ITsecurity

Music a Bridge Too Far, But Not Your Personal Data

Posted by on September 5, 2015.

I was a member of MP3.com back in the day and even had a song make it into the top 10 of its genre. Also at that time, Napster was in a huge legal battle, and rightfully so, because it literally was breaking copyright laws by sharing music that was not properly purchased. MP3.com also had an idea at the time that didn’t break any laws, yet because of the confusion about what it was doing, the limited technical prowess of the legal system and the conflation with Napster – MP3.com lost its legal battle against the RIAA.

The “contrasting similarities” strike me between that lawsuit and recent developments of personal privacy rights in this new digital era. MP3.com’s idea was about saving bandwidth. This may seem silly these days but back at that time, being able to listen to your own music on different computers was groundbreaking. If you had an MP3.com account, you could upload your own music and listen to it on any other computer via your account. This upload took a great deal of time. MP3.com’s idea was to create a large database of all music (sort of like an NSA of music). Once this database was in place, using their software you could load a CD in your computer and their software would use some algorithm magic (I assume hashing) and validate that you did own the CD. At that point, you had access to the online version of the exact same data without needing to upload it. To be clear, MP3.com was giving you access to the exact same data you just proved you had. Yet that was a bridge too far for the legal system.

Fast-forward to today. On October 13, the Australian government will enact a law that requires internet companies to collect and store metadata about all users: whom they email, when they email, their IP address, browsing session times, and how much data they download and upload. The data must be stored for two years and shared with numerous government agencies, including law enforcement. Note I did not say just “Spy” agencies.

In the US, we have the NSA’s XKEYSCORE, which does pretty much the same thing, but takes it to another level. They store “full-take data” at collection sites — meaning that they capture all of the traffic collected. Forget silly little metadata.

We also have this other thing in the US called the Fourth Amendment:

“The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”

So seizing everyone’s data and storing it seems to be clearly out of the bounds of the Fourth Amendment and eerily similar to the RIAA lawsuit against MP3.com – with the exception of the data being personal, the data being accessed by people who do not own the data and it not bothering the RIAA.

You might be surprised just how long this sort of thing has been going on. The Electronic Frontier Foundation showed that in 2006 AT&T installed a fiberoptic splitter at its facility at 611 Folsom Street in San Francisco to make copies of all emails, web browsing and other Internet traffic to and from AT&T customers and provided those copies to the NSA.

I certainly want my government and those protecting us to have the best intelligence available, yet doing wholesale dragnets of the people is clearly a violation of the Fourth Amendment. The potential abuse of having access to such data is hard to quantify. Could it get a political deal passed, swing an election, be used to compromise the very people that are charged with protecting us? The simple answer is a resounding yes! The deeper troubling fact is that it is all possible because this stuff is not secure, but that is a topic for another post.

So… as I see it, if you store personal data about everyone in a database, in clear violation of the Fourth Amendment, and give access to people who do not own it – that is fine. If you store musical data in a database and give people access to that which they already own – when they prove they already own it – that is a Bridge Too Far!



Submitted in: Expert Views, Martin Zinaich