Thursday, March 28, 2013

The infinite scrollbar

It's somewhat annoying when sites decide to show, say, the first 20 items of a list on a web page and to get more you have to find the "next" button.  It's nicer to bring up a list you can scroll through.  As you scroll, the size and location of the scroll bar will tell you how much you've got left.

Except when it won't.  Some sites -- particularly social sites, it seems -- will give you a scrolling list, but when you get near the bottom, they hit the server and bring in more items.  Suddenly your scroll bar gets smaller and the space below it grows.  After a while you realize that no matter how much farther you scroll, there will still be some left.  But by then you're hooked.  Just one more page ...

Technically, it's not a bad call.  Browsers can handle pretty big scrolling lists these days, but they probably wouldn't deal well with the full list of, say, hundreds of thousands or millions.  Bringing items in on demand is a nice compromise.  Chances are the human doing the scrolling will grow bored long before the browser's memory limits are seriously tested, and if not it can always throw out items from the top that are now well out of sight.  Score one for AJAX.

Psychologically it's pretty clever, too.  The nice large scrollbar at the beginning says "Come on in!  Just a little bit to look at here.  Won't take too long."  As noted, by the time you see what's really going on, you're drawn in.

Overall, I'm not sure I have a strong feeling about this style of widget.  I guess the convenience outweighs the subtle feeling I've been played.  But not by a lot.

Film studios ... not dead yet.

A few years ago I ran a series of posts (starting with this one) questioning a 60 Minutes piece on online video piracy.  My take was that 60 Minutes was parroting the MPAA's stand on piracy at the time without critically examining it as one might expect from an investigative news program.

I stand by that.

In one segment, director Steven Soderbergh doubted whether films like The Matrix could be made any more, since piracy was putting the studios out of business and keeping them from financing original works from outsiders.  At the time of that interview, Avatar was on its way to grossing an all-time record 2.8 billion dollars on a budget of $237 million.  Granted, James Cameron is not exactly a Hollywood outsider (more on that below), but if the studios aren't financing new faces, it doesn't appear to be for lack of money.  Six of the top ten highest-grossing films have been made since that interview, and ten of the top twenty.  Comcast (owner of Universal) has nearly tripled its stock price.  Disney, Time-Warner and Viacom (owner of Paramount) have approximately doubled.

Overall box-office grosses have been basically flat since that interview, which would indeed be bad news for studios, if that were the only way that they made money.  But it isn't.  Video on demand and DVD/Blu-ray releases, with much lower overhead than the box office, have been a standard part of movie releases since before that interview was done.

Home video numbers seem harder to come by than box office grosses, but there's no doubt that, however much illegal copying may be going on, there's plenty of legal rental going on as well.  It doesn't look like the ability to copy bits online is hurting the film industry any more than the ability to copy them on videotape did.

In fact, the folks at South by Southwest seem to think that video on demand is actually helping get original films from outsiders made and seen.  The title of the panel, How I Learned To Stop Worrying and Love VOD, is itself instructive.

Nor do I think anyone seriously sees this as a triumph of the brave heroes at the MPAA against the evil pirates.  Rather, the industry has adjusted to the new technology and figured out how to make money off of it.  Which is their job.

I am not my IP address

It appears that the major ISPs have decided to launch an "education campaign" about copyright violation.  If their filters determine someone using your IP address is uploading copyrighted content, you will get a series of increasingly firm warnings telling you that you may be breaking the law.  And, as some have pointed out, to let you know that your ISP is watching what you're doing and to leave a nice, visible paper trail saying "you were warned".

I say "copyrighted content", but in practice that probably means video, .mp3 files and such.  I doubt that they're trying to catch people uploading the text of The Hunger Games or whatever, even though that's just as copyrighted as, say, Thrift Shop.

Before going on, I suppose this is a good opportunity to repeat the disclaimer: I don't speak for my employer.  I speak for myself, at least on a good day.  Let's throw in the "I am not a lawyer" spiel while we're at it.

On the one hand, I'm not horrified by this.  It certainly seems like a better approach than previous attempts to crack down.  The ISPs certainly have some right to do such things.  Your agreement with your ISP is a private contract.  As much as we value free speech as a principle, when you're paying a private company to convey your speech, they get some say.  Restrictions imposed by your ISP are not laws of Congress.  Not to say that there shouldn't be some sort of protection, but any First Amendment case would have to be aimed at the laws regulating ISPs, not at the ISPs themselves.  Outside the US, your mileage may vary ... hmm ... how do you say "your mileage may vary" outside the US?

Likewise, the studios and record labels have a right to protect their copyrights (that is, the copyrights they acquired from the people who actually created the content).  Whatever we may think of studios, record labels, publishers and such, there is a legitimate business to be done in financing, publicizing and selecting content.  The question is whether it's done well or badly, ethically or not-so-ethically, and in what cases it makes sense for the creator to take on that role personally or hire it out.

That said, I'm leery of the basic approach of tying activity to an IP address.  In a typical household, any of several people may be using a given address, and the person paying for the service is generally not going to be aware of what every person in the household is doing at all times.

Neither is it safe to assume that the only people using the IP address in question are living in the house to which the IP address is assigned.  There are plenty of insecure wifi routers out there.  For that matter, there are plenty of deliberately insecure routers out there.  Is a coffee shop with free wifi also liable for whatever its guests choose to upload?

Nor is it that hard for someone uploading copyrighted material to disguise that fact, or plausibly deny it -- and it's a good bet that someone who makes a habit of distributing copyrighted material illegally would positively enjoy confounding The Man.

In short, it looks very easy to get false positives (someone notified of suspicious uploading when it's not their fault) and false negatives (someone up to no good going unnoticed).  If the idea is to "stop piracy", it's unlikely to work any better than previous attempts.  On the other hand, if the idea is to remind people that copyrighted material is protected by law, or start a discussion between the person legally on the hook for the internet bill and the rest of the people using it, that could probably work.

Behind all this is the issue in the title: to what extent can an IP address be identified with a person?  A reasonable analog in the real world is the distinction between a car's license plate and a person's driver's license.  A license plate is associated with a person, and that person bears some legal responsibility for what happens with that car, but if you loan your car to a good friend and that friend gets pulled over for speeding, the points go on the friend's license, not yours.

If the friend runs a red light and gets caught by a camera, though, you'll get the notice, as registrant of the car.  What happens next is a bit unclear, particularly if your maybe-not-so-good friend doesn't feel inclined to step up.

The ISP case seems more like the camera case than the pulled-over case.  Just as (generally) only the car can be positively identified, only the IP address, and not the person, can be positively identified [that is, the numeric address is known for sure ... there are ways, at least in theory, to spoof addresses in the sense that the packets sent to and from that address aren't going where the system thinks they're going].  Again, if the idea is to educate people about copyright law and remind them that yes, companies take this seriously and, by the way, we can see what you're doing with your IP connection, that's probably OK.  But if it comes down to fining and arresting people, the IP address involved had better be just one piece of evidence in a stronger case.

Not that that's much comfort if you have to hire a lawyer anyway.

Tuesday, March 19, 2013

Password reductio ad absurdum

I was just now logging into a site I hadn't logged into in several months, one for which I wanted to be sure I had a unique password.  Naturally, I'd forgotten the password.  So I clicked on the forgotten password link and chose the email option.  There was also a security questions option.  I should remember to make up some random lies for that, since I'm not going to use it and would prefer no one else did either.

Before too long, an email arrived with a clearly randomly-generated sequence of twelve upper- and lowercase letters.  That's about 68 bits of entropy.  If you could guess a trillion passwords a second [which, scarily enough, is not at all far-fetched], it would still take about 12 years to guess all the possibilities.  I'm not a great fan of passwords in general, except when used locally to unlock something that's actually secure, but that's a pretty reasonable password generation scheme.

So I log in with my new password.  Before I actually get in to the site, I'm told I need to change my password.

Because it's too weak.

Because it doesn't have a letter and a number.

But I'm free to make up any seven-character or longer sequence that does contain a number and a letter, which does at least filter out all but two of SplashData's top 25 list of weak passwords (all but trustno1 and password1).  Let's just say it's 92% effective at improving password security and leave it at that.
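To put numbers on the absurdity, here is an added example (my own illustration, not anything from the site in question) that reproduces the arithmetic above and encodes the site's rule as described: it assumes the reset password is twelve characters drawn uniformly from the 52 upper- and lowercase letters, an attacker trying a trillion guesses a second, and a constructed sample of weak passwords containing the two entries named above plus a few made-up ones, not the real SplashData list.

```python
import math
import secrets
import string

GUESSES_PER_SECOND = 10**12          # the post's assumed attacker speed
SECONDS_PER_YEAR = 365.25 * 24 * 3600
LETTERS = string.ascii_letters       # 52 symbols: a-z and A-Z

def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a string of `length` symbols drawn uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)

def exhaustive_search_years(alphabet_size: int, length: int,
                            rate: int = GUESSES_PER_SECOND) -> float:
    """Years needed to try every candidate string at `rate` guesses per second."""
    return alphabet_size ** length / rate / SECONDS_PER_YEAR

def generate_reset_password(length: int = 12) -> str:
    """The emailed reset scheme as the post describes it: random letters only."""
    return "".join(secrets.choice(LETTERS) for _ in range(length))

def passes_site_policy(password: str) -> bool:
    """The site's rule as the post describes it: 7+ characters, a letter and a digit."""
    has_letter = any(c in LETTERS for c in password)
    has_digit = any(c.isdigit() for c in password)
    return len(password) >= 7 and has_letter and has_digit

# Constructed sample (not the real list): the two entries the post names plus
# a few invented weak passwords of the same kind.
WEAK_SAMPLE = ["password", "123456", "trustno1", "password1", "qwerty", "abc123"]

def policy_report() -> dict:
    """Contrast what the policy rejects (the strong reset) with what it admits."""
    return {
        "reset_bits": entropy_bits(len(LETTERS), 12),            # about 68.4
        "reset_years": exhaustive_search_years(len(LETTERS), 12),  # about 12.4
        "reset_passes": passes_site_policy(generate_reset_password()),  # False
        "weak_admitted": [p for p in WEAK_SAMPLE if passes_site_policy(p)],
    }

if __name__ == "__main__":
    for key, value in policy_report().items():
        print(f"{key}: {value}")
```

The report shows the 68-bit reset password failing the rule every time while "trustno1" and "password1" sail through, which is the whole joke of the post.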