Opposition to government’s Digital Economy bill grows


Government’s proposed ‘three strikes’ rule would damage business, say hotels and public institutions

Opposition to the government’s digital economy bill has increased sharply, with strong criticism in the House of Lords for its failure to offer “due judicial process” to people accused of illicit filesharing under the proposed “three strikes” rules of the bill.

Outside parliament, hotels and educators have complained that the bill also endangers their businesses and provision of the internet to the public because of its insistence that organisations providing net access should be liable for the actions of their customers.

The digital economy bill, which is being sponsored by Lord Mandelson through the Department for Business, Innovation and Skills, is a broad-ranging bill covering digital spectrum, greater powers for Ofcom, legislation over copyright infringement via the net, and the enabling of better access nationwide to faster internet connections.

The bill proposes a “three strikes” rule which would mean that persistent copyright breaches would lead to disconnection from the internet. The aim is to reduce illicit filesharing by 70%. But in a letter (PDF) to Lord Puttnam, representatives from institutions such as the University of London, British Library and the Imperial War Museum, said: “Because public institutions often provide internet access to hundreds or thousands of individual users, the complexity of our position in relation to copyright infringements must be taken into consideration.”

The letter says that the bill is unclear about the role of “intermediaries” such as libraries.

The letter added: “If this is not done, a public institution such as a library, school or university’s internet connection as a whole could be jeopardised, resulting in loss of internet access to large sections of the public, particularly the 15 million citizens without an internet connection at home.”

Meanwhile, the British Hospitality Association (BHA), which represents thousands of hotel, catering and leisure establishments, worries that the requirement in the bill for hotels to provide guest details to an internet service provider (ISP) where copyright infringement is alleged could be impossible in some cases – and that hotels might be disconnected if guests are persistently infringing copyright.

Disconnection would endanger a hotel’s business, which the BHA said would be a “grossly unfair consequence” of a guest’s action.

“If it is passed in its present form, the difficulties of applying this bill to the hospitality industry, with its transient profile, appear not to have been considered,” said Martin Couchman, deputy chief executive of the BHA.

The Lords’ Joint Committee on Human Rights (JCHR) notes in a report published on Friday (PDF) that “at the moment the Bill defines a process of appeals with no presumption of innocence” and that “[this] process will be applied irrespective of the sanction or evidence.”

That, they say, goes against natural justice, which should start with the presumption of innocence and the onus on the prosecution to prove guilt. “In the particular case of disconnection – which is a severe punishment – the need for a prior hearing based on an innocence presumption is unquestionably essential,” the committee writes.

The Open Rights Group, an advocacy group, is backing the industry groups’ call for a guarantee that they will not become victims of the new legislation – as well as other venues in similar positions – and encouraging more people to protest at the provisions of the bill.

Jim Killock, ORG director, posted on its website: “The situation is exactly parallel for cafés, bars and hotels, as well as community centres: if you are involved in any of these you should make your views known to the front bench teams now.”

TalkTalk, one of the three largest broadband providers in the UK, has criticised the bill on the basis that it assumes guilt, and is unworkable in practice.

In November, soon after the bill was originally published, Lilian Edwards, professor of internet law at Sheffield University, pointed out that the bill, as currently set up, threatens the British Library with its public Wi-Fi access, with potentially swingeing fines:

“The [British Library] is not set up to be a forensic investigator; obliging it to act as one will be a fantastically resource intensive exercise for a public body providing a free service. There is also an issue of privacy and anonymity, something academic researchers are often touchy about. And again, if the BL refuse to comply – or more likely, simply says it can’t – it is, at least in theory, subject to a fine up to £250,000.”

Whether that possibility applies has not yet been clarified in the bill.

However, it is unclear whether the bill will succeed in passing through parliament, given the limited time left before the election must occur, and the amount of opposition that it is attracting from groups inside and outside parliament.

guardian.co.uk © Guardian News & Media Limited 2010 | Use of this content is subject to our Terms & Conditions | More Feeds






Google, NSA to tackle cyber attacks


Internet groups fear alliance means US government could access personal information

Google’s decision to enlist the help of the National Security Agency in tackling cyber attacks has caused alarm among internet groups and bloggers, who fear that users’ personal information could be accessed by the US government.

The Washington Post reported yesterday that the internet giant had turned to the NSA, which conducts surveillance and codebreaking for the federal government, in the wake of a cyber attack it believes came from China.

The agency is responsible for securing the US administration’s computer networks against similar breaches, and is said to be helping Google to understand and analyse the attacks.

Sources say that the agreement will not allow the NSA to view users’ searches or access email accounts, but the deal has angered some members of the online community.

The Electronic Privacy Information Centre, a public research centre based in Washington, has filed a freedom of information request seeking details of the agency’s relationship with Google.

“Google and NSA are entering into a secret agreement that could impact the privacy of millions of users of Google’s products and services around the world,” the centre’s executive director Marc Rotenberg told the New York Times.

Sam Diaz, blogger and senior editor at ZDNet, a technology website, said he felt “squeamish” about the possibility of information sharing between Google and the government, and was sceptical about the NSA’s ability to help protect the company’s infrastructure.

“I mean no disrespect to my country or my government but I have to ask: Is Washington really the best choice if you’re looking for help with something as serious as cyber security?” he wrote.

“After all, I wouldn’t exactly place any Washington agency at the cutting edge when it comes to fighting what was referred to as one of the most sophisticated cyber attacks experts had ever seen.”

Andrew Beal, writing in Marketing Pilgrim, said: “Big brother just partnered with big brother.

“While it’s unlikely that Google’s going to hand over any user information, I still don’t like how close – and how quickly – Google is snuggling up with perhaps the scariest of all government agencies,” he blogged.

Referring to the NSA’s monitoring of the email and telephone calls of thousands of Americans after the 2001 terror attacks, Beal wrote: “This is the same agency that tapped your phones and emails without a warrant after 9/11. We’re supposed to feel confident it won’t take a poke around Google’s sensitive data?”

Noah Shachtman, writer of Wired magazine’s national security blog Danger Room, described the NSA as a “particularly untrustworthy partner”.

“We all know that Google automatically reads our Gmail and scans our Google calendars and dives into our Google searches, all in an attempt to put the most relevant ads in front of us,” he wrote.

“But we’ve tolerated the automated intrusions, because Google’s products are so good, and we believed that the company was sincere in its ‘don’t be evil’ mantra.”

Shachtman said Google’s pledge that its agreement with the NSA would not compromise user data was “hard to believe, given the NSA’s track record of getting private enterprises to co-operate, and Google’s willingness to take this first step.”

The company said it was subject to a “highly sophisticated and targeted attack” in December 2009, which it said originated from China. In January, Google said that it was no longer willing to censor search results on its Chinese service.



Hacking into the mind of the CRU climate change hacker


Analysis suggests the hacker was on the east coast of America and operated over a number of days, but much remains unknown

Figuring out who was behind the hack of the Climatic Research Unit (CRU) at the University of East Anglia requires some digital forensic skills – and an insight into the mindset of those who were trying to get at CRU’s files at the time.

Analysis by the Guardian and digital forensics experts suggests that an outside hacker gained access to a server at the UEA which held backups of CRU emails and a collection of staff documents. It also suggests the access occurred over a period of days, if not weeks, and was carried out from a computer based on the east coast of North America.

The release of hacked emails and documents came just months after climate change sceptics had filed more than 50 freedom of information requests querying the CRU’s refusal to release raw data and program code during the summer.

Egged on by a group of sceptical bloggers, the requests almost all began with the words “I hereby make a EIR/FoI request in respect to any confidentiality agreements restricting transmission of CRUTEM data to non-academics involving the following countries.” Others sought “a copy of any digital version of the CRUTEM station data set that has been sent from CRU to Peter Webster and/or any other person at Georgia Tech”. All were refused under FoI exemptions because of commercial confidentiality.

Into that silence came the release of the archived “zip” file by someone with clear hacking skills: first they grabbed the files, then they broke into the RealClimate blog to upload the archive and prepare a draft post; then, when that was thwarted, they uploaded it to a Russian website, and posted links to it on climate sceptics’ blogs using web servers located in Saudi Arabia and Turkey.

That sequence of events led Sir David King, the government’s former chief scientist, to say that it must have been “carried out by a team of skilled professionals, either on behalf of a foreign government or at the behest of anti-climate change lobbyists in the United States”. But he quickly backed away from that statement, admitting he had no inside information.

The Guardian’s analysis shows that a small group of just four of the scientists from among the dozens employed at the CRU were targeted in the sifting of email. They are: Phil Jones, the head of the CRU; Professor Keith Briffa, who studied tree rings; Tim Osborn, who worked on climate modelling for modern and archaeological data; and Mike Hulme, director of the Tyndall Centre for Climate Change Research. All are either recipients or senders of all but 66 of the 1,073 emails, and almost all the rest are sent from mailing lists, such as the Met Office’s “scenarios” listing, to which at least one of the four would certainly belong.

A few remaining emails are sent by, or to, other CRU staff – indicating that the hacker had access to a backup server holding CRU emails dating back to 1996. That it is a backup is confirmed by the presence of a duplicate sent to Osborn: separated by one second, both have the same document attached, but from different machines. That suggests that the UEA’s system administrators had backed up emails from CRU staff’s machines onto a server – and that the hacker got into it, and also got at a set of documents held on the same machine.

Jones, Briffa, Osborn and Hulme had been the focus of sceptics’ ire because their high-profile scientific papers had been used to back the IPCC’s reports on global warming. At the same time they had declined to release either the data (citing commercial agreements with suppliers) or the computer code they had used to analyse that data and draw their conclusions, to the frustration of many outside academia who wanted to repeat – or discredit – the work.

Early speculation that the release of the emails and documents came from a one-off hack also appears to be wrong. Digital forensic analysis shows that the zipped archive of emails and documents was not produced on a single date. Instead it was created by copying the files over a number of weeks, with bursts on 30 September 2009, 10 October and 16 November. On the last date a folder of computer analysis code by Osborn was added to the package.

The digital forensics on the files indicate that they were created on a computer set at some times four hours behind GMT, and at others five hours behind, which places the hacker on the eastern seaboard of Canada or the US.

Then early on 17 November, RealClimate’s blog was hacked, locking out legitimate administrators, and the hacker tried to create a blogpost claiming that global warming was a myth, and enclosing the emails and documents.

Gavin Schmidt, one of the RealClimate administrators, says that “my information is that it was a hack into [CRU's] backup mail server”.

But who was the hacker, and what were they after? Jeff Condon, who runs the climate-sceptical Air Vent blog – which posted one of the links to the archive – told the Guardian that the content of the emails and documents actually points to someone who is not expert in the topic.

Referring to an email it includes from Tim Osborn which says “we usually stop the series in 1960”, Condon says that: “The only interesting detail in that email was the data, but that’s not what the person wrote. What that means to me is that whomever posted these emails doesn’t have a terribly deep understanding of the issues in paleoclimate science. Although the emails themselves featured some scientists who do know the issues and had some very nice details in them.

“Therefore if it’s an inside job, it’s likely not by a paleo or climate grad student, definitely not by a scientist,” Condon said, adding: “If it’s an international conspiracy I would have guessed someone on the team would know the science better than that.”

But how would an outside hacker get in? Although UEA has security in place, it has seen a number of accidental security breaches of the UEA system in the recent past. On one occasion a server was configured wrongly, so that anyone outside doing a search would “fall through” to directories of files. (UEA closed that hole after being alerted about it.) A misconfigured server could have left just the hole that a capable hacker with a determination to find the data being denied via FoI requests could have exploited. But they are not government-class skills.

So what was the hacker looking for, and how? Besides the clear targeting of the four scientists, it is obvious that this is not the entirety of the CRU’s emails: there are none of the routine administrative messages about fire alarms, holiday reminders and so on. Therefore the emails have been filtered. One quick way to see into the hacker’s mind is to use “concordance analysis” – examining what the common words or phrases are in the emails and documents. Though usually used in linguistics to compare translations or the frequency of words, concordance software can be used to demonstrate authorship of papers, by combining a “stoplist” of words to be ignored (such as “the” or “and”) with a straight analysis of the frequency of words in the text.

Concordance analysis of the emails suggests that the hacker did some careful sifting. But working out precisely what was sifted is complicated by the fact that this is the wheat – not the chaff. For instance, the hacker has clearly removed standard words such as “holiday” – except where they appear in emails to or from Jones, Briffa, Osborn or Hulme. There’s no other way to explain how such a comprehensive catalogue has so few emails about time off.

Instead, emails with the words “data”, “climate”, “paper”, “research”, “temperature” and “model” prevail, according to a concordance plot. That may have been precisely what the hacker was looking for – and the fact that he also ignited a controversy over techniques might have been a surprise to him as well as the rest of the world.

(Note 5 Feb 12:42GMT: the concordance analysis that was here has been moved to a separate file. We will also post a graphic of the analysis in due course.)
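
The stoplist-plus-frequency approach described above can be sketched as follows. This is an added example, not the Guardian's analysis or code: the messages, addresses, stoplist and target set are all constructed for illustration. It counts word frequencies with a stoplist, splits mail by whether a target address appears in the headers, and checks how often a routine term such as "holiday" shows up in each group.

```python
import re
from collections import Counter
from email import message_from_string
from email.utils import getaddresses

# Constructed sample messages (not taken from any real archive).
SAMPLE_MAILS = [
    "From: alice@example.org\nTo: bob@example.org\nSubject: tree ring data\n\n"
    "The temperature data for the paper is attached. The model run is done.",
    "From: carol@example.org\nTo: alice@example.org\nSubject: draft\n\n"
    "Comments on the climate paper and the research data are below.",
    "From: list@example.net\nTo: scenarios@example.net\nSubject: model update\n\n"
    "New climate model output and temperature data are on the server.",
    "From: dave@example.org\nTo: erin@example.org\nSubject: holiday\n\n"
    "I am on holiday next week and the office will be closed.",
]

# Constructed stoplist: common words ignored by the frequency count.
STOPLIST = {"the", "and", "is", "for", "are", "on", "of", "i", "am",
            "be", "will", "a", "to", "in"}
# Hypothetical addresses of interest (assumption for this example).
TARGETS = {"alice@example.org", "bob@example.org"}

def participants(msg):
    """Lower-cased addresses from the From, To and Cc headers."""
    fields = msg.get_all("From", []) + msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _, addr in getaddresses(fields) if addr}

def concordance(raw_mails, stoplist=STOPLIST):
    """Word frequencies over subjects and bodies, ignoring stoplist words."""
    counts = Counter()
    for raw in raw_mails:
        msg = message_from_string(raw)
        text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
        counts.update(w for w in re.findall(r"[a-z']+", text) if w not in stoplist)
    return counts

def split_by_targets(raw_mails, targets=TARGETS):
    """Partition messages into those involving a target address and the rest."""
    hit, miss = [], []
    for raw in raw_mails:
        involved = participants(message_from_string(raw)) & targets
        (hit if involved else miss).append(raw)
    return hit, miss

def term_coverage(raw_mails, term):
    """Number of messages whose subject or body contains the term."""
    return sum(1 for raw in raw_mails if concordance([raw], stoplist=set())[term] > 0)

if __name__ == "__main__":
    hit, miss = split_by_targets(SAMPLE_MAILS)
    print("involving targets:", len(hit), "of", len(SAMPLE_MAILS))
    print("top terms:", concordance(SAMPLE_MAILS).most_common(5))
    print("'holiday' in target mail:", term_coverage(hit, "holiday"),
          "| in other mail:", term_coverage(miss, "holiday"))
```

On a released archive, a near-total absence of routine terms combined with a very high share of messages involving a few addresses is the kind of signal the article reads as evidence of filtering.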



Labour MP Tom Watson: ‘Macs rarely crash – even when you drop them’


The first MP to start a blog, Labour’s Tom Watson, loves his Mac and wind-up radios, but the slow computers at the House of Commons drive him crazy

What’s your favourite piece of technology, and how has it improved your life?
It’s a small wind-up radio. Great for camping and supports a busy disorganised life. It always takes me beyond Sailing By on Radio 4 before slowly fading out until its morning wind up.

When was the last time you used it, and what for?
This morning. Our 20-month-old daughter, who has a habit of waking before 6.30am, likes to play with the circular handle, earning us 10 extra minutes in bed.

What additional features would you add if you could?
It already has a little torch at one end. I would probably like it to be a wind-up recording device, too.

Do you think it will be obsolete in 10 years’ time?
No, I think more people will be using them to live more sustainable lives.

What always frustrates you about technology in general?
Battery life, particularly on the iPhone. Sort it out, Steve Jobs.

Is there any particular piece of technology that you have owned and hated?
Every computer in the House of Commons library probably tops the list. They’re ridiculously slow and cumbersome, and until last week used Internet Explorer 6.

If you had one tip about getting the best out of new technology, what would it be?
Never be an early adopter.

Do you consider yourself to be a luddite or a nerd?
An apprentice nerd.

What’s the most expensive piece of technology you’ve ever owned?
Oh, that’s the telly. A big flat 46in Panasonic. Great for PS3 gaming.

Mac or PC, and why?
Mac. They rarely crash even when you drop them.

Do you still buy physical media such as CDs and DVDs, or do you download? What was your last purchase?
I’ve not bought CDs for years, but I’m hardly downloading either since subscribing to Spotify. The last thing I purchased was Joni Mitchell’s Blue for the umpteenth time. I’ve got iTunes lists on four different devices and can’t merge them all properly.

Robot butlers – a good idea or not?
They beat MP flatmates every time.

What piece of technology would you most like to own?
After the robot butler it would have to be a Midway Addams Family pinball machine. The best, ever.
