Tennessee Makes Password Sharing Illegal

Here's a new law that won't work:

State lawmakers in country music's capital have passed a groundbreaking measure that would make it a crime to use a friend's login -- even with permission -- to listen to songs or watch movies from services such as Netflix or Rhapsody.

[...]

The legislation was aimed at hackers and thieves who sell passwords in bulk, but its sponsors acknowledge it could be employed against people who use a friend's or relative's subscription.

While those who share their subscriptions with a spouse or other family members under the same roof almost certainly have nothing to fear, blatant offenders -- say, college students who give their logins to everyone on their dormitory floor -- could get in trouble.

Posted on June 7, 2011 at 5:32 AM • 82 Comments

Comments

SJune 7, 2011 5:35 AM

Seems a trifle unnecessary passing a law to ban something that's surely against their terms of service already...

---

O/T [now it's hit the media & I can talk about it without getting in trouble]: I guess everyone's heard that the RSA breach is the worst case scenario everyone had assumed?

PaeniteoJune 7, 2011 6:19 AM

@S: "...ban something that's surely against their terms of service already"

Well, there are usually greater resources to prosecute criminal activities than for simple contract violations.

I.e., the police will hardly begin to search a student dormitory for a TOS issue. They might do so for a criminal investigation.

Clive RobinsonJune 7, 2011 6:22 AM

What this tells me is there are a bunch of "bum on bench" Politico's with to much time on their hands, or they are in receipt of inducments to make themselves look stupid.

Much as I hate to say it there are perfectly good reasons to share passwords (like when your bit of hardware only alows one account etc) how are sys/net admins, support persons and others supposed to do work where sharing a password is unavoidable...

SJune 7, 2011 6:27 AM

@ Paeniteo 'Well, there are usually greater resources to prosecute criminal activities than for simple contract violations.'

Exactly; more evidence of the power that the RIAA et al have over those that make the laws.

Still an entirely unnecessary step though.

@ Clive re. sys admins etc: they should be fine (because they aren't doing anything to piss the RIAA off!)

I'm still trying to chase down a copy of the actual law, but this seems the relevant para.:

"The bill expands an existing law used to prosecute people who steal cable television or leave restaurants without paying for their meals. It adds "entertainment subscription service" to the list of services protected by the law."

So it's not specifically password sharing they've banned, it's restricted to passwords for certain types of services.

TimJune 7, 2011 6:31 AM

Password sharing is easy to detect and stop. I don't see why they need a law...

Danny MoulesJune 7, 2011 6:46 AM

"The bill expands an existing law used to prosecute people who steal cable television or leave restaurants without paying for their meals. It adds "entertainment subscription service" to the list of services protected by the law."

Sharing my meal in a restaurant and watching TV with my family are undoubtedly criminal offenses and I'm glad they're legislated for .....

SJune 7, 2011 6:51 AM

Hyperbole does you no favours Danny.

Yeah, it's a stupid law, but we can criticise it without bringing up examples that they certainly don't appear to be trying to legislate for.

David ConradJune 7, 2011 6:51 AM

@Samps: No.

It was a bill in Indiana in 1897 about squaring the circle, it implied a value for pi of 3.2, and it didn't pass the state senate and never became law.

foosionJune 7, 2011 7:15 AM

@s - the due process clause of the constitution is usually interpreted to bar ambiguous or over-broad laws (e.g., void for vagueness).

It doesn't really matter what they were thinking of, it matters what the law says.

Clive RobinsonJune 7, 2011 7:19 AM

OFF Topic.

@ S,

"I guess everyone' heard that the RSA breach is the worst case scenario everyone had assumed?"

Not sure what you have heard.

All I know is last night Art Coviello RSA's Executive Chairman released an open letter ( http://www.rsa.com/node.aspx?id=3891 ) in which he said,

"It is important for customers to understand that the attack on Lockheed Martin doe not reflect a new threat or vulnerability in RSA SecurID technology. Indeed, the fact tha the only confirmed use to date of the extracted RSA product information involved a major U.S. defense contractor only reinforces our view on the motive of this attacker."

Made me think WTF does he mean with "... does not reflect a new threat or vulnerability..."?

If the attack on a major US Deffence contractor nearly succeeded as some journalists have suggested, then what chance do smaller operations with less sophisticated IDS in place have?

Also there is that nagging thought in the back of my head about why LM would let RSA keep the secret seed... I cann't see why they would that suggests to me that all 40million token users and 250million software users need to have a real serious think on this.

On the bright side for the token holders the letter promises that they can have the token replaced...

Now let me see 40million customers at a minnimum I'd say $5 for each token + $10 admin etc. So as a minimum this is 600million which is a little bit shy of RSA's annual profit. And also represents 3% of EMC's annual profit which is going to hurt.

Now what if my minnimum estimate of $15/token user turns out to be more like $50/user which it could easily do...

And that's before we start talking about the costs involved with the 250million software users...

JohnJune 7, 2011 7:21 AM

My definition: A police state is one in which everybody is a criminal.

The Tennessee law is not ignorance and stupidity. Tennessee is a police state.

Andre LePlumeJune 7, 2011 7:40 AM

Now people... If TN is busy doing this, that's less time they have to require that public schools have a month-long Noah's Ark/Adam+Eve module to counteract the hippie dogma that is evolution.

SJune 7, 2011 8:05 AM

@ foosion - yep, which is why I was looking for a copy of the law itself. Got bogged down in something else and haven't yet had a chance, but it would be interesting to contrast that with the linked news article.

---

@ Clive

That's pretty much what I was referring to, although those are some excellent weasel words!

Word is that _all the seeds_ did in fact get taken. Which was obviously what the attackers were after in the first place, but RSA's refusal to come out and say so sooner was disappointing, to say the least.

As you say, there are a lot of questions to be asked about what they were doing with LM's seeds, especially given they supposedly offer the option to manage them yourself internally.

Anecdotally - I have some tangential involvement in the sector - there's at least a couple of fairly large defence companies I'm aware of on this side of the pond that are in the same boat. Still not entirely clear on the reasoning behind trusting RSA with the seeds, but it seems to be a more common practice than people were assuming. Not ready to speculate yet on whether seeds were being stored for companies who were under the impression that they were not being stored, but there is that nagging thought, as you say.

