CVS.com, cleansed

I bought a product at CVS online. They emailed me a request that I review the product on their site. I did. I didn’t like the product, but I complied with every single requirement for comments. Today I got a polite email telling me they had rejected my comment. When I clicked on the link to “contact us,” 404’d.

So when you see a certain glow on the CVS site, remember, it is carefully edited. 

(Original post on Tumblr)

It happens, sometimes,
that things are too much.

Stacks overflow.
Trusses break.

I get that.

What I don’t get is:
how one barrels through.
Where does that strength come from?
How is it fed?

And if it doesn’t appear on command,
how does one hold on, waiting?

Everything is collapsing.
By definition, that means:
nothing remains to be held.

Anon.
(Original post on Tumblr)

On the emptiness in the concept of "neutrality"

One of the most frustrating aspects of this report is the role of “neutrality” — especially in light of the criticism MIT makes of the prosecutors reported in the post below.

“Neutrality” is one of those empty words that somehow has achieved sacred and context-free acceptance — like “transparency,” but don’t get me started on that again. But there are obviously plenty of contexts in which to be “neutral” is simply to be wrong. 

For example, this context: The point the report makes in criticizing the prosecutors is that they were at a minimum negligent in not recognizing that under MIT’s open access policies, Aaron’s access was likely not “unauthorized.” As the report states (at 139): 

As far as the Review Panel could determine, MIT was never asked by either the prosecution or the defense whether Aaron Swartz’s access to the MIT network was authorized or unauthorized—nor did MIT ask this of itself. Given that (1) MIT was the alleged victim of counts 9 and 12, (2) the MIT access policy, its Rules of Use, and its own interpretation of those Rules of Use (including the significance or “materiality” of any violation of those terms) were at the heart of the government’s CFAA allegations in counts in both indictments, and (3) this policy and these rules were written, interpreted, and applied by MIT for MIT’s own mission and goals—not those of the Government— the Review Panel wonders why. (p139)

But that criticism goes both ways — if indeed MIT recognized this, and didn’t explicitly say either privately or publicly that Aaron was likely not guilty of the crime charged, then that failure to speak can’t be defended by the concept of “neutrality.” 

Indeed, the criticism of MIT could be stronger: At most, the prosecutor was negligent. But MIT was more than negligent: The issue was explicitly flagged for it, by a senior member of the MIT administration. As the report indicates, Joi Ito, in the summer of 2011, explicitly raised the point: 

One particularly pertinent moment was in June 2011 when the Media Lab Director [Joi Ito] informed the administration that Aaron Swartz was charged with “unauthorized access” and suggested that MIT would be in a position to cast doubt on this charge if so desired (see section III.B.1). …

A charge of “accessing [the MIT network] without authorization or in excess of authorized access” deeply involves MIT, since MIT provides the authorization and sets the rules of authorization. Thus MIT set rules that played a key role in determining what constituted a felony in the Aaron Swartz case. In the 1994 prosecution of David LaMacchia, MIT communicated to the USAO that, as a student, LaMacchia was authorized to accessthe computer as he had done. There was no reflection on the LaMacchia case during Swartz’s prosecution: institutional memory had been lost. Part V, Question 1, in considering the need for greater expertise at MIT relating to computer crime, also asks about ways to help preserve institutional memory.

MIT has justified intervening in the LaMacchia case and defended not intervening in the Swartz case on the basis that LaMacchia was a student and Aaron was not.

But that defense is absurd: If MIT knows that a human is being prosecuted on the basis of a false interpretation of MIT’s rules, what possible difference does it make whether that human is a student or not? If a MIT official sees someone bleeding on the Mass Ave, do they decide whether to call 911 only after checking for a student card? MIT knew something here that at a minimum could have cut short a prosecution, and which, it turns out, could also have saved someone’s life.

“Neutrality” does not justify failing to pick up the phone, and telling the prosecutor, “hey, in fact, his access was authorized.” Maybe it wouldn’t have mattered. Maybe the prosecutor would have stayed the course. But then that would have been (yet another) failure of the prosecution, not MIT’s.

