Archive for the ‘Legislature’ Category

RIP Ad Targeting by ISPs?

Tuesday, September 2nd, 2008

In an announcement that’s sure to bring joy to privacy advocates everywhere, it seems most ISPs are shuttering plans to monitor user activity for the purpose of directed advertising. This is the practice by which they record your web surfing activities, selling the data to advertisers who then send you “directed” ads based on your surfing preferences.

Aside from the free money ISPs would make from it, I don’t see how this got as far as it did. Think of the concept in real-world terms: you walk into a department store, and browse basketballs in the sporting goods area. Then you wander over to automotive and look at wrenches. How would you feel if, as you left the store, someone walked over and said “we noticed you were looking at these things today, here are some upcoming sales you might be interested in. Oh, and by the way we know your name and address and will be sending you even more ads for the same items.”

That’s what this strategy broke down to — free access to your habits for anyone who wanted to pay for it. The reason it’s now deemed unacceptable is obvious: privacy. Plus, ISPs have complained for years that they should be treated, like the phone company or postal service, as a “common carrier.” They’ve always argued they’re not liable for, or in control of, the data they transport. As a common carrier, they aren’t responsible for cutting off transmission when someone is uttering a threat or planning a robbery. They don’t look at the data, they just move it from place to place.

This makes sense. The phone company isn’t allowed to tap your calls whenever it wants to. The post office can’t open and sift through your mail. So if ISPs are common carriers, how can they be allowed to look at your browsing habits and sell that information to advertisers? Congress seems to agree, as do overseas users who are bringing the practices of another company there under scrutiny.

It’s time this situation gets defined clearly, and fixed rules are established. Until that happens, consumers are trapped in the middle.

Insufficient Enforcement Online

Thursday, August 14th, 2008

Given the massive rise in cyber-crime over the last few years, you’d think more governments would be doing something about it. However, according to a recently released report by the Center for Democracy and Technology, it appears most states aren’t doing much at all. At best, they’re pursuing pedophiles and sexual predators while totally ignoring most cases of fraud and deception. In other words, they’re going after high profile, high visibility cases that could only be ignored at great peril to political careers.

What this means is that cases of auction or retail fraud, identity theft, and other money-related scams are largely being ignored. This is despite the fact that, according to a press release related to the report, “in 2007, 24 out of 30 states that provided rankings reported an Internet-related category within their top 10. Eight states ranked Internet-related complaints among their top three most common consumer complaints, including four states that ranked Internet-related complaints at the top of the list.”

The states need to face up to facts. Lots of crime that was previously conducted at a low level via traditional means (like mail fraud, selling non-existent merchandise, or the pyramid scheme) is going online. It’s also exploding in volume, since online fraudsters don’t need any infrastructure at all in order to operate. All they really need is a few disposable email accounts, maybe a $10 a month domain, and enough expertise to set up the scam. All the work can be done in Internet cafes, so they don’t even need their own PC.

The Attorneys General in most states aren’t monitoring spyware and viruses, and apparently aren’t taking much action in regard to fraud schemes, ID theft, and other common online crimes. Maybe it’s because their offices aren’t equipped to handle the volume. Maybe they consider it interstate crime, and therefore the FBI’s domain. One way or the other, consumers are out in the cold. And with hundreds of thousands of cases of online crime a year, it’s just going to get worse.

I saw a statistic somewhere showing that Americans lost something like $20 million to Nigerian “419” scam artists a year or two back. Will states, or even Federal authorities do anything about it? Or will consumers simply be left swinging?

I suspect the answer is obvious. You’re on your own.

Homeland Security and your Laptop

Monday, August 4th, 2008

Be afraid. The US Department of Homeland Security (DHS) is randomly seizing laptops, cell phones, PDAs, and anything else it decides is potentially useful during border crossings. They don’t have to prove anything, they don’t even have to have probable cause. If they decide your device (or, for that matter, anything in your pockets or on your person) is of interest, they’ll take it.

This is very troubling for any number of reasons, and with any luck it’ll be changed sometime “soon” to require some sort of reasonable suspicion. However, in the meantime anyone — US citizens included — who’s crossing the border may be forced to surrender all or some of their electronic devices with no recourse at all.

Don’t think you can avoid this problem by stashing your private data on a thumb drive, either. They can seize those too. Welcome to the police state.

What can we do about this? The first step is to write your Congressional representatives to protest, and to demand a change to these idiotic and capricious rules. But if you’re traveling with a laptop, you might want to consider a number of strategies to minimize potential loss.

The easiest is to avoid carrying any expensive electronic devices at all. Instead, use Internet cafes and other access points located in your foreign destination. Store all your data (encrypted, please) at some central access point so you can retrieve it at any time.

If carrying your machine abroad is unavoidable, consider either of two strategies. You could go for stealth mode and use encryption technology to conceal all sensitive data on your machine. This is arguably more dangerous in that DHS could decide hiding information means you’re more suspicious. If you have nothing to hide, why encrypt anything? This is standard operating procedure for law enforcement and military investigators. It’s long been known that encrypting your email automatically makes you more suspicious, for exactly the same reason.

The other strategy is to leave everything on your laptop open — just don’t store anything sensitive or private on it. Keep all your data on a central server and be sure to clear your caches before crossing a border. This way, they can search all they want without (hopefully) finding anything interesting.

One note: one source told me that law enforcement can’t compel you to reveal your encryption key. I’m told the precedent for this was established a year or so ago, when a court ruled that forcing someone to reveal their private key was tantamount to violating the fifth amendment. So if someone demands your key, just say no.

Privacy Protected — for now

Wednesday, June 25th, 2008

A while back I mentioned certain ISPs were considering tracking network usage of their customers, in order to determine browsing habits and bandwidth use. Now, at least one of those companies has backed off from these plans in the face of privacy and other concerns. Bravo, although as one privacy advocate noted this was “quick damage control” on the part of Charter Communications.

The announcement they issued was a classic of corporate double-speak. “Our customers are always our first priority,” Charter said. “We will continue to take a thoughtful, deliberate approach with the goal to ultimately structure an advertising service that enhances the Internet experience for our customers and addresses questions and concerns they’ve raised.” This is boilerplate PR gibberish designed to calm the situation while leaving the door open for future monitoring.

What the above basically says is “we got caught and will make other plans that will allow us to gather the information we want.” The pie is too big to do otherwise. Internet advertising, especially the directed type that sends locale-specific ads to customers based on IP address, is big business. ISPs want other revenue streams, so if they can come up with a way to gather data that’s useful to advertisers, they’ll do it.

Charter’s plans drew immediate (and definitely unwanted) attention from Congress. Many voters are concerned about how their private data is being used and misused. Personally, I despise locale-based advertising and think it should be heavily regulated. For the most part, it seems to consist of directed ads for movie tickets at nearby theaters and idiotic nonsense about “meeting local singles.” I’m sorry, that’s just a waste of bandwidth.

What the US needs is a good data protection act that prohibits companies from gathering or using this sort of data for advertising purposes. While ISPs need the ability to monitor bandwidth consumption for the purpose of improving network service, they should not be able to retain that data or mine it for advertising purposes.

For that matter, we need a law similar to one in effect in the EU that forces companies to delete credit card information no more than six months after a consumer buys something. Keeping it around forever (which is the current state of play in the US for most companies) just means there’s more to steal when someone hacks into a company’s servers.

Digital Danger at the Border

Wednesday, May 7th, 2008

With the War on Terror in its sixth full year, and with no sign of abating, privacy activists are becoming more concerned with the Bush Administration’s policy of inspecting digital assets during random checks at border crossings. Basically, if you’re crossing the border and agents notice anything even remotely suspicious on your laptop, you’ll probably end up in court.

The controversy revolves around the objective of the searches, which are supposed to be focused on suspicious data that might uncover terrorist activity. On several occasions in the past, such random checks have resulted in arrests for possession of alleged pornographic materials (specifically, child porn) found on someone’s laptop. While such material is justifiably illegal, it’s not exactly National Security material. If the laptops (or PDAs, etc.) hadn’t been inspected as part of the War on Terror, the materials would never have been noticed.

Thus, representatives of many organizations sent an open letter to Congress, protesting the actions and asking for a legal review of the practice. This makes sense, since current search-and-seizure tactics place our overall privacy at risk. Security is a good thing, but governmental ability to raid and seize any material it deems potentially suspicious opens the door for massive privacy abuses.

There’s another problem, too. I regularly encrypt sensitive documents if I have to carry them around on my laptop. Anything that’s encrypted immediately raises flags among security personnel. Will I be forced to surrender my private key in order to “clear” myself of any potential wrongdoing?

The worst part of this practice is that most competent terrorists aren’t going to be stupid enough to travel around carrying incriminating materials on their digital media. So the idea of randomly searching laptops and other electronic devices is probably nothing more than a feel-good practice that’s unlikely to accomplish anything useful.

In the meantime, it’s probably a really good idea to be very careful what you carry on your laptop, PDA, or digital camera. A single suspicious photo, even one of your own kids taken in the wrong context, could land you in jail.

Software Licensing 101

Monday, April 21st, 2008

Here’s a quick quiz. You’re visiting your brother, and notice he’s using some snazzy new graphics package on his PC. You comment on it, and he offers to cut a copy on CD or DVD so you can use it as well. It’s licensed commercial software. If you accept the copy and install the software, are you guilty of piracy?

Answer: yes.

That’s not what you wanted to hear, was it?

The sad fact is that lots of people are using pirated software. When you buy a copy, either over the Internet or in a store, it’s generally a single use license. This means (if you ever bother to read license agreements) you’re permitted to install one and only one copy. You’ve bought a license to use the product on one machine. That’s all. In some cases, vendors add a special “running instance” clause that allows you to install on more than one machine, as long as only one copy is in use at a given time. No fair installing two copies so your kids can run the same package while they’re at school.

Microsoft is dealing with this problem via its somewhat onerous hardware-based licensing scheme, as used in XP and Vista. If you install a second copy, it’ll try to register itself over the ‘Net. When it does so, it’ll detect that it’s already been installed elsewhere. Eventually it’ll refuse to run. Theoretically, Microsoft could track down the illegal machine’s IP address and send the software police to knock on your door.

More strangely, some people seem to think they can buy a Vista “upgrade” package and slip through a loophole regarding licensing. This is a very dangerous game, and one that’s bound to lead to problems later on. They certainly won’t be given support if they need it, since the OS was installed “fresh,” not atop an earlier version of Windows.

Software licensing isn’t a game. Eventually, if you run outside the law, it’ll catch up with you. Paying $200 for a cleanly licensed application is a lot less expensive in the long run. Heck, that amount would only cover the first hour of a decent lawyer’s fee.

Is Your ISP Limiting Your Data?

Wednesday, March 26th, 2008

There’s been more fallout following the revelation last autumn that Comcast was using TCP/IP reset packets to limit the throughput of file sharing users and some streaming video. A company in California has created a plug-in that allows users of its file-sharing application to tell if their ISP is using the packet-reset trick to limit their bandwidth. They’ve also instituted a petition to the FCC to force broadband ISPs to stop limiting access for file-sharing applications, and are encouraging users to testify.

This all makes a huge amount of sense. For nearly half a decade, media companies have been working on pushing more content to the Web. Big networks like NBC and CBS have created sites where users can stream complete, unedited copies of “vintage” TV shows, as well as recent series like Lost and The Office. Movie companies are releasing increasingly popular trailers of upcoming attractions, like the new Indiana Jones movie due in May. All this could be jeopardized if ISPs are allowed to limit bandwidth for high volume users.

The new plug-in from Vuze at least allows users to tell if their ISP is using the TCP/IP reset trick. It won’t help with other, more subtle means of limiting bandwidth and isn’t useful for people who don’t use the Vuze application, but it’s a start. I suspect it’ll inspire other companies to create standalone applications that’ll help users better determine how their ISP is behaving.

The fact that Vuze has challenged the FCC to do something about the problem is also a good thing. If ISPs are allowed to get away with limiting bandwidth, they’ll probably also start charging differential prices for “high volume” data consumers. Such schemes have been discussed, and I previously reported on at least one ISP that’s implemented it as a “test.”

For a while, consumers have benefited from a price war that’s driven access costs down. If providers discover they can jack up monthly fees or charge by the packet, those low prices will vanish quicker than a politician’s promises after election day. Don’t let that happen. Get involved. Write your representatives, petition the FCC, and don’t let big corporations hold your data hostage in order to bloat their already obscene profit margins.

Comcast Caught Again

Tuesday, February 19th, 2008

A few months back I talked about allegations that Comcast was manipulating traffic patterns for certain types of data on its network. Effectively, the company was messing with user data in order to “slow down” downloads and P2P (Peer To Peer) data exchanges such as Gnutella and BitTorrent. This claim was first reported in October, and Comcast tacitly acknowledged it a few days later. It provoked a storm of outrage, and has since spawned numerous lawsuits.

Now this story is back in the news again, and Comcast’s tactics are in the open. They’re interfering directly with TCP/IP streams, sending reset (RST) packets while users are attempting to use certain file-sharing packages. This causes the file exchange to terminate with an error.

According to the article, “As the user is uploading the file, Comcast sends a message to both the uploader and the downloader telling them that there has been an error within the network and that a new connection must be established. Because the message sent to users does not appear to be sent directly from Comcast, many critics have accused Comcast of sending forged or spoofed packets that they say are deceiving to consumers.”

I’m sorry, but that’s a very shady business practice for a company that bills itself as one of the largest telecommunications providers in the US. The EFF (Electronic Frontier Foundation) ran tests on Comcast’s network, comparing their handling of heavy user activity with that of other providers. Other companies use a much less intrusive strategy. The EFF insists “several other ISPs have to deal with users that hog bandwidth on their networks, and many of them use tactics such as dynamic per-user traffic shaping that mitigate individual user’s impact on their network.”

Despite Comcast’s claims that it’s only managing its network traffic, I suspect the numerous class action lawsuits and other negative press will cause it to change its strategy. This incident has given the company a black eye. It’s now seen as a “big brother” entity that’s censoring traffic, rather than acting as a common carrier.

No provider should be permitted to interfere with data sent by its users. Sure, they can throttle excessive use during peak periods. But sending bogus RST packets in order to cut off file sharing? That’s interfering with user transmission, and should be prohibited.
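The forged-RST behaviour described above (and the Vuze plug-in mentioned in the March post, which tells users whether their ISP is using the reset trick) comes down to one question: did this RST really come from the other end of the connection? The following is an added example, not code from the original post, from Vuze, or from the EFF's tests. It replays a constructed list of packet records for a single TCP flow and flags RSTs whose IP TTL or sequence number is inconsistent with the traffic already seen from the same endpoint, which is the usual fingerprint of a reset injected by a middlebox rather than sent by the peer. The flow, addresses and TTL values are all constructed for the demonstration.

```python
"""Heuristic detector for injected TCP RST packets (added example).

Two signals are checked on every RST:
  * TTL  - packets from one host over a stable path arrive with the same
           IP TTL; a third party on the path usually produces a different one.
  * seq  - a genuine RST carries the sender's next sequence number; an
           injected one often reuses a stale or guessed value.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str          # "ip:port" of the sender
    dst: str          # "ip:port" of the receiver
    flags: str        # subset of "SAFRP" (SYN, ACK, FIN, RST, PSH)
    seq: int
    ack: int
    ttl: int          # IP TTL as seen at the capture point
    payload_len: int = 0


def detect_injected_rsts(packets):
    """Return [(index, packet, [reasons])] for RSTs that look injected.

    The first non-RST packet in each direction sets that direction's TTL
    baseline; the highest sequence number consumed so far sets the value
    a genuine RST from that side is expected to carry.
    """
    ttl_baseline = {}   # (src, dst) -> TTL of first non-RST packet
    next_seq = {}       # (src, dst) -> next sequence number expected
    findings = []
    for i, p in enumerate(packets):
        direction = (p.src, p.dst)
        if "R" in p.flags:
            reasons = []
            if direction in ttl_baseline and p.ttl != ttl_baseline[direction]:
                reasons.append(f"TTL {p.ttl} != baseline {ttl_baseline[direction]}")
            if direction in next_seq and p.seq != next_seq[direction]:
                reasons.append(f"seq {p.seq} != expected {next_seq[direction]}")
            if reasons:
                findings.append((i, p, reasons))
            continue  # RSTs never update the baselines
        ttl_baseline.setdefault(direction, p.ttl)
        consumed = p.payload_len + ("S" in p.flags) + ("F" in p.flags)
        next_seq[direction] = max(next_seq.get(direction, 0), p.seq + consumed)
    return findings


# Constructed sample: an uploader A and a downloader B exchange data, then
# two RSTs arrive that claim to come from each side but were not sent by them.
A, B = "10.0.0.5:51413", "203.0.113.7:6881"
SAMPLE_FLOW = [
    Packet(A, B, "S",  100,    0, 64),              # handshake, TTL 64 from A
    Packet(B, A, "SA", 500,  101, 52),              # handshake, TTL 52 from B
    Packet(A, B, "A",  101,  501, 64),
    Packet(A, B, "AP", 101,  501, 64, payload_len=1000),   # A uploads 1000 bytes
    Packet(B, A, "A",  501, 1101, 52),
    Packet(B, A, "R",  501, 1101, 47),              # seq is right, TTL is not
    Packet(A, B, "R",  101,  501, 60),              # stale seq and wrong TTL
    Packet(A, B, "AP", 1101, 501, 64, payload_len=500),
    Packet(A, B, "R",  1601, 501, 64),              # genuine close by A
]


def suspicious_indices(packets=SAMPLE_FLOW):
    """Indices of packets flagged by the detector (convenience wrapper)."""
    return [i for i, _, _ in detect_injected_rsts(packets)]


if __name__ == "__main__":
    for i, p, reasons in detect_injected_rsts(SAMPLE_FLOW):
        print(f"packet {i} {p.src} -> {p.dst}: " + "; ".join(reasons))
```

Run stand-alone it reports packets 5 and 6 and stays quiet about the genuine RST at index 8. Both checks are heuristics: a route change or a NAT that rewrites TTLs will shift the baseline, and a real RST sent after a retransmission may not carry exactly the expected sequence number, so a tool built on this should count mismatches over many flows rather than treat one hit as proof.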

Should Linux Fear Microsoft?

Thursday, February 7th, 2008

Lately Microsoft has been making a lot of noise about alleged patent violations it claims to have found in the Linux OS. This is pretty rich from (as Linux founder Linus Torvalds said recently) “a convicted monopolist” like Microsoft. It’s also reminiscent of SCO’s 2003 claim that IBM infringed on its ownership of the UNIX OS by slipping bits of proprietary source into Linux.

Fear, uncertainty, and doubt (AKA “FUD”) are the keywords here. SCO tried to get airtime by claiming anyone who bought Linux faced legal action based on its alleged ownership of the source code. It’s taken four years and millions in legal fees for the SCO case to wind down. In the end it turns out SCO didn’t own that software at all. Novell did, and they bought Linux vendor SuSE. They’re also suing SCO for the money it brought in by selling “licenses” it had no right to sell.

It’s telling that Microsoft paid SCO millions of dollars several years ago, allegedly to indemnify itself against these claims. This served several purposes. It increased the uncertainty factor by giving a measure of credence to SCO’s claims of ownership. If a big company like Microsoft was willing to pay, it must mean something. Right?

It also injected a lot of badly needed money into SCO’s dwindling coffers. The company barely recognized any other revenue from its (now largely dead) claims, but Microsoft’s payment of licensing fees kept the lawyers fed for at least a while longer.

It’s been in Microsoft’s best interest to keep the FUD factor around Linux alive for as long as possible. Its latest claim, that Linux violates Microsoft patents, is just the next round in the FUD maelstrom. They want to keep people from abandoning Windows, which is now starting to happen more quickly as Linux matures. The latest claim is no different from a politician insinuating that his or her opponent is an untrustworthy crook.

Even better, the Supreme Court recently ruled patents have been handed out too freely over the last few decades. The Electronic Freedom Foundation’s lawyer, Eben Moglen, is happy about this development. He claims software isn’t patentable since it’s no more than a mathematical algorithm. He’s probably right. Moglen’s hand “got stronger just last month when the Supreme Court stated in a unanimous opinion that patents have been issued too readily for the past two decades, and lots are probably invalid. For a variety of technical reasons, many dispassionate observers suspect that software patents are especially vulnerable to court challenge.”

Nice try, Microsoft. Free software is here to stay, and you need the competition.

The Tax Ban Cometh

Wednesday, October 31st, 2007

Despite protests from some states whose governments are lamenting lost revenue, the US Congress has approved another extension to the Internet tax moratorium. Now it’s down to President Bush’s signature, and there’s no reason to believe he won’t sign it. If he doesn’t, his polling numbers are sure to drop even further.

For anyone who’s not aware of this debate, it’s a key feature of Web business as well as a sticking point for many state governments. States levy sales taxes on transactions involving any business with a “physical presence” anywhere in their state; thus you pay tax on your new PC whether you buy one in a traditional bricks-and-mortar store or online – presuming the retailer (say Best Buy) has a physical store or other facility somewhere in your state. This is an outgrowth of the mail order economy, which also charged no sales tax except in the state where the company operated physical facilities.

Online-only retailers like Amazon and Tiger Direct operate in a similar manner and have enjoyed the same tax exemption, much to the dismay of state governments who claim shrinking revenues due to the increased effect of Internet based businesses. They also would like ISP access itself to be taxable, which is simply a money-grab strategy. A variety of schemes have been proposed to mitigate the alleged loss of revenue, none of which have ever gotten past committee. One insisted sales tax should be levied for all online purchases, based on the buyer’s home address. Other states have said that anyone who buys from an online merchant should mail a check for the appropriate amount of sales tax to their home state’s department of revenue! Needless to say no one has taken any of these ideas seriously, since the first would place a massive burden on Internet-based retailers while the second is simply unenforceable.

All hyperbole aside, sales taxes were originally intended to compensate local governments for the burden involved in supporting local retailers. If someone built a shop on Main Street, the local government needed to provide police and fire protection, as well as other physical infrastructure to support that business (roads, utilities, etc.). The sales tax was seen as the state’s “cut” of a business’ profit… and thus the “physical presence” test. Internet businesses don’t have a physical presence and place no burden on government resources: therefore sales made through these online retailers shouldn’t result in a windfall for government coffers. And in any case, the additional revenues made by UPS and other delivery services as a result of Internet businesses should more than compensate states for any loss in other areas.

The tax ban is now being extended for another seven years. This also includes, even more importantly, a ban on “bit taxes” that would have subjected consumers to fees for Internet access itself. Some providers said access costs could “shoot up as much as 17% without” an extension to the moratorium. Given that this ban has been extended several times already, it’s apparent it should be made permanent so lawmakers are no longer required to waste time debating it all over again.