Also of note: RSA had apparently been informing certain high value customers (read: 'national security') over the last couple of weeks, before making the public announcement. Which really sucks. I mean, who the fuck are RSA to decide that your need for security is lesser than another company's?

& on a more humorous note, a chat with one of our network security chaps earlier (we're not aerospace/defence or anything connected, but use SecurID) revealed that he is planning to take RSA up on their offer of replacement tokens - for several thousand users - and *then* tell them where to stick their contract, before moving to another solution. To paraphrase him slightly more politely, he is in favour of causing RSA some inconvenience in return for that which they've caused him...

Dirk PraetJune 7, 2011 8:11 AM

I'm not surprised that of all places this kind of lunacy pops up in Tenessee. One gets a headache worse than any hangover trying to find, read, and understand both the state laws and the local regulations for alcohol sales there.

IIRC individual counties can actually chose whether they are dry or not. The most ironic case is probably that of Lynchburg, home of the Jack Daniel's Distillery, where it's ok to produce my favorite drink but where you have to move to another county to actually buy a bottle.

For more downright crazy laws in Tenessee, check out http://www.dumblaws.com/laws/united-states/... . This kinda makes me doubt @John's statement that Tennessee law is not about ignorance and stupidity.

OFF Topic:

The really smart folks at EMC/RSA should visit this blog more often.

BF SkinnerJune 7, 2011 8:22 AM

Massive Fail.
Although I thought there was already Federal law covering the trafficking


@Clive "dose not reflect a new threat or vulnerability in RSA SecurID technology."

Yeah. right? Just the same one from when they lost containment on their most precious, sensitive, data. But that's WAY old news.

Fred PJune 7, 2011 8:59 AM

Music sharers: the new drug users:

"Stealing $500 or less of entertainment would be a misdemeanor punishable by up to a year in jail and a fine of $2,500. Theft with a higher price tag would be a felony, with heavier penalties."

A actual summary of the bill:

http://wapp.capitol.tn.gov/apps/billinfo/...

My under 9-year old child appears to be a felon - or would be if they lived in TN and continue to do what they do after July 1.

Seriously, if this is a problem, it's an easy one - permit each user a limited amount of bandwidth per time period. Over that amount, just charge them more. Then, with 20 users on the same account, you'd get more money than with 1. Netflix is happy, people who aren't abusing their accounts are happy, entertainment industry is less unhappy. The only people who aren't happy are those who run for-profit prisons.

RandyJune 7, 2011 9:17 AM

Re: Sharing passwords:

Will this allow the TN police to arrest everyone that are "sharing" the same password of "password"?

I say, "Round 'em all up!"

Randy -- ormaybenot

Clive RobinsonJune 7, 2011 9:20 AM

@ S,

"Word is that _all the seeds_ did in fact get taken."

I did wonder if this was the case the way they were going about things.

I wonder if it was due to the reasons I suggested at the ttime in my "little thought excercise",

http://www.schneier.com/blog/archives/2011/05/...

Not sure who I would claim my pint of beer off of for being right though ;)

RandyJune 7, 2011 9:25 AM

Fred P, Thanks for posting the link to the summary.

However, by my reading it doesn't imply that *sharing* account details would be theft. I think the relevant sentence is...

"AMENDMENT #1 adds to present law by specifying that a person commits theft of services by intentionally obtaining services by forgery or false statement, in addition to deception, fraud, coercion, false pretense or any other means, to avoid payment for the services."

How does this include sharing my brother-in-law's Netflix account?

Randy -- atleastihopeitdoesnt

John CampbellJune 7, 2011 9:29 AM

I sometimes think that id10tic laws exist to enable capricious enforcement.

Look at HOAs for another example of capricious enforcement.

Mind you, folks in the executive branch have been most clever in finding new and creative ways to apply RICO and PATRIOT statutes.

SJune 7, 2011 9:40 AM

@ Randy: 'How does this include sharing my brother-in-law's Netflix account?'

Easy: you'll be contravening Netflix's terms of use (I'm in the UK so have never used it, but I'd be very very surprised indeed if there wasn't wording to the effect that the account was for the use of the account holder or similar), which is surely fraud or deception or false pretence, or maybe all three if they're in a bad mood with ya.

--

@ Clive - from what I've heard, bang on the money, as ever! If we ever cross paths, I surely owe you several pints for your posts on here over the years. And I'm the right side of the pond, so at least you can be sure it'll be proper beer ;)

SJune 7, 2011 9:42 AM

Erratum to my above:

'...to the effect that the account was ONLY for the use of...'

PaeniteoJune 7, 2011 9:53 AM

@Randy: "How does this include sharing my brother-in-law's Netflix account?"

That's not really hard to see: You pretend to be your brother by using his credentials. And by doing so you avoid to pay for the service.

squarooticusJune 7, 2011 10:19 AM

The content cartel simply wants to offload their enforcement cost to the taxpayers. Why potentially pay legal fees dealing with problem customers when you can get a law passed making their behavior illegal, thus putting them on the defensive, AND make them pay for their own oppression at the same time?

paulJune 7, 2011 10:26 AM

The obvious ways to enforce this will involve focusing people who log in from multiple IP addresses in a short span or who have multiple simultaneous logins. Depending on how various providers handle address allocation, that could get pretty ugly.

Fred PJune 7, 2011 10:37 AM

@Randy - I was reading this as broadly as possible to come to my conclusion. That said, my familiarity with TN law is negligible. In other words, I don't know the definitions, the precedents, and have read few or no legal opinions; it's quite possible that this law means something rather different than what I'm reading into it.

If it really matters, I'd ask your lawyer.

Captain ObviousJune 7, 2011 10:48 AM

Mooching kids better start buying their own milk. We'll make it illegal to share ANYTHING!

Clive RobinsonJune 7, 2011 1:09 PM

@ Davi,

"Almost as illegal as if you call a Tennessee Whiskey a bourbon"

Don't you be calling that potash filtered moonshine whiskey either. They might pay the excise man but it don't make it legal as whiskey.

Some of us on this side of the puddle who like good beer and single malts have strong objections to some of the bevrages the US consumer has foisted on them (mind you some of your micro brewers are making good natural beer a man would be proud to hold in his glass 8)

Daniel MartinJune 7, 2011 1:11 PM

Obligatory quote from http://www.gnu.org/philosophy/right-to-read.html :

Dan resolved the dilemma by doing something even more unthinkable—he lent her the computer, and told her his password. This way, if Lissa read his books, Central Licensing would think he was reading them. It was still a crime, but the SPA would not automatically find out about it. They would only find out if Lissa reported him.