(Original post on Tumblr)

The MIT Report on #aaronsw

The MIT report (PDF) on the Aaron Swartz case is out. I am going to take some time to study it and understand it more fully. I’m away with my family and won’t be commenting on the report now, beyond the following: 

The report says that MIT never told the prosecutor that Aaron’s access was “unauthorized.” They indicated that his machine was not supposed to be plugged into the ethernet jack it was plugged into, but there is no law against abusing an ethernet jack. The law regulates authorized access to a network. The whole predicate to the government’s case was that Aaron’s access to the network was “unauthorized,” yet apparently in the many many months during which the government was prosecuting, they were too busy to determine whether indeed, access to the network was “authorized.” 

Here’s the section from the report (§11b): 

The superseding indictment abandoned the theory of “exceeding authorized access,” and counts 9 and 12 (applicable to MIT) relied instead on “unauthorized access.” The allegations in the indictment focus on numerous means whereby Aaron Swartz obtained access to the computer through unauthorized means, such as repeatedly taking steps to change his computer’s apparent identities and to conceal his computer’s real identity. Clearly, these are means whereby Aaron Swartz obtained access to the computer in order to engage in unauthorized conduct, that is, to do something that MIT did not want him to do through its network: engage in massive downloading of JSTOR articles.

The question posed by this charge in the indictment is, however, different: it is whether— given MIT’s guest policy—Aaron Swartz accessed the MIT network without authorization. Put differently, it is whether Aaron Swartz was authorized to access the network, regardless of whether he used improper means to do so. To illustrate this distinction, the Review Panel has asked itself the following question: had Swartz, intending to engage in the conduct for which he was indicted, walked into an MIT library, shown his personal identification to the desk, and asked to log on to the MIT system as a guest—would he then have been given access? If the answer to this question is “yes,” then it seems possible that Aaron Swartz’s access to the MIT network was authorized, notwithstanding his inappropriate means of implementing access, or of then abusing such access (which may themselves have been violations of different criminal or civil prohibitions). 

The Cambridge Detective involved in the prosecution explained to the Review panel that he repeatedly asked, in various ways, whether the laptop was authorized to be in closet; whether the cable from the laptop to the network switch was authorized to be there; whether the manner of downloading the articles was authorized; and, overall, whether the method of accessing and using MIT’s network in this manner was authorized. He was told “no,” and told that MIT had tried to prevent the downloading by disconnecting the computer of the (then) unknown suspect. 

The Review Panel questioned five employees of MIT’s IS&T who were involved in the identification and monitoring of Aaron Swartz’s laptop found in the network closet of Building 16 and who provided information to the prosecution during its preparation of the criminal case. According to them, and also according to OGC and MIT’s outside counsel, at no time, either before or after the arrest of Aaron Swartz, did anyone from the prosecution inquire as to whether Aaron Swartz had authorized access to the MIT network. Given MIT’s open guest policy, it might be argued that Aaron Swartz accessed the MIT network with authorization. Put differently, there is apparently an issue as to whether Aaron Swartz was authorized to access the network, regardless of the considerations that (1) he might have used improper means to implement such access; and (2) once he was on the network, he might have used such access for an improper purpose. 

The relevance of this distinction can be seen in the Department of Justice’s computer crime manual, Prosecuting Computer Crime (2nd ed.), published by the Office of Legal Education, Executive Office for United States Attorneys: “A more difficult question is whether a person with some authorization to access a computer can ever act “without authorization” with respect to that computer. The case law on this issue is muddy, but, as discussed below, there is growing consensus that such “insiders” cannot act “without authorization” unless and until their authorization to access the computer is rescinded.”

As far as the Review Panel could determine, MIT was never asked by either the prosecution or the defense whether Aaron Swartz’s access to the MIT network was authorized or unauthorized—nor did MIT ask this of itself. Given that (1) MIT was the alleged victim of counts 9 and 12, (2) the MIT access policy, its Rules of Use, and its own interpretation of those Rules of Use (including the significance or “materiality” of any violation of those terms) were at the heart of the government’s CFAA allegations in counts in both indictments, and (3) this policy and these rules were written, interpreted, and applied by MIT for MIT’s own mission and goals—not those of the Government— the Review Panel wonders why. (p137-39)

If indeed Aaron’s access was not “unauthorized” — as Aaron’s team said from the start, and now MIT seems to acknowledge — then the tragedy of this prosecution has only increased. 

