Friday, November 26, 2010

More browser security

The Electronic Frontier Foundation has released a new Firefox extension called HTTPS Everywhere. This extension will protect your online sessions (to some extent) by forcing your browser to use the more secure HTTPS protocol when an online provider makes that available. The rules apparently protect your use of Twitter, Facebook, PayPal, WordPress, and other social and blogging networks.

If you want to use online services somewhat safely, use Firefox, with HTTPS Everywhere, NoScript, Petname, and other extensions which improve your browser security.

Friday, November 19, 2010

OurCourts is now iCivics

I've written before about Justice O'Connor's OurCourts initiative which develops games and curricula for middle and high school students; the idea is to deliver lessons about the Constitution and our form of government in a more compelling fashion. My kids have pre-tested the games; but so have I, and they're pretty fun. The foundation is now called iCivics, and has expanded a bit; even if you visited them before, please check them out again, as they've added more content, especially for teachers.

Sunday, November 14, 2010

Where there is injustice ...

A quote from Chief Justice Earl Warren; it is apparently the epitaph on his gravestone:

"Where there is injustice, we should correct it; where there is poverty, we should eliminate it; where there is corruption, we should stamp it out; where there is violence we should punish it; where there is neglect, we should provide care; where there is war, we should restore peace; and wherever corrections are achieved we should add them permanently to our storehouse of treasure."

Tuesday, November 9, 2010

Justice Harlan on protecting liberty with the Fourteenth Amendment

Excerpts from his dissent starting on page 523:

Due process has not been reduced to any formula; its content cannot be determined by reference to any code. ... The balance of which I speak is the balance from which [our country] developed as well as the traditions from which it broke. That tradition is a living thing. A decision of this Court which radically departs from it could not long survive, while a decision which builds on what has survived is likely to be sound. ...

[The character of the Constitutional protection of liberties] must be discerned from a particular provision's larger context. And inasmuch as this context is one not of words, but of history and purposes, the full scope of the liberty guaranteed by the Due Process Clause [of the Fourteenth Amendment] cannot be found in or limited by the precise terms of the specific guarantees elsewhere provided in the Constitution. This "liberty" is not a series of isolated points pricked out in terms of the taking of property; the freedom of speech, press, and religion; the right to keep and bear arms; the freedom from unreasonable searches and seizures; and so on. It is a rational continuum which, broadly speaking, includes a freedom from all substantial arbitrary impositions and purposeless restraints ...

It is the purposes of these guarantees and not their text, the reasons for their statement by the Framers and not the statement itself, [ ] which have led to their present status in the compendious notion of "liberty" embraced in the Fourteenth Amendment.

Each new claim to Constitutional protection must be considered against a background of Constitutional purposes, as they have been rationally perceived and historically developed. ... The decision of an apparently novel claim must depend on grounds which follow closely on well-accepted principles and criteria. The new decision must take "its place in relation to what went before and further [cut] a channel for what is to come." (citing Irvine v. California, dissent).

This sounds pretty prophetic to me.

Monday, November 8, 2010

What do your online photos reveal about you?

I've written before about the fact that all your data on the internet can become public at any time, and the fact that on your phone or other devices, "apps" can be disclosing your location or other information. Another thing to be aware of is that photos that you place on the internet can leak information about you as well.

What sorts of data are available in photos? Your camera puts in statistics about the photo itself: size, resolution, color data, etc. There's also information about the camera, information about the environment (including, in some cases, GPS coordinates), and date/time stamps. Some cameras apparently even let you "tag" photos, with things like the subjects/participants.

What can this tell other people about you? Well, that flattering and innocuous picture you put up as your profile picture on Facebook might have the GPS coordinates of a bar or nightclub. A collection of your pictures, tagged with location and date information, could let people know you travel a lot to expensive locales. Tagged pictures with names help others calculate who your friends are (or other people you hang around with). Sometimes information that's stored in just one picture is no big deal, but the photos in the aggregate can paint a picture of you that you might not expect. Read the article; you should at least know what can be in the photos.

Of course, photo upload sites like Flickr and Facebook could help you by purging that information for you. As a matter of fact they typically do when they convert your uploaded photo to another format or size; however, if the original file is still available for download, the information your camera saved in there will travel with it. And of course the site may keep the original, or the data from the original, for its own use. You may decide it's not worth the trouble to sanitize your photos before you share them - but I think you should at least be aware of this issue.
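One way to see what a JPEG carries and to sanitize it before sharing, as an added example (not code from the original post or from any site it mentions): the script walks the file's header segments, reports the revealing Exif fields, and drops the metadata segments while leaving the compressed picture data byte-for-byte intact. The sample file is constructed inline and has placeholder pixel data; the function names are this example's own.

```python
import struct

# JPEG segment markers that hold metadata rather than picture data.
APP1, APP13, COM, SOS = 0xE1, 0xED, 0xFE, 0xDA
METADATA_MARKERS = {APP1, APP13, COM}  # Exif/XMP, IPTC, free-text comment
# Exif IFD0 tags worth knowing about before a photo is shared.
REVEALING_TAGS = {0x010F: "camera make", 0x0110: "camera model",
                  0x0132: "date/time", 0x8825: "GPS position"}

def iter_segments(jpeg):
    """Yield (marker, start, end) for each header segment, ending with SOS."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        while jpeg[pos + 1] == 0xFF and pos + 5 <= len(jpeg):  # skip fill bytes
            pos += 1
        marker = jpeg[pos + 1]
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        end = pos + 2 + length
        if length < 2 or end > len(jpeg):
            raise ValueError("segment length runs past end of file")
        yield marker, pos, end
        if marker == SOS:  # compressed image data follows; stop parsing
            return
        pos = end
    raise ValueError("no image data (SOS marker) found")

def ifd0_tags(app1_payload):
    """Return the tag numbers present in the first Exif directory (IFD0)."""
    if not app1_payload.startswith(b"Exif\x00\x00"):
        return set()  # APP1 can also carry XMP; nothing to parse here
    tiff = app1_payload[6:]
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None or len(tiff) < 8:
        return set()
    magic, ifd = struct.unpack(endian + "HI", tiff[2:8])
    if magic != 42 or ifd + 2 > len(tiff):
        return set()
    (count,) = struct.unpack(endian + "H", tiff[ifd:ifd + 2])
    tags = set()
    for i in range(count):
        entry = tiff[ifd + 2 + 12 * i:ifd + 14 + 12 * i]
        if len(entry) == 12:
            tags.add(struct.unpack(endian + "H", entry[:2])[0])
    return tags

def find_metadata(jpeg):
    """List what the file would tell a stranger who downloads it."""
    findings = []
    for marker, start, end in iter_segments(jpeg):
        if marker == APP1:
            tags = ifd0_tags(jpeg[start + 4:end])
            findings += [REVEALING_TAGS[t] for t in sorted(tags) if t in REVEALING_TAGS]
        elif marker == COM:
            findings.append("comment")
    return findings

def strip_metadata(jpeg):
    """Return (cleaned_jpeg, [(marker, size), ...] removed); pixels untouched."""
    out, removed = bytearray(b"\xff\xd8"), []
    for marker, start, end in iter_segments(jpeg):
        if marker in METADATA_MARKERS:
            removed.append((marker, end - start))
        elif marker == SOS:
            out += jpeg[start:]  # scan header, compressed data and EOI, verbatim
        else:
            out += jpeg[start:end]
    return bytes(out), removed

def _segment(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

def build_sample():
    """Constructed test file: real segment layout, placeholder pixel data."""
    ifd0 = (struct.pack("<H", 2)
            + struct.pack("<HHI4s", 0x0110, 2, 4, b"Cam\x00")  # model, inline
            + struct.pack("<HHII", 0x8825, 4, 1, 38)           # pointer to GPS IFD
            + struct.pack("<I", 0))
    gps = (struct.pack("<H", 1)
           + struct.pack("<HHI4s", 0x0001, 2, 2, b"N\x00\x00\x00")  # latitude ref
           + struct.pack("<I", 0))
    exif = b"Exif\x00\x00" + b"II" + struct.pack("<HI", 42, 8) + ifd0 + gps
    return (b"\xff\xd8"
            + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
            + _segment(APP1, exif)
            + _segment(COM, b"taken at home")
            + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
            + b"\x12\x34\x56\xff\xd9")

if __name__ == "__main__":
    photo = build_sample()
    print("before:", find_metadata(photo))
    cleaned, dropped = strip_metadata(photo)
    print("after: ", find_metadata(cleaned), "dropped", len(dropped), "segments")
```

Dropping the Exif segment also drops the orientation tag and the embedded thumbnail, so a photo taken with the camera turned sideways may display rotated after cleaning.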

Monday, November 1, 2010

Calculus, the musical

Our family went to see Calculus, the musical when they were in town a year or so ago. It's an amusing play describing Newton's route to calculus, including old tunes updated with math lyrics. Some examples include:

  • 5 Sizes of Numbers (In the style of: The Beatles - In My Life)
  • The Limit’s Alright (In the style of: The Who - The Kids Are Alright)
  • Differentiabul (In the style of: They Might Be Giants - Istanbul (Not Constantinople))
  • Power Rule (In the style of: Petula Clark - Downtown)
  • Under The Curve (In the style of: Red Hot Chili Peppers - Under the Bridge)
  • and a favorite: L’Hôpital (I have Calculus in the Heart) (In the style of: Bonnie Tyler - Total Eclipse of the Heart)

At their web site they have some new albums for sale, and they say they're ready to come around on tour again. I'd love to figure out how to bring them to Houston, either to Rice or to a local high school. Anyone interested?

Friday, October 29, 2010

The value of being open

The Register reports that the security on the iPhone 4 can easily be bypassed by a particular sequence of key presses. Apparently earlier iPhones suffered from a similar issue.

On a recent earnings call, Steve Jobs amusingly described Apple's iPhone as being more "open" than Google's Android operating system. If the iPhone really were in fact open at all, security problems like this would have more likely been found and fixed before they were widely distributed. End users would have been able to patch their own phones, if they wanted to, using the source code to Android itself. There are how-to articles and online support communities to help. And finally, if iPhone were really an open platform, other companies or enthusiasts could port Adobe Flash or Java to run on it.

The bottom line is you will never be able to fully trust your machine if it is running Apple software. You don't know if it's secure, and without source code you will never know if apps are stealing your data or are making transactions on your account. It's sad to hear Steve Jobs trying to claim the mantle of being "open" when it's so clear he wants to completely control the experience of every one of his customers - to their detriment, with at best an ephemeral benefit in return.

Wednesday, October 27, 2010

Firesheep

There's a new Firefox plugin called Firesheep which helps people hack your social network accounts. Here's some information about what it does and how you can react to it.

What it does

Firesheep configures your network connection to monitor the traffic your neighbors are generating. Looking at their network traffic, the plugin can find any "cookies" transferred between their browsers and the social networking site. Once it's grabbed a cookie, it can implant that cookie into your browser, giving you access to their account. Social network sites which are vulnerable include Facebook and Twitter.

When are you vulnerable?

Although the plugin sounds pretty powerful, it's only dangerous in a particular environment - one in which your machine can see the network traffic of your neighbors (and they can see yours). So if you are connected to the network via an open WiFi hot spot, you can see the traffic of other people. If you're at work but they use an old security mechanism called WEP, then others can pretty easily see your network traffic; I don't think the current Firesheep plugin handles this case, but it wouldn't be too difficult to add.

Wired networks are pretty safe. Modern switches and routers keep you from seeing the traffic of other machines on the network, even on your local network segment.

What can you do to be safe?

  • Contact your social network vendor and insist they encrypt your entire session (not just the login sequence) via SSL. Google has already configured Gmail to do this by default. And then while you're waiting:
  • Don't connect to your social networking site over public networks. Don't use Twitter or Facebook at a coffee shop, or frankly even on your phone, unless you don't mind someone having access to your account. Make sure your WiFi at home has a WPA2 password configured.
  • Don't let it matter. Make sure no other sites will trust your credentials from your social networking site; this is an issue if you use OpenID at the other sites, and those sites trust your social network identity. You should also make sure you don't mind losing any items or value you might have stored up in a game or other application in your account, email or photographs stored there, etc.
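Why encrypting only the login sequence is not enough, as an added example (not from the original post): a browser attaches any cookie that lacks the `Secure` attribute to plain `http://` requests, so the audit below replays a browsing session and lists the requests that would carry cookies in cleartext. The host `social.example`, the cookie name and value, and the three sessions are constructed; the model assumes a single host and ignores cookie path, domain and expiry.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def audit_session(exchanges):
    """Replay (request_url, [Set-Cookie values in the response]) pairs in order.

    Returns [(url, [cookie names])] for every request on which the browser
    would send cookies over unencrypted HTTP.
    """
    jar = {}       # cookie name -> True if it was set with the Secure attribute
    exposed = []
    for url, set_cookie_headers in exchanges:
        scheme = urlsplit(url).scheme
        # Secure cookies go out only over https; all others go out on every request.
        sent = sorted(n for n, secure in jar.items() if scheme == "https" or not secure)
        if scheme == "http" and sent:
            exposed.append((url, sent))
        for header in set_cookie_headers:
            parsed = SimpleCookie()
            parsed.load(header)
            for name, morsel in parsed.items():
                jar[name] = bool(morsel["secure"])
    return exposed


# Constructed sessions. 1: only the login is encrypted.
LOGIN_ONLY_TLS = [
    ("https://social.example/login", ["session=abc123; Path=/; HttpOnly"]),
    ("http://social.example/home", []),
    ("http://social.example/messages", []),
]
# 2: the whole session is encrypted, but the cookie is not marked Secure and
# one page still pulls an image over http.
TLS_WITHOUT_SECURE_FLAG = [
    ("https://social.example/login", ["session=abc123; Path=/; HttpOnly"]),
    ("https://social.example/home", []),
    ("http://social.example/logo.png", []),
]
# 3: same browsing pattern, cookie marked Secure.
TLS_WITH_SECURE_FLAG = [
    ("https://social.example/login", ["session=abc123; Path=/; Secure; HttpOnly"]),
    ("https://social.example/home", []),
    ("http://social.example/logo.png", []),
]

if __name__ == "__main__":
    for label, session in [("login-only TLS", LOGIN_ONLY_TLS),
                           ("full TLS, no Secure flag", TLS_WITHOUT_SECURE_FLAG),
                           ("full TLS, Secure flag", TLS_WITH_SECURE_FLAG)]:
        print(label, "->", audit_session(session))
```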

Sunday, October 24, 2010

Driving the Chevy Volt

I test-drove the Chevy Volt today. I've been following the story of this car and its technology on the gm-volt.com web site for about three years now, and am excited to have the opportunity to finally see it in person.

The Volt is an electric car with a gasoline engine. It's not like the gas/electric hybrids currently available; the gas engine exists to charge the battery, not to drive the car. It's more properly known as an Extended Range Electric Vehicle. The battery will drive the car for about 40 miles before the gas engine kicks on into "charge-sustaining mode." The electric engine is still driving the car; at some higher speeds, the rotations from the gas engine help drive the car a bit, but never on its own. With a full tank of gas, the total range of the car should be about 250 miles.

The car itself was pretty nice looking; it had that new-car appeal. Under the hood there are what look like individual modules; the gas engine is in there, as well as a computer system, and containers for various fluids (brake, coolant, wiper, etc.). The back is a hatch-back, with a small open space behind the back seats; I worry a bit that things might fly forward out of there if you stop suddenly. Lifting up the "floor" of the hatch space, you see access panels for the battery terminals, and space for a charger cord. Not until later did I realize I hadn't seen the spare tire; there may be one under the vehicle.

There are four bucket seats in the car; the two seats in back are separated by what I believe is part of the T-shaped battery. The back seats fold down, to allow more cargo space. Someone remarked "that's plenty of room for camping gear!" but I thought "only if you don't take your kids with you." This is not a cargo car; it'll move groceries around, and take you and a friend to the airport, but maybe not more.

Overall, this is a practical electric car to have. It will take you around town on the electric charge, and take you on a longer trip with the gasoline engine as an extender. If you have a family, your second car should have some hauling space, and probably seat at least five. Houston won't likely have any available until next year or so; I just hope the $7500 tax break is still around when I'm ready to buy my Volt.

Wednesday, October 20, 2010

Update - Facebook apps leak your identity to advertisers

In an update to my previous post on the danger of "apps", a researcher has found that Facebook applications leak your identity to advertisers. Any application which displays ads to you while you use it is potentially sending your identity to their advertisers.

Why does this happen? It could be sloppy programming on the part of the application (i.e. Farmville in the article), or it could be the result of the contract between the application provider and their advertisers:

  • Sloppy programming

    Any application which displays ads by asking your browser to fetch the ad directly from the advertiser's system is running the risk that all kinds of information from your browser reaches the advertiser. A more secure way to deliver ads would be for the application to request the ad for you, then display it to you; it could then make you anonymous to the advertiser. However, advertisers may explicitly want to avoid this, which brings us to:
  • Contractual obligations to advertisers

    Advertisers are paying the application either for each ad displayed or when a user "clicks" on the ad. An advertiser would typically want to make sure that the ads actually reach the users; if they're paying for "impressions" then they probably want to count those deliveries themselves. Therefore they're less likely to trust the application developer to count for them; instead, they'll want to identify each ad request by its unique browser/requestor.

    Another consideration is that advertisers (or the ad networks that deliver the ads to the applications on their behalf) may explicitly want access to your browser so they can use cookies to track you. They therefore would not want the application to fetch the ads on your behalf; they would want your browser to make the request directly, so they can fetch and drop tracking information. In theory, this tracking information should allow you to be "semi-anonymous"; however, if it's tied to an explicit Facebook (or other social network) ID, then that anonymity vanishes.

What's the solution? Well, the easiest is: don't use "apps" in social network settings. Other solutions are a bit harder. You could use a Firefox extension to block the information from the advertisers; I don't use any so I can't personally recommend any particular one. You could configure your browser to use an anonymizer - a proxy which strips your personal information and routes your request through several machines so the web site has a harder time identifying you. Or you can run a proxy server on your local machine which modifies incoming pages and outgoing requests. You can even run a combination of all of these, so you don't have to place all your trust in any one solution.

Monday, October 18, 2010

Project proposal - please vote

Please check out and vote for a new proposal at Mozilla's Drumbeat site. It's a project which will create an interface which will allow educators to bring together disparate teaching materials online. This should allow teachers to create curricula from content available world-wide; allow authors to contribute more easily to a global educational corpus; and allow researchers and entrepreneurs to use the materials in innovative new ways. I urge you to look through the materials and give it your vote, to help convince Mozilla to fund the proposal.

Full disclosure: I am related to the project author.

Saturday, October 16, 2010

Houston ISD Magnet Program survey - admissions criteria

I wrote earlier about Houston ISD's questionnaire about its magnet programs; in particular about the survey question on funding. Another such question asked about how students should be admitted to magnet programs.

The magnet programs at HISD exist both to cluster students with similar interests, skills, and abilities, and to allow students from under-performing schools to attend programs outside their HISD zone. In a perfect world, every student who wanted to attend a magnet program would; however, there are a limited number of programs, and a limited number of students the programs can admit. Therefore there needs to be some way for a program to admit a fraction of its applicants.

One thing that makes this a little more complicated is that HISD has a parallel program called "Vanguard" which targets a subset of the children who are identified as "gifted and talented." I think the idea is generally sound - it's easier to provide a centralized accelerated academic program in a small number of schools than it is to have a separate such program in each of the schools. I'll address each program (Vanguard, magnet) for each grade level (elementary, middle, high school).

Elementary school

  • Vanguard

    HISD uses a battery of tests to determine which students are identified as "gifted and talented"; within that population, a further set of tests determine which students qualify for the "Vanguard" program. I'm not sure the data convince me these second tests are effective - it's not clear that all the students chosen for the programs end up thriving in them, nor is it clear that the students excluded from such programs would not have done better as participants. If the second battery of tests does not effectively differentiate between those populations, then perhaps admission to a Vanguard program at this level should be by lottery from the pool of "gifted and talented" applicants.
  • Magnet

    I believe most magnet programs at this level accept applicants by lottery. This seems pretty fair.

Middle school

  • Vanguard

    At this level HISD has more data about its students, based on grades, test scores, and teacher evaluations. It may have enough information to be able to tell which students would benefit from accelerated Vanguard programs. If so, selection based on these criteria would be appropriate. If the data are not enough to be able to rank students, then perhaps a threshold to apply plus a lottery among the qualified would be better and would allow more students to participate. Some students might not thrive in such an environment and may choose to leave it; programs should actively recruit new students for open spots in 7th and 8th grades to replace them.
  • Magnet

    The Magnet schools at this level are impressive - foreign language, performing and visual arts, etc. Students are likely to self-select at this point, so it may be that a lottery is reasonable as a selection process. On the other hand, it may be better to use the screening processes that high school programs use, below. Students can further be clustered in the school by aptitude for acceleration, if appropriate.

High school

  • Vanguard

    By high school, the district should have enough data to be able to determine which students will do well in a Vanguard/accelerated program. Students will also self-select at this level, since these programs will typically include an expectation that students take a decent number of IB or AP courses and exams. The pressure to have a high GPA may convince students not to attend unless they're sure they'll succeed. Therefore, at this level the schools should probably have open admissions or a lottery of all candidates who qualify based on grades and test scores.
  • Magnet

    The Magnet schools at this level are really incredible - foreign language, performing and visual arts, science/medical, engineering, even a school with a flight program. If the program has some minimum ability requirements it should test for them (language fluency or aptitude, science/math scores or grades, performing ability, etc.). Like the Vanguard programs above, students will likely self-select at this point, so programs should probably have open admissions or a lottery among all who qualify. The assumption is that anyone applying to such a school will be interested enough to succeed if they have the skills to do so.

Since one of the goals of the magnet program is to allow students to "escape" an under-performing school they're zoned to, perhaps at each level some preference should be given to an applicant who is zoned to such a school. There also, frankly, should be more magnet programs!

Friday, October 15, 2010

Houston ISD Magnet Program survey - funding magnet programs

Houston ISD is conducting a survey of parents and teachers about its magnet program, sending out questionnaires and holding town hall meetings around the city. The survey they sent out asks a number of thought-provoking questions; I'm curious to know how they collate and respond to the submissions they receive. I wonder if they will hold a subsequent round of discussions so we can react to each other's responses.

One question asked how you would recommend funding the programs at magnet schools; they give three suggestions: (1) equal funding by school; (2) funding by pupil; (3) differential funding by type of program. They give only a small box for the response, so I thought I'd elaborate on my submission here:

Each paradigm has its merits and demerits.

  • Funding by pupil has the problem that programs with few pupils, especially starting programs, may not have enough baseline funding to hire the personnel necessary to get established.
  • Funding "by program type" implies differential funding - do STEM schools get more than music/arts schools? How about Vanguard/Gifted schools? Do we decide there are a small number of "types" and assign funding amounts to them? How would an innovative new "type" of program get established and funded?
  • Finally, while equal funding per school sounds fair, it can be attacked as providing inordinate funding to schools with small magnet populations. It might also under-fund popular programs with a large number of applicants.

Perhaps a "tiered" system makes sense. Schools with 1 - 100 magnet students would receive some baseline amount; schools with 101 - 200 get more; and perhaps a per-capita allowance for every student over 200. That might be supplemented by service-based funding for things like after-school programs, or grants of initial capital to do things like purchasing art supplies and tools, musical instruments, gymnastics or dance items, etc.

Monday, October 11, 2010

The danger of "apps"

A recent study of a sample of Android apps found that they were "calling home" (sending the phone's current location to a remote web site) on a periodic basis. It was clear that the apps were not telling the user they were doing this; what was not so clear was if the users were adequately notified of this behavior when the applications were installed.

On a related front, Facebook applications can access and store your data and the data of visiting friends. The site gives you some options to suggest which data you want to share and with whom; however, keep in mind that behind the scenes the software must try to interpret your preferences in a way that keeps both you and Facebook's advertisers happy. That's not a tension that is likely to resolve in your favor.

My suggestion would be to delete any applications you don't need from your phones and social networking sites. Eventually, if you really need a phone or device which runs "apps," I'd suggest an Android, because it can be legitimately upgraded (hacked?) to reveal (and perhaps control) such data leaks. And remember, even though your location, demographic, and friend information may seem like innocuous information to be sharing, keep in mind all your data are potentially public.

Monday, September 20, 2010

Fixing weak cellular coverage

Bloomberg reports that Sprint is giving away "femtocell towers" to a small number of customers who have weak reception in their homes. These towers act as local cellular stations inside your home; they transmit your calls over your internet connection back to Sprint. They therefore depend on your internet speed; if you have a slow or spotty connection, your calls will not sound very good.

If you can't get one for free, these towers seem to cost around $100 retail, with a $5 monthly charge. You can apparently set it up to route multiple numbers over your connection for an additional charge.

Friday, September 17, 2010

Remember: your data are all public

By now everyone's heard this from me multiple times: be careful what you send in email or post to the Internet, on your blogs, Facebook, Twitter, Buzz, etc. Everything you upload in any fashion can potentially be saved forever, and at some point, redistributed.

As this article about an untrustworthy insider at Google illustrates all too clearly, your data are only protected by the goodwill and diligence of the companies you are trusting. Some companies may not have any policies or procedures in place to try to restrict access to your accounts and posts; some may have these but may not aggressively enforce them; and as the Google case shows, even if you have policies and enforcement, it won't be perfect. For example, it's likely that Facebook employees can impersonate you; there are legitimate reasons why that capacity is built in, but remember it can also be abused. Trusted insiders at these companies will have access to large pools of your information, and inevitably some of them may not be worthy of that trust. So far the stakes have apparently not been high enough for affected users to contemplate any lawsuits for breaches, collectively or individually, even when they apparently happen in violation of the representations these web sites make to you in their Terms of Service and Privacy policies.

The bottom line should be: treat absolutely everything you type into a web site or publishing program (blogger, messaging program, texts on your phone!) as though your boss (or your grandmother?) were going to read it tomorrow - because there's always a chance they might.

Sunday, September 12, 2010

Building a Muslim community center in NYC

The Park51 project, sometimes described as the "Ground Zero mosque", is a Muslim community center and prayer space located a few blocks away from the former site of the World Trade Center. The location is zoned to allow religious organizations to build there; as such, the Religious Land Use (and Institutionalized Persons) Act protects the group's right to build there. This is the same statute that protects the right of a Christian mega-church to expand, or a small church to use a downtown space to hold services. This law was passed by Congress to protect the right to free exercise of religion, a right recognized by the First Amendment to the U.S. Constitution.

In an interview on National Public Radio (NPR) on September 11, New York's Mayor Bloomberg discussed the recent controversy around the Park51 project. I was impressed by his analysis of the issues:

NPR: There've been so many controversies leading up to today, between the proposed Islamic Center there in lower Manhattan, the threatened burning of Qurans in Florida. Have 9/11 commemorations become politicized?

Mayor BLOOMBERG: I think that a lot of it has become politicized. The whole issue of the Islamic center, which was proposed a while ago and nobody seemed to have any problems with it, all of a sudden in the middle of an election campaign became something that the candidates can't stop talking about. It's pretty hard to argue that they aren't trying to make something out of this for their own political gain. And that will go away after the November election.

The real issue here is history will look back and say, did we have the courage to stand up for the Constitution and keep us free going forward? The government shouldn't be involved in telling people who to pray to, where to pray, how to pray, who's going to fund their praying.

And I think that hopefully we'll be able to look back and say that, you know, a few people were a little bit of hotheads, a few people tried to take advantage of it, but in the end America understood that the Constitution has protected us for a long time and if we don't protect other people's rights, we're not going to have our rights.

NPR: Your support of the right of the Islamic center to open being noted, if the people who run the Islamic center on their own decided to move it, would you be relieved?

Mayor BLOOMBERG: The government should not be relieved or whatever - concerned, I guess, that they have a right to build a place of worship any place that's zoned for that kind of activity. This place is. And it's totally up to them. And if the government starts expressing a view of concern or relief, that's just the government trying to influence a decision which it should not.

Compare that expression to the pressure brought to bear by the Obama Administration (and others) on the church threatening to burn copies of the Quran - an attempt to affect a different right (free speech) under the First Amendment.

Friday, September 10, 2010

Burning the Quran

A congregation led by a Pastor Jones is planning to burn copies of the Quran on September 11, 2010 - the same day as the feast of Eid ul-Fitr, which marks the end of the Muslim holy month of Ramadan. I find it surprising that the plans of a 50-person congregation from somewhere in Florida are being reported around the world. Why would the actions of such a small group cause so much commotion?

  1. This is not news.

    It should come as no surprise to anyone that there exists somewhere in the world a small group of people who are prejudiced against one or more other groups. If the media were to report on every such collection of people, they'd run out of room in every broadcast and in every newspaper. Had the news media not made a "story" out of these plans, no one would likely have even noticed it happened; as an event, it's especially uninteresting because there's no threat to anyone's safety or welfare. Sadly, by shining a spotlight on this insignificant group, and by making its leader famous enough to appear on television, the news, and in print, the media inspires them and others to even more outrageous acts in the future.

    This is a great example of where the phrase "nothing to see here, move along" is applicable.

  2. They have the right to burn copies of the Quran.

    Speech of all sorts is protected in the United States under the First Amendment to the Constitution. There are some types of speech which can be controlled or punished, but for the most part, the tension between (1) protecting others and their reputations, and (2) encouraging discourse about the government, officials, and important issues generally ends up protecting most types of speech. In particular, as long as you're not causing a danger to anyone (arson) you're generally allowed to burn anything you want. That goes for flags, books, pop albums, etc.

  3. Anyone who responds to this is responsible for their own actions.

    A number of U.S. officials have attempted to warn the group that their planned event will end up endangering the lives of U.S. citizens and troops around the world. I don't think this is a reasonable or relevant observation.

    To begin with, any response by a member of the Muslim faithful to the burning of a copy of the Quran is their own responsibility, not the fault of the members of this congregation. No one has the right to respond with violence to what amounts, at most, to an insult. It's useful to keep this in perspective: the books this Florida church plans to destroy are mere copies of the text; burning these books will not make it impossible for others to continue to teach or worship as they did before. This is not an impediment to anyone else's free exercise of their religion. And no one's health or welfare will be directly harmed by the book burning.

    That said, people will respond in various fashions, and some will be incited to violence. Some of the violence may happen where U.S. troops are currently stationed. Frankly, the best way to prevent violence against the troops is to move them to somewhere safe, especially home. By referring to the potential danger to U.S. troops, General Petraeus and President Obama seem to be trying to use guilt to stop the book burning; the implicit suggestion is that any subsequent violence around the world will amount to "blood on [this congregation's] hands." These statements come across as nothing more than an indirect way to pressure this group to cancel their plans.

    Sadly, there are also likely to be responses from those who support the views of Pastor Jones and his church. If the event goes forward, it might instigate copycat burnings in other communities, or may inspire other groups to grab media attention with even more outrageous activities. If the burning is called off, sympathizers may act out against those whom they believe worked to shut down the event. Again, anyone who responds violently on either side should be held responsible for their actions, in accord with the law.

  4. What this group is doing is insensitive and an inappropriate response to 9/11.

    Of course, the purpose of the protection of speech in America is to encourage reasoned discussion and debate in our community. To that end, it's welcome to have public officials, ecumenical leaders, and generally everyone else point out that burning copies of the holy book of any group is simply a manifestation of hatred toward the members of that group. Such an event adds nothing to our understanding of the causes and/or effects of the events of 9/11; instead, it acts to rend the ties in their community (and in any others which respond).

    I understand and defend their right to express their ideas in this fashion, but I can't say I appreciate or support it. While the government and elected officials have no right to tell them not to go ahead with their plans, I wish they would choose on their own to cancel their event, and I really wish I'd never heard of them at all in the first place.

Tuesday, July 13, 2010

Zojirushi

The Zojirushi corporation manufactures all kinds of consumer goods, including coffee makers. When we were looking for a new coffee maker, we decided to get one of theirs online; the description fit all our requirements, and online we didn't see any major negative reviews. Ours is a drip-style machine; water from a tank in back is pumped through a heating element and dripped through a basket of coffee grounds into a carafe.

We were happy with the machine's performance for about 6 - 7 months, when the pump abruptly failed. We were pleased enough with the experience to go ahead and buy another one as a replacement. Unfortunately, the second one failed in about the same amount of time, in the same fashion.

A coffee maker is one of those things that's hard to justify repairing, especially long distance when shipping costs are factored in. The time you spend on the phone and packing it up are also part of the cost. However, we had two of the same machines fail in the same way, so we figured it was worth alerting the company to see what they could do.

They came through with flying colors. I'm pretty sure that whatever the warranty was on the machines, it had expired by this time. They promptly offered to pay for shipping both ways to pick up, repair, and return both machines. We shipped only the brewer bodies for each; they suggested we hold on to the carafes because they didn't need repair. When they returned to us, it appeared that one was reparable (and came back without the carafe), and one was not. They seem to have decided to send us a new one to replace the second machine.

We've not yet had enough time with the returned machines to see if this problem will happen again. If we have one fail again in the same way, we'll at least contact them to see if they want to repair it further. In that case, I wouldn't recommend you purchase one of their coffee machines. Overall, though, I'd have to say I'm very impressed with their prompt and friendly customer support. If you're thinking of buying a Zojirushi product, you should at least factor in their apparent willingness to stand behind their product and keep the customer satisfied.

Tuesday, July 6, 2010

Copyright, economics, and the moral high ground

My friend Herman sent out a link to a blog post by Jason Robert Brown, which documents Brown's discussion with a teenager named Eleanor about "trading" Brown's sheet music online. It occurred to me that although Brown was correct about the law and his rights, and although Eleanor's invocation of the "starving artist" argument was weak, overall she had the better of the argument.

First, the conclusion: Brown does have the legal and moral right to control copies of his work. Almost all countries observe the Berne Convention, which governs what works can be protected by their authors and when that protection becomes active. The Convention provides for a minimum duration for the protection; individual countries can allow longer protection periods if they choose. Legally, Brown is right, and can enforce his copy rights either by asking infringers to stop or by suing them in court.

Eleanor is a fan of Brown's music, and enjoys performing his songs as part of her burgeoning career in theater. She complains that she's unable to get access to Brown's sheet music because she doesn't have a credit card (and so can't purchase it online), so she has to resort to a "trading" web site, which is apparently like Napster for sheet music. Brown points out that each song is about $4, it can probably be found in a store somewhere, and maybe even at the library, so she really has options that conform to the law. Maybe Eleanor lives in New York, and that's easy for her; maybe she lives somewhere else, where sheet music is harder to find. In either case, those truly are her only legal options. One wonders, in passing, how the young Jason Robert Brown secured access to sheet music as he grew up, and what effect that had on his development and career. Maybe he had a budget big enough to afford copies of all the works he needed or wanted; maybe he stuck to works whose copyright had expired? Or maybe he just had a great local library.

Eleanor ultimately gets her fair use argument wrong but makes two convincing economic points, both of which influence the publishing behavior of successful authors like Cory Doctorow, Stanford Law Professor Larry Lessig, and economic writer Kevin Carson. The first is (very broadly) that you literally lose nothing by giving your work away to someone who would or could not have otherwise paid for it; there's no lost sale in that case. There's a bit of nuance to the concept, because different people might have bought it at different prices (marginal utility), but overall the idea of a phantom "lost sale" still holds. The second is that unless people know who you are, you'll be able to own and protect 100% of a relatively smaller number of sales of your work. By treating the works you give away for free as a marketing expense, you "grow the pie"; as Eleanor points out, you increase your reputation, and that can have "network effects" down the road. Each of these authors is making money even though they also give copies of their works away for free. Why? Because people appreciate their talent and ideas, and still love having actual books, and they pay to come hear these thinkers address an audience. Such authors don't end up charging 100% of the people who enjoy their works for each copy, but the compensation they get is certainly more than the whole "pie" of a lesser or unknown author or artist.

Brown tries to justify his moral position by giving a few examples, two of which are weak for different reasons. His first anecdote is about a friend borrowing a screwdriver and not giving it back, but that's comparing apples to oranges; in the screwdriver, he has a property right in a non-reproducible physical object, which is different from his copyright in a reproducible digital work. The second anecdote describes a "lost sale" that the Thornton Wilder estate misses out on because his friend wants Brown's copy of a Wilder book, and doesn't want to buy his own. Brown argues that Wilder's estate deserves to benefit from the sale of another copy; that's true to a point, but it exposes the whole issue of the debatable and ever-lengthening copyright periods in the United States. How long should an artist be able to prevent others from copying their works? What are the trade-offs, the parties affected, and their relative utilities? The Berne Convention says protection should last no less than 50 years, but signatory states can set longer periods; the US has extended that quite considerably (to "life of the artist plus 75 years") and may continue to do so. He then gives a third example which gives a good overview of the concept of "fair use", and then is apparently surprised that a good discussion of copyright issues is available from the University of Texas web site ("Texas! Of all places!"). I guess he doesn't think he has a lot of fans in Texas. I'm also guessing he probably doesn't run all his blog posts past his agent for feedback.

Jason Robert Brown doesn't feel like he needs to give anything away to become better known, and maybe the struggling/starving artist idea doesn't resonate with him. That's fine; that's his right. In the end, though, there will certainly be other musical geniuses who market themselves like Doctorow, Lessig, and Carson; and people like Eleanor are going to share, perform, and enjoy their music, perhaps to the exclusion of people like Brown. The ugly truth is that you can maximally benefit from the "it's all mine" approach, a strict insistence on charging for every copy of your work, only if you're selling necessities; Brown's just not in that business. His sales will go up or down based on his reputation more than from his aggressive copyright enforcement. Eleanor has no legal or moral right to steal or share his sheet music; Brown has no moral obligation to make it available to her or anyone else for free. But by trying to get every dollar he can from his work, he may be putting a limit on his relevance and appeal. It will be interesting to watch it all play out.

Sunday, July 4, 2010

Clinic experiences for evening law students

At law school, the legal clinics offer an opportunity to students to work on real issues with real clients. The University of Houston Law Center has a number of well-regarded clinics which are available to full-time students, or students who can commit to spending hours during the day. Sadly, no such program is offered (yet?) to the evening students. My thanks to Luke Gilman for the reference to:

David F. Chavkin, Clinic Under the Stars: Giving Part-Time Students Their Due, 13 Clinical L. Rev. 713 (2007). Some notes:

  • It's possible to have a clinic which includes part time students, even a clinic which involves litigation work. Such a clinic would be designed to give students who have full time jobs plenty of notice of court appearances so they can ask for time off work. It would have to be in a practice area in which appearances are not frequently reset.
  • ABA Standard 301(b) requires, in part, that "A law school shall ensure that all students have reasonably comparable opportunities to take advantage of the schools' educational programs, co-curricular programs, and other educational benefits."
  • ABA Standard 302(b)(1): "(b) A law school shall offer substantial opportunities for: (1) live-client or other real-life practice experiences, appropriately supervised and designed to encourage reflection by students on their experiences and on the values and responsibilities of the legal profession, and the development of one’s ability to assess his or her performance and level of competence; ..."
  • Clinic Under the Stars, p. 738 fn 67: "Although we refer to students in the evening clinic as part-time students, a better term for them would be 'more than full-time students.' ..."
  • Running a successful clinic for evening students requires a full time commitment from a full faculty member, and at times significant support services for the clinic students. Full time students can be expected to handle "less important" tasks such as running to the courthouse to file a petition or send certified mail; clinic faculty might take on a more active support role so the limited time that evening students can commit to a clinic is better spent.

I wonder: how many evening students at UHLC would participate in a clinic, given Professor Chavkin's estimate that it requires an evening and weekend commitment of on the order of 26 hours per week for seven credits? If it were available, would I dedicate a semester to such a class for the practical experience it offers to me, and the legal assistance it offers to the clients?

Saturday, June 19, 2010

America's Prophets

I'm reading America's Prophets - How Judicial Activism Makes America Great by UH Law Center professor David Dow. In the book, Dow describes the function of the biblical prophets in ancient Israel as cultural course correctors; their role was to tell the public when their practices were contrary to higher law. The prophets were, in effect, the visionaries who had the courage to tell the majority "no" when necessary.

In contrast, the priests were the ones who maintained cultural continuity; it was their job to preside over and defend norms of long standing. It was their job to look to the past for guidance. This metaphor is from page 11:

... We can think of priests and prophets as judges taking a ride together on a train. The priests are seated facing the rear. They can see backward along the rails all the way back to the depot from which the train began its journey. They believe that their job is to be experts on all that has transpired between the origin of their culture and the location at which they reside at the moment. The prophets face sideways. Turning their heads one way, they see what the priests see. Turning their heads the opposite direction, they see forward. They cannot see to the end of the track, perhaps, but they can see some distance into the future. Of course, to continue with this metaphor, there will be spots in the future that the prophetic judge, no matter how keen her vision, cannot see. ... Nevertheless, the prophetic judge can see some distance into the future, and the prophetic judges believe that their job is to ascertain, based on the vector from which they have come, where they are going.

How is a US Supreme Court justice like a prophet in the Bible? In our political system, the Constitution provides the higher law, the foundational framework against which all legislation must be measured. Like the Jewish prophet who warns the people when they stray from their fundamental goals and principles, the activist judge is in the position of saying "no" to the Congress and the majority it represents, when the Congress (or a state) attempts to enact a law which runs counter to the Constitution. This is not a comfortable role for a judge to play; as any parent knows, saying "no" invites an emotional backlash. Without judges performing this role, however, we run the risk of subjecting less powerful groups to the tyranny of the majority, a concept first described by Alexis de Tocqueville, and later mentioned in the Federalist papers.

Are these "activist judges" imposing their personal morality, ethics, or interpretation of the Constitution on the rest of us? Or are their decisions based on a strict application of legal reasoning to the text and principles of the Constitution? Dow gives us the examples of Plessy v. Ferguson and Brown v. Board of Education as examples of "priestly" and "prophetic" approaches to racial equality, and promises to visit other similarly controversial examples of "activism" later in the book. He asserts that the prophetic course corrections are grounded in good law and reasoning; they would have to be, given the decisions and rationale are all public. However, I've not yet read his analysis of the various cases; those are later in the book.

On a related note, can "activist" judges on the US Supreme Court be identified by their ideology? Some interesting research from Dow and collaborators:

A study of the last ten years of the Rehnquist Court reveals that a justice's deference score* depends on something besides a judge's simple belief that the majority should be free to do as it sees fit. For example, the same justices who are most willing to tell the majority no when Congress intrudes on individual liberty (i.e., Justices Stevens and Souter in the aforementioned study) are least willing to tell the majority no when Congress intrudes on the states. Conversely, the justices most protective of the states, and therefore most willing to tell Congress no when it interferes with state power (i.e., Justices Scalia and Thomas), are least willing to tell Congress no when it interferes with individual rights. ...

I'm not even half way through the book, and I find it fascinating, hard to put down. The idea of the judiciary as a brake on the majority is a concept I've been trying to articulate and logically frame for myself for a while, and here's a book by an author who's thought it through and is a compelling writer. I'm hooked.

* A judge's deference score describes how often a judge defers to Congress and the majority it represents. A judge receives a positive score (+1) for each time he or she votes or holds that the law is consistent with the Constitution, and need not change. A judge receives a negative score (-1) for each time he or she decides a law is unconstitutional.

Saturday, June 5, 2010

Like butter on bread

"I feel thin — sort of stretched, like butter scraped over too much bread."

Bilbo Baggins to the wizard Gandalf
The Fellowship of the Ring (the Lord of the Rings Trilogy)
Written by J.R.R. Tolkien

Saturday, May 22, 2010

Web security and SSL certificates

You may recognize secure web sites by the fact that their URL starts with https://, or by a little lock icon in the address bar or on the bottom of your browser window. Maybe the URL location bar turns green when it's "safe" - when a third party has verified that the server you're communicating with is at the address you expect. This weak authentication regime is implemented using SSL certificates, little pieces of data which are badges handed out by third parties to server operators, for a fee. Each certificate contains the name of the domain or host name the server is handling, and a digital signature by a company such as Verisign, GoDaddy, AC Camerfirma, or TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı. In Firefox you can see the list of trusted third parties by choosing (Edit or Tools)->Preferences->Advanced->Encryption(tab)->View Certificates. These are the companies you and your browser are trusting to authenticate web sites around the world.

How do you know they can all be trusted? Wired magazine has an interesting article about certificate spoofing. Unless you check the name and issuer on each certificate at each site, your browser won't tell you whether the certificate is really the right one; all it knows is that the certificate was signed by an entity it trusts. Some entities have embedded their certificates in network-level devices so the devices can spoof certificates from any site you're visiting. With that, the device and its owner can intercept all the traffic between you and the site you suppose is secure, maybe your bank or GMail.

You can fight back, a bit, if you have Firefox. There's an extension called petname which lets you "tag" certificates from sites you've verified. If you visit Google's mail site and petname doesn't recognize the certificate, it'll warn you, and you should be suspicious or at least extra careful. The alternative is to check every certificate for every secure site - and memorize the issuer for each. Not really an easy task.

Remember, SSL and browser security aren't enough! It's all based on trust. So verify!
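To make the gap between "signed by someone the browser trusts" and "the certificate I verified" concrete, here is an added example (not code from the petname extension or from this post) that models both checks. The issuer names, host name, certificate bytes and the `PetnameStore` class are constructed for illustration; a real browser parses the certificate and verifies the signature chain rather than comparing strings.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for the browser's built-in list of trusted third parties.
TRUSTED_ISSUERS = {"Example Root CA A", "Example Root CA B"}


@dataclass(frozen=True)
class Cert:
    """Simplified certificate: only the fields the post talks about."""
    subject: str   # host name the certificate was issued for
    issuer: str    # third party that signed it
    der: bytes     # stand-in for the encoded certificate bytes

    def fingerprint(self) -> str:
        return hashlib.sha256(self.der).hexdigest()


def browser_accepts(host: str, cert: Cert) -> bool:
    """Default check: the name matches and the issuer is on the trusted list."""
    return cert.subject == host and cert.issuer in TRUSTED_ISSUERS


class PetnameStore:
    """Hypothetical store that remembers the certificate a user tagged per host."""

    def __init__(self):
        self._tags = {}  # host -> (petname, fingerprint, issuer)

    def tag(self, host: str, cert: Cert, petname: str) -> None:
        self._tags[host] = (petname, cert.fingerprint(), cert.issuer)

    def check(self, host: str, cert: Cert):
        """Return (status, detail); status is 'untagged', 'match' or 'changed'."""
        if host not in self._tags:
            return "untagged", "no petname recorded for this host"
        petname, pinned_fp, pinned_issuer = self._tags[host]
        if hmac.compare_digest(pinned_fp, cert.fingerprint()):
            return "match", petname
        if cert.issuer != pinned_issuer:
            return "changed", f"issuer was {pinned_issuer!r}, now {cert.issuer!r}"
        return "changed", "same issuer, different certificate (possibly a renewal)"


# Constructed sample data: the certificate the user verified, a substitute signed
# by a different trusted issuer, and a re-issued certificate from the same issuer.
HOST = "mail.example.test"
ORIGINAL = Cert(HOST, "Example Root CA A", b"constructed-cert-bytes-1")
SUBSTITUTE = Cert(HOST, "Example Root CA B", b"constructed-cert-bytes-2")
RENEWED = Cert(HOST, "Example Root CA A", b"constructed-cert-bytes-3")


def demo():
    """Run both checks against each sample certificate and collect the results."""
    store = PetnameStore()
    store.tag(HOST, ORIGINAL, "my mail")
    results = {}
    for label, cert in (("original", ORIGINAL),
                        ("substitute", SUBSTITUTE),
                        ("renewed", RENEWED)):
        results[label] = (browser_accepts(HOST, cert), store.check(HOST, cert))
    return results


if __name__ == "__main__":
    for label, (accepted, (status, detail)) in demo().items():
        print(f"{label:10s} browser_accepts={accepted} petname={status}: {detail}")
```

All three certificates pass the default check; only the tagged fingerprint distinguishes the one that was verified, and the issuer comparison separates a changed signer from what may be a routine re-issue.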

Friday, May 21, 2010

Curbside recycling

Our neighborhood has recently improved its curbside recycling program. We used to have a small open green bucket to put our paper and other recyclables in; this bucket lived outside, and got put out every other week next to our giant, closed trash container. We would never remember which week was recycling, and we didn't want to keep the materials outside in the bucket to be waterlogged by rain. Therefore we rarely used the curbside recycling; I'd occasionally take our saved materials to the recycling center, but not on a regular basis.

Now we have a giant, closed container for recycling as well. It's just like our trash container, except it's bright green, and it has a handy sticker on the outside which describes what's appropriate to put in the container. It's so easy now to just toss recyclables in the container outside; much better than trying to manage them inside in the small space we can spare in the kitchen. Paper, plastic, cans, glass - it all goes in together, as soon as it's clean.

Our family tries not to have too much to recycle or dispose in the first place; the best policy is to eschew things with so much packaging. Nevertheless, we do generate trash, except now our trash container is rarely full. Instead, the recycling container has been almost full every two weeks, as we are more disciplined about putting in the newspapers, junk mail, cans, and even plastic clamshells from berry and tomato containers. I think this new program, with its bigger, closed containers and its automated pickup, must be drawing a lot of material out of the garbage stream. I'm looking forward to seeing the numbers when they're published.

Thursday, May 20, 2010

Wednesday, May 19, 2010

Public disclosure of private facts

Justice Louis Brandeis's Right to Privacy outlined a legal theory which in the United States led to the creation of four privacy-related causes of action. One of these is known as public disclosure of private facts, which is defined (roughly) as a

  1. public disclosure
  2. of one or more private facts
  3. the release of which would offend a reasonable person.

A publisher can claim that the facts are newsworthy as a defense; however, the truth of the fact(s) is not a defense, as it is in defamation actions.

Google is perhaps setting itself up as the Napster of location disclosure. As part of its data collection effort for Street View, Google has been collecting private wireless hot spot data; Irish and German authorities caught them keeping private information and forced them to remove it in a fashion auditable by third parties. Google reports that they are using the data about your wireless routers to better locate the position of Internet users. They keep that wireless information in a huge database, associated with its physical location.

How does this work? An application running on your computer, or phone, or network router can continuously check to see what wireless hot spots are around you. The application can then submit that "MAC" information to Google's location service to find out where you are. Once that's determined, the application can send that information to an advertising service, or to a social network site, or basically anywhere else, to keep track of you and let others know where you are.

Is this a public disclosure of a private fact? A number of moving parts must be analyzed to answer that question.

First, is your current location a private fact about you? If so, does the disclosure of one's location offend a reasonable person? Those questions are probably best answered by a jury, should a case like this ever be brought to court.

Is there a public disclosure of your location? To whom is the location disclosed? At what point in the process is it disclosed? Who is at fault for the disclosure; what is the proximate cause? Certainly your computer or device can know your physical location (latitude and longitude) if you are using a GPS (Global Positioning System) device; most phones have that built in, and you can buy a GPS device for your computer or laptop. Without such a device, which is presumably known to you and/or under your control, your computer and its applications can't know your location without a database like the one maintained by Google. Therefore it's definitely difficult to argue that Google is the cause of a disclosure, if one happens. They are only potentially an enabler, much like Napster was, and perhaps can be held liable under a similar theory.

More to the point is that it's the browser or other application which is taking the environmental information (local hot spots etc.), is using that to determine the location, and then is publishing your location (with explicit or implicit permission?) to other applications and services. Netscape/Mozilla has been here before in Specht v. Netscape Communications Corp., when it was sued over its "Smart Download" applet, which stored and transmitted information about user downloads back to Netscape Corporation. Litigating the disclosure of location information is more difficult, because there are likely a large number of applications and devices which are performing the public disclosure, each of which would have to be enjoined. That would be a lot of work. If Google and other "geolocation" services can be reached under a Napster-style enabling theory, then the problem goes away much more quickly, unless they can make a case that they are providing a compellingly important public service.

By the way, you can turn off location information in Firefox. Just browse to the bottom of that page to see how. Can you do that in other browsers?

Tuesday, May 18, 2010

Google Flu Trends - take with salt

Google has a service called Flu Trends which attempts to predict influenza outbreaks based on people's search behavior. The theory is that during outbreaks, people do more searches for particular terms or items.

As any investor can tell you, past performance is no predictor of future returns. Any algorithm Google can come up with can correlate very nicely with past data from the CDC, but may not be as useful for forward predictions. Still, it's a nice idea, and one more bit of information to add to the mix.

Just don't bet your house on it.

Monday, May 17, 2010

Brandeis on Monopolies

I've been reading Mel Urofsky's biography of Louis Brandeis. I'd been aware of Brandeis and his article The Right to Privacy, and enjoyed touching a bit on privacy-related claims in my Torts class. I also appreciated his dissent in Penn. Coal Co. v. Mahon, where he argued that to analyze a "taking" by the government, the courts should determine the value of what remains to the owner, not a narrow diminution of the part that was taken. This approach was incorporated into the majority opinion in Penn Central Trans. Co. v. New York City, a landmark case about, well, a landmark.

Brandeis was a firm believer that large aggregations of economic power, including monopoly, were dangerous to the economy and to democracy. He argued that economies of scale and of monopoly are an illusion, and that competition is healthier:

This argument is essentially unsound. The wastes of competition are negligible. The economies of monopoly are superficial and delusive. The efficiency of monopoly is at best temporary. Undoubtedly competition involves waste. What human activity does not?

This reminded me of an article in the Houston Chronicle by Lisa Gray, An economics lesson on the beer aisle, in which Ms. Gray points out modern examples of how prices at the supermarket are affected by a lack of competition in production and distribution. We see the same attempts at market control by participants in the software industry: Microsoft attempts to use its monopoly to maintain high prices for its operating systems and office software; Apple tries to lock users into its proprietary iTunes and iGadget ecosystems; and Oracle is trying to dominate the market for database systems and middle-ware. Louis Brandeis would feel right at home in our economy, almost 100 years after beginning his "reformist period" at the turn of the 20th century.

Monday, May 10, 2010

Google Picasa

I don't use Google's Picasa photo manipulation and management software. It's not Free Software; it's free as in beer, but not free as in freedom.

That said, my family does use the program, and recently downloaded the newest version. Google has added a cool but slightly creepy feature which extracts faces from pictures and tries to assign names to them. It looks at each picture, and identifies regions which are probably faces, and then it presents you with equally sized thumbnails of each face, so you can tell it who they are. Small faces in the background, large faces up front - they're all scaled to the same size, so some are really sharp, and some (the small ones in back) are kind of blurry.

Of course (?) the program can't know at the start who each face belongs to. You start assigning names to the thumbnail pictures, and Google adds the names as tags to the photos. So far, that sounds like a Facebook for your photo album, albeit with the cool face detection. But here's where it gets creepy.

Once you start tagging the faces, the software learns, and starts suggesting names for the faces. Not only is the detection pretty good for current faces - it is also smart enough to match earlier and earlier faces, so it eventually can find baby pictures with disturbing accuracy. My family trusts Google, and believes Picasa is not publishing the face recognition patterns up to the "mother ship", Google's servers. I'm not so sure. Google has had some issues with grabbing your private data recently. With governments making big investments in closed-circuit televisions to monitor public areas, they need a good way to match names to faces. How tempting it would be for a government to work with Google to patch Picasa to upload all those face matches so it can determine who's showing up on those street corners, at those rallies, in the subways, etc.

Just be careful.

Monday, May 3, 2010

Healthy School Lunches

My family has really enjoyed Jamie Oliver's Food Revolution, a television show centered on changing the food available for school lunches in an American town, Henderson, West Virginia. As much as I appreciate our Houston Independent School District, the food vendor we've been acquainted with, Aramark, has provided absolutely unpalatable food for the student lunches. My kids pack a lunch every day, so they don't have to eat school food.

I'd love to find a group of like-minded parents at my kids' schools, who would be willing to work on changing the food in HISD. My kids would benefit greatly from a warm, healthy lunch, especially one with a vegetarian option. I'm worried, though, that HISD is too huge for a small group of parents to move; it would take a very dedicated set of individuals to take on this effort. In the mean time, maybe what we need to do is help pass federal legislation to provide incentives to schools to experiment with providing healthier meal choices to students.

If any parent or group is interested in coordinating a district-wide effort to improve school lunches at HISD, please let me know; I'd be willing to be a liaison to the schools my kids attend.

Saturday, April 10, 2010

Spaced out

I've always been fascinated by the cosmos - imagining on a huge scale, in both space and time. I enjoyed the Scientific American piece imagining a visit to the 8 wonders of the solar system; as my daughter said, "it almost feels like it's real!"

I am, however, emphatically disappointed in NASA's Be a Martian site, which allows some web users to help NASA explore Mars. The most obvious problem with the site is that it requires a proprietary piece of software (Microsoft Silverlight) to even use it; in that sense, it's not a real web application at all. Requiring that particular plug-in makes it impossible for anyone using Linux, or any supporter of free software who still uses MS-Windows or Apple MacOS-X, to interact with the site. I'm disappointed that a government agency, funded by my tax dollars, has taken a compelling idea and locked it behind an application which is not free, and which advertises a single commercial software company. I realize this is just part of Microsoft's attempt to replace Adobe's Flash as the dominant platform for rich web applications; it's embarrassing that a government agency has enlisted itself as a participant in that commercial battle. The site does not give much of an opportunity to submit feedback; if you want to contact NASA about it, you might try this email address.

Wednesday, March 10, 2010

University of Houston Law Center Tuition Increases 2010 - 2011 (Coda)

The fee schedule for UHLC 2010/2011 has been posted. If you compare last year's fees to this year's for returning resident students, there's about a 12% increase, which was reportedly negotiated down from the original request.

It's not as big an increase as I reported earlier but it's still large, and for incoming resident students, even larger (on the order of 26%). I worry that part of the negotiation was to ask for another increase in the near future; I hope that second request, if it comes, is more than two years away.

Monday, February 15, 2010

University of Houston Tuition Increases 2010 - 2011

I've been attending University of Houston Law Center (UHLC) as an evening student since the Fall 2009 semester. The proposed tuition increases at the University of Houston in general and at the Law Center in particular are a big concern to me. As you can see on page 4 of these materials presented to the Finance Committee of the UH Board of Regents at their meeting on 10 February 2010, the Law Center is proposing a 40% increase in resident tuition for students who joined in Fall 2009 and Fall 2008. The increase for the class entering in Fall 2010 is even greater; for residents, the increase is 65%, and for non-residents, 132%. Yes, if I am reading it correctly, that's the increase, not the resulting tuition as a percent of the current rate.

I understand the need to increase tuition as state funding drops and expenses go up. The campus-wide rise seems to be pegged at a little less than 4%, which seems reasonable, especially as it's paired with an increase in student aid, and a rise in the maximum income a family can earn while still qualifying for the Cougar Promise of free tuition. The Regents and the administration have a duty as stewards of our tuition to spend that wisely on education: to fund research and programs to enhance learning, and to attract and retain great faculty. I wouldn't have any objection to an increase of that magnitude.

I do, however, object to the purpose stated in the Justification for the increase at the Law Center: Support for advancement to top 30 school status including faculty salaries and new facilities. Let me address each element separately:

  1. Advancement to top 30 status. The Law Center administration may argue, much as Dr. Rupp did at Rice University almost 20 years ago, that a top tier university should be charging top tier tuition rates. I won't address the merit of that decision; it seems to have worked out more or less well at Rice, and it would be possible to gather data on how that increase affected the demographics there. Assuming arguendo that raising tuition for incoming students is acceptable because they've not yet decided to turn down offers elsewhere, I submit that incorporating such a "prestige premium" for current students is unconscionable. Students currently attending UHLC relied on the Fall 2008/2009 tuition scale when they made their decisions (in many cases) to move to Houston and turn down offers from other schools. The time and money these current students have already invested in a career at UHLC were made relying, perhaps in large part, on the cost of that education. It's not enough to offer to offset the increase with expanded access to student loans; that merely pushes the problem to after graduation, when it becomes even more difficult (for example) to decide to enter a public interest position, or to go into practice for one's self (perhaps in one's small home town). And it certainly doesn't do anything for those who may be paying for their education themselves.
  2. New facilities. Heaven knows UH needs to rebuild the Law Center; just last week, during the heavy rains, we had water leaking in, and some ceiling tiles soaked through and dropped to the floor. This sounds dramatic, but it's not surprising for a building its age. Nevertheless, new buildings should be built with funds from a capital campaign which solicits contributions from alumni (and even current students). Even after such fund raising there will be a significant amount which will need to be financed; however, that should reasonably be added to the tuition of the students who will be enjoying the new facilities. It makes no sense to force current students to start paying for a building we'll never see or use.

    One could argue that a new Law Center campus would add to the school's reputation and prestige, and that such improvements would be to our benefit in our careers. However that benefit would also accrue to alumni and to the future students using the facilities. We current students would be in the strange position of being compelled to pay for the new facilities (unlike alumni) while never receiving the benefit of the new building (as would future students).

The Board of Regents meets on Tuesday 16 February 2010 to vote on the proposed tuition increases. Law Center alumni on the board include Jarvis V. Hollingsworth of Bracewell Giuliani; Nandita V. Berry of Locke Lord Bissell and Liddell; Nelda Luce Blair of The Blair Firm; Jacob M. Monty of Monty Partners; and Carroll Robertson Ray of Andrews and Kurth. I hope they take all these considerations into account and choose to vote against increasing tuition for current students at their alma mater.

Sunday, February 14, 2010

Being thankful

I attended a workshop this weekend (13 Feb 2010) which was focused on the parents and teachers of advanced students. There were interesting discussions, and it was impressive to see the groups of parents organized to provide or procure academic services for their children.

Most of all, I came away pretty grateful for the infrastructure Houston ISD has put in place to serve gifted and talented children. It's not perfect, and I've written before about at least one way they can improve. In general, HISD can now get better by implementing routine assessments of gifted students and supporting their curricular needs on an individual basis, especially in the middle schools. They should also consider soliciting more feedback from parents, and implementing an assessment/feedback loop to improve their programs.

That said, we as parents in HISD are starting well ahead of the pack compared to some of the other nearby school districts. We have large clusters of gifted students and at least moderately accelerated curricula. Parents from smaller districts have a harder time; their children learn with fewer peers in their group, and their districts may not have the resources or desire to provide services adequate for their advanced children. From some of the comments I heard, I feel I've had an easier time keeping my kids academically challenged because of the support I've had from our school district.

Thursday, February 11, 2010

Verified by Visa: Weak Security?

Steven J. Murdoch and Ross Anderson analyze the '3-D Secure' protocol, implemented as Verified by Visa (VbV) and MasterCard SecureCode (MCSC), in a recent article for Financial Cryptography and Data Security. The two credit card companies have implemented software and a process which attempts to make online transactions more secure by asking the card holder for a password whenever the card is used for a purchase. The idea is that someone holding a stolen card would not know the secret or pass-phrase the holder uses, and so won't be able to complete an online transaction.

In theory, this isn't a bad idea. Having a two-factor authentication scheme for purchases, if implemented correctly, can make fraud harder to perpetrate online. Because the second factor is (in theory) under the control of the card holder, it is their responsibility to make sure it's difficult to guess, and that they change it frequently or whenever it may have been compromised. Based on this theory, the card companies have changed the liability rules for such transactions; a purchase conducted pursuant to the '3-D Secure' protocol shifts the liability for fraud to the issuing bank, away from the merchant and acquiring bank. In section 2.4 on page 4 of the report, the authors identify a situation where the issuing bank then passes the responsibility to the card holder; this is a UK bank, and I'm not sure that would be possible in the US.

The article points out that there are two important areas where this protocol can fail. The first comes from the potential shift in liability to card holders, which would reduce the pressure on the banks involved to make more than token additional investments in fraud reduction, either by transaction analysis or by using effective security technology. This is in contrast to the current regime which absolves card holders of responsibility for fraud when they promptly report a lost or stolen card to the bank or issuer; when the cost of fraud lies with Visa or MasterCard, they make (and have made) significant investments in detection and prevention. Our cards have been stolen a few times; each time a large number of purchases were charged, and each time our prompt action avoided liability for the fraudulent balances. I think in most of those cases the bank called us to warn us of the unusual charges, implying that their fraud detection is pretty effective. Keep in mind that this potential responsibility shift to card holders may not be possible to effect in the US, at least under current laws.

The second area where '3-D Secure' potentially fails is the implementation; the report exposes a number of weaknesses in some banks' software:

  1. The web page asking for your VbV or MCSC password is not obviously served by your bank or by Visa or Mastercard. The password field is implemented as an IFRAME (an embedded frame) which does not trigger the security notices that are typically present in your browser's location bar, so it's not easy to confirm that it's a safe place to type your password.
  2. A safe protocol would have you register a password or phrase at your bank's site before using the card. Unfortunately, the protocol allows something called "Activation During Shopping" (ADS) which prompts you for a password the first time you make a qualifying purchase. Well, maybe that's you, or maybe that's the person who stole your wallet. Some sites want to confirm it's really you, so they ask for your birth date - which is conveniently located on your driver's license, right next to the credit card. Or they may ask for your ATM PIN, which hopefully you haven't memorialized on another piece of paper in your wallet ...
  3. Password resets are not consistently secure. Some banks identified in the report prompted you for a new password if you entered an incorrect one three times.
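
The reset weakness in item 3, modelled as an added example (this is not code from the report or from any bank). The class names, the `reset` method and the out-of-band one-time code used as the fix are assumptions made for illustration; only the three-attempt prompt comes from the post.

```python
"""Constructed model: what an issuer does after repeated wrong 3-D Secure passwords."""
import hashlib
import hmac
import secrets

MAX_ATTEMPTS = 3  # the post describes a prompt after three incorrect entries


def _digest(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2, so the model never keeps the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Issuer:
    """Bookkeeping shared by both hypothetical issuers."""

    def __init__(self, password: str):
        self._store(password)

    def _store(self, password: str) -> None:
        self._salt = secrets.token_bytes(16)
        self._hash = _digest(password, self._salt)
        self.failures = 0
        self.locked = False

    def authenticate(self, attempt: str) -> str:
        if self.locked:
            return "locked"
        if hmac.compare_digest(_digest(attempt, self._salt), self._hash):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= MAX_ATTEMPTS:
            return self._too_many_failures()
        return "retry"


class WeakIssuer(Issuer):
    """Behaviour reported in the post: three misses lead to a new-password prompt."""

    def _too_many_failures(self) -> str:
        return "choose_new_password"

    def reset(self, new_password: str, token: str = "") -> bool:
        if self.failures < MAX_ATTEMPTS:
            return False
        self._store(new_password)  # nothing ties the reset to the card holder
        return True


class HardenedIssuer(Issuer):
    """Assumed fix: lock the card and require a one-time code sent out of band."""

    def __init__(self, password: str):
        super().__init__(password)
        self.holder_inbox = []  # stands in for a channel only the card holder reads
        self._token = None

    def _too_many_failures(self) -> str:
        self.locked = True
        self._token = secrets.token_urlsafe(16)
        self.holder_inbox.append(self._token)
        return "locked"

    def reset(self, new_password: str, token: str = "") -> bool:
        if self._token is None or not hmac.compare_digest(token, self._token):
            return False
        self._token = None  # single use
        self._store(new_password)
        return True


def stolen_card_takeover(issuer: Issuer) -> bool:
    """True if someone holding only the card ends up with a working password."""
    for guess in ("wrong-1", "wrong-2", "wrong-3"):
        issuer.authenticate(guess)
    issuer.reset("chosen-by-thief")
    return issuer.authenticate("chosen-by-thief") == "ok"
```

With the weak issuer the card holder's original password stops working after the takeover; with the hardened one the card stays locked until the code from `holder_inbox` is presented.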

Finally, there's another issue to consider. Because of the complexity, it seems a number of banks are outsourcing the implementation of '3-D Secure' to a third party such as Cyota. The potential positive effect of that decision might be that the participating banks all benefit simultaneously from increases in security as that party improves. The possible concern is that there's now yet another entity which knows about all your online credit card purchases; in fact, because transaction details are passed to the issuer to present to the card holder for verification, they now are told not only the total for the transaction but all the items in the purchase. That level of detail was not reported by the merchant to the bank previously (in the current/older SET protocol).

So what's the conclusion? Maybe you should consider this course of action when you're challenged by a site using Verified by Visa or MasterCard SecureCode: abandon the transaction, write a letter to the merchant explaining why you think '3-D Secure' is a bad idea, and write to your card issuer and let them know you'll be using another card (Discover? American Express? Paypal? Amazon Payments? Google Checkout?) for your online purchases. In the worst case, the driving consideration behind the development of this protocol is not improved security; instead, it could be the shift in liability for fraud from the banks to you. Maybe if enough card holders push back, they'll get the message, and maybe future implementations of '3-D Secure' will be better.

Saturday, February 6, 2010

Sustaining grant-funded software

As I've written before, I am impressed by the Our Courts foundation, web site, and materials. My children found the interactive games compelling, and I'm considering using the volunteer guides in their schools.

I'm disappointed by their decision to use CC-BY-ND-NC as the license for the materials, in particular the inclusion of the NC (no commercial use allowed) and ND (no derivative works allowed) restrictions. The definition of "non-commercial" appears intuitively obvious, but as the discussions at creativecommons.org have demonstrated, its full import is still unclear. When coupled with ND (no derivatives), it's almost unnecessary; since no one can make a derivative work, anyone trying to commercialize the unchanged content would have to compete with Our Courts, which is providing the same work at no cost. The economics apparently wouldn't encourage such an attempt. There's also a compelling argument that restricting commercial use is unnecessary to protect the freedom of works and is incompatible with the principles of free software and free culture.

However, the use of ND is a bit more of a concern to me; it means that adopters can't adapt the materials if appropriate: altering vocabulary to address a different grade level, translating to another language, adding fact patterns or rights to the card hand-outs in the volunteer guide. Each potential improvement is a derivative work prevented by the license. Further, it means the games can only be re-distributed intact; downstream recipients, programmers and content developers, cannot add a new fact pattern to "Supreme Decision", or add/alter fact patterns to "Do I have a Right?" (DIHAR), add/change lawyers, add/change law firm upgrades, add rights, translate, etc.

I will guess that their team has plans to create more and different resources (games, materials, etc.); I look forward to them as they arrive. However, as they move forward, older resources will tend to ossify. By removing the no-derivative (ND) restriction (and perhaps by replacing it with SA) they may in fact improve the chance that these materials stay relevant and become more widely adopted, as they are adapted to new statutory environments, and are translated into Spanish, Chinese, and other languages. I recommend they use the CC-BY-SA to make it possible for Our Courts to foster an ecosystem around the content, and leverage their investment in those impressive materials by taking advantage of the enthusiasm and efforts of a wider, engaged community.

No grant-funded project wants to think about what happens when the soft money runs out - but funding doesn't last forever. Until Our Courts figures out an economic model that's self-sustaining, they run the risk that when they can no longer afford to publish and improve their materials, that investment and hard work disappears. They might take a look at the Connexions repository as an example of a project which uses the CC-BY license, thereby ensuring that their materials will continue to be updated and useful by the community even if their own funding should run out.

Friday, February 5, 2010

Seems obvious

When network operators (phone and internet) implement wiretap back doors to allow governments to monitor your data, it should be expected that the wiretap channels can also be accessed by other entities. This includes other governments, employees at your service provider, random third parties. The fact that these wiretap facilities have no audit trail means you don't even know when your data has been compromised.

Wednesday, January 20, 2010

Don't steal this textbook

I'm a pretty regular reader of Kevin Carson's writings over at the Mutualist Blog and at C4SS, the Center for a Stateless Society (I only read his contributions and cannot recommend any of their other writers to date). As a self-described "libertarian leftist" he contributes a lot to a vision of a distributed and decentralized society, one which is potentially more robust economically and socially. His work is a generally well reasoned synthesis of a wide range of philosophers and economists; I recommend not only his blog posts but the longer works published as PDFs. In a nutshell: broadly available tools of production and raw materials should make it possible for more people to participate in the economy as producers, to contribute improvements to processes and designs, and to realize the full value of our efforts. Decentralization reduces the concentration of wealth and power and makes the system more resilient because the failure or destruction of any one contributor (individual, group, firm) does not have a huge effect on the ecosystem. In such a system, no one producer is too big to fail, contributors leverage incremental increases in knowledge, and everyone realizes the bulk of the value they add to the economy.

Sometimes Mr. Carson gives advice on how to get to such an ecosystem. In Steal this Textbook, Mr. Carson identifies textbook producers (especially publishers of college texts) as market manipulators, and suggests a course of action to reduce or remove their influence in the market. He points out that professors both write and recommend texts for classes, and suggests that new editions are produced and printed for what are typically minor changes (which disrupts the market for used/re-sold books). These points are debatable; but let's assume arguendo they're true. He suggests the market power of the textbook publishers can be broken by a coördinated effort to scan and electronically distribute copies of their books; however, I think this is not a reasonable course of action, and the effects may run counter to what he might intend. It's also a recommendation to break the law, which I can't condone anyway.

My second objection is that his suggestion is counter-productive. A wide scale disregard for copyright would undermine (for example) the Free Software ecology; the enforced sharing inherent in "copy-left" licenses such as the GNU General Public License requires the respect of the rights of the authors and copyright holders in the relevant software. Without such protection, such gifts to the community could be appropriated by publishers who would benefit from the value without contributing anything to the community in return. In another example, the works at C4SS (and on this blog) are published to the readers under a Creative Commons "By Attribution" license, which means you can use the work however you like as long as you credit the author(s). The academic ecosystem relies on reputation, and attribution is a crucial component of that calculation. A disregard for copyrights would undermine these and related sharing based environments.

Another objection arises from economics. When textbook publishers lose revenue because of illegal copying, they can to some (large?) extent recoup the loss by increasing prices on legitimate textbook purchasers because there are as yet no alternatives to their products. An example comes from computer operating systems: it isn't massive copying or "piracy" alone which makes Microsoft worried about their hegemony, it's the presence of alternatives to MS-Windows. As long as there were no viable alternatives to using MS-Windows (remember the 1990s), Microsoft could take advantage of their monopoly position to raise prices to maintain their profit margins, and their corporate and legitimate end users had no choice but to pay the rents. Now that Apple is increasing its market share, Linux is taking over data centers and desktops, and distributors like Lenovo and Dell are pre-installing Ubuntu on computers, Microsoft faces an upper bound on what customers are willing to pay for their software, which makes piracy a much more potent threat to their revenues. I suggest to Mr. Carson that it's far more effective for people to support and contribute to open education resources such as Connexions than to spend time scanning and distributing copyrighted texts on the internet. Once there is real competition in the textbook space, the publishers will start worrying about their rotting corpses [being displayed] on [our] battlements. Until then, the publishers can figure out alternate ways to extract revenue from students: mandatory textbook fees per student from universities? Textbook rentals instead of sales (like K-12 schools)? Higher textbook prices? etc.

As I and other comment writers suggest on the article, readers should look for open source textbooks, wiki books, and open education efforts such as Connexions to participate in. Having valuable peer-produced texts to use in education will start the process of forcing the textbook publishers to change their profit model to survive. I don't think it's worth the effort to scan and distribute textbooks; all that will do is convince textbook publishers to adopt the RIAA approach. Far better to have publishers react as IBM did to free software: figure out how to make money by providing added value, either with improvements to the products, or in associated services.

Friday, January 15, 2010

Teaching the law

As we raise our children to become informed and active citizens, I think it's important they have an understanding of how the legal system works. They should become familiar with the rights and responsibilities they have under current law, and know how laws operate and are created. This knowledge will help them evaluate their rights and responsibilities, and give them some guidance as they inevitably wonder how to change the system.

Professor Wesley Newcomb Hohfeld, in an influential (but a bit dense) work in 1919, analyzed how laws operate. His description attempted to resolve the ambiguity around the term "rights" (as used by different, other philosophers) by presenting laws as a realization of 8 foundational concepts (right, no-right, duty, privilege, power, disability, immunity, liability), used as both opposites and correlatives. A Unified Theory of Law by lawyer John Bosco, available at the amazing Connexions knowledge repository, takes Hohfeld's Fundamental Legal Conceptions as Applied in Judicial Reasoning and distills it to a simpler structure, which can hopefully be more easily understood by middle and high school students. The core of the concept is the "Periodic Table of the Law", which takes the three independent variables of legal construction and demonstrates the nine components of the three possible types of law.

Another site called Our Courts is designed to present legal concepts to middle school students through interactive games and instructions for classroom volunteers. The site was developed by an organization whose board is led by former Supreme Court Justice Sandra Day O'Connor. The site is currently organized around two interactive (Flash) games: Supreme Decision, which walks a player through a Supreme Court case, the issues involved, and an analysis of each; and Do I Have a Right? (DIHAR), which helps students understand some of the rights secured by the amendments to the US Constitution.

The materials are well organized and compelling; the content is complete and engaging, and the presentation is appealing. The games are supported by teacher materials and volunteer guides so practitioners and parents can easily bring these civics lessons into classrooms. The games are well designed: they're informative at the right level (middle school); they include randomized events, so it's possible to play more than once without being bored; there are enough variables (especially in DIHAR) to play with so kids can make decisions such as upgrading the office or individual lawyer desks; and the game benefits (points) are directly and proportionately related to the goals, so success is rewarded, and failure counts gently against you. Their team clearly had access to game play designers who know what they're doing.

I encourage you to go check out these resources!