RunnySpoonJune 7, 2011 1:31 PM

These "entertainment subscription services" could also allow more than one user ID to be associated to a single account, maybe even with a small charge for each user. I, for one, would like to allow my 9yo child to log in and watch/read/listen age-appropriate content in a different room while I watch something else, I'd like my spouse to be able to log in (while I'm not there) and watch/read/listen to those rom-com's that please her so much, all without the worry of being pursued by the long arm of the law.

Way back in the days of yore, when I was a student, I lived in a house with 4 other students; we rented the house collectively, we rented one TV, one VCR, etc, I don't see why this should be different. Each of those contracts had all 5 of us named so that any one of us could manage the account, deal with billing issues, repairs, upgrades, etc. From your description, it would be the equivalent of renting 5 TV's and 5 VCR's, if I rented a movie from Blockbusters I would have had to send the other 4 out of the "TV" room while I watched it.

I realize that this probably isn't the *intent* of the law, but it still criminalizes the majority of households. Facilitating multiple user ID's on a single account seems like a logical approach to me.

I can't imagine that the police in TN have nothing better to do with their time than to crack down on student dorm's who share a Netflix account.

JasonJune 7, 2011 2:14 PM

In Tennessee, if a police officer has a court order compelling you to provide a password for your encrypted volume how do answer him?

I can't because it is against the law for me to share my password? You are now in contempt.

Provide the password? They now have another charge they can throw at you to get to plea bargain.

Unless they just make law enforcement immune this law like they many others.

Deron MerandaJune 7, 2011 2:14 PM

"...those who share their subscriptions with a spouse or other family members under the same roof almost certainly have nothing to fear,..."

"Almost certainly?" You are either in violation of a law, or not. It is not acceptable to base justification of the law on a vague and unpredictable notion of whether the State will care IF you break the law -- "fear" of or from secret selective enforcement. If it doesn't intend to enforce this against household members, then the law should explicitly exclude them.

The content cartel should rewrite their law rather than obfuscating the over-reach and potential harm of the law with their typical propaganda. But then again, stealthy legal over-reach has always seemed to be the goal of such pro-IP (anti-consumer) organizations.

Nick PJune 7, 2011 3:57 PM

@ David

"Almost as illegal as if you call a Tennessee Whiskey a bourbon"

That's dangerous in my state. We make some of the best whiskey in North America and we ain't having nobody call it diluted, err, bourbon. Of course, it's kind of embarassing to see my state on the news pushing yet another retarded law...

KevinJune 7, 2011 5:05 PM

"Mooching kids better start buying their own milk. We'll make it illegal to share ANYTHING!"

I'll second the request to back off on the false-comparison hyperbole. By about the age of 10, I understood the difference between
1) going to a movie theater and sharing my friend's popcorn and
2) going to a movie theater and sharing my friend's ticket stub.

Redneck HippieJune 7, 2011 8:38 PM

Tennessee also passed the Butler Act (1925) which prohibited public school teachers from denying the Biblical account of man's origin. That worked out well (see Scope's Monkey Trial).

tommyJune 7, 2011 9:02 PM

For non-US readers unfamiliar with Tennessee's conviction of a schoolteacher for teaching Darwin's theory of evolution, as alluded to by Redneck Hippie,

http://en.wikipedia.org/wiki/Scopes_trial

Deron Miranda beat me to my other comment, but I'd add that nothing is more certain to strike fear in my heart than the Government telling me that I "almost certainly have nothing to fear... (from, fill in the blank - new law, economic policy, new tax).

Proof: US Income Tax was originally declared unconstitutional, because it was. Constitution was amended to pass it, with pols guaranteeing the sheeple that it would always be only a "soak the rich" tax, and middle-class families would have "nothing to fear" from it (would not be affected.) Right....

Anthony WeinerJune 7, 2011 9:11 PM

If only that law had been in place for US Congress, I would never have shared my Facebook and Twitter passwords with what I thought were trustworthy friends. And look what happened...

Nick PJune 8, 2011 1:34 AM

@ tommy

Ah, yet another point of shame for us. Thanks for posting it, though. The Wikipedia article is actually one of the best [and well-cited] summaries I've seen of this case. Although we have more intellectuals than ever, I can't say that the situation is different for the average person in Tennessee, Mississippi, or Arkansas.

tommyJune 8, 2011 2:07 AM

@ Nick P:

You're welcome, and thanks. Are you saying that you're from, or in, Tennessee? (of course you don't have to say). The state that elected Al Gore to Congress seven times in a row, but refused to support him for POTUS?

Often overlooked in the controversy over the Florida results in the 2000 POTUS election: Gore was the first POTUS candidate since 1972's George McGovern not to carry his own home state. Had Gore merely won the State that sent him to the House six times in a row, then to the Senate after that, the controversy in Florida would have been moot - Gore would have had enough electoral votes for a win without Florida.

My spin on the whole story:
http://www.amiright.com/parody/60s/...

BF SkinnerJune 8, 2011 6:11 AM

Again. There are already laws at the Federal Level for password trafficking.

So why the push to get US State level laws in place?

I'm thinking so RIAA can have a friendly venue to prosecute people in other states from. If they can make the claim that the netflix traffic transitted TN from their servers to the consumer they might be able to make a case for standing.

Anyone know if the backbone goes through TN?

Clive RobinsonJune 8, 2011 6:14 AM

@ Bob,

"How do I log onto Starbuck's wifi now?"

That is one of the things. I was refering to in my post at the top of the page.

At a guess they will have to usse a radius server with a system connected to the server and tills that generates a short lived account name and password that it prints on the bottom of your till recipt.

Like most "technology" legislation it's dreamed up by those with a "one world view" that everybody has to do business in the way they do or they should be punished for not doing so.

The reason is that the various royalties people have realised that royalties are not a good way to do business as they have to do lots of unproductive accounting work, and then hand royalties on to the artists.

What they would much preffer is an access model where you pay a big fat subscription to a service and get "one time play" files. The artists then don't get paid royalties only a one off fee per track etc. and lose all rights there after. If they don't want to play and set up there own service, then other DRM legislation will enforce very large fat fees out of them to make it financialy not viable.