(Original post on Tumblr)

The Original Meaning of "Corruption"

Inspired by the work of Zephyr Teachout and Zach Brugman, and aided by the work of two research assistants, Dennis Courtney and Zach D’Amico, the lawyers at the Constitutional Accountability Center and I have submitted this amicus brief to the Supreme Court for the upcoming McCutcheon v. F.E.C.

The basic question the brief addresses is this: What would the framers of the Constitution have understood the word “corruption” to mean? This question is important since at least 5 justices on the Supreme Court are “originalists,” and the Court has held that the meaning of “corruption” determines how far Congress may go to address the issue of “campaign finance reform.” 

To answer that question, Dennis Courtney and Zach D’Amico gathered every use of the term “corruption” from documents at the founding. They then each coded the uses. The basic questions they asked were first whether the term “corruption” was being predicated of an institution, or an individual; second, whether the use was discussing “quid pro quo” corruption; and third, whether it described “improper dependence” as a kind of corruption.

The results were striking. A significant majority of the times the Framers use the term “corruption,” corruption is predicated of an entity, not an individual (57%). Every instance of “quid pro quo” corruption is describing individual corruption, not entity corruption. And for the significant number of cases in which the Framers are discussing “improper dependence” as a kind of corruption, they are describing entity corruption (67%) not individual corruption (33%).

These numbers make it hard to believe that the Framers of our Constitution would have used the term “corruption” to refer to “quid pro quo” corruption alone. Or put more sharply, these number suggest that only a non-originalist could support the idea that “corruption” refers to “quid pro quo” corruption alone. 

You can see the original research at the tumblr blog, oCorruption.tumblr.com

(Original post on Tumblr)

the rare soul in business

Each year I try to take a chunk of time away with my family, off-the-grid, as an imperfect balance to the 100+ days away that defines the rest f the year. This year, we’re going to be near my parents, who are getting too old to visit, and so who we don’t see enough. They live near Hilton Head, SC, so we got a house on the Island, sort of near the beach.

Last night I rented bikes for the month online from Hilton Head Bicycle Co. My parents had warned me about island prices, but ok, it’s vacation.

This morning, I got an email from the owner: “I don’t feel good about the rate that came up for you,” he or she wrote. So they preemptively lowered the price by 25%.

When I was growing up, my dad (who ran a steel fabricating firm) would always explain behavior like this with a phrase like, “it’s the right thing to do, and it’s good for business.” That always puzzled me because it couldn’t always be both, or else why would we need to call it “right” (as opposed to “wrong”). 

But it strikes me the ether that are the Nets could help the second part a bit, so more did the first bit. So here, Nets, please notice: there was plenty of whuffie earned here. 

(And BTW: please excuse the silence after July 17.)

(Original post on Tumblr)

On the freedom to speak

On Bill Moyers, and in the Daily Beast, I spoke about the need for code to protect liberty and privacy in cyberspace. (Or a little more precisely, I repeated an argument for code to protect privacy that I have been making since 1999 — in Code and Other Laws of Cyberspace.)

In the course of both, I referred to one example I had recently learned of created by Palantir. The specific technology essentially builds an audit trail to the core, so any use of data by, say, a gov’t official, is perfectly tractable. So in the Moyers interview I said:

When there are plenty [sic – actually there are not “plenty”] of entities out there, companies like, there’s a company called Palantir who’s built a technology to make it absolutely, make you absolutely confident that a particular bit of data has been used precisely as the government says it’s supposed to be used. 

And in the Daily Beast piece I wrote:

And there are companies, such as Palantir, developing technologies that could give us, and more importantly, reviewing courts, a very high level of confidence that data collected or surveilled was not collected or used in an improper way.

This reference has now been criticized. (Here’s one careful and balanced example.) The essence of the criticism is that Palantir is a bad company, or that it has done bad things, or that it has been funded by bad people. 

I am completely in favor of questions being raised of anyone like me (meaning people trying to push a particular public policy) about whether mentioning a company or their product is done in exchange for money. That question needs to be raised more often, especially of academics. And one of the things we’re working on at the EJ Safra Center Lab is a more transparent and certifiable way that people can certify their “independence,” as in “non-dependence” upon the interests to which they are making reference.

