs to take a step back and rethink the whole problem at a higher abstraction level in terms of Policies and how they are managed, some of which may be electronically instrumented through technical means (e.g., Enterprise DRM). This is Digital Policy Management, an emerging and very important research area I’m working on. I have set up a page for this in order to generate and stimulate discussion on these issues here: The Digital Policy Management (DPM) Page. Everyone is welcome to join the conversation (practitioners and researchers) on all aspects of the problem (engineering, management, legal, social, ethical, behavioral, etc.)

Source :, Dec. 5, 2007, New Threats call for a fresh approach, Personal View by Tom Kendra,