We have seen this sort of thing in the UK with OfCom who issue licences to small radio stations. The wheeze behind it is the difference between FM & DAB. Basicaly it is not that difficult to purchase and install an FM transmitter in a perfectly "standards legal" way so there are people doing it who arn't "licence legal" these are more commanly known as "Pirates" and they have all sorts of ills blaimed on them by the likes of OfCom often without a shred of evidence.

Quite a few years ago the UK Government under significant preasure from their "media friends" started trying ineffectualy to crack down on the pirates with the only result significant political embarrassment for the regulator. So they came up with the idea of "community licences" and "special events licences". The trick they tried was that all pirates that wanted to bid for the licences had to stop broadcasting before the protracted application process started.

The regulator was accused of dirty tricks for a number of reasons (one being applications that apparently never arived) and the fact that the allocations were based on deliberatly flawed ideas of what a community radio station was there for.

Well that didn't work so they fell back on plan D which was DAB and getting rid of the FM broadcast band. DAB does not work like conventional FM in that many stations are multiplexed up together on a single frequency and the way you find the one you want is through the 'matrix' which is a beacon on specific frequencies that tells your radio which frequency and multiplex slot to tune to.

The way DAB works in the UK means that as a station you cann't set up your own DAB transmitter you are forced to go cap in hand to a service provider.

Now DAB is not exactly popular in the UK the radios are expensive they don't work that well and as portable devices they chew up batteries about three times faster than an FM radio at the same moderate volume setting (so DAB is environmentaly and landfill unfriendly).

But OfCom want's rid of the FM band to get rid of the pirates, the UK Gov want(ed) to get rid of the FM Band to more profitably licence it off to pull in more money to the Treasury.

So when these "community licences" came up for renual OfCom made it abundently clear that existing stations would only keep their licence unoposed if they put out a DAB service as well as their FM Service. Further if it went to competive applications prefrence would be given to those offering a DAB Service (unofficialy it was said that on a competative application if the current licence holder did not have a DAB service in place they would only get the licence back if they were the only applicant).

Now the DAB matrix and transmitter licences had only been issued to a very very select few who just happend to be the competition of the community broadcasters (ie National and commercial broadcasters)

So guess what happened to the "asking" price of entry to the DAB service?

Yup it was up above the equivalent of 100,000USD (50,000GBP) for the equivalent of AM broadcast quality...

Oh and on top of this the community stations had to pay "royalties" not on the records played but as the equivalent of a tax on their income (usuall ask price 20% of gross income). The large commercial stations of course went about paying minimised royalties in ways not open to the community stations...

When you see this kind of "stichup" you know just where the Goveernments and their friends are going to go with this sort of legislation...

GreenSquirrelJune 8, 2011 8:10 AM

@Kevin

"Mooching kids better start buying their own milk. We'll make it illegal to share ANYTHING!"

I'll second the request to back off on the false-comparison hyperbole.

----------------
I agree that the hyperbole sometimes gets out of hand but I had read the Milk like as a joke. It seemed to be a humorous comparison rather than an attempt at a realistic one.

I may have misread it though.
----------------
By about the age of 10, I understood the difference between
1) going to a movie theater and sharing my friend's popcorn and
2) going to a movie theater and sharing my friend's ticket stub.
----------------
Interesting example - what is the difference, as I am not sure I understand it.

By sharing popcorn with your friend you are reducing the profits available to the popcorn manufacturer. They price their product, and assess their profit margins based on the fact that people will often share but fundamentally, isnt it the same thing?

If you were forced to buy your own popcorn, the popcorn profits would go up. If you were able to share the ticket stub the cinema / theatre profits would go down.

We seem to have a hardwired assumption that reducing one source of profits is socially acceptable but the other one isn't.

When I think about it, I really cant explain why there is a difference.

BF SkinnerJune 8, 2011 8:21 AM

Well since an analysis of the Sony account passwords http://www.troyhunt.com/2011/06/... show pretty much what the HBGary hack did. . . Common, simple, reused passwords . . . Should I really be held to account if i mistype my userid and happens to have the same password as someone else?

Clive RobinsonJune 8, 2011 8:24 AM

@ Greensquirrel,

"We seem to have a hardwired assumption that reducing one source of profits is socially acceptable but the other one isn't."

Try thinking in terms of tangable and intagable goods.

When you buy a tangable good you own it and can decide what you do with it as it's your property.

When you "buy" an intangible product you are actually not getting an kind of ownership just a concession from the intangable product provider who might or might not provide a service.

It is in the producers interest to make you buy an intangable product or service where ever possible as this gives them greater control.

We are now seeing some tangable product providers moving over to the same model because of the extra profit margin.

RookieJune 8, 2011 8:24 AM

@GreenSquirrel
"...I really can't explain why there is a difference."

Come on, Greensquirrel, from your other posts you're a bright guy (or gal?), you're just muddying the waters to try to make a point.

The difference between going to my neighbors house to watch the big game and running coax from his cable plant to my house to watch the game is not hard to figure out, even though the cable company lost potential profit both ways. Sharing a product someone else paid for vs stealing a product that you should have paid for is a clear distinction.

We do not live in a world free of ethics, morality, and laws (despite some other people's fervent desire). Potential profit is not the only yardstick to use.

albinoJune 8, 2011 8:41 AM

On almost all websites (Google being a notable exception) it is possible to force other users to log into your account with your username/password using Cross Site Request Forgery, even where the website is otherwise not vulnerable to it.

PaeniteoJune 8, 2011 8:55 AM

@GreenSquirrel:
> By about the age of 10, I understood the difference between
> 1) going to a movie theater and sharing my friend's popcorn and
> 2) going to a movie theater and sharing my friend's ticket stub.
> ----------------
> Interesting example - what is the difference, as I am not sure I understand it.

The difference is IMHO that for sharing popcorn one sharer really gives up something that is given to the other.
The people "sharing" the ticket don't have to give up anything, they both see the same movie (i.e., each gets a full bucket of popcorn, so to speak).

Hence, "sharing" a movie ticket reduces the cinema's profits, and at the same time increases the sharers' profits (two movies seen for the price of one).
Whereas sharing popcorn reduces both the cinema's profits and the sharers' profits. The latter sounds fairer, doesn't it?

"Sharing" a movie ticket in the sense of sharing popcorn would be more in such a way that one person would see the first half of the movie and the other person would see the second half. That would be morally acceptable, IMHO.