So in this case, here is my answer: Consistent with my long-standing policy, (see Disclosure) I have not, or (now that I’ve publicly admired a product of theirs) would not ever, accept money from Palantir either as a consultant or to fund my research. This is the core case of the Non-Corruption Principle that I describe in my disclosure statement. And if this was necessary, then let this be a reaffirmation of that principle.

I’m less convinced that the principle of “corruption of blood” should be a part of policy discussions. In both cases above, I was pointing to a type of technology. The truth or falsity of what I was saying doesn’t depend upon whether Palantir is a good or bad company. About that question, I am not, and don’t purport to be an expert. I’ve known two people in the company with any seniority — one for a dozen years, and one more recently. About the former I’m certain, but of both I’d say I have a high regard for their integrity. But again, that wasn’t my claim in either context.

And more generally, it’s my view that a culture of free debate depends upon the ability to point to ideas or technology without that being read as an endorsement of the creator. Endorsements are of the form: “Wikipedia is a great company/community” (which it is and is both). References are of the form: “Terrestrial Trunked Radio is a great example of end-to-end encryption” (which Wikipedia says it is and who am I to disagree with Wikipedia?).

Thanks for the decent engagement. That, ultimately, is the most important here.

(Original post on Tumblr)

On Bilderberg

I was invited to the Bilderberg conference this year — embarrassed I hadn’t known anything about it before, and more embarrassed I hadn’t known anything about the controversy around it. 

But having been there, and done that, I confess I don’t get the outrage. 

It’s a conference. There’s no agreements, or planning, or anything beyond people speaking in panels, and people asking questions (or “asking questions”) of the speakers. Or at least that I saw. (Sure, it might have been that between 10pm and 8am (the only time we had off) there were secret meetings held by the rulers of the world. Suffice it, they didn’t invite me to them if they indeed were happening.)

The venue was nice, but not opulent.  The topics were wide ranging. There was a great panel on Syria and on medical research, but every other panel was interesting as well. The audience wasn’t representative of the world, but it was mixed. There were strong critics; there were views expressed that most there didn’t agree; and there were more of that than came just from me. 

True, the meeting is conducted with Chatham House Rules, meaning while the ideas expressed can be shared, the identity of speaker can’t be shared. Again, I don’t get the outrage about this. I’ve been to many conferences with the same rules, and many times I’ve recognized why they make sense. Especially if you’re someone in authority — CEO of a company or minister of a government — while you should be held accountable for your words, it’s fair your words not be taken out of context. Or at least, I get why people would only choose to participate if they were confident of this modest protection.

There’s a business model to protest. I get that. There’s value in rallying the people. But here was yet another time I thought: if only we could get this sort of passion directed against something real, or something that mattered. Outrage about people meeting to hear at least some ideas they don’t agree with doesn’t seem to me to be the highest and best use of outrage. 

(Original post on Tumblr)

The Anti-Aristocrats (our Framers) v1

I’ve been collecting research about the Framers view about the potential for American aristocracy. My RA, Dennis Courtney, found this fabulous quote from Patrick Henry at the Virginia Ratifying Convention (emphasis added): 

It has been said, by several gentlemen, that the freeness of elections would be promoted by throwing the country into large districts. I contend, sir, that it will have a contrary effect. It will destroy that connection that ought to subsist between the electors and the elected. If your elections be by districts, instead of counties, the people will not be acquainted with the candidates. They must, therefore, be directed in the elections by those who know them. So that, instead of a confidential connection between the electors and the elected, they will be absolutely unacquainted with each other. A common man must ask a man of influence how he is to proceed, and for whom he must vote. The elected, therefore, will be careless of the interest of the electors. It will be a common job to extort the suffrages of the common people for the most influential characters. The same men may be repeatedly elected by these means. This, sir, instead of promoting the freedom of election, leads us to an aristocracy. Consider the mode of elections in England. Behold the progress of an election in an English shire. A man of an enormous fortune will spend thirty or forty thousand pounds to get himself elected. This is frequently the case. Will the honorable gentleman say that a poor man, as enlightened as any man in the island, has an equal chance with a rich man, to be elected? He will stand no chance, though he may have the finest understanding of any man in the shire. It will be so here. Where is the chance that a poor man can come forward with the rich? The honorable gentleman will find that, instead of supporting democratical principles, it goes absolutely to destroy them.

(Original post on Tumblr)