GreenSquirrelJune 8, 2011 10:19 AM

@Clive

"Try thinking in terms of tangable and intagable goods."

Sort off - however at the end of the movie, I have seen a movie and eaten some popcorn. Other than some calories in my body and thoughts in my brain, nothing of either still exists.

@Rookie

Thanks for the kind words, I like to think I am intelligent but others may think otherwise.

"The difference between going to my neighbors house to watch the big game and running coax from his cable plant to my house to watch the game is not hard to figure out, even though the cable company lost potential profit both ways. Sharing a product someone else paid for vs stealing a product that you should have paid for is a clear distinction."

Stealing is different - yes but the point I am making is why do we view one as stealing and not the other.

You havent explained the difference, you have just restated the situation with a different analogy.

Let me try some examples: If I go to the cinema with a friend, we may share popcorn with no one objecting however if I eat the popcorn belonging to a stranger without asking, I am stealing. That makes sense (and there is a deprivation which fits nicely with the concept of theft).

However, from the Popcorn makers point of view both are equally bad and reduce his/her profits.

When it comes to the TV - if you hook up a cable to a friends house, who is happy for you to do so and is content to pay the cable charges while you freeload, you are not depriving anyone of anything other than the profit the Cable company would have got if you had paid for the service yourself. This is the same as you choosing to not pay for the service and spending your life mooching on your friends couch to watch their TV. In one instance you are a layabout friend and in the other a criminal but they are effectively the same thing.

I am not advocating a world free of ethics, morality or law. Quite the opposite.

I am saying that it is unethical, immoral and lawless to have this double standard.

If I mooch my friends popcorn, I am stealing a product I should have paid for in exactly the same way as the cable but we have been socially conditioned to accept it.

@Paeniteo

"The difference is IMHO that for sharing popcorn one sharer really gives up something that is given to the other."

Ok - that sort of makes sense in the film example but I think what is really being bought is the seat - so if you could fit two people on one seat, why should they pay twice?

This doesnt hold as well when it comes to other sharing issues - such as cable TV though as they can be shared without one person giving something up in legal manners and then in a slightly different manner it becomes illegal.

As I see it, the problem is not one about moral issues, ethics or even the legal nature of theft. It is simply that we are conditioned to accept some things should be the way they are. If popcorn manufacturers could make it illegal to share popcorn they would, but the reality is they lost the battle long ago and now price their product to reflect the social status.

When it comes to other shareable items, we arent there yet and, as a result, there is a bit of a rear-guard action that leads to some crazy rules.

BF SkinnerJune 8, 2011 10:46 AM

@GreenSquirrel "at the end of the movie, I have seen a movie and eaten some popcorn."

Independent revenue streams. The movie remained property of the studio. The theater paid a losing rate to exhibit it. The popcorn is where the theater makes it's profit. The profit ratio on Popcorn exceeds gas, herion and diamonds.

GreenSquirrelJune 8, 2011 11:11 AM

@BF Skinner

Good point. They are independent but that doesnt explain why sharing one is theft but not the other.

(except, as I believe, the popcorn price is already set to allow for massive sharing)

Clive RobinsonJune 8, 2011 12:14 PM

@ BF Skinner,

"The profit ratio on Popcorn exceeds gas, herion and diamonds."

I don't know about the profit ratio, but that dam toffee sauce is more addictive than heroin, and probably does a dam site more damage to the health of the US population than heroin.

In the UK various scientists have been pointing out for quite some time that both processed tabaco in cigarettes and most forms of alcohol are more dangerous than heroin (in the medical/pure form, not the rat poison and drain cleaner adulterated street forms).

The problem is the politicos won't go for it so we suffer the misseries of the street and other crime involved. As was pointed out to me the Politicos would rather have more criminals than less votes...

Any way it's 18:20 in the UK anybody any idea what Bruce is doing rather than posting a blog page?

AppSecJune 8, 2011 1:24 PM

@GreenSquirrel

I think that Paeniteo and Rookie both had it right..

In the case of the Movie Ticket, you are leasing the right to a spot (note: I specifically didn't say seat for a reason) in the shared lobby and a particular theater auditorium (note: even doing double features with one single ticket is still looked upon as stealing). Unless you and your friend can somehow occupy the same space in the theater simultaneously, you are stealing space.

With regards to Cable TV - even if your friend was okay with you running cable from his house to yours, you are still violating and stealing as the right to view is limited to a property address. Now, I am not sure how one would view putting a 500 screen tv configuration outside and putting numerous shows on so your neighbors can watch.

With regards to the popcorn -- it was paid for and owned by your friend. Your friend owns the right to do with that popcorn what he chooses (so long as it doesn't interfere others in the theater -- like ending up in their head). If he wishes to give you some, he is allowed.

Those services have leased the right to a given individual to lease a movie for the time they wish to view it. They did not provide the right for the individual to sub-let that account (for money or not).

Quite simply put: theft of service various by service type and there is no one-size fit all answer. It isn't double standard. It isn't hypocritical. It just simply isn't the end users decision as to what the service provider considers theft of service.

imawhoJune 8, 2011 2:16 PM

Heh, all those CEO's, and elected officials are going to have to start typing their own emails! :)

Nick PJune 8, 2011 2:30 PM

@ GreenSquirrel

"As I see it, the problem is not one about moral issues, ethics or even the legal nature of theft. It is simply that we are conditioned to accept some things should be the way they are."

I think you're right on. Even history illustrates this. Just take a look at how ideas flourished during the Renaissance and other periods. Artists wrote their works, made a certain bit of money off it, and people shared their works. Sharing music, plays, and ideas was considered "ethical" and enlightening so long as credit was given.

Next, certain groups of artists seeking to maximize their personal profits pushed for laws to protect their intellectual property (funny concept when you really think about it). Now, it was officially a crime and people know it's "unethical" to commit "crimes" like sharing, err, "stealing" ideas, err, other people's "intellectual property."

What about what was happening changed? Nothing. Sharing and improving ideas remains the same. The only thing that changed was the profit motivation of certain content providers and they paid some guys in power to enforce their will. Society grudgingly accepted it and now it's called "wrong," "unethical," or "criminal," even though the act itself is both unchanged and beneficial. So, like you said, the real defining point in ethics here is just what one group wants people to believe is right and what certain groups of people accept.

The damage this kind of thinking does is most evident in the patent system's effect on innovation. I somehow can't find it right now but I once had a video that illustrated using Beethoven's music, which is a novel combination of many old and new musical techniques. Had the old one's been patented, the vast majority of the song would be gone. If the work was created, Beethoven would have been a "thief" and "wrong" for giving us this music.

Is this kind of ethical thinking valuable? Where we allow selfish pricks to determine right/wrong for their sake and enforce it on the majority? Would our modern information age even have come about if the modern approach of handling content and I.P. began a few hundred years ago? Imagine how many segments of ideas it took for the Internet to come about and tell me how someone could've pulled it off while licensing or being sued over each one. Nah, we need to get rid of laws like these, resist anyone promoting them, and subvert all opportunities to enforce them. They just hurt us way too much to tolerate.

asdJune 8, 2011 3:25 PM

I like to think about IP law has, skill/money/time. You might have the smt to make a pizza, but you proable don't have the smt to make "avator".
If you are put on this earth to watch avator they can charge as much smt as you can pay, but less than it takes to create the movie yourself.

Dirk PraetJune 8, 2011 6:26 PM

@ Clive

"We are now seeing some tangable product providers moving over to the same model because of the extra profit margin".

iTunes: have your music on your hard disk
iCloud: have it somewhere else

I want my stuff on media owned and controlled by myself, not by some corporation that can cut me off at will for violating some silly service condition that wasn't there when I signed up, failed to understand the legalese of, or when told to do so by the government. Or in the case of Sony has both my stuff and personal information compromised by failure of maintaining even the most basic of security best practices.

For a really good explanation on cloud security, check http://www.youtube.com/watch?...

Dr. TJune 8, 2011 6:28 PM

Numerous commenters have, without any evidence, assumed that NetFlix is behind this law. That is unlikely. A single NetFlix account can be accessed via any number of computers, but only by one at a time. It is perfectly legal for me to access NetFlix on my computer in the den, for one of my daughters to use the same account on her computer upstairs, and for my other daughter to use the same account on her laptop far from home.

It is far more likely that content providers, perhaps represented by the MPAA, pushed for the modification of the law.

Nick PJune 8, 2011 8:44 PM

@ Dr T on why this ain't RIAA vs world

"It is perfectly legal for me to access NetFlix on my computer in the den, for one of my daughters to use the same account on her computer upstairs and for my other daughter to use the same account on her laptop far from home"

In general, that sharing is the kind of thing the law targets and service providers like Netflix would like to go away. The exception to this statement being your giving it to your daughter, who is your child and not legally able to purchase the service (maybe). That's a gray area they probably don't care about. If you substitute "friend" for "daughter," then you would be committing a crime in Tennessee now.

Disclaimer: I'm not saying I believe Netflix is behind the law. I have no beliefs on the source for lack of investigation. I'm merely saying they have an even higher profit motive to do this because they experience actual losses when people share.

This is different from people downloading free music because many wouldn't have got it if it wasn't free, meaning no loss would have happened. In contrast, sharing a SaaS, cloud or streaming offering uses actual resources of the service provider. If your friend uses your account, Netflix *might* be loosing the opportunity to sell to that friend and *will* be expending resources they wouldn't have if it was just you using it. See where the motivation comes in?

BF SkinnerJune 9, 2011 6:30 AM

@GreenSquirrel "sharing one is theft but not the other"

That is true. But as far as theater goes they hate you bringing in your own crap and try to make it 'policy' that outside food and drink is forbidden.

It's probably a question of enforceability and degree of infringement.
Books and Videos are also, uh, books and video and are not supposed to be lent right?
But no one has ever approached me and said "Can you prove the chain of custody for all your books and video's and ensure us that you have not borrowed any of them?" Given the state of the US I'm more worried about Guy Montag and other Bradbury Firemen.

So digital makes copying and enfringement easier and broader. Duh.
What was tolerable and manageable with the capitalists...uh I mean the information producers...controlling the means of production and distribution no longer is.

I was going to go on a side rant about being able to trace and track communication channels but I think this is the central issue.

The owners of the media have lost control on it's distribution and they are trying to get back.

GreenSquirrelJune 9, 2011 6:57 AM

@AppSec

"Those services have leased the right to a given individual to lease a movie for the time they wish to view it. They did not provide the right for the individual to sub-let that account (for money or not)."

So then it is an equal offence if some one invites people round to their house to watch tv?


"Quite simply put: theft of service various by service type and there is no one-size fit all answer. It isn't double standard. It isn't hypocritical. It just simply isn't the end users decision as to what the service provider considers theft of service."

I agree that there isnt a one size fits all, and I am not trying to justify the illegal sharing of resources. I am, however, curious as to how we appear to be happy with a very arbitrary set of distinctions.

I also think that the issue is far from as clear cut as some people make out and, interestingly, it is one in which we are strangely willing to allow service providers full authority over telling us how we can use something we have paid for.

If I rent a book from the library, I dont expect them to say I cant let my neighbour read it before I return it.

Also, I actually thing that the best arguments presented here are ones that have never crossed the mind of those who are in the process of selling us the services in question. Is this a post-hoc justification of the status quo?

Richard Steven HackJune 9, 2011 7:01 AM

Clive: "It is in the producers interest to make you buy an intangable product or service where ever possible as this gives them greater control."

Exactly. Intellectual property is solely and completely about gaining control over YOUR "property", which they regard as THEIRS. It's about overriding property "rights" (a term I hate to use because it's another ghost concept with no meaning) with contract "rights".

Which of course is entirely meant to put you under someone else's control. Intellectual property is inherently about reducing freedom.

Green Squirrel: "I am not advocating a world free of ethics, morality or law."

I am. All three are bogus concepts that achieve the opposite of their (alleged) intent and are primarily used to control populations to their detriment.

"I am saying that it is unethical, immoral and lawless to have this double standard."

Correct.

"If I mooch my friends popcorn, I am stealing a product I should have paid for in exactly the same way as the cable but we have been socially conditioned to accept it."

Agreed. The example I use is a hammer. If I buy a hammer from someone, I've paid for and allegedly "own" that hammer as my "property." I can dispose of it as I choose. Now if my neighbor needs a hammer, and I loan him mine, I have deprived the hammer seller of his profit. But I have NOT "stolen" anything from the seller. He still has his hammers and can continue selling them.

Depriving someone of a sale by means other than coercion is NOT "stealing".

And if technology allows digital files to be easily copied and transmitted by unauthorized persons, receiving such a file may be depriving someone of a sale but it is NOT "stealing" either. Neither is making and distributing the copy in the first place.

It's merely the inevitable result of technology obsoleting a business model - which is what technology does and is SUPPOSED TO DO.

There's also a good argument to be made that intellectual property IS "theft". I'll leave that for elsewhere. Google for Stephen Kinsella and read his stuff.

GreenSquirrelJune 9, 2011 7:24 AM

@ BF Skinner

"It's probably a question of enforceability and degree of infringement."

That strikes me as one of the most likely reasons. They can enforce the one person per ticket rule but it would be nearly impossible to enforce the no-sharing eats rule.

Its a shame we seem to be in the process of building a moral framework out of this.

Clive RobinsonJune 9, 2011 9:14 AM

@ Richard Steven Hack,

"Intellectual property is solely and completely about gaining control..."

These days sadly yes.

However historicaly it was to stop exploitation or passing off.

I guess the Patent was the start of it in many ways. It was recognised back in the Tudor times that even physical objects have intelectual work put into them just the same as other intelectual works such as the writen word and musical tunes etc.

It was felt that for the "common good" an inventor could gain protection of their ideas so that thay might profit by them for a reasonable period. In return their methods would become public knowledge such that others could benifit, but only by giving due defference to the inventor by way of a licence.

It was a good idea but was poorly executed and as a result lawyers and judges became involved and over time instead of being used to protect the inventor it became a way to develope closed markets such that old innefficient players could defend there failings against younger dynamic organisations.

Oh and as a side note it is said it went wrong with the first patent application for a machine to knit stockings. Apparently because it could not make silk stockings Elizabeth in one of her usual fits of peek refused to grant the patent...

RookieJune 9, 2011 9:38 AM

@Richard Steven Hack
"I am...advocating a world free of ethics, morality or law. All three are bogus concepts..."

It's off-topic but, despite that fact that you've been around the track a few times, I don't think you can fully conceive a world like you're advocating. You, and most others, wouldn't literally survive 1 week in that world.

Richard Steven HackJune 9, 2011 11:33 AM

Rookie: Actually, viewing human history, most of that history was without "ethics, morality or law" in the sense used today.

And we're still here. It was bloody getting here, but it's bloody now, too.

But the point is that without people educated and trained to behave rationally, it wouldn't work. But without people behaving rationally, the current system of "ethics, morality and law" doesn't work, either. It's all used to maintain control over people to their detriment. It's purely a control mechanism, regardless of what most people believe is the purpose.

If you suddenly removed law, say as occurred in New Orleans during Katrina, you quickly find that present day society is as primitive as always. So what does this say about humans in general?

If you can't maintain the present human society without the sort of repression (of all kinds, including psychological as well as physical) in use today, what does that say about the system?

In any event, when I advocate an existence without such bogus concepts, I'm not saying it will work with humans as they are. I'm saying they're bogus concepts that don't address the real issues of human nature and human society.

Addressing those issues and constructing a truly viable human society is simply impossible given human nature. Which is why radical Transhumanism is the only solution - altering human nature to render a "human" society irrelevant.

Clive: "However historically it was to stop exploitation or passing off."

Well, as to copyright, my understanding is that it was originally promoted in the UK to insure the state's printers had control of things. I forget the details (I read up on this stuff off and on, then forget about it) but it wasn't about protecting society.

As for patents, check out this lecture:

Terence Kealey: “Science is a Private Good: Why Government Science is Wasteful”
http://blog.mises.org/13017/...

He basically establishes by the historical record that whenever you have no IP laws, you have more science and technology development.

Again, the whole concept of IP as intending to have some social benefit is just a con game and a smokescreen for the real purpose: control. It's on a par with "think of the children".

AppSecJune 9, 2011 1:18 PM

@GreenSquirrel :
"So then it is an equal offence if some one invites people round to their house to watch tv?"

Not necessarily. Some service might think so. Some producer might think so. Some might not.

In all honesty, I am amazed how some feel they have the right to dictate (maybe it is self justification) how they should be obligated to distribute their product or feel how they are wronged and want to take action against those who wrong them. I'm pretty sure if someone wronged you, that you'd want to be able to take action against them.

Which leads me to...

@Richard Steven Hack
"And we're still here. It was bloody getting here, but it's bloody now, too."

Yes, but the hope is to get to be more civil in how to deal with conflicts -- not rely on last man breathing methods.

Richard Steven HackJune 9, 2011 6:52 PM

"I'm pretty sure if someone wronged you, that you'd want to be able to take action against them."

The question is whether one has actually been wronged. I prefer not to leave it up to someone's feelings about that issue. Which is precisely what the state is doing with the IP issue. The RIAA cries and the state passes laws which 1) do nothing about the alleged problem, and 2) infringe on personal property to benefit certain industries.

"Yes, but the hope is to get to be more civil in how to deal with conflicts -- not rely on last man breathing methods."

Email me when this happens. What I'm seeing is the exact opposite.

"Hope" is not a plan.

Nick PJune 9, 2011 6:54 PM

@ Richard Steven Hack

This article I just read on how the government is handing the leaks of their ineptitude and transgressions supports your notion that's it's just a tool for control that profits a few at the expense of many. The capabilities and actions described in this story are pretty terrifying and would have left the Soviet Union with envy. My favorite quote: "I feel I’m living in the very country I worked for years to defeat: the Soviet Union."

The Secret Sharer
http://www.newyorker.com/reporting/2011/05/23/...

GreenSquirrelJune 10, 2011 2:46 AM

@AppSec

"Not necessarily. Some service might think so. Some producer might think so. Some might not."

Ok, so rather than it being an ethical issue, its simply whatever the producer wants.

I dont actually have an issue with this - I am not arguing that we should be able to share our cinema seats - I am simply asking about the double standard whereby we think it is ethical / moral (whatever) to share one product and not another.

There is no ethical argument here other than it may go against the wishes of the vendor - but the same happens with popcorn, I bet they would be happier if everyone bought their own box.

My original (and as yet, unanswered) question was what really is the difference between sharing popcorn and the ticket that makes one fundamentally wrong.

"In all honesty, I am amazed how some feel they have the right to dictate (maybe it is self justification) how they should be obligated to distribute their product or feel how they are wronged and want to take action against those who wrong them. I'm pretty sure if someone wronged you, that you'd want to be able to take action against them."

I am not sure who this was aimed at, I certainly dont think I have the right - or the inclination - to dictate how products are distributed.

However, I do think it strange (as I keep saying) that we allow some service producers to avoid the commercial pressures of a free market and dictate terms to the end user that other services providers cant. That this is then written into law seems to me, morally, wrong.

When a library can legally prevent someone from sharing a book with their neighbour then I will see the on-demand TV industry in a different light.

Clive RobinsonJune 10, 2011 3:04 AM

@ Dirk Praet,

"For a really good explanation on cloud security..."

I look at it in a simplistic way ;)

Your data is like your password.

1, You don't store your password on a public access system in plain text (or atleast that's what you hope the service providers don't do).

2, You don't send your password across a network of any kind in plaintext (again atleast that's what you hope the service providers don't do).

We have learnt these two lessons repeatedly for the past 30 odd years from the 1960's due to naredowells taking advantage of not enforcing them.

So either you treet your data like a password or consider it fully exposed in all respects with the cloud. And as you cannot usefully use the cloud (except for storage) in a fully encrypted manner it means atleast for me that the choice is simple,

You either have private data you keep under your control (via encryption etc) or you consider it fully and irrevocably exposed for all time.

Now if you take that view (which I consider reasonable ;) then under various bits of legislation such as SabOx HIPPA etc using the cloud for anything other than fully public data puts you in violation.

You might also be inviolation even if the data is fully public because seeing how you manipulate it might provide intent towards trading direction. And this could be used for the equivalent of "insider trading".

I have yet to see any decent counter arguments but, even as a tough audiance I am still listening ;)

asdJune 10, 2011 3:51 AM

@Clive Robinson ,IBM/Microsoft/Intel are working on a product that should fix this
http://www-03.ibm.com/press/us/en/pressrelease/... "Secure Blue".
I'm guessing it will have the abialty for you to send encyted information to the cload, which they will be able to process.
With the bonus you can encode it again without raising flags for encoded data.

AppSecJune 10, 2011 7:52 AM

@GreenSquirrel
That wasn't aimed at anyone specifically. Sorry if it came off that way. It's just a feeling I get when I hear conversations around "piracy" of DVDs, games, etc. The comments of "oh, they make money off of concerts" or "oh, they make enough money already".

"My original (and as yet, unanswered) question was what really is the difference between sharing popcorn and the ticket that makes one fundamentally wrong."

Maybe we are talking about two different things. Neither is really all that fundamentally different, but the producer and provider are taking two different meanings. Same thing goes for harassment law suits. I can have the same conversation with two different people and in one case, I could end up in HR.

@ Richard Steven Hack
"The question is whether one has actually been wronged. I prefer not to leave it up to someone's feelings about that issue. Which is precisely what the state is doing with the IP issue. The RIAA cries and the state passes laws which 1) do nothing about the alleged problem, and 2) infringe on personal property to benefit certain industries."

"The right to life, liberty, and the pursuit of happiness." The "pursuit of happiness" is a personal matter, you cannot avoid bringing feelings into it. This is even true for businesses which I think were considered "individuals" in this case. Thus, just like the harassment cases, the RIAA feels like it is being wronged and its right to pursuit of happiness is being impacted.

And no, I don't think people have the right to acquire all music, services and movies. These are privileges, just like driving. As long as there is free TV/Radio for public messaging distribution, you don't have the right to watch latest episode of The Real Housewives of Main Street.

GreenSquirrelJune 10, 2011 9:54 AM

@AppSec

Ok - there may be a bit of misunderstanding at work here. I am not deliberately saying anything in support of piracy or the like.

I think, and sorry for going back over old ground, that the comment Kevin made still escapes me and based on the general response there is actually no real difference between sharing popcorn and sharing a cinema seat - its all down to how we interpret it.

"Same thing goes for harassment law suits. I can have the same conversation with two different people and in one case, I could end up in HR. "

A good example, but again the double standard is simply wrong. However for various cultural and social reasons we have come to accept it and enshrined parts of it into law.

Nick PJune 12, 2011 12:30 AM

@ asd

",IBM/Microsoft/Intel are working on a product that should fix this... SecureBlue"

It sounds like one of those secure processor, SOC, crypto accelerator, etc. designs. Acalis's tamper-resistant PPC chip, numerous smart cards, and the IBM FIPS 140-2 Level 4 coprocessor come to mind. Viable attacks on all of these have been found that require sophistication and patience, but not as expensive as some think. Ross Anderson's people have used regular lab equipment and college undergrads to beat many "secure" chips. I'd take any IBM claims with a big bit of skepticism.

If you want a nice one though, look up the SecureCore or SP hardware-software architecture. It's a nice design that can reuse legacy cores. Another issue is subversion. Can't be sure the hardware is what they say it is. It could be backdoored by them or an adversary during various phases of development and manufacturing. The closer to the silicon, the harder to detect the backdoor. (RobertT illustrated this in great detail a while back. Just type this into google with quotes: "RobertT" "Nick P" "fab")

There's also a very small number of fabs. There's currently just three that make all the smartphone chips. Only conspire with 2 or compromise three to backdoor every cell phone in the world? Do you think someone hasn't done it? Even if only one success, you have a 1 out of 3 chance of being vulnerable. See why I don't trust hardware security claims that don't include specifics and a bunch of fab options?

RobertTJune 12, 2011 2:56 AM

@Nick P

",IBM/Microsoft/Intel are working on a product that should fix this... SecureBlue"

Just a few thoughts
- Intel and IBM are different from most of the industry in that they do all the chip creation steps in house (even mask generation, I believe)

- Because both companies do military chips and both control all steps, it is possible that they have procedural methods in place to protect against database or mask tampering, I don't know their specific design flow so it is hard for me to comment on any security deficiencies in the flow.

- BTW Neither IBM nor Intel sells any smartphone chip sets (although I believe Qualcomm in the past used IBM as a fab I don't know specific details)

- for smartphone chipsets the following companies are important
Texas Instruments (Omap),
Samsung (ARM Cortex)
Qualcomm (Snapdragon)
Marvell (aramada Arm)
Mediatek (quad arm)
Broadcom (arm cortex)